Gag Clause Prohibition Compliance Attestations Due by December 31, 2025

A “gag clause” is a contractual term that directly or indirectly restricts certain data and information that a health plan or issuer can make available to another party. Under the prohibition, group health plans and insurers cannot enter into agreements that contain language that restricts the disclosure of provider-specific cost or quality of care information to certain third parties. Language that restricts electronic access to de-identified claims and encounter information for individuals upon request is also prohibited (consistent with privacy rules under HIPAA, GINA, and the ADA).

The attestation requirement applies to health insurance carriers and group health plans, including ERISA plans, non-federal governmental plans, church plans, and grandfathered plans – whether insured or self-insured. Excepted benefits (such as standalone dental and vision plans, Health FSAs, and EAPs), HRAs, and other account-based arrangements are not required to submit an attestation.

For fully insured group health plans, most carriers will complete the attestation on behalf of the plan. An employer-sponsor should nonetheless confirm this with the carrier on an annual basis.

Self-insured group health plans can enter into a written agreement with their TPA to complete the attestation on the plan’s behalf (though the legal responsibility for compliance will remain with the employer). Many TPAs, however, are not willing or able to fulfill this requirement. As a result, most employer-sponsors of self-insured group health plans will need to complete the attestation for their plan. 

The attestation is completed through the Centers for Medicaid and Medicare Services’ (CMS’s) Health Insurance Oversight System (HIOS). CMS makes available instructions for completing the attestation, a user manual for submission, and a link to the application.

Note that there is also a link to an Excel file to capture and upload data to CMS, but this is only required of entities reporting on behalf of multiple parties, such as an insurance carrier reporting on behalf of multiple health plans. Most employers will not use the Excel file and will instead enter their data directly within the HIOS platform.

After confirming with insurance carriers, TPAs, and/or other service providers that agreements do not contain gag clauses, below are steps an employer should take to complete the attestation (these are also detailed in the CMS instructional manual under Option A on p. 8):

Steps 1 and 2: Enter information in the system on the Submitter and the Attester. The Submitter is the individual who is filling in the information in the system; the Attester is someone with the legal authority to act on behalf of the employer. The Submitter and the Attester can be, but are not required to be, the same individual.

Step 3: Enter information about the Responsible Entity, which is the group health plan (or GHP). Information to be reported includes the employer’s name and EIN, the ERISA plan number, contact information, and information about the type of provider agreement(s) to which the attestation relates. An employer may submit an attestation that relates to some agreements under the plan, while another party, such as an insurance carrier, may submit a separate attestation that relates to the reamining agreements under the plan. In this instance, there is no need for the employer to indicate that another party will attest for the remainder of the agreements.

Step 4: If the Attester and Submitter are different individuals, the Submitter will verify the accuracy of the information entered and the system will then notify the Attester that the submission is ready. This notification will come in the form of an email to the Attester from CMS.

Step 5: The Attester will review the information in the system, electronically sign, and submit the attestation.

Employer-sponsors of group health plans should reach out to their carriers or TPAs to confirm whether the attestation will be completed on the plan’s behalf. If not, the employer will need to complete the attestation directly by following the steps above. Going forward, employers can look to include language about the annual completion of the attestation in carrier and TPA agreements.