It’s been a busy week in the nation’s capital. On Tuesday, the president signed into law the Consolidated Appropriations Act, 2026 (CAA 2026), which includes extensive new federal reforms for pharmacy benefit managers (PBMs) effective for plan years beginning on or after 30 months from Feb. 3, 2026 (or Jan. 1, 2029 for calendar year plans).
This comes on the heels of proposed regulations issued by the Department of Labor’s Employee Benefits Security Administration (EBSA) that, if finalized as written, would significantly expand ERISA disclosure requirements for PBMs and affiliated brokerage/consulting providers. This alert includes a brief discussion of the similarities and differences between the CAA 2026 reform provisions and the proposed regulations. For more information on the specifics of the DOL’s proposed regulations, refer to Lockton’s Compliance Insights guide. We also encourage employer plan sponsors to submit comments to the proposed regulations as noted later in this alert.
With the skyrocketing costs of health care and increased pharmacy spending, the implementation of new PBM reforms was expected. No immediate action is required, but employers should be prepared for restructuring of PBM contracts, reporting and oversight governance. Many of the CAA 2026 reforms are incorporated into ERISA, the Public Health Service Act, and the Internal Revenue Code, and will impact all employer plan sponsors, not just ERISA plan fiduciaries. Provisions specific to ERISA plans are identified in this alert.
Executive Summary
The PBM reforms focus on transparency, access to data and participant rights. No specific action is required for plan sponsors at this time; however, as discussed below, plan sponsors may want to consider taking actions to prepare for these reforms and submitting comments to the agencies’ proposed regulations. Once effective, PBMs, plan sponsors and carriers will face strict reporting and disclosure standards, and substantial civil penalties for noncompliance. The increased visibility into PBM operations reinforces the need for strong plan oversight and, for ERISA plans, fiduciary governance.
LOCKTON COMMENT: CAA 2026 also includes PBM transparency requirements for PBMs contracting with Medicare Part D prescription drug plans, including reporting obligations and compensation disclosures. This alert will not detail these requirements. While the Medicare Part D (Rx) transparency rules do not directly regulate employer group health plans, there are concerns that PBMs may shift lost revenue into the commercial market. While the risk exists, the internal changes needed by the PBMs will likely provide better visibility into pricing and rebates, offering new leverage to plan sponsors and increasing fiduciary expectations.
PBM contract restrictions
Contract terms may not restrict or delay disclosure of compensation, fees, or information tied to manufacturer and pharmacy payments. For plan years beginning on or after 30 months from Feb. 3, 2026 (or Jan. 1, 2029 for calendar year plans), plans and insurance carriers may not enter into, renew, or extend PBM contracts unless the PBM agrees to provide all data necessary for federal reporting.
LOCKTON COMMENT: This is in essence a doubling down on the gag clause prohibition already in place. These expanded contract restriction provisions will likely give rise to PBM contract revisions or renegotiation, and may result in increased fees associated with PBM compliance. PBM contracts should include provisions requiring the PBM to comply with all applicable requirements and to respond to participant requests for their claim-specific information in a timely manner. Plan sponsors will want to carefully review their PBM contracts using pharmacy subject-matter experts.
PBM reporting requirements
The new law imposes two types of reporting requirements on PBMs:
Drug-level reporting is required for large self-funded employers (those with 100 or more employees) along with large fully insured employers that opt in annually; and
Plan-level summary information for all group health plans (regardless of size).
HIPAA privacy and security rules apply to these reports (including the use and disclosure restrictions) and they may only contain summary health information.
A standardized report format will be created for plans affiliated with manufacturers or wholesalers to prevent anti-competitive behavior.
Drug-level reporting
For large employers, PBMs must submit comprehensive drug-level reports to self-funded plan sponsors and insurance carriers (at least every six months, or quarterly if a plan requests). Large, fully insured employers may also receive the drug-level reporting by opting in annually. The reports must be in plain language and a machine-readable format. For every drug where claims were submitted (including high-cost drugs), the report must include extensive data with respect to such drugs, including but not limited to:
total net spending by the plan and out-of-pocket costs by participants
all compensation paid by the plan to the PBM and all compensation paid by the PBM to pharmacies (as well as the spread amount)
total rebates, fees, and other remuneration received by the plan and PBM
dispensing channel (including retail, mail order or specialty pharmacy)
brand/generic status along with benchmark price
total remuneration provided by drug manufacturers to participants (e.g., copay assistance, etc.)
a description of formulary tiers and utilization management used by therapeutic class
information on affiliated pharmacies (including plan design steerage features, prices versus non-affiliates, net acquisition costs)
LOCKTON COMMENT: Large employers are defined as those who employed 100 or more employees during the prior calendar year or plan year and who employ at least one employee on the first day of the calendar year or plan year. Large, fully insured plans may want to opt-in annually to receive the drug-level reporting from PBMs. More information from fully insured carriers regarding what type of information may be shared from the carrier to the group health plan (as well as specifics around the opt-in process from the regulators, carriers and/or PBMs) would be welcome.
Plan-level summary
PBMs must also provide plan-level summary information on the drug-level reporting to all group health plans (regardless of size). This includes information such as gross and net spending, rebates expected, amounts paid directly or indirectly in rebates, fees, or compensation to brokerage firms for referrals, and pharmacy steering mechanisms. Additionally, PBMs must provide:
A summary document for the group health plan summarizing the information required in the drug-level reports as well as information that the Secretaries determine useful to group health plans to select PBMs (e.g., cost per claim, fee structure or reimbursement model, etc.).
A summary document containing aggregate information that plans can provide to participants upon request (with a statement that participants may request their specific, claims-level information from the group health plan).
LOCKTON COMMENT: Employers, plan sponsors, and consultants have long sought the transparency and data access required in these reports. The required reporting is more detailed and more frequent than the existing annual RxDC reporting requirements. PBMs will likely need to implement internal changes to facilitate these required reports. Access to this information will not only help inform plan decision making, but it heightens the need for plan sponsors to implement strong oversight and, for ERISA plans, prudent fiduciary governance practices if they have not already done so. And, as we have already seen, with increased transparency also comes further litigation. Lockton clients have free access to the Lockton fiduciary governance checklist. This checklist provides templates and a road map to assist in implementing a fiduciary governance process, and can be used by non-ERISA plan sponsors to develop strong plan oversight processes. For more information, please contact your Lockton account team.
Annual notice requirement
Group health plans must provide an annual notice to participants regarding PBM reporting obligations. This notice can be incorporated into the plan documents or be provided as a separate, stand-alone notice.
LOCKTON COMMENT: We anticipate the agencies will issue a template notice that plan sponsors can use to satisfy this requirement. Plan sponsors may want to include this new notice in their annual notice packet.
Participant rights
Participants may request the plan’s drug-level summary document and claim-specific prescription information regarding the participant’s claims from the group health plan.
LOCKTON COMMENT: The participant rights contained in CAA 2026 extend transparency of drug-level data to participants and give individuals visibility regarding their own prescriptions. Currently, participant access to cost information is through the required price-comparison tools. This is good news for participants, but it may also give rise to another wave of ERISA litigation related to fiduciary duties and PBM contracts. When CAA 2026 becomes effective, employers need to be prepared to respond to requests from participants for summary documents and to document the same. We anticipate that regulations implementing these reforms will provide more details regarding the deadlines to respond to participant requests. Clarity is also needed regarding the process for participant requests for their claim-specific information (i.e., does the group health plan facilitate the request as an intermediary or should participants be directed to PBMs for such requests). It will be important that the process for requesting claim-specific information exclude plan sponsors to avoid triggering HIPAA compliance concerns.
Reporting and disclosure enforcement and penalties
There are significant civil monetary penalties associated with the reporting requirements:
$10,000 per day where a group health plan, insurance carrier or PBM fails to provide required information; and
$100,000 where a group health plan, insurance carrier or PBM knowingly provides false information (per item).
LOCKTON COMMENT: The substantial nature of these penalties reflects the increased emphasis on ensuring transparency regarding PBM services. These penalties can be waived for good-faith efforts to comply, so plan sponsors will want to ensure they document their good-faith efforts to provide the required notice and plan-level summary information. Moreover, it’s possible that PBMs will insert new indemnification provisions shifting any penalties imposed on PBMs to plan sponsors. With that in mind, we recommend that indemnification provisions in PBM service contracts be carefully reviewed. Furthermore, plan sponsors will want to ensure contracts include indemnification of any penalties imposed due to a PBM’s noncompliance, such as by failing to provide the summary document the plan must provide participants or failing to respond to participant requests for their claim-specific information.
PBM reforms specific only to ERISA plans
CAA 2026 also includes reforms specific to ERISA group health plans (applicable to both fully insured and self-funded plans). These include 100% rebate pass‑through, compensation disclosures, and annual audit requirements.
First, any PBM contract entered into, renewed, or extended for plan years beginning on or after the date that is 30 months after Feb. 3, 2026 (or Jan. 1, 2029 for calendar year plans), must provide for 100% pass-through of rebates, fees, alternative discounts, and other remuneration from any applicable entity related to drug utilization or spending. PBMs must remit these funds on a quarterly basis (no later than 90 days after the end of the quarter) and rebate underpayments must be corrected within 90 days after notice. If the ERISA plan is self-funded, funds are remitted to the group health plan. If the ERISA plan is fully insured, funds are remitted to the insurance carrier on behalf of the plan. Contracts on or after the above date will not be considered reasonable without a 100% pass-through requirement. Rebate aggregators (and applicable group purchasing organizations) are required to remit rebates to PBMs no later than 45 days after the end of the quarter so that the PBM can meet their remittance obligations under the law.
LOCKTON COMMENT: ERISA requires that plan fiduciaries follow plan terms and use plan assets solely for the benefit of the plan and its participants and beneficiaries. Whether rebates are considered plan assets for a contributory plan is a legal question and will require fiduciary discretion on how to handle the rebate. Relying on the DOL’s medical loss ratio (MLR) rebate guidance, the answer may depend on the terms of the plan. For example, a plan might provide that rebates will not be plan assets and will be retained by the employer (but in the unlikely event the rebate exceeds the total amounts paid by the employer for medical coverage, the excess will not then be retained and will be treated as plan assets). Now is a good time for plan sponsors to review plan document provisions regarding handling of rebates and consult with legal counsel if the plan terms are unclear or silent.
Second, the definition of “covered service provider” is broadened under the ERISA compensation disclosure rules to include PBMs and other service providers (e.g., TPAs, etc.) providing services to the group health plan. As a reminder, ERISA requires a covered service provider to provide a disclosure to group health plans of all compensation (direct and indirect) received by the covered service provider. A PBM acting indirectly through a carrier or TPA may qualify for an exemption if it meets the relief requirements, including full rebate pass-through.
LOCKTON COMMENT: By way of background, under ERISA, certain transactions between a plan and a party-in-interest, which includes service providers, are generally prohibited. But to allow a plan to operate, ERISA allows plans to contract for various services as long as the contracts, including remuneration, are reasonable. It is the plan fiduciaries’ obligation to ensure that reasonableness.
This new obligation for PBMs to disclose direct and indirect compensation allows plan fiduciaries to determine whether the contract, including the compensation paid, is reasonable. Failure on the part of plan fiduciaries to receive the required disclosure means the contract is not reasonable under ERISA (and thus the arrangement would be deemed a prohibited transaction), subject to ERISA’s innocent plan fiduciary exception. Plans should retain all PBM reports and documentation to demonstrate compliance. If a PBM or other covered service provider does not provide the required disclosure, fiduciaries should make written requests for the required disclosures.
Third, CAA 2026 adds an audit component requiring that PBM records of rebates, fees, alternative discounts, other remuneration and disclosures be available to group health plans (or plan sponsors, carriers, or a designated third-party) for audit not less than once per year. Auditors must be chosen by plan fiduciaries and not paid for by the PBM. TPAs, carriers, and PBMs must make rebate contracts with manufacturers or rebate aggregators available for audit (subject to confidentiality restrictions).
LOCKTON COMMENT: The expanded transparency and audit provisions give ERISA group health plans stronger tools to ensure contract compliance and fair market value for services. These changes underscore the importance of updating the approach to performing reconciliations and rebate audits, so they align with the new requirements.
CAA 2026 vs. DOL proposed regulations
In advance of the passage of CAA 2026, the DOL published proposed rules that would implement comprehensive federal disclosure requirements for providers of PBM services and their affiliates to disclose all forms of direct and indirect compensation, pricing methodologies, and formulary-related incentives to fiduciaries of ERISA-covered self-funded group health plans. If the regulations are finalized, these changes would become effective for plan years on or after July 1, 2026 (or Jan. 1, 2027 for calendar year plans). Plan sponsors currently do not need to take any action regarding these proposed rules. Lockton Compliance Consulting will monitor changes and provide updates as they occur.
LOCKTON COMMENT: The proposed regulations were issued prior to the passage of CAA 2026 and appear to be DOL action to ensure the disclosure and audit requirements for ERISA plans were implemented in the event the PBM reform provisions did not make the final cut in the CAA 2026.
CAA 2026 and the DOL proposed rules have some similarities and overlap (like the audit provisions and data elements that must be reported/disclosed), but there are also some distinct differences. Note: if the regulations overstep the DOL’s authority (since the proposed regulations were issued prior to the passage of CAA 2026), litigants may attempt to challenge those regulations in court pursuant to the Loper v. Bright decision overturning the Chevron doctrine, as noted in Lockton’s July 2024 alert. Notably, the two have differing effective dates as the proposed regulations include a much earlier effective date than the CAA 2026. Additional distinctions include but are not limited to:
The proposed regulations include a requirement for compensation disclosures to plan sponsors every six months, while the CAA 2026 follows existing compensation disclosure timing requirements. The CAA 2026 does require drug-level reporting to plan sponsors on at least a six-month basis (and some information required is similar to the information required under the proposed regulations) with employers having the option to receive reporting quarterly.
CAA 2026 includes significant statutory civil monetary penalties and the proposed rules rely on ERISA’s prohibited transaction penalties.
CAA 2026 requires an annual notice to participants regarding PBM reporting obligations (there is no such notice in proposed regulations).
The reporting requirements, summary information for participants, and notice requirements in CAA 2026 are incorporated into ERISA, the Public Health Service Act, and the Internal Revenue Code. The proposed regulations only apply to ERISA plans.
The DOL is currently seeking comments on the proposed regulations. Lockton will submit comments with our recommendations to encourage seamless implementation of the PBM reforms, as well as highlight concerns related to plan sponsor pharmacy costs, contract terms and PBMs shifting liability for civil monetary penalties through service contract provisions. Plan sponsors are also encouraged to submit comments on these issues and concerns they may have on the proposed regulations. Comments from stakeholders help further shape the finalization of implementing regulations.
Conclusion
The CAA 2026 PBM reforms, coupled with the DOL’s proposed regulations, represent significant and comprehensive federal oversight on PBMs. That being said, many details around these reforms must be sorted out through implementing regulations. Fortunately, ERISA plan fiduciaries may not need to wait long to get clarity on the law’s requirements with DOL’s proposed interpretations already on the street. While specific questions remain, what we know so far highlights the importance of strong oversight and, for ERISA plans, prudent fiduciary governance. Lockton’s Compliance Consulting and Pharmacy teams will continue to monitor and provide regulatory updates, including a webcast in the near future.
Not legal advice: Nothing in this alert should be construed as legal advice. Lockton may not be considered your legal counsel, and communications with Lockton's Compliance Consulting group are not privileged under the attorney-client privilege.


