Legal Alert: Updates to the Consolidated Appropriations Act (CAA) from 2021

Don’t Forget About Your Gag Clause Attestations

When the Consolidated Appropriations Act, 2021 (the “CAA”) was enacted on December 27, 2020, it included a provision that prohibits group health plans and health insurance carriers from entering into certain agreements that, either directly or indirectly, restrict the release of certain information related to provider networks and de-identified encounter data, among other things. Such restrictions are commonly referred to as “gag clauses.” The CAA also requires plans and carriers to attest annually that their agreements do not include such impermissible gag clauses.  

The first gag clause attestation was due on December 31, 2023, with the next one coming due by December 31, 2024, which covers the period between the last attestation and the date this year that the attestation is submitted. The attestation was modified somewhat for 2024, including, among other things, a new requirement to include an attestation year (i.e., the year the attestation is submitted), a new requirement to include the attestation period (i.e., the date range for the attestation, which is the period between when the last gag clause attestation was submitted and the current gag clause submission), and a section to include the plan type (ERISA plan, non-federal governmental plan, or church plan).  

Key gag clause attestation requirements and considerations are described below, though more extensive FAQs can be located (along with the instructions, forms, and user manuals for submitting the attestations) on the CMS website.

What is a gag clause?

Under the CAA, a gag clause is defined as:

  • restrictions on the disclosure of provider-specific cost or quality of care information or data to parties such as the plan sponsor, participants, beneficiaries, or referring providers;
  • restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with HIPAA, GINA, and ADA privacy regulations, including, on a per claim basis—
    • Financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;
    • Provider information, including name and clinical designation;
    • Service codes; or
    • Any other data element included in claim or encounter transactions;
  • or restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a business associate.  

The gag clause provisions of the CAA (specifically Code section 9824, ERISA section 724, and PHSA §2799A-9(a)(1)), generally prohibit plans and carriers from entering into agreements with providers, TPAs, or other service providers that include such provisions.  

Where would I typically find a gag clause?

Gag clauses in this context might be found in agreements between a plan or carrier and any of the following parties:

  • a health care provider;
  • a network or association of providers;
  • a third-party administration (“TPA”) or pharmacy benefits manager (“PBM”);
  • or another service provider offering access to a network of providers.  

Thus, a group health plan should confirm that its carrier, TPA and/or PBM agreements do not contain prohibited clauses. These clauses would typically be found in confidentiality or other privacy provisions of the agreements, though it is important for the agreements to be thoroughly reviewed. We would suggest working with your counsel to review the agreement to determine whether it impermissibly restricts access to specific information that would be otherwise covered under the gag clause provisions, or whether there is language that only restricts access to such information in conformity with the gag clause requirements of the CAA or other applicable state or federal law.

To which plans do the gag clause restrictions apply?

All group health plans (excluding FSAs, HRAs or other excepted benefits such as dental or vision) and insurance carriers are subject to these prohibitions. This includes self-funded and fully insured plans and grandfathered plans, as well as non-ERISA plans sponsored by non-federal governmental employers (i.e., state and local governmental employers), and church plans subject to the Internal Revenue Code.  

What is the attestation requirement?

The CAA required group health plans and health insurance carriers to attest annually to the government that they have no “gag clauses” in their contracts. Plans and carriers must complete the GCPCA form electronically using the form provided by the Agencies.  

When is the attestation/GCPCA form due?

The attestation is due on or before December 31, 2024, and covers the period since the last preceding attestation.  

Who is responsible for completing the attestation for our group health plan?

That depends on whether the plan is fully insured or self-funded and your contractual arrangement with the carrier or TPA. While both the carrier and group health plan are required to submit a GCPCA with respect to a fully insured plan, a carrier may submit a GCPCA with respect to a fully insured plan that will satisfy the plan’s obligation. We expect that most carriers will agree to complete the attestation for their fully insured plans. Self-funded plans can contract with their TPA and/or their PBM to complete the attestation on behalf of the plan; however, the plan is ultimately responsible for ensuring the attestation is timely completed. It is important to communicate with your carrier or TPA before the December 31, 2024 deadline to determine who will be completing the attestation on behalf of the plan. We recommend ensuring that responsibility for completing the GCPCA is assigned well before the December 31st deadline so there are no surprises. The Agencies released an instruction manual for the webform to assist with completing the attestation, when ready for filing. Note, entities reporting on behalf of multiple responsible entities are required to also submit an excel spreadsheet.  

Are there penalties if our group health plan does not complete the attestation?

There are no specific penalties outlined in the CAA; however, in the FAQs, the Agencies indicate that failing to submit the attestation by the deadline may subject the plan or carrier to enforcement action. In such cases, it’s possible for the Agencies to assess a penalty of up to $100 per day per affected individual.  

Where can I find more information on gag clauses and completing the attestation?

The FAQs are a good place to start, as well as the HIOS GCPCA User Manual, which explains how to use the GCPCA module within the Health Insurance Oversight System (“HIOS”).  

Next Steps for Employers

In preparation for submitting their attestations, employers should consider the following:

  • If you have a fully insured plan and the carrier is the same carrier as last year, you may want to confirm the same process will be used again this year (e.g., the carrier files the attestation for you or provides you with certification that the plan is in compliance and you submit your own attestation). If it is a new carrier, then you should consult with the carrier to determine whether they will be submitting the attestation for the plan.
  • Similarly, if your plan is self-funded, and you have the same TPA as last year, you may consider confirming that the TPA will use the same process again this year (e.g., the TPA files the attestation for you or provides you with certification that the plan is in compliance and you submit your own attestation). If it is a new TPA, then you should review the TPA contract and/or consult with the TPA to determine whether they will be submitting the attestation for the plan.
  • If you have separate TPAs, such as a TPA for medical and a PBM for prescription drug benefits, then you will want to ensure the process each of the TPAs will use.
  • If your arrangement with your carrier, TPA, or PBM is such that you will be responsible for filing the attestation, ensure you have read all of the instructions for submitting the attestation and that you have completed the registration process. We recommend registering in advance of the filing deadline to be safe.
More Information

For additional information, contact our Employee Benefits team.


This alert was prepared for OneGroup by Barrow Weatherhead Lent LLP, a national law firm with recognized experts on the Affordable Care Act. Contact Stacy Barrow or Nicole Quinn-Gato at [email protected] or [email protected].

The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers, or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency and Barrow Weatherhead Lent LLP are not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions.

© 2024 Barrow Weatherhead Lent LLP. All Rights Reserved.

Please note coverage can not be bound or a claim reported without written acknowledgment from a OneGroup Representative.