Civil Monetary Penalties for HIPAA, MSP, and SBC Violations Updated

The Department of Health and Human Services has announced adjustments of civil monetary penalties for statutes within its jurisdiction. The latest adjustments are based on a cost-of-living increase of 1.07745%. These adjustments are effective for penalties assessed on or after October 6, 2023, for violations occurring on or after November 2, 2015. Following are highlights of the adjustments potentially affecting employee benefit health plans.


The HIPAA administrative simplification provisions encompass standards for privacy, security, breach notification, and electronic health care transactions. HIPAA has four tiers of violations that reflect increasing levels of culpability, with minimum and maximum penalty amounts outlined within each tier and an annual cap on penalties for multiple violations of an identical provision. The newly indexed penalty amounts for each violation of a HIPAA administrative simplification provision are as follows:

Minimum Penalty Maximum Penalty Calendar Year Max
Lack of knowledge
$137 $68,928 $2,067,813
Tier 2
Reasonable cause and not willful neglect
$1,379 $68,928 $2,067,813
Tier 3
Willful neglect, corrected within 30 days
$13,785 $68,928 $2,067,813
Tier 4
Willful neglect, not corrected within 30 days
$68,928 $2,067,813 $2,067,813


Medicare Secondary Payer 

The Medicare Secondary Payer statute prohibits a group health plan from “taking into account” the Medicare entitlement of a current employee or a current employee’s spouse or family member and imposes penalties for violations. The indexed amounts for violations applicable to employer-sponsored health plans are as follows:

Annual Penalty
Offering Incentives
Offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary
Failure to Respond
Failure of responsible reporting entities to provide information identifying situations where the group health plan is primary


Summary of Benefits and Coverage (SBC)

An SBC generally must be provided to participants and beneficiaries before enrollment or re-enrollment in a group health plan.

Per Incident Penalty
Willful Failure
Willful failure to provide an SBC as required


Timing of Penalty Changes

The annual adjustments to penalties are designed to preserve their deterrent effect in the face of inflation. The HHS’s “annual” adjustments are supposed to be made by January 15 of each year, but in practice have come at irregular intervals. The last adjustment was made on March 17, 2022.

Employer Action

These monetary penalties are significant; thus, we recommend that employers assess their group health plan HIPAA compliance program and confirm that policies and procedures are effectively deployed and that HIPAA training is in place for all employees with access to PHI.

As a reminder, Vita provides a HIPAA Compliance Program for group health plans. In addition, a 20-minute Critical HIPAA Training video is available on demand for employees who have access to PHI and need to be trained.


HHS, Annual Civil Monetary Penalties Inflation Adjustment, 45 CFR Part 102, 88 Fed. Reg.69531 (Oct. 6, 2023)


Post a comment