New PBM Transparency Rules & HIPAA Updates: What Employers Need to Know
The Consolidated Appropriations Act of 2026 and new HHS guidance are reshaping how employers manage prescription benefits and protect sensitive health data. Here's what's changing — and what you need to do now.
New Federal Transparency Requirements for PBMs
On Feb. 3, 2026, the Consolidated Appropriations Act (CAA) of 2026 was signed into law, introducing significant reforms for the pharmaceutical benefit manager (PBM) industry.
PBMs play a key role in administering prescription drug benefits — processing claims, managing pharmacy networks, and negotiating rebates with drug manufacturers. However, the industry has faced increasing scrutiny due to concerns around transparency and pricing practices.
What's Changing
New disclosure requirements take effect for plan years beginning on or after August 3, 2028.
PBMs will now be required to:
- Provide detailed prescription drug spending data to health plans at least twice per year (or quarterly upon request)
- Supply summary reports that can be shared with plan participants upon request
- Pass through 100% of rebates, fees, and discounts to health plans and issuers
Additionally, health plans must:
- Provide participants with an annual notice explaining that PBMs are required to submit prescription drug spending reports
Why It Matters for Employers
These changes are designed to increase transparency and ensure employers and plan sponsors have a clearer understanding of prescription drug costs.
Employers should begin preparing for:
- Greater visibility into drug pricing structures
- Increased communication responsibilities with employees
- Potential contract updates with PBM vendors
HHS Updates Model HIPAA Privacy Notices for Part 2 Records
On Feb. 13, 2026, the U.S. Department of Health and Human Services (HHS) released updated model Notices of Privacy Practices under HIPAA. These updates apply to organizations that handle substance use disorder (SUD) treatment records — also known as "Part 2 records."
What Are Part 2 Records?
Part 2 is a federal law that protects the confidentiality of records related to individuals receiving treatment for substance use disorders. A final rule issued in April 2024 requires covered entities to update their HIPAA privacy notices if they receive or maintain these records.
What Employers Need to Do
- Review whether their health plan handles Part 2 records
- Update HIPAA Privacy Notices to reflect new requirements
- Ensure notices clearly explain:
  - How Part 2 records may be used and disclosed
  - The organization's responsibilities
  - Individuals' privacy rights
Who This Applies To
- Employers with self-insured health plans
- Employers with fully insured plans that access protected health information
Organizations using HHS model notices should ensure they are properly customized with their own plan details.
⚡ Key Takeaways for Employers
- New PBM regulations will significantly increase transparency and reporting requirements
- Employers will need to communicate more clearly with plan participants about drug spending
- Updated HIPAA privacy rules require immediate attention if Part 2 records are involved
- Ongoing regulatory changes suggest continued oversight and compliance expectations
Conclusion
As benefits regulations continue to evolve, employers should stay proactive in reviewing their health plan compliance strategies. Understanding these updates now can help organizations avoid risk, improve transparency, and better support their employees.
This Benefits Buzz is for informational purposes only and is not intended to be exhaustive nor should it be construed as professional advice. © 2026 Zywave, Inc. All rights reserved.