Regulatory and Legal Structure · LFP-03.06

HIPAA, DOL Enforcement, and Audit Exposure: What Plan Sponsors Need to Survive Scrutiny

By Syam Adusumilli · 10 min read

Self-funded plan sponsors are ERISA fiduciaries with legal obligations they may not understand they have assumed. HIPAA privacy and security rules apply to group health plans. DOL enforcement includes plan document review, fiduciary breach investigations, and random audits. The plan sponsor who cannot produce compliant plan documents, HIPAA policies, required disclosures, and fiduciary documentation when regulators ask is carrying risk that becomes visible only at the worst possible time. Audit survival is a function of documentation. Most small employers sponsoring level funded plans have inadequate documentation.

ERISA Fiduciary Obligations

An employer who sponsors a self-funded plan becomes a fiduciary under ERISA section 3(21). The designation is not optional. It arises from the employer’s exercise of discretionary authority or control over the management of the plan, the disposition of its assets, or the administration of the plan. The employer may designate a named fiduciary, often a company officer or a benefits committee, but fiduciary responsibility cannot be entirely delegated away. The employer remains responsible for selecting and monitoring service providers. The employer remains responsible for ensuring the plan is administered according to its terms and the law.

Fiduciary status carries personal liability for breach. The duty of loyalty requires the fiduciary to act solely in the interest of plan participants and beneficiaries. The duty of prudence requires the fiduciary to act with the care, skill, prudence, and diligence that a prudent person familiar with such matters would use under the circumstances. The duty to follow the plan document requires administration in accordance with the plan’s written terms unless those terms conflict with ERISA. The duty to diversify investments applies to whatever plan assets exist; in a self-funded arrangement that can include participant contributions and any claims fund held in trust or otherwise segregated for the plan, so the sponsor should know whether its funding arrangement creates plan assets at all.

Most small employers do not know they are fiduciaries. The employer who chose level funded because the broker recommended it, signed the TPA agreement, and pays the monthly level payment may not realize they have assumed personal liability for how the plan is administered. The broker is ordinarily not a fiduciary of the plan. The TPA provides services under contract but is not a fiduciary unless the employer has delegated fiduciary status through proper procedures or the TPA in fact exercises discretionary authority over the plan. The employer, by default, is the fiduciary with the duties and the liability that follow.

What fiduciary status means in practice is that the employer must select TPAs, stop loss carriers, and other service providers prudently. The employer must evaluate service provider qualifications, compare options, and document the selection process. The employer must monitor service provider performance and compensation on an ongoing basis. The employer must ensure the plan is administered according to its written terms. The employer must act in the interest of participants when making plan design decisions, not solely in the interest of the employer’s budget.

HIPAA Compliance for Group Health Plans

The HIPAA Privacy Rule applies to group health plans, including self-funded plans. A group health plan is a covered entity under HIPAA and must comply with privacy requirements governing the use and disclosure of protected health information. The one exemption, for a plan with fewer than 50 participants that is administered solely by the sponsoring employer, does not reach a level funded plan administered by a TPA.

The plan must have a notice of privacy practices describing how the plan uses and discloses PHI. The notice must be distributed to participants at enrollment and made available upon request. The plan may share PHI with the plan sponsor (employer) only for plan administration purposes and only if the plan documents contain specific provisions authorizing the disclosure, restricting employer use, identifying the employees or classes of employees who may receive PHI, and providing a mechanism for resolving noncompliance, and the sponsor has certified to the plan that it will abide by those restrictions. Without those amendments, the TPA may give the employer only enrollment and disenrollment information and summary health information (claims experience stripped of identifiers other than five-digit ZIP code) for the purpose of obtaining bids or modifying the plan; it cannot share individual claims data. The employer who receives identifiable claims reports from the TPA without those provisions in place is receiving PHI improperly.

The employer must establish firewalls between employees who receive PHI for plan administration and those who make employment decisions. An HR manager who receives individual claims data for plan administration purposes cannot use that information in employment decisions. The employer must have policies ensuring separation. Employees with access to PHI must be identified, trained, and bound by confidentiality requirements.

The HIPAA Security Rule applies if the plan creates, receives, maintains, or transmits electronic PHI. For most small level funded plans, the TPA handles ePHI operationally. But the plan sponsor has oversight responsibility. The plan must ensure that administrative, physical, and technical safeguards are in place. A documented risk analysis, access controls, and audit controls are required by the Security Rule, and breach notification procedures by the companion Breach Notification Rule. The employer must verify, and retain evidence of having verified, that the TPA maintains appropriate security protections for the ePHI it handles on the plan’s behalf; a signed BAA by itself is not that verification.

The TPA is a business associate of the plan under HIPAA. A Business Associate Agreement must be in place between the plan and the TPA defining the TPA’s obligations regarding PHI protection, breach notification, and permitted uses and disclosures. Most TPAs have standard BAAs. Whether the BAA is current, compliant, and properly executed is a documentation question the employer should be able to answer.

HIPAA breach notification requirements apply to the plan. If a breach of unsecured PHI occurs, the plan must notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (at the same time for breaches affecting 500 or more individuals, otherwise in an annual log), and notify prominent media where the breach affects more than 500 residents of a state or jurisdiction. For most small plans, the notices are in practice prepared and sent through the TPA. But the plan, not the TPA, is the covered entity responsible for notification: the TPA’s own duty as a business associate is to notify the plan within 60 days of discovering a breach, and whether it also sends the individual, HHS, and media notices on the plan’s behalf is a matter for the BAA. An employer whose TPA experiences a breach that affects plan participants must ensure proper notification occurs and must keep the record showing that it did.

Required Plan Documents and Disclosures

ERISA requires every plan to be established and maintained pursuant to a written plan document. The plan document is the legal instrument governing the plan. It defines eligibility, benefits, cost-sharing, exclusions, limitations, claims procedures, and administrative provisions. For level funded plans, the plan document is distinct from the stop loss policy, the TPA agreement, and the enrollment materials. Many small level funded plans operate with a plan document provided by the TPA. Whether that document is current, accurate, and reflects the plan as actually administered is a compliance question.

The Summary Plan Description must be furnished to all participants within 90 days of becoming covered, and within 120 days after a new plan becomes subject to ERISA. Material changes must be described in a summary of material modifications or a revised SPD within 210 days of the end of the plan year in which the change is adopted; a material reduction in covered services or benefits must be described within 60 days. An SPD that has been amended must be reissued every five years, and every ten years in any case. The SPD must be written in a manner calculated to be understood by the average plan participant. It must describe eligibility requirements, benefits, cost-sharing, claims procedures, and participant rights. Non-distribution of SPDs is one of the most common ERISA violations identified in DOL audits. An employer who has never distributed an SPD, or who distributed one five years ago and has not updated it despite plan changes, is in violation.

The Summary of Benefits and Coverage must be distributed in the standardized template format required by the ACA. Self-funded plans must provide SBCs at enrollment and at each renewal, within seven business days of a request, and at least 60 days before a mid-year material modification that changes the SBC content takes effect. The TPA typically produces the SBC, but the plan administrator is responsible for distribution.

Additional required notices include COBRA initial and qualifying event notices, HIPAA notice of privacy practices, WHCRA notices regarding coverage of breast reconstruction, Newborns’ and Mothers’ Health Protection Act notices, and CHIPRA notices regarding Children’s Health Insurance Program options. Each notice has specific content requirements and distribution timing. An employer who has not distributed required notices is in violation.

DOL Enforcement and Audit Exposure

DOL’s Employee Benefits Security Administration enforces ERISA through investigations, audits, and benefit advisory programs. Investigations can be complaint-driven when a participant files a complaint, targeted based on agency enforcement priorities, or random as part of general compliance monitoring.

EBSA enforcement priorities currently include fiduciary compliance for service provider selection and monitoring, mental health parity compliance, plan document adequacy, broker and consultant compensation disclosure, and cybersecurity practices. An employer whose plan touches any of these areas may be subject to investigation. An employer whose plan touches all of them, which describes most level funded plans, has multiple potential triggers.

An audit looks for specific documentation:
  - Plan document and SPD: current versions, evidence of distribution, amendments for plan changes.
  - Claims procedures: written procedures consistent with plan terms and the DOL claims procedure regulation.
  - Fiduciary process documentation: evidence that the fiduciary selected service providers through a prudent process, monitors ongoing performance, and reviews compensation against benchmarks.
  - HIPAA compliance: privacy and security policies, Business Associate Agreements, breach notification procedures.
  - MHPAEA compliance: comparative analysis of nonquantitative treatment limitations (NQTLs), parity documentation.
  - CAA compliance: broker and consultant compensation disclosure, prescription drug data collection (RxDC) reporting, No Surprises Act procedures.

The small employer compliance posture is typically incomplete. Most small level funded plan sponsors cannot produce half of the documentation an audit would request. The TPA may have some documentation but not all. The employer may not have copies of what the TPA produced. The broker may have recommended the plan but has no obligation to ensure compliance documentation is complete. The result is a compliance posture that appears adequate on the surface because the plan is operational, claims are being paid, and members are covered. The documentary foundation is incomplete.

The Audit Scenario

An employer receives a letter from DOL EBSA requesting documentation for an investigation. The letter requests the plan document, SPD, evidence of SPD distribution, claims procedures, HIPAA privacy notice, HIPAA security policies, Business Associate Agreement with the TPA, NQTL comparative analysis, broker compensation disclosure, evidence of RxDC reporting, fiduciary process documentation for TPA selection, and service provider fee analysis.

The employer contacts the TPA. The TPA provides the plan document template they used, a generic SPD, and their standard BAA. The TPA does not have documentation of SPD distribution because the employer was responsible for distribution. The TPA does not have a plan-specific NQTL comparative analysis because they have not performed one. The TPA does not have broker compensation disclosure because the employer was responsible for obtaining it.

The employer contacts the broker. The broker provides a general compensation disclosure that does not itemize indirect compensation sources as ERISA section 408(b)(2)(B), added by the Consolidated Appropriations Act, 2021, requires. The broker does not have fiduciary process documentation because they were not involved in the TPA selection process.

The employer reviews their own files. They have the TPA agreement and the stop loss policy. They do not have evidence of SPD distribution. They do not have HIPAA security policies. They have not completed a fiduciary assessment of the TPA. They have not reviewed service provider fees against benchmarks.

The employer’s response to DOL is incomplete. The investigation continues. DOL identifies fiduciary process deficiencies, missing documentation, incomplete parity analysis, and inadequate broker disclosure. The employer is advised of violations and required to submit a corrective action plan. The employer’s next renewal is complicated by the need to remediate compliance deficiencies identified by DOL.

This scenario is not hypothetical. It is the experience of employers whose plans are selected for investigation. The employer who sponsors a level funded plan without adequate documentation is not saving money on compliance. They are borrowing against future enforcement risk with interest.

What Documentation Infrastructure Requires

A compliant level funded plan sponsor should maintain current plan documents that accurately reflect plan terms as administered. The plan document should be reviewed at each renewal for necessary amendments. A compliance binder should contain the current plan document, all amendments, and evidence of the adoption process.

The employer should have SPDs distributed to all participants with evidence of distribution. A distribution log, signed acknowledgment forms, or electronic delivery with confirmed receipt satisfies the evidence requirement, provided the electronic delivery meets the DOL electronic disclosure safe harbor: recipients who can access documents wherever they are reasonably expected to perform their duties and for whom electronic access is an integral part of those duties, or who have affirmatively consented to electronic delivery. Posting the SPD on an intranet without notifying participants of its availability and their right to a paper copy does not satisfy the requirement. Updates should be distributed within required timeframes when plan terms change.

HIPAA documentation should include a notice of privacy practices, security policies appropriate to the employer’s handling of PHI, a current Business Associate Agreement with the TPA, and breach notification procedures. If the employer receives individual claims data, the plan document should contain the required authorization provisions and the employer should have policies restricting use of that data.

Fiduciary process documentation should include evidence of how the TPA was selected, what alternatives were considered, how fees were evaluated, and how ongoing performance is monitored. Annual service provider reviews with documented outcomes satisfy the monitoring requirement. Fee benchmarking studies, even informal comparisons, provide evidence of prudent fee evaluation.

The compliance infrastructure is not bureaucracy. It is the plan sponsor’s defense against regulatory liability. The employer who invests in compliance documentation is not spending unnecessarily. They are protecting against enforcement exposure that can be far more expensive than the documentation cost.

How this article connects to others in Blue Gray Matters.

The TPA's Business Associate Agreement, SPD preparation support, and compliance administration functions are the operational apparatus the employer relies on to meet the documentation obligations this article identifies as primary audit exposure; LFP-05.01 examines the full scope of TPA services including the compliance infrastructure whose presence or absence determines whether a small employer can survive a DOL audit.
DOL plan audits concentrate on claims adjudication accuracy, plan document compliance, and the documentation of how claims were processed against plan terms; LFP-05.03 examines TPA claims adjudication and accuracy as an operational function, covering the adjudication systems, error rates, and audit trails that DOL reviewers examine when a plan is selected for investigation.
The HIPAA framework governing employer access to PHI for plan administration, which this article establishes must be authorized through specific plan document provisions before the TPA can share claims data with the employer, is the regulatory constraint LFP-13.06 examines when analyzing claims data ownership and contractual data access rights between employer and TPA.
Brokers who position themselves as level funded specialists carry responsibility for ensuring employer clients understand their fiduciary status, HIPAA compliance obligations, and DOL audit exposure; LFP-14.05 examines level funded practice building, where the compliance advisory role distinguishes brokers who can retain level funded clients through regulatory complexity from those who cannot.

Sources cited in this article.

  1. Employee Retirement Income Security Act of 1974, 29 U.S.C. §§ 1001-1461.
  2. Health Insurance Portability and Accountability Act regulations, 45 C.F.R. Parts 160 and 164.
  3. U.S. Department of Health and Human Services. "HIPAA Privacy Rule and Sharing Information Related to Mental Health." HHS, 2017.
  4. U.S. Department of Labor. "Compliance Assistance Guide: Health Benefits Coverage Under Federal Law." DOL, 2023.
  5. U.S. Department of Labor. "Reporting and Disclosure Guide for Employee Benefit Plans." DOL, 2022.
  6. U.S. Department of Labor, Employee Benefits Security Administration. "Enforcement." DOL, www.dol.gov/agencies/ebsa/about-ebsa/our-activities/enforcement. Accessed 2024.