Gag Clause Prohibition Compliance Attestation Required by Year End

By December 31, 2023, and by December 31 of each subsequent calendar year, Plans are required to attest that they have not entered into agreements with health care providers, network or association of providers, third-party administrators (TPA), or other service providers offering access to a network of providers that would directly or indirectly restrict the plan (or issuer) from:

  • Providing provider-specific cost and/or quality information to referring providers, plan sponsors, and participants; or
  • Electronically accessing de-identified claims and encounter information for each participant upon request and consistent with HIPAA’s privacy rules, including financial information, provider information, service codes, or other data elements included in claim or encounter transactions; or
  • Sharing the information described above with a business associate.

Such agreements are referred to as “gag clauses.” 

The attestation, referred to as the “Gag Clause Prohibition Compliance Attestation” (or “GCPCA”), must be filed using the Health Information Oversight System (HIOS) website established by HHS at The attestation filed using that website will satisfy the filing requirements for all three Departments. 

This alert reviews the background on the attestation requirement; what plans must attest; and how to attest.


Section 201 of title II (Transparency) of division BB of the Consolidated Appropriations Act, 2021 (the CAA) added provisions to  the Public Health Service Act (PHSA), the Employee Retirement Income Security Act (ERISA), and the Internal Revenue Code (Code) to prohibit the use of  “gag clauses” in provider agreements prohibiting disclosure of cost or quality of care information or data, and certain other information to active or eligible participants, beneficiaries, enrollees, plan sponsors, or referring providers, or restrict the plan or issuer from sharing such information with a business associate, consistent with applicable privacy regulations. A health care provider, network or association of providers, or other service provider may place reasonable restrictions on the public disclosure of this information. The PHSA, ERISA, and the Code, all require an annual attestation of compliance with the provisions prohibiting gag clauses.  

In FAQs Part 49, Q7, issued in August 2021, the Departments stated that the requirements prohibiting gag clauses should be implemented using a good faith, reasonable interpretation of the statute. The FAQ further stated that the Departments intend to issue guidance explaining how plans (and issuers) should submit their attestation. At that time, the requirements to submit a formal compliance attestation was anticipated by the end of 2022.

On February 23, 2023, the Department of Health and Human Services, Department of Labor and the Department of Treasury (collectively, “the Departments”) released FAQs Part 57 which provides information on the attestation of compliance group health plans must submit on or before December 31, 2023, and can be found at  Part 57.

FAQs Part 57, Q6, states that the first attestation for group health plans is due on or before December 31, 2023. The first attestation will cover the period beginning December 27, 2020,1 (or the effective date of the group health plan, or insurance coverage, if later) through the date of attestation. Subsequent attestations will be due by December 31 of each year thereafter.

What plans must attest

FAQs Part 57, Q8 states that health insurers, fully insured health plans, and self-insured health plans – including ERISA plans, non-Federal governmental plans, and church plans, must attest. It also states that plans providing for excepted benefits (for example, dental and vision coverage) and plans that consist only of health reimbursement arrangements (HRAs) or other account-based group health plans are not required to provide an attestation.

Compliance with the GCPCA requires that a plan may authorize “an appropriate individual within the organization” to attest on behalf of the Plan (See Q11). Plans will need to review existing service provider contracts and establish a uniform tracking system for new and existing contracts. 

Although both insurers and plans are required to attest, the Departments will consider both the plan and the insurer to have attested when the insurer attests, so fully insured plans should not have to make an attestation.

How to Attest

The “GCPCA” must be filed using the HIOS system website established by HHS at 2 (see Q7). The instructions for the online submission portal are found at:

A user manual providing guidance on the HIOS system and the Gag Clause Prohibition Compliance Attestation is available at:

Q9 permits a Plan Sponsor to designate another entity, such as a pharmacy benefit manager (PBM), third party administrator (TPA), or other service provider to attest on behalf of a self-insured group health plan (or health insurance issuer). The plan can separate the attestation into medical, pharmacy, behavioral health, and other benefits. For example, a plan could have the Pharmacy Benefit Manager attest for the pharmacy contracts, a separate medical vendor attest for everything else.

CHEIRON OBSERVATION: The method of attesting compliance with the gag clause prohibition is somewhat similar to the RxDC reporting under section 204 of the CAA. However, the information required for this attestation is much less involved. Plans who have not already done so should determine if each of their service provider agreements comply with this requirement. 

Cheiron health consultants can assist you with your reporting obligations. Cheiron is an actuarial consulting firm that provides actuarial and consulting advice. However, we are not attorneys, accountants, or clinicians. Accordingly, we do not provide legal services, tax advice, or medical advice.

1 December 27, 2020, is the date the CAA became law.

2 HIOS is the Health Information Oversight System that is maintained by HHS.