Summary: On May 24, 2024, the Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (collectively, the Departments) released updated Gag Clause Prohibition Compliance Attestation submission instructions detailing the requirements for health plans to submit annual gag clause prohibition compliance attestations (GCPCAs) to the Departments for 2024.
Employers are advised to start preparing to submit this GCPCA for 2024, the deadline of which is December 31, 2024.
This article serves as a reference guide with detailed instructions and the Centers for Medicare & Medicaid Services (CMS) user manual screenshots for those employers sponsoring group health plans who are required to submit GCPCAs directly to the Departments, rather than relying on their carrier/third-party administrator (TPA), or other plan service provider to submit on their behalf.
Read on for more information.
CAA Gag Clause Prohibition Background
The Consolidated Appropriations Act of 2021 (CAA), enacted by Congress on December 27, 2020, includes a provision prohibiting health plans (and health insurance carriers) from entering into agreements with health care providers and/or networks, third-party administrators (TPAs), or other plan service providers that include language constituting gag clauses. The Departments state that gag clauses, for these purposes, are contractual terms that directly or indirectly restrict specific data and information a plan can make available to another party. In this context, gag clauses contain language that directly or indirectly restricts a plan from:
- Disclosing provider-specific cost or quality of care information, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, plan participants, and other individuals eligible to enroll in the plan.
- Upon request, obtaining electronic access to de-identified claims and encounter data for each plan participant (pursuant to applicable privacy regulations), including:
- Claim-related financial information, such as allowed amount
- Provider information, such as name and clinical designation
- Service codes
- Any other data element included in claim or encounter transactions
- Sharing information or data outlined in (1) and (2) above with a business associate of the plan, in accordance with applicable privacy regulations.
CAA Gag Clause Prohibition Examples |
Example 1: A contract between a TPA and a group health plan states the plan will pay providers at certain designated rates, which the TPA considers to be confidential or proprietary and includes language in the contract prohibiting the plan from disclosing those rates to plan participants. This provision prohibiting disclosure would be considered a prohibited gag clause under the CAA. Example 2: A contract between a TPA and a group health plan provides that the plan sponsor’s access to provider-specific cost and quality of care information is only at the discretion of the TPA. This provision would be considered a prohibited gag clause under the CAA. |
Although health care providers and/or networks, TPAs, and other plan service providers may impose reasonable restrictions on the public disclosure of this information, plans must ensure that their agreements with these providers do not contain language in violation of the CAA’s prohibition on gag clauses.
The intention of these gag clause prohibitions, like other CAA health plan provisions, is to increase and enhance health plan cost transparency. See prior Risk Strategies articles detailing other recent plan cost transparency provisions here, here, and here.
Covered Health Plans
As a reminder, the chart below details which health plans are subject to the annual GCPCA requirement:
Type of Plan |
Required to submit annual GCPCA? (Yes/No) |
ERISA Group Health Plan[1] including
|
Yes |
Non-federal governmental plans[3] |
Yes |
Church plans |
Yes |
Individual health coverage plans
|
Yes |
Tribal health plans that qualify as ERISA plans or state or local government plans[4] |
Yes |
Excepted benefit plans, including:
|
No |
Retiree-only group health plans |
No |
Short-term, limited duration insurance policies |
No |
Health Reimbursement Arrangements (HRAs) and other account-based plans, including individual coverage HRAs (ICHRAs) |
No |
Medicare and Medicaid plans |
No |
Children’s Health Insurance Program (CHIP) plans |
No |
TRICARE and Indian Health Service program plans |
No |
Annual GCPCA
Health plans are required to submit a GCPCA on an annual basis confirming their compliance with this gag clause prohibition requirement, as confirmed by the February 2023 Departments FAQs guidance.
The first GCPCA, covering the period from December 27, 2020 through the end of 2023, was due by December 31, 2023.
After December 31, 2023, GCPCAs are due by December 31 of each year, covering the period since the last preceding GCPCA.
The Departments created a dedicated website (accessed here) detailing the GCPCA process with helpful resources for health plans, insurance carriers, and other service providers, including links to the attestation submission site, a user manual, and submission instructions.
Noteworthy Changes for 2024
The updated GCPCA submission instructions contain several noteworthy changes for 2024, highlighted below:
- The term “Reporting Entity” is now changed to “Responsible Entity” but the definition remains the same (see below):
Definition of “Responsible Entity” (previously “Reporting Entity”): A Responsible Entity is a plan or issuer that is subject to Code section 9824, ERISA section 724, and/or PHS Act section 2799A-9, as applicable, and has directly or indirectly—generally through a third-party administrator (TPA) or another vendor, such as a Pharmacy Benefit Manager (PBM), Independent Practice Association (IPA), or Behavioral Health Manager (BHM)—entered into an agreement(s) with health care providers, a network or association of providers, TPAs, or other service providers offering access to a network of providers.
The Responsible Entity is responsible for ensuring it annually attests, or that another party (such as its TPA or vendor) attests on its behalf, and that the Responsible Entity complies with the prohibition on gag clauses.
- Clarification between “Attestation Period” and “Attestation Year”:
The “Attestation Period” generally begins as of the day immediately following the date of the prior attestation and extends to the date of the current attestation.
The “Attestation Year” is the year in which the GCPCA is submitted and covers the “Attestation Period.”
The webform now reflects the “Attestation Period” field.
Example: For a GCPCA submitted on October 10, 2024, a Responsible Entity that submitted its GCPCA for the prior Attestation Year on November 30, 2023, would have an Attestation Period of December 1, 2023, to October 10, 2024, and an Attestation Year of 2024.
- More group health plan categories: In Step 1 (identifying the type of entity that the Submitter works for), the categories are now expanded to include three different types of group health plans:
- ERISA group health plan (GHP) or sponsor of ERISA plan, including a plan sponsored or established by a union
- Non-federal governmental group health plan
- Church plan
- Clarification of labels in webform and template regarding the types of provider agreements listed below (Step 3):
- Medical network
- Pharmacy benefit manager network
- Behavioral health network
- Other
- Single group health with more than one plan option: An employer that sponsors a single group health plan offering more than one plan option within the group health plan (such as an HMO and a PPO) is a single plan/Responsible Party required to submit a single GCPCA, even if one or more plan options are fully insured and the others are self-funded.
GCPCA Submission Process
Generally, employers sponsoring group health plans are advised to rely on their carriers, TPAs, and other plan service providers to comply with these CAA gag clause prohibition rules since employers do not typically enter into agreements directly with health care providers and networks on behalf of their group health plan. Employers should receive written confirmation from their carriers, TPAs, PBMs, and other plan service providers that all current plan-related contracts do not contain prohibited gag clause language.
Fully Insured Plans: Employers with fully insured group health plans may rely on their insurance carriers to submit their GCPCA. The February 2023 FAQs confirm that fully insured plans will be considered in compliance with this requirement when their carriers submit the GCPCA on their behalf. Fully insured plan sponsor employers should receive written confirmation from their carriers that they will submit the GCPCA on the plan’s behalf well in advance of the December 31, 2024 deadline.
Self-Funded Plans: Employers with self-funded group health plans (including level-funded plans) are directly responsible for the GCPCA requirement but may contract with their plan service providers (e.g., TPAs, PBMs, and/or managed behavioral health organizations) to submit the GCPCAs on their behalf via a written agreement. Self-funded plans should be aware that (as with most compliance obligations) if a service provider fails to submit the required GCPCA, the self-funded plan bears the ultimate responsibility for such failures.
Carriers, TPAs, and other plan service providers have already started to contact their group health plan sponsor clients with next steps on completing and submitting GCPCAs to the Departments. Employers are advised to pay close attention to these communications and respond accordingly to ensure timely compliance with these requirements.
However, certain carriers, TPAs, and PBMs have already notified their group health plan sponsor clients (particularly self-funded plan sponsor clients) that they will not be submitting the GCPCAs on their behalf. This means that these group health plans are responsible for directly submitting their GCPCAs to the Departments.
How to Submit the GCPCA Directly
Get started by clicking here to access the GCPCA webform.
Scroll through the CMS user manual screenshots directly below for detailed instructions on how to submit the required GCPCA.
Click the left and right arrows to navigate through the screenshots
Additional GCPCA Submission Process Notes
- Most single employer group health plans that are responsible for directly submitting their GCPCAs to the Departments are considered a single “Responsible Entity” and are only required to complete the GCPCA webform as detailed in the CMS user manual screenshots above.
- The downloadable GCPCA Responsible Entity Excel template is required only for attestations on behalf of more than one Responsible Entity (multiple Responsible Entities), which generally applies to carriers, TPAs, and other plan service providers (rather than single employer group health plans).
- The GCPCA instructions and CMS user manual provide detailed information for those multiple Responsible Entities that are required to populate and upload the Excel template with their GCPCA webform.
Employer Next Steps
Although the GCPCA is due by December 31, 2024, those plan sponsors who must submit their GCPCA directly to the Departments can be proactive and complete the GCPCA webform now to ensure compliance with this requirement well in advance of the year-end deadline.
Don’t forget – plans that do not submit their annual GCPCAs by the December 31, 2024 deadline are at risk of enforcement action by the Departments.
Risk Strategies is here to help. Contact your Risk Strategies team members with any questions or contact us directly at benefits@risk-strategies.com.
[1] Including grandfathered and grandmothered group health plans.
[2] The revised 2024 instructions provide details on who is the Responsible Entity for MEWAs.
[3] Including plans sponsored by states, counties, school districts, and municipalities.
[4] New in the 2024 GCPCA submission instructions.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.