Enforcement and Compliance FAQs

Q: Are small providers exempt from HIPAA?

A: No. The term "small providers" originates in the Administrative Simplification Compliance Act (ASCA), the law which requires those providers who bill Medicare to submit only electronic claims to Medicare as of October 16, 2003, in the HIPAA format. ASCA provides an exception to the Medicare electronic claims submission requirements to "small providers." ASCA defines a small provider or supplier as: a provider of services with fewer than 25 full-time equivalent employees or a physician, practitioner, facility or supplier (other than a provider of services) with fewer than 10 full-time equivalent employees. 

This provision does not preclude providers from submitting paper claims to other health plans. Also, if a provider transmits any of the designated transactions electronically, it is subject to the HIPAA Administrative Simplification requirements regardless of size.

Q: How does the Centers for Medicare & Medicaid Services (CMS) process a HIPAA complaint once it is received?

A: Enforcement of the transactions and code sets, operating rules and unique identifier standards of HIPAA is primarily complaint-driven. Upon receipt of a complaint, CMS will notify the filed-against entity of the complaint and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures and practices to verify that they are compliant in how they exchange the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is non-compliant and has failed to correct its violations.

Q: What are the penalties for violations of HIPAA regulations for transactions, code sets, unique identifiers and operating rules?

A: The HIPAA legislation permits civil monetary penalties of not more than $1.5 million per calendar year for a violation.

Q: How do I file a HIPAA complaint if my organization is concerned that another covered entity (health plan, health care clearinghouse, or covered health care provider) is not complying with the use of the standards, operating rules, or code sets? 

A: You can use the CMS Administrative Simplification Enforcement and Testing Tool (ASETT). Available through the CMS Enterprise Portal, the tool can be used to file complaints and test X12 and NCPDP transactions.

To check on the status of a complaint, you can use ASETT, email the HIPAA mailbox at HIPAAcomplaint@cms.hhs.gov, or write to:

The Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Q: Who can file a HIPAA complaint about possible noncompliance with transaction, operating rule, code set, and unique identifier rules? 

A: Anyone may file a complaint with CMS about any HIPAA covered entity that does not comply with rules for electronic transactions, operating rules, code sets, and unique identifiers. Complaints about HIPAA privacy violations should be directed to the HHS Office for Civil Rights.

Q: How do I submit a HIPAA complaint in writing for possible noncompliance with the transaction, operating rule, code set, or unique identifier rules?

A: CMS recommends that you use our online ASETT platform to file a complaint. It is efficient for individuals to complete the data entry portion of the complaint, and for CMS to review it once it is submitted through the online system.

If you choose to file a hard-copy complaint (PDF), you can request a complaint form by writing to:

The Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Page Last Modified:
05/12/2022 11:43 AM