Q2 Compliance Roundup

What you need to keep on your HR radar and compliance to-do list

Navigating compliance can feel overwhelming, but staying up-to-date is half the battle. This quarter, there are some major updates that HR professionals and brokers need to understand. Here’s a breakdown of the key Q2 compliance updates, why they matter, and actionable insights to help you stay on track.

Mental Health Parity Non-Enforcement Policy

On May 15, 2025, the U.S. Departments of Labor, Health and Human Services, and the Treasury announced a non-enforcement policy for the new rules imposed under the 2024 Final Rule of the Mental Health Parity and Addiction Equity Act (MHPAEA).   

The departments advised that plans and issuers may continue to refer to the 2013 final rule, FAQs About MHPAEA Implementation and the CAA, 2021 Part 45. A breakdown of these FAQs may also be found in “CAA #7: Clarifying the CAA’s Mental Health Parity Rules.” 

Important: Always consult your experienced employee benefits attorney before making compliance shifts due to the non-enforcement policy. 

But what does this mean for HR professionals, brokers, and benefits managers?

HR’s Key Takeaways   

• What’s Paused 
  The departments are indicating they will not enforce the new requirements in the 2024 Final Rule until a final court ruling concludes on the lawsuit filed by the ERISA Industry Committee. Once that ruling happens, enforcement won’t begin for another 18 months. 
  
  Be sure to check in with legal counsel before becoming out of compliance with the 2024 Final Rule.
   
• What’s Still Active 
  The 2013 MHPAEA rules and the Consolidated Appropriations Act (CAA) of 2021 still stand! This means you must continue to provide nonquantitative treatment limitation (NQTL) comparative analyses to highlight compliance with MHPAEA requirements. 

HR’s “Still Have To” Compliance List

While there’s a break on the 2024 updates, that doesn’tmean compliance should take a back seat in your HR priority list. You still need to ensure your NQTL analyses are accurate, detailed, and reflect compliance with existing rules from 2013 and the updated CAA requirements. This includes analyzing NQTLs and drafting comparative analyses that reflect the CAA statutory requirements. These should demonstrate that the processes, strategies, evidentiary standards, and/or other factors the plan uses in applying an NQTL to mental health and substance use disorder benefits are comparable to and applied no more stringently than those used with respect to medical/surgical benefits. 

HR’s Best Practice Approach   

As a best practice, plan fiduciaries should thoroughly document their actions in complying with the MHPAEA and its implementing regulations. This includes maintaining clear records and ensuring that all processes used to prepare and evaluate comparative analyses are prudent and well-organized.  

Pro Tip: Despite that, the departments have issued a non-enforcement policy regarding the 2024 Final Rule, remember that members can still file private litigation. Guessing enforcement outcomes isn’t a strategy.  

HIPAA Enforcement and Risk Analysis  

In April 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its eighth enforcement action in its Risk Analysis Initiative. Since its introduction in October 2024, the initiative has already led to settlement payments of nearly $900,000 from eight different health care organizations. This underscores the OCR’s commitment to holding entities accountable for insufficient risk analysis and mitigation strategies. Without a proper risk analysis, an organization is exposed to cyberattacks and regulatory fines.

Why Does the HIPAA Security Rule Matter?  

If you are in HR, you already know the sensitive nature of employee information, especially electronic protected health information (“ePHI”). The HIPAA Security Rule exists to safeguard ePHI by keeping it confidential, accessible only to authorized users, and protected against threats. 

Failing to comply can lead to data breaches, regulatory fines, lost trust, and negative media coverage. Additionally, it proves that your organization values security and is serious about protecting your workforce’s ePHI.

Lessons Group Health Plans Can Learn from the Latest Enforcement Case  

Not sure what steps you need to take? Start with these key priorities to stay off OCR’s radar:  

1. Conduct a Thorough Risk Analysis
   OCR highlights the importance of evaluating risks to ePHI. Set time aside to assess where ePHI data could be vulnerable.
2. Implement and Continue to Review Implement Security Risks
   Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
3. Build and Implement a Risk Management Plan
   Identify vulnerabilities and address them proactively. Close the gaps before threats arise.
4. Penalties and Corrective Action Plans
   Penalties for Security Rule violations include civil monetary penalties from $25,000 to $3,000,000 and often include requirements to implement and corrective action plan mandating the completion of a risk analysis. 

For a more detailed article on OCR Enforcement see “New Administration Takes HIPAA Security Rule Complaints Seriously.”

Bottomline 

While the compliance landscaping is shifting, now is not the time to devalue compliance. As we’ve discussed compliance is evolving not going away, see our article “HHS Workforce Reduction: What It Means for HIPAA and ERISA.”