PBM Contract Pitfalls: A Call to Action for Self-Funded Plans

Pharmacy benefits have been at the forefront of media reports for the last few years—whether a new blockbuster drug, rising drug costs or even TrumpRx. But while the pharmacy benefits landscape has shifted over time, two key topics remain constant for any self-funded employee health benefit plan: the terms of the pharmacy benefits contract and audits of pharmacy benefit managers and other middlemen.

Matthew Modafferi

The Contract

While terms relating to pricing and rebates are important and will be discussed below, the standard contract provisions are nothing to gloss over. One of the most important boilerplate terms to pay attention to is the standard of care that applies to a pharmacy benefit manager or other service provider.

Terence Park

If you are reading this article and you are a benefits coordinator, you should know this without having to look it up in your contract. A service partner is an entity paid to handle and manage services on behalf of the plan and its participants. If that service partner does not want to be held to a fiduciary standard of care, then something is wrong. Essentially, what that PBM or service provider is saying is that “it will not act in your best interests.” Be wary of “partners” that want to expressly disclaim acting in your best interest.

The good news, though, is that the law holds service providers to a functional fiduciary test, meaning if the provider exercises authority or control over plan assets or exercises discretionary authority over plan administration, then that service provider, under the law (as opposed to the contract), is held to a fiduciary standard of care.

Another contract term that should not be overlooked is the provision for audits. What does the pharmacy benefits agreement say about transparency and audits? Again, you want a service partner to be transparent. Would you ever enter into a business venture with someone who hides all the financial data and keeps everything from you? Of course not. Self-funded plans and benefits coordinators want the ability to see the data and conduct audits so that they can meet their own fiduciary obligations to the plan and its beneficiaries. Failing to do so could result in liability to the plan.

It is critical that the contract allows for audits with no strings attached. What good is an audit that must take place in a closed-door room with no windows; no ability to take notes or make copies of relevant contracts or data; and as to which the auditor cannot share with the plan the tidbits of information that were reviewed while inside the room? Exaggeration aside, the point of an audit is to independently analyze the data to ensure accuracy and compliance.

Finally, pricing and rebates. There’s so much that can be said about pricing and rebates, so ask yourself these questions:

• What does your contract say about retail, mail-order and specialty drugs?
• What about specialty generics?
• Are your pricing terms only applicable if the drug is dispensed by an affiliated pharmacy?
• What does the contract say about spread pricing?
• How does the contract define rebates?
• Does the contract even mention a rebate aggregator?
• How does the rebate aggregator get paid? and
• Do you know how much the plan is paying in fees, including administrative fees, drug manufacturer fees, data fees and portal fees?

If the answer to any of these questions is unfavorable to the plan or even “I don’t know,” then it is time to review—and potentially renegotiate—your current pharmacy benefits agreement. If you did not negotiate the agreement to begin with—meaning it was a take-it-or-leave-it contract—then you are long overdue.

Meaningful Audits

Back to audits. Why meaningful? Because not all audits provide true visibility. That is the problem. Plan sponsors and benefits teams think that all is fine because their PBM requires a large accounting firm to verify the PBM’s numbers are accurate. But who is paying that auditor? Are you able to choose your own auditor? Auditors often are provided only the limited subset of information the PBM wants to share and are impeded in performing a meaningful audit. Employers owe it to their employees to conduct a meaningful audit.

Have you ever asked for data to meet your fiduciary responsibility and were told, “No, the data are confidential and proprietary”? Wait, the plan is not entitled to its own data? The PBM may take that position, but legally, the plan is entitled to its data. How else would it meet its duty to monitor service providers and defray unreasonable costs to the plan? The Employee Retirement Income Security Act presently prohibits group health plans from entering into agreements with third-party administrators or service providers that restrict the plan from accessing de-identified claims data upon request and sharing that information with business associates.

The prohibition also applies to downstream entities or affiliates that subcontract to perform work for the TPA or contracted service provider. Often the audit terms of a PBM contract are limited to simply an audit of the PBM, and the plan has no visibility into the PBM’s affiliates, including, for example, its affiliated specialty pharmacy and rebate aggregator. The law permits the plan to obtain such data. In fact, the CAA’s anti-gag prohibition applies even if the terms of an agreement state that the ability to share data with a plan’s business associate is at the discretion of the TPA or service provider. In other words, the plan cannot be restricted from accessing data and information from a subcontractor because the agreement between the service provider and the subcontractor has a term that stands in the way.

The law might say the plan is entitled to the data, but the quality of the audit, who conducts it and how it is conducted are just as critical. Auditors must be impartial, and the audits must be conducted by an independent third party (rather than an entity referred to you by a broker or consultant).

Which entity or entities is the auditor permitted to audit? Again, plan sponsors may only contract with service providers, like PBMs, if the PBM’s compensation is “reasonable,” as per Section 1108(b)(2)(A) of the U.S. Code. PBMs must disclose sources of direct and indirect compensation they receive for performing under the agreement and must include compensation received by the PBMs’ affiliates, subsidiaries and subcontractors.

Is that actually happening? In theory, yes—but in practice, it rarely does. Many plans have no visibility into what occurs behind a PBM’s internal structures and affiliates.

Recent Regulatory Efforts Only Go So Far

The recently enacted Consolidated Appropriation Act of 2026, which will not go into effect until 2028 or 2029, amended ERISA to require “covered service providers” (explicitly including PBMs and their affiliates) to disclose all direct and indirect compensation they receive from providing services to a plan, including manufacturer rebates, administrative fees, and discounts. Additionally, the Department of Labor recently issued a notice of a proposed rule that would impose reporting obligations on PBMs to disclose their compensation to plan sponsors, including manufacturer rebates/revenues, reimbursement spread and copay clawbacks (which occur when a patient’s copay exceeds the cost of the drug, in which case the PBM retains a portion or all of the copay rather than remitting it to the plan).

The DOL proposal has not yet been adopted and codified into the Code of Federal Regulations. However, a potential loophole that PBMs are certain to take advantage of is that the disclosure obligations fall solely on the “covered service provider,” defined as the entity that “has a contract or arrangement with the self-insured group health plan to provide any pharmacy benefit management services to that self[-]insured group health plan.” The DOL rule exempts affiliates, agents and subcontractors of the “covered service provider” from submitting their own disclosures and reports, which may result in incomplete and less robust disclosures.

The increased access to data and compensation disclosures under these pending and proposed laws should not lull plan sponsors into a false sense of security. The importance of the contract terms and meaningful audits remain paramount. Plan sponsors must remain vigilant, negotiate contract terms so that they are clear and avoid common pitfalls, and conduct regular audits to verify the accuracy of the data that PBMs make available to plans.

The Takeaways:

Negotiate better terms and ensure accountability; demand transparency and data; and conduct real, meaningful audits for compliance with law, not compliance with the PBM.

Employers, hear and heed the call to action. The law demands it.

Matthew J. Modafferi, a partner in Frier Levitt’s healthcare and life sciences litigation group, is a seasoned litigation and trial attorney with experience in health care law. Matthew is co-chair of Frier Levitt’s plan sponsor practice group that works with plan sponsors to ensure PBM compliance with contracts and ERISA.

Terence Park is an associate in Frier Levitt’s healthcare group. Terence is also a member of the firm’s plan sponsor practice group, which engages in audits, arbitrations and litigation against pharmacy benefit managers and similar entities.

This feature is to provide general information only, does not constitute legal or tax advice, and cannot be used or substituted for legal or tax advice. Any opinions of the author do not necessarily reflect the stance of ISS STOXX or its affiliates.