Gag Clause Attestation Requirements: Is Your Group Health Plan Still Compliant?

By Todd Taylor  |  Last updated: May 10, 2026

Most HR teams didn’t hear about gag clause attestation until the filing deadline was already close. That’s a problem, because the requirement has been in place since the Consolidated Appropriations Act of 2021 (CAA 2021) took effect, annual attestations are now a standing compliance obligation, and the Department of Labor (DOL), Department of Health and Human Services (HHS), and Department of the Treasury are all watching.

If your group health plan contains any contractual provision that restricts access to provider cost or quality data, or if you’re not entirely sure whether it does, this article is your audit starting point.

What Is a Gag Clause, and Why Does It Matter?

A gag clause is a contractual provision in an agreement between a health plan (or health insurance issuer) and a healthcare provider, network, or third-party administrator (TPA) that restricts the plan from sharing certain data with plan sponsors, members, or other parties.

Specifically, CAA 2021 prohibits group health plans and health insurance issuers from entering into agreements that prevent them from:

The policy intent is straightforward: employers can’t make smart purchasing decisions — and employees can’t make informed care decisions — when critical pricing and quality data is locked behind contractual walls. Gag clauses have historically been embedded in agreements between insurers, TPAs, and provider networks. CAA 2021 broke that wall down legislatively.

The Attestation Requirement: Who Files, What They Certify, and When

Under CAA 2021, both health plans and health insurance issuers must annually attest to the federal agencies that their plan agreements do not contain prohibited gag clauses.

Who Is Responsible for Filing?

This is where many employer plan sponsors get confused. The obligation to attest falls on the plan — but the entity that actually submits the attestation depends on your plan structure:

  • Fully insured plans: The health insurance issuer (your carrier — Aetna, UnitedHealthcare, BCBS, etc.) is responsible for filing on behalf of both the issuer and the plan. Employers with fully insured coverage do not file directly, but they remain responsible for ensuring their issuer has attested. Silence from your carrier is not confirmation.
  • Self-funded plans: The plan sponsor (the employer) is responsible for filing. However, the plan sponsor may contractually delegate this responsibility to a TPA. That delegation must be explicit and documented — verbal assurances don’t satisfy the regulatory requirement.
  • Level-funded plans: Treated similarly to self-funded arrangements. Confirm with your TPA whether they are filing on your behalf and obtain written documentation.

Where and How to File

Attestations are submitted through the Gag Clause Prohibition Compliance Attestation (GCPCA) portal, operated by the Centers for Medicare & Medicaid Services (CMS). The portal is accessible at hios.cms.gov, and filers need a CMS Enterprise Portal account to submit.

Filing Deadlines

  • The initial attestation deadline was December 31, 2023 (covering plan years through that date)
  • Annual attestations are due by December 31 each year going forward
  • Plans and issuers must attest even if no prohibited gag clauses are present — the attestation is confirmatory, not just corrective

If your plan missed the 2023 or 2024 deadline, do not wait. File immediately. There is currently no grace period codified in regulation, and late filing exposes the plan to enforcement risk.

What Exactly Are You Attesting To?

The attestation certifies that the plan or issuer has not entered into, and has not renewed, any agreement with a provider, network, or TPA that contains a gag clause as defined under CAA 2021.

This sounds simple. In practice, it requires your legal or compliance team — or your broker — to review the actual contractual language in:

  • Your carrier or TPA services agreement
  • Your network access agreement (particularly relevant for self-funded plans using a leased network)
  • Any downstream agreements with stop-loss carriers, pharmacy benefit managers (PBMs), or specialty vendors that touch your plan’s data

The specific provisions to flag include any language that:

  • Prohibits or restricts the plan from sharing cost or quality data with the plan sponsor
  • Restricts the plan from providing de-identified claims data to the employer upon request
  • Conditions access to preferred pricing on non-disclosure agreements that limit data sharing
  • Restricts providers from sharing information with patients about cost, quality, or available alternatives

Some of these clauses are obvious. Others are buried in definitions sections, data use addenda, or exhibit language. A surface-level contract review is not sufficient — the review needs to be clause-by-clause.

The Compliance Gaps Employers Keep Missing

Based on the structure of the GCPCA requirement and common plan arrangements, there are several recurring gaps worth flagging:

1. Assuming your carrier handles it — without confirming
Fully insured employers are often told that their carrier is “taking care of it.” That may be true. But under the regulation, the plan also bears compliance responsibility. Request written confirmation from your carrier that they have filed, and retain that confirmation in your plan documents. If the carrier has not filed, you are still exposed.

2. TPA delegation that isn’t documented
Self-funded employers who delegate attestation to their TPA without a written agreement that specifically assigns that responsibility have a gap. The delegation must be explicit, and the plan sponsor should receive confirmation of filing each year.

3. PBM and network contracts not reviewed
Many employers review their primary TPA agreement but overlook PBM contracts, specialty network arrangements, and ancillary vendor agreements. These contracts can and do contain data restriction language. Every vendor agreement that touches plan data needs to be reviewed.

4. Missing the ongoing monitoring obligation
CAA 2021 doesn’t just prohibit gag clauses in new agreements — it prohibits them in renewed agreements as well. If you renew your carrier or TPA contract annually (as most employers do), the compliance review is an annual obligation, not a one-time project.

Practical Steps for HR and Benefits Teams

Here is a working compliance checklist your team can implement before the next December 31 deadline:

Step 1: Identify your plan’s filing responsibility
Determine whether your plan is fully insured, self-funded, or level-funded — and confirm who is obligated to file.

Step 2: Obtain confirmation from your carrier or TPA
For fully insured plans, request written confirmation that your carrier has filed the GCPCA attestation. For self-funded plans using a TPA, confirm delegation in writing and obtain proof of filing.

Step 3: Conduct a contract review
Have your legal counsel or benefits broker review all plan-related vendor contracts for gag clause language — including TPA agreements, network access contracts, PBM agreements, and specialty care arrangements.

Step 4: Create a compliance file
Document your review process, findings, delegation agreements, and filing confirmations. This file is your audit trail if the DOL, HHS, or IRS ever inquires.

Step 5: Set an annual calendar reminder
Gag clause attestation is now a recurring obligation. Build it into your compliance calendar alongside ACA 1094/1095 reporting, PCORI fees, and other annual filing deadlines.

What Happens If You’re Not Compliant?

The CAA 2021 doesn’t prescribe specific civil penalties for gag clause violations in the way that HIPAA or the ACA employer mandate does. However, the agencies have broad enforcement authority, and non-compliance creates real risk:

More importantly, if a prohibited gag clause is actually in force and operating, the plan may be restricting the employer’s access to data they’re legally entitled to — affecting their ability to manage costs, benchmark performance, and fulfill their fiduciary obligations under ERISA.

The Bigger Picture: Price Transparency as a Cost Management Tool

The gag clause prohibition isn’t just a compliance checkbox. It’s a legislative signal that the federal government expects employers to use cost and quality data — and holds them responsible for demanding access to it.

Employers who are actively using de-identified claims data and provider cost benchmarks are finding real cost management opportunities: identifying high-cost, low-quality utilization patterns; renegotiating network agreements; and steering employees toward higher-value care settings. That work is only possible if the data flows freely.

Compliance with the attestation requirement is step one. What you do with the data access it protects is where the real value is.

Bottom Line

If your plan is self-funded or level-funded and you haven’t filed a GCPCA attestation — or confirmed that your TPA has done so on your behalf — act immediately. If your plan is fully insured, confirm in writing that your carrier has filed and document that confirmation.

The December 31 annual deadline doesn’t move. Build this into your compliance cycle now, while there’s time to review contracts and correct any gaps before the next filing window closes.

Taylor Benefits Insurance Agency works with employers across all plan structures to navigate CAA compliance requirements, including gag clause attestation. If you’re unsure whether your plan is compliant — or you’d like a second set of eyes on your vendor contracts — contact our team for a consultation.

Frequently Asked Questions

Employers should keep copies of contracts, vendor confirmations, and the submitted attestation form. It is also helpful to retain correspondence with insurers, third party administrators, and pharmacy benefit managers. These records help show that no gag clauses exist in agreements and provide proof if regulators request supporting documentation during a review or audit process.

Written by Todd Taylor

Todd Taylor oversees most of the marketing and client administration for the agency with the help of an incredible team. Todd is a seasoned benefits insurance broker with over 35 years of industry experience. As the Founder and CEO of Taylor Benefits Insurance Agency, Inc., he provides strategic consultations and high-quality support to ensure his clients’ competitive position in the market.