Health Plan Gag Clause Attestation Submission Reference Guide

CAA Gag Clause Prohibition Background

The Consolidated Appropriations Act of 2021 (CAA), enacted by Congress on December 27, 2020, includes a provision that prohibits health plans (and health insurance carriers) from entering into agreements with health care providers and/or networks, third-party administrators (TPAs), or other plan service providers that include language constituting gag clauses. The FAQs state that gag clauses are contractual terms that directly or indirectly restrict specific data and information a plan can make available to another party. In this context, gag clauses contain language that directly or indirectly restricts a plan from:

1. Disclosing provider-specific cost or quality of care information, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, plan participants, and other individuals eligible to enroll in the plan.
2. Upon request, obtaining electronic access to de-identified claims and encounter data for each plan participant (pursuant to applicable privacy regulations), including:
   • Claim-related financial information, such as allowed amount
   • Provider information, such as name and clinical designation
   • Service codes
   • Any other data element included in claim or encounter transactions
3. Sharing information or data outlined in (1) and (2) above with a business associate of the plan, in accordance with applicable privacy regulations.

The intention of these gag clause prohibitions, like other CAA health plan provisions, is to increase and enhance health plan cost transparency.

Annual GCPCA

Health plans are required to submit a GCPCA on an annual basis confirming their compliance with this gag clause prohibition requirement. The first attestation, covering the period from December 27, 2020 through the attestation date, is due by December 31, 2023.

After December 31, 2023, GCPCAs will be due on December 31^st of each year, covering the period since the last preceding attestation.

The Departments created a dedicated website (accessed here) detailing the GCPCA process with helpful resources for health plans, insurance carriers, and other service providers, including links to the attestation submission site, a Centers for Medicare & Medicaid Services (CMS) user manual, and submission instructions.

Covered Health Plans

Click here for an extensive list from our previous article detailing which health plans are required to submit GCPCAs. As a brief refresher, ERISA group health plans, both fully insured and self-funded plans, as well as non-federal governmental plans and church plans, are all required to submit GCPCAs on an annual basis. On the other hand, excepted benefit plans, such as standalone dental and vision plans, as well as account-based plans, including flexible spending accounts (FSAs) and health reimbursement arrangements (HRAs) are not required to submit these attestations.

GCPCA Submission Process

We previously advised employers sponsoring group health plans to rely on their carriers, TPAs, and other plan service providers to comply with these CAA gag clause prohibition rules since employers do not typically enter into agreements directly with health care providers and networks on behalf of their group health plan.

• Fully Insured Plans: Employers with fully insured group health plans may rely on their insurance carriers to submit their GCPCA. The February 2023 FAQs confirm that fully insured plans will be considered in compliance with this requirement when their carriers submit the GCPCA on their behalf. For good measure, fully insured plan sponsor employers are encouraged to receive written confirmation from their carriers that they will submit the first required GCPCA in a timely manner, well in advance of the December 31, 2023 deadline.
• Self-Funded Plans: Employers with self-funded group health plans (including level-funded plans) are directly responsible for the GCPCA requirement but may contract with their plan service providers (e.g., TPAs, pharmacy benefit managers (PBMs), and/or managed behavioral health organizations) to submit the GCPCAs on their behalf via a written agreement. Note though, as with most compliance obligations, if a service provider fails to submit the required attestation, the self-funded plan bears the ultimate responsibility for such failures.

Carriers, TPAs, and other plan service providers have contacted their group health plan sponsor clients with next steps on completing and submitting GCPCAs to the Departments. Employers are advised to pay close attention to these communications and respond accordingly to ensure timely compliance with these requirements.

However, certain carriers, TPAs, and PBMs have already notified their group health plan sponsor clients (particularly self-funded plan sponsor clients) that they will not be submitting the GCPCAs on their behalf. This means that these group health plans are responsible for directly submitting their GCPCAs to the Departments.

How to Submit GCPCA

Get started by clicking here to access the GCPCA webform.

Scroll through the CMS user manual screenshots directly below for detailed instructions on how to submit the required GCPCA.

Click the left and right arrows to navigate through the screenshots

Additional GCPCA Submission Process Notes

• Most single employer group health plans that are responsible for directly submitting their GCPCAs to the Departments are considered one “Reporting Entity” and are only required to complete the GCPCA webform as detailed in the CMS user manual screenshots above.
• The downloadable GCPCA reporting entity Excel template is required only for attestations on behalf of more than one Reporting Entity (multiple Reporting Entities), which generally applies to carriers, TPAs, and other plan service providers (rather than single employer group health plans).
  • The GCPCA instructions and CMS user manual provide detailed information for those multiple Reporting Entities that are required to populate and upload the Excel template with their GCPCA webform.

Although the first GCPCA is due by December 31, 2023, those plan sponsors who must submit their GCPCA directly to the Departments can be proactive and complete the GCPCA webform now to ensure compliance with this requirement well in advance of this upcoming year-end deadline.

Risk Strategies will continue to closely track GCPCA-related developments and provide updates when available. Contact your Risk Strategies team members with any questions or contact us directly at benefits@risk-strategies.com.