Enforcement and Compliance FAQs
- Q: What type of investigation does the National Standards Group (NSG) perform when it receives allegations of noncompliance with the HIPAA Administrative Simplification standards, operating rules, code sets, and unique identifiers?
A: NSG enforces Administrative Simplification provisions by investigating complaints alleging noncompliance. NSG will request and review documentation from entities to determine if a violation of a standard has occurred. Where it has been determined that a violation has occurred, NSG may request that the “filed against entity” (FAE) take corrective action to remediate the issue. Where an FAE fails to undertake required corrective action and a violation persists, NSG may impose a Civil Money Penalty.
Separate from its reactive complaint process, NSG conducts random compliance reviews, which involve the review of a sample of transactions from a covered entity to ensure adherence to HIPAA standards. These reviews may result in requiring the subject of the compliance review to pursue corrective action when necessary.
- Q: What is the Administrative Simplification Enforcement Tool (ASETT)?
A: ASETT is a multipurpose tool that may be used both to file a complaint with NSG against a HIPAA covered entity for noncompliance with HIPAA Administrative Simplification requirements, and also as a free tool that enables users to test their own electronic health care transactions and their trading partners’ transactions to ensure compliance with HIPAA standards. When filing a complaint, the complainant has the option to remain anonymous to the FAE.
- Q: Who can file a HIPAA complaint about possible noncompliance with electronic transaction, operating rule, code set, and unique identifier regulations?
A: Anyone may file a complaint with NSG about any HIPAA covered entity that they believe has failed to comply with regulations for electronic transactions, operating rules, code sets, and unique health identifiers.
- Q: What information should I include when filing a HIPAA Administrative Simplification enforcement complaint?
A: When filing a complaint, the complainant has the option to remain anonymous to the FAE. Though you may elect to remain anonymous, NSG may require contact information, to obtain additional information regarding the complaint. Such information would include, where applicable, your organization’s name, phone number, your title, name, address, email, and phone number. You will need to identify the entity against which you are filing your complaint, including the organization’s name and if available organization’s address, contact name, title, email, and phone number. Finally, you will need to describe the alleged violation in detail, including when the alleged violation occurred. You may also attach supporting material to further document your complaint if you are a registered user.
While registration is not required to file a complaint through ASETT, it is highly recommended, as it allows you to view your complaint, upload supporting documents, check complaint status, and test transactions.
- Q: How do I file a HIPAA complaint if my organization is concerned that another covered entity (health plan, health care clearinghouse, or covered health care provider) is not complying with the use of the standards, operating rules, or code sets?
A: You may file a complaint utilizing the NSG ASETT tool.
To check on the status of a complaint, you can use ASETT, the HIPAA mailbox at HIPAAcomplaint@cms.hhs.gov or write to:
Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Mailstop D0-01-10, Baltimore, Maryland 21244-8030.
- Q: How do I submit in writing a HIPAA complaint alleging possible noncompliance with the electronic transaction, operating rule, code set, or unique identifier regulations?
A: NSG recommends that you use our online ASETT platform to file a complaint. Using ASETT makes it more efficient for individuals to complete the data entry portion of the complaint, and for NSG to review the data submitted through the online system. However, you may, if you elect, file a hard copy complaint. To do so, download the complaint form from the ASETT tool and mail the completed form to:
Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Mailstop D0-01-10, Baltimore, Maryland 21244-8030.
- Q: How does NSG process a HIPAA complaint once it is received?
A: Upon receipt of a complaint, NSG will conduct an initial evaluation of the allegations. Should the allegations fall within the purview of the HIPAA Administrative Simplification requirements and adequately allege an apparent violation, NSG will notify the covered FAE of the complaint and provide them with an opportunity to dispute the allegations, demonstrate compliance, and/or, as necessary, submit a corrective action plan. Should a HIPAA covered entity be determined to be out of compliance with requirements and fail to voluntarily achieve compliance, further enforcement action may be taken. For additional details please view the Complaint Process Infographic (PDF).
- Q: What should I expect after filing a HIPAA enforcement complaint using ASETT?
A: Once a complaint is submitted, NSG will review all information and provide a response to the complainant. Should your complaint adequately articulate noncompliance with an Administrative Simplification requirement, NSG will notify the entity and investigate the issue(s). Throughout the process, you will receive correspondence from NSG via mail or email regarding the status of the complaint.
- Q: What are the penalties for violations of HIPAA regulations for electronic transactions, code sets, unique identifiers, and operating rules?
A: Civil monetary penalties (CMPs) may be imposed. The amount of the CMPs would be in accordance with 45 CFR § 160.404.
- Q: Who can help me with issues with the ASETT?
A: For assistance with registering in ASETT and/or logging into your existing ASETT account or password problems, you can contact the ASETT Helpdesk at (703) 951-6810. Email inquiries can be sent to the ASETT helpdesk mailbox at ASETTHelpdesk@cms.hhs.gov.
- Q: What do I need to do to test a HIPAA transaction on the ASETT?
A: These are the steps to test a HIPAA transaction:
- Click the “Register” link on the ASETT Homepage to create a new user account. *All registration steps must be completed prior to accessing the Transaction Testing Tool*.
- After successfully registering, select the “Test HIPAA Transactions” button towards the bottom of the screen.
- Enroll in the Testing Tool by selecting the Onboarding, Testing, and Cloud Services (OTCS) link.
- Follow the system prompts.
- View or print the results.
You can view the ASETT demonstration video. Review our ASETT User Manual (PDF) for a step-by-step guide.
- Q: Do I need to provide Personally Identifiable Information (PII) when testing a HIPAA transaction using the ASETT?
A: To test a transaction(s), you must first register as a user with ASETT. Registration requires that you enter certain information, including your name, date of birth, and e-mail address. PII is only shared with Experian for identity proofing.
- Q: I am trying to use ASETT to test transactions using ASC X12 5010 standards, but I am having trouble performing tests. What can I do?
A: You may consult the ASETT User Manual, found under the Support tab in the heading bar at the top of the Home Screen, at https://asett.cms.gov/ASETT_ST_CMP_HomePage or under the User Manual tab on the registered user landing page. For convenience, we've added the User Manual link here: https://asett.cms.gov/ASETT_ST_CMP_UserManual. Please see section 4.3 Test HIPAA Transaction, starting on page 59, for full information about using the testing tool.
- Q: Where can I find educational materials regarding HIPAA Administrative Simplification transaction and code set enforcement on the CMS website?
A: For information about HIPAA Administrative Simplification requirements, visit Go.CMS.gov/AdminSimp. For the latest news about HIPAA Administrative Simplification transactions and code sets, sign up for Email Updates.
Statement of Enforcement Discretion for Referral Certification and Authorization Transaction Standard
- Q: What is the intended purpose of the enforcement discretion?
A: This application of enforcement discretion is intended to promote efficiency in the prior authorization process and comes in response to public comments received on multiple notices of proposed rulemaking and extensive stakeholder outreach to CMS and HHS.
- Q: Who is covered under the enforcement discretion?
A: All HIPAA covered entities that implement a FHIR-based Prior Authorization API as described in the CMS Interoperability and Prior Authorization final rule (CMS-0057-F).
- Q: How will HIPAA enforcement discretion be exercised for covered entities that do not use the adopted X12 278 standard?
A: HIPAA Administrative Simplification enforcement action will not be taken against any HIPAA covered entity that does not use the X12 278 standard as part of an electronic FHIR prior authorization process that meets the requirements of the CMS Interoperability and Prior Authorization final rule (CMS-0057-F). This means that, under these specific circumstances, the use of electronic transaction standards that would otherwise be considered non-compliant will not be subject to enforcement action under the HIPAA Administrative Simplification enforcement regulations.
- Q: How long will the enforcement discretion be in place?
A: Although there is no specified terminal date for this HHS exercise of enforcement discretion, we presently anticipate that it will be bounded by a future rulemaking.
- Q: Under what circumstances would the enforcement discretion permitting use of an All-FHIR-Based Prior Authorization API in lieu of the adopted X12 278 standard for prior authorization transactions not apply?
A: The enforcement discretion applies only to covered entities using the FHIR-based Prior Authorization API as described in the CMS Interoperability and Prior Authorization final rule. The enforcement discretion applies to no other circumstance where HIPAA Administrative Simplification rules require covered entities to comply with the adopted version of the X12 278 standard.
- Q: Can a health plan require another HIPAA covered entity to use an alternative standard to the X12 278 standard for prior authorization transactions?
A: No. A covered entity may elect, but may not be required, to use a FHIR-based Prior Authorization API as an alternative standard to the X12 278 as part of a prior authorization process.