Claims & Loss Prevention

TPA Governance for Commercial Health: A Board-Level Playbook for Indian Corporates

How Indian corporate boards and HR risk committees should govern Third Party Administrators handling group health programmes, covering IRDAI TPA regulations, oversight committees, SLA scorecards, conflict-of-interest controls, and the levers that change actual member experience.

Sarvada Editorial TeamInsurance Intelligence
18 min read

Listen to this article

Audio version • 18 min read

tpa-governancegroup-health-insuranceirdai-tpa-regulationsboard-oversightsla-scorecardsconflict-of-interestclaims-management

Last reviewed: June 2026

Why TPA Governance Belongs on the Board Agenda

Third Party Administrators sit at the operational fulcrum of every large Indian corporate health insurance programme. They are the entity that receives claims, validates documents, applies coverage rules, communicates with hospitals through the cashless network, and ultimately decides whether an employee's family pays out of pocket or has a smooth admission. For a corporate spending INR 30 to 300 crore annually on group health premiums, the TPA's performance directly shapes employee experience, retention metrics, and the renewal economics with the insurer. Yet TPA oversight in many Indian corporates remains an HR operational matter rather than a board-level risk topic.

The regulatory framework recognises this importance. The IRDAI (Third Party Administrators - Health Services) Regulations, 2016, replacing the original IRDA (Third Party Administrators - Health Services) Regulations 2001, set out licensing, capital adequacy, governance, and operational requirements for entities providing TPA services. The 2016 framework was further refined through circulars on cashless network management, claim service standards, and grievance redressal. The IRDAI has issued repeated reminders since 2022 that the responsibility for TPA conduct ultimately rests with the insurer and, through commercial contract chains, with the corporate group policyholder.

When TPA performance degrades, the consequences flow through three channels. The first is direct member impact: cashless approvals delayed beyond the IRDAI-mandated timelines, reimbursement claims rejected on technicalities, hospitals demanding deposits despite valid cashless authorisation. The second is claims data integrity: poorly managed TPA case files produce inflated loss ratios that drive renewal premium increases the following year. The third is governance exposure: under the Companies Act 2013 and the SEBI Listing Obligations and Disclosure Requirements Regulations, listed Indian companies have specific board-level duties around material operational risks, and a group health programme covering 5,000 to 50,000 employees and dependants qualifies.

This guide sets out the board-level playbook. It is written for Indian corporate risk committees, CHROs, and CFOs responsible for group health programmes ranging from INR 5 crore to INR 500 crore in annual premium, and for the insurance brokers who advise them on TPA governance design.

The Regulatory Foundation: IRDAI TPA Regulations from 2001 to the 2016 Framework and Later Circulars

The Indian TPA regulatory framework has moved through three substantive phases. The original IRDA (Third Party Administrators - Health Services) Regulations, 2001 created the TPA licensing regime, set minimum capital requirements at INR 1 crore with a working capital floor, and established the basic operational accountability structure. The 2001 framework was thin on consumer protection, vague on data security, and silent on conflict-of-interest controls.

The IRDAI (Third Party Administrators - Health Services) Regulations, 2016 were a substantial rewrite. They raised the minimum paid-up capital requirement to INR 4 crore, introduced detailed fit-and-proper criteria for directors and key managerial personnel, mandated the appointment of a Compliance Officer reporting to the board, set out service standards for cashless processing and reimbursement claims, and introduced explicit grievance redressal obligations. The 2016 regulations also clarified that TPAs cannot directly accept premium or issue policies, restricting them to service functions, and required that the contract between insurer and TPA include defined service levels with measurable parameters.

The 2018 and 2019 IRDAI circulars on cashless service standards introduced specific timelines: pre-authorisation decisions for planned admissions within 6 working hours of receipt of complete request, and enhancement decisions during admission within 6 working hours. The 2020 circular on COVID-19 related claims further sharpened time-bound decision-making expectations under load. Through 2022 and 2023, IRDAI issued circulars on portability of cashless networks, standardisation of pre-authorisation forms, and mandatory empanelment criteria for network hospitals.

The IRDAI (Protection of Policyholders' Interests) Regulations, 2017, which apply across non-life and health insurance, set the framework for claim turnaround and grievance handling that TPAs must operationally deliver. Reimbursement claims must be decided within 30 days of receipt of all documents. Cashless requests for planned admissions must be decided within 6 working hours. Emergency cashless authorisations must be decided within 1 hour. These are not aspirations. They are enforceable regulatory standards, and a TPA's persistent breach is a reportable matter to IRDAI.

The most recent regulatory development is the IRDAI's master circular on health insurance products and services, refined through 2024 and 2025 iterations, which consolidates expectations around TPA operations including data handling under the Digital Personal Data Protection Act, 2023, network hospital empanelment fairness, and complaint resolution. Boards governing corporate group health programmes should diary the IRDAI website for the current master circular and ensure their TPA's compliance certifications align with the latest version.

Designing the Oversight Committee: Structure, Cadence, and Reporting Lines

The single most important governance design choice is to create a formal oversight committee for the group health programme rather than treating it as a routine HR or procurement function. The committee structure depends on company size, but the principles are constant.

For mid-market corporates with group health premium between INR 5 crore and INR 50 crore annually, the oversight committee should be chaired by the Chief Human Resources Officer with the Chief Financial Officer, the head of total rewards, and the broker as standing members. The committee should meet quarterly with a documented agenda, formal minutes, and a clear escalation path to the Risk Management Committee of the board for material issues. The CFO's presence is non-negotiable: TPA performance directly affects loss ratio and renewal economics, and treating the topic as purely HR loses the financial discipline that makes governance effective.

For large enterprises with premium above INR 50 crore, the oversight committee should report directly into the Risk Management Committee of the board, with the CHRO chairing the operating committee and the audit committee chair providing oversight on data and compliance matters. The internal audit function should conduct an annual TPA audit, separate from the insurance broker's renewal review. The two perspectives produce different insights, and both are valuable.

The oversight committee cadence should follow the claims cycle. The first meeting after renewal sets expectations, finalises the SLA scorecard, and approves the empanelment of network hospitals proposed by the TPA. The mid-year meeting reviews actual performance against SLA, escalates persistent failures, and addresses member grievances. The pre-renewal meeting reviews loss ratio, claim experience, and renewal strategy with the insurer. The post-renewal meeting closes the loop on outcomes and resets the scorecard for the new policy year.

Reporting lines deserve specific attention. The TPA reports operationally to the insurer under the IRDAI framework, not to the corporate. This means the corporate's influence is contractual through the insurer, not direct. The oversight committee should require the insurer's account manager to attend the quarterly meetings, with the TPA's account manager present as the operational owner. The accountability chain is corporate to insurer to TPA, and the meeting structure should reflect that.

Documentation matters. Minutes should record specific commitments, action owners, and target dates. SLA breach incidents should be documented with case numbers, employee identifiers (anonymised in board papers but tracked in detail at the operational level), and the corrective action taken. Six months of documented breach incidents without sustained corrective action is the threshold at which the oversight committee should formally escalate to the insurer's claims head with a written letter requesting either TPA replacement at the next renewal or specific remediation plans. Indian insurers respond meaningfully to written, documented escalation backed by data; verbal complaints rarely move the needle.

Risk Committee Action Items

Risk committees should ensure that the TPA contract includes specific board-level rights: the right to inspect TPA premises and systems on reasonable notice, the right to receive monthly SLA reports in a defined format, the right to terminate the contract on persistent SLA failure, and the right to require the appointment of an alternative TPA at the insurer's cost where the existing TPA's performance falls below a defined floor. These rights should be exercised, not merely documented.

SLA Scorecards: What to Measure and How to Score It

An SLA scorecard that measures the wrong things, or measures the right things in the wrong way, produces governance theatre rather than governance substance. Indian corporate group health programmes have evolved a set of metrics that, in combination, capture both the experience side and the financial side of TPA performance.

The member experience metrics start with cashless approval turnaround. The scorecard should measure the proportion of planned admission pre-authorisation requests decided within the IRDAI-mandated 6 working hours, the proportion of emergency cashless requests decided within 1 hour, and the proportion of enhancement requests during admission decided within 6 working hours. The scoring threshold should not be 'at the regulatory minimum'. For commercial corporate programmes, the realistic best-practice expectation is 95% or higher of requests decided within the regulatory window, with median turnaround sitting well below the window.

Reimbursement claim turnaround is the second core metric. The IRDAI 30-day window from complete documents is the regulatory floor. Best-in-class TPA performance for corporate programmes runs at median 12 to 15 days from complete documents to payment, with the 95th percentile within 25 days. The scorecard should separately track the proportion of reimbursement claims requiring additional information requests from members (the 'IR cycle' that delays settlement), because excessive IR requests are a leading indicator of either inadequate first-pass review or systematic effort to deflect claims.

Claim rejection rate and rejection reasons require careful tracking. The aggregate rejection rate should be benchmarked against the TPA's other corporate clients of similar size and industry. A rejection rate well above benchmark warrants investigation. Rejection reasons should be categorised: documentation deficiency, coverage exclusion, non-medical expense, pre-existing disease, waiting period. The category mix tells the oversight committee whether the TPA is rejecting legitimate claims on technicalities or whether the member population is filing claims that genuinely fall outside coverage.

Network hospital availability and admission experience are member-facing metrics. The scorecard should track the proportion of cashless authorisation requests at network hospitals that proceed without the hospital demanding additional deposits, the proportion of network hospitals that ultimately bill at agreed package rates, and the proportion of admissions where the discharge process is completed without member out-of-pocket payments beyond approved deductibles. Member surveys conducted independently of the TPA, ideally by the broker or by the corporate's internal employee experience function, are the most reliable source for these metrics.

Grievance and complaint metrics should track first response time, resolution time, and the proportion of complaints escalated to the insurer's grievance officer or the IRDAI grievance portal. A rising trend in IRDAI portal complaints is a leading indicator of broader service deterioration and should trigger an oversight committee escalation.

The financial metrics overlay the experience metrics. Loss ratio for the policy year, claim severity trends, claim frequency by category, and the proportion of claims falling under specific high-cost categories (oncology, cardiac, ICU) should be reported quarterly with year-on-year comparisons. The CFO's interest in these metrics is direct: they drive next year's premium.

The scoring methodology should produce a single composite score per quarter, with each metric weighted by importance. A common weighting puts cashless turnaround and reimbursement turnaround at the top (collectively 40 to 50% of the score), claim rejection rate and reasons at 15 to 20%, network and member experience at 15 to 20%, and grievance metrics at 10 to 15%. The composite score over four quarters becomes a key input to the renewal decision: a TPA scoring below 80 of 100 for two consecutive quarters should be a candidate for replacement at the next renewal cycle.

Conflict-of-Interest Controls: The Hidden Layer of TPA Governance

Conflicts of interest in the TPA business model are structural rather than incidental. The TPA is paid by the insurer per claim processed, often on a tiered structure that incentivises volume. The TPA's network hospital empanelment process involves negotiating rates with hospitals, and hospitals know that empanelment decisions affect their patient flow. The TPA's claim adjudication function operates with insurer-set rules that can be applied strictly or liberally. Each of these features creates conflict-of-interest pressure that, in the absence of explicit controls, can shift outcomes against members.

The first control is segregation of the empanelment function from the claims adjudication function. Within the TPA, the team that negotiates and decides hospital empanelment should be organisationally separate from the team that decides individual claims. Where the same team handles both, the risk emerges that hospitals seeking empanelment offer rate concessions in exchange for liberal claim approvals, or that claim approvals tighten when a hospital is in commercial dispute with the TPA. The oversight committee should ask the TPA to certify the segregation in writing and to describe the reporting lines that maintain it.

The second control is fee structure transparency. The corporate policyholder typically does not pay the TPA directly; the TPA fee is built into the premium. The oversight committee should obtain disclosure of the TPA fee structure, including any volume-based bonuses, success fees, or other variable compensation. A TPA paid solely per claim processed has different incentives from a TPA paid on a flat servicing fee. Neither structure is inherently wrong, but transparency is a precondition for understanding behaviour.

The third control is the hospital empanelment audit. The empanelled hospital list should be reviewed annually by the oversight committee with the broker. Hospitals that appear unusually frequently in member complaints, hospitals with high revisit rates suggesting under-treatment, and hospitals where the TPA has rate variances against industry benchmarks all warrant scrutiny. The oversight committee should have the right to request de-empanelment of specific hospitals and to require the addition of hospitals in geographies that are under-served.

The fourth control is the related-party check. Some Indian TPAs are subsidiaries or affiliates of insurer groups, hospital chains, or pharmaceutical distributors. These relationships are public and not inherently disqualifying, but they require disclosure and specific governance. The oversight committee should know whether the TPA is related to any of the insurer, the hospital network, or the diagnostic chain through which claims flow, and should adjust scrutiny accordingly.

The fifth control is the data access boundary. TPAs handle protected health information for thousands of employees. Under the Digital Personal Data Protection Act, 2023, the corporate policyholder has obligations as a data fiduciary, and the TPA acts as a data processor under contract. The TPA contract must specify data access controls, retention periods, breach notification timelines, and the rights of the corporate to audit data handling practices. Sales calls to employees from third parties claiming to be from the TPA or affiliated insurers, which surface periodically as member complaints, are an early indicator of data control failures and should trigger immediate investigation.

The Renewal Decision: When and How to Change TPAs

Most Indian corporate group health programmes renew annually with the same insurer and TPA combination for several years. Inertia is the dominant pattern, and inertia is not always wrong. A TPA that has built familiarity with the company's HR systems, claim history, and member demographics has operational depth that a new TPA must rebuild. The cost of switching TPAs is real: data migration, network re-empanelment, member communication, and the inevitable transition-period claim disputes.

The right framework for the renewal decision separates the insurer choice from the TPA choice from the broker choice. These are three different decisions that should be made independently, although they interact. The corporate can change insurer while keeping the broker. The corporate can change TPA while keeping the insurer (where the insurer offers a choice of TPAs from their panel). The corporate can re-tender the broker relationship while keeping the insurer and TPA stable.

The TPA change decision should be triggered by specific evidence, not by general dissatisfaction. The decision criteria typically include: SLA scorecard below the 80% composite threshold for two or more consecutive quarters, IRDAI grievance portal complaints exceeding a threshold relative to membership, persistent breach of regulatory turnaround standards documented in writing without effective remediation, material data security incidents not adequately responded to, or evidence of systematic claim rejection on technicalities that the insurer has been unwilling or unable to correct.

Where the change decision is made, the transition planning matters. The new TPA needs time to onboard, including network empanelment, IT integration with the corporate's HR system, and member communication. A six-month overlap between the decision and the effective date allows orderly transition. The exit terms with the outgoing TPA, including the handover of open claim files, the transfer of historical data, and the management of in-progress disputes, should be negotiated and documented before the formal notice is served.

Where the change decision is not made, the alternative is a documented improvement plan. The oversight committee should require the TPA to commit to specific performance improvements with measurable targets and quarterly review checkpoints. This formal improvement-plan path keeps the change option open if performance does not improve, while giving the existing TPA a structured opportunity to address the issues without disruption.

The broker's role in the TPA change decision is to provide market intelligence on TPA alternatives, to facilitate the conversation with the insurer where the insurer's TPA panel is constrained, and to manage the operational transition. Brokers who maintain working relationships with multiple TPAs across their book are best placed to advise specifically on which alternative TPA would suit the corporate's profile, employee distribution, and claim mix. To understand how data-driven TPA performance benchmarking can support your renewal decision, Request Access to Sarvada's broker intelligence platform.

Data Security and the DPDP Act 2023: TPA-Specific Obligations

The Digital Personal Data Protection Act, 2023 changes the legal foundation for TPA data handling in ways that corporate boards must understand. Under the Act, the corporate policyholder is a Data Fiduciary for employee personal data, including the protected health information that flows through the group health programme. The insurer is also a Data Fiduciary with respect to its own processing. The TPA acts as a Data Processor under contractual arrangement with the insurer.

The practical implications are significant. The corporate policyholder has direct legal obligations under Sections 4 to 11 of the Act, including the obligation to process personal data only for the purpose for which consent was given, to implement reasonable security safeguards, to notify the Data Protection Board of significant breaches, and to facilitate data principal rights including access, correction, and erasure. The corporate cannot delegate these obligations to the insurer or TPA. It can contractually require the TPA to implement specific controls, but the legal accountability under the Act remains with the corporate as Data Fiduciary.

The contract between the insurer and the TPA, and the side agreement between the corporate and the insurer, should explicitly address: the scope of personal data the TPA may access, the permitted purposes for processing, the duration for which data may be retained after the policy year, the security controls the TPA must implement (encryption at rest, encryption in transit, access controls, audit logging), the breach notification timeline (typically within 72 hours of TPA awareness for material breaches), the rights of the corporate to audit data handling, and the indemnity structure for data breach liability.

The operational controls deserve specific attention. Indian TPAs vary materially in data security maturity. Smaller TPAs operating with on-premise data centres and limited audit capability are higher-risk processors than larger TPAs with ISO 27001 certification, regular SOC 2 audits, and explicit data security teams. The oversight committee should require evidence of current certifications and should consider commissioning an independent data security audit of the TPA at least once during each multi-year engagement.

Member-facing controls also matter. Employees frequently report unsolicited calls from third parties claiming to be from the TPA or insurer, offering follow-up services, additional products, or asking for additional information. These calls are usually outright fraud or are commercial calls from affiliated entities that operate outside the consent framework. The TPA contract should explicitly prohibit the use of member personal data for any purpose other than the contracted health insurance services, with material penalties for breach. The corporate should set up a member-facing channel for reporting such calls, and should investigate any pattern that emerges.

Breach response planning is the last operational pillar. The corporate and the TPA should have a documented joint breach response plan that specifies notification flows, regulatory reporting obligations to the Data Protection Board and IRDAI, and member communication protocols. The plan should be tested annually through a tabletop exercise. The 72-hour notification window in the Act leaves no time for ad-hoc decision making after a real breach has occurred.

The Annual Governance Cycle: A 12-Month Calendar

Effective TPA governance is a calendar discipline, not an event. The oversight committee's work distributes across the policy year in a predictable rhythm, and codifying that rhythm into an annual calendar makes the difference between systematic governance and reactive firefighting.

Month 1 (immediately post-renewal): formal handover meeting with the insurer and TPA, finalisation of the SLA scorecard for the new policy year, sign-off on the network hospital list with any additions or deletions, employee communication on changes to coverage or process. The renewal documents (master policy, schedule, endorsements, TPA service agreement appendices) should be filed and indexed by the broker for committee reference.

Months 2 to 3: induction sessions for HR teams handling escalations, member education sessions on coverage and process, and the first month of operational data review to validate that the new policy year is performing to expectation. This is also when any teething issues from the renewal (incorrect member data, dependent coverage gaps, ID card issuance delays) should be identified and resolved before they accumulate.

Quarterly cadence (months 3, 6, 9, 12): oversight committee meeting with the SLA scorecard, claim experience review, grievance review, and forward-looking discussion of expected high-cost claims or claim mix shifts. The Q2 meeting should include a preliminary discussion of the renewal positioning that the broker will take to the insurer in advance of the next renewal cycle.

Month 6 (mid-year): full data-driven loss ratio projection for the policy year based on first-half experience, with corrective interventions where necessary. If the loss ratio is trending materially above expectation, the mid-year is the right point to assess whether mid-term policy changes, coverage adjustments, or wellness interventions are warranted.

Month 9: renewal strategy meeting. The broker should present a forward analysis of expected renewal pricing, the market alternatives, the case for staying with the current insurer and TPA versus the case for change, and the projected renewal scenarios. This is the point at which TPA change decisions are made, with sufficient runway for orderly transition planning.

Months 10 to 11: renewal execution with the insurer, TPA selection where change is being made, transition planning, member communication on any coverage changes, and finalisation of the new policy year SLA scorecard.

Month 12: closure of the outgoing policy year, including resolution of any pending claims that bridge the policy year boundary, settlement of any rebates or experience-rated adjustments, and the documented committee review of the full year's governance experience. The lessons captured here feed forward into the next year's oversight committee charter.

The calendar above is the minimum cadence. Corporates with premium above INR 100 crore typically run monthly operational reviews with the TPA in addition to the quarterly oversight committee meetings, and very large programmes (premium above INR 500 crore) typically have dedicated full-time corporate insurance teams whose work overlaps with but does not replace the board-level oversight discipline described in this guide. The principle is constant: TPA performance is a managed outcome, not a delegated function, and the boards that govern it actively produce meaningfully better outcomes than those that do not.

Frequently Asked Questions

Which Indian regulations primarily govern TPA conduct in commercial group health insurance?
The primary framework is the IRDAI (Third Party Administrators - Health Services) Regulations, 2016, which replaced the original 2001 regulations. The 2016 regulations cover licensing, capital adequacy at INR 4 crore minimum paid-up, fit-and-proper criteria for directors, compliance officer requirements, and operational service standards. These are supplemented by the IRDAI (Protection of Policyholders' Interests) Regulations, 2017, which set claim turnaround timelines, and successive IRDAI circulars on cashless service standards, network hospital empanelment, and grievance redressal. The Digital Personal Data Protection Act, 2023 adds data handling obligations that flow through to the TPA as a Data Processor under contract.
What is the right composition of a TPA oversight committee for a mid-market Indian corporate?
For corporates with group health premium between INR 5 crore and INR 50 crore annually, the committee should be chaired by the Chief Human Resources Officer with the Chief Financial Officer, the head of total rewards, and the broker as standing members. The insurer's account manager and the TPA's account manager should attend quarterly meetings. The committee should report into the Risk Management Committee of the board for material issues. The CFO's involvement is essential because TPA performance directly affects loss ratio and renewal economics, and treating the topic as purely HR loses the financial discipline that makes governance effective.
What SLA scorecard threshold should trigger a TPA replacement decision?
A composite SLA scorecard score below 80 of 100 for two or more consecutive quarters is a reasonable threshold for active TPA replacement consideration. The composite score should weight cashless turnaround and reimbursement turnaround at 40 to 50%, claim rejection rate and reasons at 15 to 20%, network and member experience at 15 to 20%, and grievance metrics at 10 to 15%. The decision should also factor in IRDAI grievance portal complaint trends, persistent breach of regulatory turnaround standards documented in writing, and any material data security incidents. Replacement should be planned with a six-month transition runway to avoid operational disruption.
How does the DPDP Act 2023 affect TPA contracts and corporate obligations?
Under the Digital Personal Data Protection Act 2023, the corporate policyholder is a Data Fiduciary for employee health data, with non-delegable obligations including purpose limitation, security safeguards, breach notification to the Data Protection Board, and facilitation of data principal rights. The TPA acts as a Data Processor under contract. The TPA contract must specify the scope of data access, permitted purposes, retention period, security controls including encryption at rest and in transit, breach notification timeline of typically 72 hours, audit rights for the corporate, and indemnity for breach liability. Corporates should also require evidence of TPA certifications such as ISO 27001 and consider commissioning an independent data security audit during multi-year engagements.
What conflict-of-interest controls should the oversight committee establish for the TPA relationship?
Five controls form the operational foundation. First, require segregation of hospital empanelment functions from individual claim adjudication functions within the TPA, with the segregation certified in writing. Second, obtain transparency on the TPA fee structure including any volume-based bonuses or success fees. Third, conduct an annual hospital empanelment audit with the broker, examining complaint patterns, revisit rates, and rate variances against industry benchmarks. Fourth, perform a related-party check on whether the TPA is affiliated with any insurer group, hospital chain, or diagnostic chain in the flow. Fifth, establish strict data access boundaries with explicit contractual prohibition on use of member data for purposes other than the contracted services.

Related Glossary Terms

Related Insurance Types

Related Industries

Related Articles

Sarvada

Ready to see Sarvada in action?

Explore the platform workflow or start a product conversation with our underwriting automation team.

Explore the platform