The Consolidated Appropriations Act of 2021 (CAA) prohibits group health plans and issuers from entering into agreements with health care providers, third party administrators (TPAs) or other service providers that contain “gag clause” provisions which directly or indirectly restrict the plan or insurer from: 

• Making provider-specific cost or quality-of-care information available to active or eligible participants, beneficiaries, enrollees, plan sponsors or referring providers 

• Electronically accessing de-identified claims information for each participant, beneficiary or enrollee upon request and consistent with applicable privacy regulations 

• Sharing the information described above or directing such information to be shared with a business associate, consistent with applicable privacy regulations 

Gag Clause Prohibition Compliance Attestation (GCPCA) Due by December 31: 

Group health plans and issuers are required to submit attestations annually by December 31^st each year through the GCPCA submission portal. 

Who Must Submit? 

The attestation requirement applies to fully insured and self-insured group medical plans (including pharmacy benefits) and stand-alone behavioral health, wellness, telehealth or other programs offering medical benefits.   

• Fully Insured Plans: Both the plan sponsor and issuer are responsible for the attestation.  However, the requirement is considered satisfied if the issuer submits an attestation on behalf of the insured health plan. 

• Self-Insured Plans: The plan sponsor is responsible for the attestation but may delegate to a TPA via written agreement. 

HIPAA excepted benefits, account-based plans, limited duration coverage and Medicare / Medicaid plans are generally not subject to the requirement.  

New for 2025: 

In January 2025, the Department of Labor released FAQs that provided examples of impermissible restrictions, as well as the following clarifications and guidance: 

• Downstream Agreements: Agreements between TPAs or other service providers and third parties that restrict access to cost, quality, or claims data would be a prohibited gag clause.  Plan sponsors are expected to include language in their agreements with TPAs or service providers prohibiting such downstream agreements.   

• Discretionary Clauses: Agreements that allow access to cost, quality, or claims data only at the discretion of the TPA or other provider are considered prohibited gag clauses. 

• Reporting Non-Compliance: Health plans and issuers who have entered into non-compliant agreements must still submit an annual GCPCA and identify any non-compliant provisions and service providers.  

Client Actions: 

• Review agreements with TPAs and other service providers for prohibited gag clauses and document efforts to remove  

• Obtain TPA or service provider confirmation that no downstream agreements impermissibly restrict data access  

• Add language to TPA or other service provider agreements prohibiting them from entering into downstream agreements that contain impermissible restrictions  

• Coordinate with TPAs or carriers to determine who will submit the attestation 

Additional Resources: 

The GCPCA webpage contains additional information and resources, including electronic submission instructions, user manual and FAQs 

GCPA submission website 

This alert is for general informational purposes only and is not legal advice. If legal advice, counsel, or representation is needed, the services of a legal professional should be sought. For additional information or clarification, please contact your Piper Jordan account team directly for assistance.