Why Most Employers Have Never Audited Their PBM
Most self-funded employers have never audited their PBM. Not because they do not care about the cost of their pharmacy benefit, but because the process seemed opaque, the contract terms seemed final, and the PBM's own reporting seemed sufficient. None of those assumptions hold up under scrutiny in 2026.
ERISA requires plan fiduciaries to act with the care of a knowledgeable expert. CAA 2026 gives fiduciaries the legal tools to see PBM compensation and audit PBM behavior. Using those tools is now an obligation, not an option. A self-funded employer that has the right to audit its PBM and never exercises that right is not acting with the diligence the law requires.
This guide gives plan sponsors a practical framework for conducting a meaningful PBM audit. It is not a legal opinion. It is a step-by-step process that a benefits director or plan trustee can follow to evaluate the current arrangement and document the review.
Step 1: Request the CAA 2021 and CAA 2026 Disclosures
The Consolidated Appropriations Act of 2021 already requires PBMs to disclose direct and indirect compensation to self-insured ERISA plans. CAA 2026 expands and strengthens those requirements. Start by formally requesting all required disclosures from your PBM in writing.
The request should cover all direct compensation paid by the plan to the PBM, all indirect compensation received by the PBM from manufacturers, rebate aggregators, or other third parties in connection with the plan, formulary placement fees and incentives, spread pricing amounts if applicable, and any compensation paid to affiliated entities including pharmacies owned by or related to the PBM.
Send the request on letterhead with a specific response deadline. Document the date of the request and the response received. If the PBM refuses, provides incomplete information, or asks for an extension beyond a reasonable period, that is itself a finding worth documenting. A PBM that cannot or will not disclose its compensation structure to the plan fiduciary is raising a material compliance question.
Step 2: Analyze the All-In Cost of Your Highest-Cost Drugs
Pull your claims data for the top 20 high-cost drugs by total plan spend. For each drug, calculate the all-in cost to the plan including the amount paid to the pharmacy, the administrative fee paid to the PBM, and any spread captured by the PBM. If your PBM uses spread pricing, the amount the PBM charges the plan may be higher than the amount the PBM pays the pharmacy. That difference is PBM revenue that does not appear as a line item on most standard reports.
Then compare that all-in cost to the available alternatives. Manufacturer-direct pricing programs now exist for many high-cost specialty drugs and GLP-1 medications. Independent pharmacy pricing may differ from PBM network pricing. Other supply channels your PBM has not evaluated may offer lower net costs for specific drugs.
The goal of this analysis is not necessarily to find that your PBM is overcharging you. The goal is to document that you compared available options and made a reasoned decision. If you find a lower-cost alternative and can document why you chose not to use it, perhaps because of clinical considerations, member disruption, or contract obligations, that is a defensible ERISA fiduciary position. If you find a lower-cost alternative and have no documented rationale for staying with the current channel, that is a fiduciary exposure that needs to be addressed.
Step 3: Review Your Contract for Conflict-of-Interest Provisions
Read your PBM contract specifically looking for provisions that create financial conflicts of interest. Four categories of provisions warrant close attention.
Exclusivity provisions that require all prescriptions to be routed through the PBM's network, preventing the plan from evaluating or using alternative channels for specific drugs.
Performance guarantees that measure aggregate outcomes such as total rebate dollars or average discount percentage rather than per-prescription routing quality.
Provisions that allow the PBM to retain any portion of manufacturer rebates, which CAA 2026 prohibits for ERISA plans after the effective date.
Audit restrictions that limit the plan's ability to verify PBM compensation claims, cap the frequency of audits, or impose unreasonable conditions on the audit process.
Each of these provisions warrants scrutiny at the next renewal negotiation. Some may need to be renegotiated immediately if they conflict with the plan's fiduciary obligations. Document your review and the specific provisions you identified, along with your assessment of whether each provision serves the plan's interest or the PBM's interest.
Step 4: Evaluate Per-Prescription Documentation
Ask your PBM to provide a decision-level record for ten specific high-cost prescriptions from the past quarter. Select prescriptions across different drug categories and different fulfillment channels. The record should show which channels were evaluated for each prescription, what the net cost was in each channel, and why the winning channel was selected.
This is the most revealing step in the PBM audit. Most PBMs cannot produce this documentation because their systems were not built to generate it. PBM reporting is designed to show aggregate outcomes across a population, not individual routing decisions. The PBM can tell you that it processed a specific prescription and what it charged the plan. It typically cannot tell you what other channels were available for that prescription, what the cost would have been in each alternative channel, and why the PBM's channel was selected.
If the PBM cannot produce decision-level documentation, you have identified a material gap in your fiduciary oversight capability. Aggregate reporting showing population-level savings does not substitute for per-prescription records under ERISA's prudent expert standard. The absence of this documentation does not mean the PBM acted improperly. It means you cannot prove it acted properly, and under ERISA, that distinction carries legal weight.
Step 5: Document Your Process
The audit process itself must be documented. Keep records of every disclosure request, every response received, every analysis you conducted, and every decision you made as a result. If a regulator, a plaintiff's attorney, or a plan participant ever asks how a specific pharmacy benefit decision was made, your documentation is your defense.
The standard is not perfection. It is a demonstrable, good-faith effort to act in the interest of plan participants with the care of a knowledgeable expert. An employer that conducted a structured PBM audit, identified gaps, and took proportional action is in a strong fiduciary position regardless of whether every decision was optimal. An employer that never looked is in a weak position regardless of how good the PBM's aggregate numbers appear.
Create a written summary of the audit findings, the actions taken or planned, and the timeline for follow-up. Present the summary to the plan's fiduciary committee or equivalent body and record the discussion and any decisions made.
What to Do With What You Find
Most plan sponsors who conduct a genuine PBM audit find at least one material gap. The response should be proportional to the finding.
Minor gaps, such as incomplete reporting on a low-cost drug category, can be addressed at the next contract renewal through updated reporting requirements. Material gaps warrant more immediate action. A finding that the PBM is routing high-cost prescriptions to its own specialty pharmacy at a cost materially above available alternatives, without disclosure or documented rationale, is a material finding. The response might include renegotiating specific contract provisions to eliminate the routing conflict, implementing an independent routing layer for the targeted high-cost drugs where the gap is most significant, or in serious cases issuing a request for proposal for a new PBM arrangement.
Document the findings and the response regardless of what you decide. The fiduciary record is not just the audit. It is the audit plus the response plus the documented rationale for the chosen course of action. A self-funded employer that found a problem and took documented, proportional action is demonstrating exactly the kind of prudent oversight that ERISA requires.
Filling the Documentation Gap
The most common finding in a PBM audit is the absence of decision-level documentation for individual prescriptions. ApalyRx is the independent routing platform that fills that gap, producing a complete per-prescription record for every in-scope drug showing which channels were evaluated, what the cost was in each, and why the selected channel was chosen. For self-funded employers ready to strengthen their fiduciary position, learn how the platform works. For the structural standard behind independent routing, read the Drug Benefit Integrity standard.