Skip to main content

What Is the New Gag Clause Prohibition Compliance Attestation
and How Does Our Plan Comply?

Client Alert Applies To: Self-Funded, Fully-Funded, Large Group, and Small Group

As you may have heard, there is a new reporting requirement for group health plans relating to the prohibition against gag clauses in health plan agreements added by the Consolidated Appropriations Act, 2021 (CAA). While generally insurance carriers will make the attestation on behalf of fully insured plans, self-funded plan sponsors are responsible for making this attestation and will need to either ensure their plan third party administrator (TPA) is making the attestation on the plan’s behalf or make it themselves.

Under the CAA, group health plans are prohibited from entering into any agreement with a provider, network of providers, or entity offering access to a network of providers that includes any contractual term directly or indirectly restricting the plan’s ability to make specific data and information available to another party (a “gag clause”). Specifically, this includes restrictions on disclosing provider-specific cost or quality-of-care information, restrictions on electronic access to de-identified participant and beneficiary claim information (consistent with applicable privacy protections), and restrictions on sharing these types of data or information. Examples of gag clauses include a provision in a TPA agreement that restricts disclosure of provider rates because they are considered proprietary, or one that only allows access to provider-specific cost and quality-of-care information at the TPA’s discretion. Beginning in late 2023, plans must annually attest to their compliance with the gag clause prohibition.

The attestation is made by submitting a Gag Clause Prohibition Compliance Attestation (GCPCA) through CMS’s Health Insurance Oversight System (HIOS). Information to be reported includes the reporting entity’s name and EIN, plan number (for ERISA plans), type of reporting entity, contact information, and information about the type of provider agreement to which the attestation relates. An agency webpage provides detailed instructions, a user manual, and a reporting template.

The requirement to make the attestation applies to insurers and group health plans, including ERISA plans, non-federal governmental plans, and church plans subject to the Code, regardless of grandfathered or grandmothered status. Plans providing solely excepted benefits, health reimbursement arrangements (HRAs), and other account-based plans need not submit attestations. As noted above, this obligation also applies to insurance carriers, and if the insurance carrier submits the GCPCA on behalf of the fully insured plan, the plan is considered compliant. However, sponsors of fully insured plans should confirm that the insurance carrier is in fact making a submission. As was common with prescription drug disclosure, Moreton & Company expects that insurance carriers will inform fully insured plan sponsors whether the carrier will make the GCPCA on behalf of the fully insured plan.

Self-insured plans may enter into an agreement with a service provider (i.e., the plan TPA) to make the submission, but the legal requirement remains with the plan. An insurer that provides administrative services to self-insured plans may submit a single attestation covering the insurer, its fully insured plans, and its self-insured plan clients; the agencies recommend coordination to avoid duplication. Sponsors of self-funded plans should check with the plan’s TPA regarding the GCPCA, and if the TPA will make the attestation, enter into a written agreement confirming the same.

The first GCPCA, covering the period from December 27, 2020 (or, if later, the plan’s effective date) through the date of attestation, is due no later than December 31, 2023. Subsequent attestations are due each December 31. Failure to make the GCPCA may result in agency enforcement action. Fully insured and Self-funded plans should talk with their carrier/ TPA now regarding the GCPCA and whether the TPA or the plan sponsor (i.e., the employer) will be responsible for making the attestation. Additional information regarding the attestation process can be found here:

Please visit for more information and to view other client alerts. This Client Alert was written by Carolyn Cox, who provides our clients with compliance services. For additional questions, please contact Carolyn at 801-715-7110 or [email protected].
© 2023 by Moreton & Company. This Client Alert is intended to alert recipients to recent legal developments. It does not constitute the rendering of legal advice or recommendations and is provided for your general information only. If you need legal advice upon which you can rely, you must seek an opinion from your attorney.