The Consolidated Appropriations Act (CAA) of 2021 prohibits Gag Clauses in contracts between insurers/group health plans and: 1) health care providers, 2) third-party administrators (TPAs), 3) a network or association of providers, or 4) a service provider offering access to a network of providers. The rule to remove gag clauses was effective December 27, 2020.
In addition, the rule also requires insurers/group health plans to annually “attest” that they have no gag clauses in their contracts with service providers. The first attestation is due no later than December 31, 2023 and is due every year thereafter on the same date. Most insurers will complete this task for insured group health plans. Employers that sponsor self/level funded group health plans will likely need to file the attestation themselves, but there may be some service providers that agree to file the attestation for the group. The attestation must be submitted electronically via the U.S. Department of Health and Human Services (HHS) HIOS portal.
The Consolidated Appropriations Act (CAA) of 2021 added a significant number of new provisions and compliance obligations to insurers/group health plans with the intent to promote more transparency in health coverage in markets throughout the country. These provisions, along with the separate but related Transparency in Coverage Final Rules (TiCFR) are commonly referred to, collectively, as the Transparency Rules.
One transparency provision within the CAA prohibits Gag Clauses in contracts between insurers/group health plans and certain service providers. The rule was immediately effective on December 27, 2020, the day the CAA was signed into law.
There is a second part to this rule. Insurers and employers that sponsor plans must annually “attest” that they did not enter into any contracts with gag clauses. This attestation is formally referred to as the Gag Clause Prohibition Compliance Attestation (GCPCA), and it must be submitted electronically through the CMS (department within HHS) HIOS online portal.
Part 1: No Gag Clauses in Contracts
The CAA prohibits Gag Clauses in contracts between insurers/group health plans and their service providers. It applies to employers of any size that sponsor insured, self or level funded group health plans. Typically, after a law is in place, regulations that provide more information and effective dates are issued by the Departments (DOL, HHS and the Treasury). However, the Departments did not issue guidance on the rule because they consider the rule to be self-implementing. Thus, the rule was immediately effective as of the date the CAA was signed into law on December 27, 2020. This means that after this date, employers of any size that sponsor group health plans with any type of funding should be reviewing and removing any direct or indirect gag clauses from contracts with their service providers.
What is a service provider?
A service provider under this rule is defined as:
- a health care provider
- a network or association of providers
- another service provider offering access to a network of providers
- a third-party administrator (TPA)
What is a gag clause?
Generally, a gag clause is an agreement in a contract that prohibits the disclosure of certain information.
A gag clause in this context is a term in a contract that directly or indirectly restricts specific data and information that an insurer or an employer that sponsors a group health plan can access or make available to another party.
Specifically, when an insurer or employer that sponsors a group health plan enters into a contract with a service provider, the contract may NOT restrict an insurer or group health plan from:
- Providing provider-specific cost or quality-of-care information or data to referring providers, the plan sponsor, participants, beneficiaries or enrollees, including individuals eligible to become participants, beneficiaries or enrollees of the plan or coverage
- Electronically accessing de-identified claims and encounter information or data for each participant, beneficiary or enrollee as long as it is consistent with applicable privacy rules such as Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), and the Americans with Disabilities Act (ADA)
- Sharing such information (or directing that such information be shared with a business associate), as long the sharing process is consistent with applicable privacy rules.
An example of a prohibited gag clause would be a paragraph in a contract between a TPA and an employer-sponsored group health plan that states access to provider-specific cost and quality-of-care information is only at the discretion of the TPA.
The prohibition against Gag Clauses does not apply to:
- Issuers offering only short-term, limited-duration insurance
- Medicare and Medicaid plans
- State Children’s Health Insurance Program (CHIP) plans
- TRICARE program
- Indian Health Service program
- Plans under “Basic Health Program”
- HRAs and other account-based plans
Employer Steps to Remove Gag Clauses from Contracts
- Add reviewing contracts with service providers to your compliance calendar to confirm there are no gag clauses
- Create and maintain an internal Gag Clause compliance file that includes any applicable communications as well as your steps and efforts to comply
- Review contracts with service providers to ensure they do not contain gag clauses.
- Some explicit, direct violations will not be difficult to identify, but provisions that have the effect of restricting the disclosure of information or data may not be as obvious.
- For example, watch for provisions that would restrict provider-specific cost or quality information sharing with plan members, or claims data sharing or individual claims pricing
- Note that even if a service provider claims there are no gag clauses in your contract, you should still independently confirm same, and in any case, keep and file away (in your internal Gag Clause file) the service provider’s applicable statements and communications.
- If any gag clauses are present in a contract, take immediate steps to remove them.
Part 2: No Gag Clause "Attestations"
In addition to prohibiting the inclusion of gag clauses in contracts, the CAA of 2021 adds a second requirement for insurers and employers that sponsor group health plans. By no later than December 31, 2023 insurers and group health plans must “attest” they had no gag clauses in contracts with their service providers. That means the December 31, 2023 attestation must include contracts between December 27, 2020 (the effective date of the no gag clause rule) and December 31, 2023.
Thereafter, the attestation and submission must be completed annually on the same date. For example, the next attestation will be due by no later than December 31, 2024. That attestation will include contracts between January 1, 2024 through December 31, 2024.
Both the insurer and the employer that sponsors a group health plan must comply with the attestation rule, but if the plan is fully insured, there is no need for two separate attestations.
In other words, the Departments will consider the employer to have satisfied the attestation requirements after the insurer attests.
Note however that because they are still responsible, employers that sponsor insured plans should confirm the insurer actually and timely submits the attestation. The employers should also create and maintain a Gag Clause file to keep track of filing confirmations and other related communications.
Self/Level Funded Plans
Employers that sponsor self/level funded group health plans will need to file the attestation themselves or enter into a written agreement with the TPA/ PBM/BHM to file the attestation. Even if the TPA/PBM/BHM agrees to submit the attestation about the contract, the legal obligation to comply remains with the employer that sponsors the plan. In other words, if the TPA/PBM/BHM agrees to file the attestation but fails to do so, that would fall on the employer not the TPA/PBM/BHM. Thus, the employer should follow up and confirm the attestation was filed. Whether the employer submits the attestation or enters into an agreement with the TPA/PBM/BHM to submit it, employers should create and maintain a Gag Clause file to keep track of filing confirmations and other related communications.
The first attestation is due by no later than December 31, 2023.
- The 2023 attestation must include more than one year due to the time lapse between the effective date and the first attestation filing deadline. So, it must include any contracts beginning December 27, 2020 (date of the CAA of 2021) through December 31, 2023.
The December 31, 2024 attestation, and every annual attestation thereafter, will address contracts during the same calendar year.
- For example, the attestation that is due by December 31, 2024 will state whether the insurer and/or the employer (on behalf of the group health plan) entered into any contracts with gag clauses during the 2024 calendar year.
Employer Steps to Comply with No Gag Clause Attestations
Add submitting Gag Clause attestations to your compliance calendar.
Complete the Steps listed in Part 1 (above).
Watch for, carefully review, and respond timely to communications from your service providers that address whether they will/will not assist with filing attestations.
If necessary, proactively reach out to service providers if no communicationsIf you sponsor an insured group health plan, the insurer will likely file the attestation.
If you sponsor a self/level funded plan, you will likely need to file but you can enter into a written agreement to have the service provider file. Regardless of funding type, or agreement, follow up and confirm the attestation is actually filed and keep all confirmations/communications in your gag clause file.
- If you sponsor a self/level funded plan and you need to file an attestation yourself:
- Assign (now) someone within your organization to become familiar with HIOS so they can submit the attestation on time
- Read the last sub section of this article entitled Submitting Attestations through HIOS for more technical information and resources
Submitting Attestations through HIOS
Insurers and employers that sponsor group health plans must attest there are no gag clauses in their contracts with service providers. The attestations must be submitted electronically via the U.S. Department of Health and Human Services (HHS) HIOS online portal. HIOS is the acronym for the Health Insurance and Oversight System, and it is a web-based application that allows CMS, a department within HHS called the Center for Consumer Information and Insurance Oversight (CCIIO), to collect health insurance data and information.
Long before the December 31, 2023 deadline to file the first attestation, it is important for at least one person within your organization to become familiar with HIOS, understand how to move around within the system, and successfully file an attestation. Please take time now to assign yourself, or a person within your organization, to learn about the HIOS system and how to successfully submit attestations.
Here are important links to HIOS along with tips to get you started with their helpful instructions and resources:
Instructions for HIOS
- Go to https://hios.cms.gov/HIOS-GCPCA-UI and click on “don’t have a code or forgot yours”
- Once you have a code, go back to https://hios.cms.gov/HIOS-GCPCA-UI and insert the code and access the system
- Once in the system, open this link https://www.cms.gov/files/document/hios-gcpca-usermanual-020000.pdf on another screen. This link will open a document from CMS that contains written step by step instructions as well as helpful screen shots illustrating each step you will encounter within the online system. If you’d like, you can skip to page 8 of this document and start with section entitled “4 Get Started.
- For more information, including an overview and more detail about the rules and submitting the attestation, you can reference https://www.cms.gov/files/document/gag-clause-prohibition-compliance-attestation-instructions.pdf