Understanding Gag Clause Prohibition Compliance
SUMMARY
The Consolidated Appropriations Act of 2021 significantly impacts group health plan fiduciaries by eliminating restrictions on data transparency and requiring fiduciaries to monitor their service providers. The Department of Labor mandates that plan sponsors ensure plan resources are used correctly, with failure to uphold fiduciary duties leading to severe penalties. This white paper explores the implications of gag clause prohibitions, the importance of claims audits, and how plan sponsors can comply with these regulations to safeguard their fiduciary responsibilities.
The impact of the CAA on Health Plan Fiduciaries
The Consolidated Appropriations Act of 2021 (CAA) introduces key provisions that:
Eliminate restrictions on data transparency
Require plan fiduciaries to monitor the performance of their service providers
The Department of Labor (DOL) mandates that sponsors of health plans ensure fiduciary obligations are met, preventing misuse of plan resources. Non-compliance can lead to financial, legal, and sometimes criminal penalties for the plan sponsor.
Gag Clause Prohibition Requirements
Under the CAA, group health plan sponsors cannot enter into agreements that restrict access to cost or quality of care information. This includes agreements with:
Third-Party Administrators (TPAs)
Insurers
Networks
Healthcare providers
The prohibition also mandates unrestricted electronic access to de-identified claims and encounter data for each participant, beneficiary, or enrollee, ensuring transparency while adhering to privacy regulations. This includes access for Business Associates subject to applicable privacy regulations.
CHALLENGES IN CLAIMS AUDITING DUE TO GAG CLAUSES
To fulfill their fiduciary obligation of monitoring service provider performance, many health plan sponsors consider claims audits as the "gold standard." However, they often face resistance from TPAs, insurers, and healthcare provider networks that impose restrictions on data access. These restrictions may include:
Allowing only “statistically valid random sampling” for audit selection
Providing “minimally necessary” data to limit the scope of audits
The HIPAA "minimum necessary rule" states that only the data necessary to accomplish an intended purpose should be disclosed. When plan sponsors request data, they are requesting the minimum necessary data to aid them in satisfying their fiduciary duty to administer plan cost-effectively. This aligns with HIPAA’s permitted disclosures for health care operations as defined under 45 CFR §164.501, including:
Population-based cost reduction activities
Medical reviews, legal services, and fraud detection
Cost management and business planning analyses
Refusal to provide data for auditing purposes is a clear violation of the CAA’s gag clause prohibitions.
REGULATORY GUIDANCE AND COMPLIANCE MEASURES
On January 14, 2025, the DOL, Health and Human Services (HHS), and the Treasury issued “FAQs About Consolidated Appropriations Act, 2021 Implementation Part 69”, providing additional compliance clarifications.
Q&A 8 of the guidance identifies several impermissible gag clauses, including:
Limiting access to a statistically significant number of de-identified claims
Restricting data access to specific, narrow purposes (e.g., audits only)
Unreasonably limiting claims reviews (e.g., no more than once per year)
Restricting the number and types of de-identified claims accessible
Limiting the data elements included in de-identified claims
Requiring access to de-identified data only on the TPA’s physical premises
The DOL has noted that this is not an exhaustive list and additional prohibited clauses may be shared in the future.
ANNUAL GAG CLAUSE PROHIBITION COMPLIANCE ATTESTATION
Health plans and insurers must submit a Gag Clause Prohibition Compliance Attestation (GCPCA) on an annual basis. The first attestation deadline was December 31, 2023, with subsequent attestations due annually by December 31.
Identifying Hidden Gag Clauses
Plan sponsors must carefully examine agreements for gag clauses, which may not be explicitly labeled as such. These restrictions can exist in:
Administrative Services Only (ASO) agreements
Non-disclosure agreements (NDAs)
Confidentiality agreements
Audit agreements
Agreements between claims payers and healthcare providers/networks
It is essential for plan sponsors to thoroughly review agreements to ensure compliance with the Gag Clause Prohibition Requirements to avoid potential penalties.
Conclusion
The CAA's gag clause prohibition provisions significantly impact health plan fiduciaries, requiring full transparency and unrestricted data access. Claims audits play a critical role in ensuring compliance, but plan sponsors must be vigilant in identifying hidden gag clauses that hinder their ability to fulfil fiduciary responsibilities. By conducting thorough agreement reviews and complying with annual attestations, plan sponsors can meet regulatory expectations, safeguard plan assets, and uphold their obligations to plan participants.