Compliance Monthly Update: September 2025


A brief update on what happened the prior month in group health plan compliance at the federal level, organized chronologically. An update for the state and local level is further down. If you would like additional information, please reach out to the GBS Compliance Team.

Federal Compliance Update

HIPAA Security Risk Assessment (SRA) Tool updated.

On September 9, HHS announced an updated version of the interactive HIPAA Security Risk Assessment (SRA) Tool. The HIPAA Security Rule requires covered entities and business associates to conduct a risk assessment that helps ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where protected health information (PHI) could be at risk. The SRA Tool is designed to help conduct the risk assessment as required by HIPAA and walks users through multiple choice questions. The answers to those questions show whether corrective action is necessary to comply with the HIPAA Security Rule.

Eleventh Circuit upholds health plan’s exclusion of “gender-affirming” surgery.

On September 9, the U.S. Court of Appeals for the Eleventh Circuit (sitting en banc) held in Lange v. Houston County Georgia that the exclusion of health plan coverage for “gender-affirming” surgery is not sex discrimination under Title VII.  

  • The case was brought by a transgender employee who had been denied coverage for surgery recommended by her physician to treat gender dysphoria.
  • The court reasoned that the exclusion did not violate Title VII because the plan denied coverage of a “sex change operation” for anyone, regardless of biological sex. Further, the court held that the exclusion did not discriminate on the basis of transgender status because it was a classification based on medical use.  The court explained that the procedures that make up a sex change would be covered for other purposes, such as for cancer or reconstructive surgery following a car accident, without regard to whether the employee who needed those procedures was transgender.  The court concluded the exclusion is not facially discriminatory based on a protected status. 
  • In reaching this conclusion, the Eleventh Circuit relied heavily on the Supreme Court’s recent Skrmetti decision where the Supreme Court held a Tennessee law did not discriminate based on sex or transgender status when it disallowed certain hormone therapy treatments for gender dysphoria in minors but permitted the same treatments for other medical conditions. While Skrmetti involved the Equal Protection Clause of the Fourteenth Amendment and not Title VII, the Eleventh Circuit nonetheless found that the Supreme Court’s Skrmetti ruling controlled.  That is, the Eleventh Circuit interpreted the Skrmetti ruling to reach both the Equal Protection Clause of the Fourteenth Amendment and Title VII.

This case again shows the unclear legal landscape on plan coverage and exclusions of “gender-affirming” care because the courts are divided on the application of Title VII and other nondiscrimination laws like ACA Section 1557. At least one other district court addressing a similar health plan exclusion for “gender-affirming” care (post-Skrmetti) reached a different conclusion from the Eleventh Circuit; however, that case was in the context of ACA Section 1557 and not Title VII. Plan sponsors should be aware that plan exclusions of coverage for “gender-affirming” care continue to be frequent targets of litigation.

Court finds ERISA does not preempt Arkansas PBM reporting requirements under Rule 128.

A district court found that Arkansas Rule 128 requiring ERISA plans to report certain prescription drug compensation related information regarding their PBMs is not preempted by ERISA. 

  • As background, Rule 128 requires plans and payors to report compensation for pharmacy services with the goal of maintaining adequate PBM networks in the state. If the state insurance commissioner determines that compensation is inadequate, payment of an additional cost (a “dispensing fee”) may be required. 
  • In this case, a plan argued that the rule was preempted because it imposed requirements directly on ERISA plans that interfered with plan design and restricted the plan’s ability to structure prescription drug benefits, impacting its nationally uniform plan administration.
  • The court explained that ERISA preempts state laws that either reference (e.g., apply exclusively or immediately to) or are impermissibly connected to an ERISA plan. A state law impermissibly connected to an ERISA plan is one that governs a central matter of plan administration or interferes with nationally uniform plan administration.  Determining that Rule 128 did not restrict its application to ERISA plans, the court shifted its focus to whether it was impermissibly connected to ERISA plans.  It first concluded that the rule’s reporting requirement was merely incidental to its purpose of procuring the information necessary to ensure fair and reasonable reimbursement of pharmacy services.  The court also rejected the argument that the dispensing fee dictates ERISA plan design, reasoning that the fee “may” apply (i.e., only if imposed by the insurance commissioner).  The court also noted that plans were not prohibited from seeking to offset the fee by allocating its costs to Arkansas plan participants (within the scope of plan rules) across copay, coinsurance, or deductible requirements.  Comparing the rule to a similar Arkansas law at issue in the Supreme Court’s Rutledge decision, the court noted that it is a cost regulation law that does not impermissibly interfere with uniform administration of ERISA plans—that is, it relates to the cost regulation of all health benefit plans, not just ERISA plans, and is not preempted.
  • This is yet another case in the continuing trend of ERISA preemption challenges to state laws regulating PBMs.  And while this decision aligns closely with Rutledge, it is important to note that the outcome of these cases depends on specifics.   And state laws directly affecting ERISA plan design are more likely to be held preempted. 

Updated preventive services coverage requirements.

As a reminder, the ACA requires health plans to cover preventive services with no cost-sharing for participants, and the ACA empowers three agencies—the U.S. Preventive Services Task Force (USPSTF), the Health Resources and Services Administration (HRSA), and the Advisory Committee on Immunization Practices (ACIP)—to determine what kinds of preventive care fall within each category of mandatory coverage by issuing guidelines or recommendations. Preventive services and recommended vaccine schedules are added or updated regularly throughout the year. For group health plans subject to the mandate, the recommendation must be covered beginning with the first plan year that begins on or after one year following publication of the new or updated recommendation. However, plans may begin implementing the change sooner, particularly in situations where a new plan year begins shortly after the recommendation is published. Here are some updates on these preventive services coverage requirements:

  • For plans beginning on or after January 1, 2026, several updated recommendations are set to go into effect, such as breast cancer screening for women aged 40 at average risk (HRSA), intimate partner and domestic violence screening and counseling (USPSTF), and osteoporosis screening to prevent fractures (USPSTF).
  • Related to COVID vaccines, also effective January 1, 2026, plans must begin covering (a) a second COVID-19 vaccine dose, 6 months after the last dose, for individuals older than 65 and individuals aged six months to 64 years with moderate or severe immunocompromise and (b) additional doses, based on shared clinical decision-making, for individuals aged six months or older with moderate or severe immunocompromise.
  • On September 18 and 19, 2025, ACIP revised its recommendations on the COVID vaccine and the combined measles, mumps, rubella, varicella (“MMRV”) vaccine (note that varicella is commonly referred to as chickenpox). These recommendations are not finalized until adopted by the acting CDC Director. 
    • ACIP voted to change the COVID vaccine recommendation so that adults 65+ get a COVID vaccine based on shared clinical decision making. And for individuals aged 6 months to 64 years old, a vaccine is recommended based on shared clinical decision making, with an added emphasis on providing risk-benefit information.  ACIP also voted that individuals that decide to get the vaccine can do so without a prescription.
    • ACIP voted that instead of recommending the MMRV vaccine which is a combined shot covering measles, mumps, rubella and varicella (chickenpox) for children under four, they are now recommending MMR by itself, and a varicella/chickenpox shot by itself. ACIP voted to continue covering the combined MMRV vaccine at 100% for children ages four and older if parents prefer.
    • Remember that a finalized recommendation must be covered beginning with the first plan year that begins on or after one year following publication of the new or updated recommendation.

State/Local Compliance Update

A brief update on what happened the prior month in group health plan compliance at the state and local level, listed alphabetically. If you would like additional information, please reach out to the GBS Compliance Team.

Court finds ERISA does not preempt Arkansas PBM reporting requirements under Rule 128.
A district court found that Arkansas Rule 128 requiring ERISA plans to report certain prescription drug compensation related information regarding their PBMs is not preempted by ERISA. 

  • As background, Rule 128, which applies to health benefit plans and health care payors, requires plans and payors to report compensation for pharmacy services with the goal of maintaining adequate PBM networks in the state. If the state insurance commissioner determines that compensation is inadequate, payment of an additional cost (a “dispensing fee”) may be required.
  • In this case, a plan argued that the rule was preempted because it imposed requirements directly on ERISA plans that interfered with plan design and restricted the plan’s ability to structure prescription drug benefits, impacting its nationally uniform plan administration.
  • The court explained that ERISA preempts state laws that either reference (e.g., apply exclusively or immediately to) or are impermissibly connected to an ERISA plan. A state law impermissibly connected to an ERISA plan is one that governs a central matter of plan administration or interferes with nationally uniform plan administration.  Determining that Rule 128 did not restrict its application to ERISA plans, the court shifted its focus to whether it was impermissibly connected to ERISA plans.  It first concluded that the rule’s reporting requirement was merely incidental to its purpose of procuring the information necessary to ensure fair and reasonable reimbursement of pharmacy services.  The court also rejected the argument that the dispensing fee dictates ERISA plan design, reasoning that the fee “may” apply (i.e., only if imposed by the insurance commissioner).  The court also noted that plans were not prohibited from seeking to offset the fee by allocating its costs to Arkansas plan participants (within the scope of plan rules) across copay, coinsurance, or deductible requirements.  Comparing the rule to a similar Arkansas law at issue in the Supreme Court’s Rutledge decision, the court noted that it is a cost regulation law that does not impermissibly interfere with uniform administration of ERISA plans—that is, it relates to the cost regulation of all health benefit plans, not just ERISA plans, and is not preempted.
  • This is yet another case in the continuing trend of ERISA preemption challenges to state laws regulating PBMs.  And while this decision aligns closely with Rutledge, it is important to note that the outcome of these cases depends on the specific facts.   And state laws directly affecting ERISA plan design are more likely to be held preempted. 

California enacts new standards for preventive health coverage.
On September 17, Governor Newsom signed AB 144, which revises state requirements for coverage of immunizations and other preventive health care services required to be covered under fully insured plans issued in the state. In effect, AB 144 freezes in place (for California plans) the federal vaccine and preventive services recommendations that were in effect on January 1, 2025 (prior to any new recommendations that have been or will be made under the Trump administration). As a reminder under federal law, the ACA requires health plans to cover preventive services with no cost-sharing for participants, and the ACA empowers three agencies—the U.S. Preventive Services Task Force (USPSTF), the Health Resources and Services Administration (HRSA), and the Advisory Committee on Immunization Practices (ACIP)—to determine what kinds of preventive care fall within each category of mandatory coverage by issuing guidelines or recommendations. Under AB 144, all of the state of California required items of coverage (summarized below) will be subject to update by the California Department of Public Health. This means that there may be one set of items that require coverage without cost-sharing for insureds in California and a different set in the rest of the U.S. This legislation also raises the possibility that, as other states’ lawmakers object to changes made by federal health regulators, there will be different rules in multiple states for fully insured plans. For California fully insured plans, AB 144 will require coverage without cost-sharing for:

  • Evidence-based items or services that had, in effect on January 1, 2025, a rating of “A” or “B” in the recommendations of the USPSTF.
  • Immunizations that had, in effect on January 1, 2025, a recommendation from ACIP.
  • With respect to infants, children, and adolescents, evidence-informed preventive care and screenings provided in the comprehensive guidelines, as periodically updated, supported by the HRSA, as of January 1, 2025.
  • With respect to women, those additional preventive care and screenings as provided for in comprehensive guidelines supported by HRSA as of January 1, 2025.
  • Immunizations for COVID or any other disease for which the Governor has declared a public health emergency, if those immunizations had in effect a recommendation from ACIP as of January 1, 2025.

Emergency regulation issued for coverage of COVID vaccines as a preventive service for Colorado fully insured plans.

The Colorado DOI has adopted Emergency Regulation 25-E-04 titled “Concerning Coverage of COVID-19 Vaccines as a Preventive Service” that, effective September 11, 2025, requires fully insured plans issued in Colorado to provide access to COVID vaccines without cost-sharing as a covered preventive service. The Colorado DOI indicated “that immediate adoption of this regulation is imperatively necessary for the preservation of public health, safety, or welfare as allowing Individuals safe access to and coverage at no cost share for COVID-19 vaccines is imperative to preserve the health of the citizens of Colorado. … [Based] upon the recent actions by the Federal Drug Administration (FDA) to limit access to the COVID-19 vaccine, as well as the clear evidence demonstrating the effectiveness of the COVID-19 vaccine, taking actions to expand access to COVID-19 vaccines is necessary to enhance the protection of public health.”

Illinois fully insured plans required to extend coverage to dependent parents and stepparents starting in 2026.

Fully insured plans issued in the state of Illinois that provide dependent coverage will be required to extend coverage to dependent parents and stepparents of an employee for plans issued, amended, or renewed after January 1, 2026.  This new requirement under HB 5258 applies only if the parent or stepparent meets the IRS definition of a “qualifying relative” and if they live within the insurance policy’s service area.  That is, a parent or stepparent who:

  • Has gross income that is less than the IRS exemption amount ($5,050 for 2025).
  • Receives a majority of their financial support from the primary insured individual.
  • Is not a qualified dependent of another taxpayer for the same year.
  • And lives or resides within the insurance policy’s service area.

Oregon Bulletin issued on coverage of COVID vaccines as a preventive service for Oregon fully insured plans.

The Oregon Division of Financial Regulation issued Bulletin DFR 2025-6: Coverage of COVID-19 Vaccination on September 17.  Oregon also provided FAQs on insurance coverage for COVID vaccines.  The bulletin clarifies the division’s expectations around the coverage of COVID vaccination by health benefit plans in Oregon in accordance with prior guidance and emphasizes that:

  • All fully insured health benefit plans (including grandfathered health benefit plans) in Oregon must provide coverage for FDA-approved COVID vaccines and their administration in accordance with Bulletin No. DFR 2021-1.
  • The requirement to cover vaccines and their administration under Bulletin No. DFR 2021-1 is in addition to any coverage requirements that may apply to a health benefit plan under state or federal law.
  • A health benefit plan may not impose any cost sharing requirements, such as a copay, coinsurance, or deductible, or restrict coverage to in-network providers in accordance with Bulletin No. DFR 2021-1.