2026 DOL Enforcement Priorities & Penalties
The Department of Labor (DOL) is setting clear enforcement priorities for 2026 that will impact employers, health plans, and employee benefit programs across the United States. These priorities focus on key areas such as the No Surprises Act, mental health parity rules, cybersecurity, and the timely remittance of ERISA employee contributions. Understanding these priorities helps organizations prepare for compliance and avoid costly penalties.

No Surprises Act Enforcement
The No Surprises Act aims to protect consumers from unexpected medical bills, especially those arising from out-of-network providers during emergency care or certain non-emergency services. In 2026, the DOL will increase its focus on enforcing compliance with this law among group health plans and health insurance issuers.
Key enforcement actions will include:
- Reviewing plan documents and disclosures to ensure they clearly explain protections against surprise billing.
- Investigating complaints related to balance billing and improper cost-sharing.
- Ensuring transparency in provider network status and billing practices.
Employers sponsoring health plans should verify that their plan administrators and insurers comply with the No Surprises Act requirements. For example, plans must provide participants with clear notices about their rights and protections under the law. Failure to comply can lead to investigations and penalties.
For a self-funded group health plan that fails to comply with the No Surprises Act requirements, the IRS may impose an excise tax under IRC § 4980D of $100 per day per affected individual for each day the violation remains uncorrected.
Example: If a self-funded plan improperly applies out-of-network cost-sharing to 20 participants for 30 days, the theoretical excise tax could be:
$100 × 20 participants × 30 days = $60,000
Mental Health Parity Rules
Mental health parity requires group health plans to provide benefits for mental health and substance use disorders on par with medical and surgical benefits. The DOL will intensify enforcement to close gaps in compliance, especially in areas like:
- Non-quantitative treatment limitations (NQTLs) such as prior authorization and step therapy.
- Financial requirements including copayments and deductibles.
- Scope of benefits ensuring mental health services are not more restrictive.
The DOL plans to conduct audits and respond to complaints alleging violations of parity rules. Employers and plan sponsors should review their benefit designs and utilization management practices to ensure they do not discriminate against mental health conditions.
For example, a plan that requires more stringent prior authorization for mental health services than for physical health services may face enforcement action. Employers can work with their insurers and third-party administrators to identify and correct such disparities.
For plan sponsors, the most significant penalty for violating the Mental Health Parity and Addiction Equity Act (MHPAEA) is generally the same excise tax that applies to many group health plan mandate violations under the Internal Revenue Code:
Self-funded plans that do not comply with the MHPAEA may face excise tax penalties of $100 per day under IRC § 4980D, per affected individual for each day the violation continues. The penalty can accumulate quickly if a parity violation affects multiple participants over an extended period.
For failures due to reasonable cause rather than willful neglect, the annual excise tax may be capped at the lesser of: (A) 10% of the employer's aggregate health plan costs for the year, or (B) $500,000.
If the IRS discovers violations during an examination, there is generally a minimum excise tax of $2,500. The minimum can increase to $15,000 for violations that are more than de minimis.
Cybersecurity and Data Protection
With increasing cyber threats targeting employee benefit plans, the DOL will prioritize enforcement related to cybersecurity safeguards. This includes:
- Ensuring plans implement reasonable security measures to protect sensitive participant data.
- Reviewing incident response plans and breach notification procedures.
- Evaluating vendor oversight to confirm third-party service providers meet security standards.
The DOL expects plan fiduciaries to actively manage cybersecurity risks. For instance, a plan sponsor that fails to monitor its record keeper’s security controls or neglects to respond promptly to a data breach may face scrutiny.
Employers should conduct regular risk assessments, train staff on data protection, and establish clear protocols for responding to cybersecurity incidents. This proactive approach reduces the risk of enforcement actions and protects employee information.
The DOL generally treats cybersecurity as a fiduciary responsibility issue under ERISA. As a result, the consequences for plan sponsors tend to arise through fiduciary breach enforcement rather than a standalone cybersecurity fine.
Timely Remittance of ERISA Employee Contributions
The DOL continues to emphasize the importance of timely remittance of employee contributions to retirement plans governed by ERISA. Delays or failures in forwarding employee deferrals can lead to serious penalties.
Enforcement priorities include:
- Investigating late deposits of employee contributions.
- Reviewing plan records to verify compliance with remittance deadlines.
- Holding fiduciaries accountable for any misuse or mismanagement of funds.
For example, the DOL has taken action against employers who hold employee contributions for extended periods before depositing them into the plan trust. The general rule requires contributions to be deposited as soon as they can be reasonably segregated from the employer’s general assets, typically within seven business days.
Plan sponsors should establish clear procedures to ensure prompt forwarding of contributions and maintain documentation to demonstrate compliance.
When a plan sponsor withholds employee elective deferrals (401(k), 403(b), etc.) but does not forward them to the plan on time, the Department of Labor (DOL) treats this as one of the most serious ERISA fiduciary violations. It is not just a “late payment” issue — it is generally a prohibited transaction because the employer is considered to be holding “plan assets” that belong to participants.
Prohibited transaction violations trigger an IRS excise tax of: (A) 15% of the “amount involved” per year (typically tied to lost earnings on the late deposits), and (B) if not corrected, an additional 100% excise tax may apply.
Preparing for 2026 Enforcement
To align with the DOL’s 2026 enforcement priorities, organizations should:
- Conduct compliance audits focusing on the No Surprises Act and mental health parity.
- Review cybersecurity policies and vendor contracts for adequate protections.
- Implement strict controls and monitoring for timely remittance of employee contributions.
- Train HR, benefits, and compliance teams on updated regulations and enforcement trends.
- Engage legal or compliance experts to address potential gaps proactively.
Taking these steps helps reduce risk and ensures plans meet regulatory expectations.
The DOL’s enforcement focus reflects growing concerns about consumer protections, mental health access, data security, and fiduciary responsibility. Staying informed and prepared will help employers navigate these complex areas effectively.
The evolving regulatory landscape means organizations must remain vigilant and responsive. Regular reviews and updates to policies and procedures will support compliance and protect both employees and employers from enforcement actions.


