The Consolidated Appropriations Act has been nothing if not consistent in reworking the approach to how group health plans are designed, operated, and reported. A leading contender for the most formidable task under the CAA would likely be the Gag Clause Prohibition Compliance Attestation (GCPCA), a labor-intensive and arduous proclamation that you are, in fact, compliant.

The Departments of Labor (the “DOL”) and Health and Human Services (“HHS”) are now emphatically enforcing the CAA requirements for transparency in health coverage by requiring the gag clause attestations. In short, a gag clause is a contractual provision that restricts the amount of specific data and limits the circumstances in which a plan or provider may share with other parties. Before the CAA, gag clauses were common in many TPA, PBM, or healthcare provider agreements, to name a few. With the enactment of CAA, such clauses are prohibited in regard to specific items, and plans must annually submit an attestation that they have not entered into any contractual agreements, including clauses deemed in violation of CAA.

The CAA prohibits the following from being subject to a gag clause:

• Provider-specific cost or quality of care information or data through consumer engagement tools or any other means
• Electronic de-identified claims and encounter information or data for individuals upon request
• The ability to share information or data in 1) and 2) above (or to direct information be shared) with a HIPAA business associate, consistent with HIPAA, GINA, and the ADA

To be clear, healthcare providers, networks, or other service providers are not prohibited from placing reasonable restrictions that are not listed above.

Time is of the essence! The first Compliance Attestation is due no later than December 31, 2023, and must cover a timeframe starting December 27, 2020 (or the effective date of the plan or health insurance coverage if later) through the date of attestation.

According to the CMS website, “In order to satisfy the requirement to submit an annual attestation of compliance, plans, and issuers should submit their attestation via the webform by selecting the link for ‘Gag Clause Prohibition Compliance Attestation’ at Gag Clause Prohibition Compliance Attestation | CMS. “

Make no mistake, the instructions are lengthy, the templates are detailed, and the responsibilities are defined but complicated.

Compliance Attestations must be submitted by:

• Health insurance issuers in both the group health and individual markets,
• Fully insured as well as self-insured group health plans, including plans that are grandfathered and grandmother

Entities not required to attest:

• Plans or issuers offering only excepted benefits
• Issuers offering only short-term, limited-duration insurance
• Medicare and Medicaid; a state’s Children’s Health Insurance Program (“CHIP”)
• Tricare; the Indian Health Services Program; Basic Health Programs plans
• HRAs, including ICHRAs and other account-based group health plans

Now the important question is, who is a reporting entity? According to CMS, a Reporting Entity is defined as:

“A Reporting Entity is a plan or issuer that is subject to Code section 9824, ERISA section 724, and PHS Act section 2799A-9, as applicable, and has directly or indirectly—generally through a third-party administrator (TPA) or a vendor, such as a Pharmacy Benefit Manager (PBM), Independent Practice Association (IPA), or Behavioral Health Manager (BHM)—entered into an agreement(s) with health care providers, network or association of providers, third-party administrators, or other service providers offering access to a network of providers. The Reporting Entity is responsible for ensuring it annually attests, or that another party (such as its TPA or vendor) attests on its behalf, that the Reporting Entity complies with the prohibition on gag clauses.”

The Reporting Entity is responsible for ensuring it annually attests, or that another party (such as its TPA or vendor) attests on its behalf, that the Reporting Entity complies with the prohibition on gag clauses. A plan may attest on its own behalf.

Impact on Fully Insured Plans

The statute requires fully insured group health plans (employer) and insurance carriers offering group health insurance coverage to submit a GCPCA annually. However, if the insurance carrier submits a GCPCA on behalf of the plan, the Departments will consider both the plan and issuer to have satisfied the attestation submission requirement. Issuers can attest for fully-insured plans, including non-Federal governmental and church plans.

Impact on Self-Insured Plans

Self-funded may satisfy the GCPCA requirement by entering into a written agreement under which the plan’s service provider agrees to attest on its behalf. For example, the TPA of the plan submits the GCPCA for the plan.

If the plan utilizes more than one TPA, each one may attest on the plan’s behalf with respect to the benefit it administers. However, be cautious if this option is selected. For if a self-funded plan enters into such an agreement, and a TPA fails to submit the plan’s attestation, the plan will be in violation of the requirement and subject to applicable penalties.

A valid concern of any Plan Sponsor may be possible penalties for noncompliance with the GCPCA. Plan Sponsors who fail to comply with the GCPCA requirements may be subject to civil penalties of up to $100 per day per affected individual.

We highly recommend that Plan Sponsors work closely with legal counsel to ensure any contracts in place do not contain prohibited gag clauses. It is also imperative that plans and issuers contact their attesting entity directly to review contracts with any reporting entities to confirm intentions to attest and submit. Proof of the submission is also highly recommended.