Agencies Issue Guidance on Gag Clause Prohibition Requirement and How to Submit Annual Attestations of Compliance


The Consolidated Appropriations Act, 2021 (CAA) prohibits employer-sponsored group health plans from entering into agreements that contain “gag clauses.” The prohibition generally restricts plans from entering into agreements with health care providers, third-party administrators (“TPAs”), or other service providers that directly or indirectly restrict the plan from (i) furnishing provider-specific cost or quality of care information to referring providers, plan sponsors, or participants or beneficiaries, (ii) electronically accessing de-identified claims information for a participant or beneficiary, and/or (iii) sharing the above information with business associates (as defined under HIPAA). The CAA also requires group health plans to submit an annual filing attesting to the absence of gag clauses in their agreements.

The gag clause prohibition went into effect immediately upon the enactment of the CAA on December 27, 2020; however, the DOL, HHS, and IRS (the “Agencies”) previously indicated that, pending the issuance of further guidance, plans were to implement the requirements prohibiting gag clauses using a good faith, reasonable interpretation of the statute, and the annual attestation requirement would be delayed pending such further guidance.

On February 23, 2023, the Agencies jointly issued FAQ guidance (Part 57) addressing the gag clause prohibition requirements and specifying that the first attestation of compliance will be due by December 31, 2023, and it will cover the period from December 27, 2020 through December 31, 2023. Subsequent attestations will be due by December 31 of each following year.

What Does the New FAQ Guidance Say About the Gag Clause Prohibition in General?

The FAQs explain that a gag clause is a “contractual term that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party.” Specifically, this includes restrictions on disclosing provider-specific cost or quality-of-care information, restrictions on electronic access to de-identified participant and beneficiary claim information (consistent with applicable privacy protections), and restrictions on sharing these types of data or information. Examples include a TPA’s attempts to restrict disclosure of provider rates because it considers them proprietary, or to allow access to provider-specific cost and quality-of-care information only at the TPA’s discretion. The FAQs note, without elaboration, that “reasonable restrictions” may be placed on public disclosure of this information.

How Do Plans Submit Annual Attestations of Compliance?

In conjunction with issuing the new FAQ guidance, the Agencies published instructions, a user manual, and an Excel template file to assist with submitting the annual attestations of compliance. The annual attestations are to be submitted through a newly created “GCPCA webform” portal on CMS’s Health Insurance Oversight System (HIOS) website.

Attestations generally are required for all ERISA group health plans, including grandfathered and grandmothered group health plans. However, attestation is not required for excepted benefits, and the Agencies will not enforce the requirement against health reimbursement arrangements (HRAs) or other account-based plans.

What Does this Mean for a Typical Employer?

Employers who sponsor ERISA group health plans are responsible for meeting the gag clause prohibition and annual attestation requirements. However, like many other CAA requirements, employers are permitted to have their insurance carriers, TPAs, or other third parties submit the annual attestations of compliance with the gag clause prohibition on their behalf.

For an employer that sponsors a fully insured plan, the employer will be considered to have met its annual attestation requirement if the employer has a written agreement in place with the carrier (or, at least, written confirmation from the carrier) indicating that the carrier will complete the annual attestation requirement on the employer’s behalf.

For an employer that sponsors a self-funded plan (including a level-funded plan), the employer can enter into an agreement with (or receive written confirmation from) the TPA or another service provider that the TPA/service provider will submit the attestation on the employer’s behalf; however, such an agreement will not fully relieve the employer/plan from liability for meeting the requirement (although it is possible that it could provide contractual recourse against the TPA or other service provider to the extent they fail to meet the requirement).

About Maynard Nexsen

Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies. 
