Supporting Statement for the Health Insurance Portability and Accountability Act (HIPAA) Administrative

Simplification (A.S.) Complaint Form

(CMS-10148; 0938-0948)

Background

This submission reinstates and modifies the information collection requirements in CMS-0014-N (70 FR 15329-15331). Due to an updated enforcement system being developed and implemented, it was anticipated that a paper form would not be needed or used. The transition of a series of personnel caused the submission of a continuing form to be inadvertently neglected. And with the migration of the preexisting system to the latest one required fields have changed.as of the June 2016 implementation. CMS continued to receive requests for the paper form. In the interim, the original form was infrequently and sporadically used as it was not removed from the website. The purpose of this collection is to update the complaint form to capture complaint information voluntarily submitted to the Centers for Medicare & Medicaid Services (CMS), Program Management National Standards Group (PMNSG) by the public regarding the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification (A.S.) regulations with the exception of the Privacy and Security Rules.

HIPAA became law in 1996 (Public Law 104–191). Subtitle F of Title II of HIPAA, titled ‘‘Administrative Simplification,’’ (A.S.) requires the Secretary of HHS to adopt national standards for certain information-related activities of the health care industry. The HIPAA provisions, by statute, apply only to “covered entities” referred to in section 1320d – 2(a) (1) of this title. Responsibility for administering and enforcing the HIPAA A.S. Transactions, Code Sets, Identifiers has been delegated to the Centers for Medicare & Medicaid Services (CMS). This updated information collected to administer these rules will be used to initiate enforcement actions.

This information-collection update clarifies the removal of the HIPAA Security complaint category. In this updated collection section, the information collection change clarifies the “Identify the HIPAA Non-Privacy/Security complaint category” section of the complaint form. In this section, complainants are given an opportunity to check the “Unique Identifiers” and “Operating Rules” option to additionally categorize the type of HIPAA complaint being filed. The revised form now includes an option for filing complaints under Unique Identifier and Operating Rules. It also requests email information about filed against entities, if available. The change does not impact the hours and wages burden estimate and does not introduce any additional burden impact.

1. Justification

1 .Need and Legal Basis

The Secretary of Health and Human Services delegated to the Administrator, Centers for Medicare & Medicaid Services (CMS), the authority to investigate complaints of noncompliance with, and to make decisions regarding, the interpretation, implementation, and enforcement of administrative simplification standards that include administrative health care transactions, code sets, unique identifiers and operating rules that supplement the transaction standards. See 68 FR 60694 (October 23, 2003). These regulations are codified at 45 CFR, parts 160, 162, For example, if an entity is conducting health care claim transactions with a trading partner, and is required by the trading partner to use non-compliant ICD-10 codes to get the claim paid, the submitter could file a HIPAA complaint. The complaint could be filed electronically, or using the paper form that is the subject of this PRA.

Once the CMS enforcement team receives the complaint, whether it is electronic or on the paper form, an investigation ensues.and164. This delegation includes authority with respect to the following regulations: the Transaction and Code Set Rule (TCS), 65 FR 50313 (August 17, 2000), the National Employer Identifier Number (EIN) Rule, 67 FR 38009 (May 31, 2002), the Security Rule, 68 FR 8334 (February 20, 2003), the National Provider Identifier (NPI) Rule, 69 FR 3434 (January 23, 2004) and the HIPAA Enforcement Final Rule, 45 CFR Parts 160 and 164 (February 16, 2006).

This delegation does not include authority with respect to the regulations adopted under section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, as amended, known as the HIPAA Security Rule. The Security Rule is a set of federal security standards to protect the confidentiality, integrity, and availability of electronic protected health information. The Secretary of HHS delegated authority for administration and enforcement of the Security Rule to OCR on July 27, 2009. Before that date, the Centers for Medicare and Medicaid Services (CMS) was responsible for enforcing the Security Rule, including investigating complaints and conducting compliance reviews. For the purpose of this notice, “administrative simplification provisions” means the administrative simplification regulatory requirements under HIPAA, other than privacy and security.

2. Information Users

It is expected that covered entities under HIPAA (health plans, health care clearinghouses, and health care providers) and any entity requesting to file a complaint will use this form. The complaint form is available to all internal and external entities, as well as, individuals. Anyone can file a complaint if they suspect a potential violation. CMS enforcement staff use the information to investigate allegations of non-compliance with the HIPAA adopted transaction standards, code sets, unique identifiers and operating rules.

2. Use of Information Technology

This process involves the use of electronic and paper collection techniques. It is expected that approximately 95% of complaints submitted will be electronic. The electronic process allows for a more efficient submission process. This collection is currently available for completion electronically and will be expanded to collect additional HIPAA A.S. complaint types in the future. The collection requires an acknowledgement submission button as the electronic signature or signature on paper.

2. Duplication of Efforts

This information collection does not duplicate any other effort and the information cannot be obtained from any other source.

2. Small Businesses

This collection would impact small businesses or other small entities if the entity chooses to submit a HIPAA A.S. complaint. The burden is minimized by allowing an entity of any size to submit complaints electronically.

2. Less Frequent Collection

Submission of the complaint form is a voluntary process.

2. Special Circumstances

This information collection does not contain any special circumstances.

2. Federal Register/Outside Consultation

The Federal Register notice published on June 6, 2016.

2. Payments/Gifts to Respondents

There will be no payments and/or gifts to respondents.

2. Confidentiality

Filing a complaint with CMS is voluntary. However, without the information requested on the complaint form, CMS may be unable to proceed with a complaint. CMS collects this information under authority of 68 FR 60694 (October 23, 2003) issued pursuant to the HIPAA. CMS will use the information provided to determine if CMS has jurisdiction and, if so, how CMS will process the complaint. Information submitted on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974. Names or other identifying information about individuals are disclosed only when it is necessary for investigation of possible HIPAA A.S. Non-Privacy violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with HIPAA A.S. Non-Privacy compliance and as permitted by SORN 09-90-0052.

2. Sensitive Questions

This information collection does not contain any sensitive questions.

2. Burden Estimates (Hours & Wages)

Public reporting burden for the collection of information on this updated complaint form has not changed and is estimated to average 1 hour per response, including the time for reviewing instructions, gathering the data needed and entering and reviewing the information on the completed complaint form. It is estimated that approximately 500 respondents per year will file HIPAA Non-Privacy/Security complaints using this form. The total public reporting burden per year will be approximately 500 hours. This estimate is based on the current average number of complaints received over the past three years.

This information collection change clarifies the “Identify the HIPAA Non-Privacy/Security complaint category” section of the complaint form. In this section, complainants are given an opportunity to check the “Unique Identifiers” and “Operating Rules” option to additionally categorize the type of HIPAA complaint being filed. The revised form now includes an option for identifying Unique Identifier and Operating Rules complaints.

2. Capital Costs

There are no capital costs for this collection.

2. Cost to Federal Government

There is no cost burden to the federal government as the form will be processed in the normal course of Federal duties. Two FTEs at the GS-13 level and 1 FTE at the GS-12 level will review this document. The expected totals are 30% of their daily workload.

2. Changes to Burden

This information collection change clarifies that the “Identify the HIPAA Non-Privacy/Security complaint category” sections strictly used for potential privacy and security complaints. These complaints are investigated through the Office of Civil Rights (OCR).The original complaint form indicated that complainants were given the opportunity to file complaints under the administrative simplification standards of code sets and transactions. The revised form now includes an option for complaints to file under Unique Identifier and Operating Rules. It also requests email information about filed against entities, if available. This change does not impact the hours and wages burden estimate.

2. Publication/Tabulation Dates

Does not apply to this information collection.

2. Expiration Date

The expiration date has been added to the form as part of the standard PRA disclosure statement. It is also posted in the top left corner of the document. We also added the expiration date to the instruction document.

2. Certification Statement

There are no exceptions to the certification statement.