CFR > Title 45 - Public Welfare > SUBTITLE A—DEPARTMENT OF HEALTH AND HUMAN SERVICES > SUBCHAPTER B—REQUIREMENTS RELATING TO HEALTH CARE ACCESS (parts 140 to 159) > PART 150—CMS ENFORCEMENT IN GROUP AND INDIVIDUAL INSURANCE MARKETS > SUBPART C—CMS Enforcement With Respect to Issuers and Non-Federal Governmental Plans—Civil Money Penalties (§150.301 to §150.347) > 150.317—Factors CMS uses to determine the amount of penalty.

150.317—Factors CMS uses to determine the amount of penalty.

In determining the amount of any penalty, CMS takes into account the following:
(a) The entity's previous record of compliance. This may include any of the following:
(1) Any history of prior violations by the responsible entity, including whether, at any time before determination of the current violation or violations, CMS or any State found the responsible entity liable for civil or administrative sanctions in connection with a violation of HIPAA requirements.
(2) Documentation that the responsible entity has submitted its policy forms to CMS for compliance review.
(3) Evidence that the responsible entity has never had a complaint for noncompliance with HIPAA requirements filed with a State or CMS.
(4) Such other factors as justice may require.
(b) The gravity of the violation. This may include any of the following:
(1) The frequency of the violation, taking into consideration whether any violation is an isolated occurrence, represents a pattern, or is widespread.
(2) The level of financial and other impacts on affected individuals.
(3) Other factors as justice may require.