
Most HR teams didn’t hear about gag clause attestation until the filing deadline was already close. That’s a problem, because the requirement has been in place since the Consolidated Appropriations Act of 2021 (CAA 2021) took effect, annual attestations are now a standing compliance obligation, and the Department of Labor (DOL), Department of Health and Human Services (HHS), and Department of the Treasury are all watching.
If your group health plan contains any contractual provision that restricts access to provider cost or quality data, or if you’re not entirely sure whether it does, this article is your audit starting point.
A gag clause is a contractual provision in an agreement between a health plan (or health insurance issuer) and a healthcare provider, network, or third-party administrator (TPA) that restricts the plan from sharing certain data with plan sponsors, members, or other parties.
Specifically, CAA 2021 prohibits group health plans and health insurance issuers from entering into agreements that prevent them from:
The policy intent is straightforward: employers can’t make smart purchasing decisions — and employees can’t make informed care decisions — when critical pricing and quality data is locked behind contractual walls. Gag clauses have historically been embedded in agreements between insurers, TPAs, and provider networks. CAA 2021 broke that wall down legislatively.

Under CAA 2021, both health plans and health insurance issuers must annually attest to the federal agencies that their plan agreements do not contain prohibited gag clauses.
This is where many employer plan sponsors get confused. The obligation to attest falls on the plan — but the entity that actually submits the attestation depends on your plan structure:
Attestations are submitted through the Gag Clause Prohibition Compliance Attestation (GCPCA) portal, operated by the Centers for Medicare & Medicaid Services (CMS). The portal is accessible at hios.cms.gov, and filers need a CMS Enterprise Portal account to submit.
If your plan missed the 2023 or 2024 deadline, do not wait. File immediately. There is currently no grace period codified in regulation, and late filing exposes the plan to enforcement risk.
The attestation certifies that the plan or issuer has not entered into, and has not renewed, any agreement with a provider, network, or TPA that contains a gag clause as defined under CAA 2021.
This sounds simple. In practice, it requires your legal or compliance team — or your broker — to review the actual contractual language in:
The specific provisions to flag include any language that:
Some of these clauses are obvious. Others are buried in definitions sections, data use addenda, or exhibit language. A surface-level contract review is not sufficient — the review needs to be clause-by-clause.

Based on the structure of the GCPCA requirement and common plan arrangements, there are several recurring gaps worth flagging:
1. Assuming your carrier handles it — without confirming
Fully insured employers are often told that their carrier is “taking care of it.” That may be true. But under the regulation, the plan also bears compliance responsibility. Request written confirmation from your carrier that they have filed, and retain that confirmation in your plan documents. If the carrier has not filed, you are still exposed.
2. TPA delegation that isn’t documented
Self-funded employers who delegate attestation to their TPA without a written agreement that specifically assigns that responsibility have a gap. The delegation must be explicit, and the plan sponsor should receive confirmation of filing each year.
3. PBM and network contracts not reviewed
Many employers review their primary TPA agreement but overlook PBM contracts, specialty network arrangements, and ancillary vendor agreements. These contracts can and do contain data restriction language. Every vendor agreement that touches plan data needs to be reviewed.
4. Missing the ongoing monitoring obligation
CAA 2021 doesn’t just prohibit gag clauses in new agreements — it prohibits them in renewed agreements as well. If you renew your carrier or TPA contract annually (as most employers do), the compliance review is an annual obligation, not a one-time project.
Here is a working compliance checklist your team can implement before the next December 31 deadline:
Step 1: Identify your plan’s filing responsibility
Determine whether your plan is fully insured, self-funded, or level-funded — and confirm who is obligated to file.
Step 2: Obtain confirmation from your carrier or TPA
For fully insured plans, request written confirmation that your carrier has filed the GCPCA attestation. For self-funded plans using a TPA, confirm delegation in writing and obtain proof of filing.
Step 3: Conduct a contract review
Have your legal counsel or benefits broker review all plan-related vendor contracts for gag clause language — including TPA agreements, network access contracts, PBM agreements, and specialty care arrangements.
Step 4: Create a compliance file
Document your review process, findings, delegation agreements, and filing confirmations. This file is your audit trail if the DOL, HHS, or IRS ever inquires.
Step 5: Set an annual calendar reminder
Gag clause attestation is now a recurring obligation. Build it into your compliance calendar alongside ACA 1094/1095 reporting, PCORI fees, and other annual filing deadlines.

CAA 2021 doesn’t prescribe specific civil penalties for gag clause violations in the way that HIPAA or the ACA employer mandate does. However, the agencies have broad enforcement authority, and non-compliance creates real risk:
More importantly, if a prohibited gag clause is actually in force and operating, the plan may be restricting the employer’s access to data they’re legally entitled to — affecting their ability to manage costs, benchmark performance, and fulfill their fiduciary obligations under ERISA.
The gag clause prohibition isn’t just a compliance checkbox. It’s a legislative signal that the federal government expects employers to use cost and quality data — and holds them responsible for demanding access to it.
Employers who are actively using de-identified claims data and provider cost benchmarks are finding real cost management opportunities: identifying high-cost, low-quality utilization patterns; renegotiating network agreements; and steering employees toward higher-value care settings. That work is only possible if the data flows freely.
Compliance with the attestation requirement is step one. What you do with the data access it protects is where the real value is.

If your plan is self-funded or level-funded and you haven’t filed a GCPCA attestation — or confirmed that your TPA has done so on your behalf — act immediately. If your plan is fully insured, confirm in writing that your carrier has filed and document that confirmation.
The December 31 annual deadline doesn’t move. Build this into your compliance cycle now, while there’s time to review contracts and correct any gaps before the next filing window closes.
Taylor Benefits Insurance Agency works with employers across all plan structures to navigate CAA compliance requirements, including gag clause attestation. If you’re unsure whether your plan is compliant — or you’d like a second set of eyes on your vendor contracts — contact our team for a consultation.
Employers should keep copies of contracts, vendor confirmations, and the submitted attestation form. It is also helpful to retain correspondence with insurers, third-party administrators, and pharmacy benefit managers. These records help show that no gag clauses exist in agreements and provide proof if regulators request supporting documentation during a review or audit.