Lian Loop | 2/26/24 2:10 PM | 5 min read

Gag Clause Prohibition Compliance: A Mechanism for Transparency

The Gag Clause Prohibition Compliance Attestation (GCPCA) is a provision of the Consolidated Appropriations Act of 2021 which promotes transparency so plan sponsors (employers) and participants (employees) can access data and information about the costs and quality of healthcare services. While it seems outlandish now, in the past, insurance plans were able to use gag clauses to prevent all of us from truly knowing the costs of our healthcare services because we didn't have full access to specific data and information. The GCPCA is designed to prevent the use of gag clauses so this information can be accessed and informed decisions about healthcare can be made. 

At a high level, the gag clause rule prohibits plans and issuers from entering into agreements with providers, third party administrators (TPAs), or other service providers that would restrict:

  • Provider-specific cost or quality of care information 
  • Electronic de-identified claims data
  • The ability to share information or data described above (or to direct that information to be shared) with a HIPAA business associate.

What is required?

A GCPCA must be submitted annually to the Department of Health and Human Services (HHS) by group health plans and health insurance issuers who offer group or individual health insurance coverage. HHS is collecting the attestations on behalf of the Departments of Labor (DOL), HHS, and the Treasury. The GCPCA can be submitted on an employer's behalf by their broker, insurer, TPA, pharmacy benefit manager (PBM) or other service provider. Ultimately, it is the employer's responsibility to comply with the gag clause prohibition. Therefore, the employer should proactively reach out to these entities to confirm if they will handle the attestation.

Which plans must comply?

The GCPCA applies to insurers as well as to fully insured, self-insured and level funded plans offering group or individual health coverage.

Fully insured plans:
  • Both the group health plan and insurer must adhere to the requirements, which encompass the attestation.
  • If the insurer opts to attest on behalf of a fully insured plan, agency guidelines indicate that the fully insured employer can depend on the insurer’s attestation that their provider contracts comply. Essentially, the insurer assumes the responsibility for the attestation.
  • Consequently, for compliance purposes of the CAA 2021 gag clause prohibition concerning that specific fully insured contract, the employer doesn't need to pursue further actions. However, this doesn't exempt them from compliance obligations related to any other plans they might sponsor.

Self-insured and level funded plans:
  • Responsibility & Compliance: The primary responsibility for compliance lies with the employer that sponsors the self-insured plan. The gag clause prohibition aims to ensure that sponsors of these plans are transparent about the medical coverage and are not restricted from discussing or disclosing any specific details about treatments or coverages.
  • TPA Role: Because TPAs are often engaged by employers to handle claims processing and other administrative functions of the self-insured plan, the DOL has indicated that a TPA can enter into a written agreement to provide the attestation required by the gag clause prohibition. However, this does not transfer the responsibility of compliance away from the employer. Instead, it merely means the TPA is assisting in the compliance process. Again, the ultimate burden and accountability for ensuring adherence remain with the employer sponsor of the self-insured plan.
  • Due to the direct relationship between the employer and the covered members in self-insured setups, ensuring compliance can sometimes be more complex than in fully insured scenarios. Employers must be diligent in reviewing their contracts and administrative practices to make certain they do not inadvertently violate the gag clause prohibition.

GCPCA submission process

Employers, brokers, insurers, TPAs, PBMs and other service providers should use this webform to satisfy the requirement to submit an annual attestation of compliance. Please note that the submission process doesn't require setting up a CMS Health Insurance Oversight System (HIOS) account.


Obtain Authentication Code:

  1. Visit the GCPCA website

  2. Click on "Don’t have a code or forgot yours?"

  3. Enter the submitter's email address.

  4. An authentication code will be dispatched to the given email, usually within 10 minutes. This code remains active for roughly 14 days.

GCPCA Webform Access:
  1. Revisit the GCPCA website

  2. Input the email address and the authentication code you received.

  3. Click on "Login to the system" to commence the attestation submission.

Complete the Attestation:

  1. Follow the instructions outlined in Section 2 of the GCPCA Annual Submission Instructions and refer to the HIOS GCPCA User Manual, which offers illustrative screenshots.

  2. Input details about the submitter, attester (someone with the legal authority to attest for the plan; could also be the submitter), and the reporting entity (like an ERISA plan).

  3. Define whether the submission pertains to all of the employer's plans or is specific to one, such as a medical plan.

  4. In situations where attestation is done for multiple entities, the GCPCA Excel spreadsheet might be necessary. However, most employers can bypass this step.

Finalize the Attestation:

  1. The exact wording for the attestation is provided in the User Manual (referenced in Appendix B: Group Health Plan Attestation Language).

  2. Attesters won't provide a separate narrative or edit the given language. Instead, they'll only need to enter their full name and then finalize the attestation.

  3. A confirmation of successful submission will be shown, along with an option to download a receipt. The GCPCA dashboard will also reflect the status of the submission.

Technical support is available at the CMS Marketplace Help Desk 855-267-1515 or email (include "GCPCA" in the subject line for faster service).

Important dates

Entities that do not meet the attestation deadlines may face penalties which have yet to be determined. There is speculation that the penalties could be as much as $100 per day for each individual affected by a violation.

  • December 31, 2023: Deadline for the first GCPCA. This covers from December 27, 2020, or the commencement date of the relevant group health plan (whichever is later), up to the attestation date.
  • December 31, every following year: Deadline for subsequent attestations. Each attestation should cover the period since the last one.

Value beyond compliance

The Gag Clause Prohibition Compliance Attestation is a step in the right direction to ensure that all of us have access to the information we need to ascertain the costs and quality of the healthcare we pay for and receive. In the long run, this provision will foster greater transparency, leading to more fully informed healthcare consumers and a more accountable healthcare system. 

As always, please feel free to reach out to us if you want more information or have questions.


Lian Loop

With a rich history in non-profits and healthcare consulting, Lian is a fact finder with high attention to detail. Her behind-the-scenes leadership and direction have paved a pathway forward for all of our clients and future team members for decades to come.
