CAA 2026 Compliance Starts Now, Not in Three Years
Executive Brief
“It Doesn’t Kick In Until 2029.”
That’s the most misconstrued deadline in employer benefits right now.
Yes, the CAA 2026’s rebate pass-through and reporting requirements take effect for plan years beginning on or after August 3, 2028 (January 1, 2029 for calendar-year plans). But that headline obscures three realities that make 2026 the year to act:
First, the “covered service provider” clarification has no effective date. Legal experts say it’s effective now. Almost any entity serving health plans, extending beyond brokers and consultants as enumerated in CAA 2021, must disclose all direct and indirect compensation to ERISA plans today.
Second, PBM contracts typically run three years. A contract signed in 2026 or 2027 will still be in force when compliance becomes mandatory. If that contract permits spread pricing, restricts audits, or allows rebate retention, you’ll face a prohibited transaction problem the moment the law kicks in.
Third, the DOL’s proposed rule (if finalized as written) takes effect July 1, 2026. That’s this year.
The math is straightforward: waiting until 2028 to negotiate compliant terms means renegotiating under pressure. Building those terms into your next contract means leading from a position of strength.
Three Timelines, One Conclusion
The confusion stems from conflating different provisions with different effective dates. Here’s what’s actually happening:
Effective Now (February 3, 2026)
The CAA 2026 “clarifies” covered service providers under ERISA Section 408(b)(2) and requires them to disclose all direct and indirect compensation.
The law firm of Ogletree Deakins notes: “The inclusion of PBMs as covered service providers appears to be effective immediately.”
Translation: If your PBM or other service provider has yet to provide a comprehensive compensation disclosure, you should be asking for one now.
Covered Service Providers
2. Effective 2026/2027 (DOL Proposed Rule)
The DOL’s proposed rule on PBM fee transparency would apply to plan years beginning on or after July 1, 2026 (January 1, 2027 for calendar-year plans). The comment period closes April 15, 2026.
This rule requires PBMs to disclose compensation, spread pricing, rebate retention, and manufacturer payments to ERISA self-funded plans. It also permits (but leaves optional) annual audits.
Translation: If finalized, this rule creates disclosure obligations before the main CAA 2026 provisions even kick in.
3. Effective 2028/2029 (CAA 2026 Core Provisions)
The headline requirements take effect for plan years beginning on or after August 3, 2028 (January 1, 2029 for calendar-year plans):
• 100% rebate pass-through (mandatory)
• Semi-annual reporting to large employers (100+ employees)
• Audit rights with plan-selected auditor
• $10,000/day penalties for non-compliance
Critical detail: These requirements apply to contracts “entered into, renewed, or extended” for those plan years. A three-year contract signed in 2026 runs through 2029. If it falls short of CAA 2026 standards, you’ll need to renegotiate or face a prohibited transaction.
The Contract Cycle Problem
Most PBM contracts run three years, creating a timing trap employers haven’t fully absorbed.
Scenario A: You renew your PBM contract in 2026 with traditional terms (spread pricing permitted, rebate retention allowed, audit restrictions in place). That contract runs through 2029. When CAA 2026 provisions take effect January 1, 2029, your contract violates the new requirements. You either renegotiate mid-contract (from a weak position) or continue operating under an arrangement that constitutes a prohibited transaction.
Scenario B: You negotiate CAA 2026-compliant terms into your 2026 renewal. The contract runs through 2029. When the law takes effect, you’re already compliant. No renegotiation needed. No prohibited transaction risk.
The difference isn’t legal interpretation. It’s contract timing.
As the National Law Review put it: “Employers will benefit from early review of their PBM contracts as the CAA requirements prohibit the renewal of contracts that do not meet the requirements.”
The law firm of Morgan Lewis is more specific: “Plan sponsors currently negotiating PBM agreements, which generally are effective for a term of three years, should consider incorporating required reporting language, full rebate pass-through provisions, audit rights, and reconciliation mechanisms in agreements.”
What Non-Compliance Looks Like
The CAA 2026 creates more than new requirements. It creates new consequences.
Prohibited Transaction Exposure: A PBM contract failing to meet the rebate pass-through requirements is “unreasonable” under ERISA Section 408(b)(2). The prohibited transaction exemption falls away. Both the PBM and the plan sponsor face liability.
Civil Penalties: PBMs that fail to provide required information face penalties of $10,000 per day. Knowingly providing false information carries penalties up to $100,000.
Fiduciary Liability: The CAA 2026’s penalties apply to PBMs. But ERISA fiduciary duties apply to plan sponsors. A fiduciary who fails to monitor PBM compensation or reporting could face civil lawsuits for failing to prudently manage plan vendors.
The “innocent fiduciary” exception provides some protection: if you didn’t know the PBM failed to comply and reasonably believed they did, you’re protected if you act promptly upon discovering the failure. The exception requires active monitoring, not passive assumption.
The Contract X-Ray: Finding Non-Compliance Before 2029
You can’t fix what you can’t see. That’s why Nautilus built the Contract X-Ray.
The analysis reviews your existing PBM contract against provisions essential for fiduciary compliance and CAA 2026 readiness, organized into six categories:
Six Review Categories
For each provision, you see where your contract meets fiduciary standards, where it falls short, and specific language recommendations for addressing deficiencies.
What to Do First Thing Monday
1. Pull your current PBM contract and check the term. When does it expire? If it runs through 2028 or 2029, you’re negotiating within the CAA 2026 compliance window. If it expires in 2026 or 2027, your next contract will be in force when the law takes effect.
2. Request a compensation disclosure from your PBM. The “covered service provider” clarification appears to be effective immediately. Ask your PBM to provide a complete disclosure of all direct and indirect compensation. Document the request and the response.
3. Run a Contract X-Ray analysis. Submit your current PBM contract to support@nautilushealth.org for a confidential review. Identify which CAA 2026 requirements your contract already meets and which create compliance gaps.
4. Brief your fiduciary committee on the timeline. The “we have until 2029” assumption is creating false comfort. Share this analysis with your committee and document the discussion. A committee decision to evaluate CAA 2026 readiness is a fiduciary action worth recording.
In Closing
The 2029 effective date is real. But it’s not a reason to wait. It’s a reason to prepare.
Every contract you sign between now and then will be measured against CAA 2026 standards. Every renewal will be an opportunity to lead or an obligation to remediate. The difference is whether you act now and reap the benefits of necessary protections or react later and negotiate from a weaker positikon.
Here’s to clearer thinking, stronger plans, and better outcomes for the people who rely on us.
All the best,
P.S. The DOL comment period has been extended to April 15. If you’ve struggled to get compensation disclosures from your PBM, your experience is exactly what the Department wants to hear about. Your comment could shape the final rule.
Subscribe & Share
🔗 Subscribe: Was this newsletter forwarded to you? Signup to receive The Health Plan Compliance Advantage every Monday.
📤 Share: Forward this issue to your benefits advisor and ERISA counsel. The effective date question has legal implications worth discussing.
💸 SPECIAL OFFER: Newsletter subscribers receive 10% off any Validation Institute service. Use code FIDUCIARY10 at checkout.
────────────────────────────────────────
A Note of Appreciation
Alden Bianchi
Alden Bianchi is an Employee Benefits and Executive Compensation lawyer. He has advised corporate, not-for-profit, governmental, and individual clients on executive compensation and employee benefits issues. After four decades of law firm practice, Alden recently joined his long-time client SBMA, a subsidiary of Acrisure.
Don’t be a bystander. Change the status quo and reap the benefits of The Health Plan Compliance Advantage. Schedule an introductory call with us.
