Federal Health & Welfare Updates

New CAA 2021 FAQs Address No Gag Clause Requirements

February 11, 2025

On January 14, 2025, the DOL, HHS, and IRS (the departments) issued FAQs Part 69, which provides additional guidance regarding the CAA 2021 gag clause prohibition and attestation requirement. FAQs Part 69 follows prior gag clause FAQs (FAQs Part 57), which we covered in a February 2023 article. (The Part 69 FAQs also address certain aspects of the No Surprises Act independent resolution process (IDR) following recent litigation; these IDR FAQs are not discussed in this article.)

Gag Clause Prohibition: Background

The CAA 2021 prohibits group health plans and insurers from entering contracts with healthcare providers, provider networks, TPAs, or other service providers that directly or indirectly restrict 1) the disclosure of provider-specific cost or quality of care information to the plan sponsor or participants, 2) the plan or insurer’s electronic access to de-identified claim and encounter information (per privacy regulations), and 3) sharing the information in 1) or 2) with a business associate.

Plans and insurers must submit an annual attestation of compliance with these gag clause prohibitions.

FAQs Part 69

Downstream Agreements

The newly issued FAQs address several specific issues. First, FAQ #6 confirms that the gag clause prohibition not only precludes plans from directly entering into agreements that contain gag clauses, but also prohibits any restrictions contained in “downstream” agreements. For example, contract terms between a TPA and a provider network that restrict the TPA from sharing relevant cost information with a plan, so that the plan could not provide such information to a business associate, would indirectly restrict the plan (even if the plan is not a party to the network agreement). As a result, the plan would be in violation of the gag clause prohibition.

Accordingly, to ensure compliance with the gag clause prohibition, the departments expect plans to include provisions in their direct contracts with TPAs and other service providers that prohibit downstream agreements that violate the CAA 2021.

Employer Takeaway: This FAQ is consistent with prior informal CMS guidance stating that plans should request written confirmation from TPAs and other service providers that they have not entered network contracts with prohibited gag clauses. Employers should now seek to have such confirmation memorialized in their service contracts.

De-Identified Claims Data

FAQ #7 states that the gag clause prohibition prohibits a plan or insurer from entering into an agreement that could have the effect of restricting the plan from providing de-identified claims data to a business associate. For example, if an agreement permits the plan to share de-identified claims data with a business associate only at the discretion of the TPA offering access to a network, the agreement contains an impermissible gag clause.

FAQ #8 explains that any limitation on the scope, scale, or frequency of electronic access to de-identified claim and encounter information or data is prohibited, to the extent the provision places unreasonable limits on the ability of plans to access such information or data "upon request" as required by the CAA 2021. The FAQ further provides the following non-exhaustive examples of restrictions on an audit or claims review that would be considered impermissible gag clauses:

  • Limiting access to a statistically significant or the "minimum necessary" number of de-identified claims.
  • Limiting the scope of access to the data to specific, narrow purposes (such as limiting access to the context of an audit).
  • Unreasonably limiting the frequency of claims reviews (e.g., no more than once per year).
  • Limiting the number and types of de-identified claims that a plan or insurer may access.
  • Restricting the data elements of a de-identified claim that a plan or insurer may access.
  • Providing access to de-identified claims data only on the TPA's or service provider's physical premises.

Employer Takeaway: Access to de-identified claim and encounter data is important, particularly if a business associate is to perform a claims and cost review or analysis for the plan. Employers should pay particular attention to restrictions on access to de-identified claims and encounter data found in non-disclosure agreements (NDAs), which service providers typically require employers to enter before releasing data. These NDAs often attempt to narrowly define the scope of the plan’s access to data or ability to share it with a business associate.

Reporting Noncompliance

Finally, FAQ #9 states that if a plan enters an agreement that violates the gag clause prohibition (including indirectly because of a TPA or service provider’s impermissibly restrictive downstream agreement), the plan must identify the noncompliant provision as part of their attestation using the Gag Clause Prohibition Compliance Attestation (GCPCA) webform system in the text box labeled "Additional Information" on Step 3. Such additional information should include the name of the TPA or service provider, conduct by the service provider that shows they interpret the agreement to contain a prohibited gag clause, information on the plan's requests to remove the prohibited gag clause, and any other steps the plan has taken to come into compliance with the provision.

According to the FAQ, if plans submit a GCPCA with such additional information, the provision could still be considered a prohibited gag clause and subject to enforcement action, but the plan will have satisfied the GCPCA requirement. However, the departments will consider the plan’s good faith effort to self-report a prohibited gag clause in any enforcement action.

Employer Takeaway: This FAQ highlights the importance of screening for gag clauses prior to entering contracts. Employers should discuss their attestation submission for noncompliant provisions with legal counsel, especially since the employer’s self-reporting in accordance with this FAQ does not necessarily alleviate enforcement action against the employer.

FAQs About CAA 2021 Implementation Part 69

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
