Locke Lord QuickStudy: Get Ready to Attest: The Departments ‎Release “Further ‎‎Guidance” on Gag Clause Prohibitions

Locke Lord LLP
May 16, 2023

On February 23, 2023, the Departments of Labor, Health and Human Services, and Treasury (collectively the “Departments”) released guidance to initiate the enforcement provisions related to the “gag clause” prohibitions contained in and compliance attestations required by the transparency provisions of the Consolidated Appropriations Act of 2021 (“CAA”), which is codified in Section 9824 of the Internal Revenue Code of 1986, as amended (“Code”), Section 724 of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”), and Section 2799A-9 of the Public Health Service Act (“PHS Act‎”), as amended (together the “Gag Clause Laws”).[1] See the FAQs available at Part 57 of the Affordable Care Act Frequently Asked Questions‎‎ (“ACA FAQ 57”). Below is a brief summary of the rules relating to the Gag Clause Laws found in ACA FAQ 57 and suggested next steps for employer plan sponsors.

What Are Gag Clauses and Compliance Attestations?

The Gag Clause Laws prohibit “gag clauses”. “Gag clauses” are any provisions in an agreement between a group health plan or issuer (i.e., insurance carrier) and a health care provider, network or association of providers, third-party administrator (“TPA”), or other service provider offering access to a network of providers that would directly or indirectly restrict the group health plan ‎from providing cost or care information to plan participants or accessing de-‎identified claims data, or sharing such information in compliance with privacy regulations (or requiring that such information be shared with a ‎business associate). ‎ The Gag Clause Laws also require that group health plans and issuers submit an annual attestation of ‎compliance with the prohibitions on gag clauses (a “Compliance Attestation”).

Who Must Submit Compliance Attestations?

All employer-sponsored group health plans (whether fully insured, level funded, or self-insured) are subject to the Compliance Attestation requirements, except for excepted benefits (such as ‎standalone dental or vision plans and certain employee assistance programs) health care flexible spending accounts, and health reimbursement arrangements.

When Must Compliance Attestations Be Submitted?

The first Compliance Attestation submission is ‎due by December 31, 2023, and the submission will cover the period of December 27, 2020 through ‎the date of the Attestation.‎ Subsequent submissions will be due by December 31st of each year ‎‎thereafter, and will cover the respective periods between the most recent submission and the current submission.

How Must Compliance Attestations Be Submitted?

Compliance Attestations must be submitted electronically through this CMS website, and the instructions and user ‎manual are available here. For more information, see Q5 through Q13 of ‎ACA FAQ 57 (link above).‎

Can Compliance Attestation Submissions Be Delegated?

Yes. According to ACA FAQ 57, plans can satisfy their Compliance Attestation obligations by ‎having third parties, such as insurance carriers or TPAs, submit the attestation on ‎their behalves.‎

Next Steps for Employer Plan Sponsors

  • Fully Insured Plans. Confirm with the insurance carrier that the carrier will be (i) complying with the Compliance Attestation ‎‎requirement on its own behalf, and (ii) whether the carrier will submit the group health plan’s Compliance Attestation on behalf of the plan.

NOTE: For fully insured plans, the group health plan and the insurance carrier are ‎‎each required to ‎‎annually submit a Compliance Attestation. ‎However, ‎if the carrier submits the Compliance ‎‎Attestation on behalf of the plan, the plan ‎will be ‎considered to have complied with this ‎‎requirement.‎

  • Self-Funded Plans. Confirm with the TPA whether the TPA will assist with the Compliance Attestation requirement or whether the plan sponsor must submit this for the group health plan.

NOTE: Since TPAs that are also carriers (i.e., TPAs that offer fully insured plans and act as TPAs for self-‎insured ‎group health plans) are permitted to submit a single Compliance Attestation on ‎behalf of ‎themselves, their fully insured group plans, and their self-insured ‎administrative ‎services only (“ASO”) clients, we anticipate that most plans will not have to carry out the Compliance Attestation themselves. However, the plan sponsor is ‎‎ultimately liable for any failure to attest (even if the failure is by the ‎‎TPA), so it is important to amend the ASO to require that the TPA carry out this service and for the TPA to indemnify the plan sponsor for any failure to attest.

  • All Plans. Review the terms of the existing contracts or ASOs and remove any direct gag clauses or indirect restrictions on the disclosure of data in violation of the Gag Clause Laws prior to submitting Compliance Attestations before the December 31, 2023 deadline. Amend such agreements to specify the manner in which the carrier or TPA ‎will handle compliance with the Gag Clause Laws and submission of the Compliance Attestation on behalf of the employer-sponsored group health plan.‎

As is the case with many of the CAA requirements, complying with the Gag Clause Laws and Compliance Attestation requirements is a complex process with numerous parties to involve and steps to take. While the December 31, 2023 deadline is still several months away, now is a good time for plan sponsors to begin consulting with their ERISA attorneys, reviewing their agreements with the carriers/TPAs, and discussing roles and responsibilities with their TPAs and service providers.


[1] The Gag Clause Laws have been effective since December 27, 2020, ‎the date on ‎which the CAA was signed into law; however, enforcement of the ‎Compliance Attestation requirement was delayed pending ‎further guidance on the gag clause ‎provisions, which has now been issued by the Departments.‎ ‎