Skip to Main Content


The Secretary of Health and Human Services (HHS) delegated to the Administrator, Centers for Medicare & Medicaid Services (CMS), the authority to investigate complaints of noncompliance with, and to make decisions regarding the interpretation, implementation, and enforcement of certain regulations adopting administrative simplification standards. This delegation includes authority with respect to the the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Affordable Care Act (ACA).   This delegation does not include authority with respect to the Security Rule (as of July 27, 2009) and the Privacy Rule.  The Secretary has delegated to the Office for Civil Rights the authority to receive and investigate complaints as they may relate to the Privacy Rule and the Security Rule.

The current HIPAA TCS and ACA operating rules enforcement process is primarily complaint-driven. To date, the CMS enforcement strategy has been to provide technical assistance and seek the cooperation of all parties to the complaint, to help achieve compliance.

With the implementation of Version 5010 and D.0 and the requirements of both the American Recovery and Reinvestment Act, and the Patient Protection and Affordable Care Act, we recognized the need for an enhanced enforcement process whereby CMS would proactively address HIPAA/ACA Transactions and Code Sets, Unique Identifiers, Operating Rule and Health Plan Certification compliance issues through a compliance audit process. Information on the CMS compliance audit process and potential non-compliance penalties is in development and will be forthcoming.