CMS-10148_Supporting_Statement_Part_A

CMS-10148_Supporting_Statement_Part_A.docx

HIPAA Administrative Simplification Non-Privacy Enforcement

OMB: 0938-0948








Supporting Statement Part A

HIPAA Administrative Simplification

(Non-Privacy/Security)

Complaint Form

(CMS-10148)

OMB No. 0938-0948



The Secretary of Health and Human Services (The Secretary) codified 45 CFR Parts 160 and 164 Administrative Simplification provisions that apply to the enforcement of the Health Insurance Portability and Accountability Act of 1996 Public Law 104-191 (HIPAA). The provisions address rules relating to the investigation of non-compliance of the HIPAA Administrative Simplification code sets, unique identifiers, operating rules, and transactions.  45 CFR Section 160.306 provides for investigations of covered entities by the Secretary. Further, it outlines the procedures and requirements for filing a complaint against a covered entity. 


The authority for administering and enforcing compliance with non-privacy/security HIPAA rules has been delegated to the HHS Centers for Medicare & Medicaid Services (CMS) Enforcement Rule.


In addition to an online complaint management tool, CMS provides a paper complaint form for stakeholders who wish to mail in their complaints. The Division of National Standards (DNS) currently utilizes the OMB control number 0938-0948 Expiration 2/29/2020 for collection of information related to HIPAA complaints of administrative simplification non-compliance.


The current paper complaint form was modified as a result of the transition to a new online tool which requires additional Personal Identifiable Information/Personal Health Information. The modified complaint form includes the following fields:


  1. Complaint type category - operating rules

  2. Removal of security standards

  3. Complainant Email Address

  4. Complainant Organization Role

  5. Complainant Organization Type

  6. Complainant Title

  7. Filed Against Entity Email Address

  8. Filed Against Entity Organization Role

  9. Filed Against Entity Organization Type

  10. Filed Against Entity Title

  11. Non-Compliant HIPAA Transaction Received

  12. Compliant Transaction Sent and Rejected

  13. Invalid Companion Guide

  14. Code Set Received or Sent and Rejected

  15. Failure to Conduct a Standard Transaction












Background



The authority for administering and enforcing compliance with the non-privacy/security Health Insurance Portability and Accountability Act (HIPAA) rules has been delegated to the Centers for Medicare & Medicaid Services (CMS). At present, CMS’ compliance and enforcement activities are primarily complaint-based. Although our enforcement efforts are focused on investigating complaints, they may also include conducting compliance reviews to determine if a covered entity is in compliance. Potential violations can come through a complaint form or a compliance review.



The purpose of this collection is to update the complaint form as described in CMS-0014-N (70 FR 15329), procedures for non-privacy Administrative Simplification complaints, to capture complaint information voluntarily submitted to CMS, Program Management National Standards Group (PMNSG), from the public regarding HIPAA Administrative Simplification (A.S.) regulations. The form may not be used to file complaints regarding HIPAA Privacy and Security Rules.



In accordance with the Paperwork Reduction Act (1995), no persons are required to respond to a collection of information unless it displays a valid Office of Management and Budget (OMB) control number. The valid OMB control number for this information collection is 0938-0948 (Expires 02/29/20). The time required to complete this information collection is estimated to average 1 hour per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection.

Justification



1. Need and Legal Basis


Section 1173 of the Social Security Act (the Act), 42 U.S.C. 1320d–2, and section 264 of HIPAA require the Department of Health and Human Services’ Secretary to adopt a number of national standards to facilitate the exchange of certain health information and to protect the privacy and security of such information. The Secretary has adopted a number of national standards. Covered entities are required to comply with these HIPAA standards.


In addition, the Secretary promulgated rules that relate to compliance with, and enforcement of, the HIPAA rules, which are codified at 45 CFR Part 160, subparts C, D, and E. On April 17, 2003, the Secretary first issued an interim final rule (IFC) titled “Civil Money Penalties: Procedures for Investigations, Imposition of Penalties” (68 FR 18896). This IFC promulgated the procedural requirements for imposition of civil money penalties on violations of the privacy standards. On April 18, 2005, the Secretary subsequently published a proposed rule titled “HIPAA Administrative Simplification: Enforcement; Proposed Rule” (70 FR 20224).


This collection of information modifies the current form (0938-0948) to remove the HIPAA Privacy/Security complaint category section. The section of the complaint form is revised to read “Identify the HIPAA Non-Privacy/Security complaint category.” In this section, complainants are given an opportunity to check the “Unique Identifiers” and “Operating Rules” options to additionally categorize the type of HIPAA complaint being filed.


The modified form adds an option for filing complaints under Unique Identifier and Operating Rules. It also requests an email address for filed against entities, if available. We believe that these changes decrease the impact of the hours and wages burden estimate and do not introduce any additional burden impact.


This form may be expanded to collect additional HIPAA Administrative Simplification complaint types in the future.



2. Information Users



Anyone can file a complaint if he or she suspects a potential violation. Persons believing that a covered entity is not utilizing the adopted Administrative Simplification provisions of HIPAA are requested to file a complaint to the Centers for Medicare & Medicaid Services (CMS) via the Administrative Simplification Enforcement and Testing Tool (ASETT) online system, by mail or by sending an email to the HIPAA mailbox at [email protected]. Information provided on the standard form will be used during the investigation process to validate non-compliance of HIPAA Administrative Simplification provisions.


This standard form collects identifying and contact information of the complainant, as well as the identifying and contact information of the filed against entity (FAE). This information enables CMS to respond to the complainant and gather more information if necessary, and to contact the FAE to discuss the complaint and CMS’ findings.

In addition to the identifying and contact information, the standard form collects a summary which outlines the nature of the complaint. This summary is used to determine the validity of the complaint, and to categorize the complaint as related to transactions, standards, code sets, unique identifiers, and/or operating rules. This ensures the appropriate direction of the complaint process and enables CMS to produce accurate reports regarding complaint activity.




3. Use of Information Technology



This process involves the use of electronic and paper collection techniques. It is expected that approximately 98% of complaints submitted would be done electronically. The electronic process allows for a more efficient submission process. This collection of information form is currently available for completion electronically. The collection requires an acknowledgement submission button as the electronic signature or signature on paper.



4. Duplication of Efforts



This information collection does not duplicate any other effort and the information cannot be obtained from any other source.



5. Small Businesses



This collection reduces the impact on small businesses or other small entities if the entity chooses to submit a HIPAA Administrative Simplification complaint. The burden is minimized by allowing an entity of any size to submit complaints electronically.



6. Less Frequent Collection



Submission of the complaint form is a voluntary process.



7. Special Circumstances



This information collection does not contain any special circumstances.



8. Federal Register/Outside Consultation



The 60-day Federal Register notice was published on March 29, 2018. We received two public comments.


The 30-day Federal Register notice was published on August 18, 2018.



9. Payments/Gifts to Respondents



There will be no payments and/or gifts to respondents.



10. Confidentiality



Filing a complaint with CMS is voluntary. However, without the information requested on the complaint form, CMS may be unable to proceed with a complaint. CMS collects this information under authority of the Enforcement Rule issued pursuant to HIPAA. CMS will use the information provided to determine jurisdiction and, if so, how to process the complaint. Information submitted on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974.

Names or other identifying information about individuals are disclosed only when it is necessary for investigation of possible HIPAA Administrative Simplification Non-Privacy/Security violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with HIPAA Administrative Simplification Non-Privacy/Security compliance and as permitted by SORN 09-90-0052.



11. Sensitive Questions



This information collection does not contain any sensitive questions.



12. Burden Estimates (Hours & Wages)



Public reporting burden for the collection of information on this modified complaint form is reduced due to electronic transmission capability and is estimated to average 60 minutes per form, which would include the time for reviewing instructions, gathering the data needed and entering and reviewing the information on the completed complaint form.


It is estimated that approximately 125 respondents per year will file HIPAA Administrative Simplification Non-Privacy/Security complaints using this form. The total public reporting burden per year will be approximately 7,500 minutes (125 hours). This estimate is based on the current average number of complaints received over the past three years.


Filing a complaint using the form is a one-time burden. To estimate cost, we used the median hourly labor rate of $16.36 reported for Office and Administrative Support Workers, All Other (43-9199), based on data from the Department of Labor, Bureau of Labor Statistics, May 2016 (https://www.bls.gov/oes/current/oes430000.htm). We added 100% of the median hourly labor wage to the value to account for fringe and overhead, which brings the total hourly wage to $32.72 ($16.36 + $16.36).


The estimated cost calculation is determined by having one respondent complete the form on an annual basis. The time to complete the response for an administrative worker, as referenced in the labor statistics above, will not exceed one hour.


Based on an estimated 125 persons completing the form per year at $32.72/hour, the total cost burden is $4090 and the total hour burden is 125 hours.


(125 respondents) x (1 response/respondent) x (1 hour/response) x ($32.72/hour) = $4090/year.




13. Capital Costs



There are no capital costs for this collection.



14. Cost to Federal Government



There is no cost burden to the federal government as the form will be processed in the normal course of Federal duties.


15. Changes to Burden



This modification reduces the hours and wage burden estimate. The previous package estimated the time to complete each form at 2.67 hours. We have adjusted the burden estimate downward to 1 hour per submission. The previous package estimated that two persons would complete the complaint form. In this submission, we are revising our estimate as we believe the form will be completed by one person. In addition, we previously estimated that there would be a total of 500 submissions annually. As stated earlier in section 12, we have adjusted our estimate downward to 125 annual submissions based on the average number of submissions received over the last three years. Additionally, we have revised the information collection to account for the hourly labor wage including fringe and overhead.


Secondly, some content has been changed and/or reworded, and the instrument has been reformatted to improve readability and usability. The instrument captures the same information as the online tool. The instrument also mirrors the online tool. The instrument is now 508 compliant which makes it readable to those with disabilities.


Finally, we made some minor amendments and added the following fields:

  • Complaint type category of operating rules;

  • Removal of security standards;

  • Complainant email address, complainant organization role, complainant organization type, complainant title;

  • Filed against entity email address, filed against entity organization role, filed against entity organization type, filed against entity title;

  • Non-compliant HIPAA transaction received;

  • Compliant transaction sent and rejected;

  • Invalid companion guide;

  • Code set received or sent and rejected; and

  • Failure to conduct a standard transaction.



16. Publication/Tabulation Dates



Does not apply to this information collection.



17. Expiration Date



The expiration date of 2/29/2020 will be displayed on both the instrument and the related instructions as part of the PRA Disclosure Statement. The expiration date is also located in the upper left header of the instrument.





18. Certification Statement

There are no exceptions to the certification statement.



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Complaint Form PRA Package December 2017
Author: Cecily Austin
File Modified: 0000-00-00
File Created: 2021-01-20
