Benefits Magazine Extra articles provide you with bonus content on a mix of benefits topics as well as deep dives and analyses on the latest benefit trends and compliance issues. Visit to see the latest Benefits Magazine Extras as well as the bimonthly print edition. 

Group health plans and health plan issuers are prohibited from entering into service agreements that contain gag clauses and must annually attest to their compliance under the Consolidated Appropriations Act, 2021 (CAA). The author describes the challenges of complying with this provision.

Amid the chaos of the years 2020 and 2021, Congress passed the Consolidated Appropriations Act, 2021 (CAA)—what some consider to be the most extensive health plan compliance package to emerge since the Affordable Care Act (ACA).

CAA was enacted on December 27, 2020 and includes new rules and reporting requirements intended to promote health care transparency. While CAA may be known to most as the legislation that includes the No Surprises Act, this is not where the compliance responsibility for plan sponsors ends.

Title II of the appropriations bill reflects one of the most controversial and complicated portions of CAA,<1> known as the gag clause prohibition and attestation rules. Section 201 is appropriately titled “Increasing Transparency by Removing Gag Clauses on Price and Quality Information.” Though many plan sponsors appreciate the benefits of prohibiting gag clauses in their vendor contracts, federal misunderstanding of market player dynamics has made this portion of the law one of the most controversial health care compliance discussions in 2023.

What is the gag clause prohibition?

The gag clause prohibition bars group health plans and health insurance issuers from entering into any agreements with various types of service providers (e.g., health care providers, networks of providers, third-party administrators (TPAs), pharmacy benefit managers (PBMs), etc.) that contain language that either directly or indirectly restricts the plan from accessing certain types of plan information and/or data.

This component of CAA prohibits restrictions on access to provider-specific cost or quality-of-care information/data and electronically accessed de-identified claims information/data. Further, service agreements cannot restrict plans from sharing the aforementioned information with a business associate contracted with the plan.

Such gag clauses allow service providers to keep strategic business information regarding price or quality of care under their plans from being shared within the marketplace. Limiting plans from making this information fully transparent may give that service provider a leg up against competitors.

Common examples of gag clauses include the following.

*Clauses that consider rate of pay information proprietary and place limitations on disclosing these rates to participants and/or business associates of the plan

*Clauses that include limitations/restrictions on quality-of-care information or de-identified claims data in the form of confidentiality agreements or sole discretion of the contracted service provider

*Clauses that limit the plan’s ability to share information with mutually agreed upon business associates at the sole discretion of the contracted service provider

The overall purpose of CAA was to increase transparency for plan sponsors of price, quality and data directly related to their administration of their health and welfare plans. To fulfill their fiduciary duty to act in the best interest of the plan participants, plan sponsors must focus on what is financially best for the plan as well as whether the plan is compliant and meeting the needs of the plan participants. Having access to pricing and quality of care information helps plan sponsors fulfill their fiduciary duty.

Does this mean that plans have no limitations on the information they can access from service providers?

No, the statute permits reasonable restrictions on the public disclosure of this information, allowing service providers to balance complying with the rule with their business interests in the marketplace. The statute, unfortunately, does not define reasonable restrictions, which has left this term up to interpretation.

What types of plans must comply with the gag clause prohibition?

In alignment with various other CAA sections, fully insured and level-funded/self-insured group health plans, including Employee Retirement Income Security Act (ERISA) plans, non-federal governmental plans and church plans, are required to comply with the prohibition rules.

What is the gag clause prohibition attestation?

Plans are required to comply not only with the prohibition on gag clauses but also to annually attest to the government that their service agreements do not include any prohibited gag clauses.

Simple, right? In theory, yes. The attestation requirement is simple when plans need to attest to only one calendar year of service agreements. But the postponement of the original attestation deadline has made compliance more complicated, because the initial attestation due by December 31, 2023 encompasses contracts from December 27, 2020 through December 31, 2023. In a perfect world, a plan could have been in compliance with all its agreements since December 27, 2020, when the rule originally went into effect. Assuming said plan changed little to none of its service providers, the attestation should take less than five minutes to submit. The federal government assumed that much of the marketplace fits this ideal scenario when designing the  attestation instructions. However, such multiyear consistency is rarely the case for group health plan sponsors.

Because of this, while finding the contracts applicable to this attestation period may be easy, attesting to their compliance could be difficult. The plan must first audit its contractual agreements for the full attestation period to determine whether they are truly free of prohibited gag clauses. The difficulty in reviewing contracts for multiple plan years only compounds the issue from a compliance perspective. Assuming that most plan sponsors and human resources departments do not have someone on staff who specializes in contract reviews, this will mean that plans can expect to have an additional cost tacked on for compliance obligations annually to comply with the CAA.

Different plan funding arrangements may approach this compliance review differently:

*Fully insured plans: These plans likely have a carrier attesting on their behalf but will want to verify with that carrier. The Departments will consider the attestation requirement fulfilled for fully insured plans if their carrier submits this requirement. Plan sponsors are still ultimately responsible for the gag clause prohibition requirement and may want to have the service agreements reviewed by a third party.

*Level-funded plans: These plans may have a carrier offering to attest on their behalf, or they may contract with a TPA or other third party to attest on behalf of their plan. Plans will want to ensure that all agreements are being attested to on their behalf. If a service provider is only attesting to a portion of the plan’s agreements, the plan will still need to submit an attestation for the remaining contractual agreements. Plans are still ultimately responsible for the compliance of their service agreements, as well as the submission of their attestations.

*Self-funded plans: These plans have the largest hurdle to overcome currently.  Self-funded plans (not including level-funded plans) may have a carrier and/or TPA offering to attest on their behalf, but it is unlikely. While self-funded plans can contract with a TPA or another third party to attest on their behalf, the review process may be more challenging. These plans likely have a longer list of applicable vendor agreements to review for compliance and may have to resort to a partial attestation if the plan sponsor cannot confirm the compliance of all the service provider agreements.

What should plans do if they find gag clauses?

Plans that find gag clauses within their written agreements should reach out to the service provider and attempt to bring those contractual agreements to compliance. Service providers may amend their agreements, allowing the plan sponsors’ the ability to attest to compliance.

This is where things begin to get more complicated. The requirements of compliance and attestation, read with the assumption that all service providers began to make compliant agreements after December 27, 2020. However, for plan sponsors that review their contracts and find gag clauses or potential gag clauses within, guidance on next steps is very scarce. The FAQs provided by CMS simply advise plans to either reach out to the No Surprises Help Desk, submit a complaint online, or contact the applicable state authority with concerns. ERISA plans are advised to contact the DOL for further assistance.<1>

How does this attestation differ from the other reporting requirements in CAA?

The gag clause prohibition attestation is much simpler than RxDC reporting, which is the other CAA-established reporting requirement that plan sponsors had to first begin complying with in June of this year. RxDC reporting calculations are predominantly tied to data and numbers, and the submission process is technologically complex. Gag clause prohibition attestations, conversely, are fillable form statements. Though the submission process is simpler for these attestations, analyzing contracts for language that restricts parties from doing or not doing certain actions to determine whether an attestation can be filed is much more nuanced than the calculations required for RxDC reporting.

Both reports are submitted online through a Centers for Medicare and Medicaid (CMS) portal designed specifically for that compliance obligation.

Key Challenges

Following are the three key challenges that plans are commonly facing in complying with the gag clause requirements.

1. Variety of responses from service providers

With many of the compliance obligations plans face annually, much of the difficulty lies in how service providers respond to those compliance obligations as well. National carriers responded in vastly different ways once it was announced that the first attestations would be due by December 31, 2023. Some carriers were more than happy to help their clients in attesting or providing a confirmation of compliance in reference to their agreements, while others took a more hands-off approach, likely making it challenging for some plans to comply with gag clause prohibition requirements.

2. Plan funding arrangements and assistance

Plan funding arrangements have played a crucial role as well in determining how difficult it is for groups to meet their compliance obligations. This process is less difficult for fully insured plans, which have fewer service provider agreements to review. The Departments have announced that carriers for these groups can fulfill the attestation requirement on their behalf. Similarly, though there was some initial reluctance, many carriers have ultimately agreed to help level-funded plans with this compliance obligation.

Self-funded plans have, unfortunately, landed with the short straw for this CAA requirement. They not only often have more service provider agreements to review, they also may not have anyone offering to attest on their behalf. Self-funded plans can contract with their TPAs to do their attestation for them, but not every TPA is willing to do so.

3. Visibility and attesting with certainty

The gag clause prohibition attestations are directly tied to the language within contractual agreements. As mentioned, this includes the agreements between the plan and all its service providers, not including coverage of excepted benefits. The statutory requirements assume that plan sponsors have complete visibility into all of the written agreements from the period of December 27, 2020 through December 31, 2023. But a lot can change for a plan over potentially four plan years in total.

This creates a unique challenge for plans, in that they need to attempt to review all of the agreements for almost four plan years of time potentially. On top of the lengthy time frame for the first attestation period, plans may also lack knowledge or the ability to review the compliance of all agreements applicable to their plan for this first attestation. Plans will have to rely on their service provider partners to provide all the applicable agreements if they do not already possess them in their own records. While many carriers have sent confirmations of compliance either with an email or a more formal public statement on their website, these written statements are a trust exercise in themselves. How can plan sponsors know for certain that all of those agreements are actually in compliance? The answer is that there is no way to know with 100% certainty unless the plan sponsor reviews the documentation itself.

Liability, penalties, where does this leave plans?

It is unclear what, if any, penalty will potentially befall plans that fail to meet the compliance responsibilities associated with the gag clause prohibition and attestation rules. FAQs from (CMS) state that plans failing to attest by the deadline may be subject to “enforcement action.”  Unfortunately for plan sponsors there are no deadline extensions discussed or provided, whether in the statutory language or the guidance from the Departments. CMS has decided to permit partial attestations for this first, multiyear submission. This provides an “out” of sorts for groups that cannot attest to the compliance of all their service providers for the full reporting period. Going forward, however, plan sponsors will need to submit a full attestation annually at the end of each calendar year (December 31).

The first attestation is due by December 31, 2023 through the CMS Gag Clause Prohibition Compliance Attestation (GCPCA) portal. Plans that have reviewed the written agreements for compliance should complete their attestation through the online webform dashboard on the GCPCA page. Plan sponsors must have all applicable plan identifying information (e.g., employer identification number (EIN), plan number, plan name, attestor information, etc.) prior to completing their attestation. The process can be completed in less than 30 minutes. After completing a compliance review and submitting their attestation, plan sponsors should document all gag clause compliance related actions, including the agreements reviewed, in preparation for the December 2024 attestation.

As this reporting requirement evolves, additional guidance from CMS could improve the process for plan sponsors. While the Departments have provided contact numbers and emails if plans suspect potential gag clause issues, the statutory language still holds plan sponsors ultimately responsible for compliance. This first attestation, as it has been designed, leaves those attesting with an all-or-nothing game. They  can either attest to the compliance of every agreement for each service provider or simply not attest to that service provider at all. The lack of explanation about liability or penalties involved with this compliance obligation has left many plans confused, stressed and in many circumstances lacking in finite answers of how to move forward.

Marissa Rufo is a compliance advisor, regulatory affairs, and subject matter expert at MZQ Consulting, LLC, a benefits compliance and Affordable Care Act reporting firm in Pikesville Maryland. Her legal background focused on litigation including broad civil litigation, personal injury, employment/union contracts as well as civil and criminal tax controversy. Rufo earned her B.A. degree from the University of Maryland. She also completed a dual degree program earning a J.D. and M.B.A. degrees from the University of Baltimore School of Law and School of Business, respectively.



Guest Contributor

Recommended Posts

Educating DC Plan Participants for the Long Hike to Retirement

Kathy Bergstrom, CEBS

Many years ago, I visited Grand Canyon National Park with my mom and aunt. It was unseasonably hot, but I wanted to walk down into the canyon on the Bright Angel Trail. My companions were not up for the hike, so I […]

Building and Designing for DEI: Creating Employee Benefits That Work for All

Guest Contributor

Benefits Magazine Extras articles provide you with bonus content on a mix of benefits topics as well as deep dives and analyses on the latest benefit trends and compliance issues. Foundation members can visit to view the full bimonthly print edition of the magazine.  Global […]