Employer-sponsored group health plans operate at the intersection of multiple federal regulatory frameworks — ERISA, the ACA, COBRA, HIPAA, the Mental Health Parity and Addiction Equity Act (MHPAEA), and more. Each imposes its own documentation requirements, reporting deadlines, and operational obligations. The challenge for most employers is not a lack of intent to comply, but the sheer complexity of keeping pace with layered and frequently updated rules.
A proactive, systematic compliance review conducted with legal guidance is one of the most effective tools employers have to reduce legal exposure, strengthen plan governance, and prepare for regulatory inquiries. The following overview identifies the key compliance areas that such a review should cover.
Plan Governance and ERISA Documentation
ERISA requires every welfare benefit plan to be maintained pursuant to a written plan document that satisfies specific requirements. Compliance reviews routinely reveal documentation gaps that, while easy to overlook, can create meaningful liability. A thorough review should confirm:
- A written plan document exists and has been updated to reflect current plan terms.
- Plan amendments have been adopted on a timely basis each time benefits changed.
- The plan document includes required ERISA provisions, including fiduciary, amendment, and funding provisions.
- A wrap plan document (where appropriate) properly incorporates insured benefits.
- The plan administrator and named fiduciary are clearly identified and the designations align with actual operational practice.
Participant Disclosures
ERISA’s disclosure obligations are extensive, and failures can result in participant lawsuits and Department of Labor (DOL) penalties. A compliance review should verify that:
- Summary Plan Descriptions (SPDs) contain all required ERISA content and have been distributed within required timeframes — including within 90 days for newly eligible participants.
- Summaries of Material Modifications (SMMs) have been issued following significant plan amendments.
- SPDs have been updated and reissued within the required 5- or 10-year cycle.
- Summaries of Benefits and Coverage (SBCs) have been prepared and distributed at open enrollment and upon request.
ERISA Annual Reporting
Many employers underestimate their Form 5500 obligations. Key questions include whether the plan is large enough to require annual filing, whether required schedules (such as Schedule A for insured benefits) have been included, and whether recent filings are accurate and complete. A review of the last three filing years can reveal reporting errors that may warrant voluntary correction before an agency inquiry.
Fiduciary Governance
Plan fiduciaries are personally liable for breaches of their duties. As we discussed in a prior article, a review should examine whether a benefits committee has been established and the structure is properly documented. Additionally, the review should determine whether an ERISA fidelity bond, if required, is in place and properly sized, and whether service provider agreements clearly allocate fiduciary and administrative responsibilities among all parties.
COBRA Administration
COBRA compliance failures are a frequent source of participant claims and DOL enforcement activity. A review should confirm that qualifying events are systematically tracked, that election notices are sent within the required timeframe (14 days after the plan administrator is notified of the qualifying event, or 44 days from the event where the employer is also the plan administrator), and that COBRA premiums are calculated correctly, with any administrative charge capped at the permitted 2% of the applicable premium. Reviewing a sample of recent qualifying event notices against the plan's records is often the most revealing audit step.
ACA Compliance
For applicable large employers (ALEs), the ACA’s employer mandate and reporting requirements remain active enforcement priorities. A review should address:
- Whether ALE status has been determined correctly each year based on full-time equivalent employee data.
- Whether full-time employee classifications and measurement period methods are applied consistently across the workforce.
- Whether offered coverage meets affordability and minimum value standards, including use of an IRS safe harbor.
- Whether Forms 1094-C and 1095-C have been filed with the IRS and furnished to employees on time.
- Whether plan design complies with ACA market reforms, including dependent coverage to age 26, the 90-day maximum waiting period limit, and first-dollar coverage for preventive services.
HIPAA Privacy and Security
Group health plans are covered entities under HIPAA, and self-funded plans carry the full weight of the Privacy and Security Rules because the plan itself, rather than an insurer, creates, receives, and maintains protected health information (PHI). A compliance review should confirm that written privacy and security policies are in place, that privacy and security officers have been designated, and that Business Associate Agreements (BAAs) have been executed with every vendor that handles PHI on the plan's behalf. The Security Rule also requires an accurate and thorough risk analysis of the confidentiality, integrity, and availability of electronic PHI (45 CFR 164.308(a)(1)(ii)(A)); for many employers that analysis has not been updated in years, or has never been completed, and a missing or stale risk analysis is among the deficiencies most frequently cited in HHS Office for Civil Rights enforcement actions.
Section 125 Cafeteria Plans
Employer pretax benefit arrangements must be operated pursuant to a written cafeteria plan document that satisfies IRS requirements. Election procedures, mid-year change rules, and annual nondiscrimination testing are all areas where operational failures are common. A review should confirm that the plan document is current, that elections and mid-year changes are properly documented, and that nondiscrimination tests have been performed and passed.
Mental Health Parity and Emerging Transparency Requirements
The MHPAEA requires plans to ensure that nonquantitative treatment limitations (NQTLs) applicable to mental health and substance use disorder benefits are no more restrictive than those applied to medical/surgical benefits. Since the Consolidated Appropriations Act, 2021, plans must also maintain a detailed written comparative analysis of each NQTL and make it available to the DOL, HHS, or Treasury on request; the 2024 final rules set a 10-business-day deadline for producing it and give the plan 45 days to cure deficiencies once an agency finds the analysis insufficient. Many employers have not yet prepared the required documentation.
The No Surprises Act and the ACA Transparency in Coverage Rule also impose distinct obligations regarding balance billing protections and the publication of machine-readable files containing pricing data. These requirements have generated significant compliance attention and ongoing regulatory guidance.
What Should Employers Do Now?
A well-structured health plan compliance audit examines plan documents, participant notices, reporting filings, and operational practices across each of the regulatory frameworks described above. The goal is not simply to identify deficiencies but to prioritize corrective steps and build the documentation necessary to respond to regulatory inquiries confidently. Employers who have not conducted a comprehensive review in the past two to three years should consider doing so — particularly given recent agency enforcement activity targeting employer-sponsored plans.