On January 14, 2025, the departments of Labor, Health and Human Services, and Treasury, as well as the Office of Personnel Management, issued FAQs About Consolidated Appropriations Act, 2021 Implementation Part 69. The FAQs provides guidance on both the gag clause prohibition compliance and the No Surprises Act. Health plans and their vendors, including third-party administrators (TPAs), will want to be aware of a new requirement to ensure that contracts do not have prohibited gag clauses.
Gag Clause Prohibition and Attestation FAQs
Generally, group health plans and health insurers offering group or individual cover cannot enter into an agreement with a provider, association of providers, network, TPA, or other service provider offering access to a network that directly or indirectly restricts the plan or insurer from:
- Making provider-specific cost or quality-of-care information or data available to active or eligible participants, beneficiaries, and enrollees of the plan or coverage, plan sponsors, or referring providers.
- Electronically accessing de-identified claims and encounter information or data for each participant, beneficiary, or enrollee in the plan or coverage consistent with applicable privacy regulations, upon request.
- Sharing such information or data described in (1) and (2), or directing such data be shared, with a business associate consistent with applicable privacy regulations.
By December 31 of each year, plans and insurers must submit a gag clause prohibition compliance attestation (GCPCA) to the departments.
Does a plan or issuer have a contract with a prohibited gag clause if its TPA or other service provider has an agreement with another party that restricts the plan or insurer from providing, electronically accessing, or sharing information?
Yes. A plan or issuer violates the gag clause prohibition if its TPA has a contract that prohibits the TPA from sharing relevant information with the plan or insurer even though it is not a party to the TPA’s other agreement. To avoid violating the gag clause prohibition, the departments expect that plans and insurers will include provisions in their direct contracts prohibiting TPAs and other service providers from executing downstream agreements with other parties that restrict the plan or insurer from sharing information or data. The departments view such downstream agreements as an “indirect” restriction on the plan or issuer. Plans, insurers, and their service providers will want to be mindful of this new requirement. Although the gag clause prohibition does not apply directly to TPAs and other service providers, the departments have indirectly required their compliance by requiring plans and insurers to achieve their compliance contractually. Thus, TPAs and other services providers will want to ensure their contracts with downstream entities allow their plan and insurer clients to meet their GCPCA obligations since plans and issuers are likely to require contractual representations about whether those contracts comply with the gag clause prohibition.
Does an agreement violate the gag clause prohibition if it allows the plan or insurer to share de-identified claims data with a business associate only at the discretion of a health care provider, association of providers, TPA, or other service provider offering network access?
Yes. An agreement has a prohibited gag clause if it permits the plan or insurer to share de-identified claims data with a business associate only at the discretion of a health care provider, network, association of providers, TPA, or other service provider offering network access.
What restrictions on access to de-identified claims and encounter information or data violate the gag clause prohibition?
Prohibited gag clauses include limitations on the scope, scale, or frequency of electronic access to de-identified claims and encounter information or data to the extent such limitations place unreasonable limits on access to the information upon request. Unless the information or data is otherwise electronically accessible to the plan or insurer, prohibited gag clauses related to audit or claims review include:
- Limitations on access to a statistically significant or the minimum necessary number of de- identified claims.
- Limitations on the scope of access to the data to specific, narrow purposes (such as limiting access to an audit).
- Unreasonable limitations on the frequency of claims reviews (for example, no more than once per year).
- Limitations on the number and types of de-identified claims that a plan or issuer may access.
- Restrictions on the data elements of a de-identified claim that a plan or issuer may access.
- Limiting access to de-identified claims data to the TPA’s or service provider’s physical premises.
The departments noted that this is not an exhaustive list and that they may provide additional examples of prohibited gag clauses.
How do plans and insurers submit a GCPCA if they entered into an agreement that violates the gag clause prohibition?
If a plan or issuer has an agreement that violates the gag clause prohibition and has been unable to remove the noncompliant provision from their agreement, the plan or insurer must identify the noncompliant provision as part of their attestation. This requirement applies to both a direct agreement between the plan/issuer and the service provider and a downstream agreement between the service provider and another entity that restricts the use of such relevant information or data. Once the plan or issuer has identified the noncompliant provision, it may use the text box labelled “Additional Information” in the GCPCA webform system on step 3 to include the provision as part of its attestation. The additional information includes:
- Any prohibited gag clauses that a service provider has refused to remove.
- The name of the TPA or service provider with which the plan or insurer has the agreement containing the prohibited gag clause.
- Conduct by the service provider that shows the service provider interprets the agreement to contain a prohibited gag clause.
- Information on the plan’s or insurer’s requests that the prohibited gag clause be removed from such agreement.
- Any other steps the plan or insurer has taken to come into compliance with the provision.
The prohibited gag clauses might still prompt enforcement action by the departments. The departments will take into account good-faith efforts to self-report a prohibited gag clause in the event of any enforcement action. Nonetheless, a plan or insurer submitting such additional information is considered to satisfy their obligation to submit a GCPCA.
We note that the scope of this FAQ (FAQ-9) is unclear. The departments state that this requirement applies to both a direct agreement between the plan/issuer and the service provider and a downstream agreement between the service provider and another entity that restricts the use of such relevant information or data. However, reading the FAQs in the context of the statute, which is limited in scope to an agreement to which the plan or issuer is a party, the departments appear to be saying that an agreement between a plan or issuer and a service provider must contain assurances from the service provider that the plan or issuer will have the access required by the statute. The practical effect is for the service provider to ensure that it can, in fact, provide such access. If an agreement does not contain such an assurance, the agreement would appear to have a gag clause under these FAQs. Another interpretation of these FAQs is that the plan or issuer must identify gag clauses in downstream agreements to which they are not a party. If that is what the departments are saying, that would appear to be counter to the terms of the statute.
No Surprises Act FAQs
The No Surprises Act protects group health plan or group or individual health insurance participants, beneficiaries, and enrollees against surprise medical bills for certain out-of-network services. The departments established a federal independent dispute resolution (IDR) process to resolve disputes between plans or insurers and providers, facilities, or providers of air ambulance services about the out-of-network rate for certain items and services. The departments’ regulations and guidance provided methodology for calculating the qualifying payment amount (QPA) for those out-of-network services. In Texas Medical Association v. United States Department of HHS (also known as TMA III), the Eastern District of Texas vacated and remanded certain parts of these regulations and guidance. In response, the departments issued several FAQs (FAQs About Consolidated Appropriations Act, 2021 Implementation Part 62 and FAQ About Consolidated Appropriations Act, 2021 Implementation Part 67). On October 30, 2024, in TMA III, the Fifth Circuit issued an opinion and order that partially reversed the district court’s decision. The latest FAQs provide guidance in response to that decision.
How should plans and insurers calculate the QPA after the Fifth Circuit’s TMA III decision?
Unless the Fifth Circuit decides to rehear its panel's TMA III decision and alters its judgment, plans and insurers must calculate QPAs using a good-faith, reasonable interpretation of applicable statutes and regulation that remain in effect after the decisions of both the Fifth Circuit and district court once the Fifth Circuit issues its mandate. However, the departments recognize the significant amount of time and resources it will again take to review and recalculate QPAs. For items and services furnished before August 1, 2025, the departments will extend the enforcement discretion provided in FAQs 62 and 67 under the relevant No Surprises Act provisions for any plan, insurer, or party to the IDR payment dispute process that uses a QPA calculated under the departments’ 2021 methodology (in other words, the regulations and guidance in effect before the district court's TMA III decision).
Because the Fifth Circuit has not yet issued its mandate, plans and issuers can continue to rely on QPAs that have already been calculated using a good-faith, reasonable interpretation of the departments’ 2023 methodology (in other words, FAQ 62). Once the Fifth Circuit issues its mandate, the departments will exercise enforcement discretion for QPAs calculated using a good-faith, reasonable interpretation of the 2023 methodology for items and services furnished before August 1, 2025. This enforcement discretion for QPAs using the 2021 or 2023 methodology applies to (1) patient cost-sharing; (2) providing required disclosures with an initial payment or notice of denial of payment; and (3) providing required disclosures and submissions under the IDR process. The FAQ notes that HHS will exercise enforcement discretion for a provider, facility, or provider of air ambulance services that bills, or holds liable, a participant, beneficiary, or enrollee for a cost-sharing amount based on a QPA calculated using the 2021 or the 2023 methodology, for items and services furnished before August 1, 2025.
How should plans and insurers make disclosures about the QPA to nonparticipating providers, facilities, and providers of air ambulance services with an initial payment or notice of denial of payment, and in a timely manner upon request?
Plans and insurers should make these disclosures about the QPA consistent with prior guidance, which was not affected by the Fifth Circuit’s decision. A plan or insurer may certify that it determined a QPA in compliance with the applicable rules if it used a good-faith, reasonable interpretation of the applicable statutes and regulations that remain in effect after the decisions of both the Fifth Circuit and the district court in TMA III.
The departments will exercise enforcement discretion for disclosures regarding a QPA provided with an initial payment or notice of denial of payment. Specifically, for items and services furnished before August 1, 2025, the departments will exercise enforcement discretion when the plan or insurer using the 2021 or 2023 methodology certifies that the QPA was determined consistent with the applicable regulations. However, the plan or insurer must disclose in a timely manner upon request that it is using a QPA calculated using the 2021 or 2023 methodology, as applicable.
When must a plan or insurer provide the required disclosures when an initial payment or notice of denial is sent electronically while required disclosures are sent using paper?
The departments note that a plan or insurer is not relieved from sending required disclosures with each initial payment or notice of denial when the plan’s or issuer’s method of electronic transmission of the initial payment or notice of denial does not allow for the disclosures to be sent with the transmission. When sending an initial payment or notice of denial electronically and required disclosures on paper for out-of-network emergency services and applicable non-emergency items, a plan or insurer must transmit the required disclosures on or near the date it sends the initial payment or notice of denial of payment. The plan or insurer must ensure that it sends all this no later than 30 calendar days after receipt of the information necessary to decide the claim. For out-of-network air ambulance services, the plan or insurer must transmit the required disclosures on or near the date that it sends the initial payment or notice of denial. The plan or insurer must ensure that it sends all this no later than 30 calendar days after the provider of air ambulance services transmits the bill for services.
What is the deadline to initiate open negotiation when required disclosures are received on paper after the initial payment or notice of denial is sent electronically?
When the plan or insurer sends disclosures in a timely manner, the period to initiate open negotiation ends 30 business days after the provider, facility, or provider of air ambulance services has received both the initial payment or notice of denial of payment and the required disclosures. However, at its discretion, a provider, facility, or provider of air ambulance services may initiate open negotiation after receiving the initial payment or notice of denial even if it has not yet received the required disclosures. If a provider, facility, or provider of air ambulance services receives an initial payment or notice of denial but has not received the required disclosures at all, or has received disclosures sent outside the required timeframe, then it may initiate open negotiation or request an extension to initiate the IDR process.
After a certified IDR entity makes a payment determination for a qualified IDR item or service, may a plan or insurer recalculate cost-sharing if the recalculation results in a cost-sharing amount that exceeds the amount calculated using the lesser of the billed charge or the QPA?
No. The cost-sharing amount for out-of-network emergency services and applicable non-emergency items and services must be calculated using the recognized amount under the No Surprises Act (or lesser of the billed charge or QPA for out-of-network air ambulance services). The departments noted that the have received reports of some plans and insurers generating new explanations of benefits (EOBs) after an IDR payment decision was made. The FAQ states that a plan or insurer cannot recalculate or increase a participant’s, beneficiary’s, or enrollee’s cost-sharing based on the amount of the certified IDR entity’s payment determination (or for any other reason) if it would result in a cost-sharing amount that exceeds the permitted amount calculated using the recognized amount (or lesser of the billed charge or the QPA for out-of-network ambulance services). The departments remind plan and insurers that payments made after a certified IDR entity makes a payment determination must be made in full and cannot be reduced based on any prohibited increase in cost-sharing displayed on an EOB generated after an IDR payment determination.
Conclusion
It is likely that the departments will issue further guidance on gag clauses and the No Surprises Act in the future. Gag clause prohibition compliance and reporting is not impacted currently by any court cases but, due to the FAQs, will require careful attention by plans and issuers. In particular, plans and insurers will need to ensure that their contracts with TPAs and other service providers contain representations that the TPA or other service provider does not have any contracts with other parties that might prevent the plan or issuer from receiving required information or data. Meanwhile, TPAs and other service providers should make sure that their contracts with other parties do not have terms that prevent them from representing that they do not have any contracts with downstream entities that might cause a plan or insurer to violate the gag clause prohibition since plans and insurers will likely be requesting such representations after the departments’ new FAQ.
Notably, TMA III is still making its way through the courts, so compliance with the No Surprises Act might be impacted by future decisions. In the meantime, plans and insurers should be certain to follow the updated guidance in the departments’ FAQs.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.
If you have any questions, or would like additional information, please contact one of the attorneys on our Employee Benefits & Executive Compensation team.