HIPAA, MSP, and SBC Penalties Indexed as of November 15, 2021

Federal regulators have announced inflationary adjustments to civil monetary penalties for violations occurring on/after November 2, 2015.

Assessments on/after Jan 17, 2020 Assessments on/after Nov 15, 2021
HIPAA Privacy & Security violations
  1. Unintentional violations
  2. Due to reasonable cause and not willful neglect
  3. Willful violations corrected within 30 days
  1. Minimum: $119
  2. Minimum: $1,191
  3. Minimum: $11,904
  1. Minimum: $120
  2. Minimum: $1,205
  3. Minimum: $12,045
    • Caps for each violation above
    • Unclear how these published CY caps tie into the 2019 Notice of Enforcement Discretion which should have lowered the CY caps to $25K/$100K/$250K for tiers 1/2/3 above
  • Maximum: $59,522
  • CY cap: $1,785,651
  • Maximum: $60,226
  • CY cap: $1,806,757
  1. Willful violations not corrected within 30 days
  • Minimum: $59,522
  • CY cap: $1,785,651
  • Minimum: $60,226
  • CY cap: $1,806,757
Medicare Secondary Payer (MSP) violations
  1. Employer incenting or coercing someone not to enroll in a group health plan that would be primary to Medicare
  2. Responsible reporting entity (RRE) failing to identify situations where group plan is primary
  1. $9,639
  2. $1,232
  1. $9,753
  2. $1,247
Summary of Benefits and Coverage (SBC) violations
  • $1,176
  • $1,190

 

IMA will continue to monitor regulator guidance and offer meaningful, practical, timely information.

This material should not be considered as a substitute for legal, tax and/or actuarial advice. Contact the appropriate professional counsel for such matters. These materials are not exhaustive and are subject to possible changes in applicable laws, rules, and regulations and their interpretations.