Background on GLP-1s

GLP-1s (shorthand for glucagon-like peptide-1 receptor agonists) are medications that are used to treat type-2 diabetes and obesity and are well known for their effects on weight loss. There are several GLP-1s that are FDA-approved for adults who are overweight or obese, and even a few that are approved for children or teenagers.[1] Although various GLP-1s may be prescribed for other uses, such as to treat sleep apnea or cardiovascular disease, they are commonly used for weight loss and have been growing in popularity in recent years due to their success in helping people lose weight.

With the increase in demand for GLP-1s, employers have been looking for ways to manage costs due to the high price tag for GLP-1s—the cost of GLP-1s for weight management can be $1,000 or more per month, per individual prescription. Although employer-sponsored group health plans may utilize cost containment measures (or even consider removing coverage for such GLP-1s) to mitigate the high costs associated with GLP-1s, employers should consider the following compliance issues when designing their GLP-1 coverage.

ACA and Essential Health Benefits

To lower the cost of providing GLP-1 coverage for weight management, some plan sponsors have shifted the cost of these medications to participants by way of cost-sharing. For example, some plans may impose higher co-pays for GLP-1s or exclude any cost-sharing amounts from the annual out-of-pocket maximum. However, plan sponsors must consider whether higher participant cost-sharing has Affordable Care Act (ACA) implications.

Under the ACA, group health plans are prohibited from imposing annual and lifetime dollar limits on Essential Health Benefits (EHBs), the categories for which are defined by the Department of Health and Human Services (HHS).[2]  Additionally, the ACA requires group health plans to establish an out-of-pocket maximum, which limits the overall out-of-pocket costs (i.e., deductibles, coinsurance, copayments, etc.) participants can pay in a year for EHBs.

The list of EHBs includes prescription drugs, although large and self-funded employer-sponsored plans have flexibility in determining which prescriptions drugs will be considered EHBs based on the state-benchmark plan they select.[3]  If a plan uses a state-benchmark plan that does not include GLP-1s for weight loss (currently, only one state includes GLP-1s for weight loss in their benchmark plan), then the plan may impose annual or lifetime limits on GLP-1 coverage for weight loss.  In addition, any out-of-pocket costs that participants incur as a result of using these medications for weight loss are not required to be counted toward their out-of-pocket maximum when they are not considered EHBs.

However, sponsors of large and self-funded group health plans should keep in mind that there may be changes to the EHB rules, such that all prescription drugs covered by a large or self-funded plan (i.e., including drugs that are in excess of those covered by a state’s EHB-benchmark plan) will be considered EHBs. The Department of Labor, HHS, and the Department of Treasury under the Biden administration issued guidance stating their intent to propose rulemaking that would require large and self-funded group health plans to treat all prescription drugs covered under their plans as EHBs.[4]  Whether the Trump administration will follow through on this is currently questionable, but plan sponsors will need to revisit their plan design should such guidance be issued.

Weight-Management Programs

Pairing GLP-1s with a weight-management program is a popular plan design for sponsors looking to cover GLP-1s for weight loss while also containing costs—though some plans merely offer weight-management programs in tandem with GLP-1 coverage, while others require participation in the weight management program as a prerequisite for subsidized GLP-1 coverage. Depending on their design, some of these weight-management programs are wellness programs that can rise to the level of a group health plan under the Employment Retirement Income Security Act of 1974, as amended (ERISA) when they provide “medical care” (i.e., physical examinations, nutrition counseling, prescription drugs, etc.). Wellness programs that are group health plans are subject to compliance obligations under several federal statutes, including the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA), and the Genetic Information Nondiscrimination Act (GINA). Additionally, wellness programs that impose penalties for non-participation (e.g., individuals that do not participate in the wellness program have higher cost-sharing for GLP-1s) can pose issues under the HIPAA Nondiscrimination rules and the Americans with Disabilities Act (ADA).

HIPAA Nondiscrimination

HIPAA generally prohibits group health plans from using health factors to discriminate among similarly situated individuals with respect to eligibility, premiums, or contributions. An exception to HIPAA’s nondiscrimination requirements is a wellness program that is reasonably designed to promote health or prevent disease. The HIPAA nondiscrimination rules describe two types of wellness programs: (1) participatory programs, and (2) health-contingent programs.[5]

A participatory program is one that does not condition eligibility to receive a reward (e.g., cost-sharing discount or absence of a premium surcharge) on a participant’s satisfaction of a standard related to a health factor and are permissible if participation in the program is available to all similarly situated individuals. For example, a weight management program that is available to all full-time employees and offers reduced co-pays for GLP-1s to individuals participating in the program (e.g., completing a health risk assessment), regardless of whether they lost weight or met a similar health standard, would likely be considered a permissible participatory program.

Health-contingent wellness programs on the other hand require individuals to satisfy a standard related to a health factor in order to obtain a reward and must satisfy numerous requirements in order to be compliant with the HIPAA nondiscrimination rules. Health-contingent wellness programs can either be an activity-only wellness program (e.g., exercise or diet programs) or an outcome-based wellness program (e.g., attaining a certain BMI score), and the financial reward offered under these programs is generally limited to 30% of the total cost of employer and employee contributions for employee-only coverage under the plan, among other requirements. The rules for designing and administering health-contingent wellness programs are complex, so plan sponsors will need to exercise caution when implementing a weight management program that requires participants to satisfy a health factor standard in order to receive GLP-1 coverage.

ADA Compliance

The ADA prohibits disability-related discrimination in employment, which covers all aspects of the employment process, including disability-related medical examinations and inquiries. One exception to the prohibition on medical examinations and inquiries is for voluntary medical examinations and disability-related inquiries under a wellness program that is reasonably designed to promote health or prevent disease, among other requirements.[6]  A wellness program that requires examinations and inquiries may qualify for this exception if it does not require the employee to participate in the program (i.e., the program is voluntary) and does not deny coverage or limit the extent of benefits under the employer’s group health plan for non-participants (i.e., the program does not act as a gatekeeper to receiving coverage generally or receiving certain benefits (known as the “gateway” provision)).

With respect to the “voluntary” prong, outside of the current regulations, there is no additional guidance from the Equal Employment Opportunity Commission (EEOC) regarding the extent to which a wellness program will no longer be considered voluntary based on the size of financial incentives (i.e., rewards or penalties) offered to employees who participate in the wellness program.[7]  Weight management programs often require medical examinations or health risk assessments for participants, which are considered disability-related inquiries or examinations for ADA purposes. For wellness programs that provide GLP-1 coverage in connection with wellness program participation in which participants are required to submit to a medical examination or inquiry, employers will need to consider whether the incentives offered make participation in the program truly voluntary.

Under the “gateway” provision, employers are not prohibited under the ADA from denying an incentive for non-participation in a wellness program that includes disability-related inquiries or medical examinations; however, the ADA does prohibit the outright denial of access to a benefit available by virtue of employment. For example, an employer that offers several medical options, such as a PPO and HMO, cannot require that employees who decline to participate in its wellness program enroll in the HMO.

It should be noted that wellness programs that do not require disability-related inquiries or medical examinations (such as programs that only provide general nutrition and weight-loss counseling) will not be subject to these ADA requirements.

Disability Discrimination

Some plan sponsors have considered limiting or removing GLP-1 coverage for weight loss entirely from their group health plans in order to save on costs, while maintaining GLP-1 coverage for other issues (i.e., diabetes management). However, plan sponsors will need to consider whether such changes could make the plans subject to disability discrimination claims under federal law on the basis that the plans are discriminating against individuals with obesity.

Several courts have considered the question of whether obesity is considered a disability under the ADA. A majority of federal courts have found that obesity by itself is not a disability, but that it can be considered a disability if it is caused by an underlying health condition (such as diabetes). Some courts, though, have held that obesity is a disability under the ADA, even in the absence of an underlying health condition.

Notably, recent litigation on this front has posed the question of whether a group health plan’s exclusion of GLP-1 coverage for weight loss constitutes disability discrimination, although no final decisions have yet been rendered on this issue.[8]  Sponsors of self-funded group health plans should monitor ongoing litigation for updates. Should courts find that removal of GLP-1 coverage amounts to disability discrimination, self-funded plans that cover GLP-1s for diabetes but not obesity will likely need to be amended to cover the prescriptions for both conditions or neither of them.

Conclusion

With the ever-growing list of creative plan designs for GLP-1s, plan sponsors will need to carefully review their options and ensure that coverage (or lack thereof) of GLP-1s for weight loss is compliant with applicable requirements. If you have questions regarding GLP-1 coverage or other health plan issues, please contact us.

The lawsuit, Williams-Linzey v. Empower Advisory Group, LLC, alleges that Empower improperly and repeatedly leveraged its position as a retirement plan recordkeeper to harvest highly confidential, private financial data concerning retirement plan participants for its own economic benefit. Specifically, the lawsuit claims that Empower used the data it collected to identify retirement plan participants with large account balances nearing retirement age and target them for Empower’s managed account program. The complaint alleges that the targeted campaign falsely portrayed the managed account program as a superior investment option, despite its “extremely high costs” and regardless of whether it was actually in the best interest of participants, all for Empower’s financial gain.

The complaint offers a legal theory that is yet to be well addressed in ERISA case law—that participant data should be treated as a “plan asset” subject to ERISA’s fiduciary duties of prudence and loyalty. Under this theory, Empower would not only be held to a fiduciary standard based on its provision of investment advice, but also for its control and exercise of discretion over an alleged plan asset—that is, participant data. And while Empower is the only defendant in the case, the complaint also asserts that the plan fiduciaries breached their own fiduciary duties by failing to monitor Empower’s use of participant data. Such an assertion highlights the real-world risk of permitting recordkeeper utilization of participant data for any purpose beyond core recordkeeping responsibilities, regardless of whether the use may be beneficial to participants. This article provides practical contracting considerations for plan fiduciaries seeking to strike a balance between fiduciary risk and permitting financial wellness products.

Understanding the Risk

Data mining has undoubtedly become the gold rush of the 21^st Century. In the right hands, data has the ability to influence thought and behavior and therefore create significant financial profits. Under section 404(a) of ERISA, fiduciaries must discharge their duties with respect to a plan solely in the interests of providing benefits to participants and beneficiaries, and only paying reasonable expenses for plan administration (the “duty of loyalty”), and in carrying out these responsibilities, must act with care, skill, prudence and diligence under the circumstances (the “duty of prudence”). As such, it is incumbent on plan fiduciaries to scrutinize the use of data collected by ERISA plan service providers, particularly with respect to use of the data to market additional products where there is a profit to be made (regardless of whether the additional products are ERISA plans). Failure to do so could lead to complaints from participants that they were marketed or sold unreasonably expensive or ineffective products and services at a profit to the service provider (similar to the allegations in Williams-Linzey). As such, responsible plan fiduciaries should work proactively to mitigate potential risk.

Mitigating Risk Starts with Good Contracting 

As the promotion of financial wellness offerings by recordkeepers and other service providers continues to expand, contractual terms around data usage are becoming more robust and complicated. The provisions are typically contained in two sets of terms: terms covering the use of participant data outside of core services and terms covering cybersecurity. Careful review, consideration and scrutiny should be paid to both sets of terms in order to protect the interests of participants and mitigate unnecessary fiduciary risk.

Terms Addressing Use of Participant Data

When entering into service agreements, responsible plan fiduciaries should be thinking critically about how they might reasonably make appropriate program offerings available without disregarding the fiduciary duties of loyalty and prudence. To strike a balance when negotiating service agreements, plan fiduciaries should consider the following:

• Prohibit Unfettered Use of Data. It is increasingly common for service agreements to provide for broad use of any data collected as an ERISA service provider. While these types of provisions arguably prevent the need for future service agreement updates, they may present unnecessary risk for fiduciaries and have significant potential for abuse. Good contract drafting necessitates defining the parameters for the use of participant data, the types of financial wellness offerings data will be applied to, how the plan fiduciaries will be kept informed of any changes in offerings and a mechanism by which the fiduciaries can restrict the offerings without terminating the ERISA service agreement. Such contractual terms help demonstrate fiduciary prudence by establishing clear boundaries and conditions for the use of participant data and ensuring that the core services offered are not beholden to continued commitment to ancillary offerings that will inevitably need to be reviewed as the landscape around use of participant data continues to evolve.

• Prohibit the Sale of Data. The sale of data collected by a service provider to third parties should be contractually prohibited. Data sales are not a financial wellness offering, result in additional (indirect) compensation to a service provider with speculative or no direct benefit to plan participants and result in the loss of control of such data.

• Require Participants Consent to the Use of Data. Individualized or targeted communications are undoubtedly an effective way to advertise financial wellness programs and help participants understand potential benefits of an offering, but a participant’s data should not be used for such purposes without their consent. The reasons for this are twofold. First, a participant may not be interested in the product or offering and be frustrated that their data was used without their consent, resulting in complaints routinely directed to the Plan fiduciaries rather than the service provider. Second, unsolicited individualized communications are more likely to lead a participant to incorrectly assume that the offering is part of an ERISA plan, and/or the offering has been endorsed by the plan fiduciaries. By requiring service providers obtain participant consent to any personalized use of their data—either during account registration, or through generalized correspondence asking interested participants to take action, participants will have better control over the use of their data and plan fiduciaries will be able to better prevent frustration and the illusion of tacit endorsement of offerings.

• Avoid Fee Models Contingent Upon Use of Participant Data. While financial wellness offerings may provide ancillary benefits to participants, they are also revenue generators for service providers. With that in mind, it is important that the use of participant data and marketing of financial wellness products not be tied to agreed-upon fees for services. This is relevant whether the sponsor or the participants bear the cost of services. Where the sponsor pays the service provider’s fees and a portion of the fees are contingent upon the ability to market products and use participant data, a participant could claim that the plan sponsor allowed their data to be used to market products in order to save the sponsor money. Where the participants bear the service provider’s fees, participants may raise claims regarding the reasonableness of the total compensation paid to the service provider, as well as the equitableness of fees based on varied usage of the additional services.

• Avoid Substantive Terms of Wellness Programs in ERISA Plan Agreements. A service agreement for an ERISA Plan should be prepared for the exclusive benefit of the participants and beneficiaries in that Plan; therefore, the terms of any ancillary program should not be spelled out in that agreement. This is important in not only satisfying ERISA’s exclusive benefit rule, but also in avoiding an argument that the ancillary program is intended to be an ERISA plan, which if true would subject the plan fiduciaries to additional fiduciary responsibility and related liability.

Terms Addressing Cybersecurity

As technology evolves, including electronic communication, ERISA plans are growing targets for cyber attacks. While cybersecurity safeguards are critical in the maintenance of any ERISA plan, they have heightened importance where participant data may be used for ancillary purposes, as data is likely to be more robust, stored for longer and in more locations, and will necessarily be accessible by more parties. If participant data were to be accessed by unauthorized parties (a cybersecurity breach), it could compromise participant financial safety and security and expose the plan fiduciaries to liability.

In 2021, the Department of Labor (DOL) released cybersecurity best practices guidance (updated in 2024) [https://www.dol.gov/agencies/ebsa/employers-and-advisers/plan-administration-and-compliance/compliance-assistance-releases/2024-01], which responsible plan fiduciaries should contractually require service providers (and their subsidiaries and affiliates) adhere to. Released in three pieces—one geared toward plan fiduciaries, one toward service providers, and one toward participants—the guidance underscores the importance of monitoring cybersecurity compliance as a fiduciary best practice. The DOL guidance should be treated as a minimum standard; to the extent a plan sponsor’s business cybersecurity standards are greater than the standards established by the DOL, the plan sponsor should consider whether it would be appropriate to apply its business cybersecurity standards to agreements with ERISA plan service providers.

Importantly, plan fiduciaries should acknowledge the reality of cybersecurity breaches and be prepared to handle them when they arise. Fiduciaries should ensure both the plan and service providers have effective and ready-to-go breach remediation plans, such that appropriate actions can be taken as soon as reasonably possible once a data breach is discovered. Equally important, fiduciaries should consider cybersecurity insurance and require service providers handling participant data to have cybersecurity insurance that covers any breach of participant data held by the service provider, its affiliates and subcontractors (if any).

Conclusion

While the Williams-Linzey case is in its infancy, the risks associated with maintenance and use of participant data are not new. Thoughtful consideration of the fiduciary issues discussed, which importantly include careful analysis of service provider contract terms can mitigate risk, permit reasonable financial wellness offerings and simultaneously protect plan participants.

If you have any questions about your recordkeeping contracts, financial wellness products, or use of participant data, contact the Trucker Huss attorneys with whom you usually work.