By: HUB’s EB Compliance Team

The U.S. Department of Health and Human Services (“HHS”) recently released updated penalty amounts for violations of the Health Insurance Portability and Accountability Act, or HIPAA, the Affordable Care Act, and Medicare Secondary Payer rules. HIPAA requires health plans, health insurers, and their business associates (among others) to implement safeguards to protect the privacy of individuals’ health information.

The penalty amounts are adjusted annually for changes in the cost of living. These updated amounts for 2023 apply for penalties assessed on or after October 6, 2023 (the date HHS published the updated amounts) for violations that occurred on or after November 2, 2015. As you can see from the chart below, the HIPAA penalty amounts vary based on the penalized entity’s level of care, while other penalties apply based on the violation itself, without regard to intent.

| Violation | Penalty | 2023 (New) | 2022 | 2021 |
| --- | --- | --- | --- | --- |
| A HIPAA violation the entity did not know about and would not have known about using reasonable diligence. | Minimum per violation | $137 | $127 | $120 |
| | Maximum per violation | $68,928 | $63,973 | $60,226 |
| | Calendar Year Cap | $2,067,813 | $1,919,173 | $1,806,757 |
| The HIPAA violation occurred due to reasonable cause and not willful neglect. | Minimum per violation | $1,379 | $1,280 | $1,205 |
| | Maximum per violation | $68,928 | $63,973 | $60,226 |
| | Calendar Year Cap | $2,067,813 | $1,919,173 | $1,806,757 |
| The HIPAA violation occurred due to willful neglect but was corrected within 30 days after the entity knew of the violation (or would have known, using reasonable diligence). | Minimum per violation | $13,785 | $12,794 | $12,045 |
| | Maximum per violation | $68,928 | $63,973 | $60,226 |
| | Calendar Year Cap | $2,067,813 | $1,919,173 | $1,806,757 |
| The HIPAA violation occurred due to reasonable cause and not willful neglect. | Minimum per violation | $68,928 | $63,973 | $60,226 |
| | Maximum per violation | $2,067,813 | $1,919,173 | $1,806,757 |
| | Calendar Year Cap | $2,067,813 | $1,919,173 | $1,806,757 |
| Offering incentives to Medicare-eligible individuals not to enroll in an employer plan that would be primary to Medicare. | n/a | $11,162 | $10,360 | $9,753 |
| Failing to provide Medicare Secondary Payer Reporting information. | n/a | $1,428 | $1,325 | $1,247 |
| Willful Failure to provide a Summary of Benefits and Coverage for a health insurer or governmental plan | n/a | $1,362 | $1,264 | $1,190 |

While the requirement is for HHS to issue these updates annually by January 15, the timing has varied widely. Last year, they were issued in April. The year before, they were issued in November. This year, in October. 

Additionally, as we have noted previously, these new penalty figures for HIPAA penalties do not reflect HHS’s 2019 decision to apply lower penalty caps to the first three tiers of violations. As a result, lower-level HIPAA violations could have lower penalty caps. These penalty increases suggest that HHS was merely stating its enforcement objectives in 2019, and it may still, in some cases, choose to apply the full penalty up to the cap. Given the change in administration since the 2019 directive was issued, it is unclear whether the 2019 statement still applies.

Regardless, a robust compliance program can help avoid penalties like these. If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.

NOTICE OF DISCLAIMER

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.