The Employee Retirement Income Security Act, known as ERISA, was enacted in 1974 to provide foundational standards for managing employee benefit plans. Its purpose is simple but significant: to safeguard the benefits promised to employees by setting minimum requirements for how retirement and health plans are managed in the private sector.

ERISA came about in response to growing concerns around mismanagement of pensions and health benefits. The law was designed to ensure that workers could count on the benefits their employers promised. It created legal responsibilities for those who administer plans, giving employees the right to access information, appeal denials of benefits, and hold fiduciaries accountable for missteps or misconduct.

ERISA applies to a range of plans provided by private-sector employers. This includes:

  • Retirement plans: 401(k), ESOP pension plans, profit-sharing plans, and other qualified retirement arrangements.
  • Both fully insured and self-funded health and welfare benefit plans: medical, dental, vision, disability, and other group health plans.

It's important to understand that not all plans are subject to ERISA. Governmental employers and religious organizations fall outside its scope. That means public school systems, federal or state agencies, and church-sponsored plans typically follow different compliance rules.

For businesses and plan sponsors in the private sector, ERISA is not optional. Compliance is required. That includes clear documentation, proper handling of plan funds, timely disclosures to participants, and a structured process for resolving benefit disputes. Noncompliance can lead to serious penalties—including personal liability for plan fiduciaries.

Plan sponsors hold a position of trust over other people's money.

It's not enough to offer a benefit plan. You need to run it correctly. That's where understanding ERISA comes in. Whether you manage a single health plan or multiple retirement offerings, compliance with ERISA protects your business, your employees, and your reputation.

Understanding ERISA Plans

To stay compliant, you need to know what's covered under ERISA and how these plans are structured. At its core, an ERISA Plan is any benefit plan offered by a private-sector employer that provides retirement income or health and welfare benefits. These can be formal pension programs or self-funded employee health plans. If your business sponsors one of these, ERISA likely applies.

Key ERISA Compliance Requirements

ERISA compliance isn't just paperwork—it's a legal obligation. Plan sponsors and anyone handling plan assets must follow a strict set of rules to protect participants and beneficiaries. Failing to do so can result in lawsuits, investigations, and penalties. Knowing your responsibilities under ERISA is the first step toward staying compliant.

Fiduciary Responsibilities

If you have discretion over plan management or assets, you may be a fiduciary. This includes making decisions about investment options, selecting plan providers, or administering benefits. Fiduciaries are held to a high standard of conduct, known as the "prudent person" rule. You must act solely in the interest of plan participants and beneficiaries, manage the plan for their benefit, and avoid conflicts of interest.

If you control the purse strings, you carry the risk.

Fiduciaries must also diversify investments to minimize large losses and follow plan documents, as long as those documents align with ERISA rules. In short, you're expected to make well-informed decisions and document your reasoning. If there's doubt, consult with professionals who understand the terrain.

Disclosures and Reporting

ERISA requires plan administrators to provide certain disclosures to participants and government agencies. These include:

  • Summary Plan Description (SPD): A plain-language overview of the plan's benefits, eligibility, and procedures.
  • Summary of Benefits and Coverage (for health plans).
  • Annual Form 5500 filing: A required report for most ERISA plans, submitted to the Department of Labor.

Keep in mind that these documents must be distributed in a timely and accessible way—just posting them in a file cabinet doesn't count. Electronic delivery is acceptable if it meets federal delivery standards.

Participant Rights and Appeals

Participants have the right to a fair process when claims are denied. ERISA mandates internal grievance and appeals procedures for both retirement and health plans. You must share clear instructions on how to appeal, handle appeals in a consistent way, and meet timelines for notification and response.

If participants believe their rights have been violated or fiduciaries have breached their duties, they are allowed to sue in federal court. That's why having strong processes—from enrollment to resolution—matters so much.

Ongoing Administrative Compliance

ERISA compliance isn't set-it-and-forget-it. It requires constant attention. You'll need to:

  • Monitor service providers and review their performance regularly.
  • Ensure plan documentation stays current with legal changes.
  • Track contributions and distributions accurately and on time.
  • Maintain fiduciary training and meeting notes.

Consistency is what shields you when scrutiny arrives.

Create a compliance calendar and routine checklists to prevent tasks from falling through the cracks. Whether you do this in-house or rely on outside support, the goal is the same—ongoing accountability and a clear paper trail.

Navigating ERISA and Self-Funded Plans

If your business funds its own employee health benefits, you're not alone. Self-funded ERISA plans are an increasingly common approach for companies looking to manage costs and gain more control over plan design. But when a plan is self-funded, ERISA compliance takes on a different level of complexity—and carries more direct risk for the plan sponsor.

What is a self-funded ERISA plan? It's a health benefit plan where the employer assumes the financial risk for paying claims, rather than purchasing a health insurance policy from a carrier. Typically, third-party administrators (TPAs) handle claims processing and provider networks, but the employer remains responsible for the money.

The key difference between self-funded and insured plans is who's on the financial hook. With a fully insured plan, an insurance company manages the claims and holds the risk. With self-funding, your business becomes the payer—and ERISA puts strict guardrails in place to protect plan participants in this setup.

Unique Compliance Nuances for Self-Funded Plans

Self-funded arrangements must still meet all standard ERISA requirements: disclosures, Form 5500 filings, fiduciary oversight, and participant protections. Where challenges arise is in the added responsibility of handling claims payments and making funding decisions directly tied to employee health outcomes.

  • Risk management: If large claims happen, your company pays. Stop-loss insurance is often used to protect against catastrophic losses, but fiduciaries must carefully vet these policies and structure plan reserves appropriately.
  • Fiduciary oversight: Because the employer is closer to the financial operations of the plan, fiduciaries face heightened scrutiny. This includes reviewing TPA contracts, monitoring claim payment patterns, and documenting decisions.
  • Plan design decisions: Custom plan design can introduce ERISA conflicts. For instance, limiting coverage must not violate participant rights or discriminate unfairly.

When you self-fund, decisions that were once abstract become very real.

ERISA in State-Specific Contexts (e.g., ERISA NM)

While ERISA is a federal law, it preempts most state insurance regulations. However, nuances matter. In states like New Mexico (referenced as "ERISA NM"), ERISA preemption doesn't wipe out every local concern. For example, independent reviews, provider network access, or state-specific patient rights may still apply to insured products, but not to self-funded plans under ERISA. That distinction is why understanding how your plan is classified matters so much.

If your plan is fully self-funded, it likely avoids many state mandates. That can lead to cost savings and operational flexibility. But it also means greater fiduciary exposure and the need to proactively manage federal compliance without a state-level safety net.

The bottom line: With more autonomy comes more accountability.

ERISA and Health Plans

Health plans fall directly under the umbrella of ERISA when provided by private-sector employers. These plans are classified as employee welfare benefit plans, and they include medical, dental, vision, life insurance, disability, and certain disease-specific coverages. If your business offers group health coverage to employees, ERISA likely governs how that plan is managed, communicated, and maintained.

At its core, ERISA health insurance refers to employer-sponsored group plans that are subject to federal oversight. Whether the plan is fully insured or self-funded, ERISA enforces specific rules about how plan documents are written, how information is shared with participants, and how benefit claims are handled. The law also sets the standards for fiduciary oversight over how plan assets—if any—are managed.

Amendments Affecting Health Plans: COBRA and HIPAA

Two major federal laws work alongside ERISA and directly shape how you manage your group health offerings: COBRA and HIPAA.

  • COBRA (Consolidated Omnibus Budget Reconciliation Act): This amendment requires most group health plans to offer continued coverage to qualified beneficiaries after certain life events, such as termination or reduction in work hours. As the plan sponsor, you're responsible for notifying employees of their COBRA rights and ensuring proper implementation if coverage needs to be extended.
  • HIPAA (Health Insurance Portability and Accountability Act): HIPAA impacts how pre-existing condition exclusions, special enrollment rights, and privacy of health information are managed within ERISA plans. While most businesses know HIPAA for its privacy rules, the law also enforces important plan design requirements you can't ignore.

Ignoring either law can lead to compliance failures—quiet at first, expensive later.

Implications for Plan Sponsors

If you're the plan sponsor, ERISA holds you responsible for ensuring that your health plan remains compliant with federal mandates. This includes:

  • Maintaining a current and clear Summary Plan Description (SPD) that includes COBRA and HIPAA information.
  • Coordinating benefit changes to reflect legal updates and staying informed about new regulations.
  • Administering claims and appeals without bias, delay, or procedural error.
  • Overseeing third-party vendors to confirm they're meeting ERISA and HIPAA obligations on your behalf.

Remember, even if you use a TPA or insurance carrier, you don't outsource your responsibility. The compliance burden stays with the plan sponsor. That's why it's critical to review your plan materials regularly and run operational compliance checks at least once per year.

Compliance with ERISA health plan rules isn't a checkbox—it's an ongoing obligation.

When done correctly, it protects your employees and shields your business from risk. When done poorly, the consequences range from civil penalties to lawsuits and, in some cases, criminal penalties. Get clear on the details, delegate with oversight, and stay alert to regulatory updates that impact your plans.

Practical ERISA Compliance Services and Tools for Businesses

Staying compliant with ERISA means more than filing a few forms. It requires structure, vigilance, and the right support systems. Whether you manage a retirement plan, self-funded health plan, or both, having access to reliable ERISA compliance services can take the operational burden off your plate while reducing legal risk.

Key ERISA Support Services

  • Third-Party Administrators (TPAs): These service providers manage day-to-day tasks such as claims processing, plan enrollment, recordkeeping, and compliance notices. For self-funded health plans, TPAs are particularly critical for handling technical processes that keep the plan running smoothly. Still, the plan sponsor remains responsible for oversight.
  • ERISA-focused Legal Counsel: Attorneys who specialize in ERISA law provide guidance on fiduciary obligations, plan design, document review, and audits. Their input becomes especially important when responding to Department of Labor inquiries or participant lawsuits.
  • Compliance Consultants and Resources: These services range from document preparation firms to full-scale advisory teams that offer ongoing education, fiduciary training, compliance toolkits, and audit support. The right tools can help you stay organized and confident in your execution.

Support doesn't remove your responsibility—but it equips you to meet it better.

Best Practices for Maintaining Ongoing Compliance

Regardless of how you structure your support, ERISA compliance is built on operational consistency. To reduce risk, adopt a system that includes:

  • Calendar-driven compliance checklists: Routine compliance tasks—like Form 5500 filings, SPD updates, nondiscrimination testing, fiduciary reviews, and notice distributions—should be managed on a clear annual calendar. Missed timelines can trigger penalties or create exposure if a plan comes under scrutiny.
  • Audit-ready documentation: Keep records of fiduciary meeting notes, decisions about plan investments or vendor selections, training logs, and notifications issued to participants. Whether you handle these internally or through a TPA, well-labeled documentation makes audits manageable and defensible.
  • Responding to compliance issues early: When problems come up—missing disclosures, late contributions, or operational errors—address them quickly. Some correction programs exist if action is taken before enforcement begins. A proactive response can often limit financial or reputational damage.

ERISA favors organizations that stay prepared, not those that play catch-up.

If you haven't already, evaluate your internal compliance practices and external vendors. Make sure everyone's aligned on responsibilities, deadlines, and ongoing monitoring. Compliance shouldn't hinge on one overworked administrator. Build a team and system that keeps your plan protected year-round.

Next Steps for Plan Sponsors

ERISA compliance isn't a background task—it's a frontline priority. If your business sponsors a retirement or health plan, you're not just offering a benefit. You're accepting legal responsibility for how that benefit is managed, communicated, and administered. Failing to meet those duties can lead to costly audits, lawsuits, or regulatory penalties.

The goal is simple: protect plan participants and shield your business from exposure.

Plan sponsors have a unique role under ERISA. You're required to act in the best interests of participants, manage plan operations prudently, and keep records that hold up under scrutiny. That won't happen with a set-it-and-forget-it approach. It takes structured oversight, ongoing reviews, and clear accountability across your team and service providers.

Steps You Can Take Now

  1. Review your fiduciary processes. If you aren't documenting plan oversight activities, fiduciary reviews, or training sessions, it's time to start. Sound processes protect you as much as they protect participants.
  2. Update your compliance calendar. Make sure ERISA-required tasks—like plan disclosures, participant notices, and annual filings—are on a shared schedule and tracked. Missed items create audit risk.
  3. Check vendor performance. TPAs, legal advisors, and brokers must understand ERISA. If they're not providing clear guidance, you may need new support.
  4. Audit your plan documents. Summary Plan Descriptions, Form 5500s, and fiduciary meeting minutes should all be current and stored securely. Regulatory reviewers will ask for them if questions arise.

ERISA compliance is not one-time—it's ongoing stewardship.

If this feels like more than your team can handle alone, don't wait for an enforcement letter to take action. Engage with advisors who work in ERISA daily. Ask them to review your plan setup, fiduciary controls, and compliance touchpoints. You don't need to solve it all at once, but you do need to move forward with clarity and purpose.