Federal Transparency in Coverage rules require your health plan to publicly post three machine-readable files every month: in-network negotiated rates, out-of-network allowed amounts, and prescription drug pricing. Most employer plan sponsors have no idea whether their carrier, TPA, or PBM is actually doing it. The exposure is yours, not the vendor's.
Key takeaways
- Three machine-readable files (in-network rates, out-of-network allowed amounts, Rx drug pricing) must be publicly posted and refreshed every month under the Transparency in Coverage rule.
- Posting has been required since July 1, 2022. Plans without confirmed compliance are carrying real fiduciary exposure.
- A December 23, 2025 proposed rule adds a Change-log File and new contextual data fields, with compliance likely required 12 months after final publication.
- Fully insured plans usually rely on the carrier. Self-funded plans usually assume the TPA or PBM is handling it. Assuming isn't a compliance strategy.
- Get the URLs in writing. Open them. Verify the last update date. Document who is responsible. Repeat every month.
What exactly does the Transparency in Coverage rule require?
The U.S. Department of Labor FAQ ACA Part 70 is clear. Non-grandfathered group health plans must disclose pricing data in three separate machine-readable files: in-network provider negotiated rates, out-of-network allowed amounts and billed charges, and negotiated rates plus historical net prices for covered prescription drugs. Three files. Publicly posted. Not optional.
These rules didn't come out of nowhere. The Transparency in Coverage Final Rules were issued jointly by the Departments of Treasury, Labor, and Health and Human Services on November 12, 2020. Public posting has been required since July 1, 2022 per the CMS Transparency in Coverage Final Rule Fact Sheet. Plans without confirmed compliance are carrying real fiduciary exposure.
And the files aren't a one-time post. Plans must refresh them on the first day of every month. Miss a cycle and you're out of compliance.
What's in each of the three machine-readable files?
The In-Network Rate File covers every covered item and service your plan pays for through contracted providers. It has to show the actual negotiated rate, not a range, not an estimate. Specific dollar amounts tied to specific services and providers.
The Out-of-Network Allowed Amount File is narrower but still complex. Per the DOL Allowed Amount File guidance, it must detail each discrete out-of-network allowed amount the plan calculated for covered items or services furnished during a 90-day period. If fewer than 20 claims exist for a service in that window, the plan does not have to include it. The threshold matters for smaller plans.
The Prescription Drug File covers negotiated rates and historical net prices for drugs your plan covers. This one tends to catch employers off guard. Your PBM almost certainly holds this data, not you. Getting it out of them is a separate fight.
Transparency in Coverage Machine-Readable Files at a Glance| File | Content | Update Freq. | 20-Claim Threshold |
|---|
| In-Network Rate | Negotiated rates | Monthly | No |
| Out-of-Network Allowed | Allowed amounts, billed charges | Monthly | ✓ |
| Rx Drug Pricing | Negotiated rates, net prices | Monthly | ✓ |
How do the CAA and the 2025 proposed rule change what employers must do?
The Consolidated Appropriations Act transparency provisions overlap heavily with the machine-readable file requirements. You're not dealing with one rule. You're dealing with layered obligations from multiple federal agencies that don't always map cleanly onto each other. The CAA's fiduciary fingerprints reach into this too, because failing to verify vendor posting is itself a failure of plan oversight.
The CAA also requires plans to provide provider-specific cost and quality-of-care data to referring providers, participants, and enrollees, plus an internet-based cost-sharing tool with enrollee-specific coverage information. That's a separate obligation on top of the MRFs.
Now add this: the Federal Register proposed rule published December 23, 2025 would require plans to post additional contextual machine-readable files alongside the In-Network Rate File, including a new Change-log File identifying every change made between monthly updates. The rule isn't final yet. The comment period was extended to March 2, 2026. But the direction is clear, and the Departments propose compliance 12 months after publication of the final regulations.
What should a plan sponsor verify right now?
Start by confirming who's actually posting your files. Most fully insured plans lean on the carrier. Self-funded plans often assume the TPA or PBM is handling it. Assuming isn't a compliance strategy.
Get written confirmation from your carrier, TPA, or PBM that all three files exist, are publicly accessible, and are updated on a monthly schedule. Ask for the URLs. Pull them up yourself and verify the last update date. If the files are stale or missing, you need to know now, not at audit.
Document everything. The DOL isn't the only one watching. Participants and advocacy groups can access these files too. Gaps in your MRF posting are public gaps, and the DOL's 2026 audit trigger list tracks the same kinds of plan oversight failures the agency is actively pursuing.
If you're self-funded and your PBM hasn't handed over the prescription drug file data, that conversation is overdue. Your plan is on the hook even if the vendor drops the ball. Build the monthly verification cycle into a running compliance calendar so nothing slips between renewal seasons.
Machine-readable file compliance isn't a technical detail you can hand off and forget. It's a fiduciary obligation attached to your plan, not your vendor. If the files aren't posted, aren't current, or aren't complete, that's your exposure. Who's actually verifying yours?
Frequently asked questions
Who is responsible for posting machine-readable files, the carrier or the employer?
Both, depending on plan type. Under the Transparency in Coverage Final Rule, the plan or issuer is responsible. Fully insured carriers typically post on behalf of the plan; self-funded employers are the plan sponsor and remain liable even when they delegate posting to a TPA, PBM, or carrier. Get the assignment in writing.
How often do machine-readable files have to be updated?
Monthly. The files must be refreshed on the first day of each month per the Transparency in Coverage Final Rule. A stale file is a non-compliant file, even if the prior version was perfectly accurate.
What is the 20-claim threshold for the out-of-network file?
For the Out-of-Network Allowed Amount File and the Prescription Drug File, if fewer than 20 claims exist for a particular service or drug during the 90-day reporting window, the plan does not have to report it. The threshold protects participant privacy. It also means smaller plans may have legitimately sparse files.
Does the CAA require anything beyond the three machine-readable files?
Yes. The CAA layers on a public internet-based cost-sharing tool that shows enrollee-specific cost information, plus provider-specific cost and quality data delivered to referring providers. Both are separate from the MRFs and carry their own deadlines and technical specs.
What happens if my plan's machine-readable files are missing or out of date?
The plan sponsor is on the hook. Penalties under ERISA Section 502(c) can run up to a per-day amount per affected participant, and DOL enforcement is increasingly focused on transparency failures. The cleaner risk is participant litigation: gaps in posted files give plaintiffs' counsel a public, time-stamped paper trail of fiduciary inattention.
The math is there. You just need someone to show you.
Bi-weekly analysis across five pillars. Written in financial language for the people who own the budget.
Every other Wednesday. Unsubscribe anytime.
