Enforcement and Compliance FAQs

Q: Are small providers exempt from HIPAA?

A: No. The term "small providers" originates in the Administrative Simplification Compliance Act (ASCA), the law which requires those providers who bill Medicare to submit only electronic claims to Medicare as of October 16, 2003, in the HIPAA format. ASCA provides an exception to the Medicare electronic claims submission requirements to "small providers." ASCA defines a small provider or supplier as: a provider of services with fewer than 25 full-time equivalent employees or a physician, practitioner, facility or supplier (other than a provider of services) with fewer than 10 full-time equivalent employees. 

This provision does not preclude providers from submitting paper claims to other health plans. Also, if a provider transmits any of the designated transactions electronically, it is subject to the HIPAA Administrative Simplification requirements regardless of size.

Q: How does the Centers for Medicare & Medicaid Services (CMS) process a HIPAA complaint once it is received?

A: Enforcement of the transactions and code sets, operating rules and unique identifier standards of HIPAA is primarily complaint-driven. Upon receipt of a complaint, CMS will notify the filed-against entity of the complaint and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures and practices to verify that they are compliant in how they exchange the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is non-compliant and has failed to correct its violations.

Q: What are the penalties for violations of HIPAA regulations for transactions, code sets, unique identifiers and operating rules?

A: The HIPAA legislation permits civil monetary penalties of not more than $1.5 million per calendar year for a violation.

Q: How do I file a HIPAA complaint if my organization is concerned that another covered entity (health plan, health care clearinghouse, or covered health care provider) is not complying with the use of the standards, operating rules, or code sets? 

A: You can use the CMS Administrative Simplification Enforcement and Testing Tool (ASETT). Available through the CMS Enterprise Portal, the tool can be used to file complaints and test X12 and NCPDP transactions.

To check on the status of a complaint, you can use ASETT, the HIPAA mailbox at HIPAAcomplaint@cms.hhs.gov or write to:

The Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Q: Who can file a HIPAA complaint about possible noncompliance with transaction, operating rule, code set, and unique identifier rules? 

A: Anyone may file a complaint with CMS about any HIPAA covered entity that does not comply with rules for electronic transactions, operating rules, code sets, and unique identifiers. Complaints about HIPAA privacy violations should be directed to the HHS Office for Civil Rights.

Q: How do I submit a HIPAA complaint in writing for possible noncompliance with the transaction, operating rule, code set, or unique identifier rules?

A: CMS recommends that you use our online ASETT platform to file a complaint. The online system makes it efficient for individuals to complete the data entry portion of the complaint, and for CMS to review it once it is submitted.

If you choose to file a hard-copy complaint (PDF), you can request a complaint form by writing to:

The Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Statement of Enforcement Discretion for Referral Certification and Authorization Transaction Standard

Q: What is the intended purpose of the enforcement discretion?

A: This application of enforcement discretion is intended to promote efficiency in the prior authorization process and comes in response to public comments received on multiple notices of proposed rulemaking and extensive stakeholder outreach to CMS and HHS.

Q: Who is covered under the enforcement discretion?

A: All HIPAA covered entities that implement a FHIR-based Prior Authorization API as described in the CMS Interoperability and Prior Authorization final rule (CMS-0057-F).

Q: How will HIPAA enforcement discretion be exercised for covered entities that do not use the adopted X12 278 standard?

A: HIPAA Administrative Simplification enforcement action will not be taken against any HIPAA covered entity that does not use the X12 278 standard as part of an electronic FHIR prior authorization process that meets the requirements of the CMS Interoperability and Prior Authorization final rule (CMS-0057-F). This means that, under these specific circumstances, the use of electronic transaction standards that would otherwise be considered non-compliant will not be subject to enforcement action under the HIPAA Administrative Simplification enforcement regulations.

Q: How long will the enforcement discretion be in place?

A: Although there is no specified terminal date for this HHS exercise of enforcement discretion, we presently anticipate that it will be bounded by a future rulemaking.

Q: Under what circumstances would the enforcement discretion permitting use of an All-FHIR-Based Prior Authorization API in lieu of the adopted X12 278 standard for prior authorization transactions not apply?

A: The enforcement discretion applies only to covered entities using the FHIR-based Prior Authorization API as described in the CMS Interoperability and Prior Authorization final rule. The enforcement discretion applies to no other circumstance where HIPAA Administrative Simplification rules require covered entities to comply with the adopted version of the X12 278 standard.

Q: Can a health plan require another HIPAA covered entity to use an alternative standard to the X12 278 standard for prior authorization transactions?

A: No. A covered entity may elect, but may not be required, to use a FHIR-based Prior Authorization API as an alternative standard to the X12 278 as part of a prior authorization process.

Page Last Modified:
06/18/2024 11:51 AM