Compliance Monthly Update: January 2026


A brief update on what happened the prior month in group health plan compliance at the federal level, organized chronologically. An update for the state and local level is further down. If you would like additional information, please reach out to the GBS Compliance Team.

Federal Compliance Update

Preventive services mandate expanded to cover cervical cancer screenings under updated HRSA guidelines.

On January 5, the HHS Health Resources and Services Administration (HRSA) issued updated women’s preventive services guidelines (that were approved December 29, 2025).  As a reminder, non-grandfathered group health plans and insurers must cover without cost-sharing certain preventive services specified by HRSA, the United States Preventive Services Task Force (USPSTF), and the CDC’s Advisory Committee on Immunization Practices (ACIP).  Recommendations and guidelines are updated periodically, and plans generally must cover newly recommended services in plan years beginning on or after the date that is one year after the guideline is approved.  The updated HRSA guidelines add the following to the list of health services that must be covered without cost-sharing for plan years beginning on or after December 29, 2026: (a) self-collected cervical cancer screening for women aged 30 to 65 years with average risk and (b) additional testing if necessary to complete the screening process for malignancies (e.g., cytology, biopsy, colposcopy, extended genotyping, and dual stain).  The guidelines specify that while individuals meeting the specified criteria now have the option of self-testing, they may instead choose to have an HPV or Pap test performed by a provider.

HHS January 2026 cybersecurity newsletter released with guidance for HIPAA covered entities and business associates.

On January 9, HHS’s Office for Civil Rights (OCR) released a newsletter that highlights the critical role of system hardening (ongoing technical and operational measures to protect ePHI) to reduce the risks that HIPAA covered entities (e.g., group health plans) and business associates face from cyber threats targeting electronic PHI.  The guidance reinforces OCR’s continued expectation that covered entities and business associates proactively reduce cybersecurity risks to electronic PHI through ongoing technical and operational safeguards.  OCR emphasizes that system hardening directly supports the HIPAA Security Rule’s core requirement to ensure the confidentiality, integrity, and availability of electronic PHI.  HIPAA Privacy and Security Officers should review these recommendations for their risk management responsibilities and consider integrating the safeguards outlined in the newsletter into their HIPAA policies, procedures, and training. 

2026 federal poverty levels released—and the impact on affordability determinations.

On January 15, the 2026 poverty guidelines were released and set the federal poverty line (FPL) at $15,960 (up from $15,650 in 2025) for a person living in the lower-48 states.  The updated FPL is $18,360 for Hawaii and $19,950 for Alaska.  Applicable large employers (ALEs) that utilize the FPL affordability safe harbor may use the FPL that is in effect within six months before the start of the plan year.  So, January 1, 2026, plan years are still required to use the 2025 FPL because the new 2026 guidelines were not released prior to the beginning of the plan year.  However, non-calendar plan years starting in 2026 can use the increased 2026 guidelines, which raise the FPL safe harbor amount.  For example:

  • 2026 calendar-year plans. The maximum affordable employee-only contribution for the lowest-cost plan based on the FPL safe harbor = $129.90 = (9.96% x $15,650 FPL for 2025) / 12.
  • 2026 non-calendar-year plans. The maximum affordable employee-only contribution for the lowest-cost plan based on the FPL safe harbor = $132.47 = (9.96% x $15,960 FPL for 2026) / 12.

DOL updates its national enforcement priorities.

On January 15, the DOL’s Employee Benefits Security Administration (EBSA) updated its list of ERISA enforcement projects and priorities and issued an associated news release.  Of note to group health plans, under the updated enforcement projects, the DOL will prioritize enforcement related to barriers to mental health and substance use disorder benefits, surprise billing compliance, cybersecurity and data protection, and protections of the handling of employee contributions.  With this in mind, plan sponsors may want to review their HIPAA Privacy/Security policies, procedures, trainings, and risk analysis; confirm they have a current nonquantitative treatment limitation (NQTL) comparative analysis; verify their carrier/TPA is complying with the surprise billing protections under the No Surprises Act; and ensure employee contributions are handled promptly and properly. 

The White House releases a healthcare proposal.

On January 15, the White House released a 2-page “Great Healthcare Plan” proposal (and an associated fact sheet) that calls on Congress to lower drug prices, lower insurance premiums, increase accountability on insurance companies, and maximize price transparency.  The plan represents a broad outline of desired health policy changes to lower health care costs amid a renewed public focus on health care affordability, but it does not provide significant detail on the various policy changes proposed.  While many of the policies would need congressional action, some of the policy changes likely could be achieved administratively through rulemaking.  The plan focuses on the following items: lowering drug prices, lowering insurance premiums, increasing accountability for health insurance companies, and maximizing price transparency.

HHS increases civil monetary penalties for HIPAA, MSP, and SBC noncompliance.

On January 28, HHS announced adjusted penalty amounts effective for penalties assessed on or after January 28, 2026, for violations occurring on or after November 2, 2015.  The indexed amounts for violations are as follows:

  • The HIPAA Privacy and Security Rules have four tiers of violations that reflect increasing levels of culpability, with minimum and maximum penalty amounts within each tier and an annual cap on penalties for multiple violations of an identical provision.
    • No Knowledge. For violations where the covered entity does not know about the violation (and by exercising reasonable diligence, would not have known about the violation) the penalty amount is between $145 and $73,011 for each violation. The calendar year penalty cap is $2,190,294 for all violations of an identical requirement.
    • Reasonable Cause. If the violation is due to reasonable cause, the penalty amount is between $1,461 and $73,011 for each violation. The calendar year penalty cap is $2,190,294 for all violations of an identical requirement.
    • Willful Neglect (but corrected within 30 days). For corrected violations that are caused by willful neglect, the penalty amount is between $14,602 and $73,011 for each violation.  The calendar year penalty cap is $2,190,294 for all violations of an identical requirement.
    • Willful Neglect (but not corrected within 30 days). For violations caused by willful neglect that are not corrected, the penalty amount is between $73,001 and $2,190,294 per violation.  The calendar year penalty cap is $2,190,294 for all violations of an identical requirement.
  • Medicare Secondary Payer (MSP) rules prohibit plans from “taking into account” the Medicare entitlement of employees and dependents. The violation for offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary is $11,823.  The violation for a failure of a responsible reporting entity (RRE) to provide information identifying situations where the group health plan is primary (i.e., Section 111 reporting) is $1,512. 
  • Summary of Benefits and Coverage (SBC) generally must be provided to participants and beneficiaries before enrollment and during open enrollment. The penalty for a willful failure to provide an SBC is $1,443. 

Additional actions taken in December 2025 not mentioned last month.

State financial officers send letter to Fortune 500 companies requesting information on health care costs.

On December 15, officials from 12 states (Indiana, Kentucky, Louisiana, Mississippi, Montana, Nebraska, North Dakota, Ohio, Oklahoma, South Carolina, Utah, and Wyoming) sent a joint letter to “Fortune 500 companies” requesting the companies (a) conduct a detailed “payment integrity analysis” of their health care spending and (b) provide answers to a detailed list of questions set forth in the letter by January 15, 2026.  Regarding the payment integrity analysis, the letter states – “To reduce costs and increase shareholder value, a payment integrity analysis could: (a) compare prices by using actual price data provided by insurers, hospitals, and other providers, to ensure that healthcare fees and expenses are reasonable and necessary; and (b) evaluate contracts, policies, and practices that have been the subject of litigation or enforcement actions against other vendors, such as programs giving vendors a financial incentive to drive up costs and/or make overpayments with plan funds.”  The letter includes a section where the signatories characterize their view of companies’ ERISA fiduciary duties when selecting and monitoring group health plan service providers, as well as a section outlining various alleged practices by TPAs and PBMs.  The signatories also outline their view that a payment integrity analysis must be performed by a party that is independent of the plan service provider.  Although not specifically stated in the letter, the requested analyses and answers appear to be voluntary, and the letter does not state what recourse or ramifications may result if a company fails to undertake the encouraged payment integrity analysis and/or provide the requested answers by January 15.

ERISA fiduciary lawsuits filed targeting voluntary benefit plans.

Last month, a well-known plaintiffs’ law firm filed several class action lawsuits under ERISA targeting major employers and their brokers for allegedly breaching fiduciary duties related to voluntary benefit plans (such as accident, critical illness, and hospital indemnity insurance).  These lawsuits generally allege the employers and their brokers breached their ERISA fiduciary duties and caused the participants to pay excessive premiums because they failed to engage in a prudent process when selecting the insurance offerings and failed to monitor the commissions received by the benefits brokers.  While the outcome of this litigation is uncertain, it is another reminder to plan sponsors to continue engaging in prudent fiduciary decision-making processes for designing their benefit plans and in their selection of vendors.  ERISA does not require plan fiduciaries to select the lowest cost vendors; rather, they should make a prudent decision, taking into account the various factors in the vendor selection process, to ensure the plans are designed and administered in participants’ best interests.  Having good documentation and a process in place for making prudent group health plan decisions will generally be the most effective shield against potential lawsuits.

State/Local Compliance Update

A brief update on what happened the prior month in group health plan compliance at the state and local level, listed alphabetically. If you would like additional information, please reach out to the GBS Compliance Team.

California

San Francisco Health Care Security Ordinance (HCSO): self-funded plan top-off reminder, updated notice, and annual online reporting reminder.

Employers with employees based in San Francisco who are covered by the HCSO have several tasks to complete in early 2026. As a reminder, the HCSO applies to covered employers, regardless of whether they have a fully insured or self-funded plan, and they must spend a minimum amount on health care benefits for covered employees.

    • For self-funded plans, if the health care spending did not meet the required expenditures in 2025, an additional payment (known as a “top-off”) must be made by February 28, 2026. Instructions for completing these top-off payments are available on the main HCSO website under the “Resources” section.  (Note that top-offs for fully insured plans that do not meet the required expenditures are required to be made quarterly.)
    • San Francisco has released an updated HCSO notice for the 2026 calendar year. The notice outlines the required health care spending rates and must be displayed in all workplaces with covered employees.  Covered employers should download the updated notice and ensure it is displayed prominently at all workplaces or job sites where covered employees work.  In the case where a covered employer does not control the work location of its covered employees (e.g., employees working from home or employees outsourced to a third party) the employer must ensure those employees are provided a copy of the notice.
    • Covered employers are responsible for submitting the 2025 HCSO Annual Online Reporting Form by April 30, 2026, that reports specific information for the prior calendar year. The form will be available on the HCSO website by April 1, 2026, and employers can sign up to be notified when the form is available. 
    • See the San Francisco HCSO website for more information.

California releases updated paid sick leave poster.

California has updated the Healthy Workplaces/Healthy Families Act (HWHFA) paid sick leave poster, which reflects recent amendments to the state’s paid sick leave law.  Employers should ensure that the most current version is displayed where employees can readily view it during the workday.

Colorado

Colorado releases 2026 FAMLI Program Notice.

The required FAMLI Program Notice has been updated for 2026.  Employers should use this most current version, which is required to be posted at worksites, furnished to employees during onboarding, and furnished again when an employee experiences a qualifying event.

New Jersey

Expansion of employee protections under New Jersey Family Leave Act.

On January 17, Governor Murphy signed into law A3451/S2950 that expands the reach and protections of the New Jersey Family Leave Act (NJFLA).  The law will take effect on July 17, 2026, and amends the NJFLA to cover small employers and will reduce the minimum amount of time an employee must be employed before being eligible for leave.  The NJFLA currently provides twelve weeks of leave every twenty-four months to eligible employees who require time off to care for a seriously ill family member or bond with a new child.  To be eligible for NJFLA leave under existing law, an employee must: (1) work for an employer with thirty or more employees; (2) have been employed at least twelve months; and (3) have worked at least 1,000 hours in the twelve months preceding the requested leave start date.  The new legislation changes each of these eligibility requirements.  Now, an employee will be eligible for NJFLA leave if the employee: (1) works for an employer with fifteen or more employees; (2) has been employed for at least three months; and (3) has worked at least 250 hours in the preceding three months.  The new law also appears to greatly expand state law to include new job-protection provisions for employees taking medical leave and receiving state Temporary Disability Insurance (TDI) benefits. Currently, the NJFLA (unlike federal FMLA) does not provide job-protected leave for an employee’s own serious medical condition.  Under the new law, employees receiving state TDI benefits for their own medical condition must be restored to the same job they had before taking leave, or a job that is equivalent in terms of seniority, status, employment benefits, pay, and other terms and conditions of employment.

New Mexico

New Mexico removes insurance mandate requiring coverage of gender transition services.

On January 12, New Mexico issued Bulletin 2026-001 that repeals the 2018 reproductive healthcare anti-discrimination provisions protecting gender identity and mandating services for gender transition when the services would otherwise be covered for non-gender-transition purposes.

Puerto Rico

Declared state of emergency due to influenza epidemic activates five-day paid leave requirements.

On January 27, Governor Gonzalez declared a State of Emergency in Puerto Rico (due to an influenza virus epidemic) activating extraordinary measures for the protection of public health.  This activates a special five-day paid leave entitlement for employees who suffer from, or are suspected of suffering from, the illness or epidemic that gives rise to the state of emergency.  Employees must have exhausted both vacation leave and regular sick leave before being eligible to use this special leave. 

Rhode Island

Rhode Island employees entitled to temporary caregiver insurance benefits.

Effective January 1, 2026, employees in Rhode Island are now entitled to enhanced temporary caregiver insurance benefits as part of the state’s temporary disability insurance (TDI) program that provides wage replacement benefits for employees who take time off work to care for a seriously ill child, spouse, domestic partner, parent, parent-in-law, grandparent, or to bond with a new child.  Employees can now take up to eight weeks in a benefit year to care for a seriously ill family member.  The leave is job protected, so employees who exercise their right to caregiver leave are entitled to be restored by their employer to the position held by the employee when the leave commenced, or to a position with equivalent seniority, status, employment benefits, pay, and other terms and conditions of employment including fringe benefits and service credits that the employee had been entitled to at the commencement of the leave.  During caregiver leave, the employer must also maintain any existing health benefits of the employee for the duration of the leave as if the employee had continued in employment continuously from the date the employee commenced the leave until the date the caregiver benefits terminate.  The employee must continue to pay their share of the cost of health benefits during the leave period.  An employer may require an employee who is entitled to federal FMLA or the Rhode Island Parental and Family Medical Leave Act to take their caregiver leave concurrently. 

Washington

Kaiser fined for MHPAEA violations.

The Washington state insurance commissioner fined Kaiser $300,000 on January 7 for violations of the Mental Health Parity and Addiction Equity Act (MHPAEA).  In a press release, the state noted that Kaiser failed to provide sufficient documentation for two treatment limitations—provider admissions standards and network adequacy.  Additionally, Kaiser could not provide detailed documentation showing how it initially worked to address disparate results in provider reimbursements and network adequacy standards.  Last year, the state also fined Regence BlueShield $550,000 (in November) and Premera $550,000 (in August) for mental health parity violations.
