MGMA Urges CMS to Enforce Compliance with HIPAA Administrative Simplification Rules

The Department of Health and Human Services’ Office for Civil Rights has issued many financial penalties for HIPAA violations after receiving complaints from employees and patients and investigating data breaches. State attorneys general also fine HIPAA-covered entities for violating HIPAA Rules. However, while the HHS’ Centers for Medicare and Medicaid Services (CMS) is mandated to help OCR enforce the HIPAA Administrative Simplifications, no fines have been issued to date.

The Medical Group Management Association (MGMA) thinks that CMS should begin enforcing compliance with the HIPAA Administrative Simplifications. MGMA has received many complaints regarding the failure of health plans to comply with these HIPAA requirements. However, if CMS does not take action, there is little incentive to comply with HIPAA Rules on transactions, code sets, national identifiers and operating rules.

MGMA took the opportunity to submit its critique of the CMS HIPAA administrative simplification enforcement process after feedback was requested on the CMS complaint form. The form is used by physician practices to file formal complaints against health plans and healthcare clearinghouses that are not complying with HIPAA Rules.

MGMA recommends that CMS take steps to enforce health plans' compliance with the HIPAA and ACA administrative simplification regulations, and provides the following figures to back up its point:

  • Below 80% use X12 270/271 (Eligibility & Benefit Verification)
  • About 56% use X12 835 (Remittance Advice)
  • Only 60% use the Electronic Funds Transfer transaction for payments
  • Only 8% use X12 278 (Prior Authorization) transactions

MGMA thinks that health plans and clearinghouses are not supportive of the administrative simplification standards and operating rules. This forces providers to use manual methods such as phone calls, facsimiles and web portals, which diverts the providers’ attention away from patient care. That is unfortunate because millions of dollars of savings go unrealized.

OCR actively enforces HIPAA Rules, which pushes HIPAA-covered entities to improve their compliance efforts. If CMS does not do the same, violations of the HIPAA Administrative Simplifications will continue.


What CMS should do, according to MGMA, is conduct random audits of health plans and healthcare clearinghouses. Any entity that fails to comply with the administrative simplifications must be outed and potentially fined. MGMA also suggests that the voluntary Optimization Pilot for Administrative Simplification Transactions should be discontinued, as it is only delaying the start of CMS’ effective compliance audit program.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.