After two decades in employee benefits, I've learned one hard truth: most compliance checklists are built to catch the easy stuff while letting the real risks slide right through.
You know the drill. ERISA plan documents? Check. HIPAA privacy notices? Check. ACA reporting deadlines? Check. We tick those boxes and assume we're covered. But underneath, there's a whole layer of structural risk that rarely gets discussed at benefits committee meetings.
Let me walk you through the five compliance blind spots I've seen trip up even the most well-intentioned HR teams. These aren't theoretical. They're the quiet liabilities that can turn into major headaches if nobody's watching.
1. The Plan Document Trap
What most people ask: "Do we have a Summary Plan Description?"
What they should be asking: "Does our plan document actually match what we're doing?"
I've reviewed hundreds of plans where the document and the operations live in parallel universes. Courts and the DOL are paying closer attention to this gap than ever before. If you've added a wellness reward, a preventive care incentive, or anything that ties health actions to financial accounts, your plan document needs to explicitly authorize it. Otherwise, you're looking at participant lawsuits and penalties of $2,586 per day, per violation.
Best practice: update your plan document before launching a new benefit structure. Not after. Every funding mechanism, every incentive, every third-party arrangement needs to be spelled out.
2. The Fiduciary Blind Spot in Automated Systems
What most people check: "Do we have a claims appeals process?"
What they should check: "Who's the fiduciary when our system makes a decision automatically?"
This is a big one. When a benefits platform automatically approves preventive care, funds accounts, or triggers retirement contributions without human intervention, those are effectively claims decisions under ERISA. If nobody has explicitly documented who holds fiduciary responsibility for those decisions, guess who's on the hook? The employer.
The DOL has made it clear they're watching how AI and automation affect benefits decisions. The fix is straightforward: include explicit fiduciary delegation language in every vendor service agreement. Make sure the employer isn't the default fiduciary for system-generated actions.
3. The ACA Reporting-Funding Disconnect
What most people check: "Did we file Forms 1094-C and 1095-C on time?"
What they should check: "How does every dollar flowing to employees affect our ACA numbers?"
Here's where things get messy. If your benefits system puts money into incentive accounts, wellness rewards, or health reimbursement arrangements, each of those dollars needs to be properly classified. Is it compensation? A reimbursement? A benefit? The answer determines your ACA reporting obligations and affordability calculations.
The IRS is getting better at data matching. If your reporting doesn't align with your actual benefits structure, you'll get a letter. Or worse, an audit. The fix: map every dollar flow against ACA, ERISA, and tax code requirements before you implement anything new.
4. The HIPAA Privacy Exception That Isn't
What most people check: "Do we have a Notice of Privacy Practices?"
What they should check: "Is our wellness program actually part of the group health plan under HIPAA?"
This distinction matters more than most people realize. When a system tracks preventive health actions and ties them to financial incentives, it's handling protected health information. But whether that system qualifies as a simple wellness program or falls under full group health plan HIPAA rules depends on how it's structured.
The HHS Office for Civil Rights has been actively investigating wellness programs that collect health data without proper safeguards. Penalties can hit $1.9 million per violation category per year. Best practice: have regulatory counsel make a formal determination about your program's classification, document it, and execute proper business associate agreements with every vendor that touches PHI.
5. The COBRA Continuation Nightmare
What most people check: "Are we sending COBRA notices within 44 days?"
What they should check: "What exactly are participants entitled to continue?"
Here's a scenario I've seen play out more than once: an employer offers a layered benefits program with a core plan, an incentive account, a pharmacy benefit, and maybe even retirement funding tied to health actions. When someone elects COBRA, what are they actually getting? If your system automatically funds accounts based on preventive behavior, does that funding continue during COBRA? If not, you may have a compliance problem.
Courts, especially the 9th Circuit, have been aggressive about requiring the same benefits during COBRA as during active employment. Every benefit element must be mapped to COBRA continuation. If something can't be continued, it must be clearly disclosed upfront.
What This Means for Benefits Leaders
These five gaps aren't isolated incidents. They're symptoms of a broader problem: most compliance frameworks were built for a simpler era. Today's benefits systems cross multiple legal categories, use automation to make consequential decisions, and create complex financial flows between employers, employees, and vendors.
The approach that actually works is to map the entire system (every dollar flow, every data point, every decision point) against every relevant regulatory framework. Not once, but continuously.
Here are the questions I recommend asking before you sign off on any new benefits initiative:
- Plan Document Integration: Does this system require plan document updates, and who is responsible for that?
- Fiduciary Assignment: Who is the fiduciary for automated decisions, and is that documented in writing?
- ACA Mapping: How does every financial flow affect affordability calculations and reporting?
- HIPAA Classification: Is this system a wellness program or part of the group health plan? Have we documented that determination?
- COBRA Continuity: Can every benefit element be continued during COBRA? Is that communicated clearly to participants?
- Regulatory Counsel: Has this been reviewed by benefits regulatory counsel, not just benefits consultants?
- Documentation: Is there a written compliance framework that maps every dollar and data flow?
Final Thought
The benefits systems that survive regulatory scrutiny, and avoid the hidden liabilities I've described, are the ones that treat compliance as a design principle, not a checklist. The question isn't whether a system is compliant today. It's whether it was built to stay compliant as regulations evolve, employees change, and audits eventually arrive.
The best systems solve compliance problems first, then layer the benefits value on top. Everything else is just an accident waiting to happen.
This analysis reflects my personal experience across hundreds of employer benefits programs. Every situation is different and requires individualized legal counsel.