Let our team help you navigate the ever-changing benefits compliance landscape each month. Check out this month’s latest alerts, additional updates, and resources hot off the press:
Employee Benefits Compliance Alerts
This month’s Compliance Matters newsletter provides a comprehensive review of the following topics. To obtain your copy, please use the form below to download.
- Special Compliance Alert: IRS Updates FSA Limits for 2026
- Compliance Considerations for Prescription Drug Importation
- ACA Preventive Services Recap & Updates
- Departments Provide Updated Fertility Benefits Guidance
- Employee Benefits Litigation Series: Multidistrict Litigations Contest Rising Healthcare Costs
- Employee Benefits Litigation Series: Plan’s Gender-Affirming Surgery Exclusion Not Facially Discriminatory
- 2025 State Regulation Series: California Enacts New PBM Bill
- 2025 State Regulation Series: California Legislative Updates
Download this month’s alerts
Additional Updates & Resources
HIPAA Security Risk Assessment Tool Updated
Employers sponsoring group health plans that are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are required by the HIPAA Security Rule to conduct, and document, an accurate and thorough risk analysis of the potential risks and vulnerabilities to electronic protected health information (ePHI). The Security Risk Assessment (SRA) Tool, developed by the Department of Health & Human Services (HHS) Office of the National Coordinator for Health IT (ONC) in collaboration with the HHS Office for Civil Rights (OCR), can assist with this analysis. The tool walks organizations through identifying where ePHI is created, received, stored, or transmitted, evaluating threats and vulnerabilities, and documenting each risk with corresponding mitigation steps. The latest version (v3.6) enhances usability with clearer guidance, updated questions and responses that reflect current cybersecurity practices, and improved educational content addressing areas such as encryption and incident response. Note that completing the tool does not by itself satisfy the Security Rule: the risk analysis must be retained as documentation, the risk management decisions that follow from it must be implemented, and the analysis must be revisited when systems, vendors, or operations change. The latest version of the SRA Tool can be found on HealthIT.gov.
Updated HIPAA Notice of Privacy Practices Due in Early 2026
In February 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act (HIPAA), issued final regulations revising the substance use disorder (SUD) treatment record confidentiality rules at 42 CFR Part 2, commonly called “Part 2.” Programs subject to Part 2 requirements have until February 16, 2026, to implement the necessary changes. One requirement due by that date is an updated HIPAA Notice of Privacy Practices. The notice must state that SUD treatment records received from Part 2 programs cannot be used or disclosed in legal or legislative proceedings without the individual’s prior notice and written consent. In addition, if a HIPAA covered entity intends to use Part 2 program records for fundraising, the individual must first be given a clear and conspicuous opportunity to opt out of receiving fundraising communications.
OCR provides a model Notice of Privacy Practices for covered entities to use; however, as of the date of this publication, OCR has not provided an updated model notice that includes additional protection and consent language for SUD. While we expect them to provide a model notice that includes the required updates, it is not clear when they may do that or if those updates will be made prior to the February 16, 2026, deadline. If OCR does not put out a model notice, EPIC will, to the best of our ability, work with clients to provide language to update the Notice of Privacy Practices.
Gag Clause Prohibition Attestations Due in December
The Consolidated Appropriations Act of 2021 (CAA) prohibits group health plans and health insurance carriers from entering into agreements with providers, third-party administrators (TPAs), or other service providers that include language constituting a “gag clause” (a restriction on the plan’s access to, or disclosure of, provider-specific cost and quality data or de-identified claims data). The first attestation was due December 31, 2023, and subsequent attestations are due annually by December 31, making the next submission due December 31, 2025.
While instructions and processes for submitting the gag clause prohibition attestation have not changed from prior years, starting in 2025, plans and issuers must attest that “downstream agreements” are in compliance with gag clause prohibition requirements. A downstream agreement is a contract entered into by a third-party administrator (TPA), pharmacy benefit manager (PBM), or network on behalf of a plan. This new requirement means that even if the plan itself is not a direct party to a restrictive clause, the plan could be noncompliant if its vendors’ subcontracts limit data sharing. Plans are expected to include language in direct contracts requiring vendors not to enter into downstream agreements that would violate the prohibition.
The gag clause prohibition and attestation requirements apply to all group health plans, but not excepted benefits, retiree-only plans, or account-based plans. Both fully insured and self-funded plans are subject to the requirements, as well as grandfathered plans, grandmothered plans, ERISA plans, and non-ERISA plans.
Centers for Medicare and Medicaid Services (CMS) created a webpage with information about how to comply with the gag clause prohibition, as well as how to attest to compliance. This webpage is the hub for resources and information from CMS on the gag clause prohibition and attestation requirement and includes a link to the webform for submitting the attestation. For the 2025 attestation period, there are no changes to prior submission requirements or instructions as of the date of publication of this alert.
For questions about the process or to report difficulties with the attestation process, employers or reporting entities should email CMS directly at .
EPIC has created informational resources for our clients’ use. Please reach out to your EPIC account team for more information about how to access these resources. Previous alerts on the gag clause prohibition, attestation and a webinar on the attestation requirement and submission process are available below:
Draft ACA Reporting Instructions Released
In September, the Internal Revenue Service (IRS) released the draft 2025 Affordable Care Act (ACA) instructions for Forms 1094-C and 1095-C. There are no significant changes from the prior year’s instructions other than updated due dates and penalty amounts. For 2025 reporting (covering the 2025 calendar year), statements must be furnished to employees, or a notice of availability posted, by March 2, 2026, and electronic filing with the IRS is due by March 31, 2026. The maximum penalty for reporting failures has increased to $340 per form. While we will need to wait until the final instructions are issued, it is unlikely there will be substantial changes from the draft version. The draft instructions can be found here – 2025 Instructions for Forms 1094-C and 1095-C. Additionally, an updated version of Pub. 5165, which provides a guide for electronically filing the ACA information returns, can be found here – Publication 5165 (Rev. 7-2025).
Colorado Caps Prices on Certain Prescription Drugs
In October 2025, the Colorado Prescription Drug Affordability Review Board set a price cap on the prescription drug Enbrel used to treat rheumatoid arthritis and other autoimmune diseases starting January 1, 2027. The price cap is unprecedented, as Colorado becomes the first state to implement such a regulation. At the time of this publication, Colorado has yet to provide further guidance on how the price cap should be implemented, although, as the law impacts the sale and purchase of Enbrel, it is expected that the entire supply chain will be affected. EPIC will continue to monitor developments with this law and provide updates as they become available.
Monthly FAQ: What elections under a cafeteria plan can be retroactive after a mid-year event?
There are limited instances in which a cafeteria plan may take pre-tax salary reductions retroactively. The allowable retroactive change occurs when an employee has a HIPAA special enrollment right due to birth, adoption, or placement for adoption; in that case the election may be retroactive to the date of the birth, adoption, or placement for adoption. This does not prevent an employer from making coverage itself retroactive for other mid-year events, such as a change in other employer coverage or a change in marital status. It means only that the salary reductions for those other mid-year events cannot be taken pre-tax on a retroactive basis; the pre-tax election must be prospective.
More Compliance Resources
- Sign up for our in-depth Compliance Webinars
- Learn about our Compliance Consulting Services

WANT TO GET COMPLIANCE MATTERS IN YOUR INBOX?
Sign up for the monthly newsletter.