150.203—Circumstances requiring CMS enforcement.
CMS enforces HIPAA requirements to the extent warranted (as determined by CMS) in any of the following circumstances:
(a) Notification by State.
A State notifies CMS that it has not enacted legislation to enforce or that it is not otherwise enforcing HIPAA requirements.
(b) Determination by CMS.
If CMS receives or obtains information that a State may not be substantially enforcing HIPAA requirements, it may initiate the process described in this subchapter to determine whether the State is failing to substantially enforce these requirements.
(c) Special rule for guaranteed availability in the individual market.
If a State has notified CMS that it is implementing an acceptable alternative mechanism in accordance with § 148.128 of this subchapter instead of complying with the guaranteed availability requirements of § 148.120, CMS's determination focuses on the following:
(d) Consequence of a State not implementing an alternative mechanism.
If a State is not implementing an acceptable alternative mechanism, CMS determines whether the State is substantially enforcing the requirements of §§ 148.101 through 148.126 and § 148.170 of this subchapter.