Buck Bond Group
No Surprises Act: Gag clause attestation due December 31

No Surprises Act: Gag clause attestation due December 31

by and Tags: ,

The gag clause prohibition of the No Surprises Act (NSA) requires group health plans and health insurance issuers to submit a Gag Clause Prohibition Compliance Attestation (GCPCA) by December 31 and annually thereafter. The prohibition on gag clauses restricts plans and issuers from entering into contracts that would preclude disclosures of certain information.

Download this FYI as a printable PDF.


The NSA was enacted in December 2020 under the Consolidated Appropriations Act (CAA) of 2021 and provided new protections against unanticipated out-of-network bills. In addition to the provisions regarding surprise medical billing, the NSA also included a new prohibition on “gag clauses” that restrict plans from providing cost or care information to plan participants, accessing de-identified claims data, and sharing the information, per privacy regulations, with a business associate. Plans must annually attest on a website provided by the Centers for Medicare and Medicaid Services (CMS).

Attestation requirements for group health plans

A “gag clause” is defined as a contractual term that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party.1 Gag clauses may be found in agreements between a plan or issuer and a health care provider, a network or association, a third-party administrator (TPA), or any other service provider. These provisions include agreements that would directly or indirectly restrict a plan or issuer from: (1) providing provider-specific cost or quality-of-care information to the plan sponsor, participants, referring providers, or individuals eligible to become participants; (2) electronically accessing de-identified claims and encounter information (consistent with privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), and the Americans with Disabilities Act (ADA)) on a per claim basis; or (3) sharing the information described in (1) or (2) with a business associate. However, the guidance clarifies that a health care provider, network or association of providers, or other service provider may place reasonable restrictions on the public disclosure of this information.

The NSA requires that all group health plans (including fully-insured, level funded, self-insured, and grandfathered plans) attest annually that they do not have any agreements that include these types of provisions. The first of these attestations will be due on December 31 and will cover the period from December 27, 2020 (or, if later, the effective date of the plan or insurance coverage) through the date of attestation. Plans and insurers must submit the attestation online through the CMS Health Insurance Oversight System. The attestation requirement does not apply to excepted benefits (such as standalone dental or vision plans), health reimbursement arrangements (HRAs), or other account-based plans (such as FSAs).

Self-insured plans may satisfy the requirement by entering into a written agreement with a TPA to submit the attestation on the plan’s behalf, although ultimately the plan sponsor is responsible for compliance. Self-insured plans who delegate the attestation reporting responsibilities to a service provider should request verification that the attestation was successfully submitted. Fully-insured plans must confirm with their carriers that they will comply with the requirement. If a carrier submits the attestation on behalf of a fully-insured plan, the plan will be considered compliant with this requirement.

The Departments released detailed instructions regarding the attestation submission process, and a user manual with step-by-step instructions for submitting the attestation through a portal.

In closing

It is critical that plan sponsors confirm that the agreements they have in place with an insurer or TPA comply with the prohibition on gag clauses, and that the plan or third-party will attest to such compliance annually. Although not specifically outlined in the NSA, failure to provide the attestation could result in a civil penalty of $100 per day, adjusted annually, for each individual affected by a violation.


1 FAQs about ACA and Consolidated Appropriations Act, 2021, Implementation Part 57 https://www.cms.gov/files/document/aca-part-57.pdf

Volume 46 | Issue 19