Skip to content

Severe flooding in Washington state. Find safety information and coverage support. View flood resources

Compliance Alert

Gag clause attestation deadline approaching

The Baldwin Group
|
Updated: November 6, 2025
|
4 minute read

Overview

As the end of the year is approaching, it is time for employer-sponsored health plans to complete a mandatory compliance task: the Gag Clause Prohibition Compliance Attestation (“GCPCA”), required by the Consolidated Appropriations Act of 2021 (“CAA”).

The annual attestation is due by December 31, 2025.

Action Items

The key to a smooth attestation is knowing the plan type and coordinating with service providers (insurers/TPAs/other issuers).

1. Fully insured health plans

For fully insured plans, both the health plan (employer/sponsor) and the insurance company (issuer) are technically responsible for the attestation.

  • Action: In practice, the Centers for Medicare & Medicaid Services considers the requirement satisfied if the insurance company submits the attestation on the plan’s behalf.
  • Best practice: Confirm in writing with the insurance company that they are submitting the attestation for the plan and maintain the written agreement in the plan’s compliance files. No further action may be required from the employer if the insurance company attests.

2. Self-funded health plans

For self-funded plans (including level-funded), the plan sponsor (employer) is ultimately liable for ensuring the attestation is submitted.

  • Action: The plan may choose to submit the attestation or delegate the task to the third-party administrator (“TPA”) or other service provider (pharmacy benefit manager (“PBM”), behavioral health vendor).
  • Crucial step: If the plan chooses to delegate, the plan must have a written agreement stating the service provider will submit the attestation. Although the service provider may complete the submission, the legal responsibility remains with the plan sponsor. If the TPA misses the deadline, the plan sponsor is still responsible.
  • Best practice: Determine the plan’s delegation strategy and obtain written confirmation now. If the TPA will not file, the plan must be prepared to submit the attestation directly through the CMS web portal.

3. Review plan contracts

Regardless of the plan type, plan sponsors should ensure that current contracts—and any downstream agreements the TPA/PBM enters—do not contain prohibited gag clauses. If the plan is aware of a noncompliant provision that a service provider refuses to remove, the plan must still submit the attestation and use the “Additional Information” text box to self-report the issue.

Key takeaway

The December 31, 2025 deadline for the CAA Gag Clause Attestation is a firm obligation. The complexity lies not just in the filing, but in the underlying requirement to ensure the plan’s service agreements do not restrict data access.

The Baldwin Group is prepared to assist plans with confirmation of who is responsible for the submission and get the necessary confirmation for plan records. Proactive verification is the best defense against non-compliance and potential enforcement action.

Summary

What is a “gag clause” and why the obligations?

A “gag clause” is a contractual provision that prevents a health plan or insurance company from sharing certain information related to healthcare price and quality.

The CAA includes a transparency rule that prohibits plans and insurance companies from entering contracts with providers, TPAs, PBMs, or other service providers (including downstream agreements) that restrict the plan or issuer from:

  1. Providing provider-specific cost or quality-of-care information to participants, the plan sponsor, and others.
  2. Electronically accessing de-identified claims and encounter data (such as allowed amounts, provider names, and service codes).
  3. Sharing the above information with a HIPAA business associate.

This rule is designed to ensure plan sponsors and participants can access the data they need to make informed decisions and manage costs, without being restricted by service provider contracts.

The GCPCA is a formal, annual certification submitted to the Departments of Labor, Health and Human Services, and the Treasury (“the Departments”) confirming that the health plan has been and is in compliance with this prohibition.

Who needs to file?

The attestation applies to most group health plans, including:

  • Fully insured medical plans;
  • Self-funded (including level-funded) medical plans; and,
  • ERISA plans, church plans, and governmental plans.

Note: Plans that only offer “excepted benefits” (such as stand-alone vision or dental) or account-based plans (such as Health Reimbursement Arrangements (HRAs) and Health Flexible Spending Accounts (FSAs) are generally not required to attest.

Additional Information & Related Resources

For questions regarding this Alert or any other related compliance issues, please contact your Baldwin Group client experience team.

For more information

We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.

Connect with Us

This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.

The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.

Related Insights

Stay in the know

Our experts monitor your industry and global events to provide meaningful insights and help break down what you need to know, potential impacts, and how you should respond.

View related insights
Compliance
What is a "point solution" and why is compliance challenging?
What is a point solution? “Point Solutions” are offered by third-party vendors in the employee benefits marketplace and include a...
Read More  
Compliance
A road map for point solution compliance assuredness
Use this roadmap to understand how legal and tax obligations may apply to specific benefit offerings and to guide program...
Read More  
Compliance
Mental Health Parity Cost Projections and Behavioral Health Transition Plan​
Behavioral Health is Indicative of a High-performing Culture​ Behavioral health (that is, mental health and substance use disorder, collectively) is...
Read More  
Compliance
Overview of the HIPAA Complete Solution for Privacy &Security Compliance
Part I: Overview of HIPAA Standards and Requirements  To improve the efficiency and effectiveness of the health care system, the...
Read More  
Compliance
Understanding HIPAA Excepted Benefits
What are Excepted Benefits? Excepted benefits are benefit products that are designed to supplement comprehensive medical coverage. They often provide...
Read More  
Let's make it possible

Partner with us to build solutions that align with your business, individual, or employee needs and open new possibilities for your future.

Connect with us