No gag clauses allowed: Plans must submit first annual attestation by Dec. 31

The Departments of Labor, Treasury, and Health and Human Services (collectively referred to as the “Departments”) have released guidance related to the anti-gag clause provisions included as part of the Consolidated Appropriations Act, 2021 (CAA) in the form of Frequently Asked Questions (FAQs) (opens a new window). This new guidance includes insight into compliance with the statutory provisions and includes details related to the annual attestation requirement for group health plans and carriers, including how attestations will be made.

The FAQs provide welcome guidance for plans and issuers to assist with complying with these requirements.

Key takeaways

  • The CAA prohibits plans and issuers from entering into contracts and/or agreements that restrict access to certain information related to plan benefit costs, quality of care, or certain claims information as well as prohibiting sharing that type of information with business associates.

  • Group health plans and issuers are required to submit an annual attestation of compliance with the applicable anti-gag clause provisions to the Departments.

  • The annual attestation must be done through a CMS portal and completed by Dec. 31 of the applicable year.

  • The first attestation for the period beginning Dec. 27, 2020 (and through Dec. 31, 2023), is Dec. 31, 2023.

  • A third party may submit the annual attestation on behalf of a group health plan; but for self-insured group health plans, a written agreement between the plan and the service provider must be in place.


As part of the CAA, group health plans and insurance carriers offering group health insurance are prohibited from entering into contracts and/or agreements with healthcare providers, provider networks, third-party administrators (TPAs) or other service providers offering access to a network of providers that include a gag clause, specifically:

  1. Restrictions on the disclosure of provider-specific cost or quality of care information or data to referring providers, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage;

  2. Restrictions on electronically accessing, upon request, coverage information or de-identified claims information for each plan participant to the extent allowed by HIPAA, the Genetic Information Nondiscrimination Act, or the Americans with Disabilities Act; the information plans must have access to include (in a per-claim or aggregate basis) financial information, such as the allowed amount or other claim-related financial obligations included in the provider contract, provider information, service codes or any other data element included in healthcare transactions leading to a claim for benefits; and

  3. Restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a HIPAA business associate.

The provision was effective Dec. 27, 2020, and group health plans and carriers are required to use a good faith, reasonable interpretation in complying with the statutory requirements. The attestation requirement was paused until new implementation guidance was issued, which brings us to the new guidance.

So, what’s a gag clause?

The FAQs provide more clarity as to what constitutes an impermissible gag clause. The new guidance includes helpful examples of certain provisions that would be viewed as prohibited gag clauses, elaborating on the statutory language.

For instance, a contract between a group health plan and a TPA that outlines payment to network providers at a certain rate and then prohibits the plan from providing details about said contracted network rates to plan participants and beneficiaries claiming those network rates are proprietary would be impermissible under the CAA.

Additionally, if a contract between a TPA and a group health plan only allows the plan access to information related to network provider rates and/or details related to the provider’s quality of care at the discretion of the TPA, , that would be an impermissible gag clause under the rules.

The guidance is also clear that any provision that indirectly restricts access to this information is prohibited under the rule. Even if the provision does not directly restrict access or appropriate disclosure of the information but operates in a manner that does in fact restrict access to the information or the ability to disclose information, it is prohibited under the rules.

Lockton comment: Plan sponsors have likely experienced instances where carriers or TPAs have pushed back on certain plan data requests, even when the appropriate HIPAA privacy policies, procedures, agreements and safeguards are in place. The anti-gag clause provision will hopefully make obtaining plan information to ensure the plan is operating appropriately and in accordance with the plan documents an easier undertaking. But note… restriction against public disclosure of such information is still allowed.

What’s this about an attestation?

The CAA requires plans and carriers to submit an annual Gag Clause Prohibition Compliance Attestation (Annual Attestation) reflecting the group health plan or carrier is in compliance with the CAA gag clause prohibition provisions, effective Dec. 27, 2020. The Annual Attestation requirement was paused until further guidance was provided by the Departments, and here we are.

Who is required to submit an Annual Attestation?

The following entities are required to submit an Annual Attestation:

  • Fully insured and self-insured group health plans (including those subject to ERISA, church plans and non-Federal governmental plans, regardless of whether they are designated as grandfathered or grandmothered plans under the Affordable Care Act (ACA));

  • Health insurance carriers offering group or individual health coverage, including student health insurance coverage and individual health insurance coverage through an association.

Lockton comment: Caution here. This is a plan-by-plan requirement. If a particular employer sponsors multiple plans, multiple attestations may be required. But see the below section, “Can a service provider attest on behalf of the plan?”

The guidance also specifically excludes coverage of excepted benefits. Therefore, no attestation is required of certain entities (including employer plans) offering only excepted benefits, such as certain vision and dental plans, or of carriers offering only short-term, limited-duration insurance.

Additionally, the Departments will not enforce the Annual Attestation requirement against health reimbursement arrangements (HRAs) and other account-based group health plans (such as health FSAs) since by their nature, the plans do not utilize provider networks or enter into these types of agreements.

The FAQs also exclude Medicare plans, Medicaid plans, Children’s Health Insurance Program plans, Tricare and Indian Health Service programs.

When is the Annual Attestation due?

Annual Attestations related to contracts and/or agreements entered into on or after Dec. 27, 2020, must be submitted by Dec. 31, 2023.

Going forward, attestations are due by Dec. 31 of the applicable year.

How does one submit the Annual Attestation?

Annual Attestations are required to be submitted through the CMS HIOS portal (opens a new window).

Plan sponsors and issuers will need to obtain a unique authentication code in order to submit the attestation. To obtain an authentication code, the individual submitting the Annual Attestation will need to first go to the website and select “Don’t have a code or forgot yours” and enter in their email.

Lockton comment: The code will then be emailed to the individual, relatively quickly based on our test run.

Once in the system, the individual completing the attestation will be required to provide some basic identifying information and then upload a template Excel file containing plan-related details for the plan they are attesting on behalf of. More details, including these FAQs, instructions, a system user manual and the model Excel template form can be found here. (opens a new window)

Lockton comment: HIOS may sound familiar to many as it is the same portal used to submit the annual prescription drug cost reporting. However, the process for the attestation is much more straightforward and doesn’t require a HIOS account to comply.

Can a service provider attest on behalf of the plan?


As mentioned above, and relevant for plan sponsors, the plan itself is subject to the Annual Attestation requirement.

However, for self-insured group health plans, the plan can enter into a written agreement allowing for a third party such as a TPA, pharmacy benefit manager or another type of service provider to submit the Annual Attestation on their behalf. That being said, even when the written agreement is in place, the self-funded plan is still ultimately responsible for the submission of a timely and complete attestation.

For fully insured plans, however, if the carrier submits the Annual Attestation on behalf of the plan, the plan will be deemed to have satisfied the requirement.

Taking it a major step further, as welcome relief, these FAQs allow issuers to submit the Annual Attestation on behalf of all their fully insured group health plan policyholders. Moreover, issuers that both offer group health plan insurance and act as a TPA for self-funded pans may also submit the attestation for all their self-funded clients.

Lockton comment: In this latter case, the Departments recommend that the TPA and plan communicate and coordinate to ensure non-duplication of efforts so that multiple filings on behalf of the same plan are not made.

What should employer plan sponsors do now?

As stated earlier, the gag clause prohibition is currently in effect and plan sponsors should be taking steps to ensure compliance when entering into contracts and agreements with TPAs and other service providers offering access to a network of providers based on a good faith, reasonable interpretation of the statutory requirements.

Plan sponsors should work with their advisors and legal counsel to:

  • Determine whether any existing or impending plan-related contracts with any healthcare providers, networks or associations of providers, TPAs, or other plan-related vendors that offer access to provider networks contain restrictive language as described above. '

  • If contracts currently in effect include such gag clauses, these provisions must be removed.

  • Ensure the proper procedures are in place to submit the Annual Attestation by Dec. 31, 2023, and annually thereafter.

  • For self-insured plan sponsors who wish to have their TPA or service provider to submit the Annual Attestation on their behalf, obtain a written agreement from the TPA or service provider to submit timely and appropriately.

  • For fully insured plans, ensure the carrier is submitting the Annual Attestation on behalf of the plan.

Full Alert (opens a new window)Not legal advice: Nothing in this alert should be construed as legal advice. Lockton may not be considered your legal counsel, and communications with Lockton's Compliance Consulting group are not privileged under the attorney-client privilege.