Compliance Briefing | February

Updated HIPAA Notice of Privacy Practices Required in 2026

Employers that sponsor self-funded group health plans should prepare for upcoming changes to the HIPAA Notice of Privacy Practices (NPP). Federal privacy rules require group health plans to provide plan participants with an NPP explaining how their protected health information (PHI) is used, disclosed, and safeguarded. HIPAA requires covered entities to distribute an NPP to individuals when coverage begins and to periodically remind participants of its availability. Recent regulatory changes related to substance use disorder (SUD) records require many covered entities that create, receive, maintain, or transmit SUD treatment records to update this notice by February 16, 2026.

Under HIPAA, the NPP must be written in clear, easy-to-understand language and must explain:

  • When PHI can be used or disclosed without authorization
  • When participant consent is required
  • What privacy rights individuals have
  • How those rights can be exercised
  • How to contact the plan with questions or complaints

The need to update the NPP arises from expanded privacy protections under 42 CFR Part 2 (Part 2), which applies to certain entities that create or maintain SUD treatment records. These rules impose stricter standards than HIPAA in many cases and limit how SUD information may be used, disclosed, or relied upon in legal and administrative proceedings. Although the Department of Health and Human Services (HHS) has not released a standardized model notice specifically for these changes, employers are still required to meet the February 16, 2026, compliance date using the regulatory requirements and available guidance.

The updated notice must clearly explain the enhanced confidentiality protections that apply to SUD records, including the fact that these records generally cannot be used or disclosed for civil, criminal, administrative, or legislative proceedings without specific authorization or a court order. The notice must also clarify that when both HIPAA and Part 2 apply to SUD records, covered entities must follow both sets of rules, and the more protective Part 2 standards limit how those records may be used and disclosed.

In addition, for entities that use PHI for fundraising, the updated NPP must describe the individual’s right to opt out of fundraising communications, consistent with HIPAA’s fundraising rules as integrated with the new Part 2 framework.

Employer Considerations
Employers should pay close attention to how and when the updated NPP is distributed. The revised notice must be provided to plan participants no later than February 16, 2026. Distribution may be made:

  • Electronically (if federal electronic delivery and consent requirements are satisfied)
  • By posting on a benefits website (with appropriate notification)
  • Through hard-copy delivery, such as first-class mail

Fully insured plan sponsors can typically rely on their insurance carriers to fulfill this obligation, whereas self-funded plan sponsors are more likely to be responsible for distributing the notice.


Nondiscrimination Testing: Why Early Testing Makes Sense

Nondiscrimination testing (NDT) is an annual IRS requirement to ensure that employee benefits do not overly favor highly compensated employees (HCEs) or key employees. Certain group health plans and tax-favored accounts may choose to run nondiscrimination testing early in the year so there is ample time to spot and fix failures before year-end, protect the tax-favored status of benefits, and avoid costly corrections after year-end.

Employer-sponsored plans subject to nondiscrimination rules include:

  • Self-insured medical plans (IRC §105(h))
  • Health flexible spending arrangements (FSAs)
  • Cafeteria plans (IRC §125)
  • Dependent Care Assistance Programs (DCAPs) (IRC §129)

Key reasons to test early:

  • Early testing allows the employer to see whether elections and participation patterns are likely to cause the plan to fail nondiscrimination testing when compliance is measured as of the last day of the plan year.
  • If a preliminary test identifies concerns, the plan sponsor may still adjust plan design, employer contributions, or communication strategies to increase non-HCE participation before the plan year closes.
  • Once the plan year has ended, there is generally no practical way to remedy a nondiscrimination failure. At that point, employees may be required to include the discriminatory portion of benefits in taxable income, and the employer may need to issue corrected Forms W-2 and amend payroll tax filings.

Employer Considerations
Running a “mock” or mid-year test is considered a best practice because nondiscrimination rules are applied based on the facts and circumstances as of the last day of the plan year, making early testing a useful compliance forecast.

Early testing helps document a good-faith compliance process in the event of an IRS audit by demonstrating that the employer actively monitored the plan and took reasonable steps to avoid favoring highly compensated or key employees.

DOL Proposes Additional PBM Transparency Rules

The U.S. Department of Labor (DOL) has finalized a new proposed rule under the Employee Retirement Income Security Act (ERISA) to better identify how pharmacy benefit managers (PBMs) and their affiliates are paid. The rule requires significantly more transparency about PBM fees and compensation so that plan fiduciaries can better understand costs, identify conflicts of interest, and determine whether PBM arrangements are reasonable under ERISA.

The final rule implements President Trump’s Executive Order 14273, Lowering Drug Prices by Once Again Putting Americans First, and is part of a broader administration effort to increase healthcare price transparency and address prescription drug costs.

Why This Matters to Employers
Prescription drugs represent a major and growing share of employer-sponsored healthcare spending. PBMs play a central role in managing pharmacy benefits—designing formularies, negotiating with drug manufacturers, setting up pharmacy networks, and processing claims. However, PBM compensation structures are often complex and difficult for employers to evaluate because PBMs may receive revenue not only from the health plan, but also from manufacturers, pharmacies, and other third parties.

The DOL believes that this lack of transparency makes it harder for plan fiduciaries to fulfill their ERISA duties and manage rising drug costs. The final rule is intended to give employers clearer insight into PBM compensation flows and stronger tools to oversee these arrangements.

Background
ERISA generally prohibits transactions between a group health plan and certain “parties in interest,” including service providers. An important exception—ERISA section 408(b)(2)—allows these arrangements only if:

  • The services are necessary
  • The arrangement is reasonable
  • No more than reasonable compensation is paid

Existing regulations already require fee disclosures for certain brokers and consultants serving group health plans. The new proposal builds on that framework but is specifically tailored to PBMs, recognizing the unique complexity of the pharmaceutical supply chain.

Key Requirements in the Proposed Rule

Who Is Covered
The rule would apply to:

  • PBMs providing services to self-insured group health plans
  • PBM-affiliated brokers and consultants

These entities are referred to as “covered service providers,” even if services are performed through affiliates or subcontractors.

Initial Disclosures
Before entering, renewing, or extending a PBM contract, covered service providers would have to disclose:

  • A description of the PBM services being provided
  • All reasonably expected compensation, including amounts paid by the plan and payments from other sources, such as:
    • Drug manufacturer payments and rebates
    • Spread pricing
    • Pharmacy claw-backs
    • Price protection arrangements
    • Other direct or indirect compensation tied to the plan

Ongoing Disclosures
Twice a year, PBMs would need to report the same categories of compensation based on what was actually received, allowing employers to monitor arrangements over time—not just at contract signing.

Audit Rights
The proposal would require PBMs to allow plan fiduciaries to audit the disclosed information to confirm its accuracy.

Protection for Plan Fiduciaries
The DOL acknowledges that employers should not automatically be penalized if a PBM fails to meet its disclosure obligations. As a result, the proposal includes a new administrative exemption that could protect plan fiduciaries if they take appropriate steps to address the failure and notify the DOL if the PBM does not correct the issue.

Employer Considerations
Employers sponsoring self-insured plans can expect greater disclosure, enhanced oversight responsibilities, and new opportunities to assess whether PBM arrangements are truly reasonable and aligned with plan interests.

Employers will see expanded PBM fee transparency, the ability to evaluate PBM contracts, and the ability to manage prescription drug costs and meet their fiduciary obligations under ERISA.

New Childhood Vaccination Guidelines and Employer Impact

In early January 2026, the U.S. Department of Health and Human Services (HHS) and the Centers for Disease Control (CDC) released major updates to the childhood immunization schedule, marking one of the most significant changes in decades. While the science behind vaccination remains unchanged, the way certain vaccines are categorized and discussed has shifted, creating new considerations for employers and their health plans.

The updated schedule reduces the number of vaccines that are universally recommended for all children from birth through age 18. Core vaccines—such as those for measles, mumps, rubella, polio, whooping cough, and chickenpox—remain universally recommended. Other vaccines, including influenza, COVID-19, hepatitis A and B, RSV, rotavirus, and some meningococcal vaccines, are now recommended based on either a child’s risk factors or shared clinical decision-making between families and healthcare providers.

Importantly, access has not changed. All recommended vaccines remain available and are generally covered at no cost under ACA-compliant health plans and federal programs like Medicaid and Vaccines for Children. Families should still work directly with pediatric providers to determine the appropriate vaccines for each child.

Employer Action Items
For employers, these updates are less about changes in coverage and more about communication. Under the ACA, most group health plans must continue to cover CDC-recommended vaccines without cost-sharing. However, employees may be confused by the shift away from “universal” recommendations and may question whether certain vaccines are still covered.

To prepare, employers should:

  • Review plan documents
  • Confirm carrier and TPA guidance
  • Update benefits materials to clearly explain what has changed and what has not

Part D Creditable Coverage Disclosure Due to CMS

Employers and other group health plan sponsors must report to the Centers for Medicare & Medicaid Services (CMS) whether their prescription drug coverage is creditable for Medicare Part D purposes using the Online Disclosure to CMS Form, due on March 1 for calendar year plans.

Plans that do not offer any prescription drug benefits to Medicare-eligible individuals as of the start of the plan year do not have to file, and plans covered under the Retiree Drug Subsidy for specific retirees are exempt from reporting for those retirees.

When completing the disclosure, refer to the instructions and be prepared to provide:

  • Employer name, address, phone number, and EIN
  • Plan year start and end dates, number of prescription drug options offered, and whether each option is creditable or non-creditable
  • Estimated number of plan participants who are Medicare-eligible (sometimes broken out by active vs. retiree, if applicable)
  • Date the required Notice of Creditable Coverage was provided to Medicare-eligible individuals
  • Name, title, and email for the person submitting the disclosure

CMS requires the online disclosure to be submitted at specific times:

  • Annually, no later than 60 days from the beginning of each plan year (for calendar-year plans, this date generally aligns with March 1)
  • Within 30 days after termination of a prescription drug plan
  • Within 30 days after any change in the plan’s creditable coverage status

After submission, CMS provides on-screen confirmation. Plan sponsors are encouraged to print or save a screenshot or PDF of this confirmation for their records.

Penalties
CMS has not established a monetary penalty tied to late or missed CMS online disclosure filings by group health plans. However, employers are still legally required to complete the disclosure within the required timeframes, so failure to file could be cited in an audit or diligence review.

Employer Considerations
The disclosure and individual creditable coverage notices help Medicare‑eligible employees know if they can safely delay Part D without a personal late enrollment penalty. If an employee lacks clear notice, delays enrolling in Medicare Part D, and goes more than 63 consecutive days without creditable coverage, the employee is subject to a permanent late enrollment penalty. While the penalty is imposed on the employee, not the employer, failure to provide notice can lead to employee disputes and complaints.

Updated Civil Penalties for Employers Sponsoring Group Health Plans

The Department of Health and Human Services (HHS) has announced updated civil monetary penalties for violations of HIPAA Administrative Simplification, Medicare Secondary Payer (MSP) requirements, and Summary of Benefits and Coverage (SBC) provisions, effective January 28, 2026.

Key Updates

HIPAA Administrative Simplification
HIPAA Administrative Simplification encompasses standards for privacy, security, breach notification, and electronic health care transactions. Penalties for violations are categorized into four tiers based on culpability.

Minimum penalties in 2026 are:

  • For lack of knowledge – $145 (up from $141)
  • For reasonable cause, not willful neglect – $1,461 (up from $1,424)
  • For willful neglect, corrected within 30 days – $14,602 (up from $14,232)
  • For willful neglect, not corrected within 30 days – $73,011 (up from $71,162)

The maximum penalty for the first three tiers is $73,011 (up from $71,162), and the calendar-year cap is $2,190,194 (up from $2,134,831).
For the fourth tier (willful neglect), the maximum penalty and calendar-year cap are $2,190,294 (up from $2,134,831).

Medicare Secondary Payer (MSP)
Penalties for employers that offer incentives to Medicare-eligible individuals not to enroll in an employer-sponsored health plan, and for failure to report primary plan situations, both rose.

  • Offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary: $11,823 (up from $11,524).
  • Failure of responsible reporting entities to provide information identifying situations where the group health plan is primary: $1,512 (up from $1,474).

Summary of Benefits and Coverage (SBC)
An SBC is a consumer-facing, ACA-required, standardized document that outlines a health plan’s costs, benefits, covered services, and limitations. It must be provided to plan participants and beneficiaries before enrollment or re-enrollment.

  • The penalty for willful failure to provide SBCs increased to $1,443 (up from $1,406) for each failure.

New Jersey Expands Paid Family Leave

New Jersey has significantly expanded its paid and job-protected family leave laws, broadening coverage for both employers and employees. Signed into law on January 17, 2026, and effective July 17, 2026, the New Jersey Family Leave Act (NJFLA) will apply to employers with 15 or more employees, a reduction from the prior 30-employee threshold.

Employee eligibility has also expanded, as workers will qualify for job-protected leave after three months of employment and 250 hours worked, rather than the previous 12 months and 1,000 hours.

Eligible employees may take up to 12 weeks of job-protected leave in a 24-month period to bond with a new child or to care for a family member with a serious health condition, with the right to reinstatement to the same or an equivalent position upon return.

Employer Action Items
These expansions mean that more employees will qualify for protected leave sooner and at smaller employer sizes. Employers should:

  • Check employee count
  • Update leave policies and employee handbooks
  • Adjust administrative processes to ensure:
    • Proper coordination of leave benefits
    • Access to leave requests
    • Anti-retaliation rules are in place
    • Tracking mechanisms are effective
    • Managers and supervisors understand the change

New Lawsuits Put Voluntary Benefits under the Fiduciary Microscope

As the new year begins, employers are facing heightened legal scrutiny around voluntary benefit programs. Schlichter Bogard LLC, a firm well known for aggressive litigation involving retirement plans and, more recently, health and welfare plans, filed a series of class action lawsuits targeting how employers oversee voluntary benefits such as accident, critical illness, and hospital indemnity plans.

These lawsuits allege that employers, plan fiduciaries, and benefits brokers failed to meet their fiduciary responsibilities, resulting in millions of dollars in losses to plan participants.

Why Voluntary Benefits Are Now a Legal Hot Spot

Voluntary benefits are commonly offered at no direct cost to employers, with employees typically paying 100% of the premiums. Many of these arrangements are intended to fall outside of ERISA under a regulatory “voluntary plan” exception. However, that exception is narrow and technical. If even one requirement is missed, the plan may be treated as an ERISA plan—bringing with it full fiduciary obligations and enforcement risk.

For this reason, voluntary benefits can quietly expose employers to significant compliance and litigation risk if they are not carefully structured and monitored.

Fiduciary Duties and Prohibited Transactions Under ERISA

Under ERISA, anyone who exercises discretion over plan management, administration, or assets can be considered a fiduciary. Fiduciaries must act solely in the interest of plan participants, ensure expenses are reasonable, and follow a prudent, well-documented decision-making process.

ERISA also prohibits certain transactions, including:

  • Providing services between a plan and a “party in interest” (such as an employer, broker, or consultant)
  • Transferring plan assets to a party in interest
  • Fiduciary self-dealing

Some of these transactions can be permitted, but only if strict conditions are met—most notably that compensation is reasonable and the arrangement is defensible.

What the Lawsuits Allege

The lawsuits were filed against four large employers—Laboratory Corporation of America Holdings, United Airlines, CHS/Community Health Systems, and Allied Universal—along with their benefits brokers, including Willis Towers Watson, Mercer, Gallagher, and Lockton.

Although the cases involve different companies, the allegations are nearly identical. The claims assert that:

  • The voluntary benefit programs should be treated as ERISA plans
  • Both employers and brokers functioned as plan fiduciaries
  • Fiduciaries failed to properly oversee carrier selection, premiums, commissions, and loss ratios
  • There was no meaningful fiduciary process, such as competitive bidding, benchmarking, or leveraging plan size to control costs
  • Employers and brokers engaged in prohibited transactions and knowingly participated in each other’s violations

The lawsuits seek personal liability for fiduciaries, recovery of alleged plan losses, disgorgement of profits, and removal of fiduciaries accused of breaching their duties.

Employer Action Items
Given the increased focus on health and welfare fiduciary oversight, employers sponsoring group and voluntary benefits may want to proactively strengthen their governance. Key risk-reduction steps include:

  • Establishing a formal fiduciary committee for health and welfare benefits, supported by a written charter
  • Re-evaluating whether voluntary benefits truly meet the requirements for ERISA exemption
  • Carefully reviewing and negotiating broker, consultant, and administrative service agreements 
  • Requesting and reviewing detailed fee and compensation disclosures from service providers
  • Assessing whether compensation is reasonable and avoids potential conflicts of interest
  • Confirming accurate reporting of compensation on Form 5500 filings
  • Periodically issuing requests for proposals for insurers, third-party administrators, pharmacy benefit managers, and service providers
  • Benchmarking premiums, fees, and vendor performance on a regular basis
  • Thoroughly documenting fiduciary processes, decisions, and oversight activities to demonstrate procedural prudence

Question of the Month

Qualified Life Event Due to Loss of ACA Subsidy

Q. If an employee loses ACA subsidies, and premiums increase significantly as a result, would that be considered a qualifying life event, allowing them to drop coverage mid-year?

A. Unfortunately, this is a very common question this year. Increased costs on the Marketplace due to the loss of ACA subsidies are not a qualifying life event entitling an employee to enroll in his or her employer’s plan mid-year. The employee will need to wait until open enrollment (or a different qualifying life event).

Answers to the Question of the Week are provided by Kutak Rock.

This information is general in nature and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.

©2026 United Benefit Advisors

