Summary: Employers sponsoring group health plans are required to submit their annual gag clause prohibition compliance attestations (GCPCAs) to the United States Departments of Health and Human Services, Labor, and the Treasury (collectively, "the Departments") for 2025 by December 31, 2025.
Read on for more information and next steps.
CAA Gag Clause Prohibition Background
The Consolidated Appropriations Act of 2021 (CAA), enacted by Congress on December 27, 2020, includes a provision prohibiting health plans (and health insurance carriers) from entering into agreements with health care providers and/or networks, third-party administrators (TPAs), pharmacy benefit managers (PBMs), or other plan service providers that include language constituting gag clauses. The Departments state that gag clauses, for these purposes, are contractual terms that directly or indirectly restrict specific data and information a plan can make available to another party. In this context, gag clauses contain language that directly or indirectly restricts a plan from:
- Disclosing provider-specific cost or quality of care information, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, plan participants, and other individuals eligible to enroll in the plan.
- Upon request, obtaining electronic access to de-identified claims and encounter data for each plan participant (pursuant to applicable privacy regulations[1]), including:
- Claim-related financial information included in the provider contract, such as the allowed amount,
- Provider information, including name and clinical designation,
- Service codes, or
- Any other data element included in claim or encounter transactions.
- Sharing information or data outlined in (1) and (2) above with a business associate of the plan, in accordance with applicable privacy regulations.
CAA Gag Clause Prohibition Examples
Example 1: A contract between a TPA and a group health plan states the plan will pay providers at certain designated rates, which the TPA considers to be confidential or proprietary and includes language in the contract prohibiting the plan from disclosing those rates to plan participants. This provision prohibiting disclosure would be considered a prohibited gag clause under the CAA.
Example 2: A contract between a TPA and a group health plan provides that the plan sponsor’s access to provider-specific cost and quality of care information is only at the discretion of the TPA. This provision would be considered a prohibited gag clause under the CAA.
Although health care providers and/or networks, TPAs, and other plan service providers may impose reasonable restrictions on the public disclosure of this information, plans must confirm that their agreements with these providers do not contain language in violation of the CAA’s prohibition on gag clauses.
The intention of these gag clause prohibitions, like other CAA health plan provisions, is to increase and improve health plan cost transparency. See prior Risk Strategies articles detailing other recent plan cost transparency provisions here, here, and here.
Covered Health Plans
As a reminder, the chart below details which health plans are subject to the annual GCPCA requirement:
|
Type of Plan
|
Required to submit annual GCPCA? (Yes/No)
|
|
ERISA Group Health Plan[2] including
- fully insured plans,
- self-funded plans, and
- Multiple Employer Welfare Arrangements (MEWAs)[3]
|
Yes
|
|
Non-federal governmental plans[4]
|
Yes
|
|
Church plans
|
Yes
|
|
Individual health coverage plans
- Student health plans
- Association plans
|
Yes
|
|
Tribal health plans that qualify as ERISA plans or state or local government plans
|
Yes
|
|
Excepted benefit plans, including:
- Hospital indemnity or other fixed indemnity insurance
- Disease-specific insurance
- Stand-alone dental, vision, and long-term care plans
- Employer on-site health clinics
- Accident-only, disability, and workers’ compensation plans
|
No
|
|
Retiree-only group health plans
|
No
|
|
Short-term, limited duration insurance policies
|
No
|
|
Health Reimbursement Arrangements (HRAs) and other account-based plans, including individual coverage HRAs (ICHRAs)
|
No
|
|
Medicare and Medicaid plans
|
No
|
|
Children’s Health Insurance Program (CHIP) plans
|
No
|
|
TRICARE and Indian Health Service program plans
|
No
|
Annual GCPCA
Health plans are required to submit a GCPCA on an annual basis confirming their compliance with this gag clause prohibition requirement, as confirmed by the February 2023 Departments FAQs guidance.
The first GCPCA, covering the period from December 27, 2020 through the end of 2023, was due by December 31, 2023.
After December 31, 2023, GCPCAs are due by December 31 of each year, covering the period since the last preceding GCPCA.
The Departments created a dedicated website (accessed here) detailing the GCPCA process with helpful resources for health plans, insurance carriers, and other service providers, including links to the attestation submission site, a user manual, and submission instructions. The Centers for Medicare & Medicaid Services (CMS) is collecting GCPCAs on behalf of the Departments.
Recent GCPCA Guidance
The Departments released an FAQs document in January 2025, providing clarifying guidance for health plans regarding the CAA gag clause prohibition generally and the GCPCA requirement in particular.
Specifically, these FAQs addressed how certain restrictions in “downstream agreements” or certain agreement restrictions with respect to sharing de-identified claims data would be considered prohibited gag clauses. The Departments generally define “downstream agreements” as separate, direct agreements between a health plan’s TPA and/or other service providers to provide or administer the plan’s network, and do not involve the health plan itself as a party to the agreement. These FAQs also provided a non-exhaustive list of restrictions on an audit or claims review that would be considered prohibited gag clauses to the extent the provision places unreasonable limits on the ability of plans to access such information or data upon request.
As such, these restrictions, whether in downstream agreements or with respect to sharing de-identified claims data, must be self-reported as a prohibited gag clause in the plan sponsor’s GCPCA. Click here for a Risk Strategies article with more details.
GCPCA Submission Process
Generally, employers sponsoring group health plans are advised to rely on their carriers, TPAs, and other plan service providers to comply with these CAA gag clause prohibition rules since employers do not typically enter into agreements directly with health care providers and networks on behalf of their group health plan. Employers should receive written confirmation from their carriers, TPAs, PBMs, and other plan service providers that all current plan-related contracts do not contain prohibited gag clause language.
Fully Insured Plans: Employers with fully insured group health plans may rely on their insurance carriers to submit their GCPCA. The February 2023 FAQs confirm that fully insured plans are considered in compliance with this requirement when their carriers submit the GCPCA on their behalf. Fully insured plan sponsor employers should receive written confirmation from their carriers that they will submit the GCPCA on the plan’s behalf well in advance of the December 31, 2025 deadline.
Self-Funded Plans: Employers with self-funded group health plans (including level-funded plans) are directly responsible for the GCPCA requirement but may contract with their plan service providers (e.g., TPAs, PBMs, and/or managed behavioral health organizations) to submit the GCPCAs on their behalf via a written agreement. Self-funded plans should be aware that (as with most compliance obligations) if a service provider fails to submit the required GCPCA, the self-funded plan bears the ultimate responsibility for such failures.
Carriers, TPAs, and other plan service providers have already started contacting their group health plan sponsor clients with next steps on completing and submitting GCPCAs to the Departments. Employers are advised to pay close attention to these communications and respond accordingly for timely compliance with these requirements.
Certain carriers, TPAs, and PBMs have been unwilling to submit GCPCAs for their self-funded plan sponsor clients. This means that these group health plans are responsible for directly submitting their GCPCAs to the Departments, and should carefully review the current CMS submission instructions (accessed here) and user manual (accessed here).
NOTE: Most single-employer group health plans that are responsible for directly submitting their GCPCAs to the Departments are considered a single "Responsible Entity" and are only required to complete the GCPCA webform accessed here.
Next Steps for Employer Group Health Plan Sponsors
Although the GCPCA deadline is December 31, 2025, those employer group health plan sponsors who must submit their GCPCA directly to the Departments can be proactive and complete the GCPCA webform now to comply with this requirement well in advance of the year-end deadline.
Don’t forget — plans that do not submit their annual GCPCAs by the December 31, 2025, deadline may be subject to enforcement action by the Departments.
Contact your Risk Strategies account team for assistance with your GCPCA submission, or contact us directly here.
[1] Including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Americans with Disabilities Act of 1990 (ADA).
[2] Including grandfathered and grandmothered group health plans.
[3] The revised 2024 instructions provide details on who is the Responsible Entity for MEWAs.
[4] Including plans sponsored by states, counties, school districts, and municipalities.
