Last week the Centers for Medicare & Medicaid Services (CMS) reminded health plans and health insurance issuers that the deadline for electronically filing attestations of compliance with the prohibition against so-called gag clauses is fast approaching and that all attestations must be filed no later than December 31, 2023, and thereafter annually on December 31 of each year. The first compliance attestation covers the period from December 27, 2020 or the effective date of the applicable health plan or insurance coverage through the date of the attestation. Health plans should confirm that they are prepared to comply with the December 31, 2023 deadline and undertake any remediation that may be necessary. Entities that do not submit their attestation by the deadline may be subject to enforcement action.
Background
In Section 201 of the Consolidated Appropriations Act, 2021 (CAA 2021), Congress enacted new transparency requirements that prohibit plans and issuers from entering into gag clauses, which are contract terms that directly or indirectly restrict a health plan or issuer from disclosing certain information. Section 201 became effective on December 20, 2020.
Section 201 also requires health plans and issuers to annually provide a Gag Clause Prohibition Compliance Attestation (GCPCA) to the Secretaries of the Departments of Treasury, Labor, and Health and Human Services (the Departments), as applicable, that the plan or issuer is in compliance with the prohibition. In FAQs issued in 2021, the Departments stated that no regulations would be issued to implement the gag clause prohibition and that plans and issuers should implement a good faith reasonable interpretation of the statute. However, the Departments also stated that additional guidance would be issued explain how plans and issuers should submit their GCPCAs. Since then, the Departments have issued another set of FAQs, instructions for submitting the GCPCA, User Manual, Reporting Entity Excel Template and Webform available on the CMS webpage regarding the GCPCA requirement.
Plans and Issuers Covered
The GCPCA requirements apply to the following issuers and plans:
- Health insurance issuers (offering individual and group coverage); and
- Fully insured and self-insured group health plans, including ERISA plans, non-federal governmental plans and church plans.
The GCPCA requirements do not apply to the following issuers and plans:
- Plans or issuers offering only excepted benefits;
- Issuers offering only short-term, limited-duration insurance;
- Medicare and Medicaid plans;
- Children’s Health Insurance Program (CHIP) plans;
- The TRICARE program;
- The Indian Health Service program; and
- Basic Health Program plans.
Covered Contracting Entities
The gag clause prohibition applies to contracts between a group health plan or health insurance issuer and a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers.
Covered Information and Data
The prohibition applies to contracts between the entities identified above that restrict the plan or issuer from providing information regarding cost and quality of care information as well as deidentified claim and encounter information.
Specifically, Section 201 prohibits contractual restrictions that apply to:
- The disclosure of provider-specific cost or quality of care information or data to referring providers, the plan sponsor, participants, beneficiaries or enrollees, or individuals eligible to become participants, beneficiaries or enrollees of the plan or coverage;
- Electronic access to de-identified claims and encounter information or data for each participant, beneficiary or enrollee upon request and consistent with the privacy regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Americans with Disabilities Act (ADA);1 and
- Sharing the information identified above with a HIPAA business associate in compliance with applicable privacy laws.
A term in a contract is considered a prohibited gag clause if it functions to restrict (even if not explicitly) a plan or issuer from providing, accessing or sharing the information described in Section 201. This includes provisions that treat the information as proprietary or allow release of the information only at the discretion of the contracting party.
The Attestation
The following requirements apply to the attestation:
- Detailed Information: Detailed information must be provided regarding the person submitting the information, the person attesting to compliance and the reporting entity;
- Authority to Attest: The attester must affirm that they have the authority to attest on behalf of the reporting entity listed in the GCPCA webform. A health plan may satisfy the attestation requirement by entering into a written agreement with a service provider such as a TPA under which the service provider will provide the attestation on behalf of the plan. However, the legal requirement to provide the timely attestation remains with the plan.
- Compliance With Gag Clause Prohibition: The attester must read and certify the attestation text, affirming that the reporting entity is in compliance with the prohibition on gag clauses.
- Accuracy of Information: The attester must attest that to the best of their knowledge, all information provided in the submission is accurate; and
- Electronic Signature and Submission: The attester is required to enter their first and last name to electronically sign the attestation and then select the “Submit” button to submit the attestation. Plans and issuers must submit the attestation via a specific online interface.
For more information about the GCPCA requirements, please contact Harvey Rochman at hrochman@manatt.com.
1 De-identified claim and encounter information includes (i) financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract; (ii) provider information, including name and clinical designation; (iii) service codes; or (iv) any other data element included in claim or encounter transactions.