Strengthening Oversight of Self-Insured Health Plans

Employers that sponsor their own self-insured health plans rely heavily on third-party administrators (TPAs) and pharmacy benefit managers (PBMs) to process claims, manage networks, control costs, and deliver programs that support a healthier workforce. Yet without deliberate and structured oversight, plan sponsors are vulnerable to heightened operational, compliance, and reputational risks that can erode financial stability and undermine participant trust.

This article highlights the essential elements of fiduciary oversight and provides a practical structure for building an oversight function that strengthens compliance and plan performance.

The Risks of Insufficient Oversight

TPAs and PBMs play a central role in the daily operation of self-insured plans. But when oversight is informal or fragmented, sponsors face risks that extend beyond claim processing errors. Weak oversight can result in hidden or unreasonable fees, systemic processing failures, noncompliance with regulations, cybersecurity vulnerabilities, and reputational damage with employees and other stakeholders.

Over time, these risks can weaken the financial performance of the plan and erode the credibility of those charged with fiduciary responsibility. A well-structured oversight program is not optional; it is a core element of fiduciary duty.

Contracts as the Foundation

Effective oversight starts with contracts that are clear and enforceable. Well-drafted agreements spell out responsibilities, define accountability, and detail how fees are assessed. This clarity is essential for financial transparency and effective oversight.

Ambiguity in contracts leaves sponsors vulnerable to disputes, inefficiencies, and hidden costs. By contrast, contracts that precisely define roles, costs, and performance standards provide the foundation for financial transparency and consistent oversight. Just as important, contracts must include mechanisms for enforcement, such as explicit audit rights, guaranteed access to complete and accurate data, and performance guarantees that are measurable, enforceable, and aligned with the sponsor’s priorities. Without these safeguards, even the strongest-sounding agreements risk becoming unenforceable promises.

But contracts are only the beginning. To translate those protections into practice, plan sponsors must build a structured oversight function with defined roles, clear responsibilities, and the authority to act.

Structuring Effective Oversight

Effective oversight cannot be left to chance or handled informally across multiple departments. It requires institutional commitment, dedicated resources, and a framework that integrates governance, technical review, and continuous improvement. Importantly, not every function must be built entirely in-house. Some elements are best retained internally to preserve fiduciary accountability, while others can be supported by external specialists to provide independent validation, market benchmarking, and technical expertise.

A well-structured oversight function encompasses seven core areas, each reinforcing the others to create a sustainable framework for plan accountability and fiduciary protection.

Governance and Leadership (Internal)

Oversight must be anchored in a fiduciary committee or governing body that remains directly accountable under ERISA. This body sets the tone at the top, establishes oversight priorities, approves policies, and serves as the escalation point when vendors fail to meet expectations. While advisors may guide the process, fiduciary responsibility cannot be delegated.

Contract and Vendor Management (Internal with External Support)

Internal teams, often with legal counsel and consultants advising, should negotiate audit rights, embed measurable performance guarantees, and establish transparent fee provisions. External advisors can assist by benchmarking fees and contract terms against market standards, but the sponsor must ultimately approve, monitor, and enforce the agreement.

Claims Audit and Data Analytics (External with Internal Coordination)

Independent claim audits are a cornerstone of oversight, providing validation that claims are priced and paid accurately in accordance with plan rules and vendor contracts. While sponsors may develop internal analytics capabilities for ongoing monitoring, most engage external audit firms for annual or targeted reviews. External specialists provide independence, benchmarking across multiple plans, and technical testing methodologies. Internal staff should coordinate these reviews, interpret results, and ensure corrective action is taken.

Compliance and Risk Management (Shared)

Internal resources should maintain responsibility for compliance monitoring at a plan level, ensuring processes exist to address requirements under ERISA, HIPAA, MHPAEA, ACA, COBRA, transparency rules, and other applicable federal and state mandates. However, specialized reviews such as HIPAA security assessments, MHPAEA parity testing, or transparency reporting validation are often best conducted by external experts. Internal teams then act on findings and integrate them into the plan’s compliance framework.

Cybersecurity Oversight (External Validation with Internal Oversight)

Internal teams must ensure vendor contracts include strong data security provisions, breach notification requirements, and alignment with Department of Labor guidance. External IT and cybersecurity specialists, however, are often engaged to review SOC reports, test vendor controls, and validate compliance. This combination of internal governance and external validation provides both accountability and technical rigor.

Reporting and Accountability (Internal)

While external partners generate valuable findings, the responsibility for reporting rests with the sponsor. Results from audits, compliance reviews, and vendor monitoring must flow into standardized reporting for the fiduciary committee. These reports should track claims quality metrics, vendor performance, fee reasonableness, and the status of corrective actions. Internal ownership of reporting ensures that fiduciaries remain directly engaged and can demonstrate fulfillment of their oversight obligations.

Continuous Improvement (Internal with External Benchmarking)

A sustainable oversight structure must evolve with regulatory change, market conditions, and emerging risks. Internal teams should lead the continuous improvement process, updating contracts and monitoring practices as needed. External advisors can add value by providing independent reviews, benchmarking against industry best practices, and highlighting innovations in vendor oversight. Together, these inputs ensure the oversight function remains dynamic and resilient.

Taken together, these seven areas form the backbone of an effective oversight function. Contracts provide the foundation, but it is the structure around governance, audits, compliance, cybersecurity, reporting, and continuous improvement that turns written agreements into enforceable protections. For fiduciaries, this is not only a matter of regulatory compliance; it is a duty to safeguard plan assets, protect participants, and preserve the credibility of those entrusted with oversight. Sponsors that invest in structured oversight gain more than protection from risk; they create a framework that strengthens financial performance, builds participant trust, and demonstrates fiduciary stewardship with rigor and transparency.

Fiduciary Takeaways

For self-insured plan sponsors, effective oversight is not optional, but rather integral to fiduciary duty and financial stewardship. Contracts must establish enforceable rights, fee transparency, and clear accountability; assessments must identify structural weaknesses; and dedicated oversight functions must translate responsibilities into measurable performance.

Sponsors that invest in structured oversight position themselves to mitigate risks, safeguard plan assets, and build participant trust. More than compliance, oversight becomes a strategic advantage, ensuring the health plan is managed with rigor, transparency, and credibility in the eyes of both regulators and stakeholders.

Contact Us

For more information on this topic, please contact a member of Withum’s Self-Insured Health Plan Advisory Services Team.