Understanding Gag Clause Prohibition Compliance

 

SUMMARY

The Consolidated Appropriations Act of 2021 significantly impacts group health plan fiduciaries by eliminating restrictions on data transparency and requiring fiduciaries to monitor their service providers. The Department of Labor mandates that plan sponsors ensure plan resources are used correctly, with failure to uphold fiduciary duties leading to severe penalties. This white paper explores the implications of gag clause prohibitions, the importance of claims audits, and how plan sponsors can comply with these regulations to safeguard their fiduciary responsibilities.


The impact of the CAA on Health Plan Fiduciaries

The Consolidated Appropriations Act of 2021 (CAA) introduces key provisions that:

  • Eliminate restrictions on data transparency

  • Require plan fiduciaries to monitor the performance of their service providers

The Department of Labor (DOL) mandates that sponsors of health plans ensure fiduciary obligations are met, preventing misuse of plan resources. Non-compliance can lead to financial, legal, and sometimes criminal penalties for the plan sponsor.

Gag Clause Prohibition Requirements

Under the CAA, group health plan sponsors cannot enter into agreements that restrict access to cost or quality of care information. This includes agreements with:

  • Third-Party Administrators (TPAs)

  • Insurers

  • Networks

  • Healthcare providers

The prohibition also mandates unrestricted electronic access to de-identified claims and encounter data for each participant, beneficiary, or enrollee, ensuring transparency while adhering to privacy regulations. This includes access for Business Associates subject to applicable privacy regulations.


CHALLENGES IN CLAIMS AUDITING DUE TO GAG CLAUSES

To fulfill their fiduciary obligation of monitoring service provider performance, many health plan sponsors consider claims audits as the "gold standard." However, they often face resistance from TPAs, insurers, and healthcare provider networks that impose restrictions on data access. These restrictions may include:

  • Allowing only “statistically valid random sampling” for audit selection

  • Providing “minimally necessary” data to limit the scope of audits

The HIPAA "minimum necessary rule" states that only the data necessary to accomplish an intended purpose should be disclosed. When plan sponsors request data, they are requesting the minimum necessary data to aid them in satisfying their fiduciary duty to administer plan cost-effectively. This aligns with HIPAA’s permitted disclosures for health care operations as defined under 45 CFR §164.501, including:

  • Population-based cost reduction activities

  • Medical reviews, legal services, and fraud detection

  • Cost management and business planning analyses

Refusal to provide data for auditing purposes is a clear violation of the CAA’s gag clause prohibitions.


REGULATORY GUIDANCE AND COMPLIANCE MEASURES

On January 14, 2025, the DOL, Health and Human Services (HHS), and the Treasury issued “FAQs About Consolidated Appropriations Act, 2021 Implementation Part 69”, providing additional compliance clarifications.

Q&A 8 of the guidance identifies several impermissible gag clauses, including:

  • Limiting access to a statistically significant number of de-identified claims

  • Restricting data access to specific, narrow purposes (e.g., audits only)

  • Unreasonably limiting claims reviews (e.g., no more than once per year)

  • Restricting the number and types of de-identified claims accessible

  • Limiting the data elements included in de-identified claims

  • Requiring access to de-identified data only on the TPA’s physical premises

The DOL has noted that this is not an exhaustive list and additional prohibited clauses may be shared in the future.


ANNUAL GAG CLAUSE PROHIBITION COMPLIANCE ATTESTATION

Health plans and insurers must submit a Gag Clause Prohibition Compliance Attestation (GCPCA) on an annual basis. The first attestation deadline was December 31, 2023, with subsequent attestations due annually by December 31.

Identifying Hidden Gag Clauses

Plan sponsors must carefully examine agreements for gag clauses, which may not be explicitly labeled as such. These restrictions can exist in:

  • Administrative Services Only (ASO) agreements

  • Non-disclosure agreements (NDAs)

  • Confidentiality agreements

  • Audit agreements

  • Agreements between claims payers and healthcare providers/networks

It is essential for plan sponsors to thoroughly review agreements to ensure compliance with the Gag Clause Prohibition Requirements to avoid potential penalties.


Conclusion

The CAA's gag clause prohibition provisions significantly impact health plan fiduciaries, requiring full transparency and unrestricted data access. Claims audits play a critical role in ensuring compliance, but plan sponsors must be vigilant in identifying hidden gag clauses that hinder their ability to fulfil fiduciary responsibilities. By conducting thorough agreement reviews and complying with annual attestations, plan sponsors can meet regulatory expectations, safeguard plan assets, and uphold their obligations to plan participants.