When the Consolidated Appropriations Act, 2021 (the “CAA”) was enacted on December 27, 2020, it included a provision that prohibits group health plans and health insurance carriers from entering into certain agreements that, either directly or indirectly, restrict the release of certain information related to provider networks and de-identified encounter data, among other things. Such restrictions are commonly referred to as “gag clauses.” The CAA also requires plans and carriers to attest annually that their agreements do not include such impermissible gag clauses.
On August 20, 2021, the DOL, IRS, and HHS (the “Agencies”) jointly released an FAQ which explained that the prohibition on gag clauses was self-implementing, meaning that regulations would not be released anytime soon and that plans and carriers should use a reasonable, good faith interpretation of the statute in the meantime. The FAQ also stated that the attestation requirement would be delayed until further guidance was released.
In February 23, 2023, the Agencies released new FAQs, which provide information for completing and submitting the attestation, the first of which is due on December 31, 2023.
The following provides general information about gag clauses and completing the Gag Clause Prohibition Compliance Attestation (GCPCA).
What is a Gag Clause?
Under the CAA, a gag clause is defined as:
- restrictions on the disclosure of provider-specific cost or quality of care information or data to parties such as the plan sponsor, participants, beneficiaries, or referring providers;
- restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with HIPAA, GINA and ADA privacy regulations, including, on a per claim basis—
- Financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;
- Provider information, including name and clinical designation;
- Service codes; or
- Any other data element included in claim or encounter transactions; or
- restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a business associate.
The gag clause provisions of the CAA (specifically Code section 9824, ERISA section 724, and PHSA §2799A-9(a)(1)), generally prohibit plans and carriers from entering into agreements with providers, TPAs, or other service providers that include such provisions.
Where would I Typically Find a Gag Clause?
Gag clauses in this context might be found in agreements between a plan or carrier and any of the following parties:
- a health care provider;
- a network or association of providers;
- a third-party administration (“TPA”) or pharmacy benefits manager (“PBM”); or
- another service provider offering access to a network of providers.
Thus, a group health plan should confirm that its carrier, TPA and/or PBM agreements do not contain prohibited clauses. These clauses would typically be found in confidentiality or other privacy provisions of the agreements, though it is important for the agreements to be thoroughly reviewed. We would suggest working with your counsel to review the agreement to determine whether it impermissibly restricts access to specific information that would be otherwise covered under the gag clause provisions, or whether there is language that only restricts access to such information in conformity with the gag clause requirements of the CAA or other applicable state or federal law.
To which plans do the gag clause restrictions apply?
All group health plans (excluding FSAs, HRAs or other excepted benefits such as dental or vision) and insurance carriers are subject to these prohibitions. This includes self-funded and fully insured plans and grandfathered plans, as well as non-ERISA plans sponsored by non-federal governmental employers (i.e., state and local governmental employers), and church plans subject to the Internal Revenue Code.
What is the attestation requirement?
The CAA required group health plans and health insurance carriers to attest annually to the government that they have no “gag clauses” in their contracts. Plans and carriers must complete the GCPCA form electronically using the form provided by the Agencies.
When is the attestation/GCPCA form due?
The first attestation is due no later than December 31, 2023, and covers the period beginning December 27, 2020, or the effective date of the applicable group health plan or health insurance coverage (if later), through the date of attestation. Subsequent attestations, covering the period since the last preceding attestation, are due by December 31 of each year thereafter.
Who is responsible for completing the attestation for our group health plan?
That depends on whether the plan is fully insured or self-funded and your contractual arrangement with the carrier or TPA. While both the carrier and group health plan are required to submit a GCPCA with respect to a fully insured plan, a carrier may submit a GCPCA with respect to a fully insured plan that will satisfy the plan’s obligation. We expect that most carriers will agree to complete the attestation for their fully insured plans. Self-funded plans can contract with their TPA and/or their PBM to complete the attestation on behalf of the plan; however, the plan is ultimately responsible for ensuring the attestation is timely completed. It is important to communicate with your carrier or TPA before the December 31, 2023 deadline to determine who will be completing the attestation on behalf of the plan. We recommend ensuring that responsibility for completing the GCPCA is assigned well before the December 31st deadline so there are no surprises. The Agencies released an instruction manual for the webform to assist with completing the attestation, when ready for filing.
Are there penalties if our group health plan does not complete the attestation?
There are no specific penalties outlined in the CAA; however, in the FAQs, the Agencies indicate that failing to submit the attestation by the deadline may subject the plan or carrier to enforcement action. In such cases, it’s possible for the Agencies to assess a penalty of up to $100 per day per affected individual.
Where can I find more information on gag clauses and completing the attestation? The FAQs are a good place to start, as well as the HIOS GCPCA User Manual, which explains how to use the GCPCA module within the Health Insurance Oversight System (“HIOS”).