The U.S. Department of Health and Human Services (“HHS”) recently released updated penalty amounts for violations of the Health Insurance Portability and Accountability Act (HIPAA), the Affordable Care Act, and the Medicare Secondary Payer rules. While not all of these penalties apply directly to all plan sponsors, the HIPAA penalties should be of particular interest to sponsors of self-funded health plans, who must comply with the HIPAA rules. HIPAA requires health plans, health insurers, and their business associates (among others) to implement safeguards to protect the privacy of individuals’ health information. When a plan is fully insured, the majority of responsibility for HIPAA compliance falls to the insurer; when a plan is self-funded, responsibility for compliance with the HIPAA rules falls to the employer as the plan sponsor.

The penalty amounts are adjusted annually for changes in the cost of living. These updated amounts for 2024 apply for penalties assessed on or after August 8, 2024 (the date HHS published the updated amounts) for violations that occurred on or after November 2, 2015. As you can see from the chart below, the HIPAA penalty amounts vary based on the penalized entity’s level of care, while other penalties apply based on the violation itself, without regard to intent.

| Violation | 2024 (New) | 2023 | 2022 |
| --- | --- | --- | --- |
| A HIPAA violation the entity did not know about and would not have known about using reasonable diligence. | | | |
| Minimum per violation | $141 | $137 | $127 |
| Maximum per violation | $71,162 | $68,928 | $63,973 |
| Calendar Year Cap | $2,134,831 | $2,067,813 | $1,919,173 |
| The HIPAA violation occurred due to reasonable cause and not willful neglect. | | | |
| Minimum per violation | $1,424 | $1,379 | $1,280 |
| Maximum per violation | $71,162 | $68,928 | $63,973 |
| Calendar Year Cap | $2,134,831 | $2,067,813 | $1,919,173 |
| The HIPAA violation occurred due to willful neglect but was corrected within 30 days after the entity knew of the violation (or would have known, using reasonable diligence). | | | |
| Minimum per violation | $4,232 | $13,785 | $12,794 |
| Maximum per violation | $71,162 | $68,928 | $63,973 |
| Calendar Year Cap | $2,134,831 | $2,067,813 | $1,919,173 |
| The HIPAA violation occurred due to willful neglect and was not corrected within 30 days after the entity knew of the violation (or would have known, using reasonable diligence). | | | |
| Minimum per violation | $71,162 | $68,928 | $63,973 |
| Maximum per violation | $2,134,831 | $2,067,813 | $1,919,173 |
| Calendar Year Cap | $2,134,831 | $2,067,813 | $1,919,173 |
| Offering incentives to Medicare-eligible individuals not to enroll in an employer plan that would be primary to Medicare. | $11,524 | $11,162 | $10,360 |
| Failing to provide Medicare Secondary Payer Reporting information. | $1,474 | $1,428 | $1,325 |
| Willful Failure to provide a Summary of Benefits and Coverage for a health insurer or governmental plan | $1,406 | $1,362 | $1,264 |

While the requirement is for HHS to issue these updates annually by January 15, the timing has varied widely.  In recent years, these updates have been issued in April, November, October, and now August.

Additionally, as we have noted previously, these new penalty figures for HIPAA penalties do not reflect HHS’s 2019 decision to apply lower penalty caps to the first three tiers of violations. As a result, lower-level HIPAA violations could have lower penalty caps.  These penalty increases suggest that HHS was merely stating its enforcement objectives in 2019, and it may still, in some cases, choose to apply the full penalty up to the cap. Additionally, given the change in administration since the 2019 directive was issued, it is unclear whether the 2019 statement still applies.

Regardless, a robust compliance program can help avoid penalties like these. If you have any questions, please contact your HUB Advisor.

NOTICE OF DISCLAIMER

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.