HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective October 6, 2023 | Practical Law

The Department of Health and Human Services (HHS) has issued final regulations that include the agency's annual inflation adjustments to civil money penalties assessed under its regulations, as required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The final regulations, which are effective October 6, 2023, include updated penalties for certain violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

by Practical Law Employee Benefits & Executive Compensation
Published on 06 Oct 2023
USA (National/Federal)
HHS has issued its inflation adjustments to civil money penalties that the agency administers, including penalties for violations of HIPAA's "administrative simplification" rules (88 Fed. Reg. 69531 (Oct. 6, 2023); see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Enforcement: Penalties and Investigations). Administrative simplification generally refers to HIPAA's privacy, security, and other requirements—including rules to standardize how health plan data is exchanged.
The inflation adjustments are required under the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Inflation Adjustment Act) (Pub. L. No. 101-410 (1990); Pub. L. No. 114-74 (2015)). The Inflation Adjustment Act revised the method for calculating inflation adjustments for penalty increases and requires HHS to annually adjust its penalties for inflation (under a cost-of-living formula) by January 15 of each year. These changes were intended to:
  • Improve the effectiveness of civil money penalties.
  • Maintain the penalties' deterrent effect.

HHS Penalty Regulations Under Inflation Adjustment Act

As background, HHS issued interim final regulations (IFRs) in September 2016 that established an initial catch-up for civil money penalties that HHS administers (81 Fed. Reg. 61538 (Sept. 2, 2016); see Legal Update, HHS Increases Penalties for HIPAA Noncompliance, Effective August 1). The adjustments were required to take effect by August 1, 2016, and HHS's interim final regulations were effective on September 6, 2016. In February 2017, HHS published final regulations with HHS's 2017 annual inflation adjustment to its civil money penalties (82 Fed. Reg. 9174 (Feb. 3, 2017)). According to HHS, notice-and-comment rulemaking procedures under the Administrative Procedure Act (APA) are not required for the annual adjustments (5 U.S.C. § 553).

HHS Inflation Adjustments from Recent Years

In October 2018, HHS published final regulations containing the 2018 annual inflation adjustment to its civil money penalties (83 Fed. Reg. 51369 (Oct. 11, 2018); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective October 11, 2018).
In November 2019, HHS published final regulations with the 2019 annual inflation adjustment to its civil money penalties (84 Fed. Reg. 59549 (Nov. 5, 2019); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective November 5, 2019).
In January 2020, HHS published final regulations with the 2020 annual inflation adjustment to its civil money penalties (85 Fed. Reg. 2869 (Jan. 17, 2020); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective January 17, 2020).
In November 2021, HHS published final regulations with the 2021 annual inflation adjustment to its civil money penalties (86 Fed. Reg. 62928 (Nov. 15, 2021); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective November 15, 2021).
In March 2022, HHS published final regulations with the 2022 annual inflation adjustment to its civil money penalties (87 Fed. Reg. 15100 (Mar. 17, 2022); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective March 17, 2022).

Effective Date of 2023 Annual Adjustments

The latest penalty adjustments are effective October 6, 2023. The adjusted penalty amounts apply to penalties assessed on or after October 6, 2023, if the violation occurred on or after November 2, 2015 (that is, the Inflation Adjustment Act's enactment date). The penalty amounts in effect before September 6, 2016, apply if either:
  • The violation occurred before November 2, 2015.
  • The penalty was assessed before September 6, 2016.

Adjustment Process and Calculation

The annual adjustment is based on the Consumer Price Index for All Urban Consumers (CPI-U). In general, an adjustment is calculated using the percent change between:
  • The October CPI-U preceding the date of the adjustment.
  • The prior year's October CPI-U.
The cost-of-living adjustment multiplier for 2023, based on the CPI-U for October 2022 (not seasonally adjusted), is 1.07745 (see OMB Memorandum M-23-05 (Dec. 15, 2022)). To calculate the 2023 annual adjustment, HHS multiplied the most recent penalty amount for each applicable penalty by the multiplier, 1.07745, and rounded to the nearest dollar.

Table of Adjusted Civil Money Penalties

The following table reflects certain of HHS's annual inflation adjustments to the civil money penalties for HHS-administered provisions, which are generally effective October 6, 2023.
| Statutory and Regulatory Provisions | Description of Violation | Adjusted Penalty Amount |
| --- | --- | --- |
| | Pre-February 18, 2009, violations of HIPAA's administrative simplification provisions. (February 18, 2009, was the effective date of certain increased penalties for HIPAA violations under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).) | $187; $47,061 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that a HIPAA covered entity (CE) or business associate (BA) did not know (and by exercising reasonable diligence would not have known) that the CE or BA violated the provision. | $137 (minimum); $68,928 (maximum); $2,067,813 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to reasonable cause and not willful neglect. | $1,379 (minimum); $68,928 (maximum); $2,067,813 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred. | $13,785 (minimum); $68,928 (maximum); $2,067,813 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred. | $68,928 (minimum); $2,067,813 (maximum); $2,067,813 (calendar year cap) |
| | Failure to provide summaries of benefits and coverage (SBCs), as required under the Affordable Care Act (ACA) (see Practice Note, Summaries of Benefits and Coverage Under the ACA). | $1,362 |
| | Violations of the ACA's medical loss ratio reporting and rebating rules (see Legal Update, Guidance on Plan Asset Implications of Medical Loss Ratio Rebates). | $136 |
| CARES Act, Pub. L. No. 116-136, § 3202(b)(2); 45 C.F.R. § 182.70 | Noncompliance by health provider with rule requiring public disclosure of the cash price for COVID-19 diagnostic testing on the provider's public website (see Practice Note, COVID-19 Vaccine and Testing Requirements for Group Health Plans). | $323 per day |
| 42 U.S.C. §§ 300gg-118, 300gg-134 (PHSA §§ 2799A-8, 2799B-4) | Failure to comply with the surprise medical billing requirements for providers, facilities, and air ambulance services providers under the No Surprises Act (NSA) (part of the Consolidated Appropriations Act, 2021 (CAA-21)) (see Surprise Medical Billing for Health Plans, Health Insurers, and Health Care Providers and Facilities Toolkit). | $11,445 |
| | Penalty for an employer or other entity that offers any financial or other incentive for an individual who is entitled to benefits not to enroll under a group health plan or large group health plan that would be a primary plan. | $11,162 |
| | Failure of an entity serving as an insurer, third-party administrator (TPA), or fiduciary for a group health plan to provide information identifying situations where the group health plan is, or was, a primary plan (relative to Medicare) to HHS. | $1,428 |
| | Failure to comply with ACA requirements addressing risk adjustment, reinsurance, risk corridors; penalty for violations of rules or standards of behavior associated with insurer participation in the ACA's health insurance exchanges (see Article, Health Insurance Exchange and Related Requirements Under the ACA). | $187 |
| | Providing false information on an exchange application. | $34,065 |
| | Knowingly or willfully providing false information on an exchange application. | $340,641 |
| | Penalty for each day, for each individual affected by the failure of a health insurer or non-federal governmental group health plan to comply with certain federal market reforms under the PHSA. | $177 |