• Enforcement


    CMS Named to Enforce HIPAA Transaction and Code Set Standards

    HIPAA Enforcement Fact Sheet

    • CMS has been designated by the Secretary of HHS to enforce the HIPAA administrative simplification provisions, with the exception of the privacy standards. This includes transactions and code sets, security and identifiers. CMS will also continue to enforce the insurance portability provisions under Title I of HIPAA.
    • In order to perform these duties, CMS will create a new office within the agency to focus on HIPAA activities. This office will establish and operate enforcement processes, develop regulations related to HIPAA standards, and conduct outreach activities to HIPAA covered entities. The office will report directly to the deputy administrator.
    • The enforcement process will be primarily complaint-driven. The focus of enforcement activities will be to obtain voluntary compliance through technical assistance. The process will be progressive, affording a covered entity against whom a complaint has been filed opportunities to demonstrate compliance or to develop a corrective action plan.
    • Privacy enforcement will be the responsibility of the HHS Office for Civil Rights, and the two agencies will work together to address common issues.
    • Penalties:
      • Under the Administrative Simplification Compliance Act (ASCA) -- noncompliant covered entities may be excluded from the Medicare program between October 16, 2002 and October 16, 2003 if they have not submitted an extension request.
      • Under HIPAA -- civil monetary penalties of not more than $100 for each violation, with a cap of $25,000 per calendar year. (Much larger penalties are provided for disclosure of individually identifiable health information.)
    • Key HIPAA Dates:
      • 10/16/02 -- Original compliance date for transactions and code sets
      • 10/15/02 -- Deadline for filing extension request
      • 10/16/03 -- Extended compliance date for transactions and code sets
      • 04/14/03 -- Initial compliance date for privacy