How Today’s Healthcare Legislation Is Redefining TPA Operations in 2026

Third-party administrator operations are more exposed to legislative scrutiny or constraints than ever before. The period from 2020 through 2026 has produced a wave of federal healthcare legislation that has fundamentally changed what TPAs must do, document, disclose, and report. Each piece of legislation adds operational requirements. Together they have transformed TPA administration from a primarily administrative function into a compliance-intensive operational program with significant financial and legal consequences for deficient performance.

The five legislative frameworks reshaping TPA operations most significantly in 2026 are: the No Surprises Act, the MHPAEA Final Rule (2024), the Consolidated Appropriations Act provisions, the ACA transparency and reporting requirements, and the SECURE 2.0 and CAA fiduciary transparency provisions. Each is covered in detail in this article — with specific operational implications for TPA member services, claims adjudication, reporting, and compliance infrastructure.

The Legislative Landscape — Why This Period Is Different

Healthcare legislation affecting TPAs is not new. ERISA, HIPAA, COBRA, and the ACA all created significant compliance requirements that TPAs absorbed over decades. What distinguishes the current legislative period is the pace and specificity of new requirements — and the enforcement intensity that accompanies them.

The enforcement shift means that TPAs who were marginally compliant under previous low-enforcement conditions face genuine financial risk under current conditions. And plan sponsors — who have fiduciary obligations to their plan participants — are increasingly scrutinizing TPA compliance performance as part of their own fiduciary risk management.

Legislation	Effective	Primary TPA Impact	Enforcement Risk
No Surprises Act	Jan 2022 (ongoing)	Balance billing protections, IDR process, GFE requirements	High — CMP per violation; participant’s private right of action
MHPAEA Final Rule	Jan 2025	NQTL analysis, comparative documentation, network adequacy	High — DOL enforcement; plan disqualification risk
CAA provisions	2021–2023 (phased)	Broker compensation disclosure, gag clause prohibitions, Rx reporting	Moderate-high — DOL audit trigger; employer litigation exposure
Price transparency (ACA/TiC)	2022–2024 (phased)	MRF publication, price comparison tool, and advanced EOB	Moderate — CMP per day for non-compliant MRF
CAA fiduciary provisions	2022 (ongoing)	Service provider fee disclosure, fiduciary benchmarking obligation	Moderate — employer fiduciary liability if TPA doesn’t disclose adequately

The No Surprises Act — Operational Reality in 2026

The No Surprises Act has been in effect since January 2022 and its operational demands on TPAs have grown more complex — not simpler — with each successive round of regulatory guidance. What began as a conceptually clear consumer protection against surprise medical billing has become a multi-layered operational compliance program with specific claims processing requirements, member communication standards, and Independent Dispute Resolution participation obligations.

What NSA Requires TPAs to Do

For self-funded plans administered by TPAs, the NSA imposes several specific operational obligations:

Balance billing prohibition enforcement. TPAs must process emergency care claims from out-of-network providers at the member’s in-network cost-sharing level — without requiring prior authorization and regardless of whether the provider is in the plan’s network. This applies to emergency services at any emergency facility, and to non-emergency services from out-of-network providers at in-network facilities where the member had no meaningful choice.

Qualifying Payment Amount calculation. The QPA — the median contracted rate for the same or similar service in the geographic region — must be calculated accurately for every NSA-covered claim. The QPA determines both the patient cost-sharing obligation and the benchmark for provider payment disputes through the IDR process. Incorrect QPA calculations expose plans and TPAs to both provider IDR challenges and participant complaints.

IDR participation. When a provider disputes the plan’s payment for an NSA-covered service and initiates the federal IDR process, the TPA must participate — submitting the plan’s offer, supporting documentation, and QPA justification within regulatory timelines. IDR non-participation by the plan results in the provider’s offer being awarded by default.

Surprise billing notice and consent process management. For non-emergency services from out-of-network providers at in-network facilities, the NSA permits out-of-network billing only with proper advance notice and written consent from the patient — under a specific process with specific content requirements. TPAs must have workflows that identify when this consent process was and wasn’t followed, and process claims accordingly.

Member-Facing NSA Obligations

NSA-related participant inquiries have become one of the most complex contact types in TPA customer care. A participant who received an out-of-network bill at an in-network facility, or who received an emergency bill significantly higher than their in-network cost-sharing, may be experiencing a potential NSA violation — or may be encountering a situation where the NSA doesn’t apply. TPA customer care agents must be trained to:

• Identify which services and situations are NSA-covered and which are not
• Explain the participant’s cost-sharing obligation for NSA-covered services accurately
• Initiate the appropriate claims correction process when an NSA violation is identified
• Explain the participant’s right to dispute through the NSA dispute resolution process when applicable
• Not provide incorrect information about NSA coverage that creates liability for the plan

The NSA participant communication failure is one of the most common compliance gaps in TPA customer care in 2026. Agents who haven’t been trained on NSA specifics — which services are covered, what the participant’s correct cost-sharing obligation is, when the dispute process applies — handle NSA contacts incorrectly in ways that both harm participants and expose plans to participant complaints and regulatory scrutiny.

The MHPAEA Final Rule (2024) — The Most Operationally Demanding Requirement

The 2024 MHPAEA Final Rule, effective January 2025, is arguably the most operationally demanding piece of healthcare legislation affecting TPA operations in the current period. It significantly strengthens and clarifies the non-quantitative treatment limitation (NQTL) parity requirements that have existed since the original MHPAEA — and it adds new affirmative obligations that require TPAs to proactively analyze and document parity, not just avoid explicit discrimination.

What the Final Rule Changed

The comparative analysis requirement is now affirmative. Under the 2024 rule, plans and TPAs must affirmatively analyze whether each NQTL applied to mental health or SUD benefits is no more restrictive than the NQTL applied to the predominant comparable medical/surgical benefit. This is not a response-to-audit requirement. Plans and TPAs must conduct and document this analysis for every NQTL, and make the documentation available to participants and the DOL on request.

Network adequacy is now a parity dimension. The final rule explicitly establishes that network composition — the adequacy of the behavioral health provider network relative to the medical provider network — is an NQTL subject to parity analysis. Plans and TPAs must analyze whether the factors used to build and maintain their behavioral health provider networks produce parity with the medical network. A behavioral health network with significantly longer wait times for in-network appointments, higher out-of-pocket costs due to narrower network, or more frequent treatment of services as out-of-network may evidence an NQTL parity violation.

Outcome data is now required evidence. The final rule requires plans to collect and analyze outcome data — claim denial rates, reimbursement rates, prior authorization approval rates, length-of-stay approvals — for behavioral health vs. medical benefits and use that data in the NQTL comparative analysis. Outcome disparities are not automatically parity violations, but they trigger an obligation to investigate and explain.

TPA Operational Implications

The MHPAEA Final Rule creates several specific operational changes for TPAs:

Comparative analysis infrastructure. TPAs must build the infrastructure to conduct and document NQTL comparative analyses for each plan they administer. This requires data collection systems that capture behavioral health vs. medical benefit metrics at the NQTL level, analysis frameworks that compare those metrics in the format the DOL expects, and documentation workflows that produce analysis reports on plan year timelines.

Prior authorization parity monitoring. PA criteria for behavioral health services must be no more restrictive than PA criteria for comparable medical services. TPAs must monitor PA approval rates, denial rates, and appeals outcomes for behavioral health vs. medical services — and investigate disparities that may evidence NQTL violations. Customer care agents handling PA contacts must apply consistent PA procedures across behavioral health and medical contacts.

Participant disclosure obligations. Plan participants have the right to request the NQTL comparative analysis documentation that the plan is required to prepare. TPA customer care must have a defined process for receiving these requests, confirming them with the plan sponsor, and fulfilling them within the regulatory timeframe.

Consolidated Appropriations Act Provisions — The Transparency Mandate

The Consolidated Appropriations Acts of 2021, 2022, and 2023 collectively imposed a set of transparency, disclosure, and reporting requirements on TPAs that have been phasing in over the past three years. The most operationally significant provisions for TPAs are:

CAA Section 202 — Broker and Consultant Compensation Disclosure

Self-funded plans must disclose to plan fiduciaries the direct and indirect compensation received by brokers and consultants providing brokerage or consulting services to the plan. For TPAs, this creates a specific reporting obligation: when a TPA provides brokerage or consulting services — or when a broker or consultant referred plan business to the TPA for compensation — that compensation arrangement must be disclosed to the plan sponsor in a defined format.

The fiduciary exposure from CAA Section 202 non-disclosure is significant. Plan fiduciaries who were not provided required compensation disclosures by service providers — including TPAs — may be personally liable for using plan assets to compensate undisclosed services. The combination of TPA non-disclosure and employer fiduciary liability has produced a wave of litigation that makes Section 202 compliance a TPA client retention issue as well as a regulatory compliance issue.

CAA Gag Clause Prohibition

The CAA prohibits plan provisions and TPA contractual arrangements that restrict plan sponsors from accessing, receiving, or sharing data about plan claims, costs, and performance — or that prevent plan sponsors from sharing provider-specific cost and quality data with plan participants. Virtually every TPA contract that contained data exclusivity or confidentiality provisions that would qualify as a “gag clause” required amendment following the CAA.

Annual attestation of gag clause prohibition compliance — confirming that no prohibited contractual restrictions exist — is now required. TPAs must file these attestations on behalf of the plans they administer, and must ensure that their service agreements contain no provisions that would constitute a prohibited gag clause.

Prescription Drug Reporting (RxDC)

The Consolidated Appropriations Acts require plans to submit annual prescription drug and health care spending data to the federal government — the RxDC report. For self-funded plans, the TPA typically facilitates or manages the RxDC submission. The reporting requirements are detailed: spending by service category, Rx spending by drug, premium equivalent and enrollment data, and wellness benefit data.

RxDC reporting failures — late submissions, incomplete data, inaccurate figures — are reportable to CMS and carry enforcement risk. TPAs whose data systems can’t produce the required RxDC data accurately and on time are creating compliance failures for every plan they administer.

Price Transparency Requirements — Machine-Readable Files and Cost Comparison Tools

The ACA Transparency in Coverage rules and the No Surprises Act’s transparency provisions have created specific TPA obligations around cost and price data publication that are operationally significant.

Machine-Readable Files

Self-funded plans must publish machine-readable files (MRFs) containing in-network negotiated rates, out-of-network allowed amounts, and prescription drug rates — updated monthly. For TPA-administered plans, the TPA typically manages MRF production and publication. MRF non-compliance carries civil monetary penalties of up to $100 per day per affected participant, which, for large self-funded plans, can quickly reach significant amounts.

MRF production is technically demanding. Plans must format the files to federal specifications, publish them to publicly accessible URLs, and update them monthly with current rate data. TPAs without the technical infrastructure to produce compliant MRFs create ongoing compliance exposure for every plan they administer.

Advanced Explanation of Benefits

The NSA and its implementing regulations require plans to provide participants with Advanced EOBs before scheduled services, containing good-faith cost estimates that include expected charges, the plan’s expected payment, and the participant’s expected cost-sharing. The Advanced EOB requirement creates a significant participant communication program for TPAs — triggered by provider GFE submissions for scheduled services.

The Advanced EOB program directly intersects with TPA customer care. Participants who receive Advanced EOBs contact TPA customer service when they have questions about the contents, dispute the cost estimates, or need help understanding their cost-sharing obligations.Agents who cannot clearly explain the Advanced EOB—including how the estimate was calculated and what circumstances would change the final amount—fail to satisfy a participant communication requirement that ties directly to a federal regulatory obligation.

CAA Fiduciary Transparency — The Plan Sponsor Accountability Shift

The CAA’s fiduciary transparency provisions have created a significant shift in accountability within the TPA-employer relationship. Plan sponsors — the employers that sponsor self-funded health plans — have ERISA fiduciary obligations to their plan participants. The CAA has clarified and strengthened the tools employers must use to fulfill those obligations, including specific obligations to benchmark and monitor TPA performance.

The Fiduciary Benchmarking Obligation

ERISA plan fiduciaries are required to prudently select and monitor service providers — including TPAs. The CAA’s compensation disclosure provisions, combined with DOL guidance on fiduciary monitoring obligations, have produced a clear expectation that plan sponsors must regularly evaluate whether their TPA is delivering reasonable service for reasonable compensation — and document that evaluation.

Plan sponsors who cannot demonstrate that they evaluated their TPAs ‘ performance — including compliance with NSA, MHPAEA, and CAA requirements — against documented benchmarks face personal fiduciary liability exposure. This accountability shift has created a powerful market incentive for TPAs to perform well on compliance metrics: employers who face fiduciary exposure for their TPAs ‘ compliance failures are actively shopping for more compliant alternatives.

Service Provider Fee Transparency

TPAs must provide plan sponsors with clear, comprehensive disclosure of all direct and indirect compensation they receive in connection with the plan — in the format and timing required by CAA Section 202. The disclosure must cover: administrative fees, claims processing fees, network access fees, pharmacy benefit management fees, and any referral or placement fees. Incomplete or late disclosures create both regulatory exposure and employer relationship risk.

Operational Implications by TPA Function — What Must Change

Claims Adjudication

Claims adjudication is most affected by new legislation. Every major law creates specific requirements for this function.

The No Surprises Act demands accurate identification of protected claims, correct QPA calculations, proper in-network cost-sharing, and participation in the IDR process. MHPAEA requires consistent claims-processing standards across behavioral health and medical services. Price transparency rules require claims data for machine-readable files. CAA RxDC reporting needs pharmacy claims data in exact formats.

Many legacy claims systems still lack these updates. TPAs whose systems cannot flag NSA-covered claims, apply QPA-based cost-sharing, or generate transparency outputs risk systematic compliance failures at the claims level.

Prior Authorization

Prior authorization must change under the MHPAEA final rule. TPAs need to analyze PA criteria, decision timelines, and approval rates for behavioral health services against comparable medical services.

Teams must apply the same stringency, response times, and appeal rights to both behavioral health and medical PA requests. Quality monitoring must include MHPAEA-specific scoring. Behavioral health denial notices must provide the same detailed ERISA-compliant reasons and plan references as medical denials.

Customer Care and Participant Services

Customer care is where compliance failures become most visible to participants. Agents who give incorrect NSA information, apply different PA rules to behavioral health calls, or miss ERISA appeal rights create direct harm and compliance violations.

Training requirements have grown significantly. In 2026, agents must master ERISA claims procedures, HIPAA privacy, MHPAEA parity, NSA protections, CAA disclosures, and price transparency rights. This cannot be covered in a two-day session with annual refreshers. TPAs need ongoing, modular training and continuous quality monitoring to ensure knowledge turns into compliant interactions.

Reporting and Data Management

New laws have transformed data management and reporting. Monthly MRF production requires specific claims and rate data formats. Annual RxDC reporting demands aggregated prescription drug spending data. NQTL analyses need outcome data by benefit type. Broker compensation disclosures require detailed network data.

TPAs whose systems were built only for basic ERISA and HIPAA needs now face major gaps. They must invest in infrastructure for MRF, RxDC, and NQTL reporting — or accept ongoing compliance failures. This investment is now an operational necessity.

How Outsourced TPA Support Helps Manage Legislative Compliance

New legislation has made TPA customer care far more complex. Outsourcing parts of participant services offers a practical solution.

A specialized TPA provides robust quality monitoring on all major laws — NSA, MHPAEA, CAA, and ERISA. The partner maintains strong quality monitoring systems and scales quickly during enrollment surges. TPAs avoid building and updating this infrastructure in-house.

The strongest case for outsourcing appears in two areas: training and quality monitoring. Keeping training up to date across five frequently changing legislative frameworks is difficult for most in-house teams. Specialized partners treat compliance training as a core business function. They update it continuously as a matter of survival.

Multilingual support also strengthens the case for outsourcing. Plan participants speak many languages. NSA rights, MHPAEA disclosures, and ERISA appeal rights must be clearly understood by everyone. Multilingual TPA support in 28+ languages improves member experience while ensuring required disclosures actually reach and are understood by all participants.

The full operational framework for outsourced TPA customer care — including compliance training, quality monitoring, and scope design — is detailed in our TPA customer care outsourcing guide.

What Plan Sponsors Are Now Asking Their TPAs — and What the Answers Must Be

The fiduciary accountability shift created by the CAA has changed the questions that sophisticated plan sponsors ask their TPAs. TPAs who can’t answer these questions credibly are facing a competitive disadvantage in the broker and consultant community that places TPA business.

Plan Sponsor Question	Legislative Basis	What TPA Must Be Able to Show
“Are you correctly processing NSA claims?”	No Surprises Act	QPA calculation methodology; NSA claim identification logic; IDR participation record
“Can you produce our NQTL comparative analysis?”	MHPAEA Final Rule	Documented NQTL analysis by treatment type; outcome data by benefit category
“Have you filed our RxDC report?”	CAA prescription drug reporting	Filed confirmation; data completeness verification, submission date
“Are our MRFs current and compliant?”	ACA Transparency in Coverage	Monthly update confirmation; URL for public access; format compliance documentation
“Have you attested to gag clause compliance?”	CAA gag clause prohibition	Annual attestation filing confirmation; contract review documentation
“What compensation are you receiving from our plan?”	CAA Section 202	Complete, itemized compensation disclosure in the required format; indirect compensation documentation

TPAs that cannot answer these questions with documentation—not verbal assurances—fail to meet the fiduciary transparency standard that the CAA establishes. Counsel and consultants increasingly advise plan sponsors who do not receive credible, documented answers to treat the non-answer as a fiduciary risk signal that requires them to evaluate the TPA.

Looking Ahead — What Comes Next in Healthcare Legislation Affecting TPAs

The pace of new legislation affecting TPA operations shows no signs of slowing. Several key developments in 2026 and beyond will create fresh operational demands.

MHPAEA Enforcement Escalation

DOL enforcement of MHPAEA grows stronger each year. Plans and TPAs that have not completed their NQTL comparative analyses face higher audit risk. Those with weak or incomplete analyses face even greater scrutiny as the DOL expands its program.

Expanding NSA Scope

Regulatory guidance continues to broaden the scope of No Surprises Act protections. TPAs that implemented NSA compliance early without tracking later updates may now have gaps. These gaps often appear in QPA calculations or the identification of covered services.

AI and Algorithm Transparency

Federal regulators now focus more closely on algorithms used in claims adjudication and prior authorization. They watch for discriminatory patterns, especially in behavioral health and among racial or ethnic minority groups. TPAs using these tools should prepare for increased scrutiny of their algorithm outcomes.

State-Level Legislation

Many states continue to pass TPA-specific laws. These rules add new requirements on top of federal standards. Topics include prior authorization timelines, network adequacy, and balance billing protections. TPAs operating across multiple states now manage a complex state-by-state compliance matrix.

Success in 2026 and beyond demands a living compliance infrastructure. TPAs need strong quality monitoring at the interaction level. They must stay flexible to adopt new rules quickly. Those who build this capability proactively position themselves to grow. Those who wait for enforcement actions will spend their time defending their programs.