February 11, 2020

HHS Further Adjusts Penalties for Compliance Failures

Due to changes in the law and indexing, the Department of Health and Human Services further adjusted its civil penalty amounts from those issued in December 2019 (see HHS Increases Penalties for Compliance Failures, Benefit Beat, 12/4/19). These modified amounts apply to penalties assessed on or after January 17, 2020, for violations occurring on or after November 2, 2015.

  • HIPAA Privacy, Security and Breach

Failure to adhere to the HIPAA privacy, security and breach laws by covered entities could result in civil penalties.  There are four tiers of civil penalties that could be imposed; following are the inflation-adjusted amounts of potential penalties:

| Violation category | Each violation (minimum to maximum) | All such violations of an identical provision in a calendar year (calendar year cap) |
|---|---|---|
| Did not know a violation occurred | $119 to $59,522 | |
| Violation due to reasonable cause and not willful neglect | $1,191 to $59,522 | |
| Violation due to willful neglect but corrected | $11,904 to $59,522 | |
| Violation due to willful neglect and not corrected | $59,522 to $1,785,651 | |

  • Summary of Benefits and Coverage

Failure to provide a summary of benefits and coverage (SBC) could result in HHS penalties, as well as penalties imposed by the Departments of Labor (DOL) and Treasury (IRS).  For HHS and DOL purposes, the potential civil penalty for willful failure to provide the SBC has been increased to $1,176 per failure.

  • Medicare Secondary Payor Rule Violations

Working-aged rule violations.  An individual who becomes entitled to Medicare due to age can, of his/her own volition, choose to decline or drop employer-sponsored coverage; thus, an employer cannot encourage or induce the individual to choose Medicare over its plan.  The penalty for instances in which an employer or other entity offers any financial or other incentive to Medicare-eligible individuals to not enroll in a plan that would otherwise be primary has been increased to $9,639 per violation.  Further, willful or repeated failures to provide timely and accurate information requested relating to an employee’s group health insurance coverage could result in a $1,569 per violation penalty.

Violations of Medicare mandatory reporting requirement.  The penalty for failure to provide to the HHS Secretary, pursuant to the reporting obligation, information that identifies situations where the group health plan is (or was) a primary plan to Medicare is $1,232 per failure.

The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.
