Yes! You can use AI to fill out Form COD, Certificate of Disposition
Form COD, Certificate of Disposition, is a document required by the Centers for Medicare and Medicaid Services (CMS) to certify that specific data has been destroyed or discontinued. This form is crucial for organizations to comply with data use agreements (DUAs) and ensure that sensitive information is handled properly.
Form Complexity Index
Complex
67 / 100
| Fillable fields | 57 |
| Pages | 2 |
| Fields per page | 28 |
| Sections | 19 |
| Conditional rules | 49 |
| Tables & lists | 1 |
| Instruction pages | — |
| OMB Control No. | 0938-0734 |
| Instafill Form ID | IF-CMS-10252 |
COD has a complex Form Complexity Index of 67/100 — 57 fillable fields across 2 pages. Instafill’s AI completes it accurately in under a minute.
Form specifications
| Form name: | Form COD, Certificate of Disposition |
| Form issued by: | Centers for Medicare and Medicaid Services |
| Number of fields: | 57 |
| Number of pages: | 2 |
| FCI: | Complex (67/100) |
| Version: | 2025 |
| Field instructions: | COD Instructions |
| Language: | English |
Our AI automatically handles information lookup, data retrieval, formatting, and form filling.
It takes less than a minute to fill out COD using our AI form filling.
Securely upload your data. Information is encrypted in transit and deleted immediately after the form is filled out.
Instafill Demo: How to fill out PDF forms in seconds with AI
How to Fill Out COD Online for Free in 2026
Are you looking to fill out a COD form online quickly and accurately? Instafill.ai offers the #1 AI-powered PDF filling software of 2026, allowing you to complete your COD form in just 37 seconds or less.
Follow these steps to fill out your COD form online using Instafill.ai:
- 1 Visit instafill.ai site and select COD.
- 2 Enter requester and organization details.
- 3 Specify study title and DUA number.
- 4 Complete data disposition sections.
- 5 Sign and date the form electronically.
- 6 Check for accuracy and submit form.
Our AI-powered system ensures each field is filled out correctly, reducing errors and saving you time.
Why Choose Instafill.ai for Your Fillable COD Form?
Speed
Complete your COD in as little as 37 seconds.
Up-to-Date
Always use the latest 2026 COD form version.
Cost-effective
No need to hire expensive lawyers.
Accuracy
Our AI performs 10 compliance checks to ensure your form is error-free.
Security
Your personal information is protected with bank-level encryption.
Frequently Asked Questions About COD
COD has a Form Complexity Index of 67 out of 100, placing it in the complex complexity tier. This score is calculated deterministically from the form’s own structure using Instafill’s published Form Complexity Index methodology, so it can be reproduced and independently verified — it is not a subjective estimate.
For COD specifically, the score reflects 57 fillable fields across 2 pages, grouped into 19 sections, and 49 conditional fields that only apply depending on earlier answers, 1 table or repeating lists. The number of fields is the largest factor in the base score (weighted 36%), followed by how difficult those fields are to complete based on their type, where free-text and signature fields count for more than simple checkboxes (26%). The number of pages that actually contain fields (15%), the amount of conditional “fill-only-if” logic (16%), and how many sections the form is divided into (7%) account for the rest of the base. On top of that base, the index adds points for tables and repeating lists, bundled instruction pages, and dense page layouts — capturing difficulty the base alone can miss.
In practical terms, a complex score means the form is demanding, with many fields, multiple pages and branching rules that are easy to get wrong. Instafill removes that effort entirely: our AI reads your information, maps each value to the correct field — including the conditional ones — and completes COD accurately in under a minute, with every field available for you to review before you download. See exactly how the Form Complexity Index is calculated.
The Certificate of Disposition for CMS Data form is used to document the transfer or disposal of Centers for Medicare & Medicaid Services (CMS) data from a covered entity or business associate to another entity. This form helps ensure that CMS is notified of data transfers or disposals in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy Rule.
The Certificate of Disposition for CMS Data form should be completed by a covered entity or business associate that is transferring or disposing of CMS data. It is important to note that both the transferring and receiving entities may be required to complete the form, depending on the specifics of the data transfer or disposal.
The information regarding the data being transferred or disposed of must match between the Data Use Agreement (DUA) and the Certificate of Disposition for CMS Data form. This includes the type and amount of data being transferred or disposed of, the purpose of the transfer or disposal, and the entities involved in the transfer or disposal.
To complete the Certificate of Disposition for CMS Data form, the following information should be provided: the names and contact information of the transferring and receiving entities, the date of the transfer or disposal, a description of the data being transferred or disposed of, and the method of disposal. The form should be signed and dated by an authorized representative of each entity.
The Certificate of Disposition for CMS Data form outlines several approved methods for disposing of CMS data. These methods include: shredding, erasing, or destroying the media on which the data is stored, de-identification of the data, or transferring the data to another entity for further use or disposal. It is important to follow the specific instructions for each method to ensure proper disposal of the data.
If only certain files on the Data Use Agreement (DUA) are being closed, the Certificate of Disposition for CMS Data form should only reflect the disposal of those specific files. The Requesting Organization is still required to follow the procedures outlined in the form for disposing of those files, including notifying the CMS Security Officer and providing documentation of the disposal.
The process for disposing of physical data files according to the Certificate of Disposition for CMS Data form includes notifying the CMS Security Officer in writing of the intent to dispose of the files, securing the files against unauthorized access, and destroying the files in a manner that prevents their reconstruction or readability. The Requesting Organization is responsible for documenting the disposal process and retaining a record of the disposal for a period of three years.
If data was only accessed through CMS systems and no physical files were received by the Requesting Organization, the Certificate of Disposition for CMS Data form should still be completed. The Requesting Organization should document the disposal of the data by providing a description of the data and the date it was removed from the CMS systems. The CMS Security Officer should be notified in writing of the disposal.
The Requesting Organization is responsible for disposing of CMS data in accordance with the procedures outlined in the Certificate of Disposition for CMS Data form. This includes notifying the CMS Security Officer in writing of the intent to dispose of the data or physical files, securing the data or files against unauthorized access, and destroying the data or files in a manner that prevents their reconstruction or readability. The Requesting Organization is also responsible for retaining a record of the disposal for a period of three years.
If the Requesting Organization retains copies of CMS data without approval, they may be subject to legal and regulatory consequences. The Certificate of Disposition for CMS Data form requires the Requesting Organization to certify that all CMS data has been returned or destroyed in accordance with the terms of the DUA. Failure to comply with these requirements could result in sanctions, fines, or other penalties.
Clearing, purging, and destroying data refer to different methods of removing or disposing of protected health information (PHI) as outlined in the Certificate of Disposition for CMS Data form. Clearing refers to rendering PHI unreadable, indecipherable, and otherwise unable to be reconstructed. Purging refers to removing PHI from a system or storage media so that it can no longer be accessed or retrieved. Destroying refers to physically destroying the media on which PHI is stored, making it unreadable and unusable. It is important to follow the correct method for disposing of CMS data based on the requirements of the Certificate of Disposition form and applicable regulations.
De-identified data is data that has had all identifiers removed, making it no longer considered protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The process for disposing of de-identified data is not specifically outlined in the Certificate of Disposition for CMS Data form, as it is no longer considered PHI and is not subject to the same disposal requirements. However, it is still important to follow any organizational policies and procedures for handling and disposing of de-identified data to ensure its security and confidentiality.
The importance of ensuring that the Requesting Organization has completed one of the approved methods for disposing of CMS data is to maintain the confidentiality and security of the data. The Certificate of Disposition for CMS Data form requires that the disposal method be approved by the Centers for Medicare & Medicaid Services (CMS) to ensure that the data is properly disposed of and cannot be accessed or retrieved by unauthorized individuals. Failure to properly dispose of CMS data can result in penalties and legal consequences.
The process for disposing of data that is preapproved by CMS is outlined in the Certificate of Disposition for CMS Data form. The form provides a list of approved disposal methods, including clearing, purging, and destroying, and requires that the Requesting Organization select the method they will use and provide a description of the method in the form. Once the disposal method has been completed, the Requesting Organization must complete and sign the Certificate of Disposition form and return it to the CMS Contractor.
The OMB No. (Office of Management and Budget) and Exp. date (Expiration date) mentioned on the Certificate of Disposition for CMS Data form refer to the approval and validity of the form itself. The OMB No. is a unique identifier assigned to the form by the Office of Management and Budget, which is the federal agency responsible for overseeing the development and implementation of government forms. The Exp. date indicates the last date on which the form can be used. It is important to use only current and approved forms when disposing of CMS data to ensure that the disposal process is valid and compliant with regulations.
The Printed Name, Email, Phone #, and Signature in the Disposition Confirmation section are required for identification and contact purposes. The Printed Name represents the name of the individual or organization completing the form. The Email and Phone number provide a means of contact for future communication or clarification regarding the disposition of the CMS data. The Signature signifies the approval and acceptance of the responsibilities outlined in the Certificate of Disposition for CMS Data form.
Section 1 of the Certificate of Disposition for CMS Data form is used by the Data Custodian to provide information about the data being disposed of, including the type of data, the method of disposal, and the date of disposal. Section 2 is used by the Requester to confirm that they have received the data and that it has been disposed of in accordance with their instructions. Both sections must be completed and signed for the form to be valid.
If the Requester or Data Custodian is unsure about how to complete the Certificate of Disposition for CMS Data form, they should contact their organization's IT or Compliance department for guidance. They may also consult the Centers for Medicare & Medicaid Services (CMS) website or contact the CMS Help Desk for assistance. It is important to ensure that the form is completed accurately and completely to ensure compliance with CMS regulations.
Compliance COD
Validation Checks by Instafill.ai
1
Ensures that the Requester's name matches the individual specified in the Data Use Agreement (DUA).
This validation check ensures that the name of the individual requesting the data is identical to the name listed in the Data Use Agreement. It cross-references the provided Requester's name with the name specified in the DUA to maintain consistency and verify authorization. Any discrepancies are flagged for review to prevent unauthorized access to sensitive CMS data. This step is crucial for upholding the integrity of the data sharing process.
2
Confirms that the Requesting Organization's name is the same as the one specified in the DUA.
The validation process confirms that the organization requesting the CMS data is the same entity as the one named in the Data Use Agreement. It checks the organization's name for exact matches, including any abbreviations or legal identifiers. This ensures that the data is being released to the correct and authorized organization, as per the agreement. Any variation in the organization's name is thoroughly investigated to maintain data security.
3
Verifies that the Study Title entered is consistent with the title in section 3 of the DUA.
This check verifies that the title of the study for which the CMS data is being requested matches exactly with the study title provided in section 3 of the Data Use Agreement. It is essential that the study title is consistent to ensure that the data is being used for the approved purpose. Any inconsistency in the study title could indicate a deviation from the agreed-upon research and would require further clarification.
4
Checks that the DUA number entered matches the number associated with the data files.
The validation process checks that the Data Use Agreement number entered on the Certificate of Disposition corresponds with the DUA number associated with the requested CMS data files. This step is critical to ensure that the data being requested is covered under the correct agreement. It helps in tracking and managing data requests efficiently and ensures compliance with the terms of the DUA.
5
Confirms understanding of the conditions for data destruction or discontinuation as per the DUA.
This validation confirms that the requester has acknowledged and understood the conditions outlined in the Data Use Agreement regarding the destruction or discontinuation of the CMS data. It ensures that the requester is aware of their responsibilities for handling the data at the end of the study or in case the data is no longer needed. This check is vital for ensuring that sensitive data is disposed of securely and in accordance with the DUA stipulations.
6
Validates that an approved method for data disposal (Clearing, Purging, or Destroying) is selected.
The AI ensures that one of the approved methods for data disposal is selected on the Certificate of Disposition for CMS Data form. It checks whether the option chosen is either Clearing, Purging, or Destroying, as these are the acceptable methods. The validation process involves confirming that the selection is explicitly made and that it aligns with the guidelines provided for data disposal. If no method is selected or an unapproved method is indicated, the AI flags this section for user review and correction.
7
Ensures that the correct disposition (closing entire DUA or specific files) is indicated in Section 1.
The AI verifies that Section 1 of the form accurately reflects the intended disposition of the data. It ensures that the user has indicated whether the entire Data Use Agreement (DUA) is being closed or if only specific files are being disposed of. The AI checks for clear and unambiguous indication in this section to prevent any misunderstandings regarding the scope of the data disposition. If the information is incomplete or unclear, the AI prompts the user to provide the necessary details.
8
Verifies that Section 2 is completed if physical data files were received.
The AI confirms that Section 2 of the form is fully completed in cases where physical data files were received. It checks for all required information, such as the method of disposition and any relevant details about the physical data files. The AI's validation process includes ensuring that this section is not overlooked when physical data is involved and that all necessary steps for proper disposal are documented. If Section 2 is left incomplete or is inconsistent with the data received, the AI highlights this for user attention.
9
Confirms that Section 3 is completed if no physical data was received and access was through CMS systems.
The AI ascertains that Section 3 is properly filled out when the data was accessed through CMS systems and no physical data files were received. It scrutinizes the form to ensure that the user has provided all the necessary information regarding the electronic data accessed and the measures taken for its disposition. The AI checks that this section is not neglected in the absence of physical data and that electronic data disposal is adequately addressed. Should Section 3 be incomplete or fail to correspond with the data access method, the AI signals this discrepancy for user review.
10
Checks for the inclusion of preapproved 'Other' disposition language if applicable.
The AI examines the form for the inclusion of any preapproved 'Other' disposition language, which may be applicable in certain circumstances. It checks that if the 'Other' option is selected, the language used is preapproved and accurately reflects the disposition method. The AI ensures that this option is not misused and that any 'Other' disposition method is properly documented and justified. In the event that the 'Other' language is missing, incorrect, or not preapproved, the AI flags this area for further clarification and proper documentation.
11
Ensures that the disposition statement letter (A, B, or C) is specified for each file in Section 2.
The AI ensures that a disposition statement letter, either A, B, or C, is clearly indicated for each file listed in Section 2 of the Certificate of Disposition for CMS Data. This check is crucial to determine the specific action taken for each file, such as retention, destruction, or transfer. The AI cross-references the provided information with the acceptable values to confirm compliance with the form's requirements. In the event of a missing or incorrect disposition statement, the AI flags the entry for review and correction.
12
Verifies that each file listed includes the year(s) and the chosen disposition method.
The AI verifies that for each file listed on the Certificate of Disposition for CMS Data, there is a clear indication of the year(s) the data pertains to and the disposition method selected. This validation ensures that historical data is accurately accounted for and that the method of disposition aligns with the requirements set forth by CMS. The AI checks for completeness and accuracy of this information, prompting the user to correct any discrepancies or omissions before the form can be submitted.
13
Confirms that if files are reused under another open CMS DUA, the reuse DUA number is included for each file.
The AI confirms that if any files listed in the Certificate of Disposition for CMS Data are being reused under another open CMS Data Use Agreement (DUA), the corresponding reuse DUA number is provided for each applicable file. This check is essential to track the continuity of data usage and to ensure that all files are accounted for under the appropriate agreements. The AI system scans for the presence of these numbers and validates them against existing DUAs to prevent any unauthorized use or misplacement of data.
14
Ensures that the Requester or Data Custodian's printed name, email, and phone number are provided in Section 3.
The AI ensures that Section 3 of the Certificate of Disposition for CMS Data is fully completed with the Requester or Data Custodian's printed name, email address, and phone number. This information is vital for establishing a point of contact and for any necessary follow-up communication regarding the disposition of the data. The AI checks for the presence and format of this contact information, ensuring that it meets the standard requirements and is readily accessible for CMS officials.
15
Validates that the form is signed, dated, and all signatures and dates are accurate before submission to CMS.
The AI validates that the Certificate of Disposition for CMS Data form is properly signed and dated before it is submitted to CMS. It checks the signature fields to ensure that they are not left blank and that the dates provided are in the correct format and logically consistent. The AI also verifies the accuracy of the dates, ensuring they are current and relevant to the data disposition process. This validation is a critical step to authenticate the form and to prevent any processing delays due to incomplete or incorrect submissions.
Common Mistakes in Completing COD
When completing the Certificate of Disposition for CMS Data form, it is crucial to ensure the name of the individual identified as the requester matches the one specified in the Data Use Agreement (DUA). This inconsistency can lead to potential miscommunications or denials of data access. To avoid this mistake, carefully review the name of the requester on the form against the name listed in the DUA. If there is a discrepancy, make the necessary corrections before submitting the form.
Another common mistake when filling out the Certificate of Disposition for CMS Data form is entering an incorrect name for the requesting organization. This error can lead to delays or denials of data access. To prevent this mistake, enter the name of the organization exactly as it is stated in the DUA. If you are unsure of the correct name, consult the DUA or contact the CMS helpdesk for clarification.
Entering an incorrect study title on the Certificate of Disposition for CMS Data form can lead to confusion and potential denials of data access. To avoid this mistake, enter the study title as specified in section 3 of the DUA. If you are unsure of the correct title, consult the DUA or contact the CMS helpdesk for clarification.
Entering an incorrect Data Use Agreement (DUA) number on the Certificate of Disposition for CMS Data form can lead to denials of data access or delays in processing. To prevent this mistake, enter the correct DUA number as stated in the DUA. If you are unsure of the correct number, consult the DUA or contact the CMS helpdesk for clarification.
Failing to read and understand the conditions for data disposal as outlined in the Certificate of Disposition for CMS Data form can lead to potential violations of CMS regulations. To avoid this mistake, carefully read and understand the conditions for data disposal before completing the form. If you have any questions or concerns, consult the DUA or contact the CMS helpdesk for clarification.
The Certificate of Disposition for CMS Data form requires the selection of an approved method for data disposal in Section 2 - Disposition Statement. Choosing an unapproved method may result in non-compliance with CMS regulations. To avoid this mistake, review the list of approved methods provided by CMS and ensure the selected method is compliant. Proper disposal methods include, but are not limited to, degaussing, shredding, or incineration.
Section 1 of the Certificate of Disposition for CMS Data form requires the clear indication of whether all files or only certain files are being disposed of. Incomplete or incorrect information in this section may lead to confusion and potential non-compliance. To avoid this mistake, ensure that the entirety of the information is provided and that it accurately reflects the situation. If only certain files are being disposed of, specify which ones.
Section 2 of the Certificate of Disposition for CMS Data form requires the listing of each file, including the year(s), and the indication of the chosen disposition method for all files. Failing to complete this section for all files may result in incomplete documentation and potential non-compliance. To avoid this mistake, ensure that all files are accounted for and that the disposition method is clearly stated for each one.
Selecting an incorrect disposition method in Section 2 of the Certificate of Disposition for CMS Data form may lead to non-compliance with CMS regulations. To avoid this mistake, review the list of approved methods provided by CMS and ensure that the selected method is appropriate for the specific file. Proper disposal methods include, but are not limited to, degaussing, shredding, or incineration.
The Certificate of Disposition for CMS Data form requires the provision of a reuse DUA number for approved files in Section 3 - Reuse of Data. Failing to provide this number may result in non-compliance with CMS regulations. To avoid this mistake, ensure that the reuse DUA number is obtained and provided for all approved files. This number is required for the reuse of data and is essential for maintaining compliance with CMS regulations.
One of the most common mistakes made when filling out the Certificate of Disposition for CMS Data form is failing to provide complete and accurate information in Section 3 - Disposition Confirmation. This section requires the name and title of the individual disposing of the data, the date of disposal, and the method of disposal. Leaving any of these fields blank or incomplete can result in delays or rejections of the form. To avoid this mistake, ensure that all required fields are filled out completely and accurately before submitting the form. Double-check the information provided to ensure its correctness and completeness.
Another common mistake made when filling out the Certificate of Disposition for CMS Data form is providing incorrect signatures or dates in Section 3 - Disposition Confirmation. Signatures and dates must be provided by the individual disposing of the data and must be legible and easily readable. Incorrect signatures or dates can result in delays or rejections of the form. To avoid this mistake, ensure that all signatures and dates are provided by the correct individual and are legible and easily readable. Double-check the information provided to ensure its correctness and completeness.
A third common mistake made when filling out the Certificate of Disposition for CMS Data form is failing to submit the completed form to CMS after disposing of the data. This form must be submitted to CMS within 60 days of disposing of the data to maintain compliance with HIPAA regulations. Failure to submit the form can result in fines and other penalties. To avoid this mistake, ensure that the completed form is submitted to CMS within the required timeframe. Double-check that the form has been sent and received by CMS to ensure compliance.
Saved over 80 hours a year
“I was never sure if my IRS forms like W-9 were filled correctly. Now, I can complete the forms accurately without any external help.”
Kevin Martin Green
Your data stays secure with advanced protection from Instafill and our subprocessors
Robust compliance program
Transparent business model
You’re not the product. You always know where your data is and what it is processed for.
ISO 27001, HIPAA, and GDPR
Our subprocesses adhere to multiple compliance standards, including but not limited to ISO 27001, HIPAA, and GDPR.
Security & privacy by design
We consider security and privacy from the initial design phase of any new service or functionality. It’s not an afterthought, it’s built-in, including support for two-factor authentication (2FA) to further protect your account.
Fill out COD with Instafill.ai
Worried about filling PDFs wrong? Instafill securely fills cms-10252 forms, ensuring each field is accurate.
