Enforcement and Compliance FAQs


Q: Are small providers exempt from HIPAA?

A: No. The term "small providers" originates in the Administrative Simplification Compliance Act (ASCA), the law that requires providers who bill Medicare to submit claims to Medicare only electronically, in the HIPAA format, as of October 16, 2003. However, ASCA does provide an exception to the Medicare electronic claims submission requirements for "small providers". ASCA defines a small provider or supplier as: a provider of services with fewer than 25 full-time equivalent employees, or a physician, practitioner, facility or supplier (other than a provider of services) with fewer than 10 full-time equivalent employees.

It is important to keep in mind that this provision does not preclude providers from submitting paper claims to other health plans. In addition, if a provider transmits any of the designated transactions electronically, it is subject to the HIPAA Administrative Simplification requirements regardless of size.

Q: How does the Centers for Medicare & Medicaid Services (CMS) handle a Health Insurance Portability and Accountability Act (HIPAA) complaint once it is received?

A: Enforcement of the transactions and code sets and unique identifier standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is primarily complaint-driven. Upon receipt of a complaint, CMS will notify the entity the complaint was filed against and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures and practices to verify that they are compliant in how they exchange the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is non-compliant and has failed to correct its violations.

Q: What are the penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) regulations for transactions, code sets, and unique identifiers?

A: The HIPAA legislation permits civil monetary penalties of not more than $1.5 million per calendar year for a violation of an identical provision.

Q: How do I file a Health Insurance Portability and Accountability Act (HIPAA) complaint if my organization is concerned that another covered entity (health plan, clearinghouse, or covered health care provider) is not complying with the use of the standards, operating rules, or code sets?

A: You can use the CMS Administrative Simplification Enforcement and Testing Tool (ASETT). Available through the CMS Enterprise Portal, the tool can be used to file complaints and test X12 and NCPDP transactions.

To check on the status of a complaint, you can use ASETT, email the HIPAA mailbox at HIPAAcomplaint@cms.hhs.gov, or write to:

The Centers for Medicare & Medicaid Services
Division of National Standards: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Q: Who can file a Health Insurance Portability and Accountability Act (HIPAA) complaint about possible noncompliance with transaction, operating rule, code set, and unique identifier rules?

A: Anyone may file a complaint with CMS about any HIPAA covered entity that does not comply with rules for electronic transactions, operating rules, code sets, and unique identifiers. Complaints about HIPAA privacy violations should be directed to the HHS Office for Civil Rights.

Q: How do I submit a Health Insurance Portability and Accountability Act (HIPAA) complaint in writing for possible noncompliance with the transaction, operating rule, code set, or unique identifier rules?

A: CMS recommends that you use our online ASETT platform to file a complaint. It is efficient for individuals to complete the data entry portion of the complaint, and for CMS to review it once it is submitted through the online system.

If you choose to file a hard-copy complaint, you can request a complaint form by writing to:

The Centers for Medicare & Medicaid Services
Division of National Standards: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.