“Employer-Sponsored Health Care, Participant Data, TPAs and Service Providers, and ERISA,” The Cohen Milstein Benefits Blog
February 01, 2020
Fiduciaries of ERISA-covered health plans have a duty to implement cybersecurity measures. Fiduciaries are also obligated to ensure that third-party administrators (“TPA”) or service providers do not use participant information without permission.
The selection and monitoring of a benefit plan’s TPAs/service providers is a key fiduciary responsibility; this includes prudently selecting a TPA/service provider that has appropriate systems to maintain electronic plan data securely and privately.
A health plan’s ERISA fiduciary obligations also require compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the protection of personally identifiable information (“PII”).
Participant data must be guarded against cybersecurity breaches; those providing ERISA-covered health plans to their employees may want to consider purchasing data breach/cyber liability insurance coverage.
Fiduciaries also must ensure that TPAs/service providers to the Plan are not using participants’ personal data without permission to market other products. This happens frequently!
The law around plan data remains unsettled, but plan sponsors, fiduciaries, and service providers should consider how to protect participant data and carefully limit a TPA/service provider’s use of plan data.
Fiduciaries should assume that participant data is a plan asset, and act accordingly to protect participant information from data breaches, comply with HIPAA, and ensure that TPAs/service providers do the same. Participant information should not be used for marketing.