535 Grand Avenue, Grand Junction, CO 81501
970-243-7789

Colorado Compliance Connection - January 2026

January 1, 2026


Federal Compliance Update

Increased Civil Penalty Amounts for HIPAA Violations 

On Jan. 28, 2026, the U.S. Department of Health and Human Services (HHS) published a final rule increasing key penalties affecting group health plans. HHS adjusts these penalty amounts for inflation each year to maintain their effectiveness and deterrent value (although the prior adjustment had not occurred since 2024). Because these penalties are substantial, health insurers and employers with group health plans should periodically review their benefit plan administration protocols to ensure full compliance. HIPAA compliance and training are just one part of this requirement.

HIPAA Privacy and Security Rules  

Penalties for a covered entity or business associate violating the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules will depend on the type of violation involved. Penalties are broken down into “tiers” that reflect increasing levels of knowledge about the violation. Each tier carries a minimum and maximum penalty with an annual cap, all of which have increased as follows:

Tier One: For violations where the covered entity or business associate did not know about the violation (and by exercising reasonable diligence, would not have known about the violation), the penalty amount is between $145 and $73,011 for each violation, with an annual cap of $2,190,294.

Tier Two: If the violation is due to reasonable cause, the penalty amount is between $1,461 and $73,011 for each violation, with an annual cap of $2,190,294.

Tier Three: For corrected violations that are caused by willful neglect, the penalty amount is between $14,602 and $73,011 for each violation, with an annual cap of $2,190,294.

Tier Four: For violations caused by willful neglect that are not corrected, the penalty amount is between $73,011 and $2,190,294 for each violation, with an annual cap of $2,190,294.

Industries that Require or Strongly Suggest HIPAA Training 

Covered Entities (HIPAA-regulated by definition) 

If you’re a covered entity, HIPAA training is required for workforce members, and annual training is the industry norm (even though the rule says “as necessary and appropriate”). 

Healthcare Providers 

Any provider that transmits health information electronically in connection with standard transactions:

• Hospitals & health systems

• Physician practices (MD, DO, PA, NP) 

• Dentists, orthodontists 

• Behavioral health providers (psych, therapy, substance use treatment) 

• Chiropractors 

• Physical, occupational, speech therapists

• Home health & hospice agencies 

• Skilled nursing facilities & long-term care 

• Clinics (urgent care, specialty clinics, FQHCs) 

Health Plans 

• Health insurance carriers 

• HMOs, PPOs 

• Employer-sponsored group health plans 

• Medicare, Medicaid 

• Prescription drug plans (Part D) 

Healthcare Clearinghouses 

• Billing services 

• Claims processing entities 

• Revenue cycle management companies (when acting as a clearinghouse) 

Business Associates (BAAs) 

If an organization creates, receives, maintains, or transmits PHI on behalf of a covered entity, HIPAA training is required for relevant workforce members.

Common Business Associate Industries 

• Medical billing & coding companies 

• Revenue cycle management vendors 

• EHR / EMR software companies 

• Practice management software providers 

• Cloud hosting providers storing PHI 

• IT support & cybersecurity firms serving healthcare 

• Data analytics firms using PHI 

• Medical transcription services 

• Legal firms handling medical records 

• Accounting firms for healthcare clients 

• Third-party administrators (TPAs) 

• Claims management vendors 

• Background screening companies (healthcare clients) 

• HR/benefits administrators handling PHI 

• Call centers supporting healthcare operations 

Subcontractors to Business Associates 

If a company is a vendor to a Business Associate and touches PHI:

• Cloud infrastructure providers 

• Offshore data processing services 

• IT managed services 

• SaaS integrations with healthcare systems 

If you need or are interested in hearing about our Learning Management System HIPAA training options, please don’t hesitate to contact us at office@lhrs.net.

Federal Mileage Reimbursement Rate for 2026 

Starting January 1, 2026, the IRS standard mileage rate will be 72.5 cents per mile driven for business purposes (up from 70 cents in 2025). This rate also applies to electric and hybrid vehicles. Use of this rate is optional for private employers, though it’s widely accepted as an easy and standard reimbursement rate for employees who use their personal vehicle for work. If your organization uses the IRS rate to calculate mileage reimbursement, be sure to update your systems to account for this change.

The 2026 IRS standard mileage rate was announced on December 29, 2025.

State Compliance Update

Nothing new so far… The legislative session just began, 

Compliance Calendar

February 

2/1 – Deadline to Post OSHA Form 300A 

2/2 – Forms W-2 and 1099-MISC Distribution Deadline

March 

3/2 – Deadline to Distribute Forms 1095-B and 1095-C 

3/2 – Deadline to Submit OSHA 300, 300A, and 301 Data 

3/2 – Forms 1094-B, 1095-B, 1094-C, and 1095-C Filing Deadline (paper filers) 

3/2 – Medicare Part D Creditable Coverage Disclosure Deadline (calendar year plans) 

3/31 – Forms 1094-B, 1095-B, 1094-C, and 1095-C Filing Deadline (electronic filers) 

April 

4/30 – Removal of OSHA Form 300A

Disclaimer:

Lighthouse HR Support (LHRS) provides practical human resource information and guidance based upon our knowledge and experience in the industry and with our clients. LHRS services are not intended to be a substitute for legal advice. LHRS services are designed to provide general information to human resources and/or business professionals regarding human resource concerns commonly encountered. Given the changing nature of federal, state and local legislation and the changing nature of court decisions, LHRS cannot and will not guarantee that the information is completely current or accurate. LHRS services do not include or constitute legal, business, international, regulatory, insurance, tax or financial advice. Use of our services, whether by phone, email or in person shall indicate your acceptance of this knowledge.

Written By:

Kelly Murphy


Senior HR Business Partner

Kelly brings a wealth of knowledge with nearly 30 years of human resource experience. She provides expertise in various human resource categories, including employee relations, performance management, HR form creation/review (employee handbooks, job descriptions, etc.), employee/management training, and workplace investigations. Her human resource certifications include PHR (Professional in Human Resources) and SHRM-CP (Society for Human Resource Management Certified Professional).

Kelly attended Colorado Mesa University and Waldorf University, where she earned a degree in Human Resource Management and Business Administration with Summa Cum Laude honors. She was named Western Colorado Human Resource Association Professional of the Year in 2013 and currently serves on its Board of Directors. She is also a member of the WCHRA Skills Development Committee, the WCCA Education Committee, and the Members/Events Committee. She serves as an Ambassador for both the Fruita and Palisade Chambers of Commerce.