Employers that sponsor health plans will face a new layer of compliance risk under the Consolidated Appropriations Act of 2026, which imposes sweeping transparency and reporting rules on pharmacy benefit managers (PBMs).
The law aims to open up the "black box" of prescription drug pricing, but it also puts both self-insured and fully insured employers closer to the compliance line, with potential civil monetary penalties that can reach $10,000 per day for reporting failures and $100,000 per violation for knowingly providing false information.
At the core of the law are three major requirements that directly affect how employer health plans interact with PBMs:
- Full rebate pass-through: PBMs must pass 100% of rebates, discounts and other compensation back to the health plan.
- Detailed reporting: PBMs must provide semiannual reports outlining drug spending, utilization and compensation structures.
- Audit rights: Plan sponsors have the statutory right to audit PBM records at least annually.
These provisions are designed to give employers clearer insight into prescription drug costs, but they also create new fiduciary responsibilities.
How this affects employers
Self-insured employers, which contract directly with PBMs, will feel the most immediate impact. They must ensure they receive required reports, review them and make summary information available to plan participants. They must also document compliance efforts.
Employers that purchase fully insured plans are not off the hook. While carriers and PBMs handle much of the administration, the law still applies to the plan sponsor in certain cases, particularly around participant disclosures and ensuring compliance upstream.
The law does not clearly assign liability for penalties in all situations. As a result, PBMs and insurers may attempt to shift risk to employers through contract language.
Specifically, some PBM agreements may include indemnification provisions that require the employer to cover penalties — even if the PBM failed to meet its reporting obligations.
New risks
Employers should pay close attention to several emerging risks:
- Contractual liability: PBMs may try to transfer penalty exposure to plan sponsors.
- Reporting gaps: Failure to obtain or share required data could trigger fines.
- Notice requirements: Employers must inform plan members about available prescription drug data.
- Fiduciary exposure: Plan sponsors must act prudently in overseeing PBM arrangements.
Employers may avoid penalties if they can demonstrate a “good faith effort” to comply. That makes documentation critical.
What employers should do now
With most provisions taking effect in 2029 for calendar-year plans, employers have time to prepare:
- Review PBM contracts and renegotiate any indemnification clauses that shift compliance risk.
- Establish a compliance process to retain PBM reports and allow employees to request copies.
- Keep records of communications and efforts to obtain required data.
- Ensure summary benefit information and required notices include information on the new law.
- Work with us to better understand compliance issues.
- Notify participants about their right to access PBM plan-level summary data. We can help you integrate this into your next open enrollment or summary plan documents update.
Why this matters
The new PBM mandates are intended to reduce drug costs and improve transparency, but they also introduce a compliance burden that many employers are not equipped to handle alone.
Employers should not assume their PBM or insurance carrier is managing all aspects of compliance. Ultimately, plan sponsors bear fiduciary responsibility for their health plans.
That makes it critical to work closely with a knowledgeable benefits advisor like us who can help review contracts, interpret reporting requirements and ensure that your plan remains compliant as these rules take effect.