Suspected HIPAA Violations? How to File a HIPAA Complaint
Filing a HIPAA Complaint
Enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulatory provisions for Transactions and Code Sets and Unique Identifier is primarily complaint-driven, and is managed by the Centers for Medicare & Medicaid Services (CMS). Any individual who wishes to submit a complaint related to an alleged Transactions and Code Sets or Unique Identifier violation against a HIPAA covered entity may do so through the Administrative Simplification Enforcement and Testing Tool (ASETT). Complainants are urged to provide as much detail as possible to justify and support the allegations, and to ensure that accurate contact information is provided for the filed against entity (full names, titles, phone numbers, and email addresses). Each complaint is reviewed for validity and completeness to ensure that it can be processed.
How CMS Investigates a HIPAA Complaint
Once the contact information for both parties is verified and validated, The Centers for Medicare and Medicaid Services (CMS) will officially open a complaint. CMS will contact the filed-against entity by phone/email to notify them of the allegations and to advise them that a letter will be sent with details and a request for follow-up. This exchange allows the filed-against entity to evaluate the information, conduct an internal investigation, and either dispute the allegations or develop a response indicating how the issue will be corrected, either immediately or through a process outlined in a formal Corrective Action Plan (CAP). All relevant information is housed in the ASETT system and tied to the original complaint.
What is ASETT?
The Administrative Simplification Enforcement and Testing Tool (ASETT) is a web-based application which enables individuals or organizations to file a Health Insurance Portability and Accountability Act of 1996 (HIPAA) complaint against a health care provider, health plan, or clearinghouse covered entity for potential non-compliance with the non-Privacy/Security provisions of HIPAA. This includes Transactions and Code Sets, and Unique Identifier provisions. The ASETT system securely captures demographic information about the complainant and the filed against entity, as well as details for the alleged violation, and any supporting documentation provided by the complainant and the filed against entity. When filing a complaint, the complainant has the option for remaining anonymous to the filed against entity.
Who may use ASETT?
Anyone may use to file a Health Insurance Portability and Accountability Act of 1996 (HIPAA) complaint related to Transactions and Code Sets and Unique Identifiers. This tool should not be used to file a complaint related to the HIPAA Privacy/Security provisions since these complaints are not addressed by the Centers for Medicare & Medicaid Services (CMS). HIPAA Privacy and Security complaints must be directed to the Office for Civil Rights (OCR), which has responsibility for enforcing HIPAA Privacy and Security violations. Click here now (www.hhs.gov/ocr/hipaa) to leave this site and go to OCR’s website for more information on filing a Privacy or Security complaint.
ASETT requires the use of a UserID and password, along with a valid email address. Once registered, the individual will be able to access the Administrative Enforcement and Testing Tool (ASETT) system to add information or check on the complaint status. Once registration is completed, to file a complaint the complainant must provide accurate and complete contact information for him or herself, as well as for the entity against whom a complaint is being made. Without accurate information, the complaint cannot be processed, and may have to be closed without any action taken. Complainants must also provide accurate information about themselves so the Centers for Medicare & Medicaid Services (CMS) can request additional information if necessary, or provide updates regarding the status of the complaint.
NOTE: When filing a complaint, the complainant has the option to remain anonymous.
Web address for filing a HIPAA Complaint: https://asett.cms.gov/ASETT_HomePage.