3 min read

Higher HIPAA penalties announced

Higher HIPAA penalties announced

Violating HIPAA rules is now more expensive, as penalty fines will increase due to inflation adjustments recently announced by the Department of Health and Human Services (HHS). Effective August 8, 2024, these changes apply to penalties assessed for violations occurring on or after November 2, 2015, ensuring that HIPAA penalties reflect inflation.

 

Penalties related to HIPAA privacy and security

HIPAA violations related to privacy, security, breach notifications, and electronic healthcare transactions now carry adjusted penalties, calculated by multiplying the previous penalty amounts by the 2024 cost-of-living multiplier of 1.03241, and rounding to the nearest dollar. Here’s a breakdown of the new minimum, maximum, and annual penalty caps for various violations:

 

Minimum penalties

  • No knowledge: The minimum penalty for violations that a covered entity or business associate could not have known, even with reasonable diligence, increases to $141 (up from $137).
  • Reasonable cause: For violations due to reasonable cause, not willful neglect, the minimum penalty rises to $1,424 (up from $1,379).
  • Willful neglect (corrected within 30 days): If willful neglect is identified and the issue is corrected within 30 days, the minimum penalty increases to $14,232 (up from $13,785).
  • Willful neglect (not corrected): When willful neglect is identified and not corrected within the 30-day window, the minimum penalty jumps to $71,162 (up from $68,928).

Maximum penalties

  • The maximum penalty for each violation of a specific HIPAA requirement (excluding willful neglect) is now $71,162 (up from $68,928).
  • For violations involving willful neglect that are not timely corrected, the maximum penalty increases to $2,134,831 (up from $2,067,813).

Annual penalty caps

  • The annual penalty cap has been adjusted to $2,134,831 for all violations of the same HIPAA provision, which increased from $2,067,813. However, these adjustments still do not factor in the enforcement discretion HHS announced in 2019, which lowered the annual penalty caps for most HIPAA violations except those involving willful neglect.

 

Violation 2023 Penalty 2024 Updated Penalty

HIPAA Security and Privacy Rules 

No knowledge (minimum) $137 $141

No knowledge (maximum) $68,928 $71,162

Reasonable cause (minimum) $1,379 $1,424

Reasonable cause (maximum) $68,928 $71,162

Willful neglect, corrected (minimum) $13,785 $14,232

Willful neglect, not corrected (minimum) $68,928 $71,162

Willful neglect, not corrected (maximum) $2,067,813 $2,134,831

Annual penalty caps

Annual penalty cap (All violations of an identical provision) $2,067,813 $2,134,831

Under enforcement discretion (Annual caps)

No knowledge $25,000 Unchanged; $25,000

Reasonable cause $100,000 Unchanged; $100,000

Willful neglect; corrected) $250,000 Unchanged; $250,000

Willful neglect; not corrected $1,500,000 Unchanged; $1,500,000

See also: HIPAA Compliant Email: The Definitive Guide

 

Impact on employers

Affordable Care Act (ACA)

While the recent HHS penalty adjustments focus on HIPAA, they also impact certain rules under the Affordable Care Act (ACA), affecting employer-sponsored group health plans indirectly.

  • Summary of benefits and coverage (SBC): Failure to provide SBCs now carries a penalty of $1,406, an increase from $1,362.
  • Medical loss ratio (MLR) rules: Health insurers failing to comply with MLR reporting and rebate rules face increased penalties, now at $140 per violation, up from $136.

Medicare secondary-payer (MSP) rules

Employers should also be aware of increased penalties for violations related to the Medicare secondary-payer (MSP) rules:

  • Prohibition against incentives not to enroll in Medicare: Employers offering financial or other incentives to encourage Medicare-eligible individuals not to enroll in a primary group health plan can now be penalized up to $11,524 (up from $11,162).
  • Nondisclosure: If a third-party administrator, insurer, or self-insured group health plan fails to notify HHS when the plan is or was primary to Medicare, the maximum daily penalty increases to $1,474 (up from $1,428).

 

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals' medical information, known as protected health information (PHI). HIPAA establishes national standards for healthcare providers, health plans, and their business associates to safeguard sensitive health data. It includes regulations like the Privacy Rule, which controls the use and disclosure of PHI, and the Security Rule, which sets standards for securing electronic PHI (ePHI).

 

What is the role of HHS in enforcing HIPAA penalties?

The Department of Health and Human Services (HHS) is responsible for enforcing HIPAA penalties. Based on the level of non-compliance, HHS assesses the severity of penalties and adjusts for inflation to make sure they stay in force over time.

Related: Who is responsible for enforcing HIPAA?

 

What are ACA penalties, and how do they affect employers?

The Affordable Care Act (ACA) imposes penalties on health insurance issuers and employer plan sponsors for non-compliance with specific requirements.

Go deeper: Understanding the Affordable Care act and HIPAA

 

What are MSP rules?

The Medicare Secondary-Payer (MSP) rules ensure that Medicare is not the primary payer when an individual is eligible for group health insurance.