Supporting Statement Part-A
HIPAA Administrative Simplification (Non-
Privacy/Security) Complaint Form
(CMS-10148 OMB No. 0938-0948)
The Secretary of Health and Human Services (HHS), hereafter known as “The Secretary,” codified 45 CFR Parts 160 and 164 Administrative Simplification provisions that apply to the enforcement of the Health Insurance Portability and Accountability Act of
1996 Public Law 104-191 (HIPAA). The provisions address rules relating to the investigation of non-compliance of the HIPAA Administrative Simplification code sets, unique identifiers, operating rules, and transactions. 45 CFR Section 160.306, Complaints to the Secretary, provides for investigations of covered entities by the Secretary. Further, it outlines the procedures and requirements for filing a complaint against a covered entity.
The authority for administering and enforcing compliance of non-privacy/security HIPAA rules, has been delegated to the Centers for Medicare & Medicaid Services (CMS) Enforcement Rule.
In addition to an online complaint management tool, ASETT, CMS provides a paper complaint form for stakeholders who wish to voluntarily file a complaint. Complainants may mail the completed form to CMS or send it to the HIPAA mailbox at
[email protected]. The National Standards Group (NSG) currently uses the OMB control number 0938-0948 (Expiration date 08/31/2025) for collection of information related to non-compliance of HIPAA Administrative Simplification.
The authority for administering and enforcing compliance with the non-privacy/security Health Insurance Portability and Accountability Act (HIPAA) rules has been delegated to the Centers for Medicare & Medicaid Services (CMS). At present, CMS’ compliance and enforcement activities are primarily complaint-based. Although our enforcement efforts are focused on investigating complaints, they also include conducting compliance reviews to determine if a covered entity is in compliance. Potential violations may be submitted via the complaint form or discovered during a compliance review.
The purpose of this collection is to update the complaint form as described in CMS0014-N, procedures for non-privacy/security Administrative Simplification complaints.
The form voluntarily captures complaint information submitted to CMS, Office of Health Experience and Interoperability, National Standards Group (NSG), from the public regarding HIPAA Administrative Simplification provisions. The form may not be used to file complaints regarding HIPAA Privacy and Security Rules. These complaints are handled under the purview of the Department of Health and Human Service (HHS) Office of Civil Rights (OCR). The package includes modifications to the existing form.
The modifications include:
Addition of COMPLAINT TYPE selection
Justification – Selection field is in alignment with current selection field available on ASETT.cms.gov complaint filing page
Addition of the following text:
Code Sets - Select if a covered entity is in violation of the following Code Sets: HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and hospital inpatient Procedures), ICD-10 (As of October 1, 2015) and NDC (National Drug Codes) codes with which providers and health plan are familiar, are the adopted code sets for procedures, diagnoses, and drugs.
Transactions - Select if a covered entity is in violation of the following transactions: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits and premium payment
Operating Rules - Select if a covered entity is suspected of being in violation of any of the adopted Operating Rules: Electronic Funds Transfer/Electronic Remittance Advice (EFT/ERA), Health Care Claim Status, and Eligibility for a Health Plan.
Unique Identifiers - Select if a covered entity is in violation of the following Unique Identifiers: National Provider Identifier (NPI), Employer Identification Number (EIN).
Removal of outdated CMS Logo from the top right of every page.
Justification – Outdated CMS logo replaced with current CMS logo
Addition of CMS Letter Head at the beginning of Page 2
Justification – creation of new page, letterhead is at the top of each page on complaint form
Addition of row in Table – Complainant Details, row 3, Complainant Organization Type (Other)
Justification – Addition of row brings into alignment with current row available on ASETT Complaint filing page
Addition of the following row in row 3
Complainant Organization Type (Other)
Formatting of Table – Complainant Details, addition of second column of cells to the right of original column
Justification – original table was not split into two cells, formatted so that complainant has an individual text box to enter information
Change in location of “*Mandatory fields to be filled in” from Column 1, Row 1 of Original Table – Filed Against Entity Details
Justification – text was not located in Column 1, Row 1 of Table – Complainant Details
Addition of row in Table – Filed Against Entity Details, Column 1, Row 2, FAE Organization Type (Other)
Justification – Addition of row brings into alignment with current row available on ASETT Complaint filing page
Addition of the following row in row 2
FAE Organization Type (Other)
Formatting of Table – Filed Against Entity (FAE) Details, addition of second column of cells to the right of original column
Justification – original table was not split into two cells, formatted so that complainant has an individual text box to enter information
Removal of Selection Field “Complaint Details”
Justification – Brings Complaint Intake Form into alignment with current Complaint Filing page on ASETT
Removal of the following text, found on Page 3 of Original Document:
*Mandatory fields to be filled in
Non-Compliant HIPAA Transaction Received - You received a non-compliant HIPAA transaction from a covered entity
Compliant Transaction Sent and Rejected - A covered entity rejected your compliant HIPAA transaction.
Invalid Companion Guide - A covered entity that you send data to or receive data from requires use of a non-compliant companion guide. For example, a companion guide must not specify additional fields beyond those specified by the adopted standard.
Code Set Received or Sent and Rejected - Either or both of these examples may apply: (1) A covered entity sent you a non-compliant HIPAA code within an electronic transaction. (2) A covered entity rejected a compliant HIPAA code that you sent within an electronic transaction.
Failure to Conduct a Standard Transaction – A covered entity failed to conduct a standard transaction.
Other - You have another type of complaint against a covered entity. Please describe below:
Formatting of Table – COMPLAINT DETAILS, addition of second column of cells to the right of original column
Justification – original table was not split into two cells, formatted so that complainant has an individual text box to enter information
Removal of Ex. [2/27/2017]” from Column 1, Row 1 of Table – COMPLAINT DETAILS
Justification – Indicating to Complainant that the second column is where the entry of text goes
Addition of “Ex. [2/27/2017]” to Column 2, Row 1 of Table – COMPLAINT DETAILS
Justification – Indicating to Complainant that the second column is where the entry of text goes
Addition of row in Table – COMPLAINT DETAILS, Row 5, “Does the complaint relate to the FAE charging fees to conduct standard transactions?*”
Justification – Addition of row brings into alignment with current row available on ASETT Complaint filing page
Addition of the following row in row 5
Does the complaint relate to the FAE charging fees to conduct standard transactions?*
Alteration of text in Table – COMPLAINT DETAILS, Column 1, Row 6
Justification – Alteration of text brings into alignment with current row available on ASETT Complaint filing page
Original Text: “Attempted to Resolve”
Altered Text: “Have you previously attempted to resolve this complaint?”
Addition of text in Table - COMPLAINT DETAILS, Column 2, Row 6
Justification – Indicating to complainant that this table is a Yes/No field
Additional text: “Yes/No”
Alteration of text in Table – COMPLAINT DETAILS, Column 1, Row 7
Justification – Alteration of text brings into alignment with current row available on ASETT Complaint filing page
Original Text: “Complainant Action Description”
Altered Text: “If yes, describe the action you took to resolve this complaint.”
Alteration of text in Table – COMPLAINT DETAILS, Column 1, Row 8
Justification – Alteration of text brings into alignment with current row available on ASETT Complaint filing page
Original Text: “Complaint Previously Submitted: Yes/No (circle)
Altered Text: “Has this complaint been previously submitted?”
Addition of text in Table - COMPLAINT DETAILS, Column 2, Row 8
Justification – Indicating to complainant that this table is a Yes/No field
Additional text: “Yes/No”
Addition of Text at below the Disclaimer at the end of the intake form
Justification – indicating to the complainant that NSG may request additional information from the complainant due to the inability to submit documentation when the complainant files a complaint using the Complaint Intake Form
Additional Text: “During the course of an investigation, NSG may need to request additional information from the complainant to investigate the complaint’s allegations. In the event of such a request, it will be sent from [email protected]. When providing a response to NSG, please ensure that your response does not contain Protected Health information (PHI) or Personally Identifiable Information (PII), or send your response containing PHI or PII in an encrypted file, with the decryption key sent in separate email.”
Addition of Row below the Disclaimer at the end of the intake form
Justification – providing additional space for footnote notifying complainant that NSG may request additional information during the course of the investigation.
Section 1173 of the Social Security Act 42 U.S.C. 1320d–2, and Section 264 of HIPAA, requires HHS Secretary to adopt a number of national standards to facilitate the exchange of certain health information and to protect the privacy and security of such information. The Secretary has adopted a number of national standards. Covered entities are required to comply with these HIPAA standards.
In addition, the Secretary promulgated rules that relate to compliance with, and enforcement of, the HIPAA rules, which are codified at 45 CFR Part 160, subparts C, D, and E. On April 17, 2003, The Secretary first issued an interim final rule (IFC) titled
“Civil Money Penalties: Procedures for Investigations, Imposition of Penalties” (42 C.F.R. 1320d-5). This IFC promulgated the procedural requirements for imposition of civil money penalties on violations of the privacy standards. On April 18, 2005, the Secretary subsequently published a proposed rule titled, HIPAA Administrative Simplification: Enforcement; Proposed Rule (70 FR 20224).
Anyone can file a complaint if he or she suspects a potential violation. Persons believing that a covered entity is not utilizing the adopted Administrative Simplification provisions of HIPAA are voluntarily requested to file a complaint with CMS via the Administrative Simplification Enforcement and Testing Tool (ASETT) online system, by mail, or by sending an email to the HIPAA mailbox at
[email protected]. Information provided on the standard form will be used during the investigation process to validate non-compliance of HIPAA Administrative Simplification provisions.
This standard form collects identifying and contact information of the complainant, as well as the identifying and contact information of the filed against entity (FAE). This information enables CMS to respond to the complainant and gather more information if necessary, and to contact the FAE to discuss the complaint and CMS’ findings.
In addition to the identifying and contact information, the standard form collects a summary that outlines the nature of the complaint. This summary is used to determine the validity of the complaint and to categorize the complaint as noncompliance to transactions, standards, code sets, unique identifiers, and/or operating rules. This ensures the appropriate direction of the complaint process investigation and enables CMS to produce accurate reports regarding complaint activity.
The HIPAA complaint process involves the use of both electronic and paper collection techniques. It is expected that approximately 97% of complaints will be completed electronically via the Administrative Simplification and Enforcement Testing Tool (ASETT), which allows for more efficient submission. Complainants can electronically file their complaints securely via the CMS IDM (Identity Management) system.
Both CMS and the complainants can manage their complaints in real-time via this system. The electronic format follows that of the paper complaint form; however, the user may also submit supporting documents and notes. The acknowledgment submission button serves as an electronic signature versus the wet signature on the paper form.
This information collection does not duplicate any other effort and the information cannot be obtained from any other source.
This collection reduces the impact on small businesses or other small entities if the entity chooses to submit a HIPAA Administrative Simplification complaint. The burden is minimized by allowing an entity of any size to submit complaints electronically.
Submission of the complaint form is voluntary. However, without the information requested on the complaint form, CMS may be unable to proceed with a complaint. CMS collects this information under authority of the Enforcement Rule issued pursuant to the HIPAA. CMS will use the information provided to determine jurisdiction and, if so, how to process the complaint. Information submitted on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974.
7. Special Circumstances
There are no special circumstances that would require an information collection to be conducted in a manner that requires respondents to:
• Report information to the agency more often than quarterly;
• Prepare a written response to a collection of information in fewer than 30 days after receipt of it;
• Submit more than an original and two copies of any document;
• Retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
• Collect data in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study,
• Use a statistical data classification that has not been reviewed and approved by OMB;
• Include a pledge of confidentiality that is not supported by authority established in statute or regulation that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
• Submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
The 60-day notice published in the Federal Register on June 27, 2025 (90 FR 27540). A total of zero (0) comments were received.
A 30-day notice published in the Federal Register on September 24, 2025 (90 FR 45951).
9. Payments/Gifts to Respondents
There will be no payments and/or gifts to respondents to complete this form.
Filing a complaint with CMS is voluntary. However, CMS may be unable to proceed with the complaint, if the requested information within the complaint form is missing and/or incomplete. CMS collects this information under authority of the Enforcement Rule issued pursuant to the HIPAA. CMS will use the information provided to determine jurisdiction and, if so, how to process the complaint. Information submitted on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974.
Names or other identifying information about individuals are only disclosed when it is necessary for investigation of possible HIPAA Administrative Simplification Non-Privacy/Security violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with HIPAA Administrative Simplification Non-Privacy/Security compliance and as permitted by SORN 09-90-0052.
11. Sensitive Questions
This information collection does not contain any sensitive questions.
Public reporting burden for the collection of information on this modified complaint form is reduced due to electronic transmission capability and is estimated to average 60 minutes per form, which would include the time for reviewing instructions, gathering the data needed and entering and reviewing the information on the completed complaint form.
It is estimated that approximately 400 respondents per year will file HIPAA Administrative Simplification Non-Privacy/Security complaints using this form. The total public reporting burden per year will be approximately 24,000 minutes (400 hours). This estimate is based on the current average number of complaints received over the past three years.
Filing a complaint using the form is a one-time burden. To estimate cost, we used the median hourly labor rate of $22.82 reported for an Secretary and/or Administrative Assistant, based on data from the Department of Labor, Bureau of Labor Statistics, https://www.bls.gov/ooh/office-and-administrative-support/secretaries-and-administrative-assistants.htm April 18, 2025. We added 100% of the median hourly labor wage to the value to account for fringe and overhead which brings the total hourly wage to $45.64 ($22.82 + 22.82).
The estimated cost calculation is determined by having one respondent complete the form on an annual basis. The time to complete the response for an administrative worker, as referenced in the labor statistics above, will not exceed one hour.
Based on an estimated 400 persons completing the form per year at $ 45.64/hour, the total cost burden is $18,256.00 and the total hour burden is 400 hours.
(400 respondents) x (1 response/respondent) x (1 hour/response) x (45.64/hour) = $18,256.00/year.
13. Capital Costs
There are no capital costs for this collection.
There is no cost burden to the federal government as the form will be processed in the normal course of federal duties.
This modification reduces the hours and wage burden estimate. The previous package estimated that there would be a total of 21 submissions annually. As stated earlier in Section 12, we have adjusted our estimate upward to 400 annual submissions based on the average number of submissions received over the last three years via submission of the complaint form electronically, via U.S. mail, and the ASETT system. Additionally, we have revised the information collection to account for the hourly labor wage including fringe and overhead.
16. Publication/Tabulation Dates
No publication or tabulation of data expected.
The expiration date will be displayed on both the instrument and in the related instructions as part of the Paperwork Reduction Act (PRA) Disclosure Statement. The expiration date is also located in the upper left header of the instrument.
There are no exceptions to the certification statement.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Stephan McKenzie |
| File Modified | 0000-00-00 |
| File Created | 2025-11-05 |