The Department of Health and Human Services (HHS) released inflation-adjusted increases for certain HHS-related penalties, including those for violations of the Health Insurance Portability and Accountability Act (HIPAA) rules and the Medicare Secondary Payer rules[1].
These adjustments are effective for penalties assessed on or after January 28, 2026, for violations occurring on or after November 2, 2015.
The reference table below highlights the inflation-adjusted HHS penalty increases directly (or indirectly) impacting employer-sponsored group health plans:
| HHS Enforcement Item | Violation | 2026 Penalty | 2024 Penalty (Prior)[2] |
|---|---|---|---|
| HIPAA | Violation of a HIPAA administrative simplification provision due to lack of knowledge[3] (Tier 1) | $145 minimum | $141 minimum |
| | | $73,011 maximum | $71,162 maximum |
| | | $2,190,294 calendar year cap | $2,134,831 calendar year cap |
| HIPAA | Violation of a HIPAA administrative simplification provision due to reasonable cause and not willful neglect (Tier 2) | $1,461 minimum | $1,424 minimum |
| | | $73,011 maximum | $71,162 maximum |
| | | $2,190,294 calendar year cap | $2,134,831 calendar year cap |
| HIPAA | Violation of a HIPAA administrative simplification provision due to willful neglect and corrected within 30 day period[4] (Tier 3) | $14,602 minimum | $14,232 minimum |
| | | $73,011 maximum | $71,162 maximum |
| | | $2,190,294 calendar year cap | $2,134,831 calendar year cap |
| HIPAA | Violation of a HIPAA administrative simplification provision due to willful neglect and not corrected within 30 day period[5] (Tier 4) | $73,011 minimum | $71,162 maximum |
| | | $2,190,294 maximum | $2,134,831 maximum |
| | | $2,190,294 calendar year cap | $2,134,831 calendar year cap |
| Medicare Secondary Payer | An employer or other entity offering financial incentives to individuals entitled to Medicare not to enroll in a plan that would otherwise be primary | $11,823 | $11,524 |
| Medicare Secondary Payer | Failure by an insurer, third-party administrator, or group health plan fiduciary to provide information to the HHS Secretary identifying situations where the group health plan is or was a primary plan to Medicare | $1,512 | $1,474 |
| Affordable Care Act | Failure to provide a Summary of Benefits and Coverage (SBC) | $1,443 | $1,406 |

Employers should consider reviewing their plan practices and processes for compliance with applicable HHS requirements in an effort to avoid these penalties.
As a reminder:
In addition to applicable HHS penalties, group health plans governed under the Employee Retirement Income Security Act of 1974 (ERISA) are also subject to annually adjusted Department of Labor penalties.
[1] The Medicare Secondary Payer statute prohibits a group health plan from “taking into account” the Medicare entitlement of a current employee or a current employee’s spouse or family member and imposes penalties for violations.
[2] Note that the last prior adjustment of these penalties was made on August 8, 2024.
[3] HIPAA administrative simplification comprises standards for privacy, security, breach notification, and electronic health care transactions.
[4] The 30-day period runs from when the covered entity knew, or would have known by exercising reasonable diligence, about the violation.
[5] The 30-day period runs from when the covered entity knew, or would have known by exercising reasonable diligence, about the violation.