Updates to Civil Monetary Penalties for HIPAA, SBC, and MSP Violations

Many laws include a variety of civil and sometimes criminal penalties to encourage compliance. These penalty amounts are periodically, typically annually, adjusted to ensure that they stay relevant. To that end, the Department of Health and Human Services has issued civil penalties specific to HIPAA privacy, summary of benefits and coverage, and Medicare secondary payer compliance as follows. The adjusted civil monetary penalty amounts apply to civil penalties assessed on or after August 8, 2024, for violations occurring on or after November 2, 2015.

Following a reassessment of the HITECH Act in 2019, the Office for Civil Rights (OCR) issued a Notice of Enforcement Discretion determining that some of the language in the HITECH Act had been misinterpreted. As a result, OCR reduced the maximum penalties and the annual penalty caps in Tiers 1-3. The penalty maximums under this enforcement discretion are reflected in parentheses.

Penalties for HIPAA Violations

The penalties listed in the table below are for violations of the administrative simplification of the HIPAA privacy rules.

[Table: Penalties for HIPAA Violations (image, not reproduced here)]

Summary of Benefits and Coverage

Failure to provide a summary of benefits and coverage (SBC) could result in HHS penalties, as well as penalties imposed by the Department of Labor (DOL) and Treasury (IRS). For HHS and DOL purposes, the potential civil penalty for willful failure to provide the SBC has been increased to $1,406 per failure.

Medicare Secondary Payor Rule Violations

Working-aged rule violations. An individual who becomes entitled to Medicare due to age can, of his/her own volition, choose to decline or drop employer-sponsored coverage; an employer, however, cannot encourage or induce the individual to choose Medicare over its plan. The penalty for instances in which an employer or other entity offers any financial or other incentive to Medicare-eligible individuals to not enroll in a plan that would otherwise be primary has been increased to $11,524 per violation. Further, willful or repeated failures to provide timely and accurate information requested relating to an employee’s group health insurance coverage could result in a $1,877 per violation penalty.

Violations of Medicare mandatory reporting requirement. The penalty for failure to provide information that identifies situations where the group health plan is (or was) a primary plan to Medicare to the HHS Secretary pursuant to the reporting obligation is $1,474 per failure.

The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. This information is provided as general guidance and may be affected by changes in law or regulation. This information is not intended to replace or substitute for accounting or other professional advice. You must consult your own attorney or tax advisor for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.



Published: 2024-09-04T17:00:00-05:00. Categories: Regulatory, Compliance, & Legislative; Employee Benefits Compliance.