[Federal Register Volume 70, Number 57 (Friday, March 25, 2005)]
[Notices]
[Pages 15329-15331]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-5795]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

[CMS-0014-N]


Procedures for Non-Privacy Administrative Simplification 
Complaints Under the Health Insurance Portability and Accountability 
Act of 1996

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice sets forth the procedures for filing with the 
Secretary of the Department of Health and Human Services a complaint of 
non-compliance by a covered entity with certain provisions of the 
administrative simplification rules under 45 CFR parts 160, 162, and 
164. It also describes the procedures the Department employs to review 
the complaints. These procedures are intended to facilitate the 
investigation and resolution of these complaints.

DATES: Effective Date: This notice is effective on April 25, 2005.

FOR FURTHER INFORMATION CONTACT: Michael Phillips, (410) 786-6713.

ADDRESSES: Complaints may be filed with CMS in two ways: (1) By 
Internet using the Administrative Simplification Enforcement Tool at 
http://htct.hhs.gov/. (2) By mail at: The Centers for Medicare & 
Medicaid Services, HIPAA TCS Enforcement Activities, P.O. Box 8030, 
Baltimore, MD 21244-8030.

SUPPLEMENTARY INFORMATION: The Secretary of Health and Human Services 
delegated to the Administrator, Centers for Medicare & Medicaid 
Services (CMS), the authority to investigate complaints of 
noncompliance with, and to make decisions regarding the interpretation, 
implementation, and enforcement of certain regulations adopting 
administrative simplification

[[Page 15330]]

standards. See 68 FR 60694 (October 23, 2003). These regulations are 
codified at 45 CFR, parts 160, 162, and 164. This delegation includes 
authority with respect to the regulations known as follows: the 
Transaction and Code Set Rule (TCS), 65 FR 50313 (August 17, 2000), the 
National Employer Identifier Number (EIN) Rule, 67 FR 38009 (May 31, 
2002), the Security Rule, 68 FR 8334 (February 20, 2003), the National 
Provider Identifier Rule, 69 FR 3434 (January 23, 2004), and the 
National Plan Identifier Rule (currently under development).
    This delegation does not include authority with respect to the 
regulations adopted under section 264 of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, as 
amended, known as the Privacy Rule. The Secretary has delegated to the 
Office for Civil Rights the authority to receive and investigate 
complaints as they may relate to the Privacy Rule codified at 45 CFR 
parts 160 and 164. For the purpose of this notice, ``administrative 
simplification provisions'' means the administrative simplification 
regulatory requirements under HIPAA, other than privacy. For more 
information about the administrative simplification provisions of HIPAA 
or what entities the law covers, go to http://www.cms.hhs.gov/hipaa/hipaa2.

1. Procedures for Filing Complaints

    A person who believes that a covered entity is not complying with 
the applicable administrative simplification provisions may file a 
complaint with CMS. The term ``covered entity'' is defined at 45 CFR 
160.103 and includes health plans, health care clearinghouses, and 
health care providers who conduct certain health care transactions 
electronically. A fourth type of covered entity, prescription drug card 
sponsors, was added by the Medicare Prescription Drug, Improvement, and 
Modernization Act of 2003 (Pub. L. 108-173). CMS will not accept 
complaints until on or after the compliance date for the specific 
administrative simplification provision in question. (For example, 
complaints alleging a failure to comply with the Security Rule will not 
be accepted until after April 20, 2005.)
    In order to permit efficient use of CMS resources, complaints must 
meet all of the following requirements:
     Be filed in writing, either on paper or electronically. 
CMS will not accept faxed complaints.
     Describe the acts or omissions believed to be in violation 
of the applicable administrative simplification provisions.
     Provide contact information, including name, address, and 
telephone number, for the complainant and the covered entity that are 
the subject of the complaint.
     Be filed within 180 days of when the complainant knew or 
should have known that the act or omission that is the subject of the 
complaint occurred, unless this time limit is waived by CMS for good 
cause shown.
    Complainants may, but are not required to, use the CMS complaint 
form, which can be downloaded at http://www.cms.hhs.gov.

2. Procedures for Initial Processing of Complaints

    Upon receipt of a complaint, CMS will review the complaint to 
determine if CMS will accept it for processing. CMS reserves the right 
to reject complaints. CMS will acknowledge its receipt of a complaint 
filed within 14 calendar days of receipt. That acknowledgment may be 
either electronic or on paper.
    After CMS receives the complaint, CMS will make a preliminary 
review of the complaint to determine whether it is complete and appears 
to allege a failure to comply with an administrative simplification 
provision. The review will typically proceed as follows:
     If the complaint is complete and appears to allege a 
failure to comply with the applicable administrative simplification 
provisions, CMS will notify the complainant that the complaint is 
accepted for processing and further review. Acceptance of a complaint 
for processing and further review does not represent a determination 
that a compliance failure has occurred.
     If additional information is required to make the 
preliminary determination, CMS will ask the complainant to provide the 
additional information within a reasonable time, and the complaint will 
be held in abeyance until that information is received. Failure to 
provide the requested additional information when requested by CMS may 
lead to closure of the complaint, without prejudice to the 
complainant's right to re-file the complaint.
     CMS will close a complaint if it does not state a claim 
upon which CMS may act.
    A complaint may be withdrawn at any time, upon notice to CMS in 
such form and manner as CMS may require. Even if a complaint is 
withdrawn, CMS may nonetheless determine to continue its investigation 
of the alleged non-compliance complaint. In general, a complaint that 
has been withdrawn before investigation may be re-filed. Complainants 
are, however, cautioned that they must re-file their complaint within 
180 days of the date on which the complainant knew or should have known 
that the act or omission that is the subject of the complaint occurred, 
and should not assume that this time limit will be waived by CMS.
3. Complaint Processing and Review--Procedures
    If after initial processing, as outlined in the previous section, a 
complaint is accepted for processing and review, CMS will begin an 
investigation of the complaint. CMS may request from the complainant 
such additional information and materials as it may require in order to 
evaluate whether a compliance failure may have occurred, as alleged in 
the complaint. Failure to provide the information when requested may 
result in closure of the complaint.
    If based on the preliminary review and any additional information 
gathering CMS ascertains that a compliance failure by a covered entity 
may have occurred, CMS will advise the covered entity that a complaint 
has been filed and will inform the covered entity of the alleged 
compliance failure.
    CMS will work with covered entities to obtain voluntary compliance. 
CMS will ask the covered entity to respond to the alleged compliance 
failure by submitting in writing: (1) A statement demonstrating 
compliance; or (2) a statement setting forth with particularity the 
basis for its disagreement with the allegations; or (3) a corrective 
action plan. CMS will afford the covered entity a reasonable time to 
respond to CMS' request for information, generally 30 days. Extensions 
may be granted, on a case-by-case basis, at CMS's sole discretion, and 
for good cause shown. It is expected that, in most cases, no more than 
one extension, of an additional 30 days, will be granted.
    A covered entity that disagrees with the allegations made should 
set forth and document, where possible: (1) Compliance; (2) in what 
respect it believes the allegations to be factually incorrect or 
incomplete; and/or (3) why it disagrees that its alleged actions or 
failures to act constitute a failure to comply. Upon receipt of this 
response from the covered entity, CMS may communicate further with the 
covered entity and request the opportunity to interview knowledgeable 
persons or to review additional documents or materials. CMS expects 
that additional information or access to witnesses will be provided in 
a timely manner. CMS may also seek additional information from the 
complainant.

[[Page 15331]]

    A covered entity may amend or supplement its response at any time 
and may propose voluntary compliance through a corrective action plan 
at any time. CMS may require modifications in the terms of a proposed 
corrective action plan as a prerequisite to accepting the corrective 
action plan. If a corrective action plan is accepted, CMS will actively 
monitor the plan, and the covered entity will be required to 
periodically report to CMS its progress towards compliance. If the 
covered entity comes into voluntary compliance, CMS will notify the 
complainant by mail or electronically. The parties to the complaint 
will be notified, as appropriate, when the complaint is closed.
    CMS will make reasonable efforts to secure a timely response from 
the covered entity. If the covered entity fails or refuses to provide 
the information sought, an investigational subpoena may be issued in 
accordance with 45 CFR 160.504 to require the attendance and testimony 
of witnesses and/or the production of any other evidence sought in 
furtherance of the investigation.
    After finding that a violation exists, the Secretary will pursue 
other options, such as, but not limited to, civil money penalties.

Collection of Information Requirements

    The form associated with this complaint process entitled, ``HIPAA 
Non-Privacy Complaint Form'', is currently approved under OMB control 
number 0938-0948.

    Authority: Sections 1102 and 1171 through 1179 of the Social 
Security Act (42 U.S.C. 1302a and 1320d through 1320d-8).

    Dated: December 7, 2004.
Tommy G. Thompson,
Secretary.
[FR Doc. 05-5795 Filed 3-24-05; 8:45 am]
BILLING CODE 4120-01-P