Sarah Borders, CEBS February 27, 2023 15 min read

Attestations for Gag Clause Prohibition Compliance Due December 31, 2023

On February 23, 2023, The Departments issued joint FAQ guidance related to compliance with the prohibition of “gag clauses” as required under the Consolidated Appropriations Act of 2021 (CAA). Specifically, the latest guidance requires plans and issuers to submit a compliance attestation no later than December 31, 2023, and then each year thereafter by December 31st.
What is a gag clause and what is prohibited?
The CAA prohibits group health plans and insurance carriers from entering into agreements with providers, TPAs, or other service providers whose agreements include language that would constitute a “gag clause,” specifically:

  • Restrictions on the disclosure of provider-specific cost or quality of care information or data to referring providers, the employer plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage;
  • Restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with the privacy regulations promulgated pursuant to section 246(c) of HIPAA, GINA, and the ADA; and
  • Restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a business associate, as defined in 45 CFR 160.103, consistent with applicable privacy regulations.

For example, if a contract between a TPA and a group health plan states that the plan will pay providers at rates designated as “Point of Service Rates,” but the TPA considers those rates to be proprietary and therefore includes language in the contract stating that the plan may not disclose the rates to participants, that language prohibiting disclosure would be considered a prohibited gag clause (would not be allowed).
As another example, if a contract between a TPA and a plan says that the employer’s access to provider-specific cost and quality of care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause.
Self-insured employer plan sponsors and fully-insured carriers must ensure that their agreements with health care providers, networks or associations of providers, or other service providers offering access to a network of providers do not contain these or other provisions that violate the prohibition on gag clauses. However, a health care provider, network or association of providers, or other service provider may place reasonable restrictions on the public disclosure of this information.
What attestation is required?
In addition to ensuring agreements do not contain such gag clauses, ALL plans and issuers are required to submit a Gag Clause Prohibition Compliance Attestation (GCPCA) directly to CMS online here no later than December 31, 2023, and each year thereafter.
Will the carrier or TPA submit the GCPCA on the employer’s behalf?
Since these rules were just issued, carriers, service providers, and TPAs will need time to review the instructions and understand how this will fit into their operational capabilities.

  • Fully insured group health plans: the plan sponsor and the insurance carrier are both required to submit the GCPCA each year by December 31st. However, a fully insured plan sponsor may shift liability to the carrier through a written agreement.


  • Self-funded and level-funded plans may satisfy the requirement to provide a GCPCA by entering into a written agreement under which the plan’s service provider(s) (such as a TPA, including an issuer acting as a TPA) will attest on behalf of the employer plan sponsor. However, even if the plan enters into an agreement with the TPA, the legal requirement to provide an attestation rest on the plan sponsor.
Who is exempt?
Generally, plans consisting of only excepted benefits, HRAs, and ICHRAs are not required to attest as these plans do not typically need to enter into agreement with providers. Instead, these arrangements are usually integrated with other medical coverage that is required to submit an attestation (e.g., HRAs integrated with group health plan and ICHRAs with individual medical coverage).
However, all group health plans regardless of size, funding strategy, or grandfathered status must submit the required attestation.
What is the penalty?
The FAQ mentions that plans and issuers who fail to submit their GCPCA by the December 31st deadline may be subject to enforcement action, but no specific penalties are provided.
Next steps for Employers
Many TPA service agreements include provisions requiring compliance with applicable law, which presumably would override any contrary existing provisions. Nonetheless, plan sponsors and advisors will need to review applicable agreements for gag clauses and remove them. In addition, employers sponsoring fully insured, level-funded, or self-insured plans should be in contact with their service providers to understand what level of assistance they will be providing in submitting the GCPCA by December 31, 2023.
Instructions, templates, and other information is provided on the CMS GCPCA website. Please contact your trusted advisors at Hausmann Group if you have additional questions. 

Sarah Borders, CEBS

Principal, Benefits Compliance Solutions. Sarah has spent the last 15 years in the employee benefits industry, has numerous designations and serves on NAHU’s Employer Working Group Subcommittee and is an active board member of Austin AHU. She recently stepped down as Vice President of Benefits Compliance at one of the nation's largest brokerage firms to start her own compliance consulting practice. Her designations include an active license with the Texas Department of Insurance, CEBS (Certified Employee Benefits Specialist), Certified Health Care Reform Professional, HIPAA certification and Health Care Service Associate. She holds an MBA from Texas A&M Corpus Christi and a BA from University of Incarnate Word. Her consulting firm, Benefits Compliance Solutions, partners with employers to identify unknown risks and avoid hundreds of thousands of dollars in fines and lawsuits from failure to comply with their healthplan obligations.