Skip to Main Content

Enforcement and Compliance Overview

Compliance with the adopted Administrative Simplification requirements yields benefits to the healthcare industry; including providers, health plans and clearinghouses.  CMS is working to assist these entities achieve widespread compliance through:

  • Education
  • Complaint-driven enforcement
  • Certification of Compliance rules (in development)

To help the health care community use electronic standards for administrative transactions, CMS announces a new video, Reaching Compliance with ASETT.

This animated short: 

  • Explains the benefits of complying with Administrative Simplification standards, including substantial cost savings
  • Describes how ASETT—the Administrative Simplification Enforcement and Testing Tool—allows you to test transactions, both your own and your business trading partners’ transactions
  • Tells you how to use ASETT to file a complaint if you have any noncompliant business trading partners

Administrative Simplification – Compliance and Enforcement

CMS, on behalf of HHS, has the authority to investigate complaints and audit for compliance with HIPAA standards for:

  • Transactions
  • Code sets
  • Unique identifiers
  • Operating rules

This includes authority with respect to the Administrative Simplification provisions of the:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Patient Protection and Affordable Care Act of 2010 (ACA)

Enforcing Administrative Simplification requirements is essential to ensuring the health care community reaps the benefits of standardized transactions and reduced administrative costs. Learn more about how CMS enforces Administrative Simplification requirements in this video.

CMS authority does not extend to the Security Rule and the Privacy Rule. The HHS Office for Civil Rights (OCR) receives and investigates complaints related to privacy and security. 

HIPAA Administrative Simplification Enforcement Rule

On February 16, 2006, the Department of Health and Human Services (HHS) published the HIPAA Enforcement Rule.

The rule details the procedures and amounts for imposing civil money penalties on covered entities that violate any HIPAA Administrative Simplification requirements.

Effective February 18, 2009, Section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act to revise the amounts of civil money penalties that may be assessed for unresolved HIPAA violations.

Code set enforcement includes ICD-10, which became effective October 1, 2015.

The HHS Office for Civil Rights (OCR) enforces HIPAA Security and Privacy rules.