Compliance Corner | State PBM Laws and Audits: Things to Know and Next Steps

05.12.2025
Article  |  Originally published in Valent/True Network Newsletter

In recent years, many states, including Florida, have intensified their scrutiny of pharmacy benefit managers (“PBMs”). PBMs play a crucial role in managing prescription drug benefits for health plans; however, many critics have found the PBM state laws to be too far-reaching and in contravention of the U.S. Supreme Court’s ruling in Rutledge v. Pharmaceutical Care Mgmt Assoc. (2020), which initially allowed application of state laws to PBMs in certain circumstances while honoring the ERISA preemption doctrine—the doctrine that federal ERISA law preempts state law efforts to regulate the same subject. Given the magnified attention to PBMs lately, we have explored this topic in prior articles, which generally delved into the new transparency laws and PBM litigation. In the last few months, the Florida Office of Insurance Regulation (“FLOIR”) has brought PBM laws and preemption back into the spotlight with its somewhat stringent audit protocols aimed at increasing transparency and accountability within the pharmaceutical supply chain, a trend in state oversight of PBMs that may seem attractive to an increasing number of states.

Background

The FLOIR has long required PBMs operating within the state to adhere to comprehensive reporting requirements. This year, the FLOIR commenced biennial examinations of PBMs, focusing on compliance with specific PBM statutes. Most aspects of the audits do not raise as many concerns as the request by the FLOIR for the PBMs to disclose participant information, including the participants’ identity and health information. Despite the well-intentioned reasoning for the PBM audits, these efforts have sparked debates concerning their impact on employers, the potential preemption of state laws by federal law, and the privacy concerns related to the disclosure of participant information.

Preemption Concerns

As a first line of defense, ERISA preemption is, as expected, the center of discussion and a significant point of contention. ERISA includes a preemption clause that supersedes state laws relating to employee benefit plans subject to ERISA (generally self-insured employee benefit plans). Although the U.S. Supreme Court has previously permitted states to regulate insurance and PBMs, states cannot directly impose requirements upon self-insured employer plans. On one hand, the audit and disclosure requirements introduced by the FLOIR do not directly touch upon self-insured plans. On the other hand, the extent to which the FLOIR and the Florida statutes affect core aspects of self-insured plan administration, such as requiring detailed claims data and imposing compliance attestations, could be interpreted as encroaching upon areas generally protected by ERISA. This position is consistent with the letter written on behalf of The American Benefits Council (the “ABC Letter”) challenging the FLOIR regulation.

HIPAA Concerns

As noted above, the audits require PBMs to submit detailed claims data, which includes sensitive patient information. Naturally, this raises privacy concerns and imposes additional compliance burdens on employers who have to analyze the applicable law to determine whether to follow through with the disclosure. The FLOIR has previously attempted to address the privacy concerns in an Informational Memorandum issued on March 24, 2025 to all PBMs regarding the biennial examination. The FLOIR emphasized its belief that the request for potential protected health information (“PHI”) is permitted under the health oversight activities exception of HIPAA, and reiterated its request for data and information in an unredacted and unaltered format. However, many practitioners are of the opinion that the FLOIR request does not rise to the level of a permitted or mandatory disclosure of PHI under HIPAA. The ABC Letter is in agreement with this position. Similarly, a proposed federal bill targeting PBM transparency explicitly noted that any disclosure “shall not include any information that would identify a patient or a provider that issued a prescription.” In addition, even if the FLOIR had a compelling argument for why this information is requested, the “minimum necessary” standard under HIPAA is unlikely to be satisfied. Employers and third-party administrators are understandably wary of potential federal law violations and are stuck between a rock and a hard place attempting to comply with two (potentially conflicting) laws.

Next Steps

While these measures by the FLOIR are designed to protect consumers and promote fair practices, the complexity of compliance for employers and third-party administrators necessitates the consideration of various factors, such as data privacy and contractual obligations. At this time, it is unclear how many PBMs and employers have complied with the disclosure requirements. Seeking legal advice to navigate the complex interplay between state and federal regulations is recommended. In particular, an employer should review the current terms of its PBM contract to pinpoint the employer’s and the PBM’s obligations with respect to state law compliance and HIPAA disclosures. The findings of the audits are yet to be made public. Nevertheless, such findings are expected to potentially affect the contractual relationships between employers and PBMs. Any discrepancies could lead to renegotiations of terms and legal disputes.

Conclusion

The inclusion of PHI in the audit process by the FLOIR has raised alarms among employers. The federal HIPAA concerns add another layer of complexity to an already challenging topic of state PBM laws. Legal experts have largely highlighted the tension between state and federal authority on this topic and echoed the concerns voiced in the ABC Letter. As this tension is yet to be formally resolved, employers should remain vigilant about their next steps.

About Maynard Nexsen

Maynard Nexsen is a full-service law firm of nearly 600 attorneys in 31 locations from coast to coast across the United States. Maynard Nexsen was formed in 2023 when two successful, client-centered firms combined to create a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.
