Compliance in Motion – March 2026

Mar 5, 2026

Federal PBM Reforms Are Here

Federal changes are coming for group health plans with respect to their contracts with Pharmacy Benefit Managers (PBMs). Following are three recent developments:

  • A proposed rule requiring self-insured ERISA plans of all sizes, for plan years on or after July 1, 2026, to secure and evaluate:
    • PBM compensation disclosures with estimates of all non-transparent compensation before a contract or agreement begins each year, and
    • A semiannual explanation for any overages of 5% or more.
  • A new law effective for plan years on or after August 3, 2028, requiring:
    • Detailed PBM reporting for all large group health plans (100+),
    • New PBM notices and summaries for health plans of all sizes, and
    • Pass-through of all non-transparent PBM compensation in all size ERISA contracts.
  • A Federal Trade Commission (FTC) settlement in which the large PBM, Express Scripts, agreed to implement a number of business changes that impact employer group health plans.

Who This Applies To

All employers sponsoring prescription drug coverage will experience an impact in some way, directly or indirectly, including a new employee notice requirement coming in late 2028. ERISA plans have fiduciary obligations to ensure PBM compensation disclosures and summaries are provided and evaluated. Governmental, tribal, or church plans are exempt from ERISA but are subject to some of the reporting and disclosure requirements imposed by the new law.

Penalties for Non-Compliance

For changes to ERISA plans, fiduciaries have an obligation to review compensation and contracts for reasonableness to avoid engaging in a prohibited transaction. The new law’s notice requirement, going into effect in late 2028 for employers of all sizes regardless of ERISA status, imposes a $10,000 per day penalty for failing to provide the required notice.

Practical Impact to Employers

The intent of these changes is to provide employers greater transparency into their PBM contracts and compensation. Employers should begin establishing procedures for how these disclosures will be evaluated by the plan’s fiduciaries for reasonableness and potential conflicts of interest. The new notice requirement can be part of the standard notices employers routinely provide, but it includes one of the largest penalties seen thus far for failing to provide a specific notice.

Updated Model HIPAA Notice of Privacy Practices Now Available

On February 13, the Department of Health and Human Services (HHS) published a revised model HIPAA Notice of Privacy Practices (NPP) that incorporates newly required language related to Substance Use Disorder (SUD) records under 42 CFR Part 2. This update reflects the alignment of Part 2 with HIPAA as required by the CARES Act and introduces new patient rights and redisclosure limitations related to certain SUD records that must appear in compliant NPPs as of February 16, 2026.

Under HIPAA rules, Covered Entities have 60 days from the date of any material change to their NPP to distribute the updated notice to plan participants. For example, a plan adopting the new HHS language on February 16, 2026, must distribute the updated notice to participants on or before April 16, 2026.

Who This Applies To

Employers sponsoring:

  • Fully insured medical, dental, or vision plans that include claims analytics drill-down data feeds or other access to Protected Health Information (PHI).
  • Self-insured medical plans including level-funded plans, FSAs, HRAs, or ICHRAs.
  • Self-funded dental or vision plans.
  • Any carve-out or bolt-on benefit integrated with the employer’s medical plan (telemedicine, fertility, Rx carve-out, etc.).

Note: Only a self-insured, self-administered health plan with fewer than 50 eligible employees is exempt from HIPAA Privacy and Security rules and NPP requirements.

Model Employer CHIP Notice Updated

The Department of Labor updated the Model Employer Children’s Health Insurance Program (CHIP) Notice as of January 29, 2026.

Employers must provide the Employer CHIP Notice to employees eligible for the employer’s medical plan who reside in a state with a premium assistance subsidy, regardless of the employer’s location.

A model notice is available in English and Spanish and is updated twice annually to reflect changes in state contact information.

For the January 2026 update, Louisiana made changes to its website, email, phone, fax, and mailing address.

Employers sponsoring a group health plan should provide the CHIP notice with other health plan eligibility materials such as new hire materials and annual open enrollment communications.

Penalties for Non-Compliance

Employers who fail to provide the Employer CHIP Notice to employees in premium assistance states may face a penalty of up to $145 per person per day.

Practical Impact to Employers

Although the model notice may contain a distant expiration date, employers are strongly encouraged to use the most recent version to ensure employees have accurate contact information for state programs offering premium assistance.

RxDC Surveys Are Here — Respond Promptly

As in prior years, most carriers and TPAs, in partnership with PBMs, will submit the required RxDC reporting for their group health plan clients because they hold the detailed prescription drug claims data. However, carriers and TPAs do not know how much employees paid versus how much the employer paid for the previous calendar year’s health coverage. Therefore, they must request that information from employers each year.

Employers should watch for the questionnaire and respond promptly to meet the carrier or TPA deadline.

Who This Applies To

All employers sponsoring a group medical plan and prescription drug benefit that is not an Individual Coverage Health Reimbursement Arrangement (ICHRA).

Employers must rely heavily on claims administrators to complete the reporting because those service providers hold the detailed claims data. Typically, carriers request key information from employers about three months before the June 1 annual deadline.

Carriers mainly need information on how much the employer paid versus how much participants (including COBRA participants) paid for the previous calendar year’s medical and prescription coverage.

Self-funded plans must report a “premium equivalent,” calculated as actual fixed costs plus claims.

Any missing data must be submitted either by the employer through the government’s HIOS system or through a third-party vendor.

Employers should prepare early for the June 1 deadline.

HHS Updates Penalties and 2027 Out-of-Pocket Limits

Each year, HHS publishes indexing for penalties and non-grandfathered out-of-pocket (OOP) maximums.

For 2026

  • HIPAA penalties increase to a range of $145 to $73,011 per violation, with a calendar-year cap of $2,190,294.
  • $1,443 per failure to provide a Summary of Benefits and Coverage (SBC).
  • $11,823 per failure to comply with Medicare Secondary Payer rules.

For 2027

  • Non-grandfathered in-network OOP limits increase to $12,000 per person and $24,000 per family (up from $10,600 / $21,200 in 2026).
  • ACA §4980H(a) employer mandate penalty increases to $3,780 annually ($315/month).
  • ACA §4980H(b) penalty increases to $5,670 annually ($472.50/month).

Who This Applies To

Employers of all sizes may be subject to penalties related to HIPAA, SBC, MSP, and OOP requirements.
Applicable Large Employers (50+ full-time or equivalent employees) are subject to §4980H penalties.

Federal Benefits Enforcement Priorities for 2026

The Employee Benefits Security Administration (EBSA), a division of the Department of Labor, publishes enforcement priorities each year. While retirement plans remain the primary focus, additional priorities include cybersecurity, mental health parity, and surprise billing.

Key Focus Areas

Cybersecurity
Electronic transactions and communications in benefits administration continue to grow. System hardening is a major theme for 2026.

Mental Health and Substance Use Disorder Parity
Regulators continue monitoring barriers to in-network mental health care and determinations of medical necessity.

Surprise Billing
Millions of disputes enter the Independent Dispute Resolution system, with roughly 80% resolving in favor of healthcare providers rather than health plans.

Abusive MEWAs

Regulators are also focusing on abusive Multiple Employer Welfare Arrangements (MEWAs). These arrangements sometimes operate without proper regulatory oversight, which can lead to fraud, mismanagement, or insolvency.

Practical Impact to Employers

Compliance with federal and state benefits laws is critical. Enforcement priorities signal where regulators will focus investigations, audits, and enforcement efforts.