When a company moves from a fully managed carrier plan to a level-funded or self-funded arrangement, something changes that most employers do not anticipate. Under the Employee Retirement Income Security Act, known as ERISA, the employer sponsoring the plan takes on legal obligations that did not apply in the same way under a carrier-managed plan. These are called fiduciary obligations, and they apply regardless of whether the employer hired a third-party administrator, outsourced day-to-day plan management to a PEO, or delegated all administrative decisions to a broker.
For mid-size employers with 20 to 250 employees, ERISA fiduciary duty is the area of health plan compliance that receives the least attention and creates the most exposure. A missed disclosure deadline, a prohibited transaction with a plan vendor, or failure to monitor a third-party administrator can expose the plan sponsor, and the individual officers who made plan decisions, to personal liability. The Department of Labor actively enforces these obligations and has increased its audit activity following the Consolidated Appropriations Act of 2021, which added significant new disclosure requirements for health plan service providers.
This guide explains what ERISA fiduciary duty actually requires, who bears it, how it changes when you move to a self-funded or level-funded plan, and the practical steps mid-size employers can take to stay compliant in 2026. The goal is not to turn HR managers into ERISA attorneys. It is to help employers understand what they are responsible for and where the highest-risk gaps tend to appear.
Key Takeaways
- Under ERISA, any employer that sponsors a health plan is a plan fiduciary and bears legal responsibility for plan decisions, including vendor selection, claims oversight, and fee reasonableness.
- ERISA fiduciary obligations apply to both fully managed and self-funded arrangements, but the practical compliance burden is higher for employers who have moved to level-funded or self-funded plans.
- The prudent person standard requires fiduciaries to make decisions with the care, skill, and diligence of someone familiar with the relevant field, even when they have delegated day-to-day administration to a third party.
- Prohibited transactions under ERISA include dealings between the plan and plan vendors that generate undisclosed compensation, a practice the DOL has been investigating since the CAA-required broker fee disclosures took effect.
- The Health Funding Projector at BENEFITRA lets employers model the compliance and cost tradeoffs between funding arrangements, free with no login required.
What ERISA Fiduciary Duty Means for Employers Who Sponsor Health Plans
Who Is a Fiduciary Under ERISA
ERISA Section 3(21) defines a fiduciary as any person who exercises discretionary authority over the management of a plan, exercises discretionary authority over the management or disposition of plan assets, or provides investment advice for a fee. For health plans, this definition reaches the employer as plan sponsor and plan administrator, any benefits committee or HR officer who makes binding plan decisions, and any outside service providers who exercise discretionary authority over plan administration.
The practical implication is straightforward: every HR director, CFO, or founder who has signed a benefits contract, approved a claim override, or selected a vendor for a company health plan has acted as an ERISA fiduciary, whether or not they realized it at the time. ERISA does not require formal designation or training as a condition of fiduciary status. Functional authority creates fiduciary status. If you made a binding decision about how the plan operates, you were acting as a fiduciary when you made it.
The Prudent Person Standard
ERISA Section 404 establishes the foundational duty of care: a fiduciary must act with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in conducting an enterprise of a like character and with like aims. This is not the ordinary prudence standard of everyday decision-making. It is measured against someone who understands how health plans work.
For a mid-size employer selecting a third-party administrator for a self-funded plan, the prudent person standard means gathering multiple bids, reviewing administrative fee disclosures, and documenting the decision process. An employer who selects a TPA because their broker recommended it, without reviewing the fee disclosure or evaluating alternatives, has potentially fallen short of the standard, even if the TPA turns out to be adequate. The process matters as much as the outcome.
The Duty to Monitor Plan Vendors
Delegating plan administration to a TPA, a pharmacy benefit manager, or a stop-loss carrier does not transfer the employer's fiduciary obligation. ERISA requires fiduciaries to monitor vendors on an ongoing basis to ensure they are performing their obligations competently and in compliance with plan documents. The monitoring obligation includes reviewing vendor performance reports, verifying that claims are being adjudicated in accordance with the plan document, and reviewing vendor fees on a regular basis.
For mid-size employers who have moved to self-funded or level-funded arrangements, this monitoring duty is the most frequently overlooked compliance requirement. Many employers sign a TPA contract, hand off day-to-day administration, and do not review TPA performance until a claim dispute surfaces. By that point, the employer may have accumulated months of plan administration that departed from the plan document or that involved undisclosed fees the TPA was collecting through provider arrangements.
How ERISA Fiduciary Obligations Change When You Move to Self-Funding
The Shift in Plan Asset Control
Under a fully carrier-managed plan, the carrier pools all contributions and manages the plan assets. The employer never holds plan assets directly. Under a self-funded arrangement, the employer establishes a trust or claims account that holds funds designated for claim payments. At the moment the employer controls those funds, ERISA's plan asset rules apply with full force.
Plan asset control means the employer is subject to the prohibited transaction rules of ERISA Section 406, which prohibit transactions between the plan and parties in interest, including vendors, brokers, and service providers. A TPA that routes claims through a network it owns without full disclosure of the network revenue creates a potential prohibited transaction. A broker who receives undisclosed compensation from a stop-loss carrier tied to the employer's plan creates another. The Consolidated Appropriations Act of 2021 added broker compensation disclosure requirements precisely to address this pattern. Employers who do not request and review CAA-required fee disclosures from their brokers are not meeting their fiduciary monitoring obligation. For a detailed breakdown of what changes when you move from a carrier plan to a self-funded structure, see our guide on the compliance shift to self-funded benefits.
Compliance Requirements That Apply to Self-Funded Plan Sponsors
Self-funded and level-funded plan sponsors face a set of compliance obligations that a carrier handles for fully managed groups. When you sponsor a self-funded plan, these become your direct responsibility:
- Plan document requirements: A written plan document specifying coverage, exclusions, claims procedures, and appeals rights is required under ERISA Section 402. The summary plan description must be provided to employees within 90 days of coverage enrollment and updated when material changes occur.
- Form 5500 filing: Most self-funded plans with more than 100 participants must file an annual Form 5500 with the Department of Labor. Smaller plans may qualify for simplified reporting but still have basic filing obligations.
- HIPAA compliance: The employer, as plan sponsor, is responsible for ensuring that health information is handled in accordance with HIPAA's privacy and security requirements.
- Mental Health Parity documentation: The Mental Health Parity and Addiction Equity Act requires self-funded plans to analyze and document their quantitative and nonquantitative treatment limitations annually. The CAA added stricter requirements for comparative analysis documentation.
- Transparency in Coverage: Self-funded plan sponsors must make machine-readable files available showing covered items, services, and negotiated rates, per the 2022 Transparency in Coverage rule.
What Changes in Day-to-Day Risk Exposure
For employers who have moved to self-funded arrangements, the fiduciary exposure shifts from abstract to concrete. Under a carrier-managed plan, if the carrier makes a claims adjudication error, the carrier bears the financial consequence. Under a self-funded plan, if the TPA makes a claims error that results in an overpayment, the plan sponsor may be responsible if the TPA contract does not include adequate indemnification provisions.
The practical consequence of this risk shift is that plan sponsors who have moved to self-funding need to review TPA contracts with attention to indemnification, performance standards, and termination rights. They also need to verify that their stop-loss coverage picks up at the correct attachment point and covers the claim types their workforce actually generates. Our guide on how stop-loss coverage works in self-funded health plans explains the key contract terms and coverage decisions that determine whether the employer is actually protected.
Practical ERISA Compliance Steps for Mid-Size Employers
Documenting the Decision Process
The single most important compliance step for ERISA fiduciaries at any plan size is documenting the decision process. ERISA does not require a perfect outcome. It requires a prudent process. An employer who reviews three TPA bids, receives and reviews fee disclosures, and documents the selection rationale has satisfied the standard even if the selected TPA later underperforms. An employer who selects a TPA on a broker's recommendation with no documentation has potentially fallen short of the standard even if the TPA performs well.
Documentation should cover three areas: vendor selection decisions, which include what was reviewed, who participated, and why the choice was made; annual vendor performance reviews, which include what was checked, any issues found, and corrective steps taken; and plan design changes, which include the rationale, who approved, and any member-impact analysis that was considered. These records do not need to be elaborate. A brief written summary of each decision, retained in a plan file, is sufficient for most mid-size employer situations.
Requesting and Reviewing Required Fee Disclosures
Since 2021, the Consolidated Appropriations Act has required brokers and consultants who advise employer-sponsored health plans to disclose all direct and indirect compensation they receive in connection with the plan. The disclosure must be made in writing before the broker is engaged or before the contract is renewed.
Mid-size employers who have not requested these disclosures should do so at their next broker renewal. The disclosure should list all compensation the broker receives from carriers, TPAs, stop-loss carriers, and any other plan vendors. If the broker receives volume bonuses from the stop-loss carrier based on the book of business they place with that carrier, that compensation should appear on the disclosure. Reviewing the fee disclosure is part of the fiduciary monitoring obligation. An employer who receives the disclosure and renews the broker contract without evaluating whether the compensation structure aligns with the plan's interests has potentially not satisfied the monitoring duty.
Working With Qualified Plan Advisors
ERISA allows fiduciaries to delegate certain responsibilities to qualified professionals. An employer who engages an experienced ERISA-focused benefits attorney to review plan documents and compliance has documented a prudent process. An employer who works with a benefits advisor who carries fiduciary liability coverage and who is contractually bound to act in the plan's interest, rather than in the interest of carriers or other vendors, has built a stronger compliance position than one who works with a broker under a standard commission arrangement.
For mid-size employers evaluating their funding arrangement options, understanding the compliance implications of each option is part of the due diligence process. Our guide on the six health coverage funding strategies for mid-size employers covers the compliance and cost tradeoffs across fully managed, level-funded, self-funded, captive, and PEO arrangements, with specific attention to what each funding type adds to the employer's compliance burden.
Where Mid-Size Employers Most Often Run Into ERISA Exposure
The Annual Enrollment Season Risk Window
The highest-risk period for ERISA fiduciary exposure at a mid-size employer is the 60 to 90 days before and after annual enrollment. This is when plan changes are made, when employee elections are recorded, and when the plan document either reflects or fails to reflect what was communicated to employees. A summary plan description that says one thing and a benefits guide that says another creates an ERISA compliance gap that an employee can enforce through a formal claim.
Summary plan descriptions and benefits guides should be reviewed by someone with ERISA plan document experience before they are distributed, not after. Most mid-size employers do not have this review built into their enrollment calendar. Adding it is a low-cost step that closes a significant exposure window.
The Claim Denial Process
ERISA prescribes specific requirements for how plan administrators must handle claim denials. A denial must be in writing, must explain the reason in plain language, must reference the specific plan provision on which the denial is based, and must describe the claims and appeals procedures available to the claimant. An employer who handles claim denials informally, without following the ERISA-required written denial procedures, has created plan document compliance gaps that can be used against the plan in litigation.
For self-funded employers, the claims adjudication function is typically handled by the TPA. But the plan sponsor retains the fiduciary obligation to ensure the TPA is applying the plan document correctly. Reviewing a sample of claim denials each year, including both upheld and overturned appeals, is a straightforward monitoring step that provides evidence of ongoing fiduciary oversight.
The ACA Affordability Intersection
For employers with 50 or more full-time equivalent employees, ERISA fiduciary obligations intersect with ACA employer mandate compliance. The employer's plan document must offer coverage that meets minimum value and affordability standards under the ACA. If the plan document offers coverage that the employer's HR team marketed as affordable during enrollment, but the actual plan fails the ACA affordability test, the employer faces both ACA penalty exposure and a potential ERISA disclosure issue. Our guide on ACA affordability rules for 2026 covers how to set contribution levels that satisfy both the ACA standard and the employer's budget constraints.
Frequently Asked Questions
Are all employers who sponsor health plans subject to ERISA fiduciary obligations?
ERISA applies to most private-sector employer-sponsored benefit plans. Government employer plans and church plans are generally exempt. Any private-sector employer that offers a group health plan to employees is subject to ERISA, regardless of company size or whether the plan is fully managed by a carrier or self-funded. The specific compliance obligations differ by plan type and employer size, but the core fiduciary duties, including the prudent person standard and the duty to monitor vendors, apply broadly across the private-sector employer population.
What happens if an employer fails to meet ERISA fiduciary obligations?
ERISA fiduciaries who breach their duties can be held personally liable for losses to the plan and for restoring any profits made through the breach. The Department of Labor can seek civil penalties for certain violations, and plan participants can sue fiduciaries directly for breach of duty. For mid-size employers, the most common enforcement pathway is a DOL audit triggered by a participant complaint or selected as part of a targeted enforcement initiative. Fiduciary liability is not limited to the company as an entity; individual officers who acted as functional fiduciaries can be named personally in enforcement actions.
Does ERISA fiduciary duty apply differently to self-funded versus fully managed health plans?
The core fiduciary duties apply to both. The practical compliance burden is higher for self-funded plan sponsors because they are directly responsible for obligations the carrier handles for fully managed groups. Self-funded plan sponsors must maintain plan documents, file Form 5500 annually for plans over the applicable threshold, ensure HIPAA compliance as a covered entity, conduct mental health parity analyses, and monitor TPA and vendor performance against the plan document. Fully managed plan sponsors have reduced administrative exposure because the carrier manages these functions, though the duty to select and monitor the carrier remains.
What is the CAA broker fee disclosure, and is my company required to receive one?
The Consolidated Appropriations Act of 2021 requires brokers and consultants who advise employer health plans to disclose in writing all direct and indirect compensation they receive in connection with the plan. The disclosure must be made before the broker is engaged or before the contract renews. If a broker provides services to your health plan without providing this disclosure, they are in violation of the CAA requirement. As a plan fiduciary, you have an obligation to request the disclosure if it has not been provided and to review it as part of your vendor monitoring process. The disclosure should cover all forms of compensation, including commissions, volume bonuses, and fees from carriers, TPAs, and stop-loss carriers.
How does working with a PEO affect an employer's ERISA fiduciary obligations?
When an employer joins a PEO's master health plan, the PEO typically becomes the plan sponsor and assumes the primary ERISA fiduciary responsibilities for the plan. The employer retains obligations related to accurately reporting employee data to the PEO and ensuring that the PEO's plan meets ACA standards, but the bulk of the plan document, compliance, and vendor monitoring obligations shift to the PEO. This is one of the meaningful compliance benefits of a PEO arrangement for smaller employers who do not have dedicated ERISA compliance resources. The tradeoff is reduced plan design flexibility, since employees participate in the PEO's master plan rather than a plan the employer designs directly.
What documents should an employer retain to demonstrate ERISA fiduciary compliance?
Plan fiduciaries should retain written records of vendor selection decisions, including what was reviewed and why the choice was made; annual vendor performance reviews; plan document updates and the rationale for changes; CAA broker compensation disclosures received and reviewed; participant communications including summary plan descriptions and open enrollment guides; claim denial logs and appeals records; and Form 5500 filings with supporting schedules. ERISA does not specify a retention period for fiduciary decision records, but the DOL generally looks back six years in an audit. Retaining decision records for at least six years from the date of the decision is a reasonable standard for most mid-size employers.
About the Author
Sam Newland is a Certified Financial Planner (CFP) and founder of BENEFITRA. He works with mid-size employers who have 20 to 250 employees, helping them navigate the compliance and cost decisions that come with sponsoring a group health plan. Sam's approach centers on transparency: employers should understand exactly what their plan requires of them legally, and exactly what they are spending, before they commit to any funding arrangement. His agency helps companies evaluate these questions without the conflict of interest that comes with commission-based brokerage.