On January 28, 2026, HHS announced the inflation-adjusted penalty amounts related to violations of Summary of Benefits and Coverage (SBC), Medicare Secondary Payer (MSP), and HIPAA Privacy and Security Rule requirements. These new penalty amounts are calculated based on a cost-of-living increase of 1.02598% and are applied to penalties assessed on or after August 8, 2024, for violations occurring on or after January 28, 2026.
Summary of Benefits and Coverage (SBC)
The ACA requires insurers and group health plan sponsors to provide SBCs to eligible employees and their beneficiaries before enrollment or re-enrollment in a group health plan. The maximum penalty for a health insurer or plan's failure to provide an SBC has increased from $1,406 to $1,443 per failure.
Medicare Secondary Payer (MSP) Rules
The MSP provisions prohibit employers and insurers from offering Medicare beneficiaries financial or other benefits as incentives to waive or terminate group health plan coverage that would otherwise be primary to Medicare. The failure to comply with the MSP rules has increased from $11,524 to $11,823.
In addition, the maximum daily penalty for the failure of an insurer, self-insured group health plan, or a TPA to inform HHS when the plan is or was primary to Medicare has increased from $1,474 to $1,512.
HHS Administrative Simplification
The HIPAA administrative simplification regulations provide standards for privacy, security, breach notification, and electronic healthcare transactions to protect the privacy of individuals' health information.
The penalty amounts vary depending on a violator’s level of culpability and are broken down by HIPAA's four-tiered penalty structure, as summarized in the following chart:
| Level of Violation | Previous Penalty Amounts | Effective for Penalties Assessed on or After January 28, 2026 | ||||
|---|---|---|---|---|---|---|
| Min | Max | Calendar Year Cap | Min | Max | Calendar Year Cap | |
| Lack of knowledge | $141 | $71,162 | $2,134,831 | $145 | $73,011 | $2,190,294 |
| Reasonable cause and not willful neglect | $1,424 | $71,162 | $2,134,831 | $1,461 | $73,011 | $2,190,294 |
| Willful neglect, corrected within 30 days | $14,232 | $71,162 | $2,134,831 | $14,602 | $73,011 | $2,190,294 |
| Willful neglect, not corrected | $71,162 | $2,134,831 | $2,134,831 | $73,011 | $2,190,294 | $2,190,294 |
Employer Takeaway
Employers should review their compliance with SBC, MSP, and HIPAA requirements to help reduce the likelihood of agency audits or potential penalties. For further information on compliance with HIPAA privacy and security requirements, please ask your broker or consultant for a copy of the NFP publication HIPAA Privacy and Security for Group Health Plans: A Guide for Employers. The DOL is expected to release the adjusted 2026 ERISA penalty amounts within the coming weeks.
For the full description of the penalties described, see the HHS, Annual Civil Monetary Penalties Inflation Adjustment, 45 CFR Part 102, 91 Fed. Reg. 3665.