Notice of Compliance Review

Form Approved: OMB # 0938-1390
Expiration 02/29/2024

DEPARTMENT OF HEALTH & HUMAN SERVICES
Centers for Medicare & Medicaid Services
7500 Security Boulevard, Mail Stop N1-19-21
Baltimore, Maryland 21244-1850
Notice of Compliance Review
Date of Notice: FULLDATE
CONTACTNAME
JOBTITLE
CENAME
ADDRESS1
ADDRESS2
CITY, ST ZIP
Re: Compliance Review Number XXXXX
Dear FIRSTNAME LASTNAME:
The purpose of this notice is to inform you that the Department of Health and Human Services
(HHS), National Standards Group (NSG) within the Centers for Medicare & Medicaid Services
(CMS), has randomly selected  to be the subject of a Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and Affordable Care Act (ACA) compliance
review.
As part of the  compliance review, an assessment will be conducted to
determine compliance with the Administrative Simplification provisions as outlined in 45 CFR
Parts 160 and 162. The assessment includes a review of the HIPAA mandated transactions, code
sets, unique identifiers and operating rules, and will take approximately 30 days. Violations
discovered during the assessment may result in the implementation of a corrective action plan.
Further in this notice is a request for specific information and artifacts to be provided by your
organization (see Parts B and C). All information and artifacts requested within this notice must
be uploaded to the ASETT Covered Entity Portal no later than (month, day, year (within 10
business days)). Please refer to the CMS Identity Management (IDM) System and Compliance
Review Covered Entity Portal Access Quick Start User Guide to review instructions for accessing
the ASETT Covered Entity Portal.
Once received, we will review the documentation and notify you if it is satisfactory or additional
information is needed. All sensitive and/or confidential information received will be protected to
the full extent required by federal law.
If at any time you are unable to serve as the designated contact person for the  compliance review, please notify us immediately in writing, and provide a replacement
contact name, address, telephone number, and email address.
Disclosure Statement: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless
it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-1390. The time required to complete
this information collection is estimated to average 16 hours per response, including the time to review instructions, search existing data resources,
gather the data needed, and complete and review the information collection. If you have comments, concerning the accuracy of the time estimate(s)
or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Baltimore, Maryland
21244-1850.

NSG is responsible for promoting compliance of the HIPAA Administrative Simplification
requirements as referenced in 45 CFR Part 160.308. Additional information pertaining to
compliance can be found on the CMS website at: CMS Regulations and Guidance.
If you have any questions regarding this notice, please send an email to
[email protected]. Please include the compliance review number located at the
top of this notice.
Sincerely,
Michael Cimmino
[email protected]
Director
National Standards Group (NSG)
Office of Burden Reduction and Health Informatics
(OBRHI)

Enclosures: Parts A, B, C

Part A -Assessment Objectives, Scope, and Review Process
Assessment Objectives
The objective of the compliance review program is to conduct assessments and identify whether a
covered entity is compliant with the HIPAA adopted standards, and administrative simplification. In
addition, it affords the opportunity to correct noted deficiencies, allowing the covered entity to address
compliance issues before they potentially result in a complaint.
Assessment Scope
The scope of the assessment consists of the following actions:
•
•
•
•
•
•
•
•
•
•

Random selection of a covered entity
Notification to the covered entity
Artifact request from the covered entity
Artifacts provided by the covered entity
Assessment review conducted
Assessment outcome reported to covered entity
Covered entity reviews assessment outcome
Covered entity responds to assessment outcome
If necessary, covered entity referred for corrective action
Assessment finalized

Assessment Process
The assessment is to determine if the selected covered entity is compliant with adopted standards,
including transactions, code sets, unique identifiers, and operating rules. The following are used during
the assessment process:
•
•

•
•
•
•

HIPAA mandated electronic transactions
EDIFECS Onboarding and Testing Cloud Service (OTCS) and Transaction Management (TM)
validation tool results, which is accessed through the Administrative Simplification Enforcement
and Testing Tool (ASETT)
X12 Implementation guides (TR3s) and Requests for Interpretation (RFIs)
Applicable code sets
Applicable Council for Affordable Quality Healthcare Committee on Operating Rules for
Information Exchange (CAQH CORE) operating rules and attestations
Applicable companion guides

Part B - Entity Information
This section is intended to collect organization and contact information. A qualified member of
the organization must complete all applicable sections.
Section 1. Organization and Point of Contact Information
Organization Information
Organization
Name:
Contact Name:

DBA 1:

Telephone:

E-mail:

Business
Address:
State/Province
:
URL:

City:

Title:

Country:

Zip:

Point of Contact Information
Organization
Name:
Contact Name:

Title:

Telephone:

E-mail:

Business
Address:
State/Province
:
URL:

City:
Country:

Zip:

Section 2. Type of Covered Entity (check all that apply)
☐ Large Health Plan 2

☐ Large Provider 3

☐ Large Institution

☐ Clearinghouse

☐ Business Associate

☐ Other (please specify):

☐ Small Health Plan 4

☐ Small Provider 5

☐ Small Institution

1 DBA (Doing Business As…)
2 Annual receipts >$5 million
3 Provider with 25 or more full-time employees, or a physician, practitioner, facility, or supplier with 10 or more
full-time equivalent employees
4 Annual receipts ≤ $5 million
5 Provider with less than 25 full-time employees, or a physician, practitioner, facility, or supplier with less than 10
full-time equivalent employees

Section 3. Operating Rule Certification
Has your organization obtained a voluntary Operating Rule seal from CORE? If so, when was it obtained?
(Certificate status must be current and not revoked.)

☐ YES ☐ NO

Date of Certificate:

Section 4. Business Relationships
Does your organization have a relationship with one or more third-party agents (clearinghouses, vendors, etc.) that
conduct transactions or operating rules (ORs) on your behalf?

☐ Yes ☐ No

Please provide company name(s) and points of contact for each third-party relationship:
Company Name

Contact Name

Transaction/OR

Section 5. Acknowledgments
By signing below, I attest that the information provided as part of this questionnaire is true and accurate to the best
of my knowledge.
Please double click the “X” to insert an electronic signature.
Date: Select a date.
X

Contact Person Name:

Title:

Part C - Artifact Request
ENTITY TYPE: Select an option.
DUE DATE: Select a date.
Prior to uploading transaction artifacts, you must accept the invitation to register in the Compliance
Review Program in Onboarding and Testing Cloud Services (OTCS) via the ASETT Compliance
Review Covered Entity Portal. Please refer to the Compliance Review Covered Entity Portal User
Manual to review instructions for accepting the Compliance Review Program invitation and testing
transaction artifacts in the Compliance Review Covered Entity Portal. A link to the Compliance
Review Covered Entity Portal User Manual is provided at the top of the ASETT Covered Entity
Portal Welcome Page.
Upload all requested artifacts marked below to the ASETT Covered Entity Portal by or before the
established due date. As a reminder, all non-transaction artifacts are to be uploaded via the Upload
Documents section in the ASETT Covered Entity Portal. All transaction artifacts must be uploaded
in OTCS. Please refer to the Compliance Review Covered Entity Portal User Manual to review
instructions for uploading artifacts.
All transaction files must be the original file that was sent to your trading partner and be in a
readable text format (.txt, .edi or .dat). Non-transaction documents should be either Microsoft
Word, Excel, or PDF formats. Do not copy and paste transaction data into new files as all
transaction files must be the original file sent to your trading partner. We reserve the right to
contact your trading partners if the need arises.
Please note, the ASETT Compliance Review Covered Entity Portal has a 4.8MB file size limit.
Files that exceed 4.8MB, or documents with embedded files or password protection will produce
an upload error.
Please use the following file-naming convention for single transaction files:
Transaction Number_Covered Entity Name_Original File Name.File Extension
•
•
•
•

Transaction Number is the transaction set number, e.g., 270, 271, etc.
Covered Entity Name is your organization’s (the covered entity) name
Original File Name is optional
o If original file name has multiple nodes (period (.) separators), please replace
with underscores (_)
File Extension is the file extension type (.txt, .edi, or .dat)

DOCUMENTATION REQUESTS
☐ Completed Assessment Package Form (this notice, Part B).
☐ Companion Guides for transactions marked below, if applicable.
☐ Completed Operating Rule Attestation for the following 5010 transaction(s) and EFT: 270,
271, 276, 277 and 835.
☐ Other: _______________________________________________________________

PROVIDER TRANSACTION REQUESTS
Delete this section if not used.
☐ 005010X279A1, 270 Health Care Eligibility Verification Request
o Starting with the __ day of month, provide the last production 270 unaltered file and all
previous 270 unaltered files until a minimum of XX requests has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X212, 276 Health Care Claim Status
o Starting with the __ day of month, provide the last production 276 unaltered file and all
previous 276 unaltered files until a minimum of XX requests has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X217, 278 Health Care Services Review - Request
o Starting with the __ day of month, provide the last production 278 unaltered file and all
previous 278 unaltered files until a minimum of XX requests has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X223A2, 837 Health Care Claim - Institutional
o Starting with the __ day of month, provide the last production 837I unaltered file and all
previous 837I unaltered files until a minimum of XX claims has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X222A1, 837 Health Care Claim - Professional
o Starting with the __ day of month, provide the last production 837P unaltered file and all
previous 837P unaltered files until a minimum of XX claims has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X224A2, 837 Health Care Claim - Dental
o Starting with the __ day of month, provide the last production 837D unaltered file and all
previous 837D unaltered files until a minimum of XX claims has been reached. This may
consist of one or more files to meet the minimum request.
☐ NCPDP D.0 Pharmacy Claim
o Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file
and all previous NCPDP D.0 unaltered files until a minimum of XX claims has been
reached. This may consist of one or more files to meet the minimum request.

HEALTH PLAN TRANSACTION REQUESTS
Delete this section if not used.
☐ 005010X279A1, 271 Health Care Eligibility Verification Response
o Starting with the __ day of month, provide the last production 271 unaltered file and all
previous 271 unaltered files until a minimum of XX responses has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X212, 277 Health Care Claim Status Response
o Starting with the __ day of month, provide the last production 277 unaltered file and all
previous 277 unaltered files until a minimum of XX responses has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X217, 278 Health Care Services Review - Response
o Starting with the __ day of month, provide the last production 278 unaltered file and all
previous 278 unaltered files until a minimum of XX responses has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X221A1, 835 Health Care Claim Payment/Advice Transactions
o Starting with the __ day of month, provide the last production 835 unaltered file and all
previous 835 unaltered files until a minimum of XX claim payments has been reached.
This may consist of one or more files to meet the minimum request.
☐ 005010X223A2, 837 Health Care Claim - Institutional (COB Only)
o Starting with the __ day of month, provide the last production 837I unaltered file and all
previous 837I unaltered files until a minimum of XX COB claims has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X222A1, 837 Health Care Claim - Professional (COB Only)
o Starting with the __ day of month, provide the last production 837P unaltered file and all
previous 837P unaltered files until a minimum of XX COB claims has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X224A2, 837 Health Care Claim - Dental (COB Only)
o Starting with the __ day of month, provide the last production 837D unaltered file and all
previous 837D unaltered files until a minimum of XX COB claims has been reached.
This may consist of one or more files to meet the minimum request.
☐ NCPDP D.0 Pharmacy Claim (COB Only)
o Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file
and all previous NCPDP D.0 unaltered files until a minimum of XX COB claims has
been reached. This may consist of one or more files to meet the minimum request.
☐ 005010X218, 820 Premium Payment
o Starting with the __ day of month, provide the last production 820 unaltered file and all
previous 820 unaltered files until a minimum of XX premium payments has been
reached. This may consist of one or more files to meet the minimum request.
☐ 005010X220A1, 834 Benefits Enrollment and Maintenance
o Starting with the __ day of month, provide the last production 834 unaltered file and all
previous 834 unaltered files until a minimum of XX enrollments has been reached. This
may consist of one or more files to meet the minimum request

CLEARINGHOUSE TRANSACTION REQUESTS
Delete this section if not used.
☐ 005010X79A1, 270 Health Care Eligibility Verification Request
o Starting with the __ day of month, provide the last production 270 unaltered file and all
previous 270 unaltered files until a minimum of XX requests has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X79A1, 271 Health Care Eligibility Verification Response
o Starting with the __ day of month, provide the last production 271 unaltered file and all
previous 271 unaltered files until a minimum of XX responses has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X212, 276 Health Care Claim Status
o Starting with the __ day of month, provide the last production 276 unaltered file and all
previous 276 unaltered files until a minimum of XX requests has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X212, 277 Health Care Claim Status Response
o Starting with the __ day of month, provide the last production 277 unaltered file and all
previous 277 unaltered files until a minimum of XX responses has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X217, 278 Health Care Services Review - Request
o Starting with the __ day of month, provide the last production 278 unaltered file and all
previous 278 unaltered files until a minimum of XX requests has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X217, 278 Health Care Services Review - Response
o Starting with the __ day of month, provide the last production 278 unaltered file and all
previous 278 unaltered files until a minimum of XX responses has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X223A2, 837 Health Care Claim - Institutional
o Starting with the __ day of month, provide the last production 837I unaltered file and all
previous 837I unaltered files until a minimum of XX claims has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X222A1, 837 Health Care Claim - Professional
o Starting with the __ day of month, provide the last production 837P unaltered file and all
previous 837P unaltered files until a minimum of XX claims has been reached. This may
consist of one or more files to meet the minimum request.
☐ 005010X224A2, 837 Health Care Claim - Dental
o Starting with the __ day of month, provide the last production 837D unaltered file and all
previous 837D unaltered files until a minimum of XX claims has been reached. This may
consist of one or more files to meet the minimum request.
☐ NCPDP D.0 Pharmacy Claim
o Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file
and all previous NCPDP D.0 unaltered files until a minimum of XX claims has been
reached. This may consist of one or more files to meet the minimum request.
☐ 005010X221A1, 835 Health Care Claim Payment/Advice Transactions

o Starting with the __ day of month, provide the last production 835 unaltered file and all
previous 835 unaltered files until a minimum of XX claim payments has been reached.
This may consist of one or more files to meet the minimum request.
☐ 005010X223A2, 837 Health Care Claim - Institutional (COB Only)
o Starting with the __ day of month, provide the last production 837I unaltered file and all
previous 837I unaltered files until a minimum of XX COB claims has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X222A1, 837 Health Care Claim - Professional (COB Only)
o Starting with the __ day of month, provide the last production 837P unaltered file and all
previous 837P unaltered files until a minimum of XX COB claims has been reached. This
may consist of one or more files to meet the minimum request.
☐ 005010X224A2, 837 Health Care Claim - Dental (COB Only)
o Starting with the __ day of month, provide the last production 837D unaltered file and all
previous 837D unaltered files until a minimum of XX COB claims has been reached.
This may consist of one or more files to meet the minimum request.
☐ NCPDP D.0 Pharmacy Claim (COB Only)
o Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file
and all previous NCPDP D.0 unaltered files until a minimum of XX COB claims has
been reached. This may consist of one or more files to meet the minimum request.
☐ 005010X218, 820 Premium Payment
o Starting with the __ day of month, provide the last production 820 unaltered file and all
previous 820 unaltered files until a minimum of XX premium payments has been
reached. This may consist of one or more files to meet the minimum request.
☐ 005010X220A1, 834 Benefit Enrollment and Maintenance
o Starting with the __ day of month, provide the last production 834 unaltered file and all
previous 834 unaltered files until a minimum of XX enrollments has been reached. This
may consist of one or more files to meet the minimum request.