
Your Claims Data Is Legally Yours. Most Employers Still Don't Act Like It.

Benefits Brief - News Team
Published June 15, 2026

Kaitlyn Boughton, Co-Founder of Glass River Analytics, shares why proactive documentation discipline serves as an employer's best fiduciary defense against vendor friction and rising compliance risks.



The regulatory landscape around employer data access has moved significantly in a short period. The Consolidated Appropriations Act of 2026 now requires mandatory PBM reporting, 100% rebate pass-through, annual audit rights, and participant claims data access. The gag clause prohibition, in effect since 2022, already prevents vendors from contractually restricting employers' ability to access or share their own data. State-level laws add further protections. Despite that legal framework, many plan sponsors, benefits directors, and brokers still treat claims data as something they're allowed to see occasionally rather than something they own and should be auditing regularly. That posture leaves recoverable dollars, compliance exposure, and fiduciary risk on the table.

Kaitlyn Boughton is a Registered Nurse and the Co-Founder of Glass River Analytics, a healthcare data auditing firm she's building to help self-insured employers benchmark and audit their PBM and TPA contracts against federal pricing standards. She has more than a decade of clinical experience and is currently completing her nurse anesthesia degree. That clinical background is what led her to the data side of healthcare. After years of watching patients struggle with the climbing cost of care, she began investigating the structures that make affordability a systemic problem rather than an individual one.

"You can provide the best clinical care in the world, but if your patients can't afford it, then there's no point," she says. The connection between clinical care and cost transparency is what drives her approach. Employers who can't see their own data can't fully protect the people covered by their plans.

The legal rights are broader than most employers realize

The CAA 2026 is the strongest federal data-access framework self-insured employers have ever had. It establishes that claims data, rebate documentation, pricing performance, and formulary reporting belong to the plan sponsor. "The CAA basically abolishes the idea that information is proprietary to the PBM," Boughton explains. The gag clause prohibition reinforces that position by preventing vendors from inserting contract language that restricts an employer's ability to access, use, or share their own plan data. Taken together, the federal framework gives employers the standing to request full claims data, audit vendor contracts, and benchmark pricing against external standards.

The practical reality has not caught up. Though the CAA was confirmed in January 2026, with a comment period that closed in March, some legal challenges are still playing out. "It's an evolving landscape because the CAA is being challenged by quite a few PBMs in court right now," Boughton says. That uncertainty gives some employers a reason to wait to press vendors for their data, but she argues that waiting creates its own risk.

Confusion by design

The gap between legal rights and practical access is not accidental. Boughton sees vendor contracts structured to make data access as inconvenient as possible for the employer, even when the law says the data belongs to them. "It is absolutely confusing by design. They're trying to tack on an administrative fee here, or charging for looking over your bill there, versus spread pricing over everyone."

The contract tactics she has encountered include limiting the number of times an employer can audit their claims data per year, requiring data requests to be submitted by physical mail rather than electronically, and restricting data access to a single named representative within the company, which creates a bottleneck that can break entirely when that person leaves. Each of those provisions is technically legal as a contract term, but functionally, they undermine the access rights the employer already has under federal law.

The vertical integration of PBMs, pharmacies, and some TPAs creates an additional layer of conflict. Boughton has found cases where a vendor presents itself as an independent audit or compliance partner, but is funded by or was started by the PBM being audited. "The conflict of interest is often buried. It appears to be a different group, but when you dig a little deeper, you'll find that they're being funded by or were started by the PBM themselves," she reveals.

What an audit actually looks for

Glass River Analytics' audit approach covers the full vendor contract as well as the data underneath it. The benchmarking layer compares pricing against three external standards: the National Average Drug Acquisition Cost (NADAC) published by CMS, Medicare Part B and D pricing, and Mark Cuban Cost Plus Drug Company pricing. "What we're trying to do is create a benchmark. This is what the information is, good, bad, or indifferent," Boughton says.

The outputs, she notes, serve multiple purposes. An audit can surface discrepancies between what the vendor contracted to deliver and what the data shows they actually delivered. It can inform the next round of contract negotiations or a competitive bid process. And it can create a documented record that the employer exercised its fiduciary duty to monitor vendor performance, which matters increasingly as ERISA-related benefits litigation grows. "We're currently working with ERISA counsel to make sure anything we hand over to the client will be able to stand up in court, because we are finding that these cases are going to court quite often."

The compliance dimension adds another layer of urgency. Non-compliance penalties under the current framework can reach $10,000 per day per violation, which means employers who have not taken steps to verify their own compliance exposure are carrying risk they may not have quantified.

Proactive documentation is the best protection

Boughton's advice to plan sponsors and benefits directors draws directly from her nursing training, where documentation discipline is taught as a core survival skill. "Being proactive and making sure you're taking the steps to prevent something bad from happening is much better than reacting to the bad thing happening," she asserts. "If you're taking the steps to try to be transparent and take care of your employees first, you're always going to be set up in a better light."

The parallel to clinical documentation is precise. In nursing, if it's not documented, it didn't happen. In benefits administration, if the employer can't show they requested their data, audited their vendors, benchmarked their pricing, and acted on what they found, the fiduciary defense weakens regardless of intent. "Document, document, document. If you document it, that means it's been acknowledged and that you've understood what is happening. Even if the documentation isn't exactly perfect, the attempt says more than the lack of an attempt or a lack of documentation itself."