Pharmacy benefit managers (PBMs) are increasingly using artificial intelligence tools for pharmacy benefit management. This is a transaction-intensive feature that includes fee, discount, and rebate calculations to manage costs for plan sponsors and participants. Although AI allows PBMs to operate more efficiently and optimize pricing to reduce drug costs, this new technology poses several data privacy, regulatory, and contractual risks for employers sponsoring health plans. This insight explains how plan sponsors can leverage the benefits that AI brings to healthcare costs and management while identifying potential red flags and avoiding potential liability.
How PBMs’ use of AI impacts health plans
The relationship between a PBM and a health plan sponsor is governed by an administrative services agreement (ASA) that authorizes the PBM to manage prescription drug programs. ASAs increasingly include provisions that explicitly allow PBMs to leverage AI in service delivery.
However, these provisions are often very broad, giving PBMs significant discretion to use AI as they see fit. Such a structure raises many data privacy concerns, including:
- If the use of AI results in actionable harm, who ultimately bears the risk?
- What decision-making functions does AI perform?
- Where will PBMs implement AI in plan management rather than relying on traditional management methods?
- When is the use of AI permitted as an enhancement to operations or prohibited as a risk to patient privacy concerns?
- How can plan sponsors avoid being responsible for a PBM’s AI strategy?
- How can plan sponsors protect themselves and their participants from AI-related incidents?
Top Tips for Plan Sponsors Negotiating or Renewing an ASA
Fortunately, many of these concerns can be addressed with ASA. ASAs must be carefully drafted to avoid giving PBMs the power to unilaterally decide where, when, and how AI is used.
When negotiating the terms of your ASA, you should consider promoting the following provisions:
1. Prohibit the use of AI in judicial decision-making. To the extent that AI plays a role in determining benefit amounts, this poses a serious risk to plan sponsors. If the AI improperly denies coverage, participants may have a cause of action against the sponsor. Therefore, when a PBM proposes the use of AI, the ASA must clearly identify the AI as: can’t do it It will not be used to make or materially influence unfavorable benefit decisions, coverage denials, utilization review results, or pricing decisions.
2. Limit the use of PHI for training AI tools and models. To maximize effectiveness, AI relies on the steady introduction of large datasets to become “smarter” and optimize performance. Nevertheless, protected health information (PHI) of people that plan participants do not know or do not want to participate in the plan should not be used to train AI systems. Limitations on how a PBM can use PHI to “train” an AI model must be detailed in the ASA. Plan sponsors should also ensure that the Business Associate Agreement (BAA) governing the PBM relationship explicitly addresses AI model training as an acceptable use, or preferably prohibits it. Any use of PHI must comply with commonly used data protection principles (such as anonymization, anonymization, and pseudonymization).
3. Shift the risk of AI use to the PBM. After all, PBMs choose to use AI because they believe it will benefit their business. In return, they have to bear the risk if something goes wrong. Including language in the ASA that “any use of AI or generated AI constitutes a representation by the vendor of regulatory compliance and fitness for purpose” will help protect plan sponsors. Additionally, sponsors would be wise to include indemnification provisions that impose costs associated with AI errors on PBMs.
3 proactive steps you can take now
The use of AI in healthcare is a rapidly evolving field, but its impact is not yet fully clear. However, there is no denying that the regulatory environment is catching up with companies adopting this technology. It is therefore inevitable that policy makers will begin to take more authoritative action when AI impacts health.
In the meantime, plan sponsors can take the following steps to stay at the forefront of AI-related developments.
- Maintain open communication channels. Understand if and how your planning PBM applies AI, what its strategic vision and short-, medium-, and long-term tactical applications are for its use.
- Establish robust AI-oriented policies and procedures. Your company may already be considering using AI for its own purposes, or other vendors you do business with may be using AI to provide services. We recommend having a set of guardrails around the use of AI.
- Leverage outside expertise. One of the most distinctive features of data protection in the United States is the lack of uniform rules and regulations. Federal, state, and local governments all have legislation in this area. We should expect a similar pattern to continue with AI. A data protection lawyer’s job is to stay aware of trends in this area and work with organizations to design, develop, and deploy compliant best practices.
