Many laws include a variety of civil and sometimes criminal penalties to encourage compliance. These penalty amounts are periodically, typically annually, adjusted to ensure that they stay relevant. To that end, the Department of Health and Human Services has issued civil penalties specific to HIPAA privacy, summary of benefits and coverage, and Medicare secondary payer compliance as follows. The adjusted civil monetary penalty amounts apply to civil penalties assessed on or after August 8, 2024, for violations occurring on or after November 2, 2015.
Following a reassessment of the HITECH Act in 2019, the Office of Civil Rights (OCR) issued a Notice of Enforcement Discretion determining that some of the language in the HITECH Act had been misinterpreted. As a result, OCR reduced the maximum penalties and the annual penalty caps in Tiers 1-3. The penalty maximums that reflect this discretion are shown in parentheses.
Penalties for HIPAA Violations
The penalties listed in the table below are for violations of the administrative simplification of the HIPAA privacy rules.

Summary of Benefits and Coverage
Failure to provide a summary of benefits and coverage (SBC) could result in HHS penalties, as well as penalties imposed by the Department of Labor (DOL) and Treasury (IRS). For HHS and DOL purposes, the potential civil penalty for willful failure to provide the SBC has been increased to $1,406 per failure.
Medicare Secondary Payor Rule Violations
Working-aged rule violations. An individual who becomes entitled to Medicare due to age can, of his/her own volition, choose to decline or drop employer-sponsored coverage; thus, an employer cannot encourage or induce the individual to choose Medicare over its plan. The penalty for instances in which an employer or other entity offers any financial or other incentive to Medicare-eligible individuals to not enroll in a plan that would otherwise be primary has been increased to $11,524 per violation. Further, willful or repeated failures to provide timely and accurate information requested relating to an employee’s group health insurance coverage could result in a $1,877 per violation penalty.
Violations of Medicare mandatory reporting requirement. The penalty for failure to provide information that identifies situations where the group health plan is (or was) a primary plan to Medicare to the HHS Secretary pursuant to the reporting obligation is $1,474 per failure.
The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. This information is provided as general guidance and may be affected by changes in law or regulation. This information is not intended to replace or substitute for accounting or other professional advice. You must consult your own attorney or tax advisor for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.