Effective in 2020, the Consolidated Appropriations Act, 2021 (CAA) prohibits health plans and health insurance issuers from entering into contracts with health care providers, third-party administrators (TPAs), or other service providers that contain gag clauses (i.e., clauses restricting the plan or issuer from providing, accessing or sharing certain information about provider price and quality and de-identified claims).
Plans and issuers must annually submit an attestation of compliance with the CAA’s gag clause prohibition to the Departments of Labor, Health and Human Services, and the Treasury (Departments). The attestation is due on Dec. 31 each year, covering the period since the last attestation.
Employers should review their contracts with issuers, TPAs, or other health plan service providers to confirm they do not contain prohibited gag clauses. Also, employers should review what actions they may need to take to comply with the gag clause attestation requirement in advance of the deadline each year. Employers with fully insured health plans do not need to submit an attestation if the issuer of their health plan submits the attestation. Employers with self-insured health plans can contractually delegate this responsibility to their TPAs if their TPA is willing to submit the attestation.
Prohibition on gag clauses
A gag clause is a contractual term that directly or indirectly restricts specific data and information that a health plan or issuer can make available to another party. The CAA generally prohibits group health plans and issuers from entering into agreements with health care providers, TPAs, or other service providers that include certain gag clause language.
Specifically, these contracts cannot restrict a plan or issuer from the following three actions:
1. Providing provider-specific cost or quality-of-care information or data to referring providers, the plan sponsor, participants, beneficiaries, or enrollees (or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage).
2. Electronically accessing de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), and the Americans with Disabilities Act (ADA).
3. Sharing information or data described in 1 and 2 above or directing such information to be shared with a business associate, consistent with applicable privacy rules.
For example, if a contract between a TPA and a health plan provides that the plan sponsor’s access to provider-specific cost and quality-of-care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause.
Employers must ensure their health plan agreements with TPAs or other service providers offering access to a network of providers do not contain provisions that violate the CAA’s prohibition of gag clauses. They should also include provisions that prohibit the TPA or other service providers from entering into a downstream agreement with a prohibited gag clause.
Downstream agreements
The Departments' FAQs from January 2025 address how the prohibition on gag clauses applies to separate agreements that a health plan’s or issuer’s TPA or other service provider may have with other entities that provide or administer the plan’s network (i.e., downstream agreements). According to the FAQs, if such downstream agreements restrict the health plan or issuer from providing, accessing, or sharing the relevant information or data, this would be a prohibited gag clause, even if the plan or issuer is not a party to the agreement.
To comply with the gag clause prohibition, the Departments expect that, in their direct contracts with TPAs or other service providers, plans and issuers will include provisions that prohibit the TPA or other service provider from entering into a downstream agreement that restricts the plan or issuer from sharing relevant information or data.
De-identified claims data
The Departments' FAQs from January 2025 clarify that, to comply with the prohibition on gag clauses, health plans and issuers cannot enter into an agreement with a TPA or another service provider that restricts the plan or issuer from providing de-identified claims data to a business associate (consistent with applicable privacy rules), except at the discretion of the TPA or other service provider.
For example, if an agreement permits the health plan to share de-identified claims data with a business associate only at the discretion of a TPA or another service provider offering access to a network, the agreement contains an impermissible gag clause.
Also, a limitation on the scope, scale, or frequency of electronic access to de-identified claims and encounter information or data is considered a prohibited restriction under the gag clause prohibition to the extent the provision places unreasonable limits on the ability of plans and issuers to access such information or data “upon request,” as required by the CAA.
Gag clause compliance attestations
Health plans and issuers must annually submit an attestation of their compliance with the CAA’s prohibition of gag clauses to the Departments. The first attestation was due on Dec. 31, 2023, covering the period beginning Dec. 27, 2020, through the date of the attestation. Subsequent attestations are due on Dec. 31 of each following year, covering the period since the last attestation. The deadline for submitting the next attestation is Dec. 31, 2025.
Gag clause attestations must be submitted electronically. The Departments have provided instructions for submitting the attestation, a system user manual, and FAQs, all of which are listed under Links and resources below.
According to the Departments' FAQs, health plans and issuers that do not submit their attestations by the deadline may be subject to enforcement action.
Covered health plans
The attestation requirement applies to fully insured and self-insured group health plans, including ERISA plans, nonfederal governmental plans, and church plans. Additionally, this requirement applies regardless of whether a plan is considered “grandfathered” under the ACA. However, plans that provide only excepted benefits and account-based plans, such as health reimbursement arrangements (HRAs), are not required to submit an attestation.
Relying on issuers/TPAs to submit attestation
With respect to fully insured group health plans, the health plan and the issuer are each required to submit a gag clause compliance attestation annually. However, when the issuer of a fully insured group health plan submits a gag clause compliance attestation on behalf of the plan, the Departments will consider the plan and issuer to have satisfied the attestation submission requirement. Thus, employers with fully insured health plans do not need to submit an attestation if the issuer of their health plan submits the attestation.
Employers with self-insured health plans can satisfy the gag clause compliance attestation requirement by entering into a written agreement under which the plan’s service provider, such as a TPA, will provide the attestation on the plan’s behalf.
However, even if this type of agreement is in place, the legal requirement to provide a timely attestation remains with the health plan. Also, some service providers have indicated they are unwilling to submit attestations for their self-insured groups. In this case, employers may need to submit the attestations for their health plans.
Disclosing prohibited gag clauses
Health plans and issuers are required to submit the annual gag clause attestation even if they are aware that they have entered into an agreement that violates the gag clause prohibition. Plans and issuers must identify the noncompliant provision as part of their attestation, using the text box labeled “Additional Information” in Step 3 of the online system for this purpose.
Such additional information should include:
- Any prohibited gag clauses that a service provider has refused to remove
- The name of the TPA or service provider with which the plan or issuer has the agreement containing the prohibited gag clause
- Conduct of the service provider that shows the service provider interprets the agreement to contain a prohibited gag clause
- Information on the plan’s or issuer’s requests that the prohibited gag clause be removed from such agreement
- Any other steps the plan or issuer has taken to come into compliance with the provision
Even if a health plan or issuer submits this additional information, the provision in question could still be considered a prohibited gag clause and may be subject to enforcement action by the Departments. However, the Departments will take into account good-faith efforts to self-report a prohibited gag clause in any such enforcement action.
Links and resources
- Frequently asked questions (FAQs) on the CAA’s prohibition on gag clauses from February 2023 and January 2025
- CMS Website for submitting gag clause attestations
- The latest instructions and user manual for submitting attestations
Provided to you by Christensen Group Insurance
This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. ©2025 Zywave, Inc. All rights reserved.