First CAA Gag Clause Attestation Due By End of 2023
By Brian Gilmore | Published March 8, 2023
Question: What is the CAA gag clause prohibition compliance attestation requirement, and when is it due?
Short Answer: The gag clause prohibition in the CAA prohibits health plans from entering into contracts that restrict specific data and information that a plan can make available to another party. Plans must annually submit an attestation that they have not entered into any prohibited contractual restrictions. New guidance confirms the first attestation is due by December 31, 2023, and subsequent attestations will be due by December 31 of each year thereafter.
The CAA Gag Clause Prohibition
The Consolidated Appropriations Act, 2021 (CAA) introduced multiple sweeping reforms for employer-sponsored group health plans that have been taking effect over staggered timeframes. Although the CAA may not have been intended primarily as a health bill, it has proven to be the most significant set of health care reforms since the ACA.
For more details: Newfront Office Hours Webinar: 2022 Year in Review
One such CAA addition is the prohibition on plans entering into an agreement with a health care provider, network or association of providers, third-party administrator (TPA), or other service provider offering access to a network of providers that would directly or indirectly restrict the plan from releasing multiple components of specific data and information. This provision is known as the “gag clause” prohibition, which is designed to increase transparency by removing gag clauses on price and quality information.
The CAA prohibits the following items in a plan contract from being subject to a gag clause:
1) Provider-specific cost or quality of care information or data through a consumer engagement tool or any other means;
2) Electronic de-identified claims and encounter information or data for individuals upon request and consistent with HIPAA, GINA, and the ADA;
3) The ability to share information or data in 1) and 2) above (or to direct information be shared) with a HIPAA business associate, consistent with HIPAA, GINA, and the ADA.
Employers need to ensure that contracts with insurance carriers and TPAs do not include provisions designed to restrict access to such information. For example, TPA contracts can no longer require that network provider cost information be proprietary and confidential by blocking access to outside parties or otherwise imposing unreasonable restrictions on the public disclosure of such information.
These changes are part of the broader price transparency provisions of the CAA, which also include the patient protections against surprise billing, prescription drug cost reporting, machine-readable file cost disclosures, mental health parity comparative analysis disclosures, and participant-level cost-sharing disclosures.
The Gag Clause Prohibition Compliance Attestation Requirement (GCPCA)
The CAA includes an annual attestation requirement for plans to certify their compliance with the gag clause prohibition. This is referred to as the annual Gag Clause Prohibition Compliance Attestation, or “GCPCA”.
The Departments recently issued new Tri-Agency FAQ guidance confirming that the first GCPCA is due no later than December 31, 2023, to cover the period from the date of CAA enactment (December 27, 2020) through the date of the attestation. Subsequent attestations will cover the period since the last preceding attestation and will be due by December 31 of each year thereafter.
For employer-sponsored group health plans, the GCPCA applies to both fully insured and self-insured plans and regardless of grandfathered status.
The GCPCA does not apply to “excepted benefits,” such as most dental, vision, health FSA and EAP plans. The Tri-Agency FAQs (Q/A-8) confirm that the requirement also will not be enforced against HRAs (including ICHRAs) and other account-based group health plans because such arrangements will be integrated with other coverage that is required to complete the attestation.
Fully Insured Plans: Satisfying the GCPCA
With respect to fully insured group health plans, the group health plan (generally the employer) and the issuer (insurance carrier) are each required to annually submit the attestation. However, when the insurance carrier submits a GCPCA on behalf of the plan, the Tri-Agency FAQ guidance (Q/A-10) confirms the Departments will consider both the plan and the issuer to have satisfied the attestation submission requirement.
Bottom Line: Employers sponsoring a fully insured medical plan should have no action item with respect to the GCPCA. The insurance carrier is directly responsible for completing the GCPCA, and there is no need for the employer to separately complete the attestation. Employers should nonetheless confirm that the carrier will be fulfilling the requirement on the plan’s behalf.
Self-Insured Plans: Satisfying the GCPCA
With respect to self-insured group health plans, including so-called “level funded” plans and other partially self-insured arrangements, the Tri-Agency FAQ guidance (Q/A-9) confirms that the employer may satisfy the attestation requirement by entering into a written agreement under which the TPA will complete the GCPCA on the plan’s behalf.
Note that the employer retains ultimate responsibility for compliance—even where contractually delegating the attestation to the TPA. Accordingly, employers should consider contractual terms providing that the TPA assumes responsibility for the attestation in a manner that protects the employer from potential liability for any failures.
Further guidance (Q/A-10) recommends that a TPA attesting on behalf of the plan first coordinate with each plan to ensure that the group health plan (generally the employer) does not intend to attest on its own behalf. It is therefore likely that TPAs will be reaching out to employers to avoid duplication by confirming that the employer will not complete the GCPCA.
Bottom Line: Employers sponsoring a self-insured medical plan need to consult with the TPA to determine which party will complete the attestation. Although the plan (employer) is directly responsible for the GCPCA, it is likely that most TPAs will agree to contractually assume the attestation requirement.
The Tri-Agency FAQ guidance (Q/A-13) directs interested parties with concerns about a plan’s or issuer’s compliance with the gag clause prohibition to contact the No Surprises Help Desk to submit a complaint, or contact the DOL.
Although not entirely clear, it appears that failures to comply with the GCPCA would fall under the standard IRC §4980D penalty scheme, which is $100 per day per affected individual for noncompliance.
Submitting the GCPCA
The attestation is completed at the Gag Clause Prohibition Compliance Attestation website, which includes instructions and a user manual. To access the user interface, users must first obtain an authentication code from the website by entering an email address. Employers completing the GCPCA may authorize any appropriate individual within the organization, such as the listed plan administrator, to attest on behalf of the plan.
Yet another CAA milestone will be checked off the list as plans begin to complete the first annual GCPCA, which is due by December 31, 2023. Employers sponsoring a fully insured health plan will want to double-check that the carrier is completing the attestation on behalf of the plan, but generally there should be no action item in this situation. Employers sponsoring a self-insured health plan (including level funded plans) will want to work with their TPA to contractually delegate the attestation requirement to the TPA where possible.
(a) Increasing price and quality transparency for plan sponsors and consumers.
(1) In general. A group health plan (or an issuer of health insurance coverage offered in connection with such a plan) may not enter into an agreement with a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would directly or indirectly restrict a group health plan or health insurance issuer offering such coverage from—
(A) providing provider-specific cost or quality of care information or data, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, participants or beneficiaries, or individuals eligible to become participants or beneficiaries of the plan or coverage;
(B) electronically accessing de-identified claims and encounter information or data for each participant or beneficiary in the plan or coverage, upon request and consistent with the privacy regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996, the amendments made by the Genetic Information Nondiscrimination Act of 2008, and the Americans with Disabilities Act of 1990, including, on a per claim basis—
(i) financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;
(ii) provider information, including name and clinical designation;
(iii) service codes; or
(iv) any other data element included in claim or encounter transactions; or
(C) sharing information or data described in subparagraph (A) or (B), or directing that such data be shared, with a business associate as defined in section 160.103 of title 45, Code of Federal Regulations (or successor regulations), consistent with the privacy regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996, the amendments made by the Genetic Information Nondiscrimination Act of 2008, and the Americans with Disabilities Act of 1990.
(2) Clarification regarding public disclosure of information. Nothing in paragraph (1)(A) prevents a health care provider, network or association of providers, or other service provider from placing reasonable restrictions on the public disclosure of the information described in such paragraph (1).
(3) Attestation. A group health plan (or health insurance coverage offered in connection with such a plan) shall annually submit to the Secretary an attestation that such plan or issuer of such coverage is in compliance with the requirements of this subsection.
(4) Rules of construction. Nothing in this section shall be construed to modify or eliminate existing privacy protections and standards under State and Federal law. Nothing in this subsection shall be construed to otherwise limit access by a group health plan, plan sponsor, or health insurance issuer to data as permitted under the privacy regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996, the amendments made by the Genetic Information Nondiscrimination Act of 2008, and the Americans with Disabilities Act of 1990.
Disclaimer: The intent of this analysis is to provide the recipient with general information regarding the status of, and/or potential concerns related to, the recipient’s current employee benefits issues. This analysis does not necessarily fully address the recipient’s specific issue, and it should not be construed as, nor is it intended to provide, legal advice. Furthermore, this message does not establish an attorney-client relationship. Questions regarding specific issues should be addressed to the person(s) who provide legal advice to the recipient regarding employee benefits issues (e.g., the recipient’s general counsel or an attorney hired by the recipient who specializes in employee benefits law).
Lead Benefits Counsel, VP, Newfront
Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law.