Executive Summary: HIPAA, DOL Enforcement, and Audit Exposure: What Plan Sponsors Need to Survive Scrutiny
LFP-03.06 — The Regulatory Landscape
An employer who sponsors a self-funded plan is a fiduciary under ERISA section 3(21). This is not optional; it arises from the employer’s exercise of discretionary authority over the plan’s management or administration. The fiduciary’s personal liability for breach covers failure to select and monitor service providers prudently, failure to administer the plan in accordance with its terms, and failure to act in the interest of participants. Most small employers who chose a level funded plan because their broker recommended it do not know they have assumed this exposure. The broker is not a plan fiduciary. The TPA is a service provider under contract. The employer, by default, holds the duties and the liability.
HIPAA applies to group health plans including self-funded plans. The Privacy Rule requires a notice of privacy practices distributed at enrollment and made available on request. The plan may share protected health information with the plan sponsor only if the plan document contains specific authorization provisions and restricts employer use. Without proper plan document amendments, the TPA sharing claims reports with the employer is sharing PHI improperly. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The TPA must have a current, compliant Business Associate Agreement in place. HIPAA breach notification obligations fall on the plan as covered entity; an employer whose TPA experiences a breach affecting plan participants must ensure notification occurs regardless of whether the TPA’s contract assigns the operational responsibility.
Required ERISA documents include the written plan document (the legal instrument governing eligibility, benefits, exclusions, and claims procedures), the Summary Plan Description distributed to all participants within 90 days of enrollment and updated within 210 days of the plan year end after a material change, the Summary of Benefits and Coverage, and multiple required notices covering COBRA, HIPAA privacy, WHCRA, the Newborns’ and Mothers’ Health Protection Act, and CHIPRA. Non-distribution of SPDs is among the most common violations DOL identifies in audits.
DOL EBSA enforcement priorities currently include fiduciary compliance for service provider selection and monitoring, MHPAEA compliance, plan document adequacy, CAA broker disclosure, and cybersecurity practices. An audit requests current plan documents with evidence of distribution, claims procedures, fiduciary process documentation, HIPAA policies and BAAs, NQTL comparative analyses, and CAA compliance records. Most small level funded plan sponsors cannot produce half of this documentation. An employer who sponsors a level funded plan without adequate documentation is not saving money on compliance; that employer is borrowing against future enforcement risk.