Article by Dorothy Cociu, published in HR Tech Outlook and Manage HR magazines. Read the full article at either site.
By: Dorothy Cociu, RHU, REBC, GBA, RPA
President, Advanced Benefit Consulting & Insurance Services, Inc.
Another year, another new Federal requirement for health plans and employers who sponsor them. So, what is it this year? Besides of course the CAA’s RxDC filing requirements in HIOS (originally due December, 2022, but pushed back to January 31, 2023 for reference years 2020 and 2021, and June 1, 2023 for 2022 reference years, which had employers, brokers, TPAs, pharmacy benefit managers and more scrambling to comply with), we now have the end of the year filing requirement for the CAA’s Gag Clause Prohibitions and Attestations.
Hopefully, this isn’t the first time you’re hearing about this requirement… Perhaps it’s more like “Oh, yeah, another annoying filing requirement… I guess I better start thinking about that now.”
Yes, it is another requirement within CMS’ HIOS portal, but the good news is, it’s not as difficult as the RxDC Submission Process. But I will get to that process later. Let me start from the beginning.
So, what does this all actually mean? Basically, it means that employer-sponsored group health plans and issuers (like insurance companies and HMOs) cannot have any “gag clauses” in their contracts that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party in their contracts. I’ll come back to this later.
Background
The CAA was one of the largest bills ever passed by Congress, and had several years of requirements for health plans, plan sponsors, issuers, PBMs, TPAs and more. One of the last provisions of the CAA is the prohibition on Gag Clauses in provider and other agreements. This last provision has a looming due date for CMS’ HIOS System filing of December 31, 2023.
The CAA’s Gag Clause Prohibition requirements came from Section 201 of Division BB of the Consolidated Appropriations Act, 2021, and it amended IRC Section 9824, ERISA Section 724 and the PHS Act Section 2799A-9. What this means is that it is enforced by three separate government entities; the Department of Labor (DOL), Health & Human Services (HHS) and Treasury (Departments). Complaints related to parties not complying with the Gag Clause Prohibition requirements can be submitted at either CMS or the DOL.
There have been no actual regulations issued for the Gag Clause Prohibition and Attestation requirements, because the Departments felt that the statutory language is “self-implementing,” or easy enough for applicable parties to comply directly from the statutory language plus any FAQs or other guidance issued. The Departments did issue FAQs in 2021 and 2023. FAQ Part 49 was issued in August, 2021, and new guidance was issued in February, 2023 by the Departments in FAQ Part 57.
Effective Date and Filing Date
The effective date was actually December 27, 2020, meaning that plans could not enter into a contract with gag clauses as of that date.
The gag clause prohibition compliance attestation must be file on or before December 31, 2023, and each year thereafter by December 31.
The first attestation is due no later than December 31, 2023, and should cover the period beginning December 27, 2020 through the date of the attestation.
Prohibition on Gag Clauses
A “gag clause” under the CAA prohibits restrictions on the disclosure of provider-specific cost or quality of care information or data to referring partners, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries or enrollees of their plan or coverage. The CAA also puts restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request with the privacy regulations included in laws like HIPAA, GINA or the ADA, including, on a per claim basis, the following:
- Financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;
- Provider information, including name and clinical designation;
- Service codes; or
- Any other data element included in the claim or encounter transactions;
- Restrictions on sharing information or data or directing that information or data to be shared with a “business associate,” consistent with privacy regulations, including HIPAA.
I asked our attorney, Marilyn Monahan of Monahan Law Office, to describe what a gag clause is. “A gag clause is a contractual term that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party,” stated Marilyn. “The clauses at issue here are typically found in contracts between plans and issuers, on the one hand, and health care providers, a network or association of providers, a TPA, or another service provider offering access to a network of providers, on the other hand.”
I also asked Marilyn to describe what the purpose of the gag clause prohibition is, and what are they trying to accomplish? “This is all about transparency,” replied Marilyn. “They want plans and consumers to have as much information as possible so that they can make informed decisions about plan design and health care options. Without the prohibition on gag clauses, the third parties may restrict access to information that is necessary to fulfill the goal of transparency.”
To be more specific, these gag clause prohibitions basically came from other provisions within the CAA and prior legislation (like the ACA) that required transparency, including the disclosure of pricing information on medical costs and services, Machine Readable File requirements, and most recently, the requirement of Online Price Comparison Tools, where plan participants can compare online prices for services from one provider to another. These gag clause provisions can’t be put into contracts that could take away from the requirements of any of these other CAA requirements related to such Transparency and Price Comparison tools. Health plans and Issuers cannot have any direct, indirect, explicit or non-explicit provisions that would prevent a plan or issuer from providing, accessing, or sharing information required in the CAA.
In the past, gag clauses could be found (but of course are now prohibited) in agreements between a health plan or issuer and any of the following parties: a health care provider; a network or association partner; a third party administrator (TPA); or another services provider offering access to a network of providers.
The FAQs gave some good examples of these types of provisions:
Example: If a contract between a TPA and a group health plan states that the plan will pay providers at rates designated as “Point of Service Rates,” but the TPA considers those rates to be proprietary and therefore includes language in the contract stating that the plan may not disclose the rates to participants or beneficiaries, that language prohibiting disclosure would be considered a prohibited gag clause.
Example: If a contract between a TPA and a plan provides that the plan sponsor’s access to provider-specific cost and quality of care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause.
Attestation of Compliance
Employers sponsoring health plans and health insurance issuers (carriers or HMOs) are required to submit a Gag Clause Prohibition Compliance Attestation (GCPCA) that confirms that they are compliant with this CAA provision by December 31 of each year, and the first attestation is due for the period beginning December 27, 2020 through 2023 on December 31, 2023. Again, this is an annual requirement, so be prepared to do these filings, or subcontract with a third party to do them for you, each year, no later than December 31.
It is important to note that both the group health plan (employer plan sponsor) and the health insurance issuers are legally obligated to make such attestations.
Entities that must comply include the following:
- Health insurance issuers offering group health insurance coverage;
- Health insurance issuers offering individual health insurance coverage, including student health insurance coverage and individual health insurance coverage issued through an association; and
- Fully-insured and self-insured group health plans, including ERISA plans, non-federal governmental plans, and church plans subject to the IRC
These provisions apply to grandfathered and non-grandfathered plans, and small and large group plans. They do not apply to account-based plans (such as HRAs), excepted benefits, and stand-alone dental and vision plans.
Reporting Entities Required to Attest
- Issuers offering individual health insurance coverage, including: Student health insurance plans, Grandfathered and Grandmothered plans, Policies sold on or off Exchanges, and Policies sold through an association
- Issuers offering group health insurance coverage, including: Grandfathered and Grandmothered plans, Policies sold on or off Exchanges, and all other group health insurance plans
- Group health plans, including the following to the extent they are considered group health plans: ERISA plans (or sponsors of ERISA plans), Non-Federal governmental plans, such as plans sponsored by state or local governments, Church plans and Grandfathered group health plans under the ACA
Entities Not Required to Attest
- Account-based plans, such as health reimbursement arrangements (HRAs),including individual coverage HRAs
- Issuers and group health plans that offer only excepted benefits coverage, including, but not limited to: Hospital indemnity or other fixed indemnity insurance, Disease-specific insurance, Dental, vision, and long-term care, and Accident-only, disability, and workers’ compensation
- Issuers that offer only short-term, limited-duration insurance
- Medicare and Medicaid plans
- State children’s health insurance program plans
- Basic Health Program plans
What Do You Attest To?
I asked Marily to explain what are employers specifically asked to provide an attestation on. “Plan sponsors are asked to attest that their group health plan has not entered into any contracts that contain gag clauses,” stated Marilyn. “With respect to the webform that must be executed by this December 31, the attester must attest that “the group health plan(s) . . . on whose behalf I am signing will not enter into an agreement, and has not, subsequent to December 27, 2020, entered into an agreement with a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would be directly or indirectly restrict the group health plan(s) or health plan(s) or health insurance issuer(s) from” disclosing the types of information outlined in the law.”
The attestation language for December 31, 2023’s filing can be found on the CMS website as well as in the FAQs. It includes the following:
I attest that, in accordance with section 9824(a)(1) of the Internal Revenue Code, section 724(a)(1) of the Employee Retirement Income Security Act, and section 2799A-9(a)(1) of the Public Health Service Act, the group health plan(s) or health insurance issuer(s) offering group health insurance coverage on whose behalf I am signing will not enter into an agreement, and has not, subsequent to December 27, 2020, entered into an agreement with a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would be directly or indirectly restrict the group health plan(s) or health plan(s) or health insurance issuer(s) from—
- Providing provider-specific cost or quality of care information or data, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage.
- Electronically accessing de-identified claims and encounter information or data for each participant, beneficiary, or enrollee in the plan or coverage, upon request and consistent with the privacy regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the amendments made by the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Americans with Disabilities Act of 1990 (ADA), including, on a per claim basis— a. Financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract.
- Provider information, including name and clinical designation.
- Service codes; or
- Any other data element included in claim or encounter transactions; or
- Sharing information or data described in items (1) or (2), or directing that such data be shared, with a business associate as defined in section 160.103 of title 45, Code of Federal Regulations (or successor regulations), consistent with the privacy regulations promulgated pursuant to section 264(c) of HIPAA, the amendments made by GINA, and the ADA.
I am attesting on behalf of group health plans, including non-federal governmental plans, and health insurance issuers offering group health insurance coverage. (Check box on attestation form)
What Employer Plan Sponsors Need to Do
What employers need to do depends on whether you have a Self-Funded or Fully Insured health plan. The “reporting entity” is the plan or issuer subject to the law that has entered into an agreement that may be subject to the prohibition (either directly or indirectly). The reporting entity is responsible for compliance with the annual mandate.
Self-Funded Plans
Self-funded health plan sponsors may either attest to the gag clause prohibitions in the HIOS portal or enter into a written agreement with a service provider, such as your TPA, to attest on the plan’s behalf. However, it’s important to understand that even if you subcontract this task to a third party, the self-funded employer remains liable and responsible for the legal obligation.
If you enter into a third-party agreement, you should get it in writing that the third party will be responsible for filing the attestation in HIOS, and then be sure to receive a copy of the confirmation of the filing after the filing is complete. If you file yourselves, you need to register in HIOS; two parties are required to register in the portal; a Submitter and an Attester.
As brokers and consultants, to assist our self-funded clients, we registered in the HIOS system to assist our clients as needed (just as we did for the RxDC HIOS filings), or do the filing for them, should their TPA or other vendor not be prepared to do the filing or, if their filing is billable, so that is of course an option for employers. You should always check to see if you have a reliable resource to do this for you or work with you. Although we do it on a complimentary basis for our clients, that may not always be the case. TPAs or other brokers or consultants or other vendors may charge for this service.
Fully Insured Plans
For fully insured employers, be advised that both the issuer (your carrier) and the plan sponsors are required to comply. However, the FAQ’s state that ““With respect to fully-insured group health plans, the group health plan and the issuer are each required to annually submit a Gag Clause Prohibition Compliance Attestation. However, when the issuer of a fully-insured group health plan submits a Gag Clause Prohibition Compliance Attestation on behalf of the plan, the Departments will consider the plan and issuer to have satisfied the attestation submission requirement.” Therefore, it is important to note that employers should contact their carriers and obtain a written commitment from them to comply.
Some carriers have already sent out e-blasts stating whether or not they will be performing this function for you. Please look for this in your email. Some say they will do it, some say they will not, and others are silent on this function (i.e. no correspondence to date). It’s your responsibility to verify they are doing this for you (or not doing it). Be sure to keep copies of those emails for your records. We also recommend that our fully insured clients forward those emails to us as well so that we can keep a record of what carrier is doing what for each fully insured client. If you haven’t received a confirmation from your carriers, you will be responsible for the attestation. ABC can also enter your attestation into HIOS, but we will need confirmation from you that your carrier is not doing this function (for example, forward the email to us that tells you they are not doing this on your behalf). You should retain the email or other notification from your issuer (carrier) that states that they will be filing on your behalf.
Marilyn advised “Employers should definitely get something in writing—from either their carrier or third party service provider—confirming that the attestation will be made on the employer’s behalf.”
HIOS Attestation Process
As stated above, the Reporting Entity is the employer plan sponsor or issuer that is subject to the law and has entered into an agreement, either directly or indirectly, that may be subject to the prohibition. The reporting entity is responsible for compliance on an annual basis with the mandate.
I asked Marilyn for her thoughts on the actual attestation process, and the differences between self-funded and fully insured employers. “The registration process is much faster and more straightforward than it was for the RxDC reporting process,” stated Marilyn. “Also, you do not have to submit the same type of detailed plan data that was required for RxDC reporting. If your plan is fully insured, and the carrier confirms in writing that it will attest on your behalf, you have satisfied your reporting obligation. If your plan is self-funded, you will need to first identify the third-party service providers that may have contracts subject to the rules, and then obtain their written agreement to attest on your behalf. This may require you to reach an agreement with more than one third party. If they do not agree to do so, it is the employer’s legal responsibility to attest.”
There are two persons involved with the attestations.
Attester – The attester attests on behalf of the Attesting Entity (or Reporting Entity). A health plan or issuer may authorize any appropriate individual within the organization, such as the plan administrator of a group health plan, to attest on behalf of the plan or issuer. This should be a high-level employee of the employer that has the legal authority to act.
A service provider, such as a TPA or broker that has been provided the authority to make the attestation on behalf of the plan or issuer, may authorize any appropriate personnel within that organization to make the attestation.
Submitter- A Submitter may submit the data on the Attester’s behalf, subject to the Attester’s review and signature.
Again, it’s a two-step process, requiring two individuals to register in HIOS and do the required reporting; the submitter submits and the attestor verifies the data is correct and signs the attestation.
Similar to the RxDC process, you must submit data into the HIOS portal on the CMS website. This is not the same as the RxDC portal. They have created a new portal for reporting, and it appears that they learned some valuable lessons during the RxDC reporting process, and have made it simpler and more user friendly for submissions. The good news is, you don’t have to go through Regtap, like you did for RxDC reporting.
“For employers, the ‘attester’ is someone with the legal authority to act on behalf of the group health plan, and who is authorized to electronically sign the GCPCA via the CMS webform,” stated Marilyn. “For a third party who is attesting on the employer’s behalf—such as a TPA—the attester is someone with the legal authority to sign the GCPCA on behalf of the TPA.”
The first step in the process is to obtain an authentication code by going to the Gag Clause Prohibition Compliance Attestation website at https://hios.cms.gov/HIOS-GCPCA-UI and selecting “Don’t have a code or forgot yours?” The user will be asked to provide the user’s e-mail address. The system will generate an authentication code and send it to the e-mail address provided. The user can then return to the Gag Clause Prohibition Compliance Attestation website, enter the e-mail address and code where indicated, and select “Login to the system” to proceed with submitting the attestation. This step only takes a few minutes. You should receive a code in your email very quickly so that you can enter the code and login.
There is a short description and what to expect directly under the home page graphic you see above, that summarizes what you need to do.
If you’re filing for only one employer (such as an employer filing just their own attestation), the reporting entity should use the GCPCA webform to provide the Reporting Entity’s information. (Option A in the Instructions.) The Excel Template is not required. The webform will prompt the Submitter/Attester to answer a series of questions about the Submitter, the Attester, the Reporting Entity, and the plan. The Attester will then make the attestation, and when complete, the Attester may download a confirmation receipt as a pdf file. It’s pretty simple.
If the Attesting Entity is attesting for multiple reporting entities (such as a TPA or broker), you should use both the GCPCA webform and the Excel Template to report information about the Reporting Entities on whose behalf it is attesting. (Option B in the Instructions.) You’ll be prompted to attach the excel template, upload it and then attest to it. The instructions for submitting an attestation, a system user manual, and a reporting entity Excel Template for plans and issuers to submit the required attestation an be found at: https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/gag-clause-prohibition-compliance
Creating an Attestation Submission
You will be asked to enter the submitter’s contact information, which will include the name, position title, email address, phone number, name of employer, type of entity (such as group health plan, issuer, TPA, Behavioral Health or other service provider), then enter the Attestor’s contact information (same as above as applicable for attester). You will then need to provide the Reporting Entity’s details, such as plan number, plan type (for example, health insurance issuer, non-federal government plan, ERISA Plan, non-ERISA plan, etc.), point of contact, employer ID number, mailing address, email address, phone number, point of contact. You will need to drag and drop the excel template (you’ll need to save as a TXT file) and upload it, review and attest.
Non-Compliance Enforcement
Failure to file could result in enforcement action from any of the Departments, which may be a $100 per day excise tax under the IRS code or a civil penalty under ERISA.
Overall Recommendations for Employers
I asked Marilyn if there is anything she would recommend to those attesting to the gag clause prohibition? Marilyn replied: “Confirm that the gag clauses have been removed from the contracts. In addition, read the CMS instructions and understand what you are being asked to attest to.”
Does Marilyn provide any cautions for employers? “Calendar the deadline for this year and every year thereafter. If your plan is self-funded, add this to the list of services you expect the service provider to perform on your behalf, and confirm whether there will be an additional charge. Do not leave this process to the last minute, in case you have difficulty obtaining the cooperation of the third parties involved in the process. Remember that although you have until December 31, 2023, to make the attestation, the requirement to remove the gag clauses is already in effect, and has been for some time.”
Remember, it’s really not as complicated as you might think. Compared to the RxDC reporting, the Gag Clause Prohibition Attestation is a “piece of cake!” ##
Author’s Note: I’d like to thank Marilyn Monahan for her assistance with this article. Marilyn can be reached at marilyn@monahanlawoffice.com. I can be reached at dmcociu@advancedbenefitconsulting.com. Be sure to listen to our podcast series, Benefits Executive Roundtable, which begins Season 5 on September 12, 2023!
Reference Sources & Resources:
Gag Clause Prohibition Compliance Attestation website at https://hios.cms.gov/HIOS-GCPCA-UI
The instructions for submitting an attestation, a system user manual, and a reporting entity Excel Template for plans and issuers to submit the required attestation an be found at: https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/gag-clause-prohibition-compliance
FAQS About Affordable Care Act and Consolidated Appropriations Act, 2021 Implementation Part 57 (July 2023)- https://www.cms.gov/files/document/aca-part-57.pdf
Health Insurance Oversight System (HIOS) Gag Clause Prohibition Compliance Attestation (GCPCA) User Manual – https://www.cms.gov/files/document/hios-gcpca-usermanual-020000.pdf
Monahan Law Office Webinar, July 28, 2023, “Prohibition on Gag Clauses and Attestation Requirement,” by Marilyn Monahan
