HHS Adjusts HIPAA and Other Civil Monetary Penalties for Inflation

Our Thinking / Law and Policy Group /

27 November 2019

Group health plan sponsors and other entities that violate the privacy, security, breach notification and electronic healthcare transaction rules of the Health Insurance Portability and Accountability Act (HIPAA) now face higher penalties. Inflation adjustments released by the Department of Health and Human Services (HHS) generally apply to penalties assessed on or after Nov. 5, 2019, for violations occurring on or after Nov. 2, 2015. This article highlights the changes of most interest to employers sponsoring group health plans.

HIPAA Privacy and Security

The maximum penalty for each violation of a particular HIPAA requirement or prohibition increases to $58,490 (up from $57,051), with a calendar-year cap of $1,754,698 (up from $1,711,533) for all violations of an identical provision. Curiously, the inflation adjustments do not incorporate the enforcement discretion HHS announced in April 2019, which significantly reduced calendar-year penalty caps for most HIPAA violations (unless due to willful neglect and not timely corrected). Clarification of this issue would be helpful.

The minimum penalty for each violation of a particular HIPAA requirement or prohibition increases to $117 (up from $114) for a covered entity or business associate that did not know — and could not have known by exercising reasonable diligence — about the violation. For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,170 (up from $1,141). For violations due to willful neglect but corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $11,698 (up from $11,410).

Affordable Care Act

Though HHS rules directly impact health insurance issuers, employer plan sponsors may be indirectly affected by certain requirements:

Summary of benefits and coverage (SBC). The maximum penalty for each failure by a health insurance issuer to provide SBCs to covered individuals as required increases to $1,156, up from $1,128.
Medical loss ratio (MLR) rules. The maximum penalty for each failure by a health insurance issuer to comply with MLR reporting and rebate regulations increases to $116, up from $113.

Medicare Secondary Payer (MSP) Rules

Penalties for violations of certain MSP rules increase as follows:

Prohibition against financial or other incentives. The maximum penalty for each eligible individual offered financial or other incentives not to enroll in a group health plan that would be primary to Medicare increases to $9,472, up from $9,239.
Nondisclosure. For each failure by an insurer, a third-party administrator or a self-insured/self-administered group health plan's fiduciary to inform HHS about situations in which the plan is or was primary to Medicare, the maximum daily penalty increases to $1,211, up from $1,181.