On January28, 2026, the U.S. Department of Health and Human Services (HHS) issued a final rule increasing several key penalties for group health plans. Because these inflation‑adjusted penalties are substantial, health insurers and employers should periodically review their plan administration practices to help ensure ongoing compliance.
The Affordable Care Act requires group health plans and health insurance issuers to provide participants and beneficiaries with a Summary of Benefits and Coverage (SBC). Failure by a health insurer or non-federal governmental health plan to provide the SBC may now result in penalties of up to $1,443 per participant or beneficiary, matching the current penalty for ERISA-covered group health plans.
When Medicare is the secondary payer, employers may not discourage employees from enrolling in their group health plan or offer any financial or other incentive to avoid or terminate enrollment in a plan that would otherwise be primary. Violations can result in penalties of up to $11,823. In addition, insurers, third-party administrators, or plan fiduciaries that fail to report when a group health plan is or was primary may face penalties of up to $1,512.
Penalties for covered entities and business associates that violate HIPAA privacy and security rules vary by the type and severity of the violation. Civil penalties are divided into four tiers based on the organization’s level of knowledge:
Download the bulletin for more details.