Stephanie Raborn, JD
McGriff Employee Benefits Compliance Team
If your organization sponsors a group health plan, understanding the CAA reporting requirements is essential. This includes RX reporting obligations related to prescription drug and healthcare spending under the Consolidated Appropriations Act (CAA). Staying informed about these rules can help you meet deadlines and avoid penalties.
Prescription drug and healthcare spending reporting comes from a healthcare transparency provision in the CAA, specifically Section 204. This section requires group health plans and insurers to submit general information about the plan or coverage. You’ll also need to report details about prescription drug spending, total healthcare costs, and how any rebates, fees, or other payments affect premiums and out-of-pocket expenses.
In 2021, the Departments of Labor, Health and Human Services, and Treasury (the Agencies) issued a temporary rule to implement these CAA reporting requirements. According to the Centers for Medicare and Medicaid Services (CMS), who have since provided guidance, this includes who must report, how to submit data, and examples of required information. While insurers and third-party administrators (TPAs) often provide much of the data, your organization is ultimately responsible for making sure the reports are submitted. Each year by June 1, group health plan sponsors must submit or ensure submission of an “RxDC” report to CMS covering the prior year’s data.
Who must comply with CAA reporting requirements
According to the Agencies, third parties like TPAs, Pharmacy Benefit Managers (PBMs), and insurers are expected to provide much of the information. However, your organization is ultimately responsible for compliance. This applies to all group health plans, including small groups, grandfathered plans, and fully insured plans.
As found in the interim final rule, the term “reporting entity” is defined broadly, meaning any party submitting information on your behalf. You should talk with your insurers, TPAs, and other service providers to decide who will prepare and submit the reports. It’s a good idea to document these agreements in writing.
What information is required for RX reporting
You’ll need to submit several categories of information, including:
- General identifying details such as Federal Employer Identification Number (FEIN), plan year dates, number of covered lives, and states where coverage is offered
- Healthcare spending broken down by type, including hospital costs, primary and specialty care, clinical services, prescription drugs, and other medical expenses
- Average monthly premiums paid by employers on behalf of participants, as well as premiums paid by participants, beneficiaries, and enrollees
- Two “top 50” drug lists: one showing the most frequently dispensed drug brands by total annual spend, and another showing the 50 drugs with the greatest increase in plan spending over the year
- Prescription drug rebates, fees, and other payments from drug manufacturers to the plan, issuer, or administrators, along with how these affect drug costs under the plan
- A “top 25” drug list showing prescription drugs with the highest rebate amounts
This data must be submitted through the CMS Health Insurance Oversight System (HIOS). CMS updates reporting instructions and help desk contacts annually to support CAA prescription drug reporting.
Compliance considerations for plan sponsors
Coordinate with your service providers
Most group health plans won’t have all the necessary data on their own. You’ll need to work closely with your insurers, TPAs, PBMs, and other partners to gather and submit the required information. If you’re changing or adding vendors, make sure reporting responsibilities are clear well before deadlines.
Fully insured plans
If your plan is fully insured, confirm who will submit the data through the CMS HIOS portal. Usually, insurers handle this, but you should verify whether they will submit all or part of the data for you. Even when insurers submit reports, they often need additional information from you, such as employer versus member premium amounts. Watch for insurer requests and deadlines.
Fully insured plans can shift liability to insurers if there’s a written agreement stating the insurer will provide the required information. However, a simple email may not be enough to protect you from liability if the insurer fails to report. A signed agreement is preferred, though sometimes mass communications are the only confirmation available. Clarification from the Agencies on this would be helpful.
Self-funded plans
If your plan is self-funded, you can enter agreements with vendors to help with reporting, but you remain responsible for compliance. Because data may come from multiple sources, you’ll need to identify who holds what information. For example, you might have premium data, while your TPA or PBM has prescription drug and healthcare spending details.
If your prescription benefits are carved out, you may need to coordinate reporting with multiple vendors. Sometimes, a simple email exchange can clarify who has the data you need.
Deciding who will submit reports
Your plan can meet its reporting obligations by having multiple entities submit data on its behalf. Many vendors offer options to either submit reports for you or provide the data so you can submit it yourself. Keep track of who is reporting what to avoid duplicate submissions.
Make sure to get contractual commitments from any vendor submitting reports for your plan. Some vendors may be reluctant to accept liability for noncompliance.
Changing vendors
If you changed insurers, TPAs, or PBMs during the reporting year, check with your previous providers—ideally before the transition—about their role in reporting. They may file reports on your behalf or provide data so you can complete the reporting.
Penalties for noncompliance with CAA reporting
The regulations don’t specify penalties for noncompliance, but the IRS could impose an excise tax of up to $100 per day per affected individual. The Department of Labor enforces compliance for ERISA plans, and the Department of Health and Human Services oversees non-ERISA plans. Simply paying a fine won’t excuse failure to comply.
What this means for you
While MMA can assist you in understanding these requirements and coordinating with your service providers, ultimate responsibility for compliance rests with your organization. Because multiple entities may be involved, it’s important to communicate clearly and coordinate efforts. Familiarize yourself with the law and guidance, and work closely with your partners to meet your reporting obligations.
