Form Approved: OMB # 0938-1390
Expiration 12/31/2025
Department of Health & Human Services
Centers for Medicare & Medicaid Services
7500 Security Boulevard, Mail Stop N1-19-21
Baltimore, Maryland 21244-1850
Notice of Corrective Action
Date of Notice: FULLDATE
CONTACTNAME
JOBTITLE
CENAME
ADDRESS1
ADDRESS2
CITY, ST ZIP
Re: Compliance Review Number XXXXX
Dear FIRSTNAME LASTNAME,
On (month, day, year), the Department of Health and Human Services (HHS), National Standards Group (NSG) within the Centers for Medicare & Medicaid Services (CMS) sent <Covered Entity Name> a Notice of Draft Findings that included an opportunity to provide a response to each violation cited in the <Covered Entity Name> 20XX assessment.
As a follow-up to that notice, NSG has opened a corrective action record so that <Covered Entity Name> can address the violations that warrant corrective action. Refer to the enclosed Interim Violations Summary Report for additional information, including an NSG reply for each citation. Should the status of a violation change during the corrective action period, <Covered Entity Name> will be notified via email and a revised Interim Violations Summary Report will be uploaded to the ASETT Covered Entity Portal for review.
<Covered Entity Name> is expected to resolve the violations that warrant corrective action by developing and executing a Corrective Action Plan (CAP). The CAP must include major milestones, planned start and completion dates, as well as the party responsible for each milestone. <Covered Entity Name> must provide the CAP within 30 days from the date of this notice, (month, day, year). As a courtesy, the enclosed CAP template may be used.
Once the CAP is developed, the CAP and all CAP-related documentation must be uploaded to the ASETT Covered Entity Portal via the Corrective Action Plan (CAP) button. Do not use the Upload Artifacts button to upload the CAP or any other CAP-related documentation. Please refer to the Compliance Review Covered Entity Portal User Manual to review instructions for uploading artifacts to the ASETT Covered Entity Portal. A link to the Compliance Review Covered Entity Portal User Manual is provided at the top of the ASETT Covered Entity Portal Welcome Page.
Once received, NSG will review the provided CAP and notify <Covered Entity Name> of its approval. Additionally, as part of the corrective action process, NSG will follow up at the planned completion date(s) of each milestone to verify its completion. Please note, once the CAP is approved, if any milestone planned completion dates require updates, <Covered Entity Name> must submit a revised CAP template with updated milestone planned completion dates.
Prior to closing the corrective action record, NSG must verify that <Covered Entity Name> has fully executed the corrective action plan. <Covered Entity Name> will be asked to submit verification, such as screenshots from its change request system, test system, ticket system, or other applicable system(s) that demonstrates the CAP was executed.
If you have any questions regarding this notice, please send an email to HIPAACompliance@cms.hhs.gov. Please include the compliance review number located at the top of this notice.
Sincerely,
Michael Cimmino
Director, National Standards Group
Office of Healthcare Experience and Interoperability
Enclosures - Interim Violations Summary Report, CAP Example and Template
– Violations Summary Report
VIOLATION # 1 |
Covered Entity File Name: |
Validation Tool Reports |
Consolidated Output File Name: |
Individual Output File Name(s): |
Violation Information |
Violation Error ID: |
Category: |
Violation Description: |
Reference(s): |
Warrant Corrective Action: |
Covered Entity Response |
|
NSG Reply to Covered Entity (NSG Only) |
|
VIOLATION # 2 |
Covered Entity File Name: |
Validation Tool Reports |
Consolidated Output File Name: |
Individual Output File Name(s): |
Violation Information |
Violation Error ID: |
Category: |
Violation Description: |
Reference(s): |
Warrant Corrective Action: |
Covered Entity Response |
|
NSG Reply to Covered Entity (NSG Only) |
|
VIOLATION # 3 |
Covered Entity File Name: |
Validation Tool Reports |
Consolidated Output File Name: |
Individual Output File Name(s): |
Violation Information |
Violation Error ID: |
Category: |
Violation Description: |
Reference(s): |
Warrant Corrective Action: |
Covered Entity Response |
|
NSG Reply to Covered Entity (NSG Only) |
|
Corrective Action Plan Example and Template
Table 1 – Complete all fields.
Assessed Entity Name:
|
Submitted by Name:
|
Phone Number:
|
Compliance Review Number:
|
Submission Date:
|
Email Address:
|
Tables 2 and 3 – Example of a completed corrective action plan. A blank corrective action template is available; see Tables 4 and 5 below.
| Violation Number | Transaction Type | Violation Error ID and Description from Enclosure | Root Cause of Violation (Optional) | Notes/Comments |
| 1 | 837P | 0x39393D2 ZIP Code is invalid in 2010BA, N403. It should be formatted as 5 or 9 digits for US Zip Code. This zip code was 4 digits. | Data Entry Error | Edit needs to be added to software program. |
| 2 | 271 | 0x3938BCE Minimum data requirements for response are not satisfied. Response did not include EB03 value of “30.” | Mapping issue | Maps need to be updated to provide EB03 value of “30.” |
| Violation Number(s) | Major Milestones | Planned Start Date | Planned Completion Date | Responsible Party or Position |
| 1, 2 | Code updates. | 01/02/23 | 01/10/23 | Developers |
| | Test changes. | 01/11/23 | 01/16/23 | Test Team |
| | Code revisions as a result of testing. | 01/17/23 | 01/19/23 | Developers |
| | Retest. | 01/22/23 | 01/23/23 | Test Team |
| | Promote to production environment. | 01/24/23 | 01/24/23 | Database Team |
| | Monitor production environment for impact. | 01/24/23 | 01/31/23 | Business Analyst |
Corrective Action Plan Template
Table 4 – Complete all fields in the table below. Insert additional rows as needed.
| Violation Number | Transaction Type | Violation Error ID and Description from Enclosure | Root Cause of Violation (Optional) | Notes/Comments |
| | | | | |
| | | | | |
Table 5 – Complete all fields in the table below. Insert additional rows as needed.
| Violation Number(s) | Major Milestones | Planned Start Date | Planned Completion Date | Responsible Party or Position |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
Table 6 – For NSG official use only.
*For NSG Official Use Only* Assessor 1 Signature: _________________________________ Assessor 1 Approval Date: _______________________________ Month Day Year |
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-1390 from the year of 2024 through 2025. The objective of the HIPAA Administrative Simplification information collection program is to conduct assessments and identify whether a covered entity is compliant with the HIPAA-adopted standards, and administrative simplification. The time required to complete this information collection is estimated to average less than 10 hours per response (4 forms x 60 minutes/form), including the time to review instructions, search existing data resources, gather the data needed, and review and complete the information collection. This information collection is mandatory (under 45 CFR § 160.310). If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850.
File Created | 2025-06-19 |