A requirement passed by Congress in 2021 becomes effective as of December 31, 2023. The Consolidated Appropriations Act (“CAA”) of 2021 prohibited “gag clauses” in contracts between insurance plans, insurance issuers, and providers. The law provides that a group health plan may not enter into an agreement with a healthcare provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would directly or indirectly restrict a group health plan from: a) providing provider-specific cost or quality of care information or data; b) electronically accessing de-identified claims and encounter certain information or data for each participant or beneficiary in the plan, upon proper request; or c) sharing information contained in a) or b), or directing that such data be shared, with a business associate as defined in the federal regulations. 26 U.S.C. § 9824(a)(1).
As of 2023, group health plans are required to submit a Gag Clause Prohibition Compliance Attestation (“GCPCA”) through the Centers for Medicare & Medicaid Services’ (“CMS”) Health Insurance Oversight System (“HIOS”), to attest that they have complied with the prohibition on gag clauses. The prohibition went into effect on December 27, 2020. The first GCPCA, covering the period from December 27, 2020 to the date of the first attestation, is due no later than December 31, 2023. Attestations for subsequent years are due every year on December 31. Failure to submit the GCPCA may result in agency enforcement actions.
The following entities are required to submit a Gag Clause Prohibition Compliance Attestation:
- Fully-insured and self-insured group health plans, including ERISA plans, non-Federal governmental plans; and church plans subject to the Code;
- Health insurance issuers offering group health insurance coverage; and
- Health insurance issuers offering individual health insurance coverage, including student health insurance coverage and individual health insurance coverage issued through an association.
Certain other entities are exempted from the attestation requirement, including plans or issuers offering only excepted benefit, such as limited scope dental or vision benefits. These requirements apply even if a plan or coverage is considered to be a grandfathered or grandmothered health plan. However, a plan or issuer otherwise attesting is not required to attest with regard to any coverage that it offers that is an excepted benefit. Employers who sponsor self-insured group health plans, in particular, should connect with the plans’ third-party administrators or other service providers to determine who will file the Gag Clause Prohibition Compliance Attestation. The CMS has issued guidance stating that a self- or partially self-funded plan may enter into a written agreement with a service provider for the provider to attest on the plan’s behalf.
Plans and insurers can submit the GCPCA by visiting https://hios.cms.gov/HIOS-GCPCA-UI. The information to be reported includes the reporting entity’s name and EIN, ERISA number (for ERISA plans), the type of reporting entity, contact information, and information about the type of provider agreement to which the attestation relates. The attestation will satisfy the parallel requirements under the Code, ERISA, and the PHS Act, as applicable.