Most employers negotiate their PBM contract blind. No benchmark. No reference point. Just whatever the PBM puts in front of them, usually positioned as ‘standard language.’
PBMs work hard to keep it that way. It’s one thing to protect pricing. But it’s another to make your contract unshareable and uncomparable.
In contrast, government contracts are public documents. Cities, counties, school districts: their PBM agreements are subject to open records requests.
After reviewing dozens of government PBM contracts, patterns emerge that apply to every employer. Including this one: Even PBMs that claim to be transparent often have data and audit provisions preventing you from verifying your contract terms.
This week: what pooled contract data reveals, why custody matters as much as visibility, and a concept every fiduciary needs to understand:
Data Sovereignty.
The Confidentiality Problem
PBMs don’t just want to protect pricing. They want to prevent comparison.
Standard PBM confidentiality provisions often prohibit sharing contract terms with other employers, restrict disclosure to advisors with PBM-approved NDAs, and classify the entire agreement as confidential.
The effect: employers can’t compare notes. They can’t learn what peers negotiated. They can’t discover the ‘standard’ clause they signed isn’t standard at all.
This isn’t about protecting PBM trade secrets. It’s about preserving PBM information asymmetry.
The Government Contract Exception
Government employers don’t have the NDA problem (at least not to the same degree). Government contracts are public records, and copies are available for examination.
Of course PBMs still try to block disclosure, claiming proprietary pricing, trade secrets, competitive harm. Some redactions are legitimate. Many are overly broad. But the contract structure, the provision language, the rights and restrictions? Those are visible.
That’s the dataset we’ve been building.
But It’s Still Not A Panacea
Here’s what we’re also finding: many government employers don’t have custody of their own contracts.
The pattern looks like this: A city or school district signs a ‘joinder agreement’ that piggybacks on a larger purchasing cooperative. The contract document references a Master Service Agreement that governs many of the important terms: data access, audit rights, termination provisions.
The problem? The government entity often hasn’t seen the MSA. They don’t know what rights or restrictions apply to them. They signed a document that points to another document they’ve never reviewed.
When the governing terms live in a referenced MSA held by a purchasing cooperative, the government employer has signed a contract without knowing what it says. That’s not delegation. It’s abdication.
A contract you haven’t read can’t protect you, even if it’s technically a public record. We’ll address the solution in next week’s issue. For now, the point is this:
Visibility isn’t enough. Custody matters. You can’t exercise rights you don’t know you have.
What We’re Finding
After reviewing dozens of city, county, and school district PBM contracts, here’s what we’re finding that generalizes to all employers:
Audit restrictions vary wildly, and aren’t driven by employer size. Some contracts give the plan sponsor full discretion over auditor selection. Others restrict selection to a PBM-approved list or require ‘mutual agreement.’ Both are presented as standard. Only one protects the fiduciary. The restriction isn’t market-driven. It’s leverage-driven. If a school district with 3,000 lives can negotiate unrestricted audit rights, so can you.
Termination clauses reveal significant exit penalties. Clean exit with 60-day notice and earned rebates paid through termination? Or 180-day notice with rebate forfeiture for early exit? Both provisions exist in the same PBM’s contracts with different government employers. The penalty you accepted may not exist in the contract your peer signed.
Carve-out rights exist on paper but are neutralized by penalty clauses. Some contracts include explicit carve-out rights: the ability to use an outside vendor for specialty, clinical programs. But a separate clause triggers pricing adjustments or rebate forfeiture for ‘changes to plan design.’ A right that triggers a penalty isn’t a right. It’s a deterrent with a label.
Fiduciary language is often absent, or actively disclaimed. Some contracts acknowledge the plan sponsor’s fiduciary duties and commit to support them. Others are silent. Others explicitly disclaim fiduciary status with no corresponding commitment. The PBM’s willingness to acknowledge your fiduciary role is itself a signal.
[Image: Two Peers Comparing Contracts]
Introducing Data Sovereignty
One pattern deserves its own frame: Data Sovereignty.
Data sovereignty means the plan sponsor has genuine control over their data. Not just nominal ownership, but the access and audit rights required to exercise fiduciary oversight. Here’s what we’re finding:
Ownership language varies from explicit protection to quiet extraction.
Some contracts state claims data is ‘sole property of Plan Sponsor.’ Others classify de-identified data as PBM Confidential Information: an ownership assertion buried in a definition section. Same PBM. Different employers. Different terms.
Even transparent PBMs often restrict data access and audit rights.
This is the surprise. PBMs that market themselves as transparent, with pass-through pricing and 100% rebate pass-through, sometimes have the most restrictive data and audit provisions. Transparency on pricing doesn’t mean transparency on oversight.
A fiduciary who can’t access their own data can’t verify the pricing they’re being charged. A fiduciary who can’t choose their own auditor can’t exercise independent oversight. A fiduciary who can’t share findings with their board has transparency without accountability.
Data sovereignty isn’t about disclosure. It’s about control.
The question isn’t whether the PBM will show you a report. It’s whether you can: access raw claims data without restriction; choose your own auditor without PBM approval; share audit findings without PBM consent; port your data to a new vendor at termination without penalty.
When contracts fail these tests, the plan sponsor may have visibility but not sovereignty. They can see what the PBM chooses to show them. They can’t verify it independently.
Dave Chase, founder of Health Rosetta and one of the most influential voices in employer health plan reform, puts it bluntly:
“The best indicator of whether a plan performs well is whether it offers the employer complete access to its claims data, which actually is required by law.”
Required by law. And yet contract after contract restricts it, conditions it, or buries it in definitions that make “access” meaningless in practice.
That’s why data sovereignty matters. It’s not enough to have nominal ownership. The question is whether your contract gives you the access, audit rights, and portability required to actually exercise fiduciary oversight.
Why This Matters Now: CAA 2026
The Consolidated Appropriations Act requires plan sponsors to document that they’ve evaluated service provider compensation for reasonableness.
You can’t evaluate what you can’t access. You can’t document what you can’t verify.
Data sovereignty isn’t a nice-to-have. It’s a compliance prerequisite. Contracts that restrict data access and audit rights don’t just create fiduciary risk. They create documentation gaps that CAA 2026 makes harder to defend.
Why PBMs Resist This
Opacity is a feature, not a bug.
When employers can’t compare, PBMs can present extractive terms as standard, negotiate different terms based on employer sophistication rather than merit, and avoid the competition that transparency would create.
The pattern: employers who compare notes get better terms. PBMs who compete on contract quality attract them. The market tilts toward alignment, but only when visibility exists.
The Benchmark Is Forming
Every contract we review contributes to a benchmark that didn’t exist before.
Not just provision-by-provision ratings, but patterns: Which provisions vary by employer type? Which PBMs sign fiduciary-aligned terms? Where does ‘standard’ actually mean ‘extractive’?
Government contracts gave us the starting point. Employer submissions are building the rest.
What to Do First Thing Monday
1. Confirm you have custody of your contract. Not just the joinder or amendment: the governing MSA. If you can’t produce it, you have a custody gap before you have a contract gap.
2. Read your confidentiality provision. Does it prohibit sharing the contract with peers? With advisors? Does it classify the entire agreement as confidential, or just pricing?
3. Read your data ownership and audit provisions. Can you access raw claims data? Choose your own auditor? Share findings without PBM consent? If not, you have a data sovereignty gap.
4. Submit your contract for scoring. Email support@nautilushealth.org. Your contract contributes to the benchmark and you receive a confidential analysis in return.
In Closing
PBMs don’t just protect pricing. They prevent comparison.
Government contracts are public. But many government employers have signed contracts without ever seeing the governing MSA. Visibility without custody is a different kind of opacity.
And here’s the pattern that should concern every fiduciary: even PBMs that claim to be transparent often have data and audit provisions that prevent you from verifying their claims.
Transparency without data sovereignty is disclosure without accountability.
You can’t negotiate what you can’t compare. You can’t exercise rights you don’t know you have. Now you can see both problems, and start fixing them.
Here’s to clearer thinking, stronger plans, and better outcomes for the people who rely on us.
All the best,
P.S. Next week: Data sovereignty in depth. Who owns your claims data? What does ‘access’ actually mean when the contract defines it? Why joinder agreements and referenced MSAs create hidden custody gaps. And how ‘Data Sovereignty Gold’ contract standards would close them.
A Note of Appreciation
Dave Chase
Dave Chase is the co-founder of Health Rosetta and Nautilus Health Institute, a 501(c)(3) nonprofit. Dave has been a long-time advocate for health plan sovereignty. His insights into the correlation between plan data and performance have been the underlying driver behind Nautilus open source standards, model contracts, and data platforms.
Don’t be a bystander. Change the status quo and reap the benefits of The Health Plan Compliance Advantage. Schedule an introductory call with us.