Under the Employee Retirement Income Security Act of 1974 (ERISA), employers who sponsor health or retirement plans are fiduciaries, meaning they are legally responsible for protecting participants’ best interests. But employers rarely operate these plans alone. They rely on a network of third-party service providers such as consultants, brokers, TPAs, PBMs, auditors, and others to manage sensitive participant data. When those vendors access, process, or store protected health information (PHI) from a health plan, they become ERISA Business Associates.
Defining an ERISA Business Associate
An ERISA Business Associate is any outside person or organization that performs work for an ERISA-covered health plan and, in doing so, handles PHI. This concept originates under the Health Insurance Portability and Accountability Act (HIPAA) but directly affects ERISA plans because HIPAA privacy and security rules apply to group health plans that are subject to ERISA.
In plain terms:
If a service provider can see, store, or use your employees’ health data, they are a Business Associate.
Examples include:
Third-Party Administrators (TPAs) who process medical claims
Pharmacy Benefit Managers (PBMs) who manage prescription drug programs
Benefits consultants or brokers who design or negotiate plan options
Data analytics firms that evaluate claims for cost management
Cloud or IT vendors hosting benefits platforms containing PHI
These Business Associates are extensions of the employer’s fiduciary responsibility. If a Business Associate mishandles PHI or breaches privacy laws, the employer (plan sponsor) can still face liability for failing to properly oversee or contract with them.
The Role of a Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is the formal, legally required contract between a covered entity (the employer’s health plan) and each of its Business Associates. It outlines exactly how PHI can be used, stored, transmitted, and protected. Without this agreement, allowing a vendor to access PHI is a HIPAA violation.
The Department of Health and Human Services (HHS) mandates BAAs to ensure accountability across all parties who handle sensitive health data. A compliant BAA typically includes:
Permitted uses and disclosures of PHI by the Business Associate
Safeguard requirements, ensuring PHI is stored securely and protected from unauthorized access
Breach notification obligations, requiring the Business Associate to inform the plan promptly of any data breach
Subcontractor compliance, ensuring any subcontractors who handle PHI also sign equivalent agreements
Termination clauses, allowing the employer to end the relationship if the Business Associate violates the agreement
A well-drafted BAA does more than satisfy HIPAA. It reinforces ERISA fiduciary obligations by demonstrating that the employer has taken prudent steps to protect participants’ data.
Why This Matters for Fiduciaries
Under ERISA, fiduciaries must act with “care, skill, prudence, and diligence.” That responsibility now extends to monitoring data security and privacy practices. If a Business Associate’s actions result in harm to participants, whether through a data breach or misuse of health information, the employer could be seen as having failed in their fiduciary oversight duties.
As recent litigation highlights, employers are increasingly being held accountable for vendor misconduct and conflicts of interest within the health benefits ecosystem. Fiduciary oversight now means more than monitoring costs and fees; it includes monitoring how data and decisions are managed by Business Associates.
“Who watches the Watchmen?” Jed Cohen asked in BenefitsPRO, a reminder that even those hired to help employers must themselves be monitored and held accountable.
Practical Steps for Employers
To remain compliant and minimize fiduciary exposure:
Identify all Business Associates that access PHI under your health plan
Execute a Business Associate Agreement (BAA) with each vendor before sharing PHI
Verify compliance by requesting documentation of each vendor’s HIPAA policies, security training, and incident response plan
Regularly review and update BAAs, especially when plan design, vendors, or technology change
Document oversight activities by recording your review process, findings, and follow-up actions
These steps not only meet HIPAA’s privacy and security requirements but also satisfy ERISA’s demand that fiduciaries demonstrate prudence and accountability.
Final Thoughts
An ERISA Business Associate is not just a vendor; it is a fiduciary risk partner. The Business Associate Agreement is your first line of defense, transforming that relationship into a clearly defined, enforceable framework for protecting participant data.
As litigation around fiduciary breaches expands from retirement to health plans, employers who take time now to identify their Business Associates, execute compliant agreements, and monitor those relationships will be better positioned to avoid regulatory penalties and class-action exposure.
Or as one of the most famous lines from The Watchmen goes:
"Who watches the Watchmen?"
In the world of ERISA fiduciary compliance, you do.
References:
[1] U.S. Department of Health & Human Services. (2023). Business Associate Contracts. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
[2] U.S. Department of Labor. (2024). ERISA Compliance for Health Benefit Plans. EBSA. https://www.dol.gov/agencies/ebsa
[3] Cohen, J. (2022, July 26). Conflicts of interest in the health insurance industry: “Who watches the Watchmen?” BenefitsPRO. Fiduciary In A Box. https://www.benefitspro.com/2022/07/26/conflicts-of-interest-in-the-health-insurance-industry-who-watches-the-watchmen/
[4] Cohen, J. (2024, May 6). Breaking News: Mayo Clinic Sued for Fiduciary Breach on Health Plan. Fiduciary In A Box. https://www.fiduciaryinabox.com/breaking-news-mayo-clinic-sued-for-fiduciary-breach-on-health-plan/
[5] U.S. Department of Health & Human Services. (2024). The HIPAA Privacy Rule and ERISA Health Plans. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/erisa-health-plans/index.html