Group Health Plan Gag Clause Attestation 2024 Submission Reference Guide

Written by National Employee Benefits Practice | Jul 16, 2024 1:02:54 PM

Summary: On May 24, 2024, the Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (collectively, the Departments) released updated Gag Clause Prohibition Compliance Attestation submission instructions detailing the requirements for health plans to submit annual gag clause prohibition compliance attestations (GCPCAs) to the Departments for 2024.

Employers are advised to start preparing to submit the GCPCA for 2024, which is due by December 31, 2024.

This article serves as a reference guide, with detailed instructions and Centers for Medicare & Medicaid Services (CMS) user manual screenshots, for employers sponsoring group health plans who are required to submit GCPCAs directly to the Departments rather than relying on their carrier, third-party administrator (TPA), or other plan service provider to submit on their behalf.

Read on for more information.

CAA Gag Clause Prohibition Background

The Consolidated Appropriations Act of 2021 (CAA), enacted by Congress on December 27, 2020, includes a provision prohibiting health plans (and health insurance carriers) from entering into agreements with health care providers and/or networks, third-party administrators (TPAs), or other plan service providers that include language constituting gag clauses. The Departments state that gag clauses, for these purposes, are contractual terms that directly or indirectly restrict specific data and information a plan can make available to another party. In this context, gag clauses contain language that directly or indirectly restricts a plan from:

  1. Disclosing provider-specific cost or quality of care information, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, plan participants, and other individuals eligible to enroll in the plan.
  2. Upon request, obtaining electronic access to de-identified claims and encounter data for each plan participant (pursuant to applicable privacy regulations), including:
    • Claim-related financial information, such as allowed amount
    • Provider information, such as name and clinical designation
    • Service codes
    • Any other data element included in claim or encounter transactions
  3. Sharing information or data outlined in (1) and (2) above with a business associate of the plan, in accordance with applicable privacy regulations.

CAA Gag Clause Prohibition Examples

Example 1: A contract between a TPA and a group health plan states the plan will pay providers at certain designated rates, which the TPA considers to be confidential or proprietary and includes language in the contract prohibiting the plan from disclosing those rates to plan participants. This provision prohibiting disclosure would be considered a prohibited gag clause under the CAA.

Example 2: A contract between a TPA and a group health plan provides that the plan sponsor’s access to provider-specific cost and quality of care information is only at the discretion of the TPA. This provision would be considered a prohibited gag clause under the CAA.

Although health care providers and/or networks, TPAs, and other plan service providers may impose reasonable restrictions on the public disclosure of this information, plans must ensure that their agreements with these providers do not contain language in violation of the CAA’s prohibition on gag clauses.

The intention of these gag clause prohibitions, like other CAA health plan provisions, is to increase and enhance health plan cost transparency. See prior Risk Strategies articles detailing other recent plan cost transparency provisions here, here, and here.

Covered Health Plans

As a reminder, the chart below details which health plans are subject to the annual GCPCA requirement:

| Type of Plan | Required to submit annual GCPCA? (Yes/No) |
| --- | --- |
| ERISA Group Health Plan[1], including fully insured plans, self-funded plans, and Multiple Employer Welfare Arrangements (MEWAs)[2] | Yes |
| Non-federal governmental plans[3] | Yes |
| Church plans | Yes |
| Individual health coverage plans (student health plans, association plans) | Yes |
| Tribal health plans that qualify as ERISA plans or state or local government plans[4] | Yes |
| Excepted benefit plans, including: hospital indemnity or other fixed indemnity insurance; disease-specific insurance; stand-alone dental, vision, and long-term care plans; employer on-site health clinics; accident-only, disability, and workers’ compensation plans | No |
| Retiree-only group health plans | No |
| Short-term, limited duration insurance policies | No |
| Health Reimbursement Arrangements (HRAs) and other account-based plans, including individual coverage HRAs (ICHRAs) | No |
| Medicare and Medicaid plans | No |
| Children’s Health Insurance Program (CHIP) plans | No |
| TRICARE and Indian Health Service program plans | No |

Annual GCPCA

Health plans are required to submit a GCPCA on an annual basis confirming their compliance with this gag clause prohibition requirement, as confirmed by the February 2023 Departments FAQs guidance.

The first GCPCA, covering the period from December 27, 2020 through the end of 2023, was due by December 31, 2023.

After December 31, 2023, GCPCAs are due by December 31 of each year, covering the period since the last preceding GCPCA.

The Departments created a dedicated website (accessed here) detailing the GCPCA process with helpful resources for health plans, insurance carriers, and other service providers, including links to the attestation submission site, a user manual, and submission instructions.

Noteworthy Changes for 2024

The updated GCPCA submission instructions contain several noteworthy changes for 2024, highlighted below:

  1. The term “Reporting Entity” has been changed to “Responsible Entity,” but the definition remains the same (see below):

    Definition of “Responsible Entity” (previously “Reporting Entity”): A Responsible Entity is a plan or issuer that is subject to Code section 9824, ERISA section 724, and/or PHS Act section 2799A-9, as applicable, and has directly or indirectly—generally through a third-party administrator (TPA) or another vendor, such as a Pharmacy Benefit Manager (PBM), Independent Practice Association (IPA), or Behavioral Health Manager (BHM)—entered into an agreement(s) with health care providers, a network or association of providers, TPAs, or other service providers offering access to a network of providers.

    The Responsible Entity is responsible for ensuring it annually attests, or that another party (such as its TPA or vendor) attests on its behalf, and that the Responsible Entity complies with the prohibition on gag clauses.

  2. Clarification between “Attestation Period” and “Attestation Year”:

    The “Attestation Period” generally begins as of the day immediately following the date of the prior attestation and extends to the date of the current attestation.

    The “Attestation Year” is the year in which the GCPCA is submitted and covers the “Attestation Period.”

    The webform now reflects the “Attestation Period” field.

    Example: For a GCPCA submitted on October 10, 2024, a Responsible Entity that submitted its GCPCA for the prior Attestation Year on November 30, 2023, would have an Attestation Period of December 1, 2023, to October 10, 2024, and an Attestation Year of 2024.

  3. More group health plan categories: In Step 1 (identifying the type of entity that the Submitter works for), the categories are now expanded to include three different types of group health plans:
    • ERISA group health plan (GHP) or sponsor of ERISA plan, including a plan sponsored or established by a union
    • Non-federal governmental group health plan
    • Church plan
  4. Clarification of labels in webform and template regarding the types of provider agreements listed below (Step 3):
    • Medical network
    • Pharmacy benefit manager network
    • Behavioral health network
    • Other
  5. Single group health plan with more than one plan option: An employer that sponsors a single group health plan offering more than one plan option within the group health plan (such as an HMO and a PPO) is a single plan/Responsible Party required to submit a single GCPCA, even if one or more plan options are fully insured and the others are self-funded.

GCPCA Submission Process

Generally, employers sponsoring group health plans are advised to rely on their carriers, TPAs, and other plan service providers to comply with these CAA gag clause prohibition rules since employers do not typically enter into agreements directly with health care providers and networks on behalf of their group health plan. Employers should receive written confirmation from their carriers, TPAs, PBMs, and other plan service providers that all current plan-related contracts do not contain prohibited gag clause language.

Fully Insured Plans: Employers with fully insured group health plans may rely on their insurance carriers to submit their GCPCA. The February 2023 FAQs confirm that fully insured plans will be considered in compliance with this requirement when their carriers submit the GCPCA on their behalf. Fully insured plan sponsor employers should receive written confirmation from their carriers that they will submit the GCPCA on the plan’s behalf well in advance of the December 31, 2024 deadline.

Self-Funded Plans: Employers with self-funded group health plans (including level-funded plans) are directly responsible for the GCPCA requirement but may contract with their plan service providers (e.g., TPAs, PBMs, and/or managed behavioral health organizations) to submit the GCPCAs on their behalf via a written agreement. Self-funded plans should be aware that (as with most compliance obligations) if a service provider fails to submit the required GCPCA, the self-funded plan bears the ultimate responsibility for such failures.

Carriers, TPAs, and other plan service providers have already started to contact their group health plan sponsor clients with next steps on completing and submitting GCPCAs to the Departments. Employers are advised to pay close attention to these communications and respond accordingly to ensure timely compliance with these requirements.

However, certain carriers, TPAs, and PBMs have already notified their group health plan sponsor clients (particularly self-funded plan sponsor clients) that they will not be submitting the GCPCAs on their behalf. This means that these group health plans are responsible for directly submitting their GCPCAs to the Departments.

How to Submit the GCPCA Directly

Get started by clicking here to access the GCPCA webform.

Scroll through the CMS user manual screenshots directly below for detailed instructions on how to submit the required GCPCA.

Additional GCPCA Submission Process Notes

  • Most single employer group health plans that are responsible for directly submitting their GCPCAs to the Departments are considered a single “Responsible Entity” and are only required to complete the GCPCA webform as detailed in the CMS user manual screenshots above.
  • The downloadable GCPCA Responsible Entity Excel template is required only for attestations on behalf of more than one Responsible Entity (multiple Responsible Entities), which generally applies to carriers, TPAs, and other plan service providers (rather than single employer group health plans).
    • The GCPCA instructions and CMS user manual provide detailed information for those multiple Responsible Entities that are required to populate and upload the Excel template with their GCPCA webform.

Employer Next Steps

Although the GCPCA is due by December 31, 2024, those plan sponsors who must submit their GCPCA directly to the Departments can be proactive and complete the GCPCA webform now to ensure compliance with this requirement well in advance of the year-end deadline.

Don’t forget – plans that do not submit their annual GCPCAs by the December 31, 2024 deadline are at risk of enforcement action by the Departments.

Risk Strategies is here to help. Contact your Risk Strategies team members with any questions or contact us directly at benefits@risk-strategies.com.

 

[1] Including grandfathered and grandmothered group health plans.

[2] The revised 2024 instructions provide details on who is the Responsible Entity for MEWAs.

[3] Including plans sponsored by states, counties, school districts, and municipalities.

[4] New in the 2024 GCPCA submission instructions.