Regulators continue to increase enforcement activity across ERISA, ACA, HIPAA, and CAA requirements. Investigations are active, penalties are rising, and documentation gaps are being scrutinized. Here’s a clear breakdown of what matters most for 2026.
ERISA Penalties
While most 2026 ERISA penalty updates have not yet been released (aside from Medicare Secondary Payer), we expect increases similar to last year’s 2.6% adjustment.
- Plan Documents & SPDs
- Required Notices
- GINA
- Form 5500 Reporting
- §125 Nondiscrimination
- Medicare Secondary Payer (MSP) Rules
EBSA Enforcement Activity
In FY 2025, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) recovered $1.4 billion in direct payment to plans, participants, and beneficiaries. Here are some of the highlights:
- $468.7 million from informal complaint resolution
- $714.4 million from enforcement actions
- $67 million from No Surprises Act inquiries (a new addition to the report)
Investigation Results
| Civil Investigations | | Criminal Investigations | |
| --- | --- | --- | --- |
| Total investigations closed | 878 | Total investigations closed | 253 |
| Total investigations closed with results | 63% | Number of convictions | 45 |
| Cases referred for litigation | 75 | Number of indictments/initial charges | 62 |
For more information, check out the EBSA Fact Sheet.
ACA Penalties Are Increasing
The Employer Shared Responsibility Penalties under the Affordable Care Act (ACA) continue to be a major enforcement focus. For 2026, we’re seeing quite a big jump:
- 4980H(a): $3,340 per full-time employee
- 4980H(b): $5,010 per employee receiving Marketplace subsidy
Additional ACA Reporting Penalties:
- Failure to furnish forms to employees
- Failure to file forms with the IRS
- Both penalties increase to $680 per form if the failure was caused by “intentional disregard” (criminal penalties may also apply)
*Bold numbers are subject to annual adjustment
The IRS is now issuing 226J letters for the 2023 tax year and requiring sworn statements in responses, signaling stricter enforcement.
Consolidated Appropriations Act (CAA) Penalties
For group health plans with more than 50 employees, the penalty for non-compliance will be up to $100 per participant per day.
The penalty may be excused if the failure was:
- Not discovered despite reasonable diligence; or
- Due to reasonable cause and is corrected within the 30-day period following the date the responsible party knows (or should know) of the failure
HIPAA & Cybersecurity Risks
HIPAA enforcement continues to intensify. The Office for Civil Rights currently has 846 health plans under investigation, most of which are related to hacking and IT incidents.
HIPAA violations carry severe civil and criminal penalties, with fines capped at $2.1 million per calendar year for multiple violations of the same provision.
For self-funded plans especially, cybersecurity and HIPAA compliance go hand in hand. Weak safeguards increase both regulatory and litigation exposure.
| Tier | Civil Penalties | Criminal Penalties |
| --- | --- | --- |
| 1 | Lack of Knowledge: $145 - $73,011 per violation | Reasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment |
| 2 | Reasonable Cause: $1,461 - $73,011 per violation | PHI Obtained Under False Pretenses: Up to 5 years imprisonment |
| 3 | Willful Neglect (corrected within 30 days): $14,602 - $73,011 per violation | PHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment |
| 4 | Willful Neglect (not corrected within 30 days): $73,011 - $2,190,294 per violation | -- |
See all current HIPAA cases under investigation at https://ocrportal.hhs.gov/ocr/breach/breach_report_hip.jsf
As we see, penalties are on the rise, and enforcement isn’t slowing down. For brokers, compliance is more than risk mitigation. It is a value-add opportunity to guide clients, close gaps, and prevent costly exposure.
Medcom provides compliance training, documentation support, and ACA penalty appeal assistance to help protect your clients. Contact us today!




