Supporting Statement Part-A
HIPAA Administrative Simplification (Non-
Privacy/Security) Complaint Form
(CMS-10148 OMB No. 0938-0948)
The Secretary of Health and Human Services (HHS), hereafter known as “The Secretary,” codified 45 CFR Parts 160 and 164 Administrative Simplification provisions that apply to the enforcement of the Health Insurance Portability and Accountability Act of
1996 Public Law 104-191 (HIPAA). The provisions address rules relating to the investigation of non-compliance of the HIPAA Administrative Simplification code sets, unique identifiers, operating rules, and transactions. 45 CFR Section 160.306, Complaints to the Secretary, provides for investigations of covered entities by the Secretary. Further, it outlines the procedures and requirements for filing a complaint against a covered entity.
The authority for administering and enforcing compliance of non-privacy/security HIPAA rules, has been delegated to the Centers for Medicare & Medicaid Services (CMS) Enforcement Rule.
In addition to an online complaint management tool, ASETT, CMS provides a paper complaint form for stakeholders who wish to voluntarily file a complaint. Complainants may mail the completed form to CMS or send it to the HIPAA mailbox at
[email protected]. The National Standards Group (NSG) currently uses the OMB control number 0938-0948 (Expiration date 12/31/2021) for collection of information related to non-compliance of HIPAA Administrative Simplification.
The authority for administering and enforcing compliance with the nonprivacy/security Health Insurance Portability and Accountability Act (HIPAA) rules has been delegated to the Centers for Medicare & Medicaid Services (CMS). At present, CMS’ compliance and enforcement activities are primarily complaint-based. Although our enforcement efforts are focused on investigating complaints, they also include conducting compliance reviews to determine if a covered entity is in compliance. Potential violations may come through a complaint form or a compliance review.
The purpose of this collection is to update the complaint form as described in CMS0014-N, procedures for non-privacy/security Administrative Simplification complaints.
The form voluntarily captures complaint information submitted to CMS, Office of Burden Reduction Health Informatics (OBRHI), National Standards Group (NSG), from the public regarding HIPAA Administrative Simplification provisions. The form may not be used to file complaints regarding HIPAA Privacy and Security Rules. These complaints are handled under the purview of the Department of Health and Human Service (HHS) Office of Civil Rights (OCR). The package includes modifications to the existing form.
The modifications include:
Removal of Office of Information Technology (OIT) logo and replaced with the CMS logo. The CMS logo replaces the agency logo, which is the standard logo.
The web link, http://www.cms.hhs.gov/, has been replaced with a specific link that directs users to the Regulation and Guidance tab, https://www.cms.gov/Regulationsand-Guidance/AdministrativeSimplification/HIPAA-ACA/index.
Under the “Code Sets” subsection, the following Current Procedural
Terminology CPT® codes version has been modified. The CPT code set version is updated every year. CPT-4 was replaced in 2001. As of 1/27/2021, the current CPT version is CPT 2021.
A period (.) has been added to the end of the following sentence under the “Unique Identifiers” subsection to make it grammatically correct: “Select if a covered entity is in violation of the following Unique Identifiers: National Provider Identifier (NPI), or Employer Identification Number (EIN).”
Under the “Operating Rules” subsection, CAQH-CORE’s weblink https://www.caqh.org/core/operating-rules has been added, where the Council for Affordable Quality Healthcare, Inc. (CAQH®) Committee on Operating Rules for Information Exchange® (CORE®) operating rules are found. Edifecs, a COREauthorized testing vendor, is providing the updated testing platform that supports Health Insurance Portability and Accountability Act (HIPAA) Version 5010 transactions and associated errata (v5010) operating rules and related test suites were developed under CORE®.
The “Do you want to remain anonymous?” question was revised to “Would you like to remain anonymous?” to make the statement more understandable. Further, the phrase “If you select yes, please note CMS will not share information with the Filed Against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to rules and policy under Freedom of Investigation Act (FOIA).” has been changed to “If you select yes, CMS will not share your information with the Filed against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to rules and policies under the Freedom of Information Act (FOIA).” This provides the Freedom of Information Act disclosure.
A period (.) has been added to the first complaint detail example to make it grammatically correct. “Non-Compliant HIPAA Transaction Received - You received a non-compliant HIPAA transaction from a covered entity.”
The following question was added to the “Complaint Details” section under “Complaint Description”: “Does the complaint relate to the FAE charging fees to conduct standard transactions?” The response is essential to accurately report complaint categories.
The word “referals” under the “Complaint Types” “Transaction Section” has been corrected to “referrals” to make it grammatically correct.
A period (.) has been added to the end of the sentence “If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: Centers for Medicare & Medicaid Services, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, Maryland 21244-1850” to make it grammatically correct.
Section 1173 of the Social Security Act 42 U.S.C. 1320d–2, and Section 264 of HIPAA, requires HHS Secretary to adopt a number of national standards to facilitate the exchange of certain health information and to protect the privacy and security of such information. The Secretary has adopted a number of national standards. Covered entities are required to comply with these HIPAA standards.
In addition, the Secretary promulgated rules that relate to compliance with, and enforcement of, the HIPAA rules, which are codified at 45 CFR Part 160, subparts C, D, and E. On April 17, 2003, The Secretary first issued an interim final rule (IFC) titled
“Civil Money Penalties: Procedures for Investigations, Imposition of Penalties” (42 C.F.R. 1320d-5). This IFC promulgated the procedural requirements for imposition of civil money penalties on violations of the privacy standards. On April 18, 2005, the Secretary subsequently published a proposed rule titled, HIPAA Administrative Simplification: Enforcement; Proposed Rule (70 FR 20224).
Anyone can file a complaint if he or she suspects a potential violation. Persons believing that a covered entity is not utilizing the adopted Administrative Simplification provisions of HIPAA are voluntarily requested to file a complaint with CMS via the Administrative Simplification Enforcement and Testing Tool (ASETT) online system, by mail, or by sending an email to the HIPAA mailbox at
[email protected]. Information provided on the standard form will be used during the investigation process to validate non-compliance of HIPAA Administrative Simplification provisions.
This standard form collects identifying and contact information of the complainant, as well as the identifying and contact information of the filed against entity (FAE). This information enables CMS to respond to the complainant and gather more information if necessary, and to contact the FAE to discuss the complaint and CMS’ findings.
In addition to the identifying and contact information, the standard form collects a summary that outlines the nature of the complaint. This summary is used to determine the validity of the complaint and to categorize the complaint as noncompliance to transactions, standards, code sets, unique identifiers, and/or operating rules. This ensures the appropriate direction of the complaint process investigation and enables CMS to produce accurate reports regarding complaint activity.
The HIPAA complaint process involves the use of both electronic and paper collection techniques. It is expected that approximately 89% of complaints will be completed electronically via the Administrative Simplification and Enforcement Testing Tool (ASETT), which allows for more efficient submission. Complainants can electronically file their complaints securely via the CMS IDM (Identity Management) system.
Both CMS and the complainants can manage their complaints in real-time via this system. The electronic format follows that of the paper complaint form; however, the user may also submit supporting documents and notes. The acknowledgment submission button serves as an electronic signature versus the wet signature on the paper form.
This information collection does not duplicate any other effort and the information cannot be obtained from any other source.
This collection reduces the impact on small businesses or other small entities if the entity chooses to submit a HIPAA Administrative Simplification complaint. The burden is minimized by allowing an entity of any size to submit complaints electronically.
Submission of the complaint form is voluntary. However, without the information requested on the complaint form, CMS may be unable to proceed with a complaint. CMS collects this information under authority of the Enforcement Rule issued pursuant to the HIPAA. CMS will use the information provided to determine jurisdiction and, if so, how to process the complaint. Information submitted on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974.
7. Special Circumstances
There are no special circumstances that would require an information collection to be conducted in a manner that requires respondents to:
• Report information to the agency more often than quarterly;
• Prepare a written response to a collection of information in fewer than 30 days after receipt of it;
• Submit more than an original and two copies of any document;
• Retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
• Collect data in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study,
• Use a statistical data classification that has not been reviewed and approved by OMB;
• Include a pledge of confidentiality that is not supported by authority established in statute or regulation that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
• Submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
Publication of the 60-day Federal Register Notice was published to the Federal Register (86 FR 42841) 08/05/2021.
One general comment was received and we have provided a response with the response to comment document.
Publication of the 30-day Federal Register Notice was published to the Federal Register (86 FR 57151) 10/14/2021.
9. Payments/Gifts to Respondents
There will be no payments and/or gifts to respondents to complete this form.
Filing a complaint with CMS is voluntary. However, without the missing information requested on the complaint form, CMS may be unable to proceed with a complaint. CMS collects this information under authority of the Enforcement Rule issued pursuant to the HIPAA. CMS will use the information provided to determine jurisdiction and, if so, how to process the complaint. Information submitted on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974.
Names or other identifying information about individuals are disclosed only when it is necessary for investigation of possible HIPAA Administrative Simplification NonPrivacy/Security violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with HIPAA Administrative Simplification Non-Privacy/Security compliance and as permitted by SORN 09-90-0052.
11. Sensitive Questions
This information collection does not contain any sensitive questions.
Public reporting burden for the collection of information on this modified complaint form is reduced due to electronic transmission capability and is estimated to average 60 minutes per form, which would include the time for reviewing instructions, gathering the data needed and entering and reviewing the information on the completed complaint form.
It is estimated that approximately 21 respondents per year will file HIPAA Administrative Simplification Non-Privacy/Security complaints using this form. The total public reporting burden per year will be approximately 1,260 minutes (21 hours). This estimate is based on the current average number of complaints received over the past three years.
Filing a complaint using the form is a one-time burden. To estimate cost, we used the median hourly labor rate of $17.05 reported for an Office and Administrative Support Workers All Other (43-9199), based on data from the Department of Labor, Bureau of Labor Statistics, September 1, 2020, (https://www.bls.gov/oes/current/oes430000.htm https://www.bls.gov/oes/current/oes439199.htm). We added 100% of the median hourly labor wage to the value to account for fringe and overhead which brings the total hourly wage to $34.10 ($17.05 + 17.05).
The estimated cost calculation is determined by having one respondent complete the form on an annual basis. The time to complete the response for an administrative worker, as referenced in the labor statistics above, will not exceed one hour.
Based on an estimated 21 persons completing the form per year at $34.10/hour, the total cost burden is $716.10, and the total hour burden is 21 hours.
(21 respondents) x (1 response/respondent) x (1 hour/response) x (34.10/hour) = $716.10/year.
13. Capital Costs
There are no capital costs for this collection.
There is no cost burden to the federal government as the form will be processed in the normal course of federal duties.
This modification reduces the hours and wage burden estimate. The previous package estimated that there would be a total of 125 submissions annually. As stated earlier in Section 12, we have adjusted our estimate downward to 21 annual submissions based on the average number of submissions received over the last three years. Additionally, we have revised the information collection to account for the hourly labor wage including fringe and overhead.
Some content has been changed and/or reworded and the instrument has been reformatted to improve readability and usability. The instrument captures the same information as the online tool. The instrument is now 508 compliant which makes it accessible to persons with disabilities.
16. Publication/Tabulation Dates
No publication or tabulation of data expected.
The expiration date will be displayed on both the instrument and in the related instructions as part of the Paperwork Reduction Act (PRA) Disclosure Statement. The expiration date is also located in the upper left header of the instrument.
There are no exceptions to the certification statement.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Stephan McKenzie |
File Modified | 0000-00-00 |
File Created | 2022-08-25 |