Overview
The Department of Health and Human Services (HHS) has updated its regulations to reflect required annual inflation-related increases to the civil monetary penalty (CMP) amounts in its statutes and regulations, under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.
The adjusted civil monetary penalty amounts apply to penalties assessed on or after August 8, 2024, if the violation occurred on or after November 2, 2015.
Employer Action Items
- Review the 2023-2024 inflation-adjusted civil monetary penalty amounts for HIPAA violations occurring with respect to Level A-D breaches. Employers are encouraged to work with their HIPAA Officer(s) to mitigate risk of penalties.
- Review the required annual inflation-related increases to the civil monetary penalty (CMP) amounts in HHS's statutes and regulations. Employers are encouraged to use The Baldwin Group’s extensive suite of support solutions and advisory guidance capabilities respecting a covered entity’s performance of the HIPAA administrative simplification mandates.
- As the employer, you have the ability to utilize the BRCC’s consultative and advisory support solutions.
- Review the required annual inflation-related increases to the civil monetary penalty (CMP) amounts in its statutes and regulations. Encourage the employer to use The Baldwin Group’s extensive suite of support solutions and advisory guidance capabilities respecting a covered entity’s performance of the HIPAA administrative simplification mandates.
- Please encourage the employer to utilize the BRCC’s consultative and advisory support solutions.
Summary
The table below includes the 2023-2024 inflation-adjusted civil monetary penalty amounts for HIPAA violations occurring with respect to Level A-D breaches occurring on or after February 18, 2009, as well as the CMP amount for pre-February 18, 2009 breaches of the Administrative Simplification provisions of the law.
As a reminder, HIPAA breaches occurring after February 18, 2009, are assigned a level value from A-D, depending upon the severity of the underlying breach:
HIPAA Related Civil Monetary Penalties (2023-2024)

| Regulation | Agency | Description | 2023 | 2024 |
|---|---|---|---|---|
| 45 CFR 160.404(b)(1)(i), (ii) | Office of Civil Rights | Penalty for each pre-February 18, 2009 violation of the HIPAA administrative simplification provisions. | Penalty: 187; Calendar-year cap: 47,061 | Penalty: 193; Calendar-year cap: 48,586 |
| 45 CFR 160.404(b)(2)(i)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such a provision (level “A” breaches). | Minimum: 137; Maximum: 68,928; Calendar-year cap: 2,067,813 | Minimum: 141; Maximum: 71,162; Calendar-year cap: 2,134,831 |
| 45 CFR 160.404(b)(2)(ii)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to reasonable cause and not to willful neglect (level “B” breaches). | Minimum: 1,379; Maximum: 68,928; Calendar-year cap: 2,067,813 | Minimum: 1,424; Maximum: 71,162; Calendar-year cap: 2,134,831 |
| 45 CFR 160.404(b)(2)(iii)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred (level “C” breaches). | Minimum: 13,785; Maximum: 68,928; Calendar-year cap: 2,067,813 | Minimum: 14,232; Maximum: 71,162; Calendar-year cap: 2,134,831 |
| 45 CFR 160.404(b)(2)(iv)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred (level “D” breaches). | Minimum: 68,928; Maximum: 2,067,813; Calendar-year cap: 2,067,813 | Minimum: 71,162; Maximum: 2,134,831; Calendar-year cap: 2,134,831 |
Medicare Secondary Payer
Effective August 8th, 2024, the Department of Health and Human Services (HHS) has updated its regulations to reflect required annual inflation-related increases to the civil monetary penalty (CMP) amounts in its statutes and regulations, under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.
The adjusted civil monetary penalty amounts apply to penalties assessed on or after August 8, 2024, if the violation occurred on or after November 2, 2015.
The Medicare Secondary Payer statute prohibits a group health plan from “taking into account” the Medicare entitlement of a current employee or a current employee’s spouse or family member and imposes penalties for violations. The indexed amounts for violations applicable to employer-sponsored health plans are as follows:
CMS Related Monetary Penalties (2023-2024)

| Regulation | Agency | Description | 2023 | 2024 |
|---|---|---|---|---|
| 42 CFR 411.103(b) | CMS | Penalty for an employer or other entity to offer any financial or other incentive for an individual entitled to benefits not to enroll under a group health plan or large group health plan which would be a primary plan. | 162 | 524 |
| 42 CFR 402.1(c)(21), 402.105(a) | CMS | Penalty for any entity serving as insurer, third party administrator, or fiduciary for a group health plan that fails to provide information that identifies situations where the group health plan is or was a primary plan to Medicare to the HHS Secretary. | 428 | 1474 |
| | CMS | Penalty for any non-group health plan that fails to identify claimants who are Medicare beneficiaries and provide information to the HHS Secretary to coordinate benefits and pursue any applicable recovery claim. | 428 | 474 |
| 45 CFR 158.606 | CMS | Penalty for violations of regulations related to the medical loss ratio reporting and rebating. | 136 | 140 |
| 45 CFR 147.200(e) | CMS | Failure to provide the Summary of Benefits and Coverage | 1362 | 1406 |
Additional Information & Related Resources
To obtain additional support for performance of these and other HIPAA requirements, as mandated by the Security and Privacy Rules, please reach out to your local service colleague or your client advisor. The Baldwin Group maintains an extensive suite of support solutions and advisory guidance capabilities respecting a covered entity’s performance of the HIPAA administrative simplification mandates. The Baldwin Regulatory Compliance Collaborative (the “BRCC”) also offers a carefully curated range of consultative and advisory support solutions related to the administration of US-based employee benefit plans, programs, and other offerings.
If you have comments, questions, or suggestions respecting the content of this COMPLIANCE ALERT or any other BRCC publication, please do not hesitate to reach out to your client advisor or service colleague.
Thank you for your time.
Kindest regards,
Baldwin Regulatory Compliance Collaborative
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.