Enforcement and Compliance Overview

Compliance Review Program

The CMS National Standards Group, on behalf of HHS, administers the Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.

Optimization Pilot Program Information Bulletin (PDF)

In April 2019, HHS randomly selected 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for compliance reviews. HHS piloted the program with health plan and clearinghouse volunteers to streamline the compliance review process and identify any system enhancements. In 2019, providers were able to participate in a separate pilot.

CMS Compliance Review Program (Video)

Watch the CMS video about the Compliance Review Program to learn about why compliance reviews are important for the health care industry and how they are conducted.

More information on the Compliance Review Program:

• Compliance Review Infographic (PDF)
• Compliance Review Program Information Bulletin (PDF)
• Optimization Pilot Information Bulletin (PDF)
• What to Expect Q&A (PDF)
• Prep Steps (PDF)

August 2021 Enforcement Webinar

Enforcement Webinar Slides (PDF) – provides an overview of Administrative Simplification enforcement and the tools available to help the health care industry be compliant.

Enforcement Webinar Transcript (PDF) – a transcript of the August 2021 Administrative Simplification enforcement webinar.

Enforcement Webinar Q&A (PDF) – questions and answers from the Q&A portion of the Administrative Simplification enforcement webinar.

ASETT - Administrative Simplification Enforcement and Testing Tool - on the Salesforce Cloud

ASETT allows you to:

• Test your transactions
• Test your trading partners’ transactions
• File complaints
• Track your complaint status

HIPAA Administrative Simplification Enforcement Rule

CMS is charged on behalf of HHS with enforcing compliance with adopted Administrative Simplification requirements.  Enforcement activities include:

• Educating health care providers, health plans, clearinghouses, and other affected groups, such as software vendors
• Solving complaints
• Conducting proactive compliance audits

Compliance with the adopted Administrative Simplification standards and operating rules can benefit organizations across the health care industry by streamlining electronic transactions and saving time and money.

On February 16, 2006, the Department of Health and Human Services (HHS) published the HIPAA Enforcement Rule. The rule details the procedures and amounts for imposing civil money penalties on covered entities that violate any HIPAA Administrative Simplification requirements.

Effective February 18, 2009, Section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act to change the amounts of civil money penalties that may be assessed for unresolved HIPAA violations.

Authority

CMS under the Secretary’s authority granted to HHS has the authority to investigate HIPAA transaction complaints and conduct compliance reviews for:

• Standards
• Code sets
• Unique identifiers
• Operating rules

CMS’s enforcement authority covers the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and subsequent legislation.

CMS authority does not extend to the HIPAA Security Rule and the Privacy Rule. The HHS Office for Civil Rights (OCR) manages complaints related to privacy and security.

Keep Up to Date!

Sign up for Administrative Simplification Email Updates and follow us on Twitter