Increased Civil Penalty Amounts for SBC, MSP, HIPAA Violations

On Aug. 8, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule increasing key penalties affecting group health plans. HHS adjusts these penalty amounts for inflation each year to improve their effectiveness and maintain their deterrent effect.
Employer Takeaway: Because these penalties are substantial, employers with group health plans should periodically review their benefit plan administration protocols to ensure full compliance.
Summary of Benefits and Coverage (SBC) (Typically distributed at Open Enrollment)

The Affordable Care Act requires group health plans and health insurance issuers to provide participants and beneficiaries with a summary of benefits and coverage (SBC).
Failure to provide the SBC may now result in a penalty of up to $1,406 per participant or beneficiary (up from $1,362).
Medicare Secondary Payer (MSP)

When Medicare is the secondary payer, employers cannot discourage employees from enrolling in their group health plan and cannot offer any “financial or other incentive” for an individual entitled to Medicare not to enroll or to terminate enrollment in a group health plan that would otherwise be primary. A violation of the prohibition on offering incentives can now trigger penalties of up to $11,524 (up from $11,162). The penalty for insurers, third-party administrators, or fiduciaries of a group health plan that fail to provide information identifying situations where the group health plan is or was primary is now $1,474 (up from $1,428).
HIPAA Privacy and Security Rules

Penalties for a covered entity or business associate violating the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules will depend on the type of violation involved. Penalties are broken down into “tiers” that reflect increasing levels of knowledge about the violation. Each tier carries a minimum and maximum penalty with an annual cap, all of which have increased as follows:
- Tier One: For violations where the covered entity or business associate did not know about the violation (and by exercising reasonable diligence, would not have known about the violation), the penalty amount is between $141 and $71,162 for each violation, with an annual cap of $2,134,831.
- Tier Two: If the violation is due to reasonable cause, the penalty amount is between $1,424 and $71,162 for each violation, with an annual cap of $2,134,831.
- Tier Three: For corrected violations that are caused by willful neglect, the penalty amount is between $14,232 and $71,162 for each violation, with an annual cap of $2,134,831.
- Tier Four: For violations caused by willful neglect that are not corrected, the penalty amount is $71,162 for each violation, with an annual cap of $2,134,831.