Under the rules adopted by Congress in the Consolidated Appropriations Act, 2021 (CAA), group health plans and health insurance issuers of both fully insured and self-funded plans must certify that their contracts with providers, networks, third-party administrators (TPAs), pharmacy benefit managers (PBMs), or other service providers do not contain “gag clauses.”
Under the CAA, a “gag clause” is any contractual term that directly or indirectly restricts the plan or issuer from sharing or giving access to certain data. Specifically, the prohibition covers:
- Sharing provider-specific cost or quality-of-care data with plan sponsors, participants, beneficiaries, enrollees or eligible individuals.
- Providing electronic access, upon request, to de-identified claims and encounter data (financials, service codes, provider identifiers, etc.), subject to applicable privacy laws.
- Allowing data to be shared with business associates, consistent with privacy rules under HIPAA, GINA, and the ADA.
The gag-clause prohibition is a core part of the CAA’s transparency agenda and is intended to ensure that cost and quality data, plus claims information, remain accessible to the plan sponsor, participants, and other stakeholders for monitoring, decision-making, and cost management.
The Gag Clause Prohibition Compliance Attestation (GCPCA) must be submitted through the Centers for Medicare & Medicaid Services (CMS) Health Insurance Oversight System (HIOS). Users access HIOS through the CMS Enterprise Portal and register for a CMS IDM account. Additional information is available in the HIOS Reference Guide
Who Must File and Who Can Delegate
Fully insured plans: The insurance carrier (issuer) technically must file the GCPCA and often does so on behalf of the employer. Plan sponsors should confirm in writing that the carrier will submit the attestation on their behalf and keep that confirmation on record.
Self-funded (or level-funded) plans: The employer plan sponsor is ultimately responsible for filing. Many self-funded plans rely on their TPA or other plan service providers (PBM, behavioral-health vendor, etc.) to submit the attestation. However, even when the plan delegates filing, the legal obligation remains with the plan sponsor.
In either case, plan sponsors should review all current contracts, including downstream agreements entered by TPAs and PBMs to ensure no prohibited gag-clause language exists, even if the sponsor is not directly a party to the agreement.
Employer Considerations
With the December 31, 2025, deadline just weeks away, plan sponsors should:
- Confirm in writing with carriers, TPAs or PBMs whether they will submit the GCPCA on the plan’s behalf.
- If the plan sponsor must file, review all provider, TPA, PBM, and network-vendor agreements now to confirm there are no gag-clause provisions (including in downstream agreements).
- If any prohibited clause exists, request that the vendor remove it. If not removed, be prepared to self-report the clause in the “Additional Information” section of the GCPCA form. The agencies have said that good faith self-reporting will be taken into account.
- Submit the GCPCA via the CMS HIOS webform before Dec. 31, 2025, and retain a copy of the confirmation receipt and related documentation with your plan’s compliance records.