Executive Overview
Employers face increasing ERISA scrutiny, with recent legislation requiring annual certification to ensure that healthcare benefits are delivered in members' best interests. Yet many employers still lack full data rights or visibility into key contracts, limiting their ability to oversee vendors or validate prudent decisions. Failing to address these heightened obligations can result in personal liability for board members and executives, as well as potential penalties and enforcement actions from regulatory authorities.
Fiduciary Obligations and Risks for Employers
When a company sponsors a health plan, it assumes a fiduciary role under ERISA, which requires fiduciaries to act "solely in the interest of the participants and beneficiaries." While this document focuses on self-funded employers, it is critical to note that all ERISA plans - including fully-funded, small group, middle-market, and large group plans - are subject to these fiduciary responsibilities, emphasizing cost transparency, contractual oversight, and evaluation of broker and consultant compensation.
Corporate leadership - including the CEO and CFO - must act solely in the interest of plan members. This includes ensuring prudent decision-making, monitoring TPAs and PBMs, keeping fees reasonable, and protecting participant data. Because fiduciary duties under ERISA apply to the individuals making decisions - not just the company - business leaders can face personal liability if they fail to act prudently or in the best interests of participants.
A key fiduciary obligation under the CAA is the requirement that employers annually certify to HHS that all gag clauses have been removed from their health plan contracts. Fiduciaries must access and use their plan's own cost, quality, access, and outcomes data to make rational and accountable procurement decisions and to assess the cost and value of vendors to the plan. This accountability also extends to the right to check the work of vendors to the plan to assure accuracy and accountability, including the ability to audit payments and recoup erroneous payments or overpayments.
To do so, employers must review all contracts - ASO, PBM, SPD, network, and stop-loss - to ensure they can obtain data and audit payments. Many discover they lack critical contracts or data rights, making proper oversight impossible. Regulators increasingly view data access and contract transparency as core to fiduciary duty, and employers without them face significant legal risk.
For many self-funded employers, meeting these obligations is especially challenging when they rely on a large carrier as their ASO. While these large carriers administer claims and provide network access, they often limit the employer's visibility into detailed claims data, pricing methodologies, and contracted reimbursement rates. Many ASO agreements also restrict audits, obscure administrative fees, and prevent employers from reviewing or negotiating critical PBM, network, or repricing arrangements embedded in the ASO contract. This lack of transparency can make it extremely difficult for fiduciaries to evaluate whether fees are reasonable, whether claims are being adjudicated accurately, or whether vendor behavior aligns with the employer's duty to act solely in the best interests of its members.
As AI is increasingly used in claims processing, navigation, and utilization management, it has the potential to both strengthen and complicate fiduciary compliance. On the positive side, AI can help identify unreasonable fees, detect TPA or PBM claim-processing errors, and flag patterns of inappropriate denials - supporting the fiduciary duty to monitor vendors and ensure fair, accurate administration. It can also analyze network performance, highlight overspending, and help validate MHPAEA and CAA transparency requirements. At the same time, AI can create new risks if not properly governed: biased algorithms could lead to inconsistent approvals, opaque models may make claim decisions hard to justify, and inadequate oversight could allow PHI to be mishandled or exposed.
Lack of Standardized Framework Increases Risk for Companies
Unlike cybersecurity or operational risk domains, there is no standardized framework - such as SOC 2, NIST, ISO, or HITRUST - that can be used to verify or certify that fiduciary obligations are fully met. These frameworks can support aspects of prudence, data protection, and vendor oversight, but they do not address the full scope of ERISA's legal duties. Ultimately, fiduciary compliance depends on governance, documentation, and judgment, not on passing an external audit.
Potential Personal Liability for Corporate Leadership
When corporate leadership (e.g., the CEO, CFO, or a member of a Board of Directors) acts as a fiduciary for a company's health plan, they are personally responsible for upholding their duties under ERISA. The basis for this liability is that fiduciary duties under ERISA apply to the individuals making decisions, not just the company. Failing to address heightened fiduciary obligations can result in personal liability for board members and executives. As Mercer Consulting pointed out, "ERISA fiduciaries who violate their duties may be subject to investigation and personally liable for any profits obtained or losses incurred through the use of plan assets. ERISA fiduciaries also can be subject to removal from their fiduciary coverage to the fiduciary positions, other court-ordered equitable relief and DOL civil penalties."
Recent Fiduciary-Duty Lawsuits Involving Large Employers
In recent years, companies that mismanage self-funded health plans or fail to meet fiduciary duties have faced significant legal consequences, including lawsuits from plan members, class actions, and enforcement actions by the Department of Labor. Courts have held employers liable for excessive fees, lack of vendor oversight, undisclosed conflicts of interest, and discriminatory claims practices - sometimes resulting in multimillion-dollar settlements or mandated corrective actions. These rulings can extend beyond the company itself: executives and committee members who acted as fiduciaries may be held personally responsible for losses to the plan if they failed to act prudently.
- Owens & Minor, Inc. v. Anthem Health Plans of Virginia (E.D. Va. 2024-cv-820) - Employer sued its TPA (Anthem) for alleged mismanagement of its self-funded plan, hidden fees, and failure to provide adequate claims data.
- Tiara Yachts, Inc. v. Blue Cross Blue Shield of Michigan (6th Cir. 2025, No. 24-1223) - Court found BCBSM may have acted as an ERISA fiduciary by overpaying claims and retaining 'savings,' reviving the employer's claims.
- JPMorgan Chase & Co. (Stern v. JPMorgan, S.D.N.Y. filed March 13, 2025) - Participants allege JPMorgan allowed its PBM to charge excessively high drug prices, costing employees significantly more than retail alternatives.
- Wells Fargo & Co. case (Minnesota 2025) - Plaintiffs alleged inflated prescription-drug costs and PBM mismanagement; the case was dismissed on standing grounds but highlights fiduciary exposure.
