February 01, 2020
- Fiduciaries of ERISA-covered health plans have a duty to implement cybersecurity measures. Fiduciaries are also obligated to ensure that third-party administrators (“TPA”) or service providers do not use participant information without permission.
- The selection and monitoring of a benefit plan’s TPAs/service providers is a key fiduciary responsibility; this includes prudently selecting a TPA/service provider that has appropriate systems to maintain electronic plan data securely and privately.
- A health plan’s ERISA fiduciary obligations also require compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the protection of personally identifiable information (“PII”).
- Participant data must be guarded against cybersecurity breaches; employers sponsoring ERISA-covered health plans for their employees may want to consider purchasing data breach/cyber liability insurance coverage.
- Fiduciaries also must ensure that TPAs/service providers to the Plan are not using participants’ personal data, without permission, to market other products. This is a common practice.
- The law around plan data remains unsettled, but plan sponsors, fiduciaries, and service providers should consider how to protect participant data and carefully limit a TPA/service provider’s use of plan data.
- Fiduciaries should assume that participant data is a plan asset, and act accordingly to protect participant information from data breaches, comply with HIPAA, and ensure that TPAs/service providers do the same. Participant information should not be used for marketing.
If you have any concerns about whether your claims handling TPA is engaged in cross-plan offsetting, call or write to Karen Handorf or Julie Selesnick at Cohen Milstein, 1100 New York Avenue NW, 5th Floor Washington DC 20005; 202.408.4600.