Employee Benefits Compliance Checklist for Mid-Market Employers (2026)

For an HR Director at a 150-person company, employee benefits compliance is a second full-time job. The ACA wants 1094-C and 1095-C filings by specific dates. ERISA wants plan documents updated when you change carriers. COBRA wants notices out within 14 days of a qualifying event — every time, without exception. Miss one, and the penalties compound by the day.

This checklist is built for mid-market employers with 50–500 employees managing group health, retirement, and ancillary benefit plans. It covers every material compliance obligation — federal law, key deadlines, and what your benefits broker should be managing so your HR team isn’t tracking it manually.

ACA Compliance: What Mid-Market Employers Must Do

The Affordable Care Act’s employer mandate kicks in at 50 full-time equivalent employees. At that point, you’re an Applicable Large Employer (ALE) and the compliance calendar gets significantly more demanding. Miss the ACA reporting deadlines or fail the affordability test and you’re looking at Employer Shared Responsibility Payments (ESRP) that can run thousands of dollars per employee per year.

Annual ACA reporting deadlines for 2026 (2025 coverage year):

• January 31, 2026 — Provide 1095-C forms to employees (for 2025 coverage). Note: the 30-day extension commonly granted in prior years is no longer automatic.
• February 28, 2026 — Paper filing deadline for 1094-C and 1095-C with the IRS (applies only if filing fewer than 10 returns)
• March 31, 2026 — Electronic filing deadline for 1094-C and 1095-C; ALEs with 10 or more returns must file electronically

Beyond the annual filing, ACA ongoing compliance requires:

• Affordability test — the employee’s contribution for self-only coverage cannot exceed 9.02% (2025 rate) of household income; use IRS-approved safe harbors (W-2, federal poverty line, or rate of pay) to verify compliance
• Minimum value standard — the plan must cover at least 60% of the total allowed cost of benefits and cover substantial hospital and physician services
• 90-day maximum waiting period — eligible employees must be able to enroll within 90 days of their hire date
• Full-time employee tracking — maintain documentation supporting your FTE count and eligibility determinations; this is the evidence the IRS will request in an ESRP audit
• State ACA reporting — California, Massachusetts, New Jersey, Washington DC, Vermont, and Rhode Island have their own ACA reporting requirements separate from the federal mandate

ERISA Compliance: Plan Document and Fiduciary Obligations

ERISA governs virtually every employer-sponsored benefit plan — health, dental, vision, life, disability, FSA, HRA, and retirement plans. The compliance obligations fall into three buckets: plan documentation, participant disclosure, and fiduciary duty.

Plan Documentation Checklist:

• Summary Plan Description (SPD) — required for every ERISA-covered plan; must be provided to each participant within 90 days of enrollment or 120 days of a new plan establishment. The SPD must be written in language understandable to the average participant — the carrier’s coverage booklet alone does not satisfy this requirement. A “Wrap SPD” that incorporates all benefit lines into a single document is the most common mid-market approach.
• Summary of Material Modifications (SMM) — any material change to a covered plan (carrier switch, plan design change, eligibility modification) must be communicated to participants within 210 days after the end of the plan year in which the change was adopted
• Summary Annual Report (SAR) — must be distributed to all plan participants by December 15 (for calendar-year plans that filed Form 5500 by July 31) or September 15 (for plans that filed under extension)
• Section 125 Plan Document — if you offer a cafeteria plan allowing pre-tax premium contributions, you must maintain a formal plan document that meets IRS Section 125 requirements. An undocumented cafeteria plan loses its pre-tax treatment.

ERISA Fiduciary Obligations:

• Act solely in the interest of plan participants and beneficiaries
• Follow the plan documents unless inconsistent with ERISA
• Diversify plan investments to minimize risk (retirement plans)
• Pay only reasonable plan expenses
• Monitor service providers — including your broker — to ensure they are fulfilling their obligations

COBRA Compliance: Notices, Timelines, and Common Mistakes

COBRA applies to employers with 20 or more employees who offer group health coverage. The compliance requirements are specific, time-sensitive, and unforgiving — penalties of up to $110 per day per qualified beneficiary apply for failure to provide required notices within the mandated timeframes.

Required COBRA notices and deadlines:

• General Rights Notice (Initial Notice) — must be provided to each employee and their covered spouse within 90 days of the employee’s enrollment in the group health plan; can be included in the SPD
• Election Notice — must be provided within 14 days after the plan administrator receives notice of a qualifying event (termination, reduction in hours, divorce, dependent aging off, etc.); the notice must include the premium amount, payment instructions, and deadline for election
• Qualifying Events requiring COBRA notification: termination of employment (other than gross misconduct), reduction in hours below full-time threshold, divorce or legal separation, dependent child aging off at 26, Medicare entitlement, employer bankruptcy
• COBRA premium updates — update premiums annually to reflect actual cost of coverage (plus the 2% administrative surcharge); notify qualified beneficiaries of any rate changes
• State continuation coverage — if you have fewer than 20 employees, check your state’s mini-COBRA law; most states with populations over 1 million have continuation coverage requirements for small groups

The most common mid-market COBRA failure isn’t missing the notice entirely — it’s the qualifying event notification process breaking down. HR gets busy, someone forgets to log a termination as a qualifying event, the 14-day clock expires. Build a workflow with HR, payroll, and whoever administers your COBRA (most benefits brokers can administer this directly or coordinate with a TPA) that triggers automatically when a termination is processed.

HIPAA Compliance for Employer Health Plans

HIPAA’s privacy and security rules apply to employer-sponsored health plans that are “covered entities” — which includes self-funded plans and insured plans where the employer handles any protected health information (PHI) beyond enrollment and premium payment. Most mid-market insured plans are exempt from many HIPAA requirements if the employer has no access to individual claims data, but the privacy notice requirement applies broadly.

HIPAA compliance checklist for employer health plans:

• Privacy Notice — distribute to all plan participants at enrollment; re-distribute every 3 years or when the notice is materially revised
• Annual staff training — anyone who handles PHI (HR staff reviewing enrollment data, payroll processing health deductions) must complete annual HIPAA training
• Business Associate Agreements (BAAs) — required with any vendor who handles PHI on your behalf (TPA, benefits administration platform, COBRA administrator)
• Mental Health Parity and Addiction Equity Act (MHPAEA) — your plan’s mental health and substance use disorder benefits must be comparable to medical/surgical benefits; the DOL has increased enforcement scrutiny of MHPAEA compliance for mid-market plans, and Non-Quantitative Treatment Limitation (NQTL) analyses are now required

Form 5500 and Audit Requirements

Every ERISA-covered benefit plan with 100 or more participants must file Form 5500 annually, with audited financial statements attached. Plans with fewer than 100 participants file Form 5500-SF without an audit. The July 31 deadline applies to calendar-year plans; a 2.5-month extension to October 15 is available by filing Form 5558 before the original deadline.

The 2023 Form 5500 rule change counts only participants with account balances — not eligible-but-not-participating employees. If your plan participant count dropped under the new methodology, confirm your current filing obligation with your broker or ERISA counsel. For full details on the audit requirement and auditor selection process, see our complete guide to employee benefit plan audits.

Section 125 and FSA/HSA Compliance

If your employees make pre-tax contributions to health premiums, FSA accounts, or dependent care accounts through payroll deduction, you’re running a Section 125 cafeteria plan. That plan must have a formal written document — and it must pass annual nondiscrimination testing to maintain pre-tax treatment for highly compensated employees (HCEs).

Section 125 compliance checklist:

• Maintain a current written plan document that meets IRS requirements
• Complete annual nondiscrimination tests (eligibility, benefits, and concentration tests) before year-end
• Communicate FSA enrollment windows, IRS contribution limits (2026 limits: $3,300 for health FSA; $5,000 for dependent care FSA for joint filers), and use-or-lose rules to employees at open enrollment
• If offering an HSA: confirm that the paired health plan qualifies as a High Deductible Health Plan (HDHP) under IRS rules; employer contributions must be reported on W-2 (Box 12, Code W)

State Law Compliance: What Changes by Jurisdiction

Mid-market employers operating across multiple states face benefit compliance requirements that vary materially by state. This is one of the most underappreciated compliance risks for growing companies — benefits compliant in Texas may not meet New York or California standards.

Key state-specific compliance areas to track:

• Paid family and medical leave — California, New York, New Jersey, Massachusetts, Connecticut, Oregon, Colorado, and Washington have mandatory paid leave programs with specific employer contribution and reporting requirements
• State ACA reporting — several states require separate filings even for employers meeting the federal mandate
• Mini-COBRA laws — most states with significant populations have continuation coverage requirements for employers with fewer than 20 employees
• State health insurance mandates — some states require specific coverage (infertility treatment, mental health, substance use disorder, etc.) beyond federal minimums
• Equal pay and benefits laws — several states require comparable benefits for part-time workers above certain hour thresholds

For mid-market companies with offices across Houston, Miami, and NYC — Hotaling’s three primary markets — the state law variation between Texas, Florida, and New York is significant. Our licensed advisors track state-specific requirements across all jurisdictions for every client.

Your Annual Compliance Calendar

Here’s what a complete mid-market benefits compliance calendar looks like by quarter:

• Q1 (January–March) — Distribute 1095-C forms to employees; file 1094-C and 1095-C with IRS; confirm Form 5500 audit engagement if required; review Section 125 plan document for any needed updates
• Q2 (April–June) — Support plan audit if applicable; confirm open enrollment dates; begin carrier renewal process 90–120 days before renewal date; run benchmarking analysis
• Q3 (July–September) — File Form 5500 by July 31 (or file extension by July 31 if needed); distribute SAR to participants; complete Section 125 nondiscrimination testing; finalize open enrollment materials
• Q4 (October–December) — Run open enrollment; update SPD and SMM for any plan changes taking effect January 1; confirm COBRA premium rates for the new plan year; update carrier and vendor Business Associate Agreements; confirm state-specific reporting obligations for the filing year

Frequently Asked Questions