The TPA Is the Plan

The legal framework governing self-funded and level funded health plans rests on a specific fiction: the employer is the plan sponsor. The employer establishes the plan, maintains the plan document, and bears fiduciary responsibility for plan administration. The third-party administrator is a service provider. The TPA executes; the employer decides.

In operational reality, the relationship runs the other direction. For the typical small employer operating a level funded plan, the TPA writes or substantially controls the plan document, selects or strongly recommends the provider network, sets adjudication criteria, manages prior authorization, processes every claim, handles every appeal, manages the stop loss relationship, and produces the renewal analysis that determines whether the employer continues with the current structure or changes it. The employer’s active decision-making typically consists of selecting how much to contribute and signing where the broker directs. The legal fiction that the employer sponsors and the TPA administers is increasingly disconnected from how these plans actually operate. That gap has fiduciary implications that the industry avoids addressing directly.

What the Employer Decides, Precisely

#

The outline of a typical 20-person level funded plan installation illustrates the gap. The employer chooses a TPA, nearly always on the broker’s recommendation. The employer sets a contribution amount, nearly always within a range the TPA’s quoting process established. The employer signs a plan document the TPA prepared or that the TPA provided from a template. The employer may choose between two or three network options the TPA offers, which are themselves determined by which network aggregators the TPA has contracted with. The employer may select from a limited menu of plan design options: deductible levels, out-of-pocket maximums, copay tiers. Within that menu, every option was pre-designed by the TPA and pre-approved by the stop loss carrier.

The employer does not write the plan document. Most small employers cannot interpret the plan document if handed one. The employer does not negotiate the network. The employer does not set adjudication criteria. The employer does not determine which services require prior authorization. The employer does not manage stop loss reporting. The employer does not conduct the claims audit that would identify if the TPA’s adjudication is accurate. In practice, the employer’s meaningful decision-making is bounded by three choices: which TPA to use, how much to contribute, and whether to renew.

What the TPA Decides, Precisely

#

The TPA makes every operational decision that determines what the plan covers, how it pays, and what the member experiences when care is needed.

The TPA drafts or controls the plan document language that determines coverage scope. When a claim is disputed and the plan document is ambiguous, the TPA interprets it. Many TPAs include language in their service agreements explicitly reserving interpretive authority to themselves. The TPA sets the adjudication criteria: which procedure codes are payable, at what rates, subject to which edits. The TPA determines prior authorization requirements: which services require advance approval, what clinical criteria must be satisfied, and what documentation the treating provider must submit. When a member or provider appeals a denial, the TPA processes the appeal. In most small group level funded arrangements, the TPA’s appeal decision is final unless the employer intervenes, and the employer lacks the clinical expertise to evaluate whether the TPA’s clinical determination was correct.

The TPA selects the network. For most small group level funded arrangements, the TPA offers access to a rented network, either a national aggregator like MultiPlan or PHCS, or a regional network, with the employer choosing from whatever networks the TPA has contracted to offer. The TPA negotiates the network access fee: typically a per-member-per-month charge the employer pays for the right to the contracted discount. The employer does not know what the TPA paid to access the network, what margin the TPA captures on the access fee, or whether a competing network aggregator would produce equivalent discounts at lower cost. The employer’s network decision is a selection from a curated menu, not an independent procurement.

The TPA manages stop loss reporting: it prepares and submits the claims data that determines when the specific attachment point is triggered and when aggregate protection activates. The accuracy of that reporting directly affects the employer’s stop loss recovery. The employer has no independent mechanism to verify that the TPA’s reporting is timely, complete, or accurate without retaining an independent auditor, an expense that most small employers do not incur. Several TPA service agreements examined in published ERISA litigation contain provisions that limit the employer’s audit rights, require extended advance notice before an audit, or restrict the auditors the employer may engage. These provisions are structurally incompatible with the employer’s fiduciary duty to monitor service providers, a duty the DOL has stated applies to plan sponsors of self-funded health plans.

The TPA produces the renewal analysis. At renewal, the employer receives a document the TPA prepared, summarizing what happened during the plan year, what the next year’s costs are projected to be, and what adjustments are recommended. The employer who lacks independent analytical capability to verify the TPA’s analysis is, in most cases, relying entirely on the TPA’s framing of the employer’s options. That framing includes whether the TPA recommends renewing with the same stop loss carrier, switching carriers, or restructuring the attachment point. In each case, the TPA’s recommendation affects the TPA’s own economics: network access revenue, stop loss administrative fees, and claims volume all change depending on the plan structure the employer selects. The employer making a renewal decision based solely on TPA analysis is relying on advice from an advisor whose financial interest is not fully disclosed.

The Fiduciary Gap

#

ERISA Section 3(16) defines the plan administrator as the person designated by the plan instrument or, absent such designation, the plan sponsor. The plan sponsor is the employer. The DOL has consistently held that the ERISA plan administrator role is inherently a fiduciary position: the named fiduciary bears responsibility for the prudent and loyal administration of the plan, for the selection and monitoring of service providers, and for plan compliance with ERISA requirements.

Fiduciary responsibility is supposed to follow decision-making authority. When the TPA makes the operative decisions and the employer signs the documents, fiduciary responsibility and decision-making authority are misallocated. The employer bears liability for decisions it did not make and may not understand. The TPA makes the decisions and, in most small group service agreements, has negotiated contractual language designed to minimize its own fiduciary exposure.

The DOL has stated explicitly that the selection of a TPA is itself a fiduciary act requiring a prudent process: the employer must evaluate the TPA’s qualifications, review the service agreement, assess reasonableness of fees, and monitor ongoing performance. These obligations apply to a 20-person employer with the same force as to a 20,000-person employer. The DOL’s guidance document “Understanding Your Fiduciary Responsibilities Under a Group Health Plan” (September 2015) identifies the ongoing duty to monitor service providers as a core fiduciary obligation. Most small employers who signed a TPA agreement on broker recommendation did not conduct the process the DOL describes and do not conduct the ongoing monitoring the guidance requires. They are technically in breach of fiduciary duty from the moment the plan is established, not because they acted in bad faith but because the administrative burden of fiduciary compliance for a self-funded health plan is not scaled to the size of the employer who is legally responsible for it.

The legal mechanism for TPA insulation from liability is the ministerial functions doctrine. A TPA can avoid ERISA fiduciary status if its functions are purely ministerial: applying rules to determine eligibility, processing claims, calculating benefits within a framework the employer established. If the TPA has no discretion, it is not a fiduciary. But the ministerial defense collapses when the TPA exercises interpretive authority over plan terms, makes final appeal decisions, or controls asset disposition. A TPA that has authority to approve or deny disputed claims is exercising discretion and is therefore a functional fiduciary under ERISA Section 3(21)(A), regardless of what the service agreement says. Courts have repeatedly held that fiduciary status is determined by actual function, not contractual characterization.

The Sixth Circuit’s May 2025 decision in Tiara Yachts v. Blue Cross Blue Shield of Michigan directly addressed this boundary. The appellate court reversed the lower court’s dismissal, finding that BCBSM’s control over plan assets established functional fiduciary status despite contractual provisions the TPA relied on to characterize its role as ministerial. The Sixth Circuit held that contractual duties and ERISA fiduciary status are not mutually exclusive. The decision represents a circuit split with the First Circuit’s 2023 ruling in a parallel case against Blue Cross Blue Shield of Massachusetts, where the court found the TPA was not a fiduciary because it was bound by contract terms rather than exercising discretion. The Supreme Court has not yet resolved this split. The outcome matters enormously for the employer: if the TPA is not a fiduciary, the employer has a contract claim against a service provider when things go wrong. If the TPA is a fiduciary, the employer has an ERISA remedy but the TPA also has corresponding responsibility. Most small employers have no idea which legal framework governs their TPA relationship.

The Regulatory Misalignment

#

TPAs currently operate under state TPA licensing laws. These vary widely. As of 2024, approximately 35 states require some form of TPA licensure or registration, with requirements ranging from basic registration and financial disclosure to bonding requirements and mandatory reserves. States including California, Florida, Texas, and New York impose TPA licensing with varying capital and solvency requirements. States including Wyoming, Montana, and several others impose minimal requirements or none at all. A TPA headquartered in a lightly regulated state can administer plans for employers in heavily regulated states through ERISA preemption without being subject to the destination state’s TPA requirements, since the federal preemption structure that shields self-funded plans from state insurance law also limits state oversight of the TPAs administering those plans.

This regulatory gap is a feature, not an oversight. TPAs are structured as service providers, not risk-bearing entities, partly because the self-funded plan structure assigns risk to the employer. The TPA does not bear the claims risk. The employer does, with stop loss protection. But the TPA bears the decision-making authority that determines what claims are paid and at what amounts. Decision-making authority without commensurate financial exposure creates a structural misalignment: the TPA decides, the employer pays.

The TPA that adjudicates claims too aggressively imposes the reputational and legal cost of wrongful denials on the employer while reducing the TPA’s own operational processing cost. The TPA that adjudicates claims too generously increases the employer’s financial exposure without proportionate cost to the TPA, whose fee is typically fixed per employee per month regardless of claims volume or accuracy. Neither outcome is regulated at the operational level by any framework calibrated to the TPA’s actual decision-making authority. The DOL’s EBSA reported $1.434 billion in total recoveries from ERISA enforcement actions in fiscal year 2023, across 731 civil investigations closed. The employer’s role as named fiduciary means that when TPA failures generate enforcement actions or participant lawsuits, the employer’s exposure is real even when the underlying decisions were made by the TPA. ERISA does not permit the employer to escape fiduciary liability by pointing to the TPA’s contract.

The DOL’s ERISA Advisory Council recommended in 2005 that TPAs’ fiduciary status for initial benefit determinations be formally affirmed, addressing exactly this misalignment. That recommendation has not been implemented. In the intervening two decades, the small group level funded market has grown substantially while the regulatory framework governing TPA decision-making authority has not evolved to reflect that growth. The TPA industry’s lobbying against fiduciary designation is rational from the TPA’s perspective: fiduciary designation would bring capital requirements, bonding obligations, and litigation exposure that the industry currently avoids by characterizing its functions as ministerial. The employer pays the price of that characterization when claims are mishandled and the TPA’s contract disclaimers limit the employer’s recovery to breach of contract rather than ERISA breach of fiduciary duty.

What Follows

#

If the TPA is the de facto plan, three regulatory consequences follow logically. First, TPAs making fiduciary decisions should bear fiduciary liability. Contractual disclaimers of discretionary authority that are inconsistent with actual operational function should not insulate TPAs from the consequences of decisions they effectively make. The Sixth Circuit’s Tiara Yachts ruling moves the law in this direction.

Second, employers functioning as nominal plan sponsors without meaningful decision-making authority should have access to practical oversight tools. This includes contract terms that preserve audit rights without the restrictive conditions some TPAs impose, standardized data reporting that allows employers to independently verify claim adjudication accuracy, and advisory services that are independent of the TPA relationship. Many of these tools exist for large plan sponsors. A Fortune 500 company with a self-funded plan has an internal benefits team, engages independent claims auditors, and negotiates TPA service agreements with legal counsel experienced in ERISA. The audit rights are meaningful because the employer has the capacity to exercise them. The 20-person employer whose total benefits management capacity is a shared HR function that handles payroll, compliance, and onboarding in addition to benefits has none of that capacity. The fiduciary obligation is identical. The capability to meet it is not. That asymmetry is the root of the employer vulnerability this article describes. The regulatory framework that addresses it for large employers through professional expertise and market power does not scale to the small group market, and no regulatory mechanism currently compensates for that gap.

Third, TPA regulation should reflect operational reality. A TPA that makes the decisions a plan sponsor is legally required to make should face regulatory requirements proportional to that authority: capital adequacy, bonding, and oversight standards that match the functional role rather than the contractual label. This is the conclusion that neither the TPA industry nor the employer community has organized to reach, because the current arrangement, imperfect as it is, distributes cost in a way that is bearable for most parties most of the time. When it breaks, it breaks for the employer.