Group Health Plans Must Submit Gag Clause Attestations by December 31, 2023


On February 23, 2023, the U.S. Departments of Labor, Health and Human Services, and Treasury (the “Departments”) issued joint guidance (“Tri-Agency FAQs”) for group health plans and insurers regarding annual attestations on gag clause prohibition compliance as required under the Consolidated Appropriations Act, 2021 (CAA). Attestations will be due annually on December 31, and the first attestation will be due December 31, 2023.


The CAA, which went into effect on December 27, 2020, established protections for consumers related to transparency and surprise billing in health care. One of the several transparency-related provisions was the Gag Clause Prohibition Compliance Attestation (GCPCA) requirement for group health plans and insurers. Under this provision, group health plans and health insurance issuers offering group health coverage are prohibited from entering into agreements — with health care providers, a network or association of providers, third-party administrators (TPA), or other service providers — that contain gag clauses. 

A gag clause is a contractual provision that “directly or indirectly” restricts access to and sharing of specific data and information that an issuer or plan may make available to a third party. More specifically, group health plans and insurers are prohibited from entering into agreements which contain clauses that restrict electronic access to de-identified claims data or disclosure of provider-specific cost or quality of care information to certain third parties, including plan participants.1 In addition, agreements cannot restrict a plan or insurer from sharing the information or data described above with a business associate con­sistent with the privacy rules under the Health Insurance Portability and Accountability Act, Genetic Information Nondiscrimination Act, and the Americans with Disabilities Act.2 An example of a prohibited gag clause would be a contract between a TPA and a group health plan which states that the plan will pay providers at rates designated as “Point of Service Rates” — but which, because the TPA considers those rates to be proprietary, also includes language stating that the plan may not disclose the rates to plan participants. Group health plans and insurers must annually attest that they are in compliance with the gag clause prohibition.  

The Attestation Process

Which entities are subject to the attestation requirement? 

The Tri-Agency FAQs provide guidance on which entities are required to submit a GCPCA. Fully-insured and self-funded group health plans, including ERISA plans, non-Federal governmental plans and church plans (subject to the Internal Revenue Code) are subject to the GCPCA requirements. Further, the attestation requirements apply regardless of the plan’s grandfathered status. It is important to note that the GCPCA does not apply to “excepted benefits” (e.g., most dental and vision Health Flexible Spending Accounts and Employee Assistance Program plans). The Tri-Agency FAQs also clarify that the GCPCA does not apply to Health Reimbursement Arrangements (including ICHRAs) and other account-based group health plans.

What is the due date for the attestation? 

The GCPCA must be submitted annually. The first GCPCA is due no later than December 31, 2023, and applies to the period from December 27, 2020, through the date of attestation. Subsequent attestations (i.e., covering the period since the last preceding attestation) are due by December 31st of each year. 

How must the attestation be submitted? 

The Tri-Agency FAQs instruct plans and insurers to submit their attestations online3 and provide a corresponding user manual and set of instructions on how to complete and submit the attestation. In addition, the guidance includes a template for providing information required as part of the attestation, as well as a set of FAQs with advice on how to comply with the gag clause prohibition and attestation requirement. 

May third-party administrators and other entities submit the GCPCA on behalf of a group health plan? 

  • Self-funded group health plans may satisfy the GCPCA requirements by having their third-party administrator attest on the plan’s behalf if the parties agree to such in writing. The self-funded health plan should make sure that the administrative services agreement with their TPA confirms that the TPA will be timely submitting the required attestation on the group health plan’s behalf. Note that the employer will ultimately retain responsibility for GCPCA compliance, even where contractually delegating the attestation to the TPA. 
  • With respect to fully insured group health plans, both the group health plan and the insurance carrier are each required to annually submit the GCPCA. However, when the insurance carrier submits the attestation, the government will consider the group health plan and the insurance carrier to have satisfied the attestation submission requirement. Accordingly, employers with fully insured group health plans should not have to separately file the GCPCA because the insurance carrier will be submitting the required attestation, and the insurance carrier’s submission will also count as the group health plan’s submission.  

How is the GCPCA enforced? 

The Tri-Agency FAQs instruct interested parties to contact the No Surprises Help Desk or the Department of Labor if they suspect a violation of the plan’s compliance with the gag clause prohibition. 


In light of this guidance, plan sponsors should review their agreements with their TPAs and other service providers to identify gag clauses and amend accordingly. Plan sponsors should also coordinate with their insurers and service providers to determine who will be submitting the required attestation. Finally, group health plans should review their agreements with their TPAs and insurance carriers to ensure that these agreements address who will be filing the required GCPCA. 


1   However, a health care provider, network or association of providers, or other service providers may place reasonable restrictions on the public disclosure of this information. Pub. L. No. 116-260, tit. II, § 201, 134 Stat. 2890 (2021). 

2  The CAA prohibits clauses that restrict sharing the information described above with business associates for plan design, plan administration, and plan, financial, legal, and quality improvement activities. FAQs About Affordable Care Act and Consolidated Appropriations Act, 2021, Implementation Part 57 (“FAQ 57”). 

3  The website used for GCPCA submission is a module within the Health Insurance Oversight System, which is the same system used for RxDC reporting as required by the CAA.