From 401(k) to Health Plans
The rise of fiduciary risk under CAA 2021 and ERISA.

Stephen Carrabba and Jamie Greenleaf
The evolution of fiduciary oversight in employer-sponsored benefits has crossed onto a new frontier. What began as a transformation within the 401(k) retirement space—driven by lawsuits, Department of Labor rules and fee transparency—is now unfolding in health care plans. Fueled by the Consolidated Appropriations Act of 2021 and embedded in the fiduciary standards of the Employee Retirement Income Security Act, plan sponsors must recognize that such oversight of health care benefits is no longer optional.
This article is meant to go beyond surface comparisons. It frames 401(k) governance as a blueprint of fiduciary best practices that employers can apply to their health care plans. It outlines key legal shifts, case-law momentum and governance gaps, and it offers a strategic road map for plan sponsors to stay ahead of regulatory and litigation risk—highlighting where aligned, conflict-free service partners can support the transition.
The 401(k) Compliance Playbook: A Brief Evolution
The evolution of 401(k) governance was not abstract—it was driven by litigation that revealed widespread shortcomings and ultimately redefined fiduciary standards.
Key cases include:
- Tussey v. ABB Inc. (2012): In one of the first landmark 401(k) fee cases, the court found that ABB and its fiduciaries breached duties by failing to monitor fees paid to Fidelity, including recordkeeping charges and revenue-sharing practices;
- Tibble v. Edison International (2015): The U.S. Supreme Court affirmed that plan fiduciaries have an ongoing duty to monitor plan investment offerings and remove imprudent options. This case established the “continuing duty” standard;
- Cassell v. Vanderbilt University (2021): A cautionary tale about the importance of plan governance and prudent vendor management, particularly regarding recordkeeper arrangements and data sharing; and
- Cunningham v. Cornell University (2025): The Supreme Court clarified that plaintiffs bringing a claim under ERISA Section 406 only need to plausibly allege that a fiduciary engaged in a transaction prohibited under ERISA Section 1106(a)(1)(C). This significantly lowers the bar for bringing ERISA prohibited transaction claims, making it easier for litigation to proceed.
Health Plan Oversight: A System More Than 10 Years Behind
Until recently, health plans operated in a compliance void:
- Brokers were paid undisclosed indirect compensation;
- Third-party administrators set administrative pricing without challenge;
- Pharmacy benefit managers retained opaque rebate structures;
- Networks and TPAs operated with inherent conflicts of interest, often prioritizing carrier or vendor relationships ahead of employer and plan member interests; and
- Employers lacked access to their own claims and pricing data.
Enter the CAA, in 2021, which included:
- Section 201: Gag Clause Removal – Prohibits gag clauses, ensuring transparency rights and employers’ access to their data related to cost and quality;
- Section 202: 408(b)(2)(B) Compensation Disclosures – Requires brokers/consultants to disclose all direct and indirect compensation and requires the employer to assess the reasonableness of those arrangements;
- Section 203: Comparative Analysis Reporting under the Mental Health Parity and Addiction Equity Act – Bars health plans from having separate treatment limitations and cost-sharing requirements for mental health and substance abuse, and it requires health plans to conduct and document comparative analyses of nonquantitative treatment limitations; and
- Section 204: Prescription Drug Health Care Data Collection Reporting – Requires insurance companies and employer-based health plans to submit information about prescription drug and health care spending to the U.S. departments of Health & Human Services, Labor and the Treasury.
The 8 Fiduciary Responsibilities
In addition to the mandates introduced by the CAA, ERISA imposes a set of fundamental fiduciary responsibilities that apply equally to health plans. These principles form the foundation of prudent oversight and require fiduciaries to:
- Act solely in the interest of participants and beneficiaries;
- Act prudently, with the care, skill and diligence of a prudent expert;
- Follow the plan documents (to the extent they align with ERISA);
- Diversify plan investments and arrangements to minimize the risk of over-reliance on a single vendor or opaque pricing structure;
- Pay only reasonable plan expenses, ensuring transparency in fees and compensation;
- Avoid conflicts of interest, especially where TPAs, networks or brokers benefit at the expense of the plan;
- Ensure plan assets are protected and managed appropriately (the parallel for health plans is being transparent and safeguarding payment flows); and
- Provide full and fair disclosure to participants and beneficiaries regarding plan operations, benefits and rights.
Together, these responsibilities reinforce the principle that fiduciary oversight is not passive—it needs to be active, documented and defensible.
The regulatory expectation is now clear: Fiduciaries must manage health plans with the same diligence, process and documentation expected in 401(k) oversight.
Fiduciary Litigation Has Arrived
The following health plan lawsuits echo the fiduciary breach theories common in 401(k) litigation:
- Tiara Yachts v. Blue Cross Blue Shield of Michigan: The employer alleged BCBS engaged in “hidden fee” practices by marking up provider claims and pocketing undisclosed amounts—mirroring recordkeeper revenue-sharing controversies in 401(k) litigation;
- Lewandowski v. Johnson & Johnson: Failure to manage PBM drug pricing and rebate structure, as well as excessive prescription costs;
- Navarro v. Wells Fargo: Alleged hidden broker/TPA compensation and a breach of fee transparency;
- Owens & Minor v. Anthem: Claimed TPA overcharged and blocked data access, paralleling recordkeeper conflicts in 401(k) cases;
- Stern v. JPMorganChase: Participants sued for PBM oversight failures and rebate mismanagement; and
- Kraft Heinz v. Aetna: The employer alleged a breach of fiduciary duty due to pricing opacity and failure to ensure fair vendor arrangements.
Plan sponsors can start engaging in the process through the following steps:
- Establish a Health Plan Fiduciary Committee and include formal documentation, charter and governance training;
- Hire a “Prudent Expert”: If you are not looking to become the “prudent expert,” make sure you hire one;
- Require Transparent Contracts and Data Access and ensure audit rights, data availability and clear service terms in all agreements;
- Perform Routine Market Checks and Benchmarks by using independent data to compare TPAs, PBMs and broker compensation;
- Conduct Independent Claim and Vendor Oversight by monitoring claim payments, vendor practices and financial flows to ensure plan assets are spent solely for the benefit of participants;
- Document Everything by tracking vendor decisions, contract changes, plan expenses and governance activities; and
- Train Plan Fiduciaries by educating committee members on their responsibilities under ERISA and the CAA.
Conclusion
The fiduciary transformation that reshaped retirement plans is bearing down on employer-sponsored health plans. With the CAA of 2021, ERISA and recent litigation, employers can no longer treat health plan oversight as optional. Hidden fees, opaque vendor arrangements and restricted data access mirror the same problems that once plagued 401(k)s—and courts are making clear that fiduciaries must act with the same diligence, prudence and documentation in health benefits as they do in retirement plans.
For plan sponsors, the mandate is straightforward: establish formal fiduciary governance, demand transparency and monitoring rights, benchmark vendors, oversee claims and payment flows, and document every step. Litigation is already here, and regulators have set expectations. Those that adopt a 401(k)-style playbook—supported by prudent experts and conflict-free partners—can protect both their organizations and participants, while those that delay risk becoming the next case study in fiduciary failure.
Stephen Carrabba is the founder and CEO of ClaimInformatics, and Jamie Greenleaf is a fiduciary consultant and co-founder of the firm Fiduciary In A Box.
This feature is to provide general information only, does not constitute legal or tax advice, and cannot be used or substituted for legal or tax advice. Any opinions of the author do not necessarily reflect the stance of ISS STOXX or its affiliates.