

Procedures for Non-Privacy Administrative Simplification Complaints Under the Health Insurance Portability and Accountability Act of 1996


This document has been published in the Federal Register.



Agency: Centers for Medicare & Medicaid Services (CMS), HHS.




This notice sets forth the procedures for filing with the Secretary of the Department of Health and Human Services a complaint of non-compliance by a covered entity with certain provisions of the administrative simplification rules under 45 CFR parts 160, 162, and 164. It also describes the procedures the Department employs to review the complaints. These procedures are intended to facilitate the investigation and resolution of these complaints.


Effective Date: This notice is effective on April 25, 2005.

For Further Information Contact: Michael Phillips, (410) 786-6713.


Complaints may be filed with CMS in two ways: (1) By Internet using the Administrative Simplification Enforcement Tool at​. (2) By mail at: The Centers for Medicare & Medicaid Services, HIPAA TCS Enforcement Activities, P.O. Box 8030, Baltimore, MD 21244-8030.



The Secretary of Health and Human Services delegated to the Administrator, Centers for Medicare & Medicaid Services (CMS), the authority to investigate complaints of noncompliance with, and to make decisions regarding the interpretation, implementation, and enforcement of certain regulations adopting administrative simplification standards. See 68 FR 60694 (October 23, 2003). These regulations are codified at 45 CFR, parts 160, 162, and 164. This delegation includes authority with respect to the regulations known as follows: the Transaction and Code Set Rule (TCS), 65 FR 50313 (August 17, 2000), the National Employer Identifier Number (EIN) Rule, 67 FR 38009 (May 31, 2002), the Security Rule, 68 FR 8334 (February 20, 2003), the National Provider Identifier Rule, 69 FR 3434 (January 23, 2004), and the National Plan Identifier Rule (currently under development).

This delegation does not include authority with respect to the regulations adopted under section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, as amended, known as the Privacy Rule. The Secretary has delegated to the Office for Civil Rights the authority to receive and investigate complaints as they may relate to the Privacy Rule codified at 45 CFR parts 160 and 164. For the purpose of this notice, “administrative simplification provisions” means the administrative simplification regulatory requirements under HIPAA, other than privacy. For more information about the administrative simplification provisions of HIPAA or what entities the law covers, go to​hipaa/​hipaa2.

1. Procedures for Filing Complaints

A person who believes that a covered entity is not complying with the applicable administrative simplification provisions may file a complaint with CMS. The term “covered entity” is defined at 45 CFR 160.103 and includes health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. A fourth type of covered entity, prescription drug card sponsors, was added by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108-173). CMS will not accept complaints until on or after the compliance date for the specific administrative simplification provision in question. (For example, complaints alleging a failure to comply with the Security Rule will not be accepted until after April 20, 2005.)

In order to permit efficient use of CMS resources, complaints must meet all of the following requirements:

  • Be filed in writing, either on paper or electronically. CMS will not accept faxed complaints.
  • Describe the acts or omissions believed to be in violation of the applicable administrative simplification provisions.
  • Provide contact information, including name, address, and telephone number, for the complainant and the covered entity that are the subject of the complaint.
  • Be filed within 180 days of when the complainant knew or should have known that the act or omission that is the subject of the complaint occurred, unless this time limit is waived by CMS for good cause shown.

Complainants may, but are not required to, use the CMS complaint form, which can be downloaded at

2. Procedures for Initial Processing of Complaints

Upon receipt of a complaint, CMS will review the complaint to determine if CMS will accept it for processing. CMS reserves the right to reject complaints. CMS will acknowledge its receipt of a complaint filed within 14 calendar days of receipt. That acknowledgment may be either electronic or on paper.

After CMS receives the complaint, CMS will make a preliminary review of the complaint to determine whether it is complete and appears to allege a failure to comply with an administrative simplification provision. The review will typically proceed as follows:

  • If the complaint is complete and appears to allege a failure to comply with the applicable administrative simplification provisions, CMS will notify the complainant that the complaint is accepted for processing and further review. Acceptance of a complaint for processing and further review does not represent a determination that a compliance failure has occurred.
  • If additional information is required to make the preliminary determination, CMS will ask the complainant to provide the additional information within a reasonable time, and the complaint will be held in abeyance until that information is received. Failure to provide the requested additional information when requested by CMS may lead to closure of the complaint, without prejudice to the complainant's right to re-file the complaint.
  • CMS will close a complaint if it does not state a claim upon which CMS may act.

A complaint may be withdrawn at any time, upon notice to CMS in such form and manner as CMS may require. Even if a complaint is withdrawn, CMS may nonetheless determine to continue its investigation of the alleged non-compliance complaint. In general, a complaint that has been withdrawn before investigation may be re-filed. Complainants are, however, cautioned that they must re-file their complaint within 180 days of the date on which the complainant knew or should have known that the act or omission that is the subject of the complaint occurred, and should not assume that this time limit will be waived by CMS.

3. Complaint Processing and Review—Procedures

If after initial processing, as outlined in the previous section, a complaint is accepted for processing and review, CMS will begin an investigation of the complaint. CMS may request from the complainant such additional information and materials as it may require in order to evaluate whether a compliance failure may have occurred, as alleged in the complaint. Failure to provide the information when requested may result in closure of the complaint.

If based on the preliminary review and any additional information gathering CMS ascertains that a compliance failure by a covered entity may have occurred, CMS will advise the covered entity that a complaint has been filed and will inform the covered entity of the alleged compliance failure.

CMS will work with covered entities to obtain voluntary compliance. CMS will ask the covered entity to respond to the alleged compliance failure by submitting in writing: (1) A statement demonstrating compliance; or (2) a statement setting forth with particularity the basis for its disagreement with the allegations; or (3) a corrective action plan. CMS will afford the covered entity a reasonable time to respond to CMS' request for information, generally 30 days. Extensions may be granted, on a case-by-case basis, at CMS's sole discretion, and for good cause shown. It is expected that, in most cases, no more than one extension, of an additional 30 days, will be granted.

A covered entity that disagrees with the allegations made should set forth and document, where possible: (1) Compliance; (2) in what respect it believes the allegations to be factually incorrect or incomplete; and/or (3) why it disagrees that its alleged actions or failures to act constitute a failure to comply. Upon receipt of this response from the covered entity, CMS may communicate further with the covered entity and request the opportunity to interview knowledgeable persons or to review additional documents or materials. CMS expects that additional information or access to witnesses will be provided in a timely manner. CMS may also seek additional information from the complainant.

A covered entity may amend or supplement its response at any time and may propose voluntary compliance through a corrective action plan at any time. CMS may require modifications in the terms of a proposed corrective action plan as a prerequisite to accepting the corrective action plan. If a corrective action plan is accepted, CMS will actively monitor the plan, and the covered entity will be required to periodically report to CMS its progress towards compliance. If the covered entity comes into voluntary compliance, CMS will notify the complainant by mail or electronically. The parties to the complaint will be notified, as appropriate, when the complaint is closed.

CMS will make reasonable efforts to secure a timely response from the covered entity. If the covered entity fails or refuses to provide the information sought, an investigational subpoena may be issued in accordance with 45 CFR 160.504 to require the attendance and testimony of witnesses and/or the production of any other evidence sought in furtherance of the investigation.

After finding that a violation exists, the Secretary will pursue other options, such as, but not limited to, civil money penalties.

Collection of Information Requirements

The form associated with this complaint process entitled, “HIPAA Non-Privacy Complaint Form”, is currently approved under OMB control number 0938-0948.


Authority: Sections 1102 and 1171 through 1179 of the Social Security Act (42 U.S.C. 1302a and 1320d through 1320d-8).


Dated: December 7, 2004.

Tommy G. Thompson,



[FR Doc. 05-5795 Filed 3-24-05; 8:45 am]