By Jude Odu

April 24, 2026

On February 3, 2026, the Consolidated Appropriations Act of 2026 was signed into law. One section of that law quietly rewrote the rules for how your pharmacy benefit manager must treat your plan’s money. Most plan sponsors still haven’t fully acted on it. That gap is a liability.

The Department of Labor ordered a health plan administrator to restore more than $1.3 million to health plan participants as recently as April 29, 2026. ERISA class action lawsuits targeting plan sponsors and their vendors are accelerating. Jones Day published a detailed analysis just this month describing rising scrutiny of employer health plan administration across fiduciary litigation, federal transparency initiatives, and state enforcement. The pattern is clear: plan sponsors who cannot demonstrate active oversight of their PBM and other vendors are exposed.

Here is what changed, and what you need to do about it.

What the CAA 2026 Actually Requires of PBMs

The CAA 2026 clarifies that PBMs serving ERISA-covered group health plans are covered service providers under ERISA Section 408(b)(2). That classification carries specific obligations.

Your PBM must now disclose all direct and indirect compensation. It must pass through 100% of rebates and other remuneration, including amounts collected through rebate aggregators and group purchasing organizations, directly to your plan. It must provide semiannual reports with detailed drug pricing, spread pricing, rebate data, and total compensation figures. Your plan also has formal audit rights, including the right to select your own auditor, not one approved or paid by the PBM.

The semiannual reporting and disclosure obligations are active now. The rebate pass-through and audit provisions apply to contracts entered into or renewed for plan years beginning August 3, 2028, giving you a window to renegotiate, but your monitoring obligations start immediately.

Why the Stakes Are Higher Than Most Plan Sponsors Realize

ERISA fiduciary standards do not require you to make the perfect decision. They require you to follow a prudent process, document it, and act in your plan participants’ sole interest. What the CAA 2026 changed is the floor of what prudent process now means when it comes to PBM oversight.

If your PBM fails to remit rebates and you cannot show that you took steps to compel compliance, you carry the liability. The law includes an innocent fiduciary exception, but it requires you to have documented your oversight, made written demand on the PBM within 90 days of discovering a failure, and notified the DOL if the PBM still did not comply. None of that happens without a process already in place.

The penalties for noncompliance are steep. Up to $10,000 per day for late reporting violations. Up to $100,000 for knowingly filing false information. And those are just the regulatory penalties, before potential litigation.

My book Model Optimal Care: End U.S. Healthcare Waste, Starting with Self-Insured Health Plans, documents exactly this problem. America spent $5.6 trillion on healthcare in 2025. Up to $1.6 trillion of that was waste. A significant portion of that waste runs through opaque vendor arrangements that most plan sponsors never examine closely. The CAA 2026 removes the excuse for not examining them.

Five Actions to Take Before Your Next Plan Year Renewal

1. Request full disclosure from your PBM today. Send a formal written request for all direct and indirect compensation, spread pricing data, rebates collected, and remuneration from any related parties including rebate aggregators. Do this in writing. Date it. Keep a copy. If your PBM refuses or delays, that refusal is itself a data point you need to document.
2. Audit your current PBM contract against CAA 2026 requirements. Pull the contract and compare it line by line against the new disclosure and pass-through requirements. If your contract predates February 2026, it may not contain the required provisions. Your next renewal is the leverage point to demand compliant contract language. Use it.
3. Establish a formal PBM monitoring process. Prudent oversight means regular, documented review, not just an annual glance at a summary report. Set a calendar for semiannual review of the reports your PBM is now required to produce. Assign a responsible fiduciary. Record the findings and any actions taken. This documentation is your legal defense if claims arise.
4. Plan your independent audit. The CAA 2026 gives your plan the right to audit rebate data at least once per plan year, using an auditor your fiduciary selects. That auditor cannot be paid by the PBM, directly or indirectly. If you have not identified an independent auditor, start that process now. Many employers discover material discrepancies in rebate calculations only when an independent party runs the numbers.
5. Benchmark total PBM compensation against market. Knowing what your PBM is paid, in total, across all compensation streams, lets you evaluate whether that compensation is reasonable. ERISA requires you to make that evaluation. It does not have to result in a PBM change, but it has to happen and be documented. The Purchaser Business Group on Health reports that 41% of large employers are either changing PBMs or issuing an RFP in 2026. Many of them are doing this precisely because full compensation disclosure has revealed arrangements they were not willing to continue once they could see them clearly.

The Broader Fiduciary Picture in 2026

The PBM rules are one part of a broader tightening. Courts are expanding who qualifies as a fiduciary based on function, not just contract title. The Sixth Circuit’s decision in Tiara Yachts, LLC v. Blue Cross Blue Shield of Michigan established that functional fiduciary conduct determines liability, not how an agreement characterizes the relationship. State attorneys general from more than a dozen states sent letters to Fortune 500 companies in late 2025 flagging that ERISA health plan lawsuits are surging and employers need to evaluate their vendors.

Brokers are now named defendants in a new wave of class action filings. TPAs face renewed scrutiny. The ERISA Advisory Council has recommended extending fiduciary responsibility to parties making clinical coverage determinations. The direction is consistent: every entity that touches your plan’s money or makes decisions that affect it faces higher accountability expectations, and so do you as the plan sponsor.

That accountability is not a burden. It is protection, if you have the processes to back it up.

What Plan Sponsors Should Do Right Now

The mid-year point is the right time to assess where you stand. Your plan year may be calendar year or otherwise, but most vendor reviews and renewals concentrate in the second half of the year. The planning work happens now.

Start with a written inventory of every service provider touching your health plan. Document what each is paid, in total. Identify which disclosures you have received and which you have not. Then close the gaps before you are in a position where someone else closes them for you.

If you want a structured framework for this, Model Optimal Care lays out a blueprint built around five principles: Transparency, Accountability, Integration, Engagement, and Technology Enablement. The PBM compliance work required by CAA 2026 fits directly into the Transparency and Accountability pillars. The book is available now in print, digital, and audiobook formats on Amazon and wherever books are sold.

The litigation wave is here. Your window to get ahead of it is narrowing. Put the documentation in place before you need it as a defense.