New Maine Law Gives Employers Leverage when Negotiating Audit Rights

Introduction

Maine’s new Act to Improve Accountability and Understanding of Data in Insurance Transactions (the “Audit Act” or “Act”) prohibits Maine-licensed third party administrators (“TPAs”) and pharmacy benefit managers (“PBMs”) from restricting the ability of employers that sponsor self-insured group health plans to access data necessary to complete a full audit of claims. In addition, the Act permits employers to conduct pre-payment audits of high-cost medical claims and collect information regarding amounts paid by PBMs to a pharmacy on behalf of the employer’s plan. The Act, which is effective for services agreements entered into, amended, or renewed on or after January 1, 2026, follows similar legislation in Indiana and joins a series of state laws targeting the activities of PBMs and, to a lesser degree, TPAs throughout the country.

Background

Several states have recently enacted legislation targeting anti-competitive behaviors of PBMs and TPAs. By and large this legislation restricts PBM conduct only, including legislation effective in 2026 prohibiting financial incentives to use PBM-owned pharmacies (Illinois), prohibiting unfair exclusion of pharmacies from the PBMs’ networks (Iowa), restricting PBMs from charging health plans higher prices for prescription drugs than what they pay to pharmacies, known as “spread pricing” (Illinois, California, and Maine [applies to PBMs and carriers]), and banning PBMs from owning pharmacies (Arkansas). Indiana remains at the forefront of TPA regulation, however, by requiring (through Indiana Insurance Department bulletins issued in July 2025) that TPAs and PBMs annually report any entity owning or controlling 5% or more of their business. These bulletins follow Indiana legislation, effective June 30, 2024, that removes onerous restrictions on an employer’s/plan sponsor’s ability to audit claims, IC 27-2-25.5-4.

Conducting group health plan audits provides several benefits to plan sponsors, such as ensuring that TPAs and PBMs are satisfying their contract terms, including financial performance guarantees, and identifying and recouping amounts that the TPA or PBM erroneously overpaid for prescription drugs or medical services. In addition, the ability to conduct robust audits of plan vendors helps plan sponsors to fulfill their fiduciary obligations by ensuring that amounts paid for claims are accurate and reasonable.

Restrictive audit terms in TPA and PBM agreements frustrate employer efforts to ensure their group health plans are paying only reasonable compensation for vendor and provider services and the vendors are accurately reimbursing medical and pharmacy providers. Despite federal tri-agency guidance in FAQs About Consolidated Appropriations Act, 2021 Implementation Part 69 that identifies certain audit restrictions as impermissible “gag clauses,” employers are rarely able to negotiate fair audit terms with much larger, heavily-consolidated PBMs and TPAs. Examples of restrictive audit terms abound and include significant limits on the number of claims that may be reviewed (typically only a few hundred claims when most large plans process millions of claims annually), restrictions on the employer’s ability to select the auditor and determine how the auditor is compensated, and limits on the data elements included in the audit.

The Audit Act

Maine’s governor signed the Audit Act into law on July 1, 2025. Codified in 24-A MRSA § 1914 (concerning TPAs) and 24-A MRSA § 4349-A (concerning PBMs), the Act, in essence, prohibits TPAs and PBMs from including certain audit restrictions in their contracts and network services agreements with employers, recognizing that the ability to audit claims data is necessary for employers to engage in proper oversight of their plans. The Act is limited to TPA and PBM contracts with sponsors of self-insured group health plans (see 24-A MRSA § 4347), acknowledging that carriers already have a significant interest in reviewing claims incurred through their fully-insured book of business for which they bear the risk of loss.

With respect to TPA contract terms, the Audit Act requires that TPA contracts must permit employers to perform a post-payment audit of all claims at least once per calendar year and prohibits TPAs from using unduly restrictive confidentiality provisions as subterfuge for restricting audit rights. The Act also requires that TPAs provide the data necessary for the employer to receive a breakdown of each claim cost, including the billed amount and paid amount for professional and institutional services, administrative and claims processing fees charged to the plan (as opposed to direct expenses for medical goods or services), and information regarding network fees and negotiated discounts as well as other fees charged for cost-containment, subrogation, and repricing services. In addition, the Act prohibits TPAs from imposing fees for audits that exceed the direct cost of providing the data and from imposing certain conditions regarding the number or type of claims analyzed and the employer’s choice of auditor. Finally, the Act compels TPAs to allow pre-payment audit of high-cost claims (defined as individual claims of more than $100,000) to enable the employer to ensure the TPA will comply with its contract terms prior to payment of the claim.

With respect to PBM contract terms, the Audit Act includes requirements nearly identical to those that apply to TPA contracts regarding the frequency of post-payment audits, ensuring access to necessary data elements, a prohibition on unduly restrictive confidentially provisions, and a ban on conditions that would restrict an employer’s ability to conduct an audit of all claims and, generally, to use the auditor of their choice. The Audit Act also requires that PBMs provide data within 30 days of an employer’s request regarding the amount, including dispensing fees, paid directly or indirectly to a pharmacy or pharmacist on behalf of a plan. The intent of this requirement is to provide transparency regarding spread pricing models utilized by many PBMs to generate revenue.

Violations of the Audit Act are punishable under the Maine Unfair Trade Practices Act, which can be enforced by the Attorney General for the State of Maine or through a private right of action by consumers who suffer a loss due to a TPA’s or PBM’s failure to observe the requirements of the Act. Importantly, the Audit Act is enforceable against TPAs and PBMs, who must be licensed under State law, and does not impose requirements on group health plans or employers to avoid preemption by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). The Act also makes significant allowances for the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to safeguard the protected health information of plan participants that may be shared during a plan audit.

Conclusion

The Audit Act will be an important tool for employers who sponsor self-insured group health plans in 2026. By creating requirements for Maine-licensed TPAs and PBMs to offer greater detail and information about claims and payments through the audit process, the Act helps to level the playing field for employers seeking to negotiate better audit rights in their services agreements.

Please contact Chris Lockman or any member of Verrill’s Employee Benefits & Executive Compensation Group if you would like more information regarding the Audit Act and how it may affect the negotiation or amendment of services agreements with Maine-licensed TPAs or PBMs in 2026 and beyond.