February 2026

• Updated HIPAA Notice of Privacy Practices Required in 2026
• Nondiscrimination Testing: Why Early Testing Makes Sense
• DOL Proposes Additional PBM Transparency Rules
• New Childhood Vaccination Guidelines and Employer Impact
• Part D Creditable Coverage Disclosure Due to CMS
• Updated Civil Penalties for Employers Sponsoring Group Health Plans
• New Jersey Expands Paid Family Leave
• New Lawsuits Put Voluntary Benefits under the Fiduciary Microscope
• Question of the Month

Updated HIPAA Notice of Privacy Practices Required in 2026
Employers that sponsor self-funded group health plans should prepare for upcoming changes to the HIPAA Notice of Privacy Practices (NPP). Federal privacy rules require group health plans to provide plan participants with an NPP explaining how their protected health information (PHI) is used, disclosed, and safeguarded. HIPAA requires covered entities to distribute an NPP to individuals when coverage begins and to periodically remind participants of its availability. Recent regulatory changes related to substance use disorder (SUD) records require many covered entities that create, receive, maintain, or transmit SUD treatment records to update this notice by February 16, 2026.

Under HIPAA, the NPP must be written in clear, easy-to-understand language and must explain:

• When PHI can be used or disclosed without authorization
• When participant consent is required
• What privacy rights individuals have
• How those rights can be exercised
• How to contact the plan with questions or complaints

The need to update the NPP arises from expanded privacy protections under 42 CFR Part 2 (Part 2), which applies to certain entities that create or maintain SUD treatment records. These rules impose stricter standards than HIPAA in many cases and limit how SUD information may be used, disclosed, or relied upon in legal and administrative proceedings. Although the Department of Health and Human Services (HHS) has not released a standardized model notice specifically for these changes, employers are still required to meet the February 16, 2026, compliance date under the applicable regulations and available guidance.

The updated notice must clearly explain the enhanced confidentiality protections that apply to SUD records, including that these records generally cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings without specific authorization or a court order. The notice must also clarify that when both HIPAA and Part 2 apply to SUD records, covered entities must comply with both sets of rules, and that the more protective Part 2 standards limit how those records may be used and disclosed.

In addition, for entities that use PHI for fundraising, the updated NPP must describe the individual’s right to opt out of fundraising communications, consistent with HIPAA’s fundraising rules as integrated with the new Part 2 framework.
Employer ConsiderationsEmployers should pay close attention to how and when the updated NPP is distributed. The revised notice must be provided to plan participants no later than February 16, 2026. Distribution may be made:

• Electronically (if federal electronic delivery and consent requirements are satisfied)
• By posting on a benefits website (with appropriate notification)
• Through hard-copy delivery, such as first-class mail

Fully insured plan sponsors can typically rely on their insurance carriers to fulfill this obligation, whereas self-funded plan sponsors are more likely to be responsible for distributing the notice.

Nondiscrimination Testing: Why Early Testing Makes Sense Nondiscrimination testing (NDT) is an annual IRS requirement to ensure that employee benefits do not overly favor highly compensated employees (HCEs) or key employees. Certain group health plans and tax-favored accounts may choose to run nondiscrimination testing early in the year so there is ample time to spot and fix failures before year‑end, protect the tax‑favored status of benefits, and avoid costly corrections after year-end.

Employer-sponsored plans subject to nondiscrimination rules include:

• Self-insured medical plans (IRC §105(h))

• Health flexible spending arrangements (FSAs)
• Cafeteria plans (IRC §125)
• Dependent Care Assistance Programs (DCAPs) (IRC §129)

Key reasons to test early:

• Early testing allows the employer to determine whether elections and participation patterns are likely to cause the plan to fail nondiscrimination when compliance is measured as of the last day of the plan year.
• If a preliminary test identifies concerns, the plan sponsor may still adjust plan design, employer contributions, or communication strategies to increase non‑HCE participation before the plan year closes.

• Once the plan year has ended, there is generally no practical way to remedy a nondiscrimination failure. At that point, employees may be required to include the discriminatory portion of benefits in taxable income, and the employer may need to issue corrected Forms W-2 and amend payroll tax filings.

Employer Consideration Running a “mock” or mid‑year test is considered a best practice because nondiscrimination rules are applied based on the facts and circumstances as of the last day of the plan year, making early testing a useful compliance forecast.

Early testing helps document a good‑faith compliance process in the event of an IRS audit by demonstrating that the employer actively monitored the plan and took reasonable steps to avoid favoring highly compensated or key employees.
DOL Proposes Additional PBM Transparency Rules. The U.S. Department of Labor (DOL) has finalized a new proposed rule under the Employee Retirement Income Security Act (ERISA) to better identify how pharmacy benefit managers (PBMs) and their affiliates are paid. The rule requires significantly more transparency about PBM fees and compensation so that plan fiduciaries can better understand costs, identify conflicts of interest, and determine whether PBM arrangements are reasonable under ERISA.

The final rule implements President Trump’s Executive Order 14273, Lowering Drug Prices by Once Again Putting Americans First, and is part of a broader administration effort to increase healthcare price transparency and address prescription drug costs.

Why This Matters to Employers: Prescription drugs account for a major and growing share of employer-sponsored healthcare spending. PBMs play a central role in managing pharmacy benefits—designing formularies, negotiating with drug manufacturers, setting up pharmacy networks, and processing claims. However, PBM compensation structures are often complex and difficult for employers to evaluate because PBMs may receive revenue not only from the health plan, but also from manufacturers, pharmacies, and other third parties.

The DOL believes that this lack of transparency makes it harder for plan fiduciaries to fulfill their ERISA duties and manage rising drug costs. The final rule is intended to give employers clearer insight into PBM compensation flows and stronger tools to oversee these arrangements.
BackgroundERISA generally prohibits transactions between a group health plan and certain “parties in interest,” including service providers. An important exception—ERISA section 408(b)(2)—allows these arrangements only if:

• The services are necessary
• The arrangement is reasonable
• No more than reasonable compensation is paid

Existing regulations already require fee disclosures for certain brokers and consultants serving group health plans. The new proposal builds on that framework but is specifically tailored to PBMs, recognizing the unique complexity of the pharmaceutical supply chain.
Key Requirements in the Proposed Rule: Who Is Covered?
The rule would apply to:

• PBMs providing services to self-insured group health plans
• PBM-affiliated brokers and consultants. These entities are referred to as “covered service providers,” even if services are performed through affiliates or subcontractors.

Initial Disclosures. Before entering, renewing, or extending a PBM contract, covered service providers would have to disclose:

• A description of the PBM services being provided
• All reasonably expected compensation, including amounts paid by the plan and payments from other sources, such as:
  • Drug manufacturer payments and rebates
  • Spread pricing
  • Pharmacy claw-backs
  • Price protection arrangements
  • Other direct or indirect compensation tied to the plan

Ongoing Disclosures: Twice a year, PBMs must report the same categories of compensation based on what was actually received, allowing employers to monitor arrangements over time—not just at contract signing.

Audit Rights: The proposal would require PBMs to allow plan fiduciaries to audit the disclosed information to confirm its accuracy.

Protection for Plan Fiduciaries

The DOL acknowledges that employers should not automatically be penalized if a PBM fails to meet its disclosure obligations. As a result, the proposal includes a new administrative exemption that could protect plan fiduciaries if they take appropriate steps to address the failure and notify the DOL if the PBM does not correct the issue.
Employer ConsiderationEmployers sponsoring self-insured plans can expect greater disclosure, enhanced oversight responsibilities, and new opportunities to assess whether PBM arrangements are truly reasonable and aligned with plan interests.

Employers will see expanded PBM fee transparency, the ability to evaluate PBM contracts, and the ability to manage prescription drug costs and meet their fiduciary obligations under ERISA.

New Childhood Vaccination Guidelines and Employer Impact. In early January 2026, the U.S. Department of Health and Human Services (HHS) and the Centers for Disease Control (CDC) released major updates to the childhood immunization schedule, marking one of the most significant changes in decades. While the science behind vaccination remains unchanged, the way certain vaccines are categorized and discussed has shifted, creating new considerations for employers and their health plans.

​The updated schedule reduces the number of vaccines that are universally recommended for all children from birth through age 18. Core vaccines—such as those for measles, mumps, rubella, polio, whooping cough, and chickenpox—remain universally recommended. Other vaccines, including influenza, COVID-19, hepatitis A and B, RSV, rotavirus, and some meningococcal vaccines, are now recommended based on either a child’s risk factors or shared clinical decision-making between families and healthcare providers.

Importantly, access has not changed. All recommended vaccines remain available and are generally covered at no cost under ACA-compliant health plans and federal programs like Medicaid and Vaccines for Children. Families should still work directly with pediatric providers to determine the appropriate vaccines for each child.

Employer Considerations For employers, these updates are less about changes in coverage and more about communication. Under the ACA, most group health plans must continue to cover CDC-recommended vaccines without cost-sharing. However, employees may be confused by the shift away from “universal” recommendations and may question whether certain vaccines are still covered.

To prepare, employers should

• Review plan documents

• Confirm carrier and TPA guidance
• Update benefits materials to clearly explain what has changed and what has not

Part D Creditable Coverage Disclosure. Employers and other group health plan sponsors must report to the Centers for Medicare & Medicaid Services (CMS) whether their prescription drug coverage is creditable for Medicare Part D purposes using the Online Disclosure to CMS Form, which is due on March 1 for calendar-year plans.

Plans that do not offer any prescription drug benefits to Medicare-eligible individuals as of the start of the plan year do not have to file, and plans covered under the Retiree Drug Subsidy for specific retirees are exempt from reporting for those retirees.
When completing the disclosure, refer to the instructions and be prepared to provide:

• Employer name, address, phone number, and EIN
• Plan year start and end dates, number of prescription drug options offered, and whether each option is creditable or non-creditable
• Estimated number of plan participants who are Medicare-eligible (sometimes broken out by active vs. retiree, if applicable)
• Date the required Notice of Creditable Coverage was provided to Medicare-eligible individuals
• Name, title, and email for the person submitting the disclosure

CMS requires the online disclosure to be submitted at specific times:

• Annually, no later than 60 days from the beginning of each plan year (for calendar-year plans, this date generally aligns with March 1)
• Within 30 days after termination of a prescription drug plan
• Within 30 days after any change in the plan’s creditable coverage status

After submitting, CMS provides on-screen confirmation. Plan sponsors are encouraged to print or save a screenshot or PDF of this confirmation for their records.
Penalties

CMS has not established a monetary penalty tied to late or missed CMS online disclosure filings by group health plans. However, employers are still legally required to complete the disclosure within the required timeframes, so failure to file could be cited in an audit or diligence review.

Employer Considerations: The disclosure and individual creditable coverage notices help Medicare‑eligible employees determine whether they can safely delay enrolling in Part D without incurring a personal late enrollment penalty. If an employee lacks clear notice, delays enrolling in Medicare Part D, and goes more than 63 consecutive days without creditable coverage, the employee is subject to a permanent late enrollment penalty. While the penalty is imposed on the employee, not the employer, failure to provide notice can lead to employee disputes and complaints.

Updated Civil Penalties for Employers Sponsoring Group Health Plans. The Department of Health and Human Services (HHS) has announced updated civil monetary penalties for violations of HIPAA Administrative Simplification, Medicare Secondary Payer (MSP) requirements, and Summary of Benefits and Coverage (SBC) provisions, effective January 28, 2026.

Key UpdatesHIPAA Administrative Simplification

HIPAA Administrative Simplification encompasses standards for privacy, security, breach notification, and electronic health care transactions. Penalties for violations are categorized into four tiers based on culpability.
 
Minimum Penalty

The maximum penalty for the first three tiers is $73,011 (up from $71,162), and the calendar-year cap is $2,190,194 (up from $2,134,831).

For the fourth tier (willful neglect), the maximum penalty and calendar-year cap are $2,190,294 (up from $2,134,831).
Medicare Secondary Payer (MSP)

Penalties for employers offering incentives to Medicare-eligible individuals not to enroll in an employer-sponsored health plan, and failure to report primary plan situations both rose.

• Offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary: $11,823 (up from $11,524).
• Failure of responsible reporting entities to provide information identifying situations where the group health plan is primary: $1,512 (up from $1,474).

Summary of Benefits and Coverage (SBC)
An SBC is a consumer-facing, ACA-required, standardized document that outlines a health plan’s costs, benefits, covered services, and limitations. It must be provided to plan participants and beneficiaries before enrollment or re-enrollment.

• The penalty for willful failure to provide SBCs increased to $1,443 (up from $1,406) for each failure.

 
New Jersey Expands Paid Family LeaveNew Jersey has significantly expanded its paid and job-protected family leave laws, broadening coverage for both employers and employees. Signed into law on January 17, 2026, and effective July 17, 2026, the New Jersey Family Leave Act (NJFLA) will apply to employers with 15 or more employees, a reduction from the prior 30‑employee threshold.

Employee eligibility has also expanded, as workers will qualify for job-protected leave after three months of employment and 250 hours worked, rather than the previous 12 months and 1,000 hours.

Eligible employees may take up to 12 weeks of job-protected leave in a 24-month period to bond with a new child or to care for a family member with a serious health condition, with the right to reinstatement to the same or an equivalent position upon return.

Employer ConsiderationsThese expansions mean that more employees will qualify for protected leave sooner and at smaller employer sizes. Employers should:

• Check employee count
• Update leave policies and employee handbooks
• Adjust administrative processes to ensure
  • Proper coordination of leave benefits
  • Access to leave requests
  • Anti-retaliation rules are in place
  • Tracking mechanisms are effective
  • Managers and supervisors understand the change

New Lawsuits Put Voluntary Benefits Under the Fiduciary Microscope. As the new year begins, employers are facing heightened legal scrutiny around voluntary benefit programs. Schlichter Bogard LLC, a firm well known for aggressive litigation involving retirement plans and, more recently, health and welfare plans, filed a series of class action lawsuits targeting how employers oversee voluntary benefits such as accident, critical illness, and hospital indemnity plans.

These lawsuits allege that employers, plan fiduciaries, and benefits brokers failed to meet their fiduciary responsibilities, resulting in millions of dollars in losses to plan participants.

Why Voluntary Benefits Are Now a Legal Hot Spot
Voluntary benefits are commonly offered at no direct cost to employers, with employees typically paying 100% of the premiums. Many of these arrangements are intended to fall outside of ERISA under a regulatory “voluntary plan” exception. However, that exception is narrow and technical. If even one requirement is missed, the plan may be treated as an ERISA plan—bringing with it full fiduciary obligations and enforcement risk.
For this reason, voluntary benefits can quietly expose employers to significant compliance and litigation risk if they are not carefully structured and monitored.

Fiduciary Duties and Prohibited Transactions Under ERISA
Under ERISA, anyone who exercises discretion over plan management, administration, or assets can be considered a fiduciary. Fiduciaries must act solely in the interest of plan participants, ensure expenses are reasonable, and follow a prudent, well-documented decision-making process.
ERISA also prohibits certain transactions, including:

• Providing services between a plan and a “party in interest” (such as an employer, broker, or consultant)
• Transferring plan assets to a party in interest
• Fiduciary self-dealing

Some of these transactions can be permitted, but only if strict conditions are met—most notably that compensation is reasonable, and the arrangement is defensible.

What the Lawsuits Allege
The lawsuits were filed against four large employers—Laboratory Corporation of America Holdings, United Airlines, CHS/Community Health Systems, and Allied Universal—along with their benefits brokers, including Willis Towers Watson, Mercer, Gallagher, and Lockton.
Although the cases involve different companies, the allegations are nearly identical. The claims assert that:

• The voluntary benefit programs should be treated as ERISA plans
• Both employers and brokers functioned as plan fiduciaries
• Fiduciaries failed to properly oversee carrier selection, premiums, commissions, and loss ratios
• There was no meaningful fiduciary process, such as competitive bidding, benchmarking, or leveraging plan size to control costs
• Employers and brokers engaged in prohibited transactions and knowingly participated in each other’s violations

The lawsuits seek personal liability for fiduciaries, recovery of alleged plan losses, disgorgement of profits, and removal of fiduciaries accused of breaching their duties.

​Employer Action Items: Given the increased focus on health and welfare fiduciary oversight, employers sponsoring group and voluntary benefits may want to proactively strengthen their governance. Key risk-reduction steps include:

• Establishing a formal fiduciary committee for health and welfare benefits, supported by a written charter
• Re-evaluating whether voluntary benefits truly meet the requirements for ERISA exemption
• Carefully reviewing and negotiating broker, consultant, and administrative service agreements
• Requesting and reviewing detailed fee and compensation disclosures from service providers
• Assessing whether compensation is reasonable and avoids potential conflicts of interest
• Confirming accurate reporting of compensation on Form 5500 filings
• Periodically issuing requests for proposals for insurers, third-party administrators, pharmacy benefit managers, and service providers
• Benchmarking premiums, fees, and vendor performance on a regular basis
• Thoroughly documenting fiduciary processes, decisions, and oversight activities to demonstrate procedural prudence

Question of the Month: Qualified Life Event Due to Loss of ACA SubsidyQ. If an employee loses ACA subsidies and premiums increase significantly as a result, would that be considered a qualifying life event that would allow them to drop coverage mid-year?
A. Unfortunately, this is a very common question this year. Increased costs on the Marketplace due to the loss of ACA subsidies are not a qualifying life event entitling an employee to enroll in his or her employer’s plan mid-year. The employee will need to wait until open enrollment (or a different qualifying life event).