
Enforcement and Compliance FAQs


Q: Are small providers exempt from HIPAA?

A: No. The term "small providers" originates in the Administrative Simplification Compliance Act (ASCA), the law that, as of October 16, 2003, requires providers who bill Medicare to submit their Medicare claims electronically in the HIPAA standard format. However, ASCA does provide an exception to the Medicare electronic claims submission requirement for "small providers". ASCA defines a small provider or supplier as: a provider of services with fewer than 25 full-time equivalent employees, or a physician, practitioner, facility or supplier (other than a provider of services) with fewer than 10 full-time equivalent employees.

It is important to keep in mind that this exception applies only to Medicare claims; it does not govern whether providers may submit paper claims to other health plans. In addition, if a provider transmits any of the designated transactions electronically, it is subject to the HIPAA Administrative Simplification requirements regardless of its size.

Q: How does the Centers for Medicare & Medicaid Services (CMS) handle a Health Insurance Portability and Accountability Act (HIPAA) complaint once it is received? 

A: Enforcement of the transactions and code sets and unique identifier standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is primarily complaint-driven. Upon receipt of a complaint, CMS will notify the entity the complaint was filed against and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures and practices to verify that they are compliant in how they exchange the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is non-compliant and has failed to correct its violations.

Q: What are the penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) regulations for transactions, code sets, and unique identifiers? 

A: The HIPAA legislation permits civil monetary penalties of not more than $1.5 million per calendar year for all violations of an identical provision.

Q: How do I file a Health Insurance Portability and Accountability Act (HIPAA) complaint if my organization is concerned that another covered entity (health plan, clearinghouse, or covered health care provider) is not complying with the use of the standards, operating rules, or code sets?  

A: You can use the CMS Administrative Simplification Enforcement and Testing Tool (ASETT). Available through the CMS Enterprise Portal, the tool can be used to file complaints and test X12 and NCPDP transactions.

To check on the status of a complaint, you can use ASETT, the HIPAA mailbox at HIPAAcomplaint@cms.hhs.gov or write to:

The Centers for Medicare & Medicaid Services
Division of National Standards: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Q: Who can file a Health Insurance Portability and Accountability Act (HIPAA) complaint about possible noncompliance with transaction, operating rule, code set, and unique identifier rules? 

A: Anyone may file a complaint with CMS about any HIPAA covered entity that does not comply with rules for electronic transactions, operating rules, code sets, and unique identifiers. Complaints about HIPAA privacy violations should be directed to the HHS Office for Civil Rights.

Q: How do I submit a Health Insurance Portability and Accountability Act (HIPAA) complaint in writing for possible noncompliance with the transaction, operating rule, code set, or unique identifier rules?

A: CMS recommends that you use our online ASETT platform to file a complaint. The online system makes it efficient for individuals to complete the data entry portion of the complaint and for CMS to review it once it is submitted.

If you choose to file a hard-copy complaint, you can request a complaint form by writing to:

The Centers for Medicare & Medicaid Services
Division of National Standards: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Q: What is meant by "certification of compliance" with HIPAA operating rules and standards?

A: "Certification of compliance" refers to the requirement in section 1173(h) of the Social Security Act (which was added by the Affordable Care Act) that, "[not later than December 31, 2013, a health plan shall file a statement with the Secretary... certifying that the data and information systems for such plan are in compliance with any applicable standards... and associated operating rules... for electronic funds transfers, eligibility for a health plan, health claim status, and health care payment and remittance advice, respectively." Certification of compliance also refers to similar requirements for the transactions specified in sections 1173(h)(1)(B) and (h)(5) of the Social Security Act.

In addition, certification of compliance provisions require health plans to provide adequate documentation of compliance and to ensure that any entities that provide services pursuant to a contract comply with the applicable standards and operating rules.

The requirement for health plans to certify compliance should not be confused with "CORE certification." The Committee on Operating Rules for Information Exchange (CORE) awards Certification Seals to entities that use transactions according to the operating rules that CORE creates. CORE certification is not currently required by federal law or regulation.
