e-CFR banner

Home
gpo.gov
govinfo.gov

e-CFR Navigation Aids

Browse

Simple Search

Advanced Search

 — Boolean

 — Proximity

 

Search History

Search Tips

Corrections

Latest Updates

User Info

FAQs

Agency List

Incorporation By Reference

eCFR logo

Related Resources

 

Electronic Code of Federal Regulations

e-CFR data is current as of March 26, 2020

Title 45Subtitle ASubchapter BPart 150 → Subpart C


Title 45: Public Welfare
PART 150—CMS ENFORCEMENT IN GROUP AND INDIVIDUAL INSURANCE MARKETS


Subpart C—CMS Enforcement With Respect to Issuers and Non-Federal Governmental Plans—Civil Money Penalties


Contents
§150.301   General rule regarding the imposition of civil money penalties.
§150.303   Basis for initiating an investigation of a potential violation.
§150.305   Determination of entity liable for civil money penalty.
§150.307   Notice to responsible entities.
§150.309   Request for extension.
§150.311   Responses to allegations of noncompliance.
§150.313   Market conduct examinations.
§150.315   Amount of penalty—General.
§150.317   Factors CMS uses to determine the amount of penalty.
§150.319   Determining the amount of the penalty—mitigating circumstances.
§150.321   Determining the amount of penalty—aggravating circumstances.
§150.323   Determining the amount of penalty—other matters as justice may require.
§150.325   Settlement authority.
§150.341   Limitations on penalties.
§150.343   Notice of proposed penalty.
§150.345   Appeal of proposed penalty.
§150.347   Failure to request a hearing.

§150.301   General rule regarding the imposition of civil money penalties.

If any health insurance issuer that is subject to CMS's enforcement authority under §150.101(b)(2), or any non-Federal governmental plan (or employer that sponsors a non-Federal governmental plan) that is subject to CMS's enforcement authority under §150.101(b)(1), fails to comply with PHS Act requirements, it may be subject to a civil money penalty as described in this subpart.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.303   Basis for initiating an investigation of a potential violation.

(a) Information. Any information that indicates that any issuer may be failing to meet the PHS Act requirements or that any non-Federal governmental plan that is a group health plan as defined in section 2791(a)(1) of the PHS Act and 45 CFR §144.103 may be failing to meet an applicable HIPAA requirement, may warrant an investigation. CMS may consider, but is not limited to, the following sources or types of information:

(1) Complaints.

(2) Reports from State insurance departments, the National Association of Insurance Commissioners, and other Federal and State agencies.

(3) Any other information that indicates potential noncompliance with PHS Act requirements.

(b) Who may file a complaint. Any entity or individual, or any entity or personal representative acting on that individual's behalf, may file a complaint with CMS if he or she believes that a right to which the aggrieved person is entitled under PHS Act requirements is being, or has been, denied or abridged as a result of any action or failure to act on the part of an issuer or other responsible entity as defined in §150.305.

(c) Where a complaint should be directed. A complaint may be directed to any CMS regional office.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.305   Determination of entity liable for civil money penalty.

If a failure to comply is established under this part, the responsible entity, as determined under this section, is liable for any civil money penalty imposed.

(a) Health insurance issuer is responsible entity—(1) Group health insurance policy. To the extent a group health insurance policy issued, sold, renewed, or offered to a private plan sponsor or a non-Federal governmental plan sponsor is subject to applicable PHS Act requirements, a health insurance issuer is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraphs (b) or (c) of this section, if the policy itself or the manner in which the policy is marketed or administered fails to comply with an applicable HIPAA requirement.

(2) Individual health insurance policy. To the extent an individual health insurance policy is subject to an applicable HIPAA requirement, a health insurance issuer is subject to a civil money penalty if the policy itself, or the manner in which the policy is marketed or administered, violates any applicable HIPAA requirement.

(b) Non-Federal governmental plan is responsible entity—(1) Basic rule. If a non-Federal governmental plan is sponsored by two or more employers and fails to comply with an applicable HIPAA requirement, the plan is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraph (a) of this section. The plan is the responsible entity irrespective of whether the plan is administered by a health insurance issuer, an employer sponsoring the plan, or a third-party administrator.

(2) Exception. In the case of a non-Federal governmental plan that is not provided through health insurance coverage, this paragraph (b) does not apply to the extent that the non-Federal governmental employers have elected under §146.180 to exempt the plan from applicable PHS Act requirements.

(c) Employer is responsible entity—(1) Basic rule. If a non-Federal governmental plan is sponsored by a single employer and fails to comply with an applicable HIPAA requirement, the employer is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraph (a) of this section. The employer is the responsible entity irrespective of whether the plan is administered by a health insurance issuer, the employer, or a third-party administrator.

(2) Exception. In the case of a non-Federal governmental plan that is not provided through health insurance coverage, this paragraph (c) does not apply to the extent the non-Federal governmental employer has elected under §146.180 to exempt the plan from applicable PHS Act requirements.

(d) Actions or inactions of agent. A principal is liable for penalties assessed for the actions or inactions of its agent.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.307   Notice to responsible entities.

If an investigation under §150.303 indicates a potential violation, CMS provides written notice to the responsible entity or entities identified under §150.305. The notice does the following:

(a) Describes the substance of any complaint or other information.

(b) Provides 30 days from the date of the notice for the responsible entity or entities to respond with additional information, including documentation of compliance as described in §150.311.

(c) States that a civil money penalty may be assessed.

[64 FR 45795, Aug. 20, 1999, as amended at 70 FR 71023, Nov. 25, 2005]

§150.309   Request for extension.

In circumstances in which an entity cannot prepare a response to CMS within the 30 days provided in the notice, the entity may make a written request for an extension from CMS detailing the reason for the extension request and showing good cause. If CMS grants the extension, the responsible entity must respond to the notice within the time frame specified in CMS's letter granting the extension of time. Failure to respond within 30 days, or within the extended time frame, may result in CMS's imposition of a civil money penalty based upon the complaint or other information alleging or indicating a violation of PHS Act requirements.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.311   Responses to allegations of noncompliance.

In determining whether to impose a civil money penalty, CMS reviews and considers documentation provided in any complaint or other information, as well as any additional information provided by the responsible entity to demonstrate that it has complied with PHS Act requirements. The following are examples of documentation that a potential responsible entity may submit for CMS's consideration in determining whether a civil money penalty should be assessed and the amount of any civil money penalty:

(a) Any individual policy, group policy, certificate of insurance, application, rider, amendment, endorsement, certificate of creditable coverage, advertising material, or any other documents if those documents form the basis of a complaint or allegation of noncompliance, or the basis for the responsible entity to refute the complaint or allegation.

(b) Any other evidence that refutes an alleged noncompliance.

(c) Evidence that the entity did not know, and exercising due diligence could not have known, of the violation.

(d) Documentation that the policies, certificates of insurance, or non-Federal governmental plan documents have been amended to comply with PHS Act requirements either by revision of the contracts or by the development of riders, amendments, or endorsements.

(e) Documentation of the entity's issuance of conforming policies, certificates of insurance, plan documents, or amendments to policyholders or certificate holders before the issuance of the notice to the responsible entity or entities described in §150.307.

(f) Evidence documenting the development and implementation of internal policies and procedures by an issuer, or non-Federal governmental health plan or employer, to ensure compliance with PHS Act requirements. Those policies and procedures may include or consist of a voluntary compliance program. Any such program should do the following:

(1) Effectively articulate and demonstrate the fundamental mission of compliance and the issuer's, or non-Federal governmental health plan's or employer's, commitment to the compliance process.

(2) Include the name of the individual in the organization responsible for compliance.

(3) Include an effective monitoring system to identify practices that do not comply with PHS Act requirements and to provide reasonable assurance that fraud, abuse, and systemic errors are detected in a timely manner.

(4) Address procedures to improve internal policies when noncompliant practices are identified.

(g) Evidence documenting the entity's record of previous compliance with HIPAA requirements.

[64 FR 45795, Aug. 20, 1999, as amended at 70 FR 71023, Nov. 25, 2005; 78 FR 13440, Feb. 27, 2013]

§150.313   Market conduct examinations.

(a) Definition. A market conduct examination means the examination of health insurance operations of an issuer, or the operation of a non-Federal governmental plan, involving the review of one or more (or a combination) of a responsible entity's business or operational affairs, or both, to verify compliance with PHS Act requirements.

(b) General. If, based on the information described in §150.303, CMS finds evidence that a specific entity may be in violation of a HIPAA requirement, CMS may initiate a market conduct examination to determine whether the entity is out of compliance. CMS may conduct the examinations either at the site of the issuer or other responsible entity or a site CMS selects. When CMS selects a site, it may direct the issuer or other responsible entity to forward any documentation CMS considers relevant for purposes of the examination to that site.

(c) Appointment of examiners. When CMS identifies an issue that warrants investigation, CMS will appoint one or more examiners to perform the examination and instruct them as to the scope of the examination.

(d) Appointment of professionals and specialists. When conducting an examination under this part, CMS may retain attorneys, independent actuaries, independent market conduct examiners, or other professionals and specialists as examiners.

(e) Report of market conduct examination—(1) CMS review. When CMS receives a report, it will review the report, together with the examination work papers and any other relevant information, and prepare a final report. The final examination report will be provided to the issuer or other responsible entity.

(2) Response from issuer or other responsible entity. With respect to each examination issue identified in the report, the issuer or other responsible entity may:

(i) Concur with CMS's position(s) as outlined in the report, explaining the plan of correction to be implemented.

(ii) Dispute CMS's position(s), clearly outlining the basis for its dispute and submitting illustrative examples where appropriate.

(3) CMS's reply to a response from an issuer or other responsible entity. Upon receipt of a response from the issuer or other responsible entity, CMS will provide a letter containing its reply to each examination issue. CMS's reply will consist of one of the following:

(i) Concurrence with the issuer's or non-Federal governmental plan's position.

(ii) Approval of the issuer's or non-Federal governmental plan's proposed plan of correction.

(iii) Conditional approval of the issuer's or non-Federal governmental plan's proposed plan of correction, which will include any modifications CMS requires.

(iv) Notice to the issuer or non-Federal governmental plan that there exists a potential violation of PHS Act requirements.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.315   Amount of penalty—General.

A civil money penalty for each violation of 42 U.S.C. 300gg et seq. may not exceed $100 as adjusted annually under 45 CFR part 102 for each day, for each responsible entity, for each individual affected by the violation. Penalties imposed under this part are in addition to any other penalties prescribed or allowed by law.

[64 FR 45795, Aug. 20, 1999, as amended at 81 FR 61581, Sept. 6, 2016]

§150.317   Factors CMS uses to determine the amount of penalty.

In determining the amount of any penalty, CMS takes into account the following:

(a) The entity's previous record of compliance. This may include any of the following:

(1) Any history of prior violations by the responsible entity, including whether, at any time before determination of the current violation or violations, CMS or any State found the responsible entity liable for civil or administrative sanctions in connection with a violation of PHS Act requirements.

(2) Documentation that the responsible entity has submitted its policy forms to CMS for compliance review.

(3) Evidence that the responsible entity has never had a complaint for noncompliance with PHS Act requirements filed with a State or CMS.

(4) Such other factors as justice may require.

(b) The gravity of the violation. This may include any of the following:

(1) The frequency of the violation, taking into consideration whether any violation is an isolated occurrence, represents a pattern, or is widespread.

(2) The level of financial and other impacts on affected individuals.

(3) Other factors as justice may require.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.319   Determining the amount of the penalty—mitigating circumstances.

For every violation subject to a civil money penalty, if there are substantial or several mitigating circumstances, the aggregate amount of the penalty is set at an amount sufficiently below the maximum permitted by §150.315 to reflect that fact. As guidelines for taking into account the factors listed in §150.317, CMS considers the following:

(a) Record of prior compliance. It should be considered a mitigating circumstance if the responsible entity has done any of the following:

(1) Before receipt of the notice issued under §150.307, implemented and followed a compliance plan as described in §150.311(f).

(2) Had no previous complaints against it for noncompliance.

(b) Gravity of the violation(s). It should be considered a mitigating circumstance if the responsible entity has done any of the following:

(1) Made adjustments to its business practices to come into compliance with PHS Act requirements so that the following occur:

(i) All employers, employees, individuals and non-Federal governmental entities are identified that are or were issued any policy, certificate of insurance or plan document, or any form used in connection therewith that failed to comply.

(ii) All employers, employees, individuals, and non-Federal governmental plans are identified that were denied coverage or were denied a right provided under PHS Act requirements.

(iii) Each employer, employee, individual, or non-Federal governmental plan adversely affected by the violation has been, for example, offered coverage or provided a certificate of creditable coverage in a manner that complies with PHS Act requirements that were violated so that, to the extent practicable, that employer, employee, individual, or non-Federal governmental entity is in the same position that he, she, or it would have been in had the violation not occurred.

(iv) The adjustments are completed in a timely manner.

(2) Discovered areas of noncompliance without notice from CMS and voluntarily reported that noncompliance, provided that the responsible entity submits the following:

(i) Documentation verifying that the rights and protections of all individuals adversely affected by the noncompliance have been restored; and

(ii) A plan of correction to prevent future similar violations.

(3) Demonstrated that the violation is an isolated occurrence.

(4) Demonstrated that the financial and other impacts on affected individuals is negligible or nonexistent.

(5) Demonstrated that the noncompliance is correctable and that a high percentage of the violations were corrected.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.321   Determining the amount of penalty—aggravating circumstances.

For every violation subject to a civil money penalty, if there are substantial or several aggravating circumstances, CMS sets the aggregate amount of the penalty at an amount sufficiently close to or at the maximum permitted by §150.315 to reflect that fact. CMS considers the following circumstances to be aggravating circumstances:

(a) The frequency of violation indicates a pattern of widespread occurrence.

(b) The violation(s) resulted in significant financial and other impacts on the average affected individual.

(c) The entity does not provide documentation showing that substantially all of the violations were corrected.

§150.323   Determining the amount of penalty—other matters as justice may require.

CMS may take into account other circumstances of an aggravating or mitigating nature if, in the interests of justice, they require either a reduction or an increase of the penalty in order to assure the achievement of the purposes of this part, and if those circumstances relate to the entity's previous record of compliance or the gravity of the violation.

§150.325   Settlement authority.

Nothing in §§150.315 through 150.323 limits the authority of CMS to settle any issue or case described in the notice furnished in accordance with §150.307 or to compromise on any penalty provided for in §§150.315 through 150.323.

§150.341   Limitations on penalties.

(a) Circumstances under which a civil money penalty is not imposed. CMS does not impose any civil money penalty on any failure for the period of time during which none of the responsible entities knew, or exercising reasonable diligence would have known, of the failure. CMS also does not impose a civil money penalty for the period of time after any of the responsible entities knew, or exercising reasonable diligence would have known of the failure, if the failure was due to reasonable cause and not due to willful neglect and the failure was corrected within 30 days of the first day that any of the entities against whom the penalty would be imposed knew, or exercising reasonable diligence would have known, that the failure existed.

(b) Burden of establishing knowledge. The burden is on the responsible entity or entities to establish to CMS's satisfaction that no responsible entity knew, or exercising reasonable diligence would have known, that the failure existed.

§150.343   Notice of proposed penalty.

If CMS proposes to assess a penalty in accordance with this part, it delivers to the responsible entity, or sends to that entity by certified mail, return receipt requested, written notice of its intent to assess a penalty. The notice includes the following:

(a) A description of the PHS Act requirements that CMS has determined that the responsible entity violated.

(b) A description of any complaint or other information upon which CMS based its determination, including the basis for determining the number of affected individuals and the number of days for which the violations occurred.

(c) The amount of the proposed penalty as of the date of the notice.

(d) Any circumstances described in §§150.317 through 150.323 that were considered when determining the amount of the proposed penalty.

(e) A specific statement of the responsible entity's right to a hearing.

(f) A statement that failure to request a hearing within 30 days permits the assessment of the proposed penalty without right of appeal in accordance with §150.347.

[64 FR 45795, Aug. 20, 1999, as amended at 78 FR 13440, Feb. 27, 2013]

§150.345   Appeal of proposed penalty.

Any entity against which CMS has assessed a penalty may appeal that penalty in accordance with §150.401 et seq.

§150.347   Failure to request a hearing.

If the responsible entity does not request a hearing within 30 days of the issuance of the notice described in §150.343, CMS may assess the proposed civil money penalty, a less severe penalty, or a more severe penalty. CMS notifies the responsible entity in writing of any penalty that has been assessed and of the means by which the responsible entity may satisfy the judgment. The responsible entity has no right to appeal a penalty with respect to which it has not requested a hearing in accordance with §150.405 unless the responsible entity can show good cause, as determined under §150.405(b), for failing to timely exercise its right to a hearing.

Need assistance?