July 2025

District Court Vacates HIPAA Privacy Rule Supporting Reproductive Health Care Privacy

In June of 2024, the Department of Health and Human Services (HHS) issued rules amending the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in the wake of the 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (the “2024 Privacy Rule”). These rules were designed to support President Biden’s Executive Orders on protecting access to reproductive health care—in particular, by protecting information related to reproductive health care and bolstering patient-provider confidentiality. On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order vacating a majority of the 2024 Privacy Rule. HIPAA “Covered Entities” (e.g., health care providers and group health plans) and their business associates will need to evaluate the impact of this ruling on their HIPAA compliance obligations.

What Did the 2024 Privacy Rule Require of Covered Entities?

HHS explained that the 2024 Privacy Rule was necessary to “protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care.” In the 2024 Privacy Rule, HHS broadly defined “reproductive health care” to include “the health of an individual in all matters related to the reproductive system… .” Examples of reproductive health care include: contraception, pregnancy related health care (such as miscarriage management and pregnancy termination), treatment for menopause, gender affirming care, and fertility related health care.

To comply with these rules, Covered Entities were not allowed to use or disclose protected health information (PHI) for any of the following activities:

  • Investigations: Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  • Imposing Liability: Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  • Identification: Identifying an individual, health care provider or other person for purposes related to such an investigation or proceeding.

In addition, the 2024 Privacy Rule required Covered Entities to gather an attestation from the entity requesting the reproductive health care related PHI, to determine whether the use or disclosure of that PHI was permitted under the 2024 Privacy Rule. Furthermore, Covered Entities were required to update their Notice of Privacy Practices to reflect the heightened protections for reproductive health care related PHI.

Background on the Texas Order

A federal judge in Texas vacated a majority of the 2024 Privacy Rule in the ruling Purl v. United States Department of Health and Human Services. By way of background, Dr. Carmen Purl and her clinic sued HHS in 2024 challenging the 2024 Privacy Rule on the grounds that it “impaired her and her employees’ state mandated obligation to report child abuse or participate in public health investigations.” The court agreed with Purl and found that HHS acted “in excess of statutory authority” in violation of the Administrative Procedure Act. As a result, the court vacated the 2024 Privacy Rule related to reproductive health care privacy and clarified that this ruling would have “nationwide effect…and affects persons in all judicial districts equally.”

SUD Records Requirements Still in Effect

In addition to the protections for reproductive health care related PHI, the 2024 Privacy Rule also required changes to a Covered Entity’s Notice of Privacy Practices to account for the confidentiality of substance use disorder (SUD) requirements. While the Texas court vacated all of the reproductive health care related portions of the 2024 Privacy Rule and found those provisions unlawful, it left undisturbed the SUD requirements from those rules. Accordingly, these SUD requirements continue to apply to Covered Entities. Under these rules, a Covered Entity’s Notice of Privacy Practices must be updated by February 16, 2026, to explain the following:

  • SUD treatment records received by a group health plan from a Part 2 Program (e.g., an entity that is federally assisted and provides substance use disorder diagnosis or treatment) will not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual without the following: (i) written consent from the covered individual, or (ii) a court order after notice and an opportunity to be heard is provided;
  • If a Covered Entity that creates or maintains SUD treatment records intends to use or disclose those records for fundraising, the impacted individual must first be provided with notice and the opportunity to opt out of receiving the fundraising communications.

Next Steps for Covered Entities 

  • Update HIPAA Policies and Procedures. Covered Entities will need to review their HIPAA policies and procedures to ensure that these procedures are current and do not reflect the parts of the 2024 Privacy Rule that were vacated.
  • Update HIPAA Training. The Covered Entity’s workforce members should receive updated training which reflects current HIPAA rules (e.g., the training should be updated to explain that the heightened reproductive health care related PHI protections no longer apply).
  • Eliminate attestation requirement. Covered Entities should update their administrative processes so that attestations are no longer required for reproductive health care related PHI requests.
  • Revise Business Associate Agreements. To the extent that provisions of the 2024 Privacy Rule regarding increased protections for reproductive health care related PHI were added to group health plan vendor Business Associate Agreements, this language should be removed.
  • Revise Notice of Privacy Practices. The Covered Entity must update its Notice of Privacy Practices to remove any language related to the 2024 Privacy Rule reproductive health care related PHI protections, and such updated Notice should be timely distributed in accordance with existing HIPAA privacy rules. Also, as noted above, a Covered Entity must revise its Notice to include language about the confidentiality of SUD records received from a Part 2 Program.
  • Coordinating with Third Party Administrators. Covered Entities should coordinate with their group health plan vendors to confirm that these vendors are administering plans in accordance with the current HIPAA rules.

Handling Requests for Reproductive Health Care Related PHI Under Current HIPAA Rules

Although the extra protections of the 2024 Privacy Rule do not currently apply to reproductive health care related PHI, it is important to note that the HIPAA rules still provide protections for HIPAA PHI (including reproductive health care related PHI). Accordingly, if a Covered Entity receives a request for reproductive health care related PHI, it should only disclose such PHI as allowed under the current HIPAA rules (e.g., pursuant to a participant authorization, and only the minimum necessary amount, etc.). It is worth noting that HHS has previously determined that a health care provider violated the HIPAA rules by disclosing a patient’s reproductive health care related PHI to a prospective employer without obtaining her prior written authorization for the disclosure. In this instance, the health care provider had to enter into a settlement agreement with HHS, pay a monetary penalty, and undertake a corrective action plan to resolve the compliance issue. This HHS determination was made under HIPAA rules that were in effect prior to the 2024 Privacy Rule.

If you have any questions about the changes under the 2024 Privacy Rule and/or its current application, please contact us.

Using AI in Benefit Claim Determination: Is it a Problem?

Artificial Intelligence (“AI”) was once a thing of the future. In the employee benefits world, the future is now: plan sponsors, administrators and service providers are using AI in the benefit claim determination process. This raises a question: how can AI be utilized under the Employee Retirement Income Security Act of 1974 (ERISA) consistent with the terms of the plan? Thus far, one notable lawsuit addressing this issue alleges that a claims administrator violated ERISA’s fiduciary duty by using an AI-based algorithm to deny benefit claims when plan terms stated claims would be reviewed by a medical director.

This article discusses the use of AI in determining benefits claims and how one pending court case is impacting its viability. In addition, we address how California is attempting to shape the path forward for AI.

Pending Benefit Claim Case in Which Use of AI Is at Issue

In Kisting-Leung v. Cigna Corporation, et al., No. 2:23-cv-01477 (E.D. Cal. July 24, 2023), participants in different Cigna-sponsored health plans filed a class-action lawsuit. The plaintiffs sued the plans’ common claims administrator, claiming its use of an automated algorithm to process benefit claims was contrary to plan terms, which required a medical director to process benefit claims. Plaintiffs alleged that Cigna’s AI tool, called “PxDx,” wrongfully enabled Cigna to circumvent the plan’s requirement that a medical director must review and assess medical claims, any prior medical or surgical history, and treatment.

The plaintiffs’ first two complaints only included state law causes of action, such as breach of the implied covenant of good faith and fair dealing, violation of California unfair competition law (§17200), and intentional interference with contractual relations. It was not until the third and final amended complaint that the plaintiffs replaced all but one of their state law causes of action (violation of California unfair competition law) with ERISA claims: one under ERISA §502(a)(1)(B) for wrongful denial of benefits and the other for breach of fiduciary duty under ERISA §502(a)(3).

Cigna moved to dismiss the third amended complaint, arguing that three of the six named plaintiffs lacked standing because Cigna did not deny treatment for these claims using PxDx, which was corroborated by a declaration from Cigna’s medical officer. Cigna also argued that the plaintiffs’ claim to enforce plan rights under §502(a)(1)(B) failed because the plaintiffs did not allege any plan provisions that were breached and did not show exhaustion of their administrative remedies, as required by ERISA §503.

As for the breach of fiduciary duty claim under ERISA §502(a)(3), Cigna argued that this claim failed because “Cigna’s use of PxDx to deny plaintiffs’ claims violated neither the terms of plaintiffs’ plans nor ERISA,” and as a result, plaintiffs did not allege a breach of fiduciary duty. Cigna further argued that plaintiffs did not state a claim for equitable relief, and that the claim is entirely duplicative of the §502(a)(1)(B) claim. Cigna did not dispute that it was an ERISA fiduciary acting in its respective fiduciary capacities but only contested whether Cigna violated ERISA-imposed fiduciary obligations. Furthermore, in regard to whether Cigna violated its fiduciary duty, it argued that because doctors “are the ones using the algorithm to ‘automatically deny payments in batches of hundreds or thousands at a time for treatments that do not match certain pre-set criteria,’ defendants are in compliance with the plan requirement that medical necessity decisions be made by a Medical Director.” Additionally, Cigna argued that using PxDx and its algorithms to process claims was within its discretionary authority to interpret plan terms, noting that it had issued disclosures to doctors and participants regarding its use of PxDx.

On March 30, 2025, the court granted in part and denied in part Cigna’s motion to dismiss. In response to whether the three named plaintiffs had standing, the court stated that all plaintiffs had standing to bring claims under ERISA §502(a)(1)(B), for wrongful denial of benefits. However, the court ruled that the plaintiffs had failed to identify the specific plan terms that made them eligible for benefits. As a result, the plaintiffs had failed to sufficiently allege facts stating a claim under §502(a)(1)(B) and, thus, the benefit denial claims failed. As to the breach of fiduciary duty claim under ERISA §502(a)(3), the court stated that the plaintiffs lacked standing to bring their claims because the complaint failed to state facts sufficient to plausibly allege that PxDx was used to deny their claims. More specifically, because the plaintiffs’ claim determinations “were not made using the PxDx algorithm, denial of their claims is not fairly traceable to the defendants’ challenged behavior.”

The court denied the motion to dismiss as to the fiduciary breach claims on behalf of the three remaining plaintiffs. The court disagreed with Cigna’s argument that because a doctor oversaw PxDx, it complied with plan terms. The court noted that, “the standard used in evaluating an ERISA plan administrator’s interpretation of a plan term varies depending, in part, on whether the plan gives the plan administrator discretion to interpret the terms of the plan.” More specifically, the court stated that “even assuming without deciding that this deferential standard applies here,” the “defendants’ interpretation of the plan provision requiring determinations of medical necessity be made by a medical director—as allowing an algorithm to make the decision so long as a medical director pushes the button—conflicts with the plain language of the plan and constitutes an abuse of discretion.”  As a result, the court concluded that the plaintiffs adequately alleged a violation of plan terms and allowed the breach of fiduciary duty claim to proceed.

The court further ordered that the injunctive relief sought by the plaintiffs was an appropriate equitable relief available under ERISA §502(a)(3). More specifically, the court agreed with plaintiffs that if there was a violation of plan terms, the injunctive relief enjoining Cigna from “continuing its improper and unlawful claim handling practices as set forth” was an available and valid relief.

As of April 11, 2025, the plaintiffs filed a notice of intent not to amend their complaint. We will continue to monitor the progress of this case, as the outcome could have significant implications for the use of AI in the administration of health care claims.

California’s Legislative Action

To date, Congress has not enacted any legislation that would preclude (or support) the use of AI for benefit determinations in ERISA-covered plans. At the state level, several states have enacted laws to regulate AI use in health plans. As an example, effective January 1, 2025, California passed SB 1120, which modifies §1367.01 of California’s Health and Safety Code. SB 1120 provides that AI tools cannot replace healthcare decision-making and autonomously deny, delay, or modify care. It further provides that final determinations regarding medical necessity must be made by licensed physicians or health care professionals competent to evaluate the clinical issues. Under SB 1120, California is ensuring that a qualified human is involved in the review and determination process.

In general, state laws governing insurance – such as §1367.01 of California’s Health and Safety Code – apply to fully insured ERISA plans but not to self-funded plans. The administration of self-funded health plans is governed exclusively by ERISA. Therefore, state laws that regulate the use of AI by health plans likely apply to fully insured ERISA plans but not to self-funded plans, due to ERISA’s preemption of state laws.

Conclusion

Kisting-Leung may be one of the first of a number of lawsuits challenging the proper role of AI in the benefit claim administration process. This highlights the need for health plan sponsors to carefully review their plan documents and assess whether, in operation, their claims administration processes follow plan terms. It may be that AI can play a valuable role in the benefit plan claims administration; however, as highlighted by Kisting-Leung, it can do so only if properly provided for under plan terms.

Back to Basics - Common Words with Uncommon Meanings

Most non-government, non-church retirement and health and welfare benefits are governed by the Employee Retirement Income Security Act (ERISA). The following is a quick reminder that ERISA and related guidance are based on a unique, sometimes counterintuitive vocabulary. Below are examples of uncommon meanings given, in the context of ERISA, to common words and phrases.

For each common word or phrase below, the common understanding is given first, followed by the ERISA meaning.

1. Employer

Common Understanding: The entity for whom an individual works.

ERISA Meaning: The entity for whom an individual works (the “direct employer”) plus related entities (e.g., the direct employer and all entities linked to the direct employer by an 80% or greater chain of ownership, or by 80% or greater common ownership among five or fewer individuals, estates or trusts).

This employer group is often referred to as a “controlled group,” or as an “affiliated” or “related” employer or entity.

See Internal Revenue Code sections 414(b) and 414(c), 1563(a)(1) and (f)(5), and Treasury Regulations sections 1.1563-1(a)(2)(i) and (a)(3)(ii).

2. Employee

Common Understanding: A person who works for an Employer.

ERISA Meaning:

a. Employee. Any employed person in the controlled group. This definition is relevant, for example, in the context of vesting. Even if an employee stops working for a controlled group entity whose employees participate in a pension plan, the employee can continue to earn vesting service under that pension plan while working for another member of the controlled group whose employees do not participate in that pension plan. This is because, under the controlled group rules, all service performed for related Employers is aggregated for purposes of determining vesting.

b. Eligible Employee. Any employed person in the controlled group whose direct employer is a participating company in an ERISA plan. For example, only employees working for a participating company can earn additional benefits under an ERISA Plan. The best practice is for such an Employee to be referred to as an “Eligible Employee.”

3. Terminate Employment

Common Understanding: Stop working for your direct employer.

ERISA Meaning: Cessation of employment for your Employer (i.e., stop working for any entity in the controlled group, not just the direct employer).

4. Retire

Common Understanding: Stop working for your direct employer.

ERISA Meaning:

a. Same ERISA meaning as item 3, above.

b. Terminate employment after having attained a specified age and service condition (e.g., age 60 with 10 years of service).

c. Go into pay status (i.e., start receiving monthly payments from a retirement plan).

5. Pension Plan

Common Understanding: A retirement plan that pays a monthly pension.

ERISA Meaning: A plan or program (including a 401(k) employee elective deferral plan or a provision in an employment agreement) that provides retirement income to an Employee or defers income to an Employee’s employment termination date or beyond.

See ERISA section 3(2)(A).

6. Administrator or Plan Administrator

Common Understanding: The third-party administrator (e.g., Fidelity, Vanguard, Blue Shield, Blue Cross) that provides day-to-day administrative services to an employee benefit plan (the “TPA”).

ERISA Meaning: Under ERISA, the Administrator is the person or entity (often a plan committee) that serves as the named fiduciary of an ERISA-covered plan. The Administrator must operate the plan in accordance with its terms and in the best interests of participants and their beneficiaries. The Administrator is typically granted discretionary authority to make decisions regarding plan operations, and has personal liability for its breach of fiduciary duties and responsibilities. TPAs are not plan fiduciaries and, therefore, do not have any duty under ERISA to adhere to fiduciary standards. (Note, however, that any TPA that actually exercises discretion regarding management of an ERISA-covered plan and/or its assets is deemed to be a fiduciary (a “functional fiduciary”), and will be held to ERISA fiduciary standards. See ERISA section 3(1).)

Note: Unless provided otherwise in the plan document, the plan sponsor is deemed to be the Administrator within the meaning of ERISA.

See, e.g., ERISA sections (3)(16) and 409, and ERISA Regulation 2510.3-16.

7. Multiemployer Plan; Multiple Employer Plan

Common Understanding: A plan in which more than one employer participates.

ERISA Meaning: A Multiemployer Plan is a collectively bargained plan in which unrelated employers participate. See ERISA (37)(A).

A Multiple Employer Plan is a plan in which more than one unrelated employer participates. A Multiple Employer Plan is not a collectively bargained plan. See, e.g., instructions to section 5 of IRS Form 5500.

See discussion of related employers above. If multiple Employers participate in an ERISA-covered plan and those entities are related, the plan is to be treated as a single employer plan.

8. Voluntary Benefit

Common Understanding: A benefit offered by an employer that can be voluntarily elected and 100% paid for by an employee.

ERISA Meaning: Voluntary Benefits within the meaning of ERISA are group benefits that have not been endorsed or paid for by the employer, and therefore are exempt from ERISA requirements such as filing a Form 5500 or distributing a summary plan description. In practice, very few benefits satisfy this ERISA definition because the Employer typically selects (and therefore endorses) group benefits offered to its Employees.

See ERISA Regulation section 2520.3-1(j).

9. Excepted Benefit

Common Understanding: A benefit (e.g., unemployment insurance) that is not subject to ERISA.

ERISA Meaning: A health benefit that is exempt from certain Affordable Care Act requirements (e.g., enhanced appeals and external review procedures) and from HIPAA Portability requirements (e.g., special enrollment rights).

Such an excepted benefit is not, however, exempt from HIPAA Privacy and Security requirements or from general ERISA requirements such as COBRA health care continuation.

See, e.g., ERISA Regulation section 2590.732(c).

Plan sponsors should proceed with caution when the above words and phrases appear in Internal Revenue Service or Department of Labor guidance, in official plan documents or in employee communications. For example, when an ERISA retirement plan document refers to employees, is this a reference to eligible employees/participants or to all employees in the plan sponsor’s controlled group of companies, whether or not those employees are eligible to participate in the plan? The answer lies in a precise analysis of plan terms and related definitions under ERISA, as highlighted above.

If you have questions about plan terminology, please contact us.

Trucker Huss Announces New Directors Adrine Cargill and Brian Murray

Specialized Talent & Expertise To Solve The Most Complex Or Straightforward Client Challenges.

With more than 30 legal professionals practicing solely in employee benefits law, Trucker Huss is one of the largest employee benefits specialty law firms in the country. Our in-depth knowledge and breadth of experience on all issues confronting employee benefit plans, and their sponsors, fiduciaries and service providers, translate into real-world, practical solutions for our clients.

A DIVERSE CLIENT BASE.

We represent some of the country’s largest companies and union sponsored and Taft-Hartley trust funds. We also represent mid-sized and smaller employers, benefits consultants and other service providers, including law firms, accountants and insurance brokers.

PERSONAL ATTENTION AND SERVICE, AND A COLLABORATIVE APPROACH.

Since its founding in 1980, Trucker Huss has built its reputation on providing accurate, responsive and personal service. The Firm has grown in part through referrals from our many satisfied clients, including other law firms with which we often partner on a strategic basis to solve client challenges.

NATIONALLY-RECOGNIZED.

Our attorneys serve as officers and governing board members to the country’s premier employee benefits industry associations, and routinely write for their publications and speak at their conferences.

Publication info:

The Trucker Huss Benefits Report is published monthly to provide our clients and friends with information on recent legal developments and other current issues in employee benefits. Back issues of the Benefits Report are posted on the Trucker Huss website (www.truckerhuss.com).


Editor: Nicholas J. White, nwhite@truckerhuss.com


In response to IRS rules of practice, we inform you that any federal tax information contained in this writing cannot be used for the purpose of avoiding tax-related penalties or promoting, marketing or recommending to another party any tax-related matters in this Benefits Report.

San Francisco

135 Main Street, 9th Floor

San Francisco, California 94105-1815

LOS ANGELES

15760 Ventura Blvd, Suite 910

Los Angeles, California 91436-3019

Portland

329 NE Couch St., Suite 200

Portland, Oregon 97232-1332

Tel: (415) 788-3111
Fax: (415) 421-2017

Email: info@truckerhuss.com

Website: www.truckerhuss.com

Copyright © 2025 Trucker Huss. All rights reserved. This newsletter is published as an information source for our clients and colleagues. The articles are current as of the date of publication, are general in nature and are not the substitute for legal advice or opinion in a particular case.
