
Self-funded Plans Beware! Penalties for HIPAA Violations Increase


The U.S. Department of Health and Human Services (HHS) has released its inflation-adjusted civil monetary penalties for violations of the HIPAA Privacy and Security Rules. The new amounts apply to penalties assessed on or after October 6, 2023.

Because HIPAA’s penalties are substantial, employers with group health plans should periodically review their compliance with the Privacy and Security Rules. See the prior Leavitt Group article from the last time penalties were changed in 2019.

Increased Penalties

Potential penalties for HIPAA violations depend on the type of violation involved. Penalties are broken down into “tiers” that reflect increasing levels of culpability. Each tier carries a minimum and maximum penalty, all of which have increased as follows:

  • For violations where the covered entity or business associate did not know about the violation (and by exercising reasonable diligence, would not have known about the violation), the penalty amount is between $137 and $68,928 for each violation.
  • If the violation is due to reasonable cause, the penalty amount is between $1,379 and $68,928 for each violation.
  • For corrected violations that are caused by willful neglect, the penalty amount is between $13,785 and $68,928 for each violation.
  • For violations caused by willful neglect that are not corrected, the penalty amount is $68,928 for each violation, with an annual cap of $2,067,813.

HIPAA Enforcement

HHS’ Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. When OCR determines that a HIPAA violation has occurred, it will often pursue a resolution agreement rather than imposing civil penalties. A resolution agreement typically requires a covered entity or business associate to take corrective action and pay a settlement amount, which is usually much less than the applicable penalty amount. However, if the covered entity or business associate does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil penalties.

Common HIPAA Violations

According to HHS, the compliance problems most frequently reported under HIPAA are:

  • Impermissible uses or disclosures of protected health information (PHI)
  • Lack of safeguards on PHI
  • Lack of patient access to their PHI
  • Lack of administrative safeguards for electronic PHI
  • Use or disclosure of more than the minimum necessary PHI

Action Required

Plan sponsors should ensure compliance with these applicable laws; specifically, self-funded plans and insured plans that are hands-on with Protected Health Information (PHI) must be fully HIPAA-compliant (see the Leavitt Articles).

If not already HIPAA-compliant, now is a great time to start! Start with assigning a HIPAA Privacy and Security Officer. Your HIPAA Privacy Officer will need to create or update any relevant HIPAA materials, but this change is not significant enough to warrant retraining.

  • In case you don’t know who your HIPAA Privacy Officer is or if you do not have one, appoint one and document this role via a job description.
  • Anyone familiar with the compliance of your employee benefits plans may be a HIPAA Privacy Officer, but keep in mind that this person will be the contact should HHS contact your organization. So, choose someone appropriate.
  • Main HIPAA compliance requirements include six major components:
    1. Conduct a Risk Analysis
    2. Develop and implement policies and procedures
    3. Train
    4. Use the minimum necessary amount of Protected Health Information (PHI) needed for any uses and disclosures of PHI
    5. Use an authorization form when sharing PHI unless for payment, treatment or operation of the plan
    6. Provide annually the Notice of Privacy Practices

If already HIPAA-compliant, no action is needed on your part. Clients subject to HIPAA (e.g., self-funded plans and components of plans, such as some Health Savings Accounts (HSA), Flexible Spending Accounts (FSA), Health Reimbursement Arrangements (HRA), Medical Savings Accounts (MSA), Employee Assistance Programs (EAP) and wellness programs) should ensure they are HIPAA-compliant. So good job if you have already done so!

Be sure to work with your Leavitt Group Trusted Advisor for all of your HIPAA compliance needs. We have everything you need to be HIPAA-compliant. Let us help!

Subscribe to our news alerts to stay abreast of any changes to these and other important employee benefits and employment law changes. If you are not already subscribed to receive Leavitt Group compliance updates, click here to subscribe.


Source: Some content by Zywave. Leavitt Group Employee Benefits team contributions.