Enforcement and Compliance Overview

Compliance with the adopted Administrative Simplification requirements yields benefits to the healthcare industry, including providers, health plans, and clearinghouses. CMS is working to assist these entities in achieving widespread compliance through:

  • Education
  • Complaint-driven enforcement
  • Certification of Compliance rules (in development)

Administrative Simplification – Compliance and Enforcement

CMS, on behalf of HHS, has the authority to investigate complaints and audit for compliance with HIPAA standards for:

  • Transactions
  • Code sets
  • Unique identifiers
  • Operating rules

This includes authority with respect to the Administrative Simplification provisions of the:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Patient Protection and Affordable Care Act of 2010 (ACA)

CMS authority does not extend to the Security Rule and the Privacy Rule. The HHS Office for Civil Rights (OCR) receives and investigates complaints related to privacy and security.

HIPAA Administrative Simplification Enforcement Rule

On February 16, 2006, the Department of Health and Human Services (HHS) published the HIPAA Enforcement Rule.

The rule details the procedures and amounts for imposing civil money penalties on covered entities that violate any HIPAA Administrative Simplification requirements.

Effective February 18, 2009, Section 13410(d) of the HITECH Act amended section 1176(a) of the Social Security Act to revise the amounts of civil money penalties that may be assessed for unresolved HIPAA violations.

Code set enforcement includes ICD-10, which became effective October 1, 2015.

The HHS Office for Civil Rights (OCR) enforces HIPAA Security and Privacy rules.