The Cost of Employee Benefits Non-Compliance Just Went Up . . . Again
Insights
11.29.21
The U.S. Department of Health & Human Services (HHS) just announced increased penalty amounts for entities that violate the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare secondary payer (MSP) rules barring employers from providing incentives to individuals to drop employer-sponsored coverage in favor of Medicare, or the Summary of Benefits and Coverage (SBC) rules under the Affordable Care Act (ACA). The higher amounts will apply to any penalties assessed after November 15, 2021 for violations occurring after November 2, 2015.
HIPAA
The announcement specifically addresses HIPAA’s four-tiered penalty structure under which the Office for Civil Rights (OCR) will assess an amount that corresponds to the nature of a HIPAA violation. The new amounts are:
| Level of Violation | Minimum* | Maximum* | Calendar Year Maximum |
|---|---|---|---|
| Tier 1 – Lack of Knowledge | $120 | $60,226 | $1,806,757 |
| Tier 2 – Reasonable Cause and Not Willful Neglect | $1,205 | $60,226 | $1,806,757 |
| Tier 3 – Willful Neglect (corrected within 30 days) | $12,045 | $60,226 | $1,806,757 |
| Tier 4 – Willful Neglect (uncorrected within 30 days) | $60,226 | $1,806,757 | $1,806,757 |

\* per occurrence
In 2019, HHS exercised its discretionary authority and issued guidance that lowered the calendar year maximums that it would enforce to $25,000 for Tier 1 violations, $100,000 for Tier 2 violations, and $250,000 for Tier 3 violations (all subject to indexing for inflation). Though its annual penalty update continues to reflect a much higher calendar year maximum, we expect OCR will continue to exercise its discretion and assess the lower amounts for violations within the first three tiers.
Medicare
Medicare imposes restrictions on employers who sponsor group health coverage under which Medicare-eligible individuals may participate. Essentially the rules aim to ensure that Medicare will pay claims secondary to other employer-sponsored coverage for groups of a certain size.
The rules generally work to prevent such employers from taking into account an individual’s Medicare eligibility with regard to coverage under an employer-sponsored plan. Specifically, the rules prohibit an employer from providing an incentive (financial or otherwise) to encourage Medicare-eligible employees to opt out of employer-sponsored coverage in favor of Medicare. Employers found to have provided such an impermissible incentive now face a penalty of up to $9,753 per violation.
SBC
The ACA imposed the SBC disclosure requirement on employer group health plan sponsors and carriers. When individuals enroll or re-enroll in a group health plan, they must receive a formal document that describes critical features of their available plans, so they can make reasonable and informed choices regarding their coverage. Violators who fail to provide SBCs now face penalties of $1,190 per occurrence.
Conclusion
HHS must increase penalties annually to account for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Other agencies tasked with enforcing laws that impact employee benefit plans also must adjust penalty amounts to maintain their deterrent effect. So, the cost of non-compliance will continue to escalate. This latest round of increases should compel employer plan sponsors to consider self-auditing their benefit programs to help prevent burdensome agency audits and potentially crippling penalties.
We will monitor these developments and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information direct to your inbox. If you have further questions, contact your Fisher Phillips attorney, the author of this Insight, or any attorney in our Employee Benefits and Tax Practice Group.