Tri-Agency FAQ Provides Updated Guidance Regarding Compliance with the Gag Clause Prohibition

PDF

02.10.2025

On January 14, 2024, the Departments of Labor, Health and Human Services, and the Office of Personnel Management (the “Departments”) jointly released the FAQs About Consolidated Appropriations Act, 2021 Implementation Part 69 (the “FAQs”). The FAQs provide valuable guidance with respect to compliance with the gag clause prohibition.

Background

The gag clause prohibition, introduced under the Consolidated Appropriations Act of 2021 (the “CAA”), is designed to eliminate contractual barriers that inhibit transparency within the health care and insurance industries. Specifically, group health plans and health insurance issuers are prohibited from entering into agreements with health care providers, third-party administrators (TPAs), or other service providers that restrict the plan or issuer from:

(1) providing provider-specific cost or quality of care information or data, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage;

(2) electronically accessing de-identified claims and encounter information or data for each participant, beneficiary, or enrollee in the plan or coverage consistent with applicable privacy regulations, upon request; or

(3) sharing such information or data described in (1) and (2), or directing such data be shared, with a business associate consistent with applicable privacy regulations.

In addition to these restrictions, plans and insurers are required to submit an annual Gag Clause Prohibition Compliance Attestation (“GCPCA”) to the Departments by December 31 of each year, affirming their compliance with these provisions.

The FAQs

The FAQs provide much-needed clarity on several aspects of the gag clause prohibition, particularly regarding its application to complex contractual relationships and data access protocols.

1. Application to Downstream Contracts.

First, the FAQs make clear that, if a plan contracts with a TPA that in turn contracts with provider/network entities, the TPA’s contracts with those downstream entities are also subject to the gag clause prohibition and may not from contain clauses restricting disclosure. The Departments view such arrangements as indirect restrictions that violate the gag clause prohibition.

2. Provider Discretion Over De-Identified Data.

Second, the FAQs provide that an agreement contains a prohibited gag clause if it allows disclosure of de-identified data based on the discretion of a provider or TPA.

3. Restrictions on Data Access.

Third, the FAQs provide that a limitation on the scope, scale, or frequency of electronic access to de-identified claims and encounter information or data is considered a prohibited gag clause.

4. Attestation Despite Non-Compliance

Finally, the FAQs clarify that if a plan is unable to remove a provision that violates the gag clause prohibition, it must still submit the GCPCA. This requirement applies not only to direct agreements between the plan and issuer but also to downstream agreements between a provider and another entity. Upon identifying a non-compliant provision, the plan should attest to the non-compliance and provide details about the prohibited gag clause in the “Additional Information” section of the attestation.

Employer Takeaways

The updated guidance provided in the FAQs has important compliance implications for employers and plan sponsors. To ensure adherence to the gag clause prohibition and mitigate risk, employers should take the following steps:

1. Review and Update Contracts

Employers should conduct a thorough review of all contracts with TPAs, network providers, and other service vendors. Special attention should be given to identifying and removing any prohibited gag clauses, including those in downstream agreements between TPAs and providers or network entities.

2. Ensure Unrestricted Data Access

Employers should confirm that providers and TPAs are not imposing any limitations on the scope, scale, or frequency of electronic access to de-identified claims and encounter data. Any contractual language that allows providers discretion over data disclosure or restricts data sharing with business associates should be amended to align with the gag clause prohibition.

3. Prepare for the GCPCA Submission

Employers and plan sponsors must submit the GCPCA to the Departments by December 31 of each year. Even if prohibited gag clauses are identified and cannot be immediately removed, the attestation must still be submitted. In such cases, plans should indicate non-compliance and provide details on the prohibited clauses and efforts being made to address them in the “Additional Information” section of the attestation.

4. Implement Ongoing Compliance Monitoring

Given the evolving regulatory landscape, employers should establish regular compliance checks and contract audits. This will help ensure that gag clause prohibition requirements are continuously met and that new agreements do not inadvertently introduce prohibited provisions.