February 01, 2020
  • Fiduciaries of ERISA-covered health plans have a duty to implement cybersecurity measures. Fiduciaries are also obligated to ensure that third-party administrators (“TPA”) or service providers do not use participant information without permission.
  • The selection and monitoring of a benefit plan’s TPAs/service providers is a key fiduciary responsibility; this includes prudently selecting a TPA/service provider that has appropriate systems to maintain electronic plan data securely and privately.
  • A health plan’s ERISA fiduciary obligations also require compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the protection of personally identifiable information (“PII”).
  • Participant data must be guarded against cybersecurity breaches; those providing ERISA-covered health plans to their employees may want to consider purchasing data breach/cyber liability insurance coverage.
  • Fiduciaries also must ensure that TPAs/service providers to the Plan are not using participants’ personal data without permission to market other products. This happens frequently!
  • The law around plan data remains unsettled, but plan sponsors, fiduciaries, and service providers should consider how to protect participant data and carefully limit a TPA/service provider’s use of plan data.
  • Fiduciaries should assume that participant data is a plan asset, and act accordingly to protect participant information from data breaches, comply with HIPAA, and ensure that TPAs/service providers do the same. Participant information should not be used for marketing.