The U.S. Department of Health & Human Services (HHS) just announced increased penalty amounts for entities who violate the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare secondary payer (MSP) rules barring employers form providing incentives to individuals to drop employer-sponsored coverage in favor of Medicare, or the Summary of Benefits and Coverage (SBC) rules under the Affordable Care Act (ACA). The higher amounts will apply to any penalties assessed after November 15, 2021 for violations occurring after November 2, 2015.
HIPAA
The announcement specifically addresses HIPAA’s four-tiered penalty structure under which the Office for Civil Rights (OCR) will assess an amount that corresponds to the nature of a HIPAA violation. The new amounts are:
|
Level of Violation
|
Minimum*
|
Maximum*
|
Calendar Year Maximum
|
|
Tier 1 – Lack of Knowledge
|
$120
|
$60,226
|
$1,806,757
|
|
Tier 2 – Reasonable Cause and Not Willful Neglect
|
$1,205
|
$60,226
|
$1,806,757
|
|
Tier 3 – Willful Neglect (corrected within 30 days)
|
$12,045
|
$60,226
|
$1,806,757
|
|
Tier 4 – Willful Neglect (uncorrected within 30 days
|
$60,226
|
$1,806,757
|
$1,806,757
|
|
* per occurrence
|
|
|
|
In 2019, HHS exercised its discretionary authority and issued guidance that lowered the calendar year maximums that it would enforce to $25,000 for Tier 1 violations, $100,000 for Tier 2 violations, and $250,000 for Tier 3 violations (all subject to indexing for inflation). Though its annual penalty update continues to reflect a much higher calendar year maximum, we expect OCR will continue to exercise its discretion and assess the lower amounts for violations within in the first three tiers.
Medicare
Medicare imposes restrictions on employers who sponsor group health coverage under which Medicare-eligible individuals may participate. Essentially the rules aim to ensure that Medicare will pay claims secondary to other employer-sponsored coverage for groups of a certain size.
The rules generally work to prevent such employers from taking into account an individual’s Medicare eligibility with regard to coverage under an employer-sponsored plan. Specifically, the rules prohibit an employer from providing an incentive (financial or otherwise) to encourage Medicare-eligible employees to opt out of employer-sponsored coverage in favor of Medicare. Employers found to have provided such an impermissible incentive now face a penalty of up to $9,753 per violation.
SBC
The ACA imposed the SBC disclosure requirement on employer group health plan sponsors and carriers. When individuals enroll or re-enroll in a group health plan, they must receive a formal document that describes critical features of their available plans, so they can make reasonable and informed choices regarding their coverage. Violators who fail to provide SBCs now face penalties of $1,190 per occurrence.
Conclusion
HHS must increase penalties annually to account for inflation under Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Other agencies tasked with enforcing laws that impact employee benefit plans also must adjust penalty amounts to maintain their deterrent effect. So, the cost of non-compliance will continue to escalate. This latest round of increases should compel employer plan sponsors to consider self-auditing their benefit programs to help prevent burdensome agency audits and potentially crippling penalties.
