HHS has updated its regulations to reflect required annual inflation-related increases to the civil monetary penalty (“CMP”) amounts in its statutes and regulations, under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.
The adjusted civil monetary penalty amounts apply to penalties assessed on or after August 8, 2024, if the violation occurred on or after November 2, 2015.
Employer Action Items
- Review the 2023-2024 inflation adjusted civil monetary penalty amounts for the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) violations occurring with respect to Level A-D breaches and work with HIPAA officer(s) to mitigate the risk of penalties by performing the mandated administrative simplification requirements.
- Review the 2023-2024 inflation adjusted civil monetary penalty amounts for selected CMS violations and work with benefit managers to mitigate the risk of penalties by adhering to the prescribed standards related to Medicare Part D, Summary of Benefits and Coverage (“SBC”) dissemination requirements, and others.
- As an employer, access the BRCC’s consultative and advisory support solutions to aid in your penalty mitigation strategies for these important federal requirements.
Summary
Part I: HIPAA Related Violations
As a reminder, HIPAA breaches occurring after February 18, 2009, are assigned a level value from A-D, depending upon the severity of the underlying breach.
The following table details the 2023-2024 inflation adjusted civil monetary penalty amounts for HIPAA violations occurring with respect to Level A-D breaches on or after February 18, 2009, as well as CMP amount for pre-February 18, 2009, breaches of the Administrative Simplification provisions of the law:
| HIPAA Related Civil Monetary Penalties (2023-2024) | ||||
| Regulation | Agency | Description | 2023 | 2024 |
| 45 CFR 160.404(b)(1)(i), (ii) | Office of Civil Rights | Penalty for each pre-February 18, 2009, violation of the HIPAA administrative simplification provisions: Calendar-year Cap: | 187 47,061 | 193 48,586 |
| 45 CFR 160.404(b)(2)(i)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such a provision (level “A” breaches). Minimum: Maximum: Calendar-year Cap: | 137 68,928 2,067,813 | 141 71,162 2,134,831 |
| 45 CFR 160.404(b)(2)(ii)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to reasonable cause and not to willful neglect (level “B” breaches). Minimum: Maximum: Calendar-year Cap: | 1,379 68,928 2,067,813 | 1,424 71,162 2,134,831 |
| 45 CFR 160.404(b)(2)(iii)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred (level “C” breaches). Minimum: Maximum: Calendar-year Cap: | 13,785 68,928 2,067,813 | 14,232 71,162 2,134,831 |
| 45 CFR 160.404(b)(2)(iv)(A), (B) | Office of Civil Rights | Penalty for each February 18, 2009, or later violation of a HIPAA administrative simplification provision in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred (level “D” breaches). Minimum: Maximum: Calendar-year Cap: | 68,928 2,067,813 2,067,813 | 71,162 2,134,831 2,134,831 |
Part II: Medicare Secondary Payer Related Violations
The Medicare Secondary Payer statute prohibits a group health plan from “taking into account” the Medicare entitlement of a current employee or a current employee’s spouse or family member and imposes penalties for violations. The indexed amounts for violations applicable to employer-sponsored health plans are as follows:
| CMS Related Monetary Penalties (2023-2024) | ||||
| Regulation | Agency | Description | 2023 | 2024 |
| 42 CFR 411.103(b) | CMS | Penalty for an employer or other entity to offer any financial or other incentive for an individual entitled to benefits not to enroll under a group health plan or large group health plan which would be a primary plan. | 162 | 524 |
| 42 CFR 402.1(c)(21), 402.105(a) | CMS | Penalty for any entity serving as insurer, third party administrator, or fiduciary for a group health plan that fails to provide information that identifies situations where the group health plan is or was a primary plan to Medicare to the HHS Secretary. | 428 | 474 |
| CMS | Penalty for any non-group health plan that fails to identify claimants who are Medicare beneficiaries and provide information to the HHS Secretary to coordinate benefits and pursue any applicable recovery claim. | 428 | 474 | |
| 45 CFR 158.606 | CMS | Penalty for violations of regulations related to the medical loss ratio reporting and rebating. | 136 | 140 |
| 45 CFR 147.200(e) | CMS | Failure to provide the Summary of Benefits and Coverage. | 1362 | 1406 |
Additional Resources
To obtain additional support for performance of these and other requirements, please reach out to your local service colleague or your client advisor. The Baldwin Regulatory Compliance Collaborative (the “BRCC”) offers a carefully curated range of consultative and advisory support solutions related to the administration of US-based employee benefit plans, programs, and other offerings.
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.
