How does a plan sponsor audit its pharmacy benefits if the pharmacy benefits manager (PBM) restricts access to data? Why does the PBM contract limit a plan’s access to data and the right to conduct a meaningful audit? How can a plan sponsor fulfill its fiduciary duty to its members without the data?
These are questions that the Consolidated Appropriations Act of 2021 (CAA) seeks to resolve. Plan sponsors need to understand the CAA and demand access to the information and data.
Recommended For You
The CAA amended the Employee Retirement Income Security Act (“ERISA”) by prohibiting group health plans from entering into an agreement with health care providers, a third-party administrator (TPA), or other service provider that restricts the plan from accessing de-identified claims data upon request and sharing such information with a business associate.
The CAA’s Gag Clause Prohibition has caused confusion. Plans take a broad view of the gag clause prohibition, while service providers take a narrow view. PBMs and their rebate aggregators have contract terms that violate the “gag clause” by limiting and, in some instances, avoiding the production of data. For several years after the CAA was enacted, there was no clear guidance from the U.S. Department of Health and Human Services (HHS) regarding the interpretation and scope of the Gag Clause Prohibition.
However, the Department of Labor, Health and Human Services, the Treasury and Office of Personnel Management recently issued frequently asked questions (FAQs) to provide guidance regarding the Gag Clause Prohibition.
Key takeaways for plan sponsors
The FAQs have three important takeaways for plan sponsors:
- The prohibition applies to downstream entities or affiliates that subcontract to perform work for the TPA or contracted service provider.
- The prohibition applies even if the terms of an agreement state that the ability to share data with a plan’s business associate is at the discretion of the TPA or service provider.
- Common PBM contract terms that violate the prohibition.
- limiting access to a minimum number of de-identified prescription drug claims;
- limiting the scope of access to the data to specific, narrow purposes (such as an audit);
- limiting the frequency of claims reviews;
- limiting the number and types of de-identified claims that a plan or issuer may access;
- restricting the data fields of a de-identified claim that a plan or issuer may access; and
- providing access to de-identified claims data only on the TPA’s or service provider’s physical premises.
The CAA mandates transparency — but PBMs continue to resist
The CAA’s mandates are clear: Plans and plan beneficiaries are entitled to information and data, as well as de-identified claims data, for purposes of transparency and ensuring that its service providers are adhering to the agreements and fiduciary duties. While service providers, TPAs, and subcontractors try to operate in the shadows, the CAA works to shine the light on the work performed.
But PBMs, service providers and TPAs continue to limit access to data and restrict the rights of Plans from conducting meaningful audits. Plans must demand compliance with the CAA and assert their right to obtain and analyze the data.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
