150.305—Determination of entity liable for civil money penalty.
If a failure to comply is established under this Part, the responsible entity, as determined under this section, is liable for any civil money penalty imposed.
(a) Health insurance issuer is responsible entity—
(1) Group health insurance policy.
To the extent a group health insurance policy issued, sold, renewed, or offered to a private plan sponsor or a non-Federal governmental plan sponsor is subject to applicable HIPAA requirements, a health insurance issuer is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraphs (b) or (c) of this section, if the policy itself or the manner in which the policy is marketed or administered fails to comply with an applicable HIPAA requirement.
(2) Individual health insurance policy.
To the extent an individual health insurance policy is subject to an applicable HIPAA requirement, a health insurance issuer is subject to a civil money penalty if the policy itself, or the manner in which the policy is marketed or administered, violates any applicable HIPAA requirement.
(b) Non-Federal governmental plan is responsible entity—
(1) Basic rule.
If a non-Federal governmental plan is sponsored by two or more employers and fails to comply with an applicable HIPAA requirement, the plan is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraph (a) of this section. The plan is the responsible entity irrespective of whether the plan is administered by a health insurance issuer, an employer sponsoring the plan, or a third-party administrator.
(2) Exception.
In the case of a non-Federal governmental plan that is not provided through health insurance coverage, this paragraph (b) does not apply to the extent that the non-Federal governmental employers have elected under § 146.180 to exempt the plan from applicable HIPAA requirements.
(c) Employer is responsible entity—
(1) Basic rule.
If a non-Federal governmental plan is sponsored by a single employer and fails to comply with an applicable HIPAA requirement, the employer is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraph (a) of this section. The employer is the responsible entity irrespective of whether the plan is administered by a health insurance issuer, the employer, or a third-party administrator.
(2) Exception.
In the case of a non-Federal governmental plan that is not provided through health insurance coverage, this paragraph (c) does not apply to the extent the non-Federal governmental employer has elected under § 146.180 to exempt the plan from applicable HIPAA requirements.
(d) Actions or inactions of agent.
A principal is liable for penalties assessed for the actions or inactions of its agent.