Skip to content
Health Plans

What Is the Gag Clause Prohibition Compliance Attestation?


· 5 minute read


· 5 minute read

QUESTION: We have heard there is a reporting requirement for group health plans relating to the prohibition against gag clauses in plan agreements. What should we know about this requirement?

ANSWER: As you note, group health plans are prohibited from entering into any agreement with a provider, network of providers, or entity offering access to a network of providers that includes any contractual term directly or indirectly restricting the plan’s ability to make specific data and information available to another party (a “gag clause”). Specifically, this includes restrictions on disclosing provider-specific cost or quality-of-care information, restrictions on electronic access to de-identified participant and beneficiary claim information (consistent with applicable privacy protections), and restrictions on sharing these types of data or information. Examples of gag clauses include a provision in a TPA agreement that restricts disclosure of provider rates because they are considered proprietary, or one that only allows access to provider-specific cost and quality-of-care information at the TPA’s discretion. Beginning in 2023, plans must annually attest to their compliance with the gag clause prohibition.

The attestation is made by submitting a Gag Clause Prohibition Compliance Attestation (GCPCA) through CMS’s Health Insurance Oversight System (HIOS). Information to be reported includes the reporting entity’s name and EIN, plan number (for ERISA plans), type of reporting entity, contact information, and information about the type of provider agreement to which the attestation relates. An agency webpage provides detailed instructions, a user manual, and a reporting template.

The requirement to make the attestation applies to insurers and group health plans, including ERISA plans, non-federal governmental plans, and church plans subject to the Code, regardless of grandfathered or grandmothered status. Plans providing solely excepted benefits, health reimbursement arrangements (HRAs), and other account-based plans need not submit attestations. Self-insured plans may enter into an agreement with a service provider to make the submission, but the legal requirement remains with the plan. An insurer that provides administrative services to self-insured plans may submit a single attestation covering the insurer, its fully insured plans, and its self-insured plan clients; the agencies recommend coordination to avoid duplication.

The first GCPCA, covering the period from December 27, 2020 (or, if later, the plan’s effective date) through the date of attestation, is due no later than December 31, 2023. Subsequent attestations are due each December 31. Failure to submit the GCPCA may result in agency enforcement action.

For more information, see EBIA’s Self-Insured Health Plans manual at Sections XXIX.D.5 (“Gag Clause Prohibition Compliance Attestation”) and XXIII.B (“Contracting With Service Providers”). See also EBIA’s ERISA Compliance manual at Sections XXX.E.16 (“Prohibition on Gag Clauses in Group Health Plan Agreements”) and XXI.C.1 (“Other Reporting Requirements”).


Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.

More answers