[Federal Register: March 25, 2005 (Volume 70, Number 57)]
[Notices]
[Page 15329-15331]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr25mr05-60]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
[CMS-0014-N]
Procedures for Non-Privacy Administrative Simplification
Complaints Under the Health Insurance Portability and Accountability
Act of 1996
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice sets forth the procedures for filing with the
Secretary of the Department of Health and Human Services a complaint of
non-compliance by a covered entity with certain provisions of the
administrative simplification rules under 45 CFR parts 160, 162, and
164. It also describes the procedures the Department employs to review
the complaints. These procedures are intended to facilitate the
investigation and resolution of these complaints.
DATES: Effective Date: This notice is effective on April 25, 2005.
FOR FURTHER INFORMATION CONTACT: Michael Phillips, (410) 786-6713.
ADDRESSES: Complaints may be filed with CMS in two ways: (1) By
Internet using the Administrative Simplification Enforcement Tool at
http://htct.hhs.gov/. (2) By mail at: The Centers for Medicare &
Medicaid Services, HIPAA TCS Enforcement Activities, P.O. Box 8030,
Baltimore, MD 21244-8030.
SUPPLEMENTARY INFORMATION: The Secretary of Health and Human Services
delegated to the Administrator, Centers for Medicare & Medicaid
Services (CMS), the authority to investigate complaints of
noncompliance with, and to make decisions regarding the interpretation,
implementation, and enforcement of certain regulations adopting
administrative simplification
standards. See 68 FR 60694 (October 23, 2003). These regulations are
codified at 45 CFR, parts 160, 162, and 164. This delegation includes
authority with respect to the regulations known as follows: the
Transaction and Code Set Rule (TCS), 65 FR 50313 (August 17, 2000), the
National Employer Identifier Number (EIN) Rule, 67 FR 38009 (May 31,
2002), the Security Rule, 68 FR 8334 (February 20, 2003), the National
Provider Identifier Rule, 69 FR 3434 (January 23, 2004), and the
National Plan Identifier Rule (currently under development).
This delegation does not include authority with respect to the
regulations adopted under section 264 of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, as
amended, known as the Privacy Rule. The Secretary has delegated to the
Office for Civil Rights the authority to receive and investigate
complaints as they may relate to the Privacy Rule codified at 45 CFR
parts 160 and 164. For the purpose of this notice, ``administrative
simplification provisions'' means the administrative simplification
regulatory requirements under HIPAA, other than privacy. For more
information about the administrative simplification provisions of HIPAA
or what entities the law covers, go to http://www.cms.hhs.gov/hipaa/hipaa2.
1. Procedures for Filing Complaints
A person who believes that a covered entity is not complying with
the applicable administrative simplification provisions may file a
complaint with CMS. The term ``covered entity'' is defined at 45 CFR
160.103 and includes health plans, health care clearinghouses, and
health care providers who conduct certain health care transactions
electronically. A fourth type of covered entity, prescription drug card
sponsors, was added by the Medicare Prescription Drug, Improvement, and
Modernization Act of 2003 (Pub. L. 108-173). CMS will not accept
complaints until on or after the compliance date for the specific
administrative simplification provision in question. (For example,
complaints alleging a failure to comply with the Security Rule will not
be accepted until after April 20, 2005.)
In order to permit efficient use of CMS resources, complaints must
meet all of the following requirements:
* Be filed in writing, either on paper or electronically. CMS will
  not accept faxed complaints.
* Describe the acts or omissions believed to be in violation of the
  applicable administrative simplification provisions.
* Provide contact information, including name, address, and
  telephone number, for the complainant and the covered entity that are
  the subject of the complaint.
* Be filed within 180 days of when the complainant knew or should
  have known that the act or omission that is the subject of the
  complaint occurred, unless this time limit is waived by CMS for good
  cause shown.
Complainants may, but are not required to, use the CMS complaint
form, which can be downloaded at http://www.cms.hhs.gov.
2. Procedures for Initial Processing of Complaints
Upon receipt of a complaint, CMS will review the complaint to
determine if CMS will accept it for processing. CMS reserves the right
to reject complaints. CMS will acknowledge its receipt of a complaint
filed within 14 calendar days of receipt. That acknowledgment may be
either electronic or on paper.
After CMS receives the complaint, CMS will make a preliminary
review of the complaint to determine whether it is complete and appears
to allege a failure to comply with an administrative simplification
provision. The review will typically proceed as follows:
* If the complaint is complete and appears to allege a failure to
  comply with the applicable administrative simplification provisions,
  CMS will notify the complainant that the complaint is accepted for
  processing and further review. Acceptance of a complaint for
  processing and further review does not represent a determination
  that a compliance failure has occurred.
* If additional information is required to make the preliminary
  determination, CMS will ask the complainant to provide the
  additional information within a reasonable time, and the complaint
  will be held in abeyance until that information is received. Failure
  to provide the requested additional information when requested by
  CMS may lead to closure of the complaint, without prejudice to the
  complainant's right to re-file the complaint.
* CMS will close a complaint if it does not state a claim upon which
  CMS may act.
A complaint may be withdrawn at any time, upon notice to CMS in
such form and manner as CMS may require. Even if a complaint is
withdrawn, CMS may nonetheless determine to continue its investigation
of the alleged non-compliance complaint. In general, a complaint that
has been withdrawn before investigation may be re-filed. Complainants
are, however, cautioned that they must re-file their complaint within
180 days of the date on which the complainant knew or should have known
that the act or omission that is the subject of the complaint occurred,
and should not assume that this time limit will be waived by CMS.
3. Complaint Processing and Review--Procedures
If after initial processing, as outlined in the previous section, a
complaint is accepted for processing and review, CMS will begin an
investigation of the complaint. CMS may request from the complainant
such additional information and materials as it may require in order to
evaluate whether a compliance failure may have occurred, as alleged in
the complaint. Failure to provide the information when requested may
result in closure of the complaint.
If based on the preliminary review and any additional information
gathering CMS ascertains that a compliance failure by a covered entity
may have occurred, CMS will advise the covered entity that a complaint
has been filed and will inform the covered entity of the alleged
compliance failure.
CMS will work with covered entities to obtain voluntary compliance.
CMS will ask the covered entity to respond to the alleged compliance
failure by submitting in writing: (1) A statement demonstrating
compliance; or (2) a statement setting forth with particularity the
basis for its disagreement with the allegations; or (3) a corrective
action plan. CMS will afford the covered entity a reasonable time to
respond to CMS' request for information, generally 30 days. Extensions
may be granted, on a case-by-case basis, at CMS's sole discretion, and
for good cause shown. It is expected that, in most cases, no more than
one extension, of an additional 30 days, will be granted.
A covered entity that disagrees with the allegations made should
set forth and document, where possible: (1) Compliance; (2) in what
respect it believes the allegations to be factually incorrect or
incomplete; and/or (3) why it disagrees that its alleged actions or
failures to act constitute a failure to comply. Upon receipt of this
response from the covered entity, CMS may communicate further with the
covered entity and request the opportunity to interview knowledgeable
persons or to review additional documents or materials. CMS expects
that additional information or access to witnesses will be provided in
a timely manner. CMS may also seek additional information from the
complainant.
A covered entity may amend or supplement its response at any time
and may propose voluntary compliance through a corrective action plan
at any time. CMS may require modifications in the terms of a proposed
corrective action plan as a prerequisite to accepting the corrective
action plan. If a corrective action plan is accepted, CMS will actively
monitor the plan, and the covered entity will be required to
periodically report to CMS its progress towards compliance. If the
covered entity comes into voluntary compliance, CMS will notify the
complainant by mail or electronically. The parties to the complaint
will be notified, as appropriate, when the complaint is closed.
CMS will make reasonable efforts to secure a timely response from
the covered entity. If the covered entity fails or refuses to provide
the information sought, an investigational subpoena may be issued in
accordance with 45 CFR 160.504 to require the attendance and testimony
of witnesses and/or the production of any other evidence sought in
furtherance of the investigation.
After finding that a violation exists, the Secretary will pursue
other options, such as, but not limited to, civil money penalties.
Collection of Information Requirements
The form associated with this complaint process entitled, ``HIPAA
Non-Privacy Complaint Form'', is currently approved under OMB control
number 0938-0948.
Authority: Sections 1102 and 1171 through 1179 of the Social
Security Act (42 U.S.C. 1302a and 1320d through 1320d-8).
Dated: December 7, 2004.
Tommy G. Thompson,
Secretary.
[FR Doc. 05-5795 Filed 3-24-05; 8:45 am]
BILLING CODE 4120-01-P