HIPAA Complaint Process Outlined
Health Data Management (March 25, 2005)

The Centers for Medicare and Medicaid Services has published a notice describing its procedures for handling complaints of non-compliance with rules under the HIPAA administrative simplification provisions. The notice is available in the March 25th Federal Register, at www.gpoaccess.gov/fr/index.html.

The Notice can be accessed at:

http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/pdf/05-5795.pdf

The notice covers complaints about non-compliance with the transactions and code sets, national employer identifier, data security, national provider identifier and national plan identifier rules. The centers will not accept complaints until on or after the compliance date of the rule in question. Compliance dates have passed for the transactions and employer identifier rules; the security rule deadline is April 20.

In the newly published procedures, CMS reaffirms it will work with covered entities to obtain voluntary compliance with a HIPAA rule. If a covered entity in violation fails to become compliant in a timely manner, the department will pursue other options, such as civil fines.

The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcing the privacy rule and has its own procedures for investigating complaints.

Posted to HIPAAcomply 3/28/05