Hausmann Group | March 10, 2026

Federal Compliance Updates: What Employers Need to Know

1. Major Federal PBM Reforms

New rules and laws are reshaping how employers work with pharmacy benefit managers (PBMs). Three major developments:

A. Proposed Rule (Effective for plan years starting July 1, 2026)

Self-insured ERISA plans must:

  • Obtain and review PBM compensation disclosures each year before signing or renewing a contract.
  • Receive a semiannual explanation if PBM compensation is 5% or more above the original estimate.

B. New Federal Law (Effective for plan years starting August 3, 2028)

All group health plans will see changes. Requirements include:

  • PBM reporting for large plans (100+ employees)
  • New PBM notices and summaries for all plans
  • Passthrough of all non-transparent PBM compensation in ERISA plans

C. FTC Enforcement

The FTC reached a settlement with Express Scripts requiring business practice changes that affect employer plans. The FTC has similar cases underway involving Caremark Rx and OptumRx.

What this means for employers:

  • Every employer offering Rx coverage will be affected.
  • ERISA plans must review PBM disclosures as part of their fiduciary duties.
  • A new employee notice begins in late 2028, with a $10,000/day penalty for failure to provide it.
  • Start preparing internal procedures now to review PBM compensation for reasonableness and conflicts of interest.

2. Updated HIPAA Notice of Privacy Practices

What’s New: HHS has released an updated Model HIPAA Notice of Privacy Practices (NPP). This update adds new required language related to Substance Use Disorder (SUD) treatment information, which is protected under special federal privacy rules known as Part 2. These rules are now being aligned with HIPAA, and all health plans must update their NPPs to reflect these changes.

Who This Applies To:

    • Self-insured medical plans, including level-funded plans, FSAs, HRAs, and ICHRAs
    • Self-funded dental or vision plans
    • Fully insured plans where you have access to PHI (e.g., detailed claims reporting)
    • Any "bolt-on" or carve-out programs that aren't fully insured, such as telemedicine, fertility benefits, or Rx carve-outs

Exception: If you only offer fully insured medical/dental/vision and have no hands-on access to PHI, your insurance carrier is responsible for the NPP update.

What You May Need to Do:

    • Ensure timely distribution to all benefit-eligible individuals, including employees on leave, COBRA participants, and any alternate recipients, within 60 days after the February 16, 2026 adoption date (i.e., by April 16, 2026).

Distribution must be on paper unless an individual has expressly agreed to electronic delivery of HIPAA notices. To qualify, the HIPAA notice must be specifically itemized in that individual's electronic-delivery consent or acknowledgment; a general consent to electronic benefits communications is not enough.

____________

Below is sample language you may use when communicating to your employees:

Subject: Updated HIPAA Privacy Notice

Good morning,

We’re reaching out to share an updated HIPAA Notice of Privacy Practices (NPP). The Department of Health and Human Services recently released new guidance requiring employers and health plan sponsors to provide an updated notice. This ensures everyone understands how their protected health information (PHI) is used, safeguarded, and what rights you have under HIPAA.

There is no action needed from you. We’re simply providing this updated notice to keep you informed and aligned with current federal requirements.

If you have any questions, please feel free to reach out to the HR team.

Note: Be sure to indicate whether recipients are receiving this document by email or on paper, and how it will be delivered.

3. Updated Model Medicaid and Children's Health Insurance Program (CHIP) Notice

DOL released a new Model Employer CHIP Notice (Jan 29, 2026).

Applies To: All employers that offer medical coverage where employees contribute to premiums and live in a state offering CHIP/Medicaid premium assistance.

Key points:

    • Must be provided to eligible employees in affected states.
    • Penalties for not providing the notice can reach $145 per person per day.
    • Updated twice per year (January and July).
    • January 2026 update includes changes to Louisiana’s contact information.

Employers should use the most recent version for new hires and open enrollment.

Note: Hausmann Group provides you with an updated notice during your open enrollment.

4. RxDC Reporting – Employer Surveys Are Beginning

Carriers and TPAs handle most of the RxDC submission but need employers’ annual contribution data.

Applies To: All employers with group medical/Rx plans (except ICHRAs).

What employers must provide:

    • How much the employer and employees paid for coverage last calendar year
    • For self-funded plans: actual fixed costs plus claims, minus stop-loss rebates and pharmacy rebates

Missing information may require employers to submit directly through HIOS or hire a vendor.

Note: Watch for communications from your Hausmann Group Service Team.

5. Updated Penalties & 2027 Health Plan Out-of-Pocket Maximums

For 2026 Health Plans:

  • Health Insurance Portability and Accountability Act (HIPAA) penalties: $145–$73,011 per violation (up to $2.19M/year)
  • Summary of Benefits and Coverage (SBC) penalty: $1,443 per failure
  • Medicare Secondary Payor (MSP) penalty: $11,823 per failure

For 2027 Health Plans:

  • OOP max: $12,000 individual / $24,000 family
  • Employer mandate (§4980H) penalties:
    • §4980H(a), no offer of coverage: $3,780 per full-time employee per year
    • §4980H(b), coverage offered but unaffordable or lacking minimum value: $5,670 per affected employee per year

Applicable Large Employer (ALE) rules apply to employers with 50 or more full-time employees, counting full-time equivalents (FTEs).

6. Federal Enforcement Priorities for 2026

EBSA has identified key focus areas for enforcement under ERISA:

  • Cybersecurity: Increased emphasis on system hardening and secure data handling.
  • Mental Health & Substance Use Disorder Parity: Ongoing investigations around:
    • Access to in-network MH/SUD providers
    • Medical necessity criteria
    • Barriers to autism therapy, eating disorder treatments, and Medication Assisted Treatment for opioid use disorders
  • Surprise Billing:
    • A high number of Independent Dispute Resolution (IDR) cases are being decided in favor of providers.
    • Plans need to ensure correct processes and documentation.
  • Abusive MEWAs: Continued monitoring of noncompliant association health plans, which can pose fraud or insolvency risks.

Bottom line:
Employers should review compliance processes proactively. Issues in these areas can lead to audits, penalties, or investigations.
