Gag Clause
Attestation Guide
October 2025

by Roxie Hixson · Oct 10, 2025

Overview

Gag Clause Prohibition

The Consolidated Appropriations Act, 2021 (CAA) amended the Employee Retirement Income Security Act (ERISA), the Public Health Services Act (PHSA), and the Internal Revenue Code to prohibit group health plans and health insurance carriers (referred to as “issuers” in the rules) from entering into agreements with providers, TPAs, PBMs or other service providers that include language that would constitute a “gag clause” (i.e., contract provisions that restrict specific data and information that a plan can make available to another party). A gag clause is contractual language that contains any of the following:

restrictions on the disclosure of provider-specific cost or quality of care information or data to referring providers, the plan sponsor, participants, beneficiaries, or enrollees;
restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee (consistent with the privacy regulations included in the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), and the Americans with Disabilities Act (ADA); and
restrictions on sharing information or data described in (1) and (2) with a business associate (as defined by HIPAA privacy regulations).

Limiting access to de-identified claims data to specific purposes (e.g., audit only), limiting the frequency or scope of access (e.g., only annually), requiring data to be viewed only at the vendor’s facility (no electronic transfer), or making data access subject to vendor discretion or approval are all examples of prohibited restrictions. Even indirect restrictions (e.g., by TPAs or PBMs) may qualify as prohibited gag clauses.

The requirements went into effect on December 27, 2020.

The gag clause prohibition requirements apply to virtually all employer-sponsored health plans, but not excepted benefits (e.g., stand-alone dental or vision, health FSA, EAP), retiree-only plans, or account-based plans (e.g., HRAs).

Gag Clause Attestation

Plans and issuers must annually submit an attestation of compliance with these requirements to the Departments of Labor (DOL), Health and Human Services (HHS), and Treasury (collectively, “the Departments”). The first attestation was due by December 31, 2023 (attesting to compliance for 2021 – 2023). Subsequent attestations are due annually by December 31. Agency guidance indicates that service providers (e.g., carriers or TPAs) may attest for the group health plan on behalf of sponsoring employers, carriers and TPAs have taken a varied approach on this. If the service provider indicates a willingness to attest on behalf of the plan, the employer can rely on that attestation. However, if any of the service providers will not attest on the plan’s behalf, the employer will need to reach out to such service providers and ask them to confirm that no gag clauses are present in the contracts they have entered into with providers on behalf of the plan. The reality is that employers cannot do much more than ask for this confirmation since employers generally do not play a role in the contracting and may not have access to all contracts entered into on behalf of the plan.

The attestation requirement is a fairly straightforward process, requiring only some plan identifying information, employer contact information, and a checked box and signature to indicate compliance. This is all done via a website portal.

Gag Clause Attestation Resources

CMS created a webpage with information about how to comply with the gag clause prohibition as well as how to attest to compliance, which you can find here – Gag Clause Prohibition Compliance Attestation | CMS
The website for submitting the attestation can be found here – Gag Clause Attestation | Welcome!
Questions or difficulties with the attestation process can be submitted to – CMS_FEPS@cms.hhs.gov (put GCPCA in the subject line).

Which Plans Must Comply?

The gag clause prohibition and attestation requirements apply to all group health plans, but not excepted benefits (e.g., stand-alone dental or vision, health FSA, EAP), retiree-only plans, or account-based plans (e.g., any type of HRA, including individual coverage HRAs (ICHRAs)). Both fully-insured and self-funded plans are subject to the requirements, as well as grandfathered plans, grandmothered plans, ERISA plans, and non-ERISA plans. Therefore, in addition to group medical plans, telehealth programs and direct primary care arrangements are subject to the requirements. However, employee assistance programs (EAPs) and onsite clinics, which typically qualify as excepted benefits, would not be subject to the requirements.

Plans Subject to the Requirements	Plans NOT Subject to the Requirements
Fully-insured group health plans Self-funded group health plans Grandfathered plans Grandmothered plans Non-federal governmental plans Church plans Tribal health plans that qualify as ERISA plans or state or local government plans	Account-based plans (e.g., HRAs) Retiree-only group health plans Excepted benefits, including, but not limited to: Hospital indemnity or fixed indemnity insurance Disease-specific insurance Stand-alone dental, vision, and long-term care Employer on-site health clinics Accident-only, disability, and workers’ compensation Short-term limited-duration insurance Group health plans without any provider or service agreements in the U.S.

Plans Subject to the Requirements

Plans NOT Subject to the Requirements

Fully-insured group health plans

Self-funded group health plans

Grandfathered plans

Grandmothered plans

Non-federal governmental plans

Church plans

Tribal health plans that qualify as ERISA plans or state or local government plans

Account-based plans (e.g., HRAs)

Retiree-only group health plans

Excepted benefits, including, but not limited to:

Hospital indemnity or fixed indemnity insurance

Disease-specific insurance

Stand-alone dental, vision, and long-term care

Employer on-site health clinics

Accident-only, disability, and workers’ compensation

Short-term limited-duration insurance

Group health plans without any provider or service agreements in the U.S.

Each group health plan that is subject to the reporting is considered a “responsible entity” required to comply and attest to compliance. If an employer offers multiple group health plans with separate ERISA plan numbers, the employer must attest for each ERISA plan separately (although a spreadsheet listing out each plan separately and providing the information specific to each plan will allow the required information to be provided for each separate ERISA plan within a single attestation). On the other hand, if the employer has bundled its group health plans into a single ERISA plan (with a single ERISA plan number) by use of a WRAP document, then a single attestation can be filed on behalf of the employer’s single ERISA plan.

Beyond the carriers and TPAs involved with the group medical plan, there may be additional service providers that need to be considered as part of the attestation to the extent that they are involved in contracting with providers on behalf of the employer’s group health plan. For example, provider contracts with and coordinated by PBMs, behavioral health vendors (e.g., network agreements for mental health providers), telehealth arrangements, direct primary care arrangements, and other medical providers (e.g., access to preferred pricing for certain procedures if using particular providers) are also prohibited from having gag clauses and should be considered by the employer when attesting to compliance. NOTE: 2025 agency FAQs make clear that the gag clause prohibition extends to downstream agreements (i.e., contracts entered into by a TPA, PBM, or network on behalf of a plan). Even if the plan itself is not a direct party to a restrictive clause, the plan could be noncompliant if its vendors’ subcontracts limit data sharing. Plans are expected to include language in direct contracts requiring vendors not to enter into downstream agreements that would violate the prohibition.

When is the Attestation Due?

The first attestation was due by December 31, 2023 to attest to compliance for 2021 – 2023.

Subsequent attestations are due annually by December 31^st and should cover the period of time since the plan’s last attestation. For example, if the attestation was last completed November 15, 2024 and the attestation is now being completed on November 2, 2025, the plan must attest to compliance for November 16, 2024 – November 2, 2025.

Who Must Complete the Attestation?

Employers rely primarily on their carrier or TPA to contract with medical providers to provide services to group health plan participants. The Departments recognize this and allow employers to rely on their carrier or TPA to submit the attestation on behalf of their employer-sponsored plans. However, the carrier and/or TPA may not be willing to do so, especially if the employer separately contracts with other service providers on behalf of the group health plan (e.g., pharmacy carve-out with a PBM not managed by the carrier or TPA). When that is the case, the employer may have to attest on behalf of its group health plan, at least for some of its service providers.

Each plan must ensure that every contract tied to its group health coverage (carrier, TPA, PBM, behavioral health vendor, telehealth, etc.) is included in some attestation, whether submitted by the employer, carrier, or another service provider.

Plans and issuers are required to file an attestation each year even if certain vendor agreements remain under review or contain potential gag clauses. Such situations should be disclosed in the attestation form’s “Additional Information” section, along with a description of corrective actions taken.

Fully-Insured Group Health Plans

Carriers are required to submit an attestation regarding the group and individual health plans they offer, so the carrier could agree to attest on the employer’s behalf as well. Many carriers will offer to do so, in which case employers may rely on the carrier to submit the required attestation, but it is recommended that the employer seek assurance from the carrier that the attestation is being submitted on their behalf.

In some cases, the carrier may choose only to attest on its own behalf and not on behalf of the employer as plan sponsor. The carrier may have concerns about attesting on the employer’s behalf without knowing whether there are additional contracts with other service providers not coordinated by the carrier. If the carrier is not willing to attest on the employer’s behalf, or if the employer does have separate contracts in place with other service providers (e.g., PBM or telehealth provider), then the employer will need to attest on behalf of the plan.

Self-Funded Group Health Plans

The TPA and other service providers for a group health plan are not directly subject to the gag clause prohibition or attestation requirements, but such service providers are often directly involved in contracting on behalf of the group health plan and administering the plan accordingly. For this reason, the rules specifically permit the service providers to attest to compliance on behalf of the plan if the employer enters into a written agreement under which the plan’s service provider(s) will submit the required attestation. The Departments point out that if a self-funded plan chooses to enter into such an agreement with the plan’s service provider(s), the legal requirement to provide a timely attestation remains with the employer’s plan. It is certainly possible that the plan’s service providers will agree to attest on behalf of the plan, in which case the employers may rely on such attestation. However, for a self-funded plan, it is perhaps more likely that the employer will need to attest on behalf of the plan, at least for some of its service providers.

Attestation Process

Estimated time to complete the attestation: 15-30 minutes if all information needed for the attestation is available.

Step 1: Identify All Service Providers

Employers should make a list of all service providers in connection with its group health plan during the attestation period (i.e., from the date of the last attestation up through the date of the current attestation).

Step 2: Confirm Attestation/Compliance for all Service Providers

Employers should confirm which service providers will attest on behalf of the plan.

For any that will do so, the employer can rely on their attestation and should keep documentation or their written agreement to handle the attestation in the employer’s files.
For any service providers that will not attest on behalf of the employer’s plan(s), the employer should review related contracts to confirm there are no prohibited gag clauses. Alternatively, the employer should reach out to the service providers and ask for written confirmation that the contracts they handle on behalf of the group health plan do not contain any prohibited gag clauses. Such documents should be kept in the employer’s files. The employer will then need to go through the attestation steps set forth below.

Step 3: Website Access

Go to https://hios.cms.gov/HIOS-GCPCA-UI

Obtain Unique Authentication Code

Click on “Don’t have a code or forgot yours?”
Enter an email address and click “Get my unique code” (code will be emailed within 10 minutes or less).

Access Attestation Submission Form

Go back to the home submission page to enter the email address and code and login. NOTE: The authentication code will only provide access for 15 days, after which time it would be necessary to obtain a new code (however, previously entered information tied to the email address will be saved).

Step 4: Complete the Attestation Form

From the Gag Clause Prohibition Compliance Attestation (GCPCA) Dashboard, click on “Start a new submission” or “Start a new Gag Clause Prohibition Compliance Attestation.” Both boxes/links will take you to the same place, allowing you to begin the attestation process.

The attestation form is made up of 5 sections, and the form must be completed sequentially. It is necessary to complete a section and then click “Save and continue” before you can advance to the next section. It is possible to stop mid-process and then return and complete the other sections later by clicking either “Save and exit” at the end of the current section or by clicking “Return to GCPCA dashboard” at the top of the screen. The process can be picked up again at any time by logging in and clicking on the “Submission ID” number on the GCPCA Dashboard.

There are two roles in the attestation process, the “Submitter” and the “Attester”, but both roles could be played by the same individual. The Submitter is responsible for initiating the attestation process via CMS’ website and entering in the required information about the Submitter, the Attester, and the group health plan. The Attester is responsible for reviewing the information entered and signing off on the group health plan’s attestation of compliance with the gag clause prohibition rules. The Attester must have the legal authority to sign for the company (e.g., the person who signs off on the Form 5500 or Form 1094-C). An employer could authorize a third-party to act as the Attester on its behalf (e.g., via a written agreement).

Submitter Responsibilities

Sections 1 – 3 of the form will be completed by the Submitter. This portion of the form asks for information about the Submitter, the Attester, and about the responsible entity (e.g., employer EIN, group health plan number). Section 4 is a summary of the information provided in Sections 1 – 3 for the Submitter to review.

After confirming that the information entered is correct, the Submitter will either notify the Attester to review and complete the attestation in Section 5; or if the Submitter is also the Attester, the Submitter should move on to the final section and complete the attestation in Section 5.

Attester Responsibilities

The Attester should review the information in Section 4 to confirm accuracy and then Section 5 must be completed by the Attester (which may be the same individual as the Submitter). This section requires a formal attestation that the information entered is correct along with a signature.

Step 5: Confirm Submission

If the attestation is successfully submitted, the Attester should see a screen indicating the submission was successful along with the date and time. There is an option to download a receipt of the successful submission. It is recommended that the employer download the receipt and keep it in the employer’s files.

Screenshots along with further instructions for each of the 5 sections of the form can be found in Appendix A. FAQs can be found in Appendix B. In addition, you may find the CMS instructions and user manual helpful, both of which can be found on CMS’ main information page and within the gag clause attestation portal.

Appendix A – Attestation Process Screenshots

GCPCA Dashboard

Appendix B – FAQs

Does the timing of an attestation in one year affect the due date in subsequent years?

The timing of the attestation in one year does not affect the due date for the attestation the next year. The due date will always be on or before (by) December 31. However, the timing of the attestation will affect what period the plan is attesting for. For example, if the attestation is done December 5, 2025, it will be an attestation up through December 5, 2025. When the plan then attests next year (e.g., November 19, 2025), the attestation will cover the time frame December 6, 2025 through December 19, 2026.

See the following FAQ from CMS – https://www.cms.gov/files/document/aca-part-57.pdf

Q6: What is the due date for the Gag Clause Prohibition Compliance Attestation?
The first Gag Clause Prohibition Compliance Attestation is due no later than December 31, 2023, covering the period beginning December 27, 2020, or the effective date of the applicable group health plan or health insurance coverage (if later), through the date of attestation. Subsequent attestations, covering the period since the last preceding attestation, are due by December 31 of each year thereafter.

Some have asked whether an attestation must be made within 12 months of the previous attestation. The instructions require subsequent attestations to be filed no later than December 31 of each calendar year and to attest to compliance for the time period since the last attestation. There does not appear to be any requirement that a subsequent attestation be made within one year of the prior one.

How many attestations are required on behalf of a single group health plan?

The answer will vary depending upon the group health plan’s set-up. For example, for a fully-insured plan coordinated solely through a carrier, only a single attestation is generally required (and will likely be handled by the carrier). Similarly, for a self-funded group health plan, the TPA or employer could attest on behalf of all service providers in connection with the plan in a single attestation. However, it is also possible for the employer and/or different service providers to separately attest to compliance on behalf of the plan, resulting in multiple attestations tied to a single group health plan to ensure that there is a complete attestation as to all provider contracts in place for the group health plan.

There is a question in the submission form asking if the attestation is being submitted on behalf of all service providers involved with the plan. If “yes,” then only one submission would be required on behalf of the group health plan. If “no,” then any service provider that is not part of the attestation would also need to attest, or the employer would need to attest to such contracts. NOTE: An employer who is attesting will generally only submit a single attestation in connection with all service providers involved with its group health plan over the attestation period. The employer does not submit a separate attestation for each service provider, or for different time frames, but instead is able to attest to some or all service providers (if not other service providers will separately attest) in a single attestation.

If multiple employers participate in a single group health plan, does each participating employer attest separately?

Reporting is generally handled on a per plan basis, but reporting requirements may differ depending on whether the participating entities form a controlled group due to common ownership (under IRS §414 rules) or whether the plan is a multiple employer welfare arrangement (MEWA).

Controlled Group

When entities that are part of the same controlled group share benefit plans, the employers are treated as a single employer. Therefore, a single attestation by whichever company is designated the plan sponsor should be adequate if the attestation covers all service provider contracts tied to the group health plan.

MEWA

When a MEWA is formed, the MEWA may be treated as a single plan at the MEWA level if certain commonality and control requirements are met. However, more often, each participating employer is deemed to have a separate ERISA plan. If there is a single ERISA plan at the MEWA level, a single attestation by the MEWA plan sponsor would be adequate. On the other hand, if each participating employer sponsors a separate ERISA plan, then each participating employer is responsible for ensuring an attestation is submitted on behalf of their plan.

What if an employer changes carriers, TPAs or service providers during the attestation period?

If there was more than one carrier or TPA involved with the group health plan during the attestation period, the employer must ensure that the attestation covers all such contracts. The employer is responsible to confirm that no prohibited gag clauses existed in any applicable contracts with service providers during the attestation period and will need to ensure that all such service providers are attesting on behalf of the plan; alternatively, the employer would need to attest on behalf of any contracts that any of the service providers do not agree to attest to on the employer’s behalf.

An employer who is attesting will generally only submit a single attestation in connection with all service providers involved with its group health plan over the attestation period. The employer does not submit a separate attestation for each service provider, or for different time frames, but instead is able to attest to some or all service providers in a single attestation.

When must a spreadsheet be included in the attestation?

The spreadsheet is required only when the same responsible entity is attesting to multiple different group health plans. This will often be the case for carriers or TPAs reporting on behalf of employer plans but is less likely to be the case for employers completing the attestation. If all of the employer’s group health plans subject to the attestation have been bundled into a single ERISA plan, the employer may report on behalf of just the one plan and attest to all benefit arrangements at once. However, if they have not been bundled into a single ERISA plan by use of a wrap document and instead are separate ERISA plans, then the employer will need to use the spreadsheet to report on behalf of each of the separate ERISA plans.

What does “Are you attesting on behalf of all service providers” mean?

This question is not asking about how many different benefits or plans an employer maintains but instead is asking about the different types of provider agreements related to the employer’s group health plan(s). Whether an employer will attest on behalf of all service providers will vary. For example, a single group health plan may have separate contracts in place for its TPA and PBM, in which case there are two different service providers involved with the employer’s group health plan. In this example, if the employer is attesting to the agreements in place with the TPA and the PBM, the employer would answer “yes.” But if the employer is only attesting to the agreements in place with the PBM (because the TPA is separately attesting to the TPA’s agreements), then the employer should answer “no” and indicate that it is attesting solely on behalf of the PBM agreements.

What should an employer do if some of its service providers are unwilling to cooperate?

Most carriers and TPAs (and perhaps PBMs) will probably attest on behalf of the group health plan or will at least provide written confirmation of compliance with the gag clause prohibition for any of their contracts. However, other service providers such as telemedicine vendors and direct primary care arrangements may not be as helpful. Service providers beyond the carriers, TPAs and PBMs may think of themselves as providers and not as group health plans (and technically they are not group health plans). But the employer offering such arrangement to employees creates a group health plan subject to the gag clause prohibition and attestation requirements. Such service providers are less likely to agree to do the attestation because they are not directly required to do so, but the employer has the ability to review contracts in place with such service providers or could reach out and ask them to certify that they do not have any gag clauses in their contracts with providers. If the service provider is willing to provide that certification, then the employer has what is needed to attest to compliance, and the certification is kept in the employer’s files. If the service provider(s) will not provide a confirmation of compliance for its contracts, the employer still has a record of its good faith attempt to reach out to all service providers and could describe this effort in the “Additional Information” text box available in the attestation form.

Should documentation of verification/attestation from a service provider be included in the attestation submission?

There is not an option to upload anything into the attestation portal other than the spreadsheet used when reporting is done for multiple group health plans. CMS guidance indicates employers should keep in their records any communication with carriers, TPAs, PBMs, and other service providers confirming compliance with the gag clause prohibition.

Are the Submitter and the Attester the same person?

Sometimes, yes. When the employer is handling the attestation on behalf of their group health plan(s), one individual may play both roles as the Submitter and the Attester. It is also possible that an individual that does not have the authority to sign the attestation goes through and fills out all of the required information (playing the role of the Submitter), and then a separate individual with signing authority provides a final review and signature (playing the role of the Attester), in which case there would be two different individuals as the Submitter and Attester.

Is it okay to rely on a carrier’s or TPA’s attestation?

It should be reasonable to rely on the service provider’s representation that there are no gag clauses in their contracts. The reality is that the employer’s role in negotiating the contracts, and even access to the contracts themselves, may be limited, in which case many employers will have to rely on the service providers’ representations.

What is the penalty for noncompliance?

For failure to attest on behalf of a group health plan, the penalties are not clear. The FAQs from the tri-agencies state “Plans and issuers that do not submit their attestation, as required under Code section 9824, ERISA section 724, and PHS Act section 2799A-9, by the deadlines above may be subject to enforcement action.” Presumably, they could assess the standard $100 per violation per day excise tax that applies when a plan violates a requirement of the tax code.

Maybe…it may take some additional regulatory guidance and court decisions to force this behavior. It’s not perfectly clear what is and is not permitted under the current framework. It is certainly worth pushing back on any refusal to share such information and asking for clarification as to what permits the service provider to avoid providing the information in light of the gag clause prohibition.