Updates to Fines for ACA, HIPAA, and MSP Violations

December 20, 2023

Recent updates have been made to the civil penalties for HIPAA violations, ACA requirements, and Medicare Secondary Payer rules. Increases in these fines means it is more important than ever to review your documents and procedures to ensure compliance.

Affordable Care Act (ACA)

Summary of benefits and coverage (SBC):

The maximum penalty for each failure by a health insurance issuer to provide SBCs to covered individuals increases to $1,362 (up from $1,264).

Medical loss ratio (MLR) rules:

The maximum penalty for each failure by a health insurance issuer to comply with MLR reporting and rebate regulations increases to $136 (up from $126).
 

Health Insurance Portability and Accountability Act (HIPAA)

Penalties for HIPAA violations have increased for each violation as well as the annual maximum penalty, as follows.

The minimum penalty for each violation of a particular HIPAA requirement or prohibition:
  • For a covered entity or business associate that did not know — and could not have known by exercising reasonable diligence — about the violation, the minimum penalty is now $137 (up from $127).
  • For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,379 (up from $1,280).
  • For violations due to willful neglect but corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $13,785 (up from $12,794).
  • For violations due to willful neglect and not corrected within 30 days of when the covered entity or business associate knew — or should have known by exercising reasonable diligence — about the violation, the minimum penalty increases to $68,928 (up from $63,973).
The maximum penalty for each violation of a particular HIPAA requirement or prohibition:
  • For violations due to willful neglect and not timely corrected, the maximum penalty increases to $2,067,813 (up from $1,919,173).
  • For all others, the maximum penalty increases to $68,928 (up from $63,973).
Calendar-year penalty cap:

The calendar-year penalty cap increases to $2,067,813 (up from $1,919,173) for all violations of an identical HIPAA provision.
 

Medicare Secondary Payer (MSP)

Penalties for violations of certain MSP rules increase as follows:

Prohibition against financial or other incentives:

The maximum penalty for each eligible individual offered incentives not to enroll in a group health plan that would be primary to Medicare increases to $11,162 (up from $10,360).

Nondisclosure:

For each failure by an insurer, a third-party administrator, or a self-insured/self-administered group health plan's fiduciary to inform HHS about situations in which the plan is or was primary to Medicare, the maximum daily penalty increases to $1,428 (up from $1,325).