Sarah Borders, CEBS July 8, 2024 10 min read

Attestations for Gag Clause Prohibition Compliance Due by December 31, 2024

The Departments issued joint FAQ guidance related to compliance with the prohibition of “gag clauses” as required under the Consolidated Appropriations Act of 2021 (CAA). Specifically, the rules require plans and issuers to submit a compliance attestation no later than December 31, 2024 and then each year thereafter by December 31st.
 Who this applies to:

  • Large employers with fully insured and self-funded health plans
  • Small employers with fully insured and level-funded health plans

Go Deeper:
What is a gag clause and what is prohibited?

The CAA prohibits group health plans and insurance carriers from entering into agreements with providers, TPAs, or other service providers whose agreements include language that would constitute a “gag clause,” specifically:

  1. restrictions on the disclosure of provider-specific cost or quality of care information or data to referring providers, the employer plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage;
  2. restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with the privacy regulations promulgated pursuant to section 246(c) of HIPAA, GINA, and the ADA; and 
  3. restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a business associate, as defined in 45 CFR 160.103, consistent with applicable privacy regulations.

For example, if a contract between a TPA and a group health plan states that the plan will pay providers at rates designated as “Point of Service Rates,” but the TPA considers those rates to be proprietary and therefore includes language in the contract stating that the plan may not disclose the rates to participants, that language prohibiting disclosure would be considered a prohibited gag clause (would not be allowed).
As another example, if a contract between a TPA and a plan says that the employer’s access to provider-specific cost and quality of care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause.
Self-insured employer plan sponsors and fully-insured carriers must ensure that their agreements with health care providers, networks or associations of providers, or other service providers offering access to a network of providers do not contain these or other provisions that violate the prohibition on gag clauses. However, a health care provider, network or association of providers, or other service provider may place reasonable restrictions on the public disclosure of this information.
What attestation is required?
In addition to ensuring agreements do not contain such gag clauses, ALL plans and issuers are required to submit a Gag Clause Prohibition Compliance Attestation (GCPCA) directly to CMS online HERE no later than December 31, 2024 and each year thereafter.
Will the carrier or TPA submit the GCPCA on the employer’s behalf?
Employers and advisors will need to confirm with carriers, service providers and TPAs on what level of assistance will be provided.

  • Fully insured group health plans: the plan sponsor and the insurance carrier are both required to submit the GCPCA each year by December 31st. However, a fully insured plan sponsor may shift liability to the carrier through a written agreement.
  • Self-funded and level-funded plans may satisfy the requirement to provide a GCPCA by entering into a written agreement under which the plan’s service provider(s) (such as a TPA, including an issuer acting as a TPA) will attest on behalf of the employer plan sponsor. However, even if the plan enters into an agreement with the TPA, the legal requirement to remove any gag clauses and provide an attestation rests on the plan sponsor.

Who is exempt?
Generally, plans consisting of only excepted benefits, HRAs and ICHRAs are not required to attest as these plans do not typically need to enter into agreement with providers. Instead, these arrangements are usually integrated with other medical coverage that is required to submit an attestation (e.g., HRAs integrated with group health plan and ICHRAs with individual medical coverage).
However, all group health plans regardless of size, funding strategy or grandfathered status must submit the required attestation.
What is the penalty?
The FAQ mentions that plans and issuers who fail to submit their GCPCA by the December 31st deadline may be subject to enforcement action, but no specific penalties are provided.
What are the changes to the 2024 Attestation Instructions (see Appendix 4.1)?

  1. Selection for the “attestation year.”
  2. Field for the “attestation period.”
  3. Employer plan types expanded to include ERISA plans, non-federal governmental plans, and church plans.
  4. The term “Reporting entity” changed to “Responsible Entity.”
  5. Selections for “Responsible Entity” (i.e., which entity is attesting)
  6. Sections for types of provider agreements
  7. Text box for submitter to enter “Other Limitations”
  8. Modified language to remove forward-looking agreement actions.
  9. Definitions added to the Appendix 4.2
  10. Language added to accommodate date ranges and other information provided through the submission process. 

Next steps for employers
Many TPA service agreements include provisions requiring compliance with applicable law, which presumably would override any contrary existing provisions. Nonetheless, plan sponsors and advisors will need to review applicable agreements for gag clauses and remove them.
In addition, employers sponsoring fully insured, level-funded, or self-insured plans should be in contact with their service providers to understand what level of assistance they will be providing in submitting the GCPCA by December 31, 2024.
Instructions, templates, and other information is provided on the CMS GCPCA website:


Sarah Borders, CEBS

Principal, Benefits Compliance Solutions. Sarah has spent the last 15 years in the employee benefits industry, has numerous designations and serves on NAHU’s Employer Working Group Subcommittee and is an active board member of Austin AHU. She recently stepped down as Vice President of Benefits Compliance at one of the nation's largest brokerage firms to start her own compliance consulting practice. Her designations include an active license with the Texas Department of Insurance, CEBS (Certified Employee Benefits Specialist), Certified Health Care Reform Professional, HIPAA certification and Health Care Service Associate. She holds an MBA from Texas A&M Corpus Christi and a BA from University of Incarnate Word. Her consulting firm, Benefits Compliance Solutions, partners with employers to identify unknown risks and avoid hundreds of thousands of dollars in fines and lawsuits from failure to comply with their healthplan obligations.