What Employer Need to Know about the Gag Clause Prohibition Compliance Attestation (GCPCA)

Compliance Deadline: December 31, 2025

Applies To: All Employers

What Are Gag Clauses in Health Plans?

A gag clause is contractual language that restricts your health plan or insurance carrier from sharing critical healthcare cost and quality data. The Consolidated Appropriations Act of 2021 (CAA-21) prohibits these clauses to increase transparency in employer-sponsored healthcare.

Why the GCPCA Matters for Employers

Gag clauses previously prevented you from accessing valuable information about:

• Provider-specific cost data
• Quality-of-care metrics
• Claims information for plan participants
• Healthcare utilization patterns

Removing these restrictions empowers you to make informed decisions about your employee benefits strategy and control rising healthcare costs.

Which Employer Health Plans Must Submit the GCPCA?

The gag clause prohibition and attestation requirement applies to:

• Fully insured group health plans (all sizes)
• Self-insured group health plans (all sizes)
• ERISA-governed plans
• Non-federal governmental plans
• Church plans
• Grandfathered health plans under the ACA

Exemptions

• Health Reimbursement Arrangements (HRAs)
• Account-based health plans
• Excepted benefits (dental, vision standalone plans)

What Contracts Cannot Include Gag Clauses?

Your agreements with the following service providers must not restrict data transparency:

1. Healthcare providers and provider networks
2. Third-party administrators (TPAs)
3. Pharmacy benefit managers (PBMs)
4. Other health plan service providers

Prohibited Contractual Restrictions

Federal regulations prohibit contract terms that prevent your plan or issuer from:

1. Sharing Provider Cost and Quality Data

Your plan must be able to provide provider-specific cost and quality information to:

• Referring physicians and healthcare providers
• Plan sponsors (your organization)
• Plan participants and their dependents
• Eligible future participants

2. Accessing De-Identified Claims Data

Your plan must have electronic access to de-identified claims and encounter data for participants, consistent with:

• HIPAA privacy rules
• Genetic Information Nondiscrimination Act (GINA)
• Americans with Disabilities Act (ADA)

3. Sharing Information with Business Associates

Your plan must be able to share permitted data with business associates and consultants while maintaining HIPAA compliance.

How to Submit Your GCPCA: Step-by-Step Guide

For Fully Insured Plans

If your health plan is fully insured, your insurance carrier can submit the GCPCA on your behalf. When the issuer submits for the plan, both entities satisfy the requirement.

Employer Action Required:

1. Confirm with your insurance carrier that they will submit the attestation by December 31, 2025.
2. Request written confirmation of submission.

For Self-Funded Plans

As the plan sponsor of a self-insured plan, you are ultimately responsible for GCPCA compliance.

Delegation Option: You may enter into a written agreement with your TPA or other service provider to submit the GCPCA on your behalf. However, legal responsibility remains with your organization.

Employer Action Required:

1. Review contracts with your TPA or service providers
2. Execute a written agreement specifying attestation responsibilities
3. Verify submission before the December 31, 2025 deadline
4. Maintain documentation of compliance

GCPCA Submission Process and Portal Access

The Department of Labor, Health and Human Services, and Treasury Departments provide a dedicated portal for submissions through the Centers for Medicare and Medicaid Services (CMS).

Submission Resources

Access the official CMS Gag Clause Attestation Portal to submit your compliance attestation. Download helpful resources from the CMS Gag Clause Compliance page:

• Step-by-step submission instructions
• System user manual
• Reporting entity Excel template
• Technical guidance documentation

Compliance Checklist for Employers

Don't wait until December to address this requirement. The CMS portal may experience high traffic near the deadline, and contract amendments with vendors can take weeks to negotiate and execute. Use this checklist to ensure your organization meets the December 31, 2025 deadline:

Immediate Actions:

• Identify all group health plans requiring attestation
• Review existing contracts with TPAs, carriers, and service providers
• Identify any problematic gag clause language in current agreements
• Determine attestation submission responsibility (carrier, TPA, or internal)

Before Deadline:

• Remove or amend contracts containing prohibited gag clauses
• Execute written agreements delegating attestation submission (if applicable)
• Register for the CMS attestation portal
• Gather required plan information and documentation
• Submit attestation through the CMS portal
• Obtain confirmation of successful submission
• Document compliance for audit purposes

Ongoing:

• Review new vendor contracts for prohibited language
• Prepare for annual attestation requirement in future years
• Leverage newly accessible data to optimize plan performance

Penalties for GCPCA Non-Compliance

While the guidance primarily focuses on compliance requirements, employers should understand that failure to submit the required attestation may result in:

• Department of Labor enforcement actions
• Potential excise taxes under Internal Revenue Code provisions
• ERISA violations for applicable plans
• Legal liability as plan fiduciary

Business Benefits of Gag Clause Elimination

Beyond regulatory compliance, the prohibition on gag clauses provides strategic advantages:

1. Cost Management: Access to provider-specific pricing enables data-driven network design and vendor negotiations.
2. Quality Improvement: Quality-of-care metrics help you steer employees toward high-performing providers.
3. Strategic Planning: Claims data analysis supports benefits strategy development and cost forecasting.
4. Vendor Accountability: Transparency requirements strengthen your position in TPA and carrier negotiations.

GCPCA FAQs for Employers

Does the attestation requirement apply to small employers?

Yes, the requirement applies to group health plans of all sizes, including small employer plans.

What if we have multiple health plan options?

Each group health plan requires a separate attestation, though coordination with carriers may streamline the process.

Is this a one-time requirement?

No, the attestation is required annually. Plans should prepare for ongoing compliance.

Can we rely on our broker to handle this?

While brokers can assist with the process, legal responsibility remains with the plan sponsor. Ensure clear delegation agreements are in place.

What happens if our TPA fails to submit on time?

The plan sponsor remains liable. Implement monitoring procedures and request submission confirmation well before the deadline.

Next Steps for Plan Sponsors

The December 31, 2025, deadline is approaching. Take action now to ensure compliance:

1. Review your plan documentation to identify all applicable health plans
2. Audit existing service provider contracts for prohibited gag clause language
3. Contact your insurance carriers and TPAs to clarify attestation responsibilities
4. Register for the CMS portal and familiarize yourself with submission requirements
5. Document your compliance efforts for recordkeeping and audit purposes

Review the Department of Labor FAQ guidance for comprehensive information about the gag clause prohibition.

Need help with GCPCA compliance? Get in touch with a OneDigital team member to guide you through the requirements while helping you leverage transparency for a competitive advantage.