Employee Benefits Compliance

HHS Annual Adjustments to Penalties for HIPAA, Medicare Secondary Payer (MSP) and Summary of Benefits and Coverage (SBC) Noncompliance


Effective January 1, 2020, annual penalty adjustments increase the penalties for HIPAA, Medicare Secondary Payer (MSP) statute and Summary of Benefits and Coverage (SBC) noncompliance, as reflected below. Plan sponsors should ensure compliance with these requirements, where applicable.

MSP Statute. Prohibits group health plans from considering Medicare entitlement in the offering or structuring of coverage.

Violation Type | 2019 Penalty Per Violation | 2020 Penalty
Offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary |  | 
Willful or repeated failure to provide requested information regarding group health plan coverage |  | 
Responsible reporting entities that fail to provide information identifying situations where the group health plan is primary |  | 

SBC. Must be provided before enrollment, describing the costs of the plan.

2019 Penalty for Each Failure | 2020 Penalty
 | 

HIPAA. All self-funded plans, including self-funded components such as FSAs and HRAs, must be HIPAA-compliant. See the table below for penalty changes. The calendar-year caps for Tiers 1–3 do not reflect the enforcement reinterpretation announced by HHS in April 2019 (see the Leavitt Group article), which significantly reduces the penalty caps for those tiers. Additional clarification from HHS is needed to resolve the contradiction. As the article describes, changing the penalty structure through reinterpretation creates confusion in the regulatory and enforcement world, making HIPAA compliance even more important.

Violation Tier | 2019 Penalty Per Violation | Old Cap (2013, Pre-Notice) | 2019 Cap (Post April 2019 Notice) | 2020 Penalty | New 2020 Cap
No Knowledge (that HIPAA was being violated) | $100 Minimum – $50,000 Maximum | $1.5 Million | $25,000 | $117 Minimum – $58,490 Maximum | 
Reasonable Cause (knew or should have known about the violation had reasonable due diligence been applied, but falls short of willful neglect) | $1,000 Minimum – $50,000 Maximum | $1.5 Million | $100,000 | $1,170 Minimum – $58,490 Maximum | 
Willful neglect – corrected | $10,000 Minimum – $50,000 Maximum | $1.5 Million | $250,000 | $11,698 Minimum – $58,490 Maximum | 
Willful neglect – not corrected (or not corrected within 30 days/timely) | No change | $1.5 Million | $1.5 Million | No change | $1,754,698


Action Required

Plan sponsors should ensure compliance with these applicable laws; specifically, self-funded plans and insured plans that are hands-on with Protected Health Information (PHI) must be fully HIPAA-compliant (see the Leavitt Articles).

All plans must comply with MSP and SBC requirements. This includes providing SBCs annually reflecting the costs of the plan (see the Leavitt Articles on SBCs).

If not already HIPAA-compliant, now is a great time to start! Begin by assigning a HIPAA Privacy and Security Officer. Your HIPAA Privacy Officer will need to create or update any relevant HIPAA materials, but this change is not significant enough to warrant retraining.

  • In case you don’t know who your HIPAA Privacy Officer is or if you do not have one, appoint one and document this role via a job
  • Anyone familiar with the compliance of your employee benefits plans may be a HIPAA Privacy officer but keep in mind this will be the contact should HHS contact your So, choose someone appropriate.
  • Main HIPAA compliance requirements include six major components:
  1. Conduct a Risk Analysis
  2. Develop and implement policies and procedures
  3. Train
  4. Use the minimum necessary amount of Protected Health Information (PHI) needed for any uses and disclosures of PHI
  5. Use an authorization form when sharing PHI unless for payment, treatment or operation of the plan
  6. Provide annually the Notice of Privacy Practices

If already HIPAA-compliant, no action is needed on your part. Clients subject to HIPAA (e.g., self-funded plans and components of plans, such as some Health Savings Accounts (HSAs), Flexible Spending Accounts (FSAs), Health Reimbursement Arrangements (HRAs), Medical Savings Accounts (MSAs), Employee Assistance Programs (EAPs) and wellness programs) should ensure they are HIPAA-compliant. So good job if you have already done so!

For complete details on these adjustments, see: https://www.federalregister.gov/documents/2019/11/05/2019-23955/annual-civil-monetary-penalties-inflation-adjustment