Enforcement

The Secretary of Health and Human Services (HHS) delegated to the Administrator, Centers for Medicare & Medicaid Services (CMS), the authority to investigate complaints of noncompliance with, and to make decisions regarding the interpretation, implementation, and enforcement of certain regulations adopting administrative simplification standards. This delegation includes authority with respect to the regulations known as follows: the Transaction and Code Set Rule (TCS), 65 FR 50312 (August 17, 2000), the National Employer Identifier Number (EIN) Rule, 67 FR 38009 (May 31, 2002), the National Provider Identifier Rule, 69 FR 3434 (January 23, 2004), and the National Plan Identifier Rule (currently under development).  This delegation does not include authority with respect to the Security Rule (as of July 27, 2009) and the Privacy Rule.  The Secretary has delegated to the Office for Civil Rights the authority to receive and investigate complaints as they may relate to the Privacy Rule and the Security Rule.

Summary of Responses for the CMS Enforcement RFI

On October 16, 2009 the Centers for Medicare & Medicaid Services (CMS) published a Request for Information (RFI) to obtain stakeholder input on future strategies and enhancements to the Enforcement process for transaction and code set violations (TCS), under the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In addition to our ongoing TCS enforcement process, the February 16, 2006 final rule on Enforcement (45 CFR 160.308) authorized the Secretary to conduct compliance reviews to determine if covered entities are complying with the HIPAA Administrative Simplification provisions. In 2007, CMS invoked that authority with respect to enforcement of the Security Rule, prior to the transfer of Security Rule enforcement authority to the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) in 2009.

The current HIPAA TCS enforcement process is primarily complaint-driven. To date, the CMS enforcement strategy has been to provide technical assistance and seek the cooperation of all parties to the complaint, to help achieve compliance.

With the impending Version 5010 implementation, and the recent requirements of both the American Recovery and Reinvestment Act , and the Patient Protection and Affordable Care Act, we recognize there may be a need for an enhanced enforcement process whereby CMS would proactively address HIPAA TCS compliance issues through a compliance audit process. We solicited input on both the strength and weaknesses of the current TCS enforcement process; barriers to complaints being filed and how to eliminate those barriers; technical and business problems associated with adoption of HIPAA standards; and other questions.

We received a total of twelve responses to the RFI by the December 3, 2009 response close period. The responses represented providers, health plans, vendors and professional associations. For a summary of the comments, CMS' analysis and next steps, see the link in the Downloads section below.