PBM Fiduciary Compliance
The regulatory landscape for pharmacy benefits has shifted dramatically. The Consolidated Appropriations Act of 2026 now treats PBMs as covered service providers under ERISA. The Department of Labor has proposed requiring detailed PBM compensation disclosures. State laws are imposing fiduciary duties on PBMs directly. And ERISA litigation against plan sponsors - J&J, Wells Fargo, JPMorgan - is accelerating. For self-funded employers, the question is no longer whether to oversee PBM arrangements, but how to prove that oversight is happening.
The New Regulatory Landscape
Consolidated Appropriations Act of 2026
Signed into law on February 3, 2026, the CAA 2026 includes the most significant PBM reform provisions in decades. Key requirements for employer-sponsored plans include:
PBMs are now classified as "covered service providers" under ERISA Section 408(b)(2), requiring disclosure of all direct and indirect compensation. Compensation must be "reasonable" for the arrangement to qualify for the statutory prohibited transaction exemption. Plans must receive 100% pass-through of rebates and other remuneration, with limited exceptions for bona fide service fees. PBMs must provide detailed semiannual reporting on drug pricing, spread pricing, rebates, and compensation. Noncompliance penalties include up to $10,000 per day for late reporting and up to $100,000 for knowingly providing false information.
DOL Proposed Rule on PBM Disclosure
The Department of Labor has proposed requiring PBMs - and affiliated brokers and consultants - to disclose detailed information about their direct and indirect compensation to plan fiduciaries. The rule would also strengthen audit rights, giving plan fiduciaries the ability to verify whether PBM disclosures match actual revenue and compensation practices.
State PBM Fiduciary Laws
States are moving independently. California's SB 41, effective January 2026, imposes an explicit fiduciary duty on PBMs toward their payer clients, prohibits spread pricing, mandates rebate pass-through, and requires state licensure. Arkansas banned PBM pharmacy ownership. Colorado and other states have enacted delinking laws. These state provisions apply to both fully insured and self-funded plans in many cases, though ERISA preemption questions remain for self-funded employer plans.
ERISA Litigation
Recent lawsuits have put plan sponsors on notice. In the J&J case, an employee-participant alleged the company breached fiduciary duties by allowing its PBM to steer prescriptions to PBM-owned mail-order pharmacies at inflated prices. The Wells Fargo case raised similar allegations - the PBM charged the plan up to 15 times the cash price for covered drugs. JPMorgan faces claims that it failed to monitor PBM contracts despite having access to market benchmarks. These cases signal that courts are increasingly willing to scrutinize plan sponsors' PBM oversight practices.
What Fiduciary Duty Actually Requires
Under ERISA, plan fiduciaries must meet four core obligations:
Loyalty - Act solely in the interest of plan participants and beneficiaries.
Prudence - Use care, skill, and diligence that a prudent person in a similar situation would exercise. This is a process standard, not an outcome standard - the question is whether the fiduciary's decision-making process was reasonable, not whether the outcome was optimal.
Reasonableness - Ensure that fees and compensation paid for plan services are reasonable.
Plan compliance - Follow the terms of plan documents.
For pharmacy benefits specifically, these duties translate into concrete obligations. Plan sponsors must actively monitor PBM performance - not just at contract negotiation, but on an ongoing basis. They must evaluate whether PBM compensation is reasonable in light of services provided. They must assess whether routing decisions serve the plan's interest. And they must document their oversight activities.
Outsourcing plan operations to a PBM does not eliminate fiduciary liability. Plan sponsors remain responsible for overseeing their vendors.
The Gap Between Transparency and Compliance
CAA 2026 and the DOL proposed rule give plan sponsors more visibility into PBM operations than ever before. Semiannual reporting, compensation disclosure, rebate pass-through requirements - these are meaningful reforms.
But visibility alone does not satisfy fiduciary prudence. Receiving a report is not the same as verifying its accuracy. Knowing what the PBM charged is not the same as proving the charge was reasonable. Seeing aggregate savings data is not the same as confirming that each individual routing decision was optimal.
Consider the analogy to financial auditing. A company's CFO receives financial statements from its accounting department. But the existence of those statements does not satisfy the company's audit obligations. An independent auditor must verify that the statements are accurate and that internal controls are functioning.
Pharmacy benefits have the statements - PBM reports, rebate reconciliations, performance guarantees. What they lack is the independent verification.
A Practical Framework for Fiduciary Compliance
Based on the current regulatory landscape and litigation trends, plan sponsors should consider the following framework:
1. Review and Renegotiate PBM Contracts
Ensure contracts include broad audit rights, unrestricted data access, compensation disclosure requirements consistent with CAA 2026, and 100% rebate pass-through language. Remove any provisions that limit the plan's ability to verify PBM performance.
2. Demand and Review Semiannual Reports
Under CAA 2026, PBMs must provide detailed reporting. Plan sponsors must actually review these reports - receiving them is not sufficient. Assess drug-level pricing, spread between plan charges and pharmacy reimbursement, rebate amounts, and total PBM compensation.
3. Conduct Independent Audits
PBM self-reporting is necessary but not sufficient. Engage independent auditors - not auditors recommended by the PBM - to verify that reported data matches actual claims, rebates, and compensation. Audit rights should be exercised regularly, not just when problems are suspected.
4. Evaluate Channel Independence
Assess whether your PBM's routing decisions are influenced by channel ownership. If the PBM owns specialty, mail-order, and retail pharmacies, the plan sponsor should verify that routing decisions are based on lowest net cost to the plan, not PBM channel revenue.
5. Implement Decision-Level Verification
The strongest demonstration of fiduciary prudence is per-prescription documentation showing that each routing decision was evaluated across all available channels and directed to the lowest net cost option. This decision-level evidence provides the specific, granular proof that aggregate reports cannot.
6. Document Everything
Maintain a record of all fiduciary activities - PBM reviews, audit findings, contract negotiations, vendor evaluations, and corrective actions. In ERISA litigation, the court evaluates the process the fiduciary followed, not just the outcome achieved. A well-documented oversight process is the strongest defense.
How Decision-Level Verification Closes the Gap
Decision-level verification is the bridge between transparency (seeing data) and integrity (proving decisions were sound). For each prescription, it provides:
A record of every channel evaluated - including channels the PBM may have excluded from its own analysis. The actual net cost in each channel - not an estimate, not an average, but the real cost based on current pricing. The rules that were applied - formulary status, prior authorization requirements, cost-share design. The routing rationale - why the selected channel was chosen. A complete financial reconciliation - what was billed, what was paid, what the member contributed.
This documentation exists at the individual prescription level, not in aggregate. It can be audited on a per-script basis. And because it is produced by an independent entity with no ownership in any dispensing channel, it is structurally free of the conflicts that compromise PBM self-reporting.
For plan fiduciaries, decision-level verification transforms compliance from "we trusted our PBM and reviewed their reports" to "we have independent, per-decision proof that every high-cost prescription was routed to the lowest net cost."
Frequently Asked Questions
CAA 2026 classifies PBMs as covered service providers under ERISA Section 408(b)(2), requiring them to disclose all compensation, pass through 100% of rebates, and provide detailed semiannual reporting. Noncompliance carries penalties up to $10,000 per day.
CAA 2026 does not explicitly designate PBMs as ERISA fiduciaries, but it treats them as covered service providers subject to compensation disclosure and reasonableness requirements. The practical effect is that PBM oversight is now a statutory obligation of plan fiduciaries, not just a contractual negotiation.
CAA 2026 includes a provision that may shield plan fiduciaries from breach if they did not know of a PBM's failure to remit rebates, reasonably believed compliance would occur, took written steps to compel remittance, and notified the DOL if the PBM failed to comply within 90 days. This does not eliminate general ERISA prudence obligations.
It provides per-prescription evidence that each routing decision was evaluated across all channels and directed to the lowest net cost. This is the strongest form of fiduciary documentation - specific, auditable proof rather than aggregate PBM reports.
Yes. Recent lawsuits against J&J, Wells Fargo, and JPMorgan allege that plan sponsors breached fiduciary duties by failing to oversee PBM routing and pricing. Courts are increasingly willing to let these cases proceed.
Review your PBM contract for audit rights and compensation disclosure language consistent with CAA 2026. Demand semiannual reports. Engage independent auditors. Evaluate whether your PBM's channel ownership creates routing conflicts. Consider implementing decision-level verification for high-cost prescriptions.
Strengthen Your Fiduciary Position
ApalyRx provides independent, decision-level verification for every high-cost prescription - the documentation plan sponsors need to demonstrate prudent oversight.
Request a Conversation