Employee benefits compliance has many traps for the unwary and is ever evolving. Below, we have provided a primer on current issues of importance in the employee benefits area to help in-house attorneys identify potential risks, mitigate them, and know when to call an outside ERISA lawyer.

1. What Is Old Is New: Get Your Health Plan Governance in Order

Employers that sponsor self-funded health plans have a host of complicated obligations. The legal, regulatory, and fiduciary risks of managing a health plan are greater than in years past for three reasons: more congressional legislation, a sharper Department of Labor (DOL) focus on group health plan compliance, and more group health plan litigation, often brought by the same plaintiffs' firms that have spent the past 20 years or more suing 401(k) plans over fees.

Employers should consider properly establishing a benefits committee, much like how they established committees for their retirement plans, that will serve to govern and oversee their employer-sponsored group health plans, especially those that are self-funded. A formal committee could help employers stay compliant, formalize their prudent decision-making process, and shift certain fiduciary liability to the benefits committee from the Board, thus insulating the Board from the underlying fiduciary decisions.

2. Stay Calm and Carry On: Mental Health Parity Non-Enforcement Policy Pauses Only Certain Requirements

Self-insured health plans must show that the plan does not include more restrictions on access to mental health benefits than on access to medical benefits. The law looks at both financial limits (e.g., coinsurance, copays, and deductibles) and other types of limits (e.g., pre-authorization requirements, provider network design, and prescription drug formulary design). 

Beginning in 2021, plans were required to produce a written analysis of the non-financial limits, also known as non-quantitative treatment limitations (NQTLs), and the DOL has been actively auditing those analyses. Such audits have been time- and resource-intensive, given that the DOL has yet to approve an analysis without changes.

Late last year, the agencies released a final rule detailing their expectations for the NQTL analysis. They have since been sued over the rule, with the plaintiffs claiming agency overreach. On May 15, 2025, the DOL, together with the Departments of Health and Human Services and the Treasury, announced that it would not enforce the final rule but would continue to enforce the statute and prior guidance.

Therefore, self-insured plans should continue to produce and update their NQTL analysis. We expect at least some continued audit activity, as well as the threat of private litigation.

3. To Report or Not to Report, That Is the Question: Florida Data Request to Self-Insured Plans Under Pharmacy Benefits Management Law

Several states have recently enacted laws designed to increase oversight of pharmacy benefit managers (PBMs) and limit certain PBM practices. Many of these laws impose reporting obligations on PBMs and the plans and employers with which they contract. While some of these laws exempt self-funded group health plans from their reach, recognizing that states are generally preempted from regulating such plans under ERISA, others explicitly include self-funded group health plans within their reach. For example, Florida’s Prescription Drug Reform Act includes “self-insured employer health plans” in its definition of “pharmacy benefits plan or program”—the category of plans to which the law applies.

This year, Florida’s Office of Insurance Regulation issued data requests under the PBM law, asking PBMs and group health plans to submit a broad range of prescription drug data, including participants’ names, dates of birth, prescriptions filled, and doctors visited. For sponsors of self-funded health plans, these data requests and similar requests made by other state agencies raise questions regarding both ERISA preemption and Health Insurance Portability and Accountability Act (HIPAA) obligations. 

We expect that these questions may soon be answered through litigation, but in the meantime, employers with self-funded plans should work with counsel to evaluate these requests on a case-by-case basis. In some instances, the requested data may be minimal, and the state laws may fall outside of ERISA’s broad preemption protection. In other cases, where states request sweeping, specific data, such requests might be preempted by ERISA, especially where sharing the information would violate HIPAA. 

4. If You Didn’t Document It, It Didn’t Happen: Takeaways from Cunningham v. Cornell University

On April 17, 2025, the U.S. Supreme Court ruled in Cunningham v. Cornell University that a plaintiff can allege that a transaction between a plan and a “party in interest,” such as a plan service provider, is a “prohibited transaction” under ERISA even if the plaintiff does not allege that the transaction was unreasonable or unnecessary. Why did the Court conclude that a plaintiff need not allege anything specifically wrong, especially when transactions between plans and their service providers are routine? The Court took a textualist approach and concluded that ERISA’s structure places the burden on the plan fiduciary to prove that the transaction was necessary and reasonable; because the exemption is the fiduciary’s to prove, a plaintiff need not plead “unreasonableness” in its complaint. As the Court conceded, the result is a lower bar for surviving a motion to dismiss, making it harder for plans to avoid costly litigation over weak, if not outright meritless, prohibited transaction claims. Recognizing that this may be problematic for plans, the Court urged lower courts to use the other tools at their disposal to weed out meritless claims early, such as requiring additional pleadings or shifting the plan’s legal fees to the plaintiff.

So, what can a prudent plan administrator take away from a case about technical ERISA pleading standards? The clearer a fiduciary’s prudent process for selecting and compensating a plan service provider, the better. Clear documentation of the fiduciary’s process, such as in committee meeting minutes (preferably, vetted by experienced counsel), makes it more likely that a court will see the prudence a fiduciary has exercised from the get-go, before individuals have to defend their efforts in depositions. 

5. How Well Is Your Wellness Plan?

HIPAA’s wellness program rules provide an exception to its general rule prohibiting a group health plan from setting premiums or benefits based on a health factor. Employers offering wellness programs should be mindful of ongoing challenges to health-contingent programs, which require participants to satisfy a standard related to a health factor in order to earn a reward. Health-contingent programs are either outcomes-based or activity-only. Although many of the requirements apply to both types, challenges, including litigation, have focused on outcomes-based programs. An outcomes-based program must offer a “reasonable alternative standard” to any participant who fails to meet the initial standard, whether or not it is medically inadvisable for that participant to attempt the standard or unreasonably difficult to meet it because of a medical condition. The cases focus on whether a reasonable alternative standard was actually available and how it was communicated.

Employers offering these programs should review their communications ahead of open enrollment season to make sure the reasonable alternative standard is disclosed in all printed and electronic materials. Employers should also confirm that they are, in fact, offering a reasonable alternative standard and that the reward is paid retroactively for the period during which the participant was working to satisfy it.

6. Don’t You Forget About Me: Cybersecurity Guidance Applies to All Employee Benefit Plans

In April 2021, in the wake of a rash of phishing and hacking incidents that resulted in the theft of retirement funds, the DOL issued cybersecurity guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants. The DOL recognized that the vast assets held in private-sector pension and defined contribution plans were being managed without sufficient vigilance, protections, and accountability, leaving them exposed to both internal and external cyber threats.

The guidance issued by the DOL includes Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips. However, it was heavily focused on ways to protect retirement plan data and the financial assets in retirement accounts, leading many to the misconception that the guidance didn’t extend to the data maintained by the plan sponsors, plan fiduciaries, and the contractors and vendors for health and welfare plans.

As cybercrime evolved and attackers turned to malware and ransomware, health care data became an increasingly attractive target. The systems that health care organizations run keep people alive and healthy, so there is little tolerance for leaving them offline, which makes a ransom more likely to be paid and magnifies the value of health care data to cybercriminals. Breaches of large vendors made it abundantly clear that, in a digital world, the need for strong cyber hygiene transcends plan type, prompting the DOL to issue an update to the cybersecurity guidance in September 2024 (Compliance Assistance Release No. 2024-01) confirming that it applies to all ERISA plans, including health and welfare plans.
