Skip to content

Find resources to help with recovery if you’ve been impacted by Hurricanes Milton and Helene. Learn More

Baldwin Bulletin

Civil Monetary Penalty Annual Index From Health & Human Services (“HHS”) For The Office For Civil Rights (“OCR”) & The Centers For Medicare And Medicaid Services (“CMS”).

The Baldwin Group
|
Updated: September 24, 2024
|
4 minute read

HHS has updated its regulations to reflect required annual inflation-related increases to the civil monetary penalty (“CMP”) amounts in its statutes and regulations, under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

The adjusted civil monetary penalty amounts apply to penalties assessed on or after August 8, 2024, if the violation occurred on or after November 2, 2015.

Employer Action Items

  • Review the 2023-2024 inflation adjusted civil monetary penalty amounts for the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) violations occurring with respect to Level A-D breaches and work with HIPAA officer(s) to mitigate the risk of penalties by performing the mandated administrative simplification requirements.
  • Review the 2023-2024 inflation adjusted civil monetary penalty amounts for selected CMS violations and work with benefit managers to mitigate the risk of penalties by adhering to the prescribed standards related to Medicare Part D, Summary of Benefits and Coverage (“SBC”) dissemination requirements, and others.
  • As an employer, access the BRCC’s consultative and advisory support solutions to aid in your penalty mitigation strategies for these important federal requirements.

Summary

Part I: HIPAA Related Violations

As a reminder, HIPAA breaches occurring after February 18, 2009, are assigned a level value from A-D, depending upon the severity of the underlying breach.

The following table details the 2023-2024 inflation adjusted civil monetary penalty amounts for HIPAA violations occurring with respect to Level A-D breaches on or after February 18, 2009, as well as CMP amount for pre-February 18, 2009, breaches of the Administrative Simplification provisions of the law:

HIPAA Related Civil Monetary Penalties (2023-2024)
RegulationAgencyDescription20232024
45 CFR 160.404(b)(1)(i), (ii)Office of Civil RightsPenalty for each pre-February 18, 2009, violation of the HIPAA administrative simplification provisions:  

Calendar-year Cap:
187      


47,061
193      


48,586
45 CFR 160.404(b)(2)(i)(A), (B)Office of Civil RightsPenalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such a provision (level “A” breaches).  

Minimum:  

Maximum:  

Calendar-year Cap:
                   





137  

68,928  

2,067,813
                 





141  

71,162  

2,134,831
45 CFR 160.404(b)(2)(ii)(A), (B)Office of Civil RightsPenalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to reasonable cause and not to willful neglect (level “B” breaches).  

Minimum:  

Maximum:  

Calendar-year Cap:
             



1,379  

68,928  

2,067,813
             



1,424  

71,162  

2,134,831
45 CFR 160.404(b)(2)(iii)(A), (B)Office of Civil RightsPenalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred (level “C” breaches).  

Minimum:  

Maximum:  

Calendar-year Cap:
                       






13,785  

68,928  

2,067,813
     






                  14,232  

71,162  

2,134,831
45 CFR 160.404(b)(2)(iv)(A), (B)Office of Civil RightsPenalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred (level “D” breaches).  

Minimum:  

Maximum:  

Calendar-year Cap:
                       




68,928  

2,067,813  
2,067,813
                       




71,162  

2,134,831  

2,134,831

Part II: Medicare Secondary Payer Related Violations

The Medicare Secondary Payer statute prohibits a group health plan from “taking into account” the Medicare entitlement of a current employee or a current employee’s spouse or family member and imposes penalties for violations. The indexed amounts for violations applicable to employer-sponsored health plans are as follows:

CMS Related Monetary Penalties (2023-2024)
RegulationAgencyDescription20232024
42 CFR 411.103(b)CMSPenalty for an employer or other entity to offer any financial or other incentive for an individual entitled to benefits not to enroll under a group health plan or large group health plan which would be a primary plan.162524
42 CFR 402.1(c)(21), 402.105(a)CMSPenalty for any entity serving as insurer, third party administrator, or fiduciary for a group health plan that fails to provide information that identifies situations where the group health plan is or was a primary plan to Medicare to the HHS Secretary.428  474  
 CMSPenalty for any non-group health plan that fails to identify claimants who are Medicare beneficiaries and provide information to the HHS Secretary to coordinate benefits and pursue any applicable recovery claim.428    474  
45 CFR 158.606CMSPenalty for violations of regulations related to the medical loss ratio reporting and rebating.136  140
45 CFR 147.200(e)CMSFailure to provide the Summary of Benefits and Coverage.1362    1406

Additional Resources

To obtain additional support for performance of these and other requirements, please reach out to your local service colleague or your client advisor. The Baldwin Regulatory Compliance Collaborative (the “BRCC”) offers a carefully curated range of consultative and advisory support solutions related to the administration of US-based employee benefit plans, programs, and other offerings.


Related Insights

Stay in the know

Our experts monitor your industry and global events to provide meaningful insights and help break down what you need to know, potential impacts, and how you should respond.

Compliance Alert
BRCC COMPLIANCE ALERT - December 17, 2024
2025 BRCC Educational Webcast and HIPAA Complete Training Calendars Overview The Baldwin Regulatory Compliance Collective (“BRCC”) is excited to announce...
Baldwin Bulletin
Upcoming Compliance Deadlines - December
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans.  Please note the following...
Baldwin Bulletin
2024-2025 Affordable Care Act (“ACA”) Reporting Office Hours with BRCC Compliance Experts
The BRCC announces a new series of open office hours with our ACA compliance experts, designed specifically for the 2024-2025...
Baldwin Bulletin
Summary Annual Report (“SAR”) due December 15th for Calendar Year Plans with Form 5558 Extensions
Employers who are required to submit a Form 5500 for their employee benefit plans also have an obligation to distribute...
Baldwin Bulletin
Internal Revenue Service (“IRS”) Releases Draft Publication 15-B (Fringe Benefits)
The IRS issued an early release draft of their annual Publication 15-B. The draft contains tax forms, instructions, and other...
Let's make it possible

Partner with us to build solutions that align with your business, individual, or employee needs and open new possibilities for your future.

Connect with us