Employer-Sponsored Health Care, Participant Data, TPAs and Service Providers, and ERISA
February 01, 2020
- Fiduciaries of ERISA-covered health plans have a duty to implement cybersecurity measures. Fiduciaries are also obligated to ensure that third-party administrators (“TPA”) or service providers do not use participant information without permission.
- The selection and monitoring of a benefit plan’s TPAs/service providers is a key fiduciary responsibility; this includes prudently selecting a TPA/ service provider that has appropriate systems to maintain electronic plan data securely and privately.
- A health plan’s ERISA fiduciary obligations also require compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the protection of personally identifiable information (“PII”).
- Participant data must be guarded against cybersecurity breaches; those providing ERISA-covered health plans to their employees may want to consider purchasing data breach/cyber liability insurance coverage.
- Fiduciaries also must ensure that TPAs/service providers to the Plan are not using participants’ personal data without permission to market other products. This happens frequently!
- The law around plan data remains unsettled, but plan sponsors, fiduciaries, and service providers should consider how to protect participant data and carefully limit a TPA/service provider’s use of plan data.
- Fiduciaries should assume that participant data is a plan asset, and act accordingly to protect participant information from data breaches, comply with HIPAA, and ensure that TPAs/service providers do the same. Participant information should not be used for marketing.