The Department of Health and Human Services (“HHS”) has published updated civil penalties. The new penalty amounts, which became effective March 17, 2022, apply to violations occurring on or after November 5, 2021 and are based on an annual inflation factor of 1.06222. Below is a summary of the key penalties.
HIPAA. The so-called HIPAA “Administrative Simplification” rules establish standards to maintain the privacy and security of protected health information (i.e., “PHI”) in electronic transactions. The rules apply to “covered entities,” including health care providers, health care clearinghouses, and health plans, as well as business associates. In the event of a breach of unsecured health information of individuals, examples of noncompliance with the administrative simplification rules include: (i) failure to provide notification of the breach to affected individuals; and (ii) failure to notify the media and HHS in certain circumstances.
The civil penalties that became effective on March 17, 2022, for violations of the HIPAA Administrative Simplification rules are tiered, as follows:
| Minimum | Maximum | Calendar Year Cap | |
| Entity did not know, and would not have known through exercising reasonable diligence, of violation | 127 (up from $120) | $63,973 | $1,919,173 |
| Violation due to reasonable cause and not willful neglect | $1,280 (up from $1,205) | $63,973 | $1,919,173 |
| Violation due to willful neglect, but corrected within 30 days of when entity discovered (or should have discovered) violation | $12,794 (up from $12,045) | $63,973 | $1,919,173 |
| Violation due to willful neglect and not corrected within 30 days of when entity discovered (or should have discovered) violation | $63,973 up from $60,226) | $1,919,173 | $1,919,173 |
Summary of Benefits and Coverage. Certain welfare plans covered by the ACA must provide a written Summary of Benefits and Coverage (“SBC”) to plan participants. The requirement applies to group health plans, including grandfathered plans, whether insured or self-funded.
Failure to provide the SBC could result in HHS penalties, as well as penalties imposed by the DOL and IRS. HHS’s maximum adjusted civil penalty for failure to provide the SBC has increased to $1,264 per failure (up from $1,190).