
Increased Civil Penalty Amounts for SBC, MSP, HIPAA Violations


On Jan. 28, 2026, the U.S. Department of Health and Human Services (HHS) published a final rule increasing key penalties affecting group health plans.

HHS adjusts these penalty amounts for inflation each year to maintain their effectiveness and deterrent value (although the last adjustment before this one was made in 2024). Because these penalties are substantial, health insurers and employers sponsoring group health plans should periodically review their benefit plan administration protocols to ensure full compliance.

Effective Dates

  • Jan. 28, 2026: The adjusted penalty amounts apply to SBC, MSP and HIPAA privacy and security violations assessed on or after this date.
  • Nov. 2, 2015: The adjusted penalty amounts apply only if the SBC, MSP or HIPAA privacy and security violation occurred on or after this date.

Summary of Benefits and Coverage (SBC)

The Affordable Care Act requires group health plans and health insurance issuers to provide participants and beneficiaries with an SBC. A health insurer’s or non-federal governmental health plan’s failure to provide the SBC may now result in a penalty of up to $1,443 per participant or beneficiary (up from $1,406), the same penalty amount that currently applies to ERISA-covered group health plans.

Medicare Secondary Payer (MSP)

When Medicare is the secondary payer, employers cannot discourage employees from enrolling in their group health plan and cannot offer any “financial or other incentive” for an individual entitled to Medicare not to enroll in, or to terminate enrollment in, a group health plan that would otherwise be primary. A violation of the prohibition on offering incentives can now trigger penalties of up to $11,823 (up from $11,524). The penalty for insurers, third-party administrators or fiduciaries of a group health plan that fail to provide information identifying situations in which the group health plan is or was primary is now $1,512 (up from $1,474).

HIPAA Privacy and Security Rules

Penalties for a covered entity or business associate that violates the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules depend on the type of violation involved. Penalties are broken down into “tiers” that reflect increasing levels of culpability, based on what the entity knew (or should have known) about the violation and whether it was corrected. Each tier carries a minimum and maximum penalty per violation as well as an annual cap, all of which have increased as follows:

  • Tier One: For violations where the covered entity or business associate did not know about the violation (and by exercising reasonable diligence, would not have known about the violation), the penalty amount is between $145 and $73,011 for each violation, with an annual cap of $2,190,294.
  • Tier Two: If the violation is due to reasonable cause, the penalty amount is between $1,461 and $73,011 for each violation, with an annual cap of $2,190,294.
  • Tier Three: For corrected violations that are caused by willful neglect, the penalty amount is between $14,602 and $73,011 for each violation, with an annual cap of $2,190,294.
  • Tier Four: For violations caused by willful neglect that are not corrected, the penalty amount is between $73,011 and $2,190,294 for each violation, with an annual cap of $2,190,294.

Contact SSG for additional questions.