HHS adjusts 2023 HIPAA, certain ACA and MSP monetary penalties 

October 20, 2023

Group health plan sponsors and other entities that violate the privacy, security, breach notification and electronic healthcare transaction rules of the Health Insurance Portability and Accountability Act (HIPAA) now face higher penalties. Inflation adjustments released by the Department of Health and Human Services (HHS) apply to penalties assessed on or after Oct. 6, 2023, for violations occurring on or after Nov. 2, 2015. The adjusted penalties are calculated by multiplying the previous penalties by 1.07745 (the 2023 cost-of-living multiplier), rounded to the nearest dollar. This article highlights the changes of interest to employers sponsoring group health plans.

Minimum penalties. The minimum penalty for each violation of a particular HIPAA requirement or prohibition increases to $137 (up from $127) for a covered entity or business associate that did not know — and could not have known by exercising reasonable diligence — about the violation. For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,379 (up from $1,280). For violations due to willful neglect but corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $13,785 (up from $12,794). For violations due to willful neglect and not corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $68,928 (up from $63,973).

Maximum penalties. The maximum penalty for each violation of a particular HIPAA requirement or prohibition (except for violations due to willful neglect and not timely corrected) increases to $68,928 (up from $63,973). For violations due to willful neglect and not timely corrected, the maximum penalty increases to $2,067,813 (up from $1,919,173).

Calendar-year penalty caps. The calendar-year penalty cap increases to $2,067,813 (up from $1,919,173) for all violations of an identical HIPAA provision. Curiously, the inflation adjustments still do not incorporate the enforcement discretion HHS announced in April 2019, which significantly reduced calendar-year penalty caps for most HIPAA violations except for those due to willful neglect and not timely corrected. Clarification of this issue would be helpful. Here are the penalty caps under the enforcement discretion:

Though HHS rules directly impact health insurance issuers, employer plan sponsors may be indirectly affected by certain requirements:

• Summary of benefits and coverage (SBC). The maximum penalty for each failure by a health insurance issuer to provide SBCs to covered individuals increases to $1,362 (up from $1,264).
• Medical loss ratio (MLR) rules. The maximum penalty for each failure by a health insurance issuer to comply with MLR reporting and rebate regulations increases to $136 (up from $126).

Penalties for violations of certain MSP rules increase as follows:

• Prohibition against financial or other incentives. The maximum penalty for each eligible individual offered financial or other incentives not to enroll in a group health plan that would be primary to Medicare increases to $11,162 (up from $10,360).
• Nondisclosure. For each failure by an insurer, a third-party administrator or a self-insured/self-administered group health plan's fiduciary to inform HHS about situations in which the plan is or was primary to Medicare, the maximum daily penalty increases to $1,428 (up from $1,325).

• HHS annual civil monetary penalties inflation adjustment (Federal Register, Oct. 6, 2023)
• HHS enforcement discretion regarding HIPAA civil money penalties (Federal Register, April 30, 2019)

• DOL sets 2023 penalties for health and welfare benefit plan violations (Jan. 18, 2023)