Increased Civil Penalty Amounts for SBC, MSP and HIPAA Violations


Effective Nov. 15, 2021, the U.S. Department of Health and Human Services (HHS) has increased the following key penalties affecting group health plans:


Summary of Benefits and Coverage (SBC): Failure to provide group health plan participants and beneficiaries with an SBC may now result in a penalty of up to $1,190 per participant or beneficiary.


Medicare Secondary Payer (MSP): Offering Medicare beneficiaries financial or other benefits as incentives not to enroll in or to terminate enrollment in a group health plan that would otherwise be primary to Medicare will now trigger penalties of up to $9,753.


HIPAA privacy and security rules: Penalties for a covered entity or business associate violating the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules will depend on the type of violation involved. Penalties are broken down into “tiers” that reflect increasing levels of knowledge about the violation. Each tier carries a minimum and maximum penalty with an annual cap, all of which have increased as follows:


  • Tier one: Minimum penalty $120, maximum penalty $60,226, annual cap $1,806,757
  • Tier two: Minimum penalty $1,205, maximum penalty $60,226, annual cap $1,806,757
  • Tier three: Minimum penalty $12,045, maximum penalty $60,226, annual cap $1,806,757
  • Tier four: Minimum penalty $60,226, maximum penalty and annual cap $1,806,757


Employers should become familiar with the new penalty amounts and review their benefit plan administration protocols to ensure full compliance.