November 5, 2018

HHS Increases Penalties for Compliance Failures (article)

Employee benefit plans are subject to oversight by several government regulatory agencies including Health and Human Services (HHS), and the Departments of Labor and Treasury.  These governing agencies may adjust certain monetary civil penalties for compliance failures. 

To this end, on October 11, 2018, HHS published its annual inflationary adjustments for civil penalties relating to violations of the HIPAA privacy, security and breach rules, failure to provide the summary of benefits and coverage to plan participants, as well as violations relating to the Medicare secondary payor rules.  Following are highlights of the changes.  These penalties take effect on October 11, 2018.

  • HIPAA Privacy, Security and Breach

HHS regulates entities subject to the HIPAA Administrative Simplification laws; specifically, covered entities, which include health care providers, health care clearinghouses, and health plans, as well as business associates.  In the event of a breach of unsecured health information of individuals, one of the obligations of the covered entity is to provide notification of the breach to affected individuals, as well as notify the media and HHS in certain circumstances.  Failure to adhere to these rules by a covered entity could result in civil penalties.  There are four tiers of civil penalties that could be imposed; following are the inflation-adjusted amounts of potential penalties:

| Violation category | Each violation | All such violations of an identical provision in a calendar year |
| --- | --- | --- |
| Did not know a violation occurred | $114 to $57,051 | |
| Violation due to reasonable cause and not willful neglect | $1,141 to $57,051 | |
| Violation due to willful neglect but corrected | $11,410 to $57,051 | |
| Violation due to willful neglect and not corrected | $57,051, no maximum | |


  • Summary of Benefits and Coverage

The Affordable Care Act requires all group health plans, including grandfathered plans, whether insured or self-funded, to provide a written summary of benefits and coverage (SBC) to plan participants.  There are five instances in which the SBC must be provided: upon application, by the first day of coverage, within 90 days of a special enrollment period, upon contract renewal and upon request.  Failure to provide the SBC could result in HHS penalties, as well as penalties imposed by the Departments of Labor and Treasury.  For HHS purposes, the potential civil penalty for willful failure to provide the SBC is increased to $1,128 per failure (up from $1,105 in 2017).

  • Medicare Secondary Payor Rule Violations

In certain instances in which employer-provided health coverage is available, Medicare only pays after the employer plan pays.  The rules governing these situations are known as the Medicare Secondary Payer Rules (MSP rules).  These rules are generally applicable to the working aged, individuals with end stage renal disease and certain disabled individuals.

Working-aged rule violations.  As background, the working aged MSP rule applies to employers with at least 20 full and/or part-time employees on each working day in each of 20 or more calendar weeks in the current or preceding calendar year.  In this category, employer-provided health coverage is the primary payer and Medicare is the secondary payer for the working aged.  The MSP working aged rules require that benefits for individuals aged 65 and over in current employment status, as well as their spouses aged 65 or older, be the same as those available to individuals under age 65.  Further, these individuals must be given the same right to participate in the employer-sponsored plan as those individuals under age 65.

An individual who becomes entitled to Medicare due to age can, of his/her own volition, choose to decline or drop employer-sponsored coverage; however, an employer cannot encourage or induce the individual to choose Medicare over its plan.  The penalty for instances in which an employer or other entity offers any financial or other incentive to Medicare-eligible individuals to not enroll in a plan that would otherwise be primary will increase to $9,239 per violation (up from $9,054).  Further, willful or repeated failures to provide timely and accurate information requested relating to an employee’s group health insurance coverage could result in a $1,504 per violation penalty (up from $1,474 in 2017).

Violations of Medicare mandatory reporting requirement.  For the past decade, insurers, third party administrators (TPAs) and plan administrators of self-funded, self-administered health plans (known as responsible reporting entities, or “RREs”) have been subject to a Medicare secondary payor reporting rule.  The purpose of this reporting obligation is to ensure that the Medicare secondary payor rules are properly administered.  These entities are required to register with the Centers for Medicare and Medicaid Services (CMS) and accomplish the required reporting through the CMS’ dedicated website.  The penalty for failure to provide to the HHS Secretary, pursuant to this reporting obligation, information that identifies situations where the group health plan is or was a primary plan to Medicare will increase to $1,181 per failure (up from $1,157 in 2017).


The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.
