November 30, 2021

Group health plan sponsors and other entities that violate the privacy, security, breach notification and electronic healthcare transaction rules of the Health Insurance Portability and Accountability Act (HIPAA) now face higher penalties. Inflation adjustments released by the Department of Health and Human Services (HHS) apply to penalties assessed on or after Nov. 15, 2021, for violations occurring on or after Nov. 2, 2015. This most recent inflation increase is 1.182%. This article highlights the changes of interest to employers sponsoring group health plans.

HIPAA privacy and security

Minimum penalties. The minimum penalty for each violation of a particular HIPAA requirement or prohibition increases to $120 (up from $119) for a covered entity or business associate that did not know — and could not have known by exercising reasonable diligence — about the violation. For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,205 (up from $1,191). For violations due to willful neglect but corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $12,045 (up from $11,904). For violations due to willful neglect and not corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $60,266 (up from $59,522).

Maximum penalties.
The maximum penalty for each violation of a particular HIPAA requirement or prohibition (except for violations due to willful neglect and not timely corrected) increases to $60,226 (up from $59,522). For violations due to willful neglect and not timely corrected, the maximum penalty increases to $1,806,757 (up from $1,785,651).
 

Calendar-year penalty caps. The calendar-year penalty cap increases to $1,806,757 (up from $1,785,651) for all violations of an identical HIPAA provision. Curiously, the inflation adjustments still do not incorporate the enforcement discretion HHS announced in April 2019, which significantly reduced calendar-year penalty caps for most HIPAA violations except for those due to willful neglect and not timely corrected. Clarification of this issue would be helpful. Here are the penalty caps under the enforcement discretion:

 

Affordable Care Act

Though HHS rules directly impact health insurance issuers, employer plan sponsors may be indirectly affected by certain requirements:
 

  • Summary of benefits and coverage (SBC). The maximum penalty for each failure by a health insurance issuer to provide SBCs to covered individuals as required increases to $1,190, up from $1,176.

  • Medical loss ratio (MLR) rules. The maximum penalty for each failure by a health insurance issuer to comply with MLR reporting and rebate regulations increases to $119, up from $118.

Medicare secondary payer (MSP) rules

Penalties for violations of certain MSP rules increase as follows:
 

  • Prohibition against financial or other incentives. The maximum penalty for each eligible individual offered financial or other incentives not to enroll in a group health plan that would be primary to Medicare increases to $9,753, up from $9,639.

  • Nondisclosure. For each failure by an insurer, a third-party administrator or a self-insured/self-administered group health plan's fiduciary to inform HHS about situations in which the plan is or was primary to Medicare, the maximum daily penalty increases to $1,247, up from $1,232.

Related resources

Dorian Z. Smith
by Dorian Z. Smith

Partner, Mercer’s Law & Policy Group

Katharine Marshall
by Katharine Marshall

Principal, Mercer's Law & Policy Group


Speak with a Mercer consultant

Provide your contact information to get in touch
*Required Fields