First Quarter Benefit News Highlights
This quarter’s benefits news highlights key compliance and administration issues that employers should keep on their radar, from updated HIPAA requirements and new privacy notice guidance to rising ACA cost limits and increased enforcement activity. We’re also tracking important litigation trends and reporting reminders that could affect plan administration in the months ahead. Read on for timely updates to help you stay informed and prepared.
1. New HIPAA Rule Modernizes Claims Processing
This final rule establishes the first nationwide HIPAA standards for electronically exchanging health care claims attachments such as medical records and clinical data and requires the use of secure electronic signatures for those transactions. It replaces outdated manual processes like faxing and mailing with standardized electronic systems, improving efficiency, speeding claims processing, and enhancing data security across providers and insurers. Overall, the rule modernizes administrative workflows in healthcare and is projected to save the industry roughly $780 million annually while reducing burden and improving care delivery. Compliance, which will be handled primarily by carriers and TPAs on behalf of group health plans, is required by May 26, 2028. Read more here.
2. Changes to USPS Postmark Rules May Impact Benefit Administration
It’s not often that postal rules affect employee benefits, but a recent change by the U.S. Postal Service (USPS) could impact certain benefit functions, particularly COBRA. Under the new USPS rules, the postmark reflects the date mail first undergoes automated processing, not necessarily the date it was dropped in the mail. Depending on location and processing timelines, this could occur one or more days after USPS receives the letter.
Many benefit deadlines rely on the “mailbox rule,” which treats a document as delivered on the postmark date. That date determines whether submissions such as COBRA elections or premium payments are timely. For example, if a COBRA premium grace period ends March 30 and a participant mails payment that day, they may believe the payment is timely. But if USPS does not process the mail until April 1 or 2, the postmark will reflect that later date. Under the mailbox rule, the payment could be considered late, allowing the employer to terminate coverage for nonpayment. Because many participants mail COBRA forms or payments close to the deadline, this change could increase disputes where participants claim they mailed items on time, but the postmark shows otherwise. It remains to be seen whether courts will adjust the mailbox rule in response. In the meantime, employers may need to decide whether to continue relying strictly on the postmark or to adopt a more flexible approach.
3. ERISA Fiduciary Litigation Update
Recent ERISA litigation developments continue to highlight the growing scrutiny on employer health plan fiduciary practices, particularly related to prescription drug pricing and pharmacy benefit manager (PBM) oversight.
In Navarro v. Wells Fargo, a federal court dismissed claims alleging the company breached fiduciary duties by allowing excessive prescription drug pricing in its health plan. The court found plaintiffs lacked Article III standing because they failed to demonstrate a concrete financial injury. Conversely, Stern v. JPMorgan Chase will move forward after a court allowed claims alleging fiduciaries failed to prudently monitor PBM arrangements and allowed participants to pay inflated prices for generic drugs. Separately, new claims have been filed, reflecting an emerging trend in litigation that is expanding beyond plan sponsors to include benefits consultants and advisors. These cases reinforce the importance for plan fiduciaries to maintain strong governance, actively monitor vendors, and document efforts to meet ERISA’s duties of prudence and loyalty.
4. Updated RxDC Instructions
CMS released updated instructions for prescription drug reporting (RxDC reporting) in late February. The instructions don’t include any substantive changes. The latest instructions and templates can be found here.
Annual RxDC reporting is required by June 1 of each year. Reporting for 2025 data is due June 1, 2026. The reporting consists of a plan file (P2), eight data files (D1 – D8) and accompanying narratives. Most employer-sponsored health plans rely heavily on their carriers, TPAs, and PBMs to provide the data necessary, and in many cases, to submit the reporting to CMS on behalf of employer group health plans. To complete the reporting, carriers or TPAs may have reached out to employers asking for information about premium splits (employer and employee contributions) as well as other data required for the D1 file. Once this information is provided, the carrier, TPA, and/or PBM may handle the entirety of a group health plan’s RxDC reporting. However, for employers who fail to timely respond with the requested data, or if the carrier/TPA is unwilling to help with the D1 file, the employer may have to submit a P2 and D1 file on their own. If assistance is needed with the P2 and D1 files, see Lumelight's solution here.
5. Updated Model Notice of Privacy Practices
The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and the privacy practices of health plans and health care providers. As of February 16, 2026, these HIPAA covered entities are required to include information about specific restrictions on the use and disclosure of substance use disorder (SUD) patient records in their notice of privacy practices (NPP). The new model notice incorporating these changes was released by Health and Human Services (HHS) on February 13, 2026. Plan sponsors of self-funded group health plans should use an updated NPP for all future distributions. Insurance carriers will typically handle distribution of the NPP for fully-insured plans. Read more here.
6. 2027 ACA OOP Maximums
The following are the 2027 maximum out-of-pocket (OOP) limits that may be used for non-grandfathered group health plans under ACA rules. For 2027, the maximum OOP for self-only coverage is $12,000 (currently $10,150 for 2026) and the maximum OOP for family coverage is $24,000 (currently $20,300 for 2026). The guidance can be found here.
7. Updated HIPAA, MSP and SBC Penalties for Non-Compliance
The Department of Health & Human Services (HHS) announced updated penalty amounts for HIPAA, MSP, and SBC violations. The updated penalties can be found here.
- For HIPAA privacy and security non-compliance, the updated penalties range from $145 for lack of knowledge to $2,190,294 for willful neglect.
- For non-compliance with Medicare Secondary Payer (MSP) rules, including taking into account Medicare eligibility or incenting individuals to waive the employer’s plan in favor of Medicare, the updated penalty is $11,823.
- For failure to timely distribute a current summary of benefits & coverage (SBC), the updated penalty is $1,443.
8. EBSA 2026 Enforcement Priorities
The U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) announced its national enforcement priorities for fiscal year 2026, focusing on issues that pose the greatest risk to plan participants and beneficiaries. Specific to health and welfare benefit plans, investigations will prioritize cybersecurity, access to mental health and substance use disorder benefits, surprise medical billing, and handling of employee contributions. EBSA also signaled a continued commitment to addressing abusive Multiple Employer Welfare Arrangements (MEWAs). Read more here.
9. Increased State-Level Mental Health Parity Enforcement
States are increasingly enforcing mental health parity laws and issuing record fines against health insurers for failing to provide mental health and substance use disorder coverage on par with medical/surgical benefits. Regulators have penalized plans like Kaiser Foundation Health Plan of Washington for not supplying adequate documentation or compliance evidence such as a non-quantitative treatment limitation (NQTL) comparative analysis, signaling tougher scrutiny of insurer practices under parity requirements. These actions reflect a broader state-level crackdown to hold insurers accountable for adhering to both state and federal mental health parity standards, aiming to improve access and equity in mental and behavioral health care. For employers offering self-funded health plans, this serves as a reminder that compliance with the Mental Health Parity and Addiction Equity Act (MHPAEA) requires a completed NQTL comparative analysis that must be maintained and made available upon request. See Lumelight’s solutions here.
10. Updated HRSA Preventive Coverage Guidelines
Non-grandfathered group health plans must cover preventive services included in the updated HRSA-supported Women’s Preventive Services Guidelines without cost-sharing under the ACA. The cervical cancer screening guideline has been revised for plan years beginning in 2027 to reflect current evidence-based recommendations for average-risk women aged 30–65. The guideline retains existing options (Pap tests, co-testing, and primary high-risk HPV testing every five years) and adds a recommendation that patient-collected (self-collected) hrHPV testing should also be covered. It also explicitly states that when additional testing (e.g., cytology, biopsy, extended genotyping) is clinically indicated to complete the screening process, those services are part of the cervical cancer screening guideline and must be covered accordingly. Read more here.
11. OCR Cybersecurity Newsletter
OCR (the Office for Civil Rights), a division of HHS (Health & Human Services), released a newsletter further clarifying its focus on cybersecurity of PHI (protected health information). The newsletter underscores that system hardening is a core HIPAA compliance obligation, not merely a best practice. “System hardening” is the process of customizing electronic information systems to reduce the number of weaknesses and vulnerabilities that an attacker can exploit. OCR identifies three methods covered entities and business associates are expected to undertake in the process of system hardening:
- Regularly patching known vulnerabilities
- Removing or disabling unnecessary software and services
- Properly enabling and configuring security controls
OCR’s expectation is that covered entities and business associates engage in regular review, documentation, monitoring and remediation. Read the newsletter here.
12. Marketplace Premium Tax Credits
Since Congress did not pass legislation before the end of 2025 to extend the enhanced premium tax credits, many individuals will face higher Marketplace premiums in 2026. Importantly, a change in the cost of individual health coverage does not trigger a HIPAA special enrollment event. As a result, group health plans are not required to allow mid-year enrollment, meaning affected individuals generally cannot move to an employer’s plan until the next open enrollment period, unless the employer and carrier (or stop-loss vendor) choose to permit a more generous special enrollment opportunity.
In addition, federal agencies issued updated FAQs addressing premium tax credits. The guidance clarifies that repayment caps have been removed, which may significantly increase tax liability for individuals who receive excess premium tax credits. This can occur, for example, if an individual is ineligible due to the availability of employer-sponsored coverage or fails to provide accurate or updated household income information when enrolling in Marketplace coverage. The updated FAQs can be found here.
If you have questions, please contact your North Risk Partners Risk Advisor. Don’t have an advisor? No problem. We’ll help you find one.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.