PlanLedger is the tamper-proof fiduciary ledger of record for self-funded employers. Upload your monthly PBM claims, review AI-flagged disputes, and download an audit-ready Fiduciary Package any time — no consultant, no scraping, no PBM permission required.
Free trial · no credit card · full product · cancel anytime.
April 2026 · Compliance Task
Upload claims
optumrx_apr_2026.csv · 12,481 rows
Review 23 AI-flagged disputes
$84,210 in potential overcharges
Clear March's PBM responses
14 of 18 received · 4 escalation drafts ready
Fiduciary Package
Available nowPlanLedger_Fiduciary_Package_2026-Q2.pdf
Hash-chained · KMS-signed · 7-year WORM retention
Time on task today: 12 min
Built for plan sponsors managing every major PBM
OptumRx
CVS Caremark
Express Scripts
MedImpact
Prime Therapeutics
Humana Pharmacy
The new fiduciary reality
The compliance bar moved. The tools didn't. So far, plan sponsors have had two options: hire a $50K/year consultant, or hope no one asks for receipts.
If your company self-funds health benefits, ERISA §404(a)(1)(B) holds the named plan administrator personally liable for prudent oversight of every dollar paid to your PBM. The DOL is enforcing it. Plan participants are suing.
Spread pricing, hidden rebates, MAC list manipulation, specialty steerage, formulary games — the FTC's 2024 6(b) PBM report calls it ‘a vertically integrated, opaque industry’ that systematically overcharges plans 3–8%.
The Consolidated Appropriations Act §204 gives plan sponsors statutory access to claims, rebates, and fees. PBMs comply slowly, partially, in formats designed to obstruct analysis. Most plans never exercise the right.
Tibble v. Edison (2015) made ‘continuous monitoring’ a legal duty. J&J, Wells Fargo, Mayo Clinic, and dozens of mid-market plans are in active class actions over PBM oversight. Average settlement: $1.1M.
The legal point of view
Every line of our product is anchored to a statute, a court decision, or a federal report. No fearmongering — just the law as it stands today.
01
Plan fiduciaries must act ‘with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use.’ Translation: ignorance of PBM pricing isn't a defense. Continuous expert oversight is the bar.
02
Every fiduciary act must be documented in a way that survives the participant lawsuit, the DOL audit, and the next plan administrator. PlanLedger writes that documentation for you, hash-chained and KMS-signed, the moment each act happens.
03
The Consolidated Appropriations Act of 2021 gives self-funded plans the right to claims-level pricing, rebate, and fee data from their PBM. Refusing or stalling is a federal violation. PlanLedger generates the formal §204 demand letters, tracks the response window, and auto-drafts the DOL/EBSA escalation if the PBM stonewalls.
04
The Supreme Court held that fiduciaries have an ongoing duty to monitor — not just at procurement, not just annually, but continuously. ‘We did an RFP three years ago’ no longer cuts it. PlanLedger turns continuous monitoring into a 15-minute monthly task with a permanent record.
05
OptumRx, CVS Caremark, Express Scripts, MedImpact, Prime, and Humana plan-sponsor portals all prohibit automated access in their ToS. Tools that ‘scrape’ portals on your behalf put your contract — and your fiduciary record — at risk. PlanLedger never logs into a PBM portal. We're the recorder, not the actor.
06
PlanLedger is a software platform and the system of record for your fiduciary diligence. We are not a law firm, an ERISA consultant, or your plan's named fiduciary. We make it provable that you did the job. You and your counsel decide what to do next.
Counsel-reviewed positioning
PlanLedger is positioned by an external health-tech ERISA attorney as a fiduciary diligence system of record — not contingency recovery, not portal automation, not legal advice. Every customer cycle produces evidence that was missing before, in a format auditors and courts have already accepted.
Our solution
We document the duty. We flag the disputes. You stay in control of every PBM interaction — and you walk away with proof.
Every action — every claim file uploaded, every dispute flagged, every PBM response classified, every Primary sign-off — is appended to a per-tenant, hash-chained, KMS-signed ledger. Tamper-evident by construction. Anyone can verify a record with a public key.
Every claim is benchmarked against NADAC and WAC, evaluated against your contract's pricing terms, and scored for dispute-worthiness. Powered by AWS Bedrock Claude inside the HIPAA bubble — your PHI never leaves your AWS region.
At any moment — not only at quarter-end — your plan administrator downloads the PlanLedger Fiduciary Package PDF: ledger excerpt, 3-step proof bundle, ERISA 6-obligation snapshot, and an openssl verification recipe. Hand it to the DOL. Hand it to plaintiff's counsel.
We never log into a PBM portal. We never store your PBM credentials. You drag and drop your monthly file (or set up a one-time SFTP feed). The PBM never knows we exist — and your contract is never at risk.
When your PBM stalls, PlanLedger drafts the formal §204 data request, tracks the statutory response window, and queues the DOL/EBSA escalation if the deadline passes. You sign and send. We document.
Our published no-scrape attestation, BAA index, subprocessor list, and KMS public verification key are at planledger.io/trust — so your auditor, your broker, and your participants can independently verify our posture. No NDA required.
Our process
Built for the busiest plan administrator in the company — usually one person at the SMB / mid-market scale, doing benefits as part of a wider HR or finance role.
First 10 minutes
Tell us your company name, employee count, and which PBM(s) you use. Name your Primary fiduciary, up to two Delegates, and a Backup. Drop in your most recent PBM contract — we extract every pricing term automatically. That's onboarding. One time.
Each month, ~5 min
Drop in the claims file your PBM gave you (CSV, XLSX, EDI 835, NCPDP, even PDF). Within ~10 minutes, we benchmark every line against NADAC + WAC and your contract terms, score each claim, and flag the disputable ones at ≥85% confidence.
Each month, ~7 min
Three buttons per flagged claim: include, defer, dismiss with reason. Then upload any responses your PBM sent you last cycle — our AI classifies each one (accepted / partial / denied / no response). PlanLedger drafts the next escalation when a window expires.
Each month, ~3 min
Your named Primary clicks ‘I certify I performed this monthly fiduciary review’ — capturing e-signature, IP, user agent, content hash, and ERISA §404(a)(1)(B) attestation language. The cycle is sealed in the ledger. The Fiduciary Package is ready to download.
Who it's for
Usually the head of HR, benefits, or finance at a self-funded employer. ERISA names you. PlanLedger gives you a 15-minute monthly task and a permanent receipt for every act.
Strengthen client retention by giving them an audit-ready ledger they can't get anywhere else. Earn 15% recurring rev-share via Stripe Connect.
PBM line items are usually in the top three line items in the benefits budget. PlanLedger's flagged disputes typically return 4–10× cost in year one.
Get read-only access to your client's ledger. Generate Fiduciary Packages for plan committee meetings. No more asking for ‘the binder.’
How we compare
PlanLedger is the fourth option — built specifically for the plan administrator who needs to satisfy ERISA without hiring a team.
| Capability | PlanLedger $5 PEPM | PBM consultant e.g. Mercer, Aon | Scraping platform e.g. HDS / Rivera, Xevant | DIY in spreadsheets Excel + claims dump |
|---|---|---|---|---|
| Annual cost (250-EE plan) | $15,000 / yr | $50,000–$150,000 / yr | $30,000–$80,000 / yr | Hidden cost: 1 FTE |
| Time-to-first value | Same day | 60–90 days | 30–60 days (portal setup) | Months |
| PBM contract risk | None — never logs in | Low | ToS violation risk | None |
| Tamper-proof fiduciary ledger | Yes — KMS-signed, hash-chained | PDFs in a SharePoint | Dashboards, no proof | Spreadsheets |
| Continuous (per Tibble) | Monthly cycle, every month | Quarterly meeting | Continuous, but not legally documented | Annual at best |
| On-demand audit-ready package | Any time, any cycle | Custom engagement | No | No |
| Disputes filed | By you, with our pack — your contract, your decision | By them | Mixed | By you (manually) |
| Stays in your data — no PHI to vendor brain | Yes — AWS BAA + Bedrock | Often shared | Often shared | N/A |
Comparison reflects publicly available information about each category. Named vendors are illustrative examples of the category, not direct product-by-product comparisons.
Pricing
$5 per eligible employee per month, flat. Month-to-month, no annual contract, no feature gating, no consultant retainer. Same price for the 75-employee plumbing distributor and the 4,500-employee hospital system.
Live calculator
PlanLedger monthly
$1,250
Billed monthly. Cancel any time.
PlanLedger annual
$15,000
Less than one hour of ERISA counsel.
Estimated annual recovery (bonus, not the value prop)
$10,000–$29,000
Based on Mercer's $4,265 average PBM spend per employee per year and 3–6% typical overcharge per FTC's 2024 6(b) report, risk-adjusted by realistic dispute capture rates.
ROI multiple (low)
1×
ROI multiple (high)
2×
No credit card required. One full monthly cycle on the house.
$5 / employee / month
Flat. Monthly billing. Cancel any time.
Free trial includes one full monthly Compliance Task and one Fiduciary Package download. Subscription unlocks the living ledger and unlimited packages.
No annual contract
Month-to-month. The product earns the renewal each cycle.
No recovery share
Your recovered dollars are yours. We charge for the ledger, not the outcome.
Your data is yours
Export every byte at any time, even after you cancel. We are the recorder.
Trust & security
If your auditor or your CISO has questions, the answers are already on the Trust Center — no NDA, no sales call required.
Every service inside the PHI boundary has a signed BAA on file. Supabase Team + HIPAA, AWS BAA (Bedrock, Lambda, S3, KMS), Phaxio, PostGrid, Resend, Sentry, Clerk.
We do not log into any PBM portal. We do not collect or store PBM credentials. Annual third-party attestation published on our Trust Center.
Per-tenant append-only fiduciary ledger. SHA-256 hash chain, KMS-signed every write, public verification key. Anyone can verify a record.
Auditor packages and ledger artifacts stored in S3 with Object Lock (Compliance mode). Independent of our control after write.
Repo-level ESLint rules forbid PHI fields from crossing into Stripe, PostHog, Sentry, or any out-of-bubble service. Violations fail CI.
Type I targeted at 6 months post-launch, Type II at 18 months. Live status, auditor, and report request form on the Trust Center.
Want the full picture — BAA index, subprocessor list, public KMS verification key, security whitepaper?
Visit the Trust Center →From the field
(Names withheld during private beta. Unedited customer language.)
Our last benefits committee meeting opened with one click — the Fiduciary Package PDF — instead of a six-week scramble. PlanLedger has changed how I think about my role.
Director of Total Rewards
850-employee logistics company
I spent two decades writing PBM contracts. PlanLedger is the first tool that actually reads the contract I negotiated and tells the plan whether the PBM is honoring it.
Independent ERISA consultant
Regional benefits advisory firm
Our broker put us on PlanLedger. In the first cycle the AI flagged $47K of overcharges I'd have never caught. We filed the dispute pack ourselves. The PBM accepted $31K.
VP of Finance
320-employee manufacturer
Frequently asked
No. PlanLedger is a software platform that documents fiduciary diligence. We are not a law firm and do not provide legal advice. Our positioning is reviewed by external health-tech ERISA counsel; your plan should still have its own.
Consultants run point-in-time analyses, build slide decks, and sit on quarterly calls. PlanLedger gives you a continuous, tamper-proof record — the kind a court has to accept — for ~10% of the cost. Many of our customers run both: PlanLedger for the system of record, a consultant for negotiation strategy.
Those tools log into PBM portals on your behalf, which violates the PBM's Terms of Service and creates contract risk for you. PlanLedger never logs into a portal and never stores credentials. We work with what your PBM is legally obligated to give you.
No. PlanLedger sits next to your existing PBM. You stay in your contract. We just make sure the contract is being honored — and that you can prove you checked.
Three steps and a sign-off. Step 1: drop in (or auto-receive) your monthly claims file. Step 2: review the AI-flagged disputes and export a per-PBM Dispute Pack to file. Step 3: upload responses your PBM sent you last cycle — our AI classifies each one. Then your Primary signs off and the cycle is sealed in your ledger.
You can export every byte at any time, even after cancellation. The living ledger and Fiduciary Package generation require an active subscription, but a frozen, signed copy of every prior cycle's package is yours forever via your export.
Yes — claims data is PHI. PlanLedger is built HIPAA-ready: BAAs with every subprocessor in the boundary, AWS BAA covering Bedrock, S3, KMS, and Lambda; Supabase Team + HIPAA add-on; row-level security and per-tenant KMS keys. Trust Center has the full subprocessor list.
The Primary (named ERISA fiduciary on your plan) is the only role that can sign off in normal operation. The Primary may name up to two Delegates per cycle who can do the work. A Backup is auto-escalated only if the Primary misses the cycle.
$5 per eligible employee per month, flat. We charge for the ledger — not the outcome. This keeps our incentives aligned with your fiduciary record, not with how aggressive your disputes are.
Yes. Brokers get a referral link, a per-client portal with read-only access to client Fiduciary Packages, and a 15% recurring rev-share via Stripe Connect. See /for-brokers.
Get started
Free for 30 days. One full Compliance Task on the house. No credit card. Your data is yours forever, even if you cancel.