Summary: The Departments of Health and Human Services, Labor and the Treasury (collectively, “the Departments”) published frequently asked questions (FAQs) on January 14, 2025, providing clarity and guidance with respect to the No Surprises Act (NSA) and the gag clause prohibition, both included in recent federal transparency requirements. This article will focus on the key provisions of the FAQs applicable to the gag clause prohibition compliance attestation (GCPCA) requirement, of notable interest to group health plans sponsored by employers.
Read on for more information.
With respect to the NSA provisions of the FAQs, some are very technical and operational in nature, particularly in connection with the federal Independent Dispute Resolution (IDR) process and timeframes. Those provisions primarily impact health plan insurance carriers, third-party administrators (TPAs) acting on behalf of group health plans, as well as healthcare providers and facilities, who are all the direct parties to the IDR process itself, rather than employers and covered plan participants. For this reason, those FAQs will not be discussed in this article.
The Consolidated Appropriations Act of 2021 (CAA), enacted into law on December 27, 2020, includes a provision prohibiting health plans (and health insurance carriers) from entering into agreements with healthcare providers and/or networks, TPAs, or other plan service providers that include language constituting gag clauses. The Departments state that gag clauses, for these purposes, are contractual terms that directly or indirectly restrict specific data and information a plan can make available to another party. In this context, gag clauses contain language that directly or indirectly restricts a plan from:
Although healthcare providers and/or networks, TPAs, and other plan service providers may impose reasonable restrictions on the public disclosure of this information, plans must ensure that their agreements with these providers do not contain language in violation of the CAA gag clause prohibition.
The intention of the CAA gag clause prohibition, like other CAA health plan provisions, is to increase and enhance healthcare price transparency. See prior Risk Strategies articles detailing other CAA-related plan cost transparency regulations here, here, and here.
As a reminder, the chart below outlines which health plans are subject to the annual GCPCA requirement:
|
Type of Plan |
Required to submit annual GCPCA? (Yes/No) |
|---|---|
|
ERISA Group Health Plan [1] including
|
Yes |
|
Non-federal governmental plans [2] |
Yes |
|
Church plans |
Yes |
|
Individual health coverage plans
|
Yes |
|
Tribal health plans that qualify as ERISA plans or state or local government plans |
Yes |
|
Excepted benefit plans, including:
|
No |
|
Retiree-only group health plans |
No |
|
Short-term, limited duration insurance policies |
No |
|
Health Reimbursement Arrangements (HRAs) and other account-based plans, including individual coverage HRAs (ICHRAs) |
No |
|
Medicare and Medicaid plans |
No |
|
Children’s Health Insurance Program (CHIP) plans |
No |
|
TRICARE and Indian Health Service program plans |
No |
Health plans are required to submit a GCPCA on an annual basis confirming their compliance with this gag clause prohibition requirement, as confirmed by the February 2023 Departments FAQs guidance.
The first GCPCA, covering the period from December 27, 2020, through the end of 2023, was due by December 31, 2023.
After December 31, 2023, GCPCAs are due by December 31 of each year, covering the period since the last preceding GCPCA. The next GCPCA deadline is December 31, 2025.
For your ready reference, click here for the Risk Strategies Group Health Plan Gag Clause Attestation 2024 Submission Reference Guide with detailed instructions on the 2024 GCPCA submission.
The Departments’ FAQs provide the following clarifying guidance for health plans regarding the CAA gag clause prohibition generally and the GCPCA requirement in particular.
A health plan’s TPA and/or other service provider may have separate agreements (referred to as “downstream agreements”) with other entities to provide or administer the plan’s network. If such downstream agreements restrict the health plan from providing, accessing or sharing the relevant information or data, the FAQs clarify that this restriction is considered a prohibited gag clause, even if the plan is not a party to the agreement.
To comply with the gag clause prohibition, the Departments expect that health plans will include provisions in their direct contracts with TPAs or other service providers that prohibit them from entering into a downstream agreement that restricts the plan from accessing or sharing relevant information or data.
Example: The terms of an agreement between a TPA and the owner of a provider network restrict the TPA from sharing the relevant information with a health plan, except under certain conditions, which have the effect of restricting a health plan from providing cost information to a business associate. The FAQs confirm these terms would indirectly restrict the plan even if the plan itself is not a party to the agreement with the provider network owner
As a result, the plan would be in violation of the gag clause prohibition.
To comply with the gag clause prohibition, health plans are prohibited from entering into an agreement with a TPA or other service provider that restricts the plan from providing de-identified claims data [3] to a business associate (in accordance with applicable privacy rules), except at the discretion of the TPA or other service provider.
Example: An agreement that permits the health plan to share de-identified claims data with a business associate only at the discretion of a healthcare provider, network or association of providers, TPA, or other service provider offering access to a network, is considered to contain a prohibited gag clause.
The CAA gag clause prohibition prohibits a plan from entering into such agreement because the agreement could have the effect of restricting the plan from providing de-identified claims data to a business associate.
The FAQs clarify that a limitation on the scope, scale, or frequency of electronic access to de-identified claims and encounter information or data is considered to be a restriction on de-identified claims and encounter information or data that is prohibited by the gag clause prohibition, to the extent the provision places unreasonable limits on the ability of plans to access such information or data upon request.
The following examples are provided in the FAQs as a non-exhaustive list of restrictions on an audit or claims review that would be considered prohibited gag clauses:
Limiting access to a statistically significant or the "minimum necessary" number of de-identified claims.
Limiting the scope of access to the data to specific, narrow purposes (such as limiting access to the context of an audit).
Unreasonably limiting the frequency of claims reviews (e.g., no more than once per year).
Limiting the number and types of de-identified claims that a plan or issuer may access.
Restricting the data elements of a de-identified claim that a plan or issuer may access; and
Providing access to de-identified claims data only on the TPA's or service provider's physical premises.
Even if a health plan is aware of a prohibited gag clause contained in their agreement with the plan’s carrier, TPA, or other service provider, they are still required to submit the annual GCPCA.
Plans must identify the noncompliant provision as part of their annual GCPCA, using the text box labeled “Additional Information” in Step 3 of the GCPCA online system for this purpose. Click here for the GCPCA user manual, updated in January 2025.
Such additional information should include the following information [4]:
Any prohibited gag clauses that a service provider has refused to remove.
The name of the TPA or service provider with which the plan has the agreement containing the prohibited gag clause.
Conduct by the service provider that shows the service provider interprets the agreement to contain a prohibited gag clause.
Information on the plan’s request that the prohibited gag clause be removed from such agreement; and
Any other steps the plan has taken to come into compliance with the provision.
Even if a health plan submits this additional information, the provision in question could still be considered a prohibited gag clause and may be subject to enforcement action by the Departments. However, the FAQs confirm that the Departments will take into account good-faith efforts by a health plan to self-report a prohibited gag clause in any such enforcement action.
This “good faith efforts” language included in the FAQs arguably provides some measure of comfort to health plans that are left with no choice but to self-report prohibited gag clauses in their annual GCPCA.
Generally, employers sponsoring group health plans are advised to rely on their carriers, TPAs, and other plan service providers to comply with the CAA gag clause prohibition regulations since employers do not typically enter into agreements directly with healthcare providers and networks on behalf of their group health plan.
Employer plan sponsors are generally advised to receive written confirmation from their applicable plan carriers, TPAs, pharmacy benefit managers (PBMs), and other plan service providers that all current plan-related contracts, including any applicable downstream agreements, with healthcare providers do not contain any prohibited gag clauses.
If a plan service provider will not remove a prohibited gag clause provision in the contract upon a plan sponsor’s request, the plan sponsor still must complete and submit the GCPCA, and self-report any prohibited gag clause provisions.
As a reminder, see below for general compliance steps with the GCPCA requirement:
Fully Insured Plans: Employers with fully insured group health plans may rely on their insurance carriers to submit their GCPCA as fully insured plans will be considered in compliance with this requirement when their carriers submit the GCPCA on their behalf [5].
Fully insured plan sponsor employers should receive written confirmation from their carriers that:
They will submit the GCPCA on the plan’s behalf well in advance of the December 31, 2025, deadline, and
Their contracts with network providers and other service providers, including any applicable downstream agreements, do not contain any prohibited gag clause provisions.
Self-Funded Plans (including Level-Funded Plans): Employers with self-funded group health plans (including level-funded plans) are directly responsible for the GCPCA requirement but may contract with their plan service providers (e.g., TPAs, PBMs, and/or managed behavioral health organizations) to submit the GCPCAs on their behalf via a written agreement. Self-funded plan sponsor employers should be aware (as with most compliance obligations) that if a service provider fails to submit the required GCPCA, the self-funded plan bears the ultimate responsibility for such failures.
Additionally, self-funded plans should work closely with their plan advisors and benefits counsel in closely reviewing claims audit/review provisions (and referencing the specific examples detailed above here) contained in the agreements and contracts with their TPA, PBMs, and other service providers. Plan sponsors should attempt to remove any problematic or questionable language from these agreements in light of this FAQs guidance.
Finally, it’s worth mentioning that this FAQs guidance was released on January 14, 2025, under the prior Presidential administration. As such, it is unclear if the Departments under the current administration will adhere to, and enforce, this most recent guidance with respect to the CAA gag clause prohibition. That being said, the CAA was enacted under the first Trump administration, and a recent Executive Order reaffirmed this administration’s commitment to healthcare price transparency, generally.
At this point, and in the absence of any current indication to the contrary, employer plan sponsors are advised to review this guidance for compliance efforts in advance of the GCPCA deadline of December 31, 2025.
Risk Strategies is closely following developments in this space and will provide updates when available.
Contact your Risk Strategies account team with any questions or contact us directly here.
Footnotes: