Are You Prepared for the December 31, 2025 Gag Clause Attestation Deadline?

Background    When the Consolidated Appropriations Act, 2021 (CAA) was enacted by Congress on December 27, 2020, the law included a provision preventing group health plans and health insurance carriers from entering into health plan services contracts (such as a third-party administrator or health care provider contracts) with gag clauses that restrict or prohibit the amount of information shared with plan participants or beneficiaries, but specifically: 

• Any provider-specific costs 
• Any quality-of-care or specific treatment option information. 
• Electronic access to de-identified health claims data, including claim-related financial information, service codes, or provider information. 
• Sharing any of the above dates with the plan’s business associates, as governed by the privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

  Gag Clause Prohibition Compliance Attestation (GCPCA)    Per the CAA, health plans, insurers, and other health plan vendors are required to attest to their compliance with the GCPCA annually by December 31st. The Departments have provided updated FAQs for 2025 that include additional details and clarifications for this year’s submission.  

Updates for 2025: Notable changes include: 

• Downstream Agreements: A “downstream agreement” exists when a plan’s TPA or other service provider has its own separate agreement with another entity to administer the plan’s network. The FAQs clarify that in situations in which these downstream agreements are written to restrict the plan’s ability to provide, access, or share data available to the carrier with the plan sponsor, business associates, participants, etc., the agreement indirectly violates the Gag Clause Prohibition despite the employer’s plan not being a party to said downstream agreement.  

• De-identified Claims Data: To the extent the terms of an agreement between a plan and TPA and/or other service provider prevent or limit a plan or issuer from sharing, or directing such information be shared, with a business associate, consistent with applicable privacy regulations, the agreement would violate the Gag Clause Prohibition. The FAQs provide the following examples of restrictions on an audit or claims review that would constitute an impermissible gag clause: 

  • Unreasonably limiting frequency of claims reviews 
  • Limiting the number and types of de-identified claims or restricting the data elements of a de-identified claim a plan or issuer may access 
  • Limiting the scope of access to the data to specific or narrow purposes 
  • Limiting access to statistically significant or the “minimum necessary”  
  • Providing access to de-identified claims data only on TPA’s and/or service provider’s physical premises.  
• Annual Attestation: The FAQs clarify that in cases in which an agreement violates the Gag Clause Prohibition, and the plan has been unable to remove the non-compliant provision, it is the plan’s responsibility to identify the non-compliant provision as part of their attestation. Plans may use the GCPCA webform system in the text box labelled “Additional Information,” on Step 3 for this purpose. Plans that submit an attestation that includes additional information will be considered to satisfy the attestation requirement and the Departments will take into account good-faith efforts to self-report a prohibited gag clause in the event the Departments bring enforcement action. 

Employer Actions: 

1. Determine whether contracts with carriers (e.g., medical carriers, TPAs, PBMs, managed behavioral health organizations, and/or other service providers offering access to a network of providers) contain gag clauses.  
2. Confirm whether their carriers will be assisting with the attestation.  
3. Fully Insured Plans: Plan sponsors with fully insured plans are typically able to rely on their carriers to submit the attestation. Submission by the carrier on the plan sponsor’s behalf will be considered satisfactory by the Departments. Fully insured plan sponsors should still retain confirmation that gag clauses are removed and that the submission has been made on their behalf for their records. 
4. Self-Funded Plans: Plan sponsors with self-insured or partially self-insured plans may satisfy the attestation requirements by entering into a written agreement in which the plan’s service provider(s) will attest on the plan’s behalf. While plan sponsors may be able to rely on their carriers, ultimately the legal requirement to submit the attestation remains with the plan. Plan sponsors should retain the confirmations from their carriers for their records. 
5. Prepare the GCPCA if carriers are not attesting on plan sponsors’ behalf or contract with a third-party to submit the attestation. Plan sponsors may opt to submit the attestation on their own behalf regardless of whether their carriers are attesting for them.  
6. If your agreements contain impermissible gag clauses, consider self-reporting by including additional information on Step 3 of the webform. 
7. Submit the attestation to CMS’s HIOS system by December 31, 2025.  

Innovative has been working with carriers to confirm their approach for 2025 and is prepared to assist employers with satisfying their reporting obligations ahead of the December 31st deadline. For additional information or assistance with the attestation, please contact your Account Team.