You’re Probably a Plan Fiduciary. Do You Know What That Means?

If your company sponsors a health plan, especially a self-funded one, there is a good chance that you, or someone on your team, is an ERISA fiduciary. Most people in that position have never been told so. Here is what the role requires, why it has become one of the fastest-growing areas of litigation and enforcement risk for employers, and what to do if a claim or an investigator ever comes knocking.

First, the uncomfortable truth: you’re probably a fiduciary

When employers think about legal exposure from their benefits programs, they usually picture the carrier, the third-party administrator, or the broker, the professionals they pay to handle the plan. What they rarely picture is themselves. Yet under the Employee Retirement Income Security Act (ERISA), the federal law that governs employer-sponsored benefit plans, fiduciary status does not attach to a title or a job description. It attaches to what you actually do.

ERISA defines a fiduciary functionally. You are a fiduciary to the extent that you exercise discretionary authority or control over the management of the plan or its assets or have discretionary responsibility in administering it. No one has to appoint you. You do not have to want the job. If you make discretionary decisions about how the plan is run or how its money is spent, the law treats you as a fiduciary for those decisions, with all of the duties and personal exposure that come with them.

In most companies, the employer itself is the plan’s “named fiduciary” and “plan administrator,” often by default, because the plan document simply names “the Company.” But courts look through the company to the people who exercise the discretion. That usually means the benefits committee, if one exists. If one does not, it means whoever is doing the work: the HR or benefits leader who decides appeals and selects vendors, the CFO or controller who signs the administrative-services agreement and controls the account holding employee contributions, sometimes an owner or executive with the final say. A great many people are carrying fiduciary responsibility right now without realizing it, which is exactly the problem.

When you’re the employer, and when you’re the fiduciary

Here is the distinction that trips up even sophisticated employers, and the one worth internalizing first: you wear two different hats, and only one of them carries fiduciary duty.

When you decide whether to offer a health plan, what benefits to include, how much employees will contribute, or whether to self-fund, those are business decisions. ERISA calls them “settlor” functions, and they carry no fiduciary obligation. You are free to make them in the company’s interest, to change them, or to end the plan entirely. As an employer designing a benefit, you owe your duty to the business.

The moment you start implementing those decisions, the other hat goes on. Selecting and contracting with the TPA and the pharmacy benefit manager (PBM), negotiating their fees, handling the employee premium dollars withheld from payroll, deciding claims and appeals, and communicating with participants: all of that is fiduciary activity. And when you act as a fiduciary, you no longer owe your duty to the company. You owe it, exclusively, to the plan’s participants and their families.

That shift is the whole ballgame. The same person, in the same week, can put on the settlor hat to decide that the company will raise the employee contribution next year, a pure business call, and then put on the fiduciary hat to evaluate whether the PBM the plan pays is charging a reasonable fee. The skill is knowing which hat you are wearing for which decision, and not letting the company’s financial interest quietly drive a choice that the law says must be made solely for participants. The premium-and-pricing theories in the recent wave of lawsuits live precisely on this seam: plaintiffs argue that employers let cost-shifting to the business contaminate decisions that were supposed to be made for participants alone.

What does the law actually ask of you?

ERISA’s fiduciary duties are often called the highest known to the law. In plain terms, four of them matter most for a health plan:

  • Loyalty. Act solely in the interest of participants and beneficiaries, for the exclusive purpose of providing their benefits and paying reasonable plan expenses, not in the interest of the company, and not in your own.
  • Prudence. Act with the care, skill, and diligence of a knowledgeable person familiar with these matters. Critically, and this is the single most important thing to understand, prudence is judged by your process at the time, not by how things turn out in hindsight. A decision that produces a bad result but was made through a careful, documented process is defensible. A decision that happened to turn out fine but was made carelessly, with no process at all, is not.
  • Follow the plan documents. Administer the plan in accordance with its written terms, to the extent those terms are consistent with ERISA.
  • Pay only reasonable expenses. The plan may pay only the reasonable costs of administering it, which is the legal hook for scrutinizing everything you pay your TPA, PBM, and broker.

The reason “process, not outcome” matters so much is that it tells you exactly how to protect yourself. You cannot guarantee good results, but you can build and document a prudent process. That record is the difference between a defensible decision and an indefensible one.

Why does this matter far more than it did three years ago?

Two features of ERISA make fiduciary status genuinely serious. First, the duties run with personal liability. A fiduciary who breaches is personally liable to make the plan whole for the resulting losses, out of personal assets, and can be removed and barred from serving. The plan cannot waive that with an exculpatory clause; the statute voids any such clause. The company is allowed to indemnify and insure its fiduciaries, but in my experience, the people carrying the exposure have rarely confirmed that either protection is actually in place. Second, the clock is long: the limitations period can run for six years from the breach, which means the vendor contract you sign this year could be a potential exhibit well into the next decade.

For years, this risk lived almost entirely in the retirement-plan world, where a cottage industry of plaintiffs’ firms built careers suing 401(k) fiduciaries over excessive fees. Health plans were largely spared, not because the duties were any different, but because nobody could see the prices. That has changed. The Consolidated Appropriations Act of 2021 dismantled the secrecy: it banned the “gag clauses” that kept cost and claims data hidden, required plans to attest each year that their contracts contain none, forced brokers and consultants to disclose their compensation, and made plans report prescription-drug and spending data to the federal government annually. The same plaintiffs’ firms followed the data straight into health plans.

The headline cases are about prescription-drug pricing. Participants sued Johnson & Johnson and Wells Fargo, alleging their plans paid grossly inflated prices. In the J&J complaint, the now-famous example is a generic drug the plan allegedly paid more than $10,000 for that retails for under $80. Both cases have been dismissed, more than once, and are now on appeal. But it would be a serious mistake to read those dismissals as vindication. Every one of them turned on standing, a procedural doctrine about whether these particular plaintiffs could show the overcharge hit their own wallets, not on whether the underlying conduct was prudent. No court has blessed any employer’s process. And in early 2026, a suit against JPMorgan Chase broke through: a federal court found that the plaintiffs had standing because they pleaded a detailed, drug-by-drug markup analysis showing that they personally overpaid. It allowed their imprudence and prohibited-transaction claims to proceed into discovery. The surviving theory should get every sponsor’s attention: the fiduciaries never seriously considered the alternatives, such as pass-through PBM models or specialty carve-outs, that comparable employers had already adopted.

The takeaway is not “plaintiffs keep losing.” It is that the roadmap now exists, your plan’s pricing data is increasingly public, and the defense that wins is a documented, prudent process. The window you have right now is the time to build that record, before your plan’s data shows up in someone’s complaint.

The duty you are most likely failing to perform: monitoring your vendors.

Hiring a TPA or a PBM is itself a fiduciary act. So is keeping them. Delegating work to a vendor transfers the work; it does not transfer your responsibility. The duty to monitor is a continuing obligation, and it is where most employers are quietly exposed, because the comfortable assumption is that “the broker is watching the PBM” or “the TPA handles all that.”

Discharging the duty looks like this in practice, and, not coincidentally, it is exactly what a defense lawyer will ask you to produce on the first day of a lawsuit:

  • Put your vendors out to competitive bid on a regular cycle (every three to five years is a common benchmark), and make sure transparent and pass-through PBM models are actually in the mix, because “we never looked at the alternatives” is now a live legal theory.
  • Independently benchmark what every vendor earns from your plan (TPA fees, PBM spread and retained rebates, broker commissions and overrides) against real market data, not against the vendor’s own assurance that the deal is competitive.
  • Negotiate, and then actually use, the contract rights that make oversight possible: audit rights, full access to your own claims data (which the law now requires to be available to you), rebate transparency, and reasonable termination terms.

Certain things should stop a fiduciary cold: a broker compensated by the very vendors it recommends without fully disclosing that compensation; a PBM that will not break out its spread or how much rebate money it keeps; a TPA that resists handing over your own data or pushes back on audit rights; “shared savings” or recovery fees a vendor charges for fixing problems the vendor itself created. In nearly every fee case, the conflict was sitting in the contract the entire time. Someone had to read it, and the fiduciary is the someone.

A word on what “reasonable” means, because it is widely misunderstood: it does not mean cheapest. It means you can show what the plan pays, what it gets in return, what the alternatives were, and why you chose what you chose, documented at the time.

Build the file before you need it: governance and documentation.

Because prudence is a process standard and process is proven on paper, governance is not bureaucracy; it is your best and cheapest protection. At a minimum, a self-funded sponsor should:

  • Establish a health-plan fiduciary committee by formal resolution, with a charter that defines its scope and authority. This does two things at once: it concentrates fiduciary responsibility in people who know they hold it and can be trained, and it helps insulate the board and uninvolved executives.
  • Meet regularly, quarterly or semi-annually, on real agenda items: vendor performance and fees, claims and appeals trends, compliance status, and a briefing on legal developments.
  • Keep minutes that show deliberation, not just conclusions: what you reviewed, what alternatives you weighed, what your advisors told you, and why you decided as you did. Write them as though a plaintiff’s lawyer will one day read them aloud, because if it ever matters, one will.
  • Train your fiduciaries, and document that you did.

Finally, sort out your insurance, because this is one of the most common and costly misunderstandings I encounter. Three different products get conflated. The ERISA fidelity bond is mandatory where plan assets are handled and protects the plan against theft; it does nothing for you. Employment practices liability insurance (EPLI) covers employment claims and excludes ERISA fiduciary claims. Fiduciary liability insurance is the one that actually responds to a breach-of-duty claim, and it is optional, which is why so many employers either lack it or carry a token amount buried in a management-liability policy no one has examined for health-plan coverage. Confirm that you have it, that it names your health and welfare plans, that the limits are realistic against defense costs that routinely run into seven figures, and that your individual committee members are covered.

What to do if a lawsuit or a DOL notice lands on your desk?

If it happens, your instinct will be to ask whether you did something wrong. That is the wrong first move. Two things have to happen immediately, because they cause permanent damage if you are slow, and neither one depends on whether the claim has any merit:

  1. Issue a litigation hold right away. Suspend any automatic deletion and preserve everything: committee files, vendor contracts, email, electronic records. Destroying relevant documents, even routinely and unintentionally, creates a separate and serious problem that can sink an otherwise defensible case.
  2. Put your fiduciary liability insurer on notice that day. These are “claims-made” policies, and late notice can result in the forfeiture of coverage entirely. Confirm that the policy applies to the health plan and get your defense costs covered before the fees start.

Then, in short order: engage experienced ERISA counsel and calendar your response deadline; do not let HR or a generalist draft the response. Identify everyone who might be a co-fiduciary, since others may share the exposure and individual defendants sometimes need their own counsel. And be disciplined about privilege from day one. Communications about administering the plan may not be protected from participants the way communications about defending the litigation are, so route everything through counsel and keep those two streams separate.

It also helps to understand what you are actually facing. If it is a private lawsuit, the threshold battle in today’s environment is almost always standing, whether the plaintiff has shown a concrete financial injury to themselves, not just a general grievance about the plan. That is the question that has decided the recent cases, and it is the first thing competent counsel will test.

If, instead, it is a notice from the U.S. Department of Labor, specifically its Employee Benefits Security Administration (EBSA), the posture is different. EBSA is the regulator for self-funded ERISA plans, because ERISA generally preempts state insurance departments from regulating them. A DOL inquiry usually arrives as a letter requesting documents, often prompted by a participant complaint or one of EBSA’s enforcement priorities, such as mental-health-parity compliance, the annual gag-clause attestation, or claims-and-appeals practices. The same initial rules apply: preserve documents and involve counsel before you respond. Beyond that, cooperation, carefully managed through counsel, is generally the right posture. Be accurate and complete, because what you say can shape an enforcement decision later. And be aware of a common trap: EBSA frequently asks for the plan’s mental-health-parity comparative analysis, and most sponsors who receive that request discover that no one ever prepared a plan-specific one. An investigation can resolve quietly with a voluntary compliance letter, or it can escalate to penalties, and the direction it takes often depends on how organized and credible your response is.

Where to start?

If this is unfamiliar territory, you are not so much behind as newly aware, and the first steps are genuinely manageable. Find out, on paper, who your plan’s fiduciaries are and whether the right people are formally in the role. Pull your vendor contracts and compensation disclosures and find out what everyone is paid and whether you have the data and audit rights you are entitled to. Check your insurance. And hold one documented fiduciary meeting, with the people who actually run your plan, on the three questions that matter most: what are we paying our vendors, what do our contracts let us see, and who is personally on the hook.

None of that requires a consultant or a new budget cycle. What it requires is the recognition that the role exists, the duties are real, and the record you build now is what stands between you and the next complaint. That single piece of paper, minutes from one real meeting, is the difference between a plan with a defensible process and a plan with an empty file.

About the Author:

Sara H. Jodka (Member, Columbus) is a member of the firm’s labor and employment department and regularly counsels employers and litigates all types of employment-related cases. Sara is the editor of the firm’s All Things HR Blog and the Immediate Past Chair of the Ohio State Bar Association’s Labor and Employment Section Council. She can be reached at 614-744-2943 or SJodka@dickinsonwright.com.