Mind the Gap: Plan Fiduciaries and Protections for Participant Information
Under ERISA, welfare benefit plans and their fiduciaries owe duties to plan participants in managing the plan. And under HIPAA and the HITECH amendments, plans and their business associates must keep personal health information confidential and secure. However, there is currently a zone of uncertainty when it comes to the protection of private information for participants in ERISA-covered plans: HIPAA and HITECH exclude business associates from certain coverages, while ERISA does not definitively extend fiduciary duties to the protection of personal information. This article examines whether ERISA fiduciary duties would extend to the confidentiality of participant information, and whether the regulatory systems of ERISA and HIPAA should be amended to provide for greater data confidentiality, protection, and security. More broadly, the article examines whether fiduciary duties in general encompass duties of confidentiality, and whether those duties extend to responsibility for information breaches stemming from negligence or even from average (but less than recommended) levels of security.