Effective January 1, 2020, annual penalty adjustments increase penalties for HIPAA, Medicare Secondary Payer (MSP) statute and Summary of Benefits (SBC), as reflected below. Plan sponsors should ensure compliance with these requirements, where applicable.
MSP Statute. Prohibits group health plans from considering Medicare entitlement in the offering / structuring of coverage.
| Violation Type | 2019 Penalty Per Violation | 2020 Penalty |
| --- | --- | --- |
| Offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary | $9,239 | $9,472 |
| Willful or repeated failure to provide requested information regarding group health plan coverage | $1,504 | $1,542 |
| Responsible reporting entities that fail to provide information identifying situations where the group health plan is primary | $1,181 | $1,211 |
SBC. Must be provided before enrollment, describing the costs of the plan.
| 2019 Penalty for Each Failure | 2020 Penalty |
| --- | --- |
| $1,128 | $1,156 |
HIPAA. All self-funded plans, including self-funded components such as FSAs and HRAs, must be HIPAA-compliant. See the table below for penalty changes. The calendar-year caps for Tiers 1–3 do not reflect the enforcement reinterpretation announced by HHS in April 2019 (see the Leavitt Group Article), which significantly reduces the penalty caps for those tiers. Additional clarification from HHS is needed to resolve the contradiction. As the article describes, the change in the penalty structure through reinterpretation creates confusion in the regulatory and enforcement world, making HIPAA compliance even more important.
| Violation Tiers | 2019 Penalty Per Violation | Old Cap 2013 – Pre Notice | 2019 Cap Post April 2019 Notice | 2020 Penalty | New 2020 Cap |
| --- | --- | --- | --- | --- | --- |
| No knowledge that HIPAA was being violated | $100 Minimum – $50,000 Maximum (indexed) | $1.5 Million | $25,000 | $117 Minimum – $58,490 Maximum | $1,754,698 |
| Reasonable cause – knew or should have known about the violation had reasonable due diligence been applied, but falls short of willful neglect | $1,000 Minimum – $50,000 Maximum (indexed) | $1.5 Million | $100,000 | $1,170 Minimum – $58,490 Maximum | $1,754,698 |
| Willful neglect – corrected | $10,000 Minimum – $50,000 Maximum (indexed) | $1.5 Million | $250,000 | $11,698 Minimum – $58,490 Maximum | $1,754,698 |
| Willful neglect – not corrected, or not corrected within 30 days/timely | No change | $1.5 Million | $1.5 Million | No change | $1,754,698 |
Action Required
Plan sponsors should ensure compliance with these laws where applicable; specifically, self-funded plans and insured plans that handle Protected Health Information (PHI) directly must be fully HIPAA-compliant (see the Leavitt Articles).
All plans must comply with MSP and SBC requirements. This includes providing SBCs annually reflecting the costs of the plan (see the Leavitt Articles on SBCs).
If not already HIPAA-compliant, now is a great time to start! Begin by assigning a HIPAA Privacy and Security Officer. Your HIPAA Privacy Officer will need to create or update any relevant HIPAA materials, but this change is not significant enough to warrant retraining.
- If you don’t know who your HIPAA Privacy Officer is, or if you do not have one, appoint one and document this role via a job
- Anyone familiar with the compliance of your employee benefits plans may be a HIPAA Privacy Officer, but keep in mind this will be the contact should HHS contact your So, choose someone appropriate.
- Main HIPAA compliance requirements include six major components:
  - Conduct a Risk Analysis
  - Develop and implement policies and procedures
  - Train
  - Use the minimum necessary amount of Protected Health Information (PHI) needed for any uses and disclosures of PHI
  - Use an authorization form when sharing PHI unless for payment, treatment or operation of the plan
  - Provide the Notice of Privacy Practices annually
If already HIPAA-compliant, no action is needed on your part. Clients subject to HIPAA (e.g., self-funded plans and components of plans, such as some Health Savings Accounts (HSA), Flexible Spending Accounts (FSA), Health Reimbursement Arrangements (HRA), Medical Savings Accounts (MSA), Employee Assistance Programs (EAP) and wellness programs) should ensure they are HIPAA-compliant. So good job if you have already done so!
For complete details on these adjustments, see: https://www.federalregister.gov/documents/2019/11/05/2019-23955/annual-civil-monetary-penalties-inflation-adjustment