How does CMS ensure private plans are compliant with Medicare regulations

Federal regulations at 42 C.F.R. §§422.503 and 423.504 specify the requirements for Medicare Plans to implement an effective Compliance Program. This section contains information related to CMS's Compliance Program Policy and Guidance and will assist Medicare Plans and the public in understanding Part C and Part D compliance program requirements.

Please submit all Compliance Program Policy and Guidance related questions directly to the following mailbox:

The CMS National Standards Group, on behalf of HHS, administers the Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.

In April 2019, HHS randomly selected 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for compliance reviews. HHS piloted the program with health plan and clearinghouse volunteers to streamline the compliance review process and identify any system enhancements. In 2019, providers were able to participate in a separate pilot.

More information on the Compliance Review Program

CMS Compliance Review Program (Video)
Watch the CMS video about the Compliance Review Program to learn about why compliance reviews are important for the health care industry and how they are conducted.

Why Compliance Reviews?

Health care providers, health plans, and clearinghouses have encouraged HHS to take proactive steps, including reviews, to ensure compliance with Administrative Simplification transaction standards, which reduce the administrative burden on the health care industry.

HHS's proactive approach implements a progressive penalty process with the goal of remediation. If an organization isn't compliant, HHS will work with the entity to resolve any issues. Corrective Action Plans are commonly used to address non-compliance. In cases of willful and egregious noncompliance, monetary penalties may be assessed and calculated on a case-by-case basis.

Provider Pilot Program

The CMS National Standards Group, on behalf of HHS, launched a volunteer Provider Pilot Program to test the compliance review process and to gain insight on compliance with HIPAA Administrative Simplification rules among providers. This followed a successful pilot program for health plans and clearinghouses completed in 2018.

In April 2019, HHS selected 3 health care providers from the pool of volunteers to participate.

Learn more about the Provider Pilot Program:

Q: Are small providers exempt from HIPAA?

A: No. The term "small providers" originates in the Administrative Simplification Compliance Act (ASCA), the law which requires those providers who bill Medicare to submit only electronic claims to Medicare as of October 16, 2003, in the HIPAA format. ASCA provides an exception to the Medicare electronic claims submission requirements to "small providers." ASCA defines a small provider or supplier as: a provider of services with fewer than 25 full-time equivalent employees or a physician, practitioner, facility or supplier (other than a provider of services) with fewer than 10 full-time equivalent employees.

This provision does not preclude providers from submitting paper claims to other health plans. Also, if a provider transmits any of the designated transactions electronically, it is subject to the HIPAA Administrative Simplification requirements regardless of size.

Q: How does the Centers for Medicare & Medicaid Services (CMS) process a HIPAA complaint once it is received?

A: Enforcement of the transactions and code sets, operating rules and unique identifier standards of HIPAA is primarily complaint-driven. Upon receipt of a complaint, CMS will notify the filed-against entity of the complaint and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures and practices to verify that they are compliant in how they exchange the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is non-compliant and has failed to correct its violations.

Q: What are the penalties for violations of HIPAA regulations for transactions, code sets, unique identifiers and operating rules?

A: The HIPAA legislation permits civil monetary penalties of not more than $1.5 million per calendar year for a violation.

Q: How do I file a HIPAA complaint if my organization is concerned that another covered entity (health plan, health care clearinghouse, or covered health care provider) is not complying with the use of the standards, operating rules, or code sets?

A: You can use the CMS Administrative Simplification Enforcement and Testing Tool (ASETT). Available through the CMS Enterprise Portal, the tool can be used to file complaints and test X12 and NCPDP transactions.

To check on the status of a complaint, you can use ASETT, the HIPAA mailbox at or write to:

The Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Q: Who can file a HIPAA complaint about possible noncompliance with transaction, operating rule, code set, and unique identifier rules?

A: Anyone may file a complaint with CMS about any HIPAA covered entity that does not comply with rules for electronic transactions, operating rules, code sets, and unique identifiers. Complaints about HIPAA privacy violations should be directed to the HHS Office for Civil Rights.

Q: How do I submit a HIPAA complaint in writing for possible noncompliance with the transaction, operating rule, code set, or unique identifier rules?

A: CMS recommends that you use our online ASETT platform to file a complaint. It is efficient for individuals to complete the data entry portion of the complaint, and for CMS to review it once it is submitted through the online system.

If you choose to file a hard-copy complaint (PDF), you can request a complaint form by writing to:

The Centers for Medicare & Medicaid Services
National Standards Group: HIPAA Enforcement
P. O. Box 8030, Baltimore, Maryland 21244-8030.

Does CMS oversee private insurance companies?

The CMS plays a role in insurance marketplaces by helping to implement the Affordable Care Act's laws about private health insurance.

Who is responsible for compliance with CMS regulations?

The Board of Directors is ultimately responsible for developing and administering a CMS that ensures compliance with federal consumer protection laws and regulations.

Does CMS require a compliance program?

Anyone who provides health or administrative services to Medicare enrollees must satisfy general compliance and FWA training requirements.

Does CMS enforce compliance with privacy and security regulations as well as breach regulations?

The Centers for Medicare and Medicaid Services (CMS) enforces compliance with privacy and security regulations, as well as breach regulations.