Among the provisions of SECURE 2.0 (effective December 29, 2022) welcomed by plan sponsors were the additions to the Internal Revenue Code that allow qualified plans to refrain from trying to recoup an “inadvertent benefit overpayment” (referred to here as an IBO), and from having to restore such payments to the plan.  In addition, the Code was amended to permit the treatment of such overpayments as eligible rollover distributions for certain purposes.

The IRS has now addressed, via interim guidance in Notice 2024-77 (issued and generally effective October 15, 2024), some of the many questions that arise under the new Code IBO relief provisions. Before that date, a reasonable good-faith compliance standard applies; after that date, following the guidance in the Notice will be considered compliance. Comments on the new guidance may be made to the Treasury Department by December 16, 2024. The following is a general summary of the major points of guidance in the Notice:

IBO definition. An IBO is defined by the Notice as an “eligible inadvertent failure” consisting of a payment from a qualified plan that either (A) exceeds the amount that should have been payable under the terms of the plan or (B) exceeds a Code or regulatory limitation. The requirement that the overpayment be an eligible inadvertent failure means it must have occurred despite the existence of established practices and procedures as described in Revenue Procedure 2021-30, the current IRS EPCRS plan correction standards, and that it not be egregious, relate to diversion or misuse of plan assets nor be directly related to an abusive tax avoidance transaction.  An IBO also encompasses payments made before a proper distribution date under the plan and Code, excluding any overpayments made to “disqualified persons” as defined in the prohibited transaction provisions of the Code or to any owner-employee. The term also excludes any payment made as part of a correction for another failure under the EPCRS correction procedures.

Coordination with EPCRS. The EPCRS plan correction standards are amended to be consistent with the Notice. But note that if a plan opts to forgo recoupment of an overpayment, any related operational failures must still be corrected. These could include scenarios in which the overpayment resulted from incorrect account allocations, resulting in the underpayment of benefits to other participants, or where the overpayment causes an impermissible forfeiture under Code Section 411.

Recoupment compliance. If, despite the available recoupment relief, a plan still seeks recoupment of an IBO, it must do so under the EPCRS overpayment correction standards and the provisions of ERISA (as amended by SECURE 2.0) regarding the limitations on recoupment.

Eligible rollover treatment of IBOs. An IBO transferred to an eligible retirement plan will be treated as an eligible rollover distribution under the Code (with corresponding excise tax relief for early withdrawals and excess contributions) if the payor plan does not seek recoupment of the overpayment and if the payment otherwise qualifies as an eligible rollover distribution. In such cases, the overpayment cannot have resulted from a compensation limit failure under Section 401(a)(17) or an annual additions failure under Section 415. Eligible rollover distribution treatment also applies if the payor plan attempts to recoup the overpayment, and the overpayment is repaid to that plan. If the plan does seek recoupment, it must notify the payee that any amount not returned to the plan will not be eligible for tax-free rollover treatment.

Other portions of the Notice clarify plan corrections when an overpayment results from violations of Code Sections 436, 401(a)(17), or 415, and state that a plan may not correct an IBO by retroactively amending the plan to increase benefit payments already made if that amendment would result in a violation of Sections 401(a)(17) or 415 for a past year. Similar guidance applies to any retroactive amendment that increases past benefit payments in a way that violates Code Section 436 for the past year.

Please contact your Jackson Lewis Employee Benefits Attorney for more detailed advice on dealing with IBOs in light of this interim guidance. 

The Internal Revenue Service recently announced its cost-of-living adjustments applicable to dollar limitations on benefits and contributions for retirement plans generally effective for Tax Year 2025 (see IRS Notice 2024-80). Most notably, the limitation on annual salary deferrals into a 401(k) or 403(b) plan will increase to $23,500, and the dollar threshold for highly compensated employees will increase to $160,000. This year’s notice also includes the optional SECURE 2.0 Super Catch-up amounts for participants ages 61-63.  The more significant dollar limits for 2025 are as follows:

| Limit | 2024 | 2025 |
| --- | --- | --- |
| 401(k)/403(b) Elective Deferral Limit (IRC § 402(g)). The annual limit on an employee’s elective deferrals to a 401(k) or 403(b) plan made through salary reduction. | $23,000 | $23,500 |
| Government/Tax Exempt Deferral Limit (IRC § 457(e)(15)). The annual limit on an employee’s elective deferrals concerning Section 457 deferred compensation plans of state and local governments and tax-exempt organizations. | $23,000 | $23,500 |
| 401(k)/403(b)/457 Catch-up Limit (IRC § 414(v)(2)(B)(i)). In addition to the regular limit on elective deferrals described above, employees over the age of 50 generally can make an additional “catch-up” contribution not to exceed this limit. (See special rule below for those aged 60–63.) | $7,500 | $7,500 |
| SECURE 2.0 Super Catch-up, Age 60–63 (IRC § 414(v)(2)(E)(i)). Other than plans described in 401(k)(11) or 408(p). | Not applicable | $11,250 |
| Defined Contribution Plan Limit (IRC § 415(c)). The limitation for annual contributions to a defined contribution plan (such as a 401(k) plan or profit sharing plan). | $69,000 | $70,000 |
| Defined Benefit Plan Limit (IRC § 415(b)). The limitation on the annual benefits from a defined benefit plan. | $275,000 | $280,000 |
| Annual Compensation Limit (IRC § 401(a)(17)). The maximum amount of compensation that may be taken into account for benefit calculations and nondiscrimination testing. | $345,000 ($505,000 for certain gov’t plans) | $350,000 ($520,000 for certain gov’t plans) |
| Highly Compensated Employee Threshold (IRC § 414(q)). The definition of an HCE includes a compensation threshold for the prior year. A retirement plan’s discrimination testing is based on coverage and benefits for HCEs. | $155,000 (for 2024 HCE determination) | $160,000 (for 2025 HCE determination) |
| Highly Compensated Employees (“HCEs”) (SECURE 2.0 Sec. 603 – IRC § 414(v)(7)). Catch-up contributions for HCEs earning above this limit in FICA wages for the preceding year MUST be ROTH contributions. Not required for plan years beginning in 2025. | $145,000 | $145,000 |
| Key Employee Compensation Threshold (IRC § 416). The definition of a key employee includes a compensation threshold. Key employees must be determined for purposes of applying the top-heavy rules. Generally, a plan is top-heavy if the plan benefits of key employees exceed 60% of the aggregate plan benefits of all employees. | $220,000 | $230,000 |
| SEP Minimum Compensation Limit (IRC § 408(k)(2)(C)). The mandatory participation requirements for a simplified employee pension (SEP) include this minimum compensation threshold. | $750 | $750 |
| SIMPLE Employee Contribution (IRC § 408(p)(2)(E)). The limitation on deferrals to a SIMPLE retirement account. | $16,000 | $16,500 |
| SIMPLE Catch-up Limit (IRC § 414(v)(2)(B)(ii)). The maximum amount of catch-up contributions that individuals age 50 or over may make to a SIMPLE retirement account or SIMPLE 401(k) plan. (See special rule below for those aged 60–63.) | $3,500 | $3,500 |
| SECURE 2.0 Super Catch-up, Age 60–63 (IRC § 414(v)(2)(E)(ii)). The maximum amount of catch-up contributions that individuals aged 60–63 may make to a SIMPLE retirement account or SIMPLE 401(k) plan. | Not applicable | $5,250 |
| Social Security Taxable Wage Base. See the Social Security Contribution and Benefit Base site. This threshold is the maximum amount of earned income on which Social Security taxes may be imposed (6.20% paid by the employee and 6.20% paid by the employer). | $168,600 | $176,100 |

Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

As we conclude our “Health Plan Hygiene” blog series, we reflect on the important insights shared about fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA). The series highlighted the risk posed by recent group health plan fiduciary litigation and offered strategies for mitigating these risks by meeting ERISA obligations. We explored best practices for evaluating, selecting, and contracting with third-party administrators, emphasized the importance of cybersecurity protocols for health plan data, and discussed the proactive review of third-party vendor fee arrangements, including pharmacy benefit managers and broker compensation structures.

As health and welfare plan fiduciaries prepare for the year ahead, how can they remain vigilant in identifying and executing their responsibilities in a climate of increasing compliance demands and associated risk?  

  1. Set up a fiduciary committee. Where a health and welfare plan document permits delegation, a named fiduciary, such as the plan administrator, may wish to delegate some of its fiduciary duties to a health and welfare plan fiduciary committee. Fiduciary committees are designed to act solely in the best interests of plan participants and beneficiaries by ensuring prudent policies and procedures are in place. A fiduciary committee typically includes designated decision-makers and at least one person with intimate knowledge of the plan’s written terms, day-to-day operations, and the plan sponsor’s participant population, such as an HR professional with a benefits background. While the delegator shares responsibility for ensuring that the committee executes its duties properly, the committee can help the delegator stay abreast of evolving compliance requirements and best practices. The committee may want to adopt a charter that addresses, at a minimum, the committee’s purpose, scope of authority and responsibilities, meeting frequency, and committee membership, including appointment and removal procedures.
  2. Document decision-making. Establish and consistently use internal recordkeeping procedures for all fiduciary decisions and actions taken regarding the plan. For example, the fiduciary committee should take minutes during all meetings to reflect the topics discussed and the reasoning behind its decisions. Clear documentation of the decision-making process promotes transparency and becomes critical if a plan is audited or sued.
  3. Mindfully negotiate and monitor service provider contracts. Health and welfare plan fiduciaries may want to establish and use prudent processes when selecting service providers. For example, the fiduciary might request proposals from multiple service providers to assess whether the terms are appropriate for the current market. Once a service provider is selected, the fiduciary is wise to stay updated on all contracts and operations regarding the plan to ensure the terms are written and performed in the best interest of plan participants and beneficiaries. Fiduciaries may also reassess and re-negotiate fees when appropriate.
  4. Ensure plan expenses are reasonable. The fiduciary has a duty to ensure plan expenses are reasonable, including any compensation paid to experts and third-party service providers.
  5. Conduct an internal audit. ERISA requires certain employee benefit plans to submit to an annual independent audit, a report of which is filed with the Department of Labor. However, some welfare plans, such as those that covered fewer than 100 participants at the beginning of the plan year if the plan is fully insured, unfunded, or a combination of fully insured and unfunded, are excluded from this requirement. Regardless of whether an audit is required, voluntarily conducting an independent audit facilitates proper plan governance and often helps identify opportunities to improve compliance.

For questions, please contact a Jackson Lewis Employee Benefits Practice Group member or the Jackson Lewis attorney with whom you regularly work.

With just a couple of weeks before election day, the Biden Administration announced on October 21, 2024, that it was issuing proposed rules designed, in part, to require health plans to cover over-the-counter contraception without cost sharing, including birth control, the morning-after pill, and the male condom.  The proposed rules are the latest in a series of pronouncements that post-date the Dobbs decision overturning Roe v. Wade, which are aimed at providing access to reproductive health.  However, the tri-agencies’ earlier reproductive health guidance has been subject to a legal challenge, with a pending request for review by the Supreme Court.  Time will tell how these efforts to mandate contraception coverage without cost-sharing will be resolved.

At the heart of the guidance is the Affordable Care Act’s preventive care mandate, which in part requires non-grandfathered group health plans and issuers offering group health insurance coverage to cover, without cost-sharing, both preventive items or services, including those rated “A” or “B” by the United States Preventive Services Task Force (PSTF), and preventive care and screenings for women not recommended by PSTF, but that are included in guidelines issued by the Health Resources and Services Administration (HRSA).

To further this preventive services mandate, and citing HRSA’s most recent Women’s Preventive Services Guidelines, which “recommend[] that adolescent and adult women have access to the full range of contraceptives and contraceptive care to prevent unintended pregnancies and improve birth outcomes” and now omit any reference to prescribed contraception, the proposed rule in part:

  • Requires non-grandfathered health plans and health insurance issuers to cover, without cost-sharing and without a prescription, the cost of all types of contraception, including the first-ever Food and Drug Administration (FDA) approved over-the-counter birth control pill.  This is a significant step from prior guidance that required a prescription;
  • Mandates disclosures to covered persons so they are aware and can take full advantage of the newly available coverage; and
  • Enhances the “exceptions process” for medical management techniques whereby coverage can be sought for preventive health items or services that generally are not covered by the plan if the individual’s provider determines it is medically necessary for an individual.

If finalized, the proposed rule would impose new administrative processes on employer-sponsored plans, mandate employee disclosures, and require plan amendments.  The government recognizes that the proposed rule has the potential to drive up the cost of contraception and is likely to impact the gross premiums and out-of-pocket costs of all covered persons, even those who do not obtain over-the-counter contraception.  Therefore, in lieu of also implementing other over-the-counter coverage mandates it is evaluating, such as coverage for tobacco cessation products, the proposed rule takes an incremental approach to guidance, starting only with the contraception mandate. 

The proposed rule is the latest in a series of guidance issued by the Biden Administration following the Dobbs decision that may get folded into impending legal challenges.  Those challenges focus on the authority of the PSTF that is issuing these preventive service mandates. 

Specifically, prior preventive care guidance, which includes mandatory coverage for prescribed contraception, HPV vaccines, and drugs preventing the transmission of HIV, has been challenged under the Administrative Procedures Act.  The assertion is that those serving on the PSTF and issuing these preventive care mandates are “principal officers” of the United States who have not been validly appointed under the Appointments Clause of Article II of the Constitution.  As a result, the challengers assert that the preventive care mandates the PSTF has issued are unlawful.  These arguments have gained traction in the courts.  A writ of certiorari filed by the Biden Administration on September 19, 2024, is still pending before the Supreme Court.  It is unclear whether the Supreme Court will agree to hear the case. 

Employer-sponsored health plans, therefore, are in a holding pattern to see how these reproductive health mandates will resolve.  In this particularly partisan environment, employers should be on the lookout for forthcoming guidance. 

The Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

Our “health plan hygiene” series has focused on steps that fiduciaries of employer-sponsored group health plans can take to ensure they meet their fiduciary responsibilities.  This issue has been brought to the forefront recently due to a wave of class action lawsuits that have been brought against group health plan fiduciaries.  In our last post, we discussed the importance of a thorough RFP process and an overview of important contractual provisions.  This post will address the issue at the center of those class action lawsuits:  the fees.   

Third-Party Vendor Fee Arrangements

Health plan fiduciaries have the duty to ensure that the fees paid to third-party vendors are reasonable.  This can feel like an overwhelming task because health plans, especially self-insured health plans, can hire multiple third-party vendors to keep the plan running.  For example, third-party administrators (“TPAs”), network providers, repricing servicers, claims auditors, pharmacy benefit managers (“PBMs”), telehealth providers, and behavioral health providers may all be involved in the administration of a single health plan.  

Health plan fiduciaries should educate themselves on the potential pricing methods and fee arrangements with each of the third-party service providers.  For example:

  • “Bundled” Services and Fee Arrangements.  Because of the seemingly endless number of third-party vendors that may be required for health plan administration, fiduciaries will often rely on one TPA to manage and contract with the other third-party vendors.  While this can ease the burden of tracking multiple vendors, it remains the fiduciaries’ duty to ensure that the fees are reasonable for each vendor.  That means that the fiduciaries must understand the services provided by each vendor and the fees charged by each vendor.  Fiduciaries should not rely on the TPA to manage the overall fees or to provide one total billed amount for all vendors without a breakdown.
  • Pharmacy Benefit Managers.  The recent class action lawsuits have focused heavily on PBM fees.  PBM fee structures have historically been complex and not particularly transparent, so it is essential that plan fiduciaries understand PBM pricing models. 
    • Pass-Through Pricing.  Under the pass-through pricing model, the PBM charges the plan the drug acquisition cost (the amount paid to the drug manufacturer).  Any negotiated rebates are also passed through to the plan.  The PBM receives compensation from the plan via a per-employee or per-month rate.  Proponents of the pass-through pricing model argue that it provides the most transparency and consistency for the plan.
    • Spread Pricing.  Under the spread pricing model, the PBM and the plan set the price that the plan pays for prescription drugs by reference to a specific benchmark price.  The PBM then negotiates a lower price with the drug manufacturer, and the PBM receives compensation on the difference (the “spread”) between the PBM’s acquisition cost and the benchmark price.  PBMs in this arrangement are financially motivated not to make formulary decisions based on which drugs have the lowest cost to the plan and beneficiaries but rather based on which drugs have the most significant spread.
    • Rebates.  PBMs negotiate rebates from drug manufacturers. The PBM may keep all or a portion of the rebate instead of paying the rebate back to the plan. 
  • Brokers.  Fiduciaries will often hire brokers to help identify and retain service providers for a health plan.  Brokers can provide an important service.  However, some brokers enter into commission or other compensation arrangements with service providers.  It is essential that plan fiduciaries are aware of any compensation or commission arrangements between a broker and other third-party vendors to ensure that the broker is providing the best objective recommendations, not recommendations motivated by financial gain. 

Potential Impacts

Recent class actions have highlighted the complexities and potential liabilities associated with third-party vendor fees. It is essential fiduciaries be well-informed about current third-party vendor contracts or agreements, including their termination or renewal periods. These periods can offer opportunities to reassess and renegotiate fees.

As your representative, the Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance, especially when selecting service providers. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

A health plan’s fiduciaries are responsible for administering the health plan.  Because most employers are not in the business of administering health benefits, they outsource the day-to-day health plan administration to a third-party health plan administrator (TPA).  This outsourcing does not mean the employer is off the hook for its fiduciary obligations under ERISA.  Even the evaluation and selection of a TPA is itself a fiduciary act, and employers must follow a prudent process.

Below, we provide information for employers regarding the selection, evaluation, and contracting with a TPA:

Rely on the Experts

Just as most employers are not in the business of administering health benefits, most employers are not in the business of evaluating and selecting TPAs.  To help ensure this process complies with ERISA’s fiduciary duties, employers often rely on a broker or consultant and legal counsel.  Brokers and consultants will identify TPAs that are appropriate for the employer’s size, industry, and location, provide guidance regarding the reasonableness of the TPA’s fees, and help with fee negotiation.  Legal counsel will help the fiduciary with legal compliance and contract negotiation. 

Conduct a Request for Proposal

The broker/consultant and legal counsel will help conduct a request for proposal (RFP) for a TPA.  The RFP will invite potential TPAs to submit bids and information regarding the health plan’s administration.  With the RFP, the fiduciary should: 

  • Invite several providers to respond to the request for proposal;
  • Prepare specific questions that are relevant and important to the plan’s administration;
  • Make sure the TPA’s fees are reasonable;  
  • Request sample contracts to identify any “dealbreaker” provisions; and
  • Identify potential internal conflicts that could taint the process (e.g., TPAs with other relationships with the employer). 

Thorough Review and Negotiation of Services Agreement

The employer should select a potential TPA well before the implementation date so that there is time for legal counsel and the broker/consultant to negotiate the services agreement and fees and, if necessary, select an alternate TPA if the negotiations fall apart.  Key contractual provisions include: 

  1. Indemnification provisions.  TPAs expect plan fiduciaries to indemnify the TPA against third-party claims, losses, or suits based on the services provided by the TPA to the plan and the participants.  However, the plan fiduciaries should not indemnify the TPA for claims based on the TPA’s negligence, misconduct, or fiduciary breach.  Instead, the TPA should be liable for any claims based on the TPA’s “bad actions,” and the TPA should indemnify the plan against those claims.    
  2. Accepting fiduciary responsibility.  If the TPA is authorized to interpret the plan provisions, for example, if the TPA is delegated the authority to handle claims and appeals under the plan, the TPA is acting as a fiduciary under ERISA.  In that case, the services agreement should expressly state that the TPA acknowledges its fiduciary status. 
  3. Audit rights.  Reserving the right to audit the TPA’s performance under the service agreement is important.  Beware of onerous restrictions on “claims” audits.  To avoid negative findings in audit reports, some service providers limit the number of audits a plan sponsor may undertake, establish long notice periods, or, in extreme cases, provide an exclusive list of auditors or prohibit certain auditors from conducting audits.    
  4. Termination provisions. ERISA generally prohibits fiduciaries from entering into contracts that cannot be terminated without substantial penalties or within a reasonable period. The service agreement should give the employer the flexibility to terminate. 
  5. Claims litigation. Make sure the agreement clearly states which party will handle claims litigation and which party will indemnify the other for any damages.      

Measure Twice, Cut Once

The process of selecting and contracting with a new TPA can seem overwhelming, time-consuming, and exhausting. However, taking the proper steps to ensure that the process is completed in accordance with ERISA’s fiduciary duties can save employers from costly mistakes.  

The Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

A little more than three years ago, the U.S. Department of Labor (DOL) posted cybersecurity guidance on its website for ERISA plan fiduciaries. That guidance extended only to ERISA-covered retirement plans, despite health and welfare plans facing similar risks to participant data.

Last Friday, the DOL’s Employee Benefits Security Administration (EBSA) issued Compliance Assistance Release No. 2024-01. The EBSA’s purpose for the guidance was simple – confirm that the agency’s 2021 guidance generally applies to all ERISA-covered employee benefit plans, including health and welfare plans. In doing so, EBSA reiterated its view of the expanding role for ERISA plan fiduciaries relating to protecting plan data:

“Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”

In 2021, we outlined the DOL’s requirements for plan fiduciaries here, and in a subsequent post discussed DOL audit activity that followed shortly after the DOL issued its newly minted cybersecurity requirements.

As noted in our initial post, the EBSA’s best practices included:

  • Maintain a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Implement a reliable annual third-party audit of security controls.
  • Follow strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.

Indeed, the substance of the guidance is largely the same, as indicated above, and still covers three areas – Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips (for plan participants). What is different are some of the issues raised by the new plans to which the expanded guidance applies – health and welfare plans. Here are some examples.

  • The plans covered by the DOL’s guidance. As noted, the DOL’s cybersecurity guidance now extends to health and welfare plans. This includes plans such as medical, dental, and vision plans. It also includes other familiar benefit plans for employees, including plans that provide life and AD&D insurance, LTD benefits, business travel insurance, certain employee assistance programs and wellness programs, most health flexible spending arrangements, health reimbursement arrangements, and other benefit plans covered by ERISA. Recall that an “employee welfare benefit plan” under ERISA generally includes:

“any plan, fund, or program…established or maintained by an employer or by an employee organization…for the purpose of providing for its participants or their beneficiaries, through the purchase of insurance or otherwise…medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, death or unemployment, or vacation benefits, apprenticeship or other training programs, or day care centers, scholarship funds, or prepaid legal services.”

A threshold compliance step for ERISA fiduciaries, therefore, will be to identify the plans in scope. However, cybersecurity should be a significant compliance concern for just about any benefit offered to employees, whether covered by ERISA or not.

  • Identifying service providers. It is tempting to focus on a plan’s most prominent service providers – the insurance carrier, claims administrator, etc. However, the DOL’s guidance extends to all service providers, such as brokers, consultants, auditors, actuaries, wellness providers, concierge services, cloud storage companies, etc. Fiduciaries will need to identify what individuals and/or entities are providing services to the plan.
  • Understanding the features of plan administration. The nature and extent of plan administration for retirement plans as compared to health and welfare plans often is significantly different, despite both being covered by ERISA, which imposes a similar set of compliance requirements on each. For instance, retirement plans tend to collect personal information only about the employee, although there may be a beneficiary or two. Health and welfare plans, particularly medical plans, often also cover an employee’s spouse and dependents. Additionally, for many companies, different groups of employees monitor retirement plans versus health and welfare plans. And, of course, more often than not, there are different vendors servicing these categories of employee benefit plans.
  • What about HIPAA? Since 2003, certain group health plans have had to comply with the privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The DOL’s cybersecurity guidance, however, raises several distinct issues. First, the DOL’s recent pronouncements concerning cybersecurity are directed at fiduciaries, who as a result may need to take a more active role in compliance efforts. Second, obligations under the DOL’s guidance are not limited to group health plans or plans that reimburse the cost of health care. As noted above, popular benefits for employees such as life and disability benefits are covered by the DOL cybersecurity rule, not HIPAA. Third, the DOL guidance appears to require greater oversight and monitoring of plan service providers than HIPAA requires of business associates. In several places, the Office of Civil Rights’ guidance for HIPAA compliance states that covered entities are not required to monitor a business associate’s HIPAA compliance. See, e.g., here and here.  

The EBSA’s Compliance Assistance Release No. 2024-01 significantly expands the scope of compliance for ERISA fiduciaries with respect to their employee benefit plans and cybersecurity, and by extension the service providers to those plans. Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.

The Employee Retirement Income Security Act of 1974 (ERISA) regulates most private employee benefit retirement and welfare plans. This statute’s purview is vast; it governs employer-sponsored defined benefit and defined contribution retirement plans and an array of welfare plans.

Under ERISA, a plan fiduciary is an entity that exercises authority or control over the management or disposition of plan assets. Within the ERISA context, “fiduciary” is a functional title rather than a job title. A fiduciary need not know that they have assumed fiduciary status to be liable for a potential fiduciary breach. If one fiduciary fails to meet their responsibilities, other fiduciaries may be held accountable, even if they were not directly involved. This is known as “joint and several liability.”

What are a fiduciary’s obligations under ERISA?

ERISA Section 404 and Section 2550.404a-1 of the Department of Labor’s regulations outline fiduciary obligations. The provisions demand that a fiduciary:

  • Act solely in the interest of the participants and beneficiaries, exclusively to provide benefits to them and defray reasonable expenses of the plan.
  • Carry out their duties prudently.
  • Follow the plan documents, except where the plan document conflicts with ERISA.
  • Diversify plan investments to minimize the risk of significant losses.
  • Pay only reasonable plan expenses.

How can a plan fiduciary ensure it is fulfilling its obligations?

  • Differentiate between “fiduciary” and “settlor” functions. Not all functions related to employee benefit plans are fiduciary functions. Fiduciaries must carry out their duties in the best interests of plan participants. The administration of the plan is generally a fiduciary function. Settlor functions, in contrast, may be carried out in the best interests of the plan sponsor and may include adopting, amending, or terminating a benefits plan.
  • Manage plan administration using well-documented, rigorous decision-making processes. The fiduciary duty of prudence is a process requirement. The fiduciary does not have a duty to maximize plan asset growth or minimize plan expenses absolutely. Instead, the fiduciary has the duty to administer the plan using reasonable, rational decision-making processes. “Prudent” processes cited in recent cases include reviewing quarterly reports, engaging an investment consultant, using a watch list and investment policy statement in decision-making, and actively monitoring underperforming funds.
  • Follow the plan’s terms—and design the plan to make that possible. If a provision is written into the plan and does not conflict with ERISA, the fiduciary is bound to follow the terms of each such provision to remain in compliance. 

The Bottom Line

  • The role of a fiduciary under ERISA is both critical and complex. Fiduciaries are responsible for managing the plan’s assets and safeguarding the interests of the participants and beneficiaries. While the path to compliance with ERISA’s fiduciary obligations may seem daunting, it is based on loyalty, prudence, and adherence to the plan’s terms. By understanding and respecting these principles, fiduciaries can navigate their responsibilities.
  • The essence of fiduciary duty under ERISA is about making informed, well-considered decisions that align with the best interests of the plan participants and beneficiaries.

The Jackson Lewis Employee Benefits Practice Group can assist if you have questions. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

During the next several weeks, we will publish a series of articles that dive deeply into “health plan hygiene” relating to health and welfare benefit plan fiduciary issues and how employers can protect themselves in this quickly evolving area.

Section 408(b)(2) of the Employee Retirement Income Security Act of 1974 (ERISA) requires certain disclosures regarding employee benefit plan fees.  When this so-called fee disclosure rule was put in place for retirement plans, it sparked litigation regarding whether the fees paid by defined contribution retirement plans for recordkeeping, plan administration, and investment management are too high.  These cases have included claims of ERISA fiduciary breaches and prohibited transactions and have plagued the retirement plan industry for the last two decades.

The disclosure rule was expanded by the Consolidated Appropriations Act of 2021 to apply to welfare plans, and several notable cases have already been filed against welfare benefit plan sponsors. These recent cases have included claims that the benefits committees have been imprudent in their plan design, have overpaid for benefits, have set their premiums too high because of commissions being paid to brokers, have improperly retained rebates, and have had a conflict of interest when selecting plan partners.

Note that while there is no law requiring employers to sponsor a retirement plan for their employees, the same is not necessarily true for welfare benefits. Under the Affordable Care Act, certain large employers are required to offer medical insurance to full-time employees or risk a penalty from the Internal Revenue Service.  As a result, employers who offer group health insurance will be at risk for claims regarding these benefits and services and cannot protect themselves by simply not offering the benefit.

Now is the time for plan fiduciaries to protect themselves from potential claims by revisiting their fiduciary practices as they apply to health and welfare plan administration.

Check our blog regularly for more information on this topic.  In the meantime, please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.