You Can't Oversee What You Can't See: Why Claims Data Access Is a Fiduciary Obligation
- May 5
Updated: May 6
Every year, self-funded health plan fiduciaries are handed a legal contradiction. ERISA holds them personally liable for the proper allocation of billions of dollars in plan assets to healthcare claims. Yet the third-party administrators, networks, and intermediaries who actually process and pay those claims routinely deny plan sponsors access to the data required to validate that spending. Then, when disputes arise, those same vendors remind the employer: you are the fiduciary. You are responsible.
This is not a compliance gray area. It is an untenable legal contradiction — and it is one that the courts, Congress, and regulators are increasingly unwilling to tolerate. The principle is simple:
A fiduciary cannot prudently oversee what it cannot see.
Claims Data Access and Your ERISA Fiduciary Duty
ERISA imposes an active, ongoing duty of prudence on health plan fiduciaries — not a passive one. A fiduciary cannot satisfy this obligation by simply delegating claims administration to a TPA and walking away. Prudent oversight requires the ability to:
- Verify that claims are being paid correctly and in accordance with the plan document
- Confirm that TPAs and networks are fulfilling their contractual obligations
- Detect fraud, waste, abuse, and improper billing practices before or after they occur
- Identify and recover overpayments made with plan assets
- Monitor vendor performance and hold intermediaries accountable
None of these obligations can be fulfilled without access to complete, unmasked, line-level claims data. This is not a nice-to-have capability. It is a fundamental prerequisite for fiduciary compliance.
What "Complete" Claims Data Access Actually Means for Fiduciaries
Not all data access is created equal. Plan sponsors are sometimes offered partial datasets, delayed reports, masked provider identifiers, or files with key financial fields removed. This is not meaningful access; it is the appearance of transparency without the substance.
For fiduciary oversight purposes, complete claims data must include at a minimum:
- All adjudicated claims data, without sampling or exclusion
- Provider identifiers and service details, including NPI and billing codes
- Allowed amounts and paid amounts at the claim-line level
- Contracted reimbursement rates and the pricing methodologies applied
- Network identifiers and contract references for every claim
- Any administrative fees, adjustments, spread pricing, or markups applied at the claim-line level
Access to this data must also be provided at no additional cost to the plan and within a reasonable timeframe upon request — specifically within 60 days of the plan sponsor's written request. Delays beyond 60 days should trigger meaningful enforcement consequences.
The CAA Gag Clause Prohibition: Congress Already Said Yes
The Consolidated Appropriations Act of 2021 (CAA) explicitly prohibits contractual "gag clauses" that restrict a group health plan's ability to access or share claims and pricing information. This was not an accident. Congress recognized that fiduciary oversight is impossible without access to data and acted accordingly.
The Transparency in Coverage rules and hospital price transparency requirements further underscore this principle. Contracted reimbursement rates are no longer legitimately "confidential." Regulatory frameworks already require public disclosure of negotiated rates. Vendors who refuse to share that same data with the plan sponsor whose assets funded those payments are not protecting confidentiality; they are obstructing fiduciary oversight.
Equally important: without access to complete claims data, plan sponsors have no practical way to verify whether the prices reported in public Transparency in Coverage files are the prices actually applied to their claims. The only check on the accuracy of public transparency data is the plan sponsor's own claims data. Deny that access, and the public transparency system itself becomes unverifiable.
Tiara Yachts and the Functional Fiduciary Problem
The courts are clarifying the stakes. In Massachusetts Laborers' Health and Welfare Fund v. Blue Cross Blue Shield of Massachusetts, the First Circuit agreed that BCBSMA was not acting as an ERISA fiduciary with respect to claims processing. The court emphasized that the plan ultimately determines how claims are paid, even though the TPA priced and processed those claims.
This creates the data access paradox in its sharpest form: the plan is responsible, but the TPA controls the data. If fiduciaries are responsible for every payment, they must have the means to validate each payment.
A more recent development in the Sixth Circuit — Tiara Yachts v. BCBSM (2025) — further examined the question of TPA functional fiduciary status when intermediaries exercise discretionary authority over plan assets. The emerging body of case law makes clear: the line between administrative service provider and ERISA fiduciary is determined by conduct, not contract language. Vendors who control claims data as a competitive shield are increasingly exposed to fiduciary liability claims, while simultaneously preventing the plan sponsor from performing its own oversight.
The Enforcement Gap — and How to Close It
The CAA's gag clause prohibition has not been matched with sufficient enforcement teeth. Many plan sponsors who request complete claims data from their TPA or carrier still face delays, partial disclosures, and procedural obstacles designed to wear down the requester rather than fulfill the obligation.
A meaningful enforcement framework would look like this: if complete claims data is not delivered within 60 days of a plan sponsor's written request, the responsible administrator or intermediary should be subject to a civil penalty of $1,000 per day until the requested data is delivered. This is consistent with ERISA's existing enforcement framework under §502(c), which imposes per-day penalties for failure to produce plan documents.
Plan sponsors and their authorized representatives — including independent payment integrity firms — should have enforceable rights to:
- Complete, unmasked claims data without additional cost
- Delivery within 60 days of written request
- A clear right of action for non-compliance
- Vendor-agnostic access for authorized third-party reviewers
What Independent Oversight Looks Like in Practice
ClaimInformatics exists precisely because this data access gap is real and consequential. When plan sponsors partner with ClaimInformatics, they gain an independent, conflict-free review of 100% of their claims — not a statistical sample, not a carrier-produced summary, but a complete analysis of every dollar their plan spent.
With access to complete claims data, ClaimInformatics enables fiduciaries to:
- Validate that claims are paid in accordance with the plan document and contracted rates
- Identify billing errors, duplicate payments, upcoding, and unbundling across a proprietary edit suite organized into 8 payment integrity categories
- Detect pricing spreads, undisclosed administrative markups, and network manipulation
- Recover overpayments already made, using a provider-friendly process with no upfront cost
- Generate audit-ready documentation of fiduciary prudence for DOL defense
- Verify whether Transparency in Coverage files reflect the rates actually applied to the plan's claims
Unlike carrier-affiliated payment integrity vendors, ClaimInformatics has no ownership, revenue sharing, or contractual relationships with any TPA, carrier, or network. This [independence](https://www.claiminformatics.com/your-fiduciary-duties/avoid-conflicts/) is not a marketing claim; it is a structural condition that enables genuinely unbiased fiduciary oversight.
Frequently Asked Questions
Do plan sponsors have a legal right to complete claims data under ERISA?
Yes. ERISA's duty of prudence requires fiduciaries to monitor the expenditure of plan assets. This cannot be done without access to the underlying claims data. The Consolidated Appropriations Act of 2021 reinforced this by prohibiting gag clauses that restrict data access. Courts have increasingly affirmed that the plan, not the TPA, bears ultimate responsibility for how claims are paid — which logically requires access to claims data.

What if my TPA or carrier claims the data is confidential?
This argument is increasingly difficult to sustain. The Transparency in Coverage rules and hospital price transparency requirements already mandate public disclosure of negotiated rates. Your TPA or carrier cannot simultaneously publish those rates publicly while claiming they are confidential when you request the same data for your own claims. Under the CAA, any contractual clause that restricts your access to claims and pricing data is void and unenforceable.

What is a "gag clause" under the CAA, and is mine enforceable?
A gag clause is any contractual provision in a TPA, carrier, or network agreement that restricts the plan sponsor or its authorized representatives from accessing, sharing, or using claims and cost data. The CAA explicitly prohibits such provisions in group health plan contracts. Any gag clause entered into or renewed after the CAA's effective date is unenforceable. Plans are required to annually attest to the DOL that their contracts do not contain prohibited gag clauses.

How does claims data access relate to the Schlichter Bogard ERISA lawsuits?
The December 2025 Schlichter Bogard lawsuits name major consulting firms — including Gallagher, Mercer, Lockton, and Willis Towers Watson — as co-defendants, alleging self-dealing and failure to act in participant interests. Many of these claims rest on the allegation that fiduciaries (and their advisors) failed to independently validate that plan expenditures were reasonable. Claims data access is the mechanism through which that independent validation is performed.

What should a plan sponsor do today if they cannot obtain their claims data?
Start with a formal written request to your TPA or carrier, citing CAA Section 201 and your ERISA fiduciary obligations. Document all responses and delays. If data is not provided within 60 days, consult with ERISA counsel regarding enforcement options. Engaging an independent payment integrity partner such as ClaimInformatics can help you assert your data rights, negotiate access, and analyze the claims data once obtained.
The Bottom Line
ERISA's duty of prudence is not a passive obligation. It demands active, evidence-based oversight — and that oversight is impossible without complete, timely access to claims data. The law already prohibits gag clauses. The courts are increasingly holding fiduciaries accountable for their spending decisions. The Schlichter firm is aggressively expanding its litigation playbook into healthcare consulting.
The question is no longer whether plan sponsors need access to claims data. It is whether they will exercise that right before litigation forces the issue.
Ready to see what's in your claims data? Contact ClaimInformatics for a complimentary fiduciary assessment.
What steps has your organization taken to secure full access to your claims data? Share your experience in the comments.


