ERISA Claims Litigation

Last week, a Northern District of Illinois court decision reinforced several key ERISA litigation principles relevant to health plan sponsors and carriers. While state law claims were dismissed as preempted, the court allowed the plaintiff’s §502(a)(1)(B) claim to proceed and declined to dismiss based on failure to exhaust administrative remedies. The court emphasized that exhaustion is an affirmative defense and found that, based on the plan’s communications, the plaintiff plausibly alleged that the administrative process had been represented as complete. Critically, the issue centered on inaccurate or inconsistent communications during the appeals process, which could mislead a participant about available appeal rights. The decision highlights the importance of ensuring carriers and TPAs are providing clear, accurate, and consistent claims and appeal communications, as defects in those communications may undermine exhaustion defenses and increase litigation risk. MEMORANDUM Opinion and Order

Tobacco Surcharge Litigation

Recent litigation continues to evolve around tobacco surcharge wellness programs, with courts increasingly focusing on how these claims are brought rather than definitively resolving questions about compliance with HIPAA nondiscrimination rules. In a recent Ohio case, the court concluded that implementing a tobacco surcharge is a plan design (settlor) decision, not a fiduciary function, making it more difficult for participants to pursue claims under ERISA’s fiduciary standards. The court also declined to require retroactive refunds when a participant later satisfies a reasonable alternative standard (RAS), a position that contrasts with earlier decisions and DOL guidance.

Importantly, these cases hinge on ERISA’s role as the enforcement mechanism, as HIPAA itself offers limited avenues for private lawsuits, meaning courts can dismiss cases without fully resolving the underlying HIPAA nondiscrimination requirements. As a result, while the litigation landscape may be trending more employer-friendly, the underlying HIPAA wellness rules have not changed, and agencies (such as the DOL, IRS, or HHS) could still enforce a more conservative interpretation. Employers should continue to administer tobacco surcharge programs carefully, particularly around RAS availability and communication, given ongoing legal uncertainty and the potential for future regulatory or enforcement shifts. USCOURTS-ohnd-1_24-cv-01890-0.pdf

New HIPAA Rule Modernizes Claims Processing

This final rule establishes the first nationwide HIPAA standards for electronically exchanging health care claims attachments such as medical records and clinical data and requires the use of secure electronic signatures for those transactions. It replaces outdated manual processes like faxing and mailing with standardized electronic systems, improving efficiency, speeding claims processing, and enhancing data security across providers and insurers. Overall, the rule modernizes administrative workflows in healthcare and is projected to save the industry roughly $780 million annually while reducing burden and improving care delivery. Compliance, which will be handled primarily by carriers and TPAs on behalf of group health plans, is required by May 26, 2028. HIPAA Administrative Simplification

Changes to USPS Postmark Rules May Impact Benefit Administration

It’s not often that postal rules affect employee benefits, but a recent change by the U.S. Postal Service (USPS) could impact certain benefit functions, particularly COBRA. Under the new USPS rules, the postmark reflects the date mail first undergoes automated processing, not necessarily the date it was dropped in the mail. Depending on location and processing timelines, this could occur one or more days after USPS receives the letter.

Many benefit deadlines rely on the “mailbox rule,” which treats a document as delivered on the postmark date. That date determines whether submissions such as COBRA elections or premium payments are timely. For example, if a COBRA premium grace period ends March 30 and a participant mails payment that day, they may believe the payment is timely. But if USPS does not process the mail until April 1 or 2, the postmark will reflect that later date. Under the mailbox rule, the payment could be considered late, allowing the employer to terminate coverage for nonpayment. Because many participants mail COBRA forms or payments close to the deadline, this change could increase disputes where participants claim they mailed items on time but the postmark shows otherwise. It remains to be seen whether courts will adjust the mailbox rule in response. In the meantime, employers may need to decide whether to continue relying strictly on the postmark or to adopt a more flexible approach.

ERISA Fiduciary Litigation Update

Recent ERISA litigation developments continue to highlight the growing scrutiny on employer health plan fiduciary practices, particularly related to prescription drug pricing and PBM oversight.

In Navarro v. Wells Fargo, a federal court dismissed claims alleging the company breached fiduciary duties by allowing excessive prescription drug pricing in its health plan. The court found plaintiffs lacked Article III standing because they failed to demonstrate a concrete financial injury. Conversely, Stern v.
JPMorgan Chase will move forward after a court allowed claims alleging fiduciaries failed to prudently monitor PBM arrangements and allowed participants to pay inflated prices for generic drugs.

Separately, new claims have been filed involving Marsh McLennan Agency (MMA), reflecting an emerging trend of litigation expanding beyond plan sponsors to include benefits consultants and advisors. These cases reinforce the importance for plan fiduciaries to maintain strong governance, actively monitor vendors, and document efforts to meet ERISA’s duties of prudence and loyalty.

Proposed Rules for Trump Accounts

The IRS recently released proposed regulations implementing “Trump Accounts,” a new tax-advantaged savings vehicle for children created under the 2025 tax legislation. The proposed rules primarily address how accounts are opened, who may act as the responsible party, and how the government’s $1,000 pilot contribution for children born between 2025 and 2028 will be administered.

For employers, the underlying law allows employer contributions of up to $2,500 annually per employee, and earlier IRS guidance indicates employers may eventually allow salary-reduction contributions through a §125 cafeteria plan to fund a dependent child’s Trump Account. However, the newly proposed regulations largely reserve those employer-specific details for future guidance.
Additional rules are expected addressing employer contribution programs, cafeteria plan coordination, and potential ERISA implications.

Updated RxDC Instructions

CMS released updated instructions for prescription drug reporting (RxDC reporting) in late February. The instructions don’t include any substantive changes. The latest instructions and templates can be found here – Prescription Drug Data Collection (RxDC) | CMS

Annual RxDC reporting is required by June 1 of each year. Reporting for 2025 data is due June 1, 2026. The reporting consists of a plan file (P2), eight data files (D1 – D8) and accompanying narratives. Most employer-sponsored health plans rely heavily on their carriers, TPAs, and PBMs to provide the data necessary, and in many cases, to submit the reporting to CMS on behalf of employer group health plans. To complete the reporting, carriers or TPAs may have reached out to employers asking for information about premium splits (employer and employee contributions) as well as other data required for the D1 file. Once this information is provided, the carrier, TPA and/or PBM may handle the entirety of a group health plan’s RxDC reporting. However, for employers who fail to timely respond with the requested data, or if the carrier/TPA is unwilling to help with the D1 file, the employer may have to submit a P2 and D1 file on their own. If assistance is needed with the P2 and D1 files, see our solution here – RxDC Reporting - Lumelight

CRS Report: HSAs

The Congressional Research Service (CRS) recently updated its report on Health Savings Accounts (HSAs), providing a comprehensive overview of how HSAs are structured under current law. The report details eligibility requirements, contribution rules, tax treatment, and reimbursement parameters. In addition, the report compiles federal data on HSA utilization trends, enrollment patterns in HSA-qualified high-deductible health plans, and the relative sources of employer versus employee contributions. For employers and brokers, the report serves as a useful policy and data snapshot amid ongoing legislative interest in HSA expansion and reform. Health Savings Accounts (HSAs) | Congress.gov | Library of Congress

CRS Report: Premium Tax Credits & Cost-Sharing Reductions

The Congressional Research Service’s report on the Health Insurance Premium Tax Credit (PTC) and Cost-Sharing Reductions (CSRs) offers a thorough overview of how these ACA subsidies operate, including eligibility criteria, calculation of credit amounts, enrollment requirements, and historical enrollment and spending data. The report is a useful reference for those seeking to understand federal subsidy mechanics and how recent law changes such as temporary expansions of PTC eligibility and amounts affect Marketplace coverage. With recent regulatory changes tightening enrollment and eligibility determination procedures and no further legislation yet passed to continue enhanced premium tax credits, premiums may increase and coverage instability could affect Marketplace enrollees. The CRS analysis helps frame these ongoing debates by grounding them in current law and data. Health Insurance Premium Tax Credit and Cost-Sharing Reductions | Congress.gov | Library of Congress

Updated Model Notice of Privacy Practices

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user friendly explanation of individuals’ rights with respect to their personal health information and the privacy practices of health plans and health care providers. As of February 16, 2026, these HIPAA covered entities are required to include information about specific restrictions on the use and disclosure of substance use disorder (SUD) patient records in their notice of privacy practices (NPP). The new model notice incorporating these changes was released by Health and Human Services (HHS) on February 13, 2026. Plan sponsors of self-funded group health plans should use an updated NPP for all future distributions. Insurance carriers will typically handle distribution of the NPP for fully-insured plans. Model Notices of Privacy Practices | HHS.gov

District Court Upholds Choice of Law Clause

On February 13, 2026, the United States District Court for the Central District of California granted Unum’s partial summary judgment, holding that the plan’s clear choice of Massachusetts law was enforceable because of the plan’s substantial relationship to the state. The Court further ruled that the enforceability of a choice-of-law provision must be determined before considering the applicability of any state statute. As a result, a California Insurance Code provision invalidating discretionary choice-of-law clauses for California residents did not apply. The decision underscores that, for multi-state employers, a well-drafted choice-of-law provision tied to a state with a meaningful connection to the plan may be enforced, promoting greater predictability and uniformity in benefit plan administration. Read the case here.

Updated IRS Pub. 969

The IRS released an updated Publication 969 with general information about the taxation rules associated with health savings accounts (HSAs), medical savings accounts (MSAs), health flexible spending arrangements (FSAs) and health reimbursement arrangements (HRAs) to be used in preparing individuals’ 2025 tax returns. It also recognizes the change allowing telehealth to be offered alongside high-deductible health plan (HDHP) coverage without impacting HSA eligibility. The updated publication can be found here – 2025 Publication 969

Express Scripts Settlement

The Federal Trade Commission (FTC) has reached a settlement with Express Scripts, one of the largest pharmacy benefit managers, resolving a lawsuit that alleged the company’s rebate and formulary practices artificially inflated the list price of insulin and other drugs. Under the terms of the settlement, Express Scripts will be required to overhaul key business practices, including favoring lower-cost drugs on standard formularies, delinking PBM compensation from list prices, and increasing pricing transparency and reporting to plan sponsors. While no monetary penalties were imposed and no admission of wrongdoing was made, the FTC estimates the changes could reduce patient out-of-pocket costs significantly and bring new revenue to community pharmacies over the next decade. Employers and brokers should monitor the final consent order and how the changes could affect PBM contracting, formulary design, and rebate strategies. The FTC’s news release can be found here – News Release

CMS-SSA Re-Establish ACA Eligibility Data Match Program

The Centers for Medicare & Medicaid Services (CMS) and the Social Security Administration (SSA) are re-establishing a Privacy Act computer matching program to share data for determining eligibility for Marketplace health plans, premium tax credits, Medicaid, CHIP, and related affordability programs under the Affordable Care Act. Under the program, SSA will provide CMS with certain information (e.g., income and identity data) to support eligibility determinations and renewals. The matching program is scheduled to begin in March 2026 for an initial 18-month term, subject to public comment and final procedures. The change may improve the accuracy of federal eligibility and subsidy determinations for employees who interact with the Marketplace. The agency notice can be found here – Federal Register:: Privacy Act of 1974; Matching Program

HHS Notice of Benefit & Payment Parameters for 2027

Through CMS, HHS released the Notice of Benefit Payment Parameters for 2027, a proposed rule, on February 9. This proposed rule includes many items with the overall goal of providing more administrative flexibility to States seeking to operate their own Exchanges and to carriers in the design of their Exchange offerings, while promoting transparency in plan designs’ network adequacy and provider access rules, and stronger enforcement of eligibility requirements for premium subsidies.

Some proposed action items include eliminating standardized plan options introduced under Biden and imposing stronger income checks for premium subsidies and verification of individual eligibility and special enrollments. The HHS fact sheet and proposed rule can be found here – HHS Notice of Benefit and Payment Parameters for 2027 Proposed Rule | CMS

PBM Transparency & Reporting: DOL v. Congress

This week produced two separate — and potentially conflicting — federal actions on pharmacy benefit manager (PBM) regulation.

First, on January 30, the Department of Labor (DOL) issued proposed PBM compensation disclosure rule under the ERISA prohibited transaction rules. The rules are modeled on the ERISA broker compensation disclosure requirements issued back in 2021 but are much more detailed and would require extensive compensation reporting and new audit rights for covered plans. These rules would apply only to self-funded ERISA plans and were slated to take effect in July 2026. Proposed PBM Rules

Then on February 3, Congress passed a stopgap funding measure, the Consolidated Appropriations Act, 2026 (CAA 2026). Included in that statute is a separate, comprehensive PBM regulatory and disclosure framework. Unlike the DOL proposal, the statute applies broadly to fully-insured and self-funded plans, including both ERISA and non-ERISA arrangements. Compliance is not required until August 2028. CAA, 2026.

The DOL proposal is heavily focused on PBM compensation; CAA 2026 regulates a wider range of PBM activities, including claims-level reporting. In addition, the two frameworks use different terminology, and it is unclear whether their disclosure requirements would overlap, conflict, or duplicate one another. The big question now is what the DOL will do with its proposed rules following the passage of CAA 2026. The DOL could withdraw or pause its proposed rules, proceed with the ERISA-based requirements on a faster timeline, or re-issue revised regulations that align more closely with the statute. Until the DOL clarifies its approach, employers, brokers, and PBMs face uncertainty around what compliance obligations to prepare for — and when. We expect further guidance from the DOL and will continue monitoring developments closely.

2027 ACA OOP Maximums

This week the agencies provided the 2027 maximum out-of-pocket (OOP) limits that may be used for non-grandfathered group health plans under ACA rules. For 2027, the maximum OOP for self-only coverage is $12,000 (currently $10,150 for 2026) and the maximum OOP for family coverage is $24,000 (currently $20,300 for 2026). The guidance can be found here – 2027 Benefit Year Adjustments

Challenge of CA’s PBM Fiduciary Law

A national pharmacy benefit manager (PBM) trade group has filed a federal lawsuit seeking to block California’s new oversight law that would impose fiduciary duties and reporting requirements on PBMs, including those serving self-insured employer health plans. The suit is one of several recent challenges to state-level PBM regulation, with PBMs arguing that ERISA preempts state laws affecting self-funded plans. California’s law is intended to increase PBM transparency and align PBM conduct with plan sponsors’ interests, particularly around drug pricing. How the court rules on ERISA preemption will be closely watched, as courts in other PBM cases have reached differing conclusions on similar issues.

PBM legislation is also being discussed at the federal level. 2026-01-02_PCMA-v-Bonta.pdf

Updated HIPAA, MSP and SBC Penalties for Non-Compliance

The Department of Health & Human Services (HHS) announced updated penalty amounts for HIPAA, MSP and SBC violations. The updated penalties can be found here – 2024-17466.pdf

For HIPAA privacy and security non-compliance, the updated penalties range from $145 for lack of knowledge to $2,190,294 for willful neglect.

For non-compliance with Medicare Secondary Payer (MSP) rules, including taking into account Medicare eligibility or incenting individuals to waive the employer’s plan in favor of Medicare, the updated penalty is $11,823.

For failure to timely distribute a current summary of benefits & coverage (SBC), the updated penalty is
$1,443.

EBSA 2026 Enforcement Priorities

The U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) announced its national enforcement priorities for fiscal year 2026, focusing on issues that pose the greatest risk to plan participants and beneficiaries. Specific to health and welfare benefit plans, investigations will prioritize cybersecurity, access to mental health and substance use disorder benefits, surprise medical billing, and handling of employee contributions. EBSA also signaled a continued commitment to addressing abusive Multiple Employer Welfare Arrangements (MEWAs). EBSA National Enforcement Projects

Increased State-Level Mental Health Parity Enforcement

States are increasingly enforcing mental health parity laws and issuing record fines against health insurers for failing to provide mental health and substance use disorder coverage on par with medical/surgical benefits. Regulators have penalized plans like Kaiser Foundation Health Plan of Washington for not supplying adequate documentation or compliance evidence such as a non-quantitative treatment limitation (NQTL) comparative analysis, signaling tougher scrutiny of insurer practices under parity requirements. These actions reflect a broader state-level crackdown to hold insurers accountable for adhering to both state and federal mental health parity standards, aiming to improve access and equity in mental and behavioral health care. For employers offering self-funded health plans, this serves as a reminder that compliance with the Mental Health Parity and Addiction Equity Act (MHPAEA) requires a completed NQTL comparative analysis that must be maintained and made available upon request. See Lumelight’s solutions here – MHP and NQTL Analysis - Lumelight

Proposed Legislation: PBMs as ERISA Fiduciaries

A bipartisan bill introduced in December 2025 would amend ERISA to designate PBMs as fiduciaries when they provide services to employer-sponsored health plans. Under the proposal, PBMs would be legally required to act in the best interests of plan sponsors and participants, similar to how ERISA already treats other service providers. Additionally, PBMs would be required to disclose their compensation, including direct and indirect fees, rebates, discounts, and price concessions.

Proponents argue this increased transparency and fiduciary accountability will help employers better assess whether PBM arrangements are reasonable and aligned with plan cost-management goals. This in turn would address longstanding concerns about opaque pricing practices and misaligned incentives in the PBM industry.

The proposed legislation can be accessed here: H.R.6837

Updated HRSA Preventive Coverage Guidelines

Non-grandfathered group health plans must cover preventive services included in the updated HRSA-supported Women’s Preventive Services Guidelines without cost-sharing under the ACA. The cervical cancer screening guideline has been revised for plan years beginning in 2027 to reflect current evidence-based recommendations for average-risk women aged 30–65. The guideline retains existing options (Pap tests, co-testing, and primary high-risk HPV testing every five years) and adds a recommendation that patient-collected (self-collected) hrHPV testing should also be covered. It also explicitly states that when additional testing (e.g., cytology, biopsy, extended genotyping) is clinically indicated to complete the screening process, those services are part of the cervical cancer screening guideline and must be covered accordingly. 2025-24235.pdf

OCR Cybersecurity Newsletter

OCR (The Office for Civil Rights), a division HHS (Health & Human Services), released a newsletter further clarifying its focus on cybersecurity of PHI (protected health information). The newsletter underscores that system hardening is a core HIPAA compliance obligation, not merely a best practice. “System hardening” is the process of customizing electronic information systems to reduce the number of weaknesses and vulnerabilities that an attacker can exploit. OCR identifies three methods covered entities and business associates are expected to undertake in the process of system hardening – (i) regularly patching known vulnerabilities; (ii) removing or disabling unnecessary software and services; and (iii) properly enabling and configuring security controls. OCR’s expectation is that covered entities and business associates engage in regular review, documentation, monitoring and remediation. January 2026 OCR Cybersecurity Newsletter | HHS.gov

Duty to Affirmatively Advise in Special Circumstances Survives Dismissal

The United States District Court for the Northern District of Georgia Atlanta Division denied a motion to dismiss a claim for coverage under ERISA § 502(a)(1)(B) on January 12, 2026. The claim was made by a decedent’s estate against the employer plan sponsor for a death benefit with waiver of premiums available to individuals who are totally disabled, provided that the individual submit written proof of continued total disability to the insurer. The Court decided that it is possible the employer in this case had a fiduciary duty to affirmatively advise the employee of the requirements to receive the death benefit as the employer had knowledge of the employee’s special circumstances. This follows a string of cases where an affirmative duty to disclose was found to be a fiduciary requirement in certain special circumstances. Importantly, this case has only survived dismissal. Court Opinion and Order

Marketplace Premium Tax Credits

Since Congress did not pass legislation before the end of 2025 to extend the enhanced premium tax credits, many individuals will face higher Marketplace premiums in 2026. Importantly, a change in the cost of individual health coverage does not trigger a HIPAA special enrollment event. As a result, group health plans are not required to allow mid-year enrollment, meaning affected individuals generally cannot move to an employer’s plan until the next open enrollment period, unless the employer and carrier (or stop-loss vendor) choose to permit a more generous special enrollment opportunity.

In addition, federal agencies issued updated FAQs addressing premium tax credits. The guidance clarifies that repayment caps have been removed, which may significantly increase tax liability for individuals who receive excess premium tax credits. This can occur, for example, if an individual is ineligible due to the availability of employer-sponsored coverage or fails to provide accurate or updated household income information when enrolling in Marketplace coverage. The updated FAQs can be found here - Updates to Questions and Answers about the Premium Tax Credit

ERISA Fiduciary Lawsuits

In late December, the plaintiff firm Schlichter Bogard—well known for its ERISA litigation against large retirement plans—filed four new ERISA class action lawsuits targeting employer-sponsored voluntary benefit plans. The lawsuits challenge the long-standing assumption that voluntary benefits (e.g., accident, critical illness, and hospital indemnity coverage) are exempt from ERISA, alleging that many plans fail to meet the voluntary plan safe harbor requirements. Across the cases, plaintiffs assert that employers and their advisors breached fiduciary duties by failing to negotiate fair premiums, failing to prudently select and monitor service providers, allowing excessive and unclear compensation arrangements, and engaging in prohibited transactions. Notably, the complaints place brokers and consultants directly in the spotlight by characterizing them as “functional fiduciaries” based on their influence over carrier selection, plan design, and compensation structures. While the cases are still in early stages, they signal increased scrutiny of fiduciary governance, documentation, and fee transparency for health and welfare plans similar to what retirement plans experienced over the past decade.