Group health plan sponsors and other entities that violate the privacy, security, breach notification and electronic healthcare transaction rules of the Health Insurance Portability and Accountability Act (HIPAA) now face higher penalties. Inflation adjustments released by the Department of Health and Human Services (HHS) generally apply to penalties assessed on or after Nov. 5, 2019, for violations occurring on or after Nov. 2, 2015. This article highlights the changes of most interest to employers sponsoring group health plans.
The maximum penalty for each violation of a particular HIPAA requirement or prohibition increases to $58,490 (up from $57,051), with a calendar-year cap of $1,754,698 (up from $1,711,533) for all violations of an identical provision. Curiously, the inflation adjustments do not incorporate the enforcement discretion HHS announced in April 2019, which significantly reduced calendar-year penalty caps for most HIPAA violations (unless due to willful neglect and not timely corrected). Clarification of this issue would be helpful.
The minimum penalty for each violation of a particular HIPAA requirement or prohibition increases to $117 (up from $114) for a covered entity or business associate that did not know — and could not have known by exercising reasonable diligence — about the violation. For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,170 (up from $1,141). For violations due to willful neglect but corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $11,698 (up from $11,410).
Though HHS rules directly impact health insurance issuers, employer plan sponsors may be indirectly affected by certain requirements:
Penalties for violations of certain MSP rules increase as follows:
Mercer Law & Policy Resources