Even well‑intentioned employers can find themselves out of compliance with employee benefits requirements — the rules are complex, evolve frequently, and can intersect with benefits administration in unexpected ways. Many compliance issues arise from common operational gaps, outdated assumptions, or misunderstood regulatory obligations rather than deliberate noncompliance. Reviewing common compliance blind spots can help reduce risk and strengthen overall plan governance.
1. Failing to send COBRA initial notices to the right people at the right time.
COBRA initial notices should be provided to covered employees and covered spouses within the first 90 days of coverage. Because COBRA rights are available exclusively to plan participants – not to all employees who are merely eligible for coverage – initial notices should not be distributed through open enrollment guides or new hire packets. Distributing initial notices to employees who are not enrolled for coverage is misleading because it provides employees with information regarding rights they do not have and will never have if they waive coverage. In addition, open enrollment guides and new hire packets do not reach newly covered spouses.
Neither COBRA vendors nor carriers routinely assume responsibility for providing the initial notice. Plan administrators (typically employers) have ultimate responsibility for COBRA compliance and should work with TPAs to ensure the initial notice requirement is timely satisfied.
For more information on distributing COBRA initial notices, please ask your broker or consultant for a copy of the NFP publication COBRA: A Guide for Employers.
2. Failing to offer COBRA continuation coverage on all group health plans.
Employers subject to COBRA must offer continuation coverage on any benefit that includes medical care. Point solutions, health FSAs, and HRAs are often overlooked by employers. Participants generally notice when their access to medical care disappears, increasing the likelihood of a lawsuit or DOL complaint seeking to enforce their rights.
COBRA compliance for point solutions can pose particular administrative challenges. Many point solution vendors encourage employers to offer their program to all employees, not just those enrolled in the major medical plan. However, this type of broader eligibility class creates an entirely new group of COBRA-qualified beneficiaries. The simpler approach is to limit the point solution program benefits to employees enrolled in the major medical plan.
For further information on required COBRA continuation offers, please ask your broker or consultant for a copy of the NFP publication COBRA: A Guide for Employers.
3. Failing to follow HIPAA’s wellness program rules.
HIPAA generally prohibits group health plans from discriminating based on health factors, but it provides an exception for wellness programs that meet specific requirements. These programs can offer rewards such as reduced premium contributions or reduced cost-sharing. HIPAA’s requirements are meant to ensure such programs are reasonably designed to promote health and “not merely a subterfuge for cost-shifting” to employees with higher health risks, which would be unlawful discrimination.
A wellness program that conditions a reward upon meeting a health standard (e.g., cholesterol, BMI, or non-tobacco use) is known as “health-contingent.” Health-contingent wellness programs must satisfy five requirements: giving participants the opportunity to qualify for the reward at least once per plan year, maintaining a reasonable design to promote health or prevent disease, offering a reasonable alternative standard (RAS) for obtaining the reward, clearly communicating the availability of that RAS in all plan materials that describe the program, and limiting the reward amount (generally 30% of the cost of coverage, or 50% where the program targets tobacco use). Employers often overlook the requirement that when an individual has satisfied the RAS, the full reward must be made available for the plan year, which means the employer must refund or otherwise “credit back” any surcharges already collected.
Class-action lawsuits challenging tobacco surcharges are increasingly common, alleging failures to fulfill ERISA fiduciary duties and satisfy HIPAA nondiscrimination requirements for wellness programs. Noncompliant tobacco surcharges expose employers to costly litigation and court orders or settlements to refund surcharges spanning multiple plan years, potentially with additional penalties. For more information, please see our Compliance Corner article, Tobacco Surcharge: Is Your Wellness Program Up to Snuff?
4. Losing sight of the total employee count.
Many benefits compliance requirements, including those under COBRA, the ACA employer mandate, FMLA, Medicare Secondary Payer rules, and Form 5500 obligations, are triggered by workforce size. Employee counting rules are different for each requirement and vary by status, such as full-time vs. part-time (sometimes prorated), plan participation, common law employee, related entities employee, or international employee. Once triggered, some requirements are effective prospectively for a fixed period, which can be particularly challenging for employers with fluctuating workforce counts. For example, COBRA applies if an employer averaged at least 20 common‑law employees on more than half of its business days in the prior year — and once triggered, COBRA obligations apply for the entire following calendar year, even if the headcount later drops.
Several employee benefits laws determine applicability based on the total number of employees in a controlled group. Incorrectly counting employees or failing to count employees of related entities in a controlled group may expose employers to retroactive penalties, benefit claims, or enforcement actions. Because these errors often go unnoticed until a complaint arises, determining applicability of compliance requirements based on employee count remains one of the riskiest benefits compliance blind spots for employers. For a discussion of benefits compliance considerations associated with an expanding workforce, please see the recording of our webinar “Growing Pains: Compliance Obligations for an Expanding Workforce.”
5. Losing sight of which state PFML laws apply.
Employers must not only know how many employees they have at any given time, but they must also know where those employees are working, as this can fluctuate in an increasingly remote work environment. As of 2026, sixteen states (including DC) mandate some level of paid family or medical leave (PFML) benefits based on where the employees perform their work. Most states allow employers to offer private plans that satisfy their state’s specific requirements. For an overview of state PFML requirements, please ask your broker or consultant for a copy of the NFP publication State PFML and Statutory Disability Programs: A Quick Reference Chart.
No two state PFML programs are the same. Each state has different rules for which conditions or leaves qualify for PFML, wage withholding, notice obligations, whether an employee can be required to use PTO (and how much) before taking leave, and how PFML benefits interact with other statutory leaves and STD benefits. To keep track of which state PFML laws apply to their workforce, employers should ensure remote employees timely notify them when they relocate.
6. Misapplying ACA employer mandate full-time employee measurements.
Under the ACA employer mandate, applicable large employers (generally those with 50 or more full-time employees, including full-time equivalents) risk penalties unless they offer affordable, minimum value health coverage to their full-time employees and dependents. For this purpose, full-time employee status is defined as averaging at least 30 hours of service per week or 130 hours per month. Miscounting hours of service or making errors in applying measurement methods can result in missed coverage offers and inaccurate reporting.
Employers must choose a measurement method to determine full-time employee status and apply it consistently. Tracking hours of service can be particularly challenging for employees with fluctuating schedules or breaks in service, and employers may not realize that they must credit employees with hours of service for certain paid leave and special unpaid leave situations (e.g., FMLA, USERRA, or jury duty).
Mischaracterizing new hires as variable-hour instead of full-time employees can delay required coverage offers beyond the 90-day maximum waiting period. Similarly, incorrectly labeling employees as seasonal and misunderstanding measurement and stability periods can lead to improper status determinations or premature coverage terminations. For more information on determining full-time employee status, please ask your broker or consultant for a copy of the NFP publications ACA: Employer Mandate Full-Time Employees and ACA: Employer Mandate Measurement Methods.
Not aligning ACA measurement rules and plan eligibility provisions can increase the risk of penalties. Employers should ensure plan documents, SPDs, and administrative practices reflect their chosen measurement method and maintain records supporting full‑time status determinations and coverage offers.
Many employers rely on payroll or other reporting vendors to consolidate data and complete their ACA reporting. ACA penalty assessments can be inadvertently triggered because of software glitches or data errors that misrepresent offers of coverage. Employers should carefully review their ACA reporting forms prior to filing. For more information on ACA reporting requirements, please ask your broker or consultant for a copy of the NFP publication ACA: Employer Mandate Reporting Requirements.
7. Missteps in administering group term life eligibility rules and conversion rights.
Group term life insurance is a widely offered and valued benefit, but administrative missteps or misunderstandings about plan terms can result in an employer being held financially responsible for life benefit claims, even when coverage is fully insured. Making matters worse, mistakes often surface only after a claim event, when corrective options are limited and financial exposure is greatest. For examples of litigation and federal enforcement of these issues, please see our Compliance Corner articles Court: Fiduciaries Failed to Disclose Insurance Options, Sixth Circuit Revives Life Insurance Claim Against Wal-Mart, and DOL Settlement with Unum Highlights Risks for Employers.
Common risks include failing to correctly apply eligibility start and end dates (e.g., during a leave of absence or when a dependent reaches an age limit), collecting premiums on supplemental coverage before evidence of insurability has been approved, failing to distribute conversion or portability forms as directed under the plan terms or carrier agreement, and providing incorrect or incomplete information about eligibility and conversion rights. Importantly, fully insuring through a carrier or using a payroll vendor does not transfer compliance responsibility away from the employer. Under ERISA, employers hold fiduciary accountability for administering group term life benefits according to plan terms.
A proactive review of plan documents, administrative practices, and coordination with carriers and payroll vendors can help employers identify and address issues early, reducing the risk of litigation, enforcement action, and unintended financial consequences for employers and employees’ families alike. For further information on the compliance issues to address, please ask your broker or consultant for a copy of the NFP publication Group Term Life Insurance: A Guide for Employers.
8. Dropping the ball on Forms 5500.
ERISA welfare plans are generally required to file Forms 5500 once they have 100 or more participants as of the beginning of the plan year (smaller plans that are fully insured, unfunded, or a combination of the two are exempt). This threshold is often triggered by automatic enrollment in the group term life insurance plan. Employers must also keep in mind that a Form 5500 is required for each ERISA plan, as identified by a unique plan name and plan number. For this reason, many employers opt to wrap their ERISA benefits together under a single plan.
Employers fail to file required Forms 5500 for a variety of reasons. Growing businesses may not realize they have to file once they reach the 100-participant threshold. Employers might think they can rely on the participant count for their major medical plan, which is often lower than the count for their group term life insurance or other plans. Still others may incorrectly assume a vendor will file on their behalf. Under ERISA, the plan administrator – in most cases, the employer – is responsible for complying with the Form 5500 filing requirements, even if a vendor prepares and files the plan’s Form 5500. Employers should always review and confirm the accuracy of Forms 5500 and obtain proof of filing.
The DOL may impose steep civil penalties for every day a filing is late, with criminal penalties possible for the most serious violations. Employers who discover a missed Form 5500 filing may self-report their failure through the DOL’s Delinquent Filer Voluntary Compliance program, which caps penalties at $2,000 per filing or $4,000 per plan.
For additional information about these reporting obligations, please ask your broker or consultant for a copy of the NFP publication Form 5500: A Guide for Employers.
9. Not knowing your plan documents.
Employers often rely on carriers to produce certificates of coverage and benefit booklets explaining coverage terms. Plans typically then need to supplement with a “wrap” document that includes missing information, such as the ERISA plan number, specific eligibility parameters (e.g., the definition of a full-time employee), and when benefits will terminate during extended leaves of absence.
Employers must familiarize themselves with the full plan document in order to administer it correctly and confirm it is consistent with carrier agreements. Terms related to eligibility, leaves of absence, and life conversion or portability rights are often the subject of costly disputes with participants or carriers. Without a comprehensive written plan document, it can be difficult to clearly communicate terms to participants and enforce the intended benefits terms and conditions. Further, if carrier agreements are inconsistent with plan document terms or administration, employers may find themselves self-insuring a claim.
For additional information about plan document requirements, please ask your broker or consultant for a copy of the NFP publication ERISA Compliance Considerations for Health and Welfare Benefit Plans.
10. Being lax about cybersecurity.
Self-insured group health plans (including level funded plans, health FSAs, and HRAs) and fully insured group health plans that are “hands-on” with participants’ protected health information (PHI) are responsible for complying with HIPAA’s Privacy and Security Rules. For more information on what it means to be fully insured and hands-on PHI, please see our Compliance Corner article, Avoiding PHI Pitfalls in Fully Insured Health Plans.
Among many other HIPAA privacy and security responsibilities, plan sponsors must perform a risk analysis, accounting for the ways in which they use and store PHI – including electronic PHI (ePHI) – and implement administrative, physical, and technical safeguards to protect that information. If PHI is used, disclosed, or accessed in an unauthorized way, the plan must promptly investigate, determine whether the incident is a reportable breach, mitigate its effects, and notify affected participants and HHS without unreasonable delay (and no later than 60 days after discovery), as well as the media when a breach affects more than 500 residents of a state or jurisdiction.
With the frequency and sophistication of cyberattacks increasing, group health plan sponsors must remain vigilant in maintaining the security of PHI in their possession. HHS enforces HIPAA through random audits and complaint investigations, and compliance failures can carry steep penalties.
The increase in remote work provides additional HIPAA security challenges. A plan sponsor’s administrative, physical, and technical safeguards should be customized to its workflows and systems. The Security Rule generally does not prescribe specific technologies (for example, it does not expressly require multifactor authentication for remote access to ePHI), but it does distinguish between “required” and “addressable” implementation specifications: an addressable safeguard such as encryption must be implemented if reasonable and appropriate, and if not, the plan must document why and what equivalent alternative it adopted instead. The rule also requires covered entities to periodically reassess the strength of their safeguards as their environment changes. A successful risk analysis will consider whether heightened technical safeguards are needed to protect a more remote employee population from cyberattacks, and will document the reasoning behind each decision, since failure to conduct an accurate and thorough risk analysis is among the most frequently cited findings in HHS enforcement actions.
For further information about HIPAA’s requirements to protect PHI, please ask your broker or consultant for a copy of the NFP publication HIPAA Privacy and Security for Group Health Plans: A Guide for Employers.
Final Thoughts
Benefits compliance risk most often arises from overlooked details, mistaken assumptions, or gaps between plan documents and daily administration. By identifying blind spots and taking precautions to review plan terms, vendor coordination, and administrative practices, employers may be able to correct problems before they can lead to costly enforcement actions, litigation, or reputational harm.