HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective March 17, 2022 | Practical Law

The Department of Health and Human Services (HHS) has issued final regulations that include the agency's annual inflation adjustments to civil money penalties assessed under its regulations, as required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The final regulations, which are effective March 17, 2022, include updated penalties for certain violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

by Practical Law Employee Benefits & Executive Compensation
Published on 17 Mar 2022
USA (National/Federal)
HHS has issued final regulations containing inflation adjustments to civil money penalties that HHS administers, including penalties for violations of HIPAA's "administrative simplification" rules (87 Fed. Reg. 15100 (Mar. 17, 2022); see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Enforcement: Penalties and Investigations). (Administrative simplification generally refers to HIPAA's privacy, security, and other requirements—including rules to standardize how health plan data is exchanged.)
The inflation adjustments are required under the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Inflation Adjustment Act) (Pub. L. No. 101-410 (1990); Pub. L. No. 114-74 (2015)). The Inflation Adjustment Act revised the method for calculating inflation adjustments for penalty increases and requires HHS to annually adjust its penalties for inflation (under a cost-of-living formula) by January 15 of each year. These changes were intended to:
  • Improve the effectiveness of civil money penalties.
  • Maintain the penalties' deterrent effect.

HHS Penalty Regulations Under the Inflation Adjustment Act

As background, HHS issued interim final regulations (IFRs) in September 2016 that established an initial catch-up for civil money penalties that HHS administers (81 Fed. Reg. 61538 (Sept. 2, 2016); see Legal Update, HHS Increases Penalties for HIPAA Noncompliance, Effective August 1). The adjustments were required to take effect by August 1, 2016, and HHS's interim final regulations were effective on September 6, 2016. In February 2017, HHS published final regulations with HHS's 2017 annual inflation adjustment to its civil money penalties (82 Fed. Reg. 9174 (Feb. 3, 2017)). According to HHS, notice-and-comment rulemaking procedures under the Administrative Procedure Act (APA) are not required for the annual adjustments (5 U.S.C. § 553).

Past and Present Inflation Adjustments

In October 2018, HHS published final regulations containing the 2018 annual inflation adjustment to its civil money penalties (83 Fed. Reg. 51369 (Oct. 11, 2018); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective October 11, 2018).
In November 2019, HHS published final regulations with the 2019 annual inflation adjustment to its civil money penalties (84 Fed. Reg. 59549 (Nov. 5, 2019); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective November 5, 2019).
In January 2020, HHS published final regulations with the 2020 annual inflation adjustment to its civil money penalties (85 Fed. Reg. 2869 (Jan. 17, 2020); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective January 17, 2020).
In November 2021, HHS published final regulations with the 2021 annual inflation adjustment to its civil money penalties (86 Fed. Reg. 62928 (Nov. 15, 2021); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective November 15, 2021).

Effective Date of 2022 Annual Adjustments

The final regulations are effective March 17, 2022. The adjusted penalty amounts apply to penalties assessed on or after March 17, 2022, if the violation occurred on or after November 2, 2015 (that is, the Inflation Adjustment Act's enactment date). The penalty amounts in effect before September 6, 2016, apply if either:
  • The violation occurred before November 2, 2015.
  • The penalty was assessed before September 6, 2016.

Adjustment Process and Calculation

The annual adjustment is based on the Consumer Price Index for All Urban Consumers (CPI-U). In general, an adjustment is calculated using the percent change between:
  • The October CPI-U preceding the date of the adjustment.
  • The prior year's October CPI-U.
The cost-of-living adjustment multiplier for 2022, based on the CPI-U for October 2021 (not seasonally adjusted), is 1.0622 (see OMB Memorandum M-22-07 (Dec. 15, 2021)). To calculate the 2022 annual adjustment, HHS multiplied the most recent penalty amount for each applicable penalty by the multiplier, 1.0622, and rounded to the nearest dollar.

Table of Adjusted Civil Money Penalties

The following table reflects certain of HHS's annual inflation adjustments to the civil money penalties for HHS-administered provisions, which are generally effective March 17, 2022.

| Statutory and Regulatory Provisions | Description of Violation | Adjusted Penalty Amount |
| --- | --- | --- |
| | Pre-February 18, 2009, violations of HIPAA's administrative simplification provisions. (February 18, 2009, was the effective date of certain increased penalties for HIPAA violations under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).) | $174; $43,678 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that a HIPAA covered entity (CE) or business associate (BA) did not know (and by exercising reasonable diligence would not have known) that the CE or BA violated the provision. | $127 (minimum); $63,973 (maximum); $1,919,173 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to reasonable cause and not willful neglect. | $1,280 (minimum); $63,973 (maximum); $1,919,173 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred. | $12,794 (minimum); $63,973 (maximum); $1,919,173 (calendar year cap) |
| | February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred. | $63,973 (minimum); $1,919,173 (maximum); $1,919,173 (calendar year cap) |
| | Failure to provide summaries of benefits and coverage (SBCs), as required under the Affordable Care Act (ACA) (see Practice Note, Summaries of Benefits and Coverage under the ACA). | $1,264 |
| | Violations of the ACA's medical loss ratio reporting and rebating rules (see Legal Update, Guidance on Plan Asset Implications of Medical Loss Ratio Rebates). | $126 |
| CARES Act, Pub. L. No. 116-136, § 3202(b)(2); 45 C.F.R. § 182.70 | Noncompliance by health provider with rule requiring public disclosure of the cash price for COVID-19 diagnostic testing on the provider's public website (see Practice Note, COVID-19 Vaccine and Testing Requirements for Group Health Plans). | $300 per day |
| 42 U.S.C. §§ 300gg-118, 300gg-134 (PHSA §§ 2799A-8, 2799B-4) | Failure to comply with the No Surprises Act's (NSA's) requirements for providers, facilities, and air ambulance service providers (part of the Consolidated Appropriations Act, 2021 (CAA-21)) (see Surprise Medical Billing for Health Plans, Health Insurers, and Health Care Providers and Facilities Toolkit). | $10,622 |
| | An employer or other entity offering any financial or other incentive for an individual entitled to benefits not to enroll under a group health plan or large group health plan that would be a primary plan. | $10,360 |
| | Failure of an entity serving as an insurer, third-party administrator (TPA), or fiduciary for a group health plan to provide information identifying situations where the group health plan is (or was) a primary plan to Medicare to HHS. | $1,325 |
| | Failure to comply with ACA requirements addressing risk adjustment, reinsurance, risk corridors; penalty for violations of rules or standards of behavior associated with insurer participation in the ACA's health insurance exchanges (see Article, Health Insurance Exchange and Related Requirements Under the ACA). | $174 |
| | Providing false information on an exchange application. | $31,616 |
| | Knowingly or willfully providing false information on an exchange application. | $316,155 |