Consumer Protection Has Become Consumer Imprisonment

The prevailing view in health policy is that the disclosure requirements, plan document mandates, and compliance obligations attached to employer-sponsored health coverage protect employees from inadequate or misleading benefits. The Summary Plan Description protects the employee who needs to understand what the plan covers. The Summary of Benefits and Coverage protects the employee who needs to compare options. The mental health parity compliance documentation protects the employee who needs behavioral health access. The gag clause attestation protects the employee who would otherwise be blocked from seeing their own claim data. More transparency produces better-informed employees. More regulation produces better outcomes. This is the received view of the compliance apparatus.

The counter-thesis is that the compliance apparatus, taken in aggregate, has crossed the threshold from protective to restrictive. It now does more to prevent employers from offering simpler, cheaper, and more transparent coverage arrangements than it does to protect employees from bad coverage. The apparatus was designed to protect employees from powerful carriers and plan sponsors with information advantages. It has become a system that protects the entities that administer the apparatus, by creating barriers to entry for simpler alternatives and generating demand for compliance services that would disappear if the coverage arrangement were genuinely simple. The apparatus protects the apparatus.

What It Costs a Small Employer to Comply

#

The compliance obligations for a level funded or self-funded group health plan are not marginal. They are a meaningful component of total plan cost, particularly at small group sizes where the fixed cost of compliance is spread across a limited number of covered employees.

A 15-person employer offering a self-funded or level funded plan carries the following federal compliance obligations: preparation and distribution of the Summary Plan Description under ERISA Section 104(b), which for a level funded plan requires a wrap document because the underlying insurance certificate does not contain all required ERISA provisions; generation and distribution of the Summary of Benefits and Coverage (SBC) under the ACA, including updated SBCs whenever plan changes occur within 60 days of the effective date; annual filing of the Patient-Centered Outcomes Research Institute (PCORI) fee on IRS Form 720, which for the 2024 plan year amounts to $3.47 per covered life (inclusive of dependents) per IRS Notice 2024-83; mental health parity documentation and non-quantitative treatment limitation analysis under the Consolidated Appropriations Act of 2021; prescription drug data collection (RxDC) reporting through the Centers for Medicare and Medicaid Services by June 1 of each year; gag clause attestation to CMS by December 31 annually; machine-readable file production and publishing under CAA Section 1182 transparency requirements; COBRA or state mini-COBRA administration for any qualifying events; HIPAA privacy notice requirements; and the marketplace (exchange) notice required under the Fair Labor Standards Act for all covered employees.

None of these obligations disappears because the employer is small. The PCORI fee applies to every self-funded plan, including level funded arrangements, regardless of group size. The SPD requirement applies to all ERISA-covered welfare benefit plans. The CAA transparency requirements, including the machine-readable files and the RxDC reporting, apply to group health plans without small employer carve-outs for the most burdensome elements. The 15-person employer, operating without a dedicated HR compliance department, relies on the TPA and broker to manage most of these obligations, and that reliance is embedded in the per-employee-per-month administrative fees and broker commissions the employer pays.

The total annual compliance cost is not publicly benchmarked with precision for small groups, but the structural components are visible. The PCORI fee for a 15-employee group covering, on average, 20 covered lives (employees plus dependents) amounts to approximately $69.40 per year: immaterial in isolation. The SPD/wrap document is typically produced by legal or compliance services vendors at costs ranging from several hundred to several thousand dollars annually for initial preparation plus modification fees. The mental health parity NQTL analysis, if prepared with actuarial rigor as the CAA requires for comparative analysis submissions, is a substantive professional services engagement for even a small plan. The machine-readable file requirement for self-funded plans requires either TPA production capability or a third-party transparency vendor. Aggregated across all obligations, a small group employer’s total compliance overhead, whether charged explicitly or embedded in TPA and broker fees, is commonly estimated in the industry at $50 to $150 per employee per year, with some estimates exceeding that range for employers without sophisticated TPA infrastructure.

For a 15-person employer paying $400 per employee per month in level funded premiums, a compliance overhead of $100 per employee per year is approximately 2 percent of total health spend. That 2 percent does not buy the employee better care. It buys the regulatory apparatus the ability to audit whether the plan met its disclosure obligations.

The State Patchwork as Protective Equilibrium

#

The federal compliance layer is complicated. The state layer adds dimensions that even sophisticated employers cannot fully manage without specialized legal counsel.

State regulation of stop loss insurance varies enough to determine whether level funded plans are commercially viable in specific states. New York requires stop loss attachment points that effectively prohibit self-funding for small employers. New Jersey imposes assessment rules that add cost to self-funded arrangements. Vermont requires state regulatory approval of certain stop loss rates. Hawaii’s employer mandate for workers exceeding 20 hours per week creates obligations that differ from ERISA’s employer mandate structure (though ERISA preemption limits Hawaii’s authority over self-funded plans under the specific terms of the ERISA preemption exception codified at ERISA Section 514(b)(2)(B)). Massachusetts imposes continuation requirements beyond federal COBRA that apply to insured small groups. Washington state enacted a public option that interacts with level funded in ways carriers must analyze before offering products.

These state variations are not accidental. They are the product of decades of state insurance regulatory activity, driven in part by legitimate state policy interests and in part by lobbying from incumbents who benefit from state-level barriers to entry. A national TPA seeking to offer a level funded product across 40 states operates 40 separate compliance regimes. The cost of that multi-state compliance infrastructure is real, and it is borne by small employers whose premiums fund the overhead. Local carriers and TPAs with single-state or regional footprints have lower multi-state compliance exposure, which constitutes a structural competitive advantage that the regulatory environment confers.

ERISA preemption under Section 514(a) exempts self-funded plans from most state insurance laws. The exemption is broad but not unlimited. State laws regulating insurance can be applied to stop loss carriers (which are insurance companies) even when the underlying employer plan is self-funded. States have exploited this channel to impose attachment point minimums and other requirements on stop loss policies, indirectly restricting employer plan design through the insurance product that sits at the plan’s back end. The Texas court decision in FMC Corp. v. Holliday (1990) established that ERISA preempts application of state insurance “deemer” clauses to self-funded plans; states cannot treat a self-funded plan as an insurance company. But this does not prevent states from regulating the stop loss policy itself, and the state regulatory literature demonstrates that states have pursued this path with regularity.

The patchwork persists because the entities that benefit from it defend it. State carrier associations lobby against federal standards that would reduce their state-level advantages. State broker associations support state licensing requirements that establish barriers to entry for national platforms that might operate without local brokers. State insurance departments employ staff whose mandate includes state market regulation, which creates institutional interest in preserving state regulatory authority. The employer’s interest, which is simple and affordable coverage with manageable compliance burden, has fewer organized lobbyists in state capitals than the carrier and broker interests that benefit from the current structure.

The Protection That Prevents the Simple Arrangement

#

The most concrete illustration of the counter-thesis is the employer who wants to offer a direct contribution to employee health coverage without the full compliance apparatus of a group health plan.

Imagine a 12-person employer who wants to tell each employee: “We will contribute $500 per month toward your health expenses. Use it for premiums, co-pays, prescriptions, or whatever you need for your health. We trust you to manage it.” The employer’s intent is genuinely beneficial. The arrangement is genuinely simple. The problem is that, as structured, this arrangement is not tax-advantaged. The employer’s contribution would be ordinary taxable income to the employee rather than excluded from gross income under Internal Revenue Code Section 106. To make the contribution tax-free, the employer must structure it within one of the regulatory categories Congress has created: an ICHRA under the 2019 joint tri-agency rule, a QSEHRA under the 21st Century Cures Act, a Health Flexible Spending Account under IRC Section 125, or some other qualified arrangement.

Each regulatory category imposes its own compliance obligations. The ICHRA requires a formal plan document, notice to employees 90 days before the plan year (under the 2019 rule), notice to employees who are eligible for premium tax credits on the marketplace, and substantiation of medical expenses before reimbursement. The QSEHRA requires the same notice and substantiation requirements, plus a flat contribution structure (no class variation) and annual limits set by IRS. Both mechanisms require the employer to track substantiation, maintain records, and coordinate with employees on premium tax credit interactions.

The compliance cost of establishing and maintaining an ICHRA or QSEHRA is lower than the compliance cost of a self-funded group health plan, but it is not zero. The employers who most need simple, low-cost coverage mechanisms are the smallest employers, and smallest employers have the least administrative capacity. The QSEHRA’s 2025 contribution limit of $6,350 for single coverage and $12,800 for family coverage, set by IRS each year, caps the tax advantage at amounts that may not cover the cost of an adequate individual market plan in high-premium states. The employer who exceeds the QSEHRA cap and still wants to provide tax-free contributions must move to an ICHRA, with its own compliance structure.

The counter-thesis is not that the tax advantage should be abandoned; it is that the compliance cost of accessing the tax advantage is disproportionate for the smallest employers. A 3-person employer paying $500 per employee per month in health contributions wants to know: is this money tax-free for my employees? The answer requires evaluating ICHRA, QSEHRA, or group plan structure, each with different eligibility rules, notice requirements, substantiation procedures, and premium tax credit interactions. The employer who cannot afford a benefits attorney makes a guess. The employer who guesses wrong files the wrong form or sends the wrong notice and faces the compliance exposure.

Who Benefits from This Architecture

#

The compliance apparatus creates demand for a specific set of professional services: benefits attorneys who draft plan documents and advise on ERISA, CAA, and state law compliance; compliance consultants and technology vendors who produce machine-readable files, coordinate RxDC reporting, and track notice obligations; TPA compliance departments whose expertise in self-funded plan administration is a core selling point; broker compliance operations that add regulatory monitoring to their service offering.

These entities are not adversaries of employers. Many provide genuine value. The problem is structural: the complexity that generates demand for their services is the same complexity that prevents small employers from offering simple, transparent coverage arrangements. Their business model is partially sustained by a regulatory environment that makes non-compliance costly enough that employers pay for the expertise to avoid it. A simplified regulatory framework that reduced the compliance burden for small employers would reduce the market for their services. That is not a conspiracy; it is an alignment of interests that the policy conversation rarely names plainly.

The DOL penalty for failure to provide the SPD within 30 days of a participant’s written request is up to $110 per day. Failure to provide plan documentation to the DOL upon request carries a penalty of up to $184 per day, capped at $1,846 per request per published DOL guidance. The PCORI penalty for non-payment accrues with interest at applicable federal rates. The ACA employer mandate penalty for applicable large employers who fail to offer minimum value coverage can reach thousands of dollars per full-time employee annually. These penalties are designed to enforce compliance. They also create the market for the compliance services industry.

The employer who cannot afford compliance services, and cannot understand the regulatory requirements without them, faces a rational choice: buy a product from a carrier or TPA that handles compliance as part of the package, and pay the embedded compliance cost. The carrier and TPA profit from this choice. The simpler alternative, the direct employer contribution toward employee health, remains tax-disadvantaged unless the employer pays for the compliance structure that makes it tax-advantaged. The apparatus protects the apparatus by making the non-apparatus option more expensive.

The counter-thesis does not argue for eliminating the compliance framework. Disclosure requirements serve real purposes. The SPD protects employees who need to understand their coverage. The SBC protects employees who need to compare options before enrollment. Mental health parity analysis protects employees who face disparate access to behavioral health services. The question is whether the cumulative compliance burden, particularly for the smallest employers and the simplest coverage arrangements, has been calibrated to protect employees or to protect the administrative ecosystem that manages it.

The calibration is overdue. The employer with 8 employees in two states, trying to offer something meaningful for a workforce whose median wage does not cover a $7,000 deductible, should not need a benefits attorney and a TPA compliance department to offer $400 per month per employee toward health expenses without triggering penalty exposure. The regulatory infrastructure was built for a world of large plan sponsors with dedicated HR departments, then layered onto small employers without adjustment for the structural difference. The result is that the smallest employers, who face the greatest barriers to offering any coverage, also face the most punishing compliance environment per employee if they try. An apparatus designed to lower barriers to adequate coverage raises them for the segment that needs lowering most.