
Population Health, Equity & Outcomes
- December 2025
- Volume 31
- Issue Spec. No. 15
Legal Issues in Value-Based Care Contracts for Self-Insured Employers
Key Takeaways
- Self-insured employers face legal challenges in adopting value-based models, including ERISA fiduciary duties, HIPAA restrictions, and antitrust concerns.
- Standardized data definitions and performance metrics are essential for successful value-based contracting, with CMS data sets offering a viable framework.
Self-insured employers face regulatory challenges when adopting value-based contracts, requiring careful data governance, standardized metrics, and legal frameworks to align with federal value-based care models.
Am J Manag Care. 2025;31(Spec. No. 15):e2-e6.
The transition from fee-for-service (FFS) reimbursement to value-based models has been a priority in US health policy for more than a decade. Federal initiatives, particularly through CMS, have piloted numerous alternative payment models, including the Medicare Shared Savings Program and the Accountable Care Organization Realizing Equity, Access, and Community Health (ACO REACH) model.1,2 Yet adoption in the commercial sector, especially among self-insured employers, remains limited. Self-insured plans interested in entering value-based contracts face several legal challenges, including Employee Retirement Income Security Act of 1974 (ERISA) duties,3 privacy restrictions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA),4 and antitrust oversight.
There are several unique legal challenges for self-insured plans, with ERISA fiduciary duties being foremost on the list. Employer plans are governed by ERISA, and their fiduciaries are required to act prudently and only in the interest of plan participants. Implementing a value-based contract that ties payments to quality metrics or population health outcomes creates several fiduciary questions. Does shifting risk to a provider expose plan participants to narrower networks or limited access that may conflict with fiduciary obligations? How should fiduciaries evaluate whether the incentive structures truly benefit plan participants rather than merely reduce employer costs?
An ongoing challenge to scaling value-based contracting in the commercial market is the lack of standardized data definitions and performance metrics. CMS has established mature data frameworks for its programs, including quality measures and risk-adjusted data sets, which enable outcome comparisons across populations. In contrast, employer-based contracts often lack uniformity and should incorporate the CMS Hospital Compare and the Merit-based Incentive Payment System quality measures, which provide nationally validated benchmarks for metrics such as readmission rates, medication reconciliation, and chronic disease management. Using standardized CMS data sets minimizes ambiguity and improves objective benchmarking.
From a legal point of view, incorporating CMS data sets requires careful implementation. Employers may lack direct access to claims-level data necessary for CMS-style analytics due to HIPAA limitations. Therefore, a value-based contract should define the permissible data aggregation process, which is typically through a third-party analytics vendor who acts as a business associate. CMS also frequently updates its quality metrics and risk adjustment methodologies. Any contracts should address how any updated benchmark data will be applied retrospectively to avoid the question of which version governs performance evaluation.
Using CMS-aligned data sets can reduce the administrative burden and promote comparability across markets. It can also signal good faith compliance with emerging federal policy direction. In 2024, CMS issued guidance under the Innovation Center Strategy Refresh emphasizing alignment between public and private value-based models.5 Adopting CMS data sets in employer-based value-based care models may assist in advancing symmetry between public and private models. Legally, this could support the development of federal safe harbors under ERISA or promote a more uniform national definition of value. However, in the absence of regulatory guidance, employers must still balance adherence to federal standards with the flexibility required to reflect their own plan demographics and risk profiles. Robust data exchange that is required in a value-based arrangement can present legal challenges as well. HIPAA compliance is essential, but data ownership issues also arise. Negotiations regarding data often focus on whether the value-based arrangement grants true ownership of the data or simply a license to use the data. For example, a self-insured plan typically requires ownership of its claims data, whereas the clinically integrated network and its providers want broad rights to use and analyze data to manage care, report on performance, and negotiate payments.
The secondary use of data is also a legal challenge. Employers often need deidentified data for their wellness programs, underwriting purposes, or predictive analytics. Keeping the secondary use of data within the perimeters of HIPAA and state law requirements requires careful negotiation among the parties.6
Most value-based models involve collaboration between providers to manage risk and facilitate care coordination. Such arrangements often raise antitrust concerns if they resemble price-fixing or market allocation. Joint negotiations in value-based arrangements must demonstrate efficiency and quality improvement to address antitrust issues.
Unlike FFS contracts, value-based arrangements with self-insured plans include withholds, shared savings, or retrospective reconciliations. This requires careful negotiations among the parties regarding risk allocation for disputed payment amounts, audit rights, and timing of settlement.
The transition from FFS to value-based contracting for self-insured employers is challenged by the systemic infrastructure of FFS. Current claims processing and payment infrastructure is designed around fee-for-service. Employers, third-party administrators, and providers rely on standardized billing codes and payment adjudication systems that don’t align well with outcome-based payments. There are many factors that may challenge the move to private value-based models by self-insured employers, but these can be addressed through strategic planning and commitment.
Regulatory fragmentation is another challenge to implementation. The Internal Revenue Service has several nondiscrimination rules for self-insured health plans that cover “highly compensated individuals” with respect to eligibility or benefits, as well as rules for “operational discrimination” and “multiple plan” rules on treating coverage groups separately.7
HIPAA prohibits discrimination against individuals based on health status with respect to eligibility, enrollment, or premiums.8 It also requires that special enrollees be treated the same as similarly situated individuals. Other laws affecting self-insured health plans include the Genetic Information Nondiscrimination Act, which prohibits health plans and group health insurance from discriminating on the basis of genetic information.9 ERISA fiduciary duties impose a legal check on plan design. If a value-based care design leads to discriminatory access or benefit tiers, fiduciaries must justify them under a “prudent design” standard.
Despite the various challenges described above, legal frameworks can assist in value-based contracting. Key options include the following:
Alternative Contracting Models
Shared savings agreements: Employers pay providers FFS rates but share in savings if cost benchmarks are achieved. This model mirrors the CMS Shared Savings Program and is designed to tie incentive payments to measurable outcomes. An example payment model includes baseline and target spending, where the parties agree to calculate a baseline cost per member per month (PMPM) based on the employer plan’s historical claims data for the prior 2 years, risk-adjusted for age, sex, and chronic condition categories. A target cost is typically established at 95% of the baseline cost PMPM. If the actual PMPM cost for the performance year is below the target cost and all quality metrics are met, then the health system would receive 50% of the net savings (the difference between the target cost and the actual cost). Savings distributions occur after completion of claims runout and validation by an independent auditor. If actual PMPM costs exceed 95% of the target cost, the provider would be responsible for 25% of the excess cost (shared losses), capped at 5% of the total annual payments. Performance payments are contingent upon meeting quality benchmarks jointly defined by the parties. Failure to meet at least 75% of quality benchmarks reduces shared savings payments proportionally.
Bundled payments: This model establishes a bundled payment arrangement between a health system and an employer plan to improve care coordination, quality, and cost efficiency for defined clinical episodes. The arrangement replaces traditional FFS reimbursement for selected procedures with a single comprehensive payment for all services within a defined episode of care. For example, the bundled payment would apply to specific clinical episodes, such as a total knee arthroplasty or a coronary artery bypass graft. Each episode of care includes an agreed-upon definition, such as all inpatient facility and professional services rendered during the index hospitalization, preoperative services provided within 30 days prior to the admission, or postacute care and related readmissions occurring within 90 days after discharge. The payment model example for a bundled payment could be as follows: “The plan shall pay the provider a fixed bundled payment of $28,000 per total knee arthroplasty episode, subject to risk adjustment for comorbidities.” The bundled payment should also include stop-loss and outlier protection; for example, if the provider’s cost exceeds the bundled payment by more than 20%, the plan would pay 50% of the excess cost. Catastrophic cases are excluded and reimbursed on a negotiated case-rate basis.
Worksite (employer-sponsored) health clinics: Worksite clinics are medical clinics established or sponsored by an employer, often through a third-party vendor, to provide primary or preventive care directly to employees and their dependents. These clinics are usually located onsite or near the workplace and are often integrated into a self-insured employer’s health plan. These clinics focus on managing chronic diseases in-house in the hope of reducing downstream hospital utilization. The payment model typically uses capitated or per-employee per-month vendor payments, aligning incentives with prevention. Worksite clinics can also serve as a data collection hub for population health metrics used in a shared savings or bundled payment model.
Direct primary care models: Direct primary care (DPC) is a membership-based model in which patients (or employers on their behalf) pay a fixed monthly fee directly to a physician or clinic in exchange for unlimited access to primary care services. The arrangement bypasses traditional insurance billing claim submission entirely. DPC is a form of prospective capitated payment, typically on a PMPM basis, which aligns incentives toward prevention and chronic disease management rather than volume. Employers often pair DPC with high-deductible plans.
Governance and Oversight Mechanisms
Contracts should include joint committees of employer and provider representatives to oversee performance metrics and compliance with ERISA duties. Recent litigation highlights the importance of governance oversight. In Lewandowski v Johnson & Johnson et al, the plaintiff, a Johnson & Johnson employee, brought a class action lawsuit under ERISA alleging that Johnson & Johnson and its Pension and Benefits Committee breached their fiduciary duties by mismanaging the self-funded group health plan’s pharmacy benefits program.10 The plaintiffs alleged a failure to prudently negotiate pharmacy benefits manager (PBM) contracts, excessive reliance on the PBM’s formulary favoring costly branded drugs over generics, and failing to consider alternative PBM models or specialty pharmacy carve-outs. The complaint alleged that these fiduciary failures led to plan participants incurring higher premiums, deductibles, and out-of-pocket expenses. The lawsuit reflects increased scrutiny of health plan fiduciaries and is a signal for future litigation regarding excessive drug costs and PBM oversight for self-insured plans.
Besides legal exposure from ongoing litigation, self-insured plans have legal exposure from recent regulation regarding new compliance requirements. The Consolidated Appropriations Act of 2021 imposed new consumer protections, surprise billing restrictions, and expanded transparency for health plans, including mandates for PBM-plan contract disclosures and reporting of prescription drug costs.11 The legislation requires health plan sponsors and fiduciaries to justify pharmacy contract terms, demonstrate prudent management, and prepare for ongoing audits and reporting requirements.
Data-Sharing Agreements
To enable performance measurement while complying with HIPAA, contracts should incorporate robust business associate agreements. Employers may receive deidentified or aggregated data, whereas providers retain responsibility for safeguarding protected health information. Legal drafting must strike a balance between transparency and compliance obligations.
Aligning With Federal Guidance
Employers and providers can align private value-based care arrangements with models recognized by CMS, such as accountable care organizations. Using federally endorsed measures provides legal defensibility and reduces the risk of fiduciary challenge.
For self-insured employers, value-based contracts represent both an opportunity and legal challenges. The persistence of the FFS system, combined with ERISA fiduciary duties, HIPAA restrictions, and operational barriers, explains why adoption remains limited. Yet with careful legal structuring through shared savings agreements, bundled payments, robust oversight, and dispute resolution frameworks, employers can mitigate risk and move incrementally toward value-based care. The following is a checklist for self-insured plans to begin the transition to value-based care:
- Develop the required data infrastructure and attribution strategy via data-sharing agreements and benchmarking data sets.
- Identify risk stratification and population health management by aligning resources to member health risk.
- Transition from FFS to outcomes-based models in stages, carefully selecting the right payment model.
- Establish transparent, actionable metrics for quality and performance benchmarks.
- Implement legal and compliance governance via careful contracting and internal committees.
- Integrate partners to support the transition to value-based care via vendors and a third-party administrator.
- Develop employee engagement and incentive design by aligning employee behavior with plan goals.
- Begin with a pilot program and a scalable framework by building internal experience before expanding systemwide.
Author Information
Ms Suchyta is a shareholder at Buchalter and a member of the Health Care & Life Sciences practice group.
REFERENCES
- Shared Saving Program: program guidance & specifications. CMS. Updated August 1, 2025. Accessed October 29, 2025. https://www.cms.gov/medicare/payment/fee-for-service-providers/shared-savings-program-ssp-acos/guidance-regulations#quality
- ACO REACH model. CMS. Updated September 24, 2025. Accessed October 29, 2025. https://www.cms.gov/priorities/innovation/innovation-models/aco-reach
- Employee Retirement Income Security Act of 1974. 29 USC §1001-1461 (1974). Accessed October 29, 2025. https://www.govinfo.gov/content/pkg/COMPS-896/pdf/COMPS-896.pdf
- Health Insurance Portability and Accountability Act of 1996. PL 104-191, 110 Stat 1936 (1996). Accessed October 29, 2025. https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
- Innovation Center Strategy Refresh. CMS. Accessed October 29, 2025. https://www.cms.gov/priorities/innovation/strategic-direction-whitepaper
- Administrative data standards and related requirements. 45 CFR §160, 162, 164. Amended September 11, 2025. Accessed October 29, 2025. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C
- Amounts received under accident and health plans. 26 USC §105(h). Amended March 23, 2018. Accessed October 29, 2025. https://www.law.cornell.edu/uscode/text/26/105
- Prohibiting discrimination against participants and beneficiaries based on a health factor. 29 CFR §2590.702. Amended February 24, 2014. Accessed October 29, 2025. https://www.ecfr.gov/current/title-29/subtitle-B/chapter-XXV/subchapter-L/part-2590/subpart-B/section-2590.702
- Genetic Information Nondiscrimination Act. PL 110-233, 122 Stat 881 (2008). Accessed October 29, 2025. https://www.govinfo.gov/content/pkg/PLAW-110publ233/html/PLAW-110publ233.htm
- Lewandowski v Johnson & Johnson et al, 3:2024cv00671 - document 70 (D.N.J. 2025). January 24, 2025. Accessed October 29, 2025. https://law.justia.com/cases/federal/district-courts/new-jersey/njdce/3:2024cv00671/540118/70/
- Consolidated Appropriations Act of 2021. PL 116-260, 134 Stat 1182 (2020). Accessed October 29, 2025. https://www.govinfo.gov/content/pkg/PLAW-116publ260/pdf/PLAW-116publ260.pdf