Skip to content
a close up of a calculator

Is Your Self-Insured Health Plan Open for Target Practice?

Sep 7, 2023

Within Division BB of the Consolidated Appropriations Act of 2021 (“CAA”), Congress introduced the annual Gag Clause Prohibition Compliance Attestation (“GCPCA”). The gag clause prohibition prohibits health plans from entering contracts restricting specific data and information that a plan can make available to another party. Plans must annually attest that they have not entered contracts with prohibited restrictions. The first attestation is due by December 31, 2023, covering the period beginning December 27, 2020, through the date of attestation. Subsequent GCPCAs are due by December 31 of each year and cover the period since the last GCPCA was submitted. The attestation includes many new fiduciary duties related to health plans, which opens the door to participant litigation and agency penalties.

The Department of Health and Human Services (“HHS”) is collecting the attestations on behalf of the Departments of Labor (“DOL”) and the Treasury (“IRS”) (the “Departments”). The GCPCA is an attestation of compliance with IRC §9824, ERISA §724, and the Public Health Service Act (“PHS”) §2799A-9. The Departments launched a website through the Centers for Medicare and Medicaid Services (“CMS”) for the submission of attestations. The website includes instructions, a user manual and reporting entity Excel templates. Any plan sponsor filing a GCPCA may authorize any appropriate individual within the organization, such as the plan administrator, to attest on behalf of the plan.

While many think of the CAA as a COVID law, the provisions included in Division BB represent the most significant changes to health care since the Affordable Care Act (“ACA”). These changes, which include the GCPCA, are part of the broader price transparency provisions of the CAA, which also include patient protections against surprise billing, prescription drug cost reporting, machine-readable file cost disclosures, mental health parity comparative analysis disclosures and participant-level cost-sharing disclosures. Breaking open payer-provider contracts with new transparency requirements has given plan sponsors a new window into how their healthcare benefit dollars are spent, and it should lead to lower costs.

With the start of open enrollment season at the end of this year, there is only a short time to make sure that as a health plan fiduciary, you have reviewed de-identified claims and encounter information data for each participant or beneficiary of the plan. Knowing the agencies will enforce these duties, poachers are already out in the woods waiting to snare your plan participants for litigation, already posting advertisements seeking potential employee plaintiffs.

While the plan sponsor may be inclined to rely on the third-party administrator (“TPA”) to complete the attestation, note that the legal liability rests with the plan sponsor even if the plan enters into a written agreement for the TPA to complete the attestation. Since the TPA has primary control over the information or contract provisions subject to the reporting requirement, this can create tension between the parties. The CAA raises the bar on fiduciary governance for health plans. However, plan sponsors and their fiduciaries can meet the challenge with a good faith four-step process.

Form a Health and Welfare Plan Committee

The plan sponsor should form a fiduciary health and welfare plan committee with a charter and delegation of fiduciary duties to the committee if it has not previously done so.

Evaluate and Request Vendor Compensation Information

Like a 401(k) plan, the law prohibits the health plan fiduciary from paying more than a reasonable amount for services provided to the plan. The service providers arranged through the TPA may receive a commission from the TPA instead of direct payment from the plan sponsor or health plan. Such a financial arrangement makes it difficult for the plan fiduciary to know what it has paid for the advisor’s services. Fortunately, the fiduciary will have easier access to information about compensation since the law requires certain service providers to disclose specified information to a responsible plan fiduciary about the direct and indirect compensation that the service provider expects to receive in connection with its plan services.

Absent a health plan committee, those selecting the services will be deemed the responsible plan fiduciary. Those persons will then be responsible for confirming that they have received adequate disclosure and determining that the compensation paid is reasonable based on the services provided. If the fiduciary determines that the disclosures are inadequate, they must contact the service provider for additional information. If the information is not forthcoming within 90 days, they must report the service provider to the DOL and terminate the contract. Unless the fiduciary can benchmark the fees for reasonableness, they may want to issue a request for proposal to similar service providers or ask its TPA what its costs would be if indirect fees were eliminated. The fiduciary should remember that the service provider may also receive indirect compensation from other group benefits, such as life, disability, and other insurance.

Without adequate procedures for hiring and monitoring TPAs and pharmacy benefit managers (“PBMs”) or failing to determine that the health and prescription drug plan’s negotiated network discounts reflect market pricing and are comparable to the claims experience of similar plans, health plan fiduciary risk participant litigation.

A 2021 case illustrates the importance of fee disclosures. In that case, a consultant working for Arthur J. Gallagher & Co. was sued for taking undisclosed commissions from Cigna. In this case, a school board alleged that the consultant accepted secret commissions from insurance carriers and breached his duties when he failed to act in the board’s best interests and made various misrepresentations related to compensation and conflicts of interest. The case settled for $585,000.

Confirm All Gag Clauses Are Removed

This seems like a simple mandate. However, the gag clause removal prohibits a group health plan from entering into an agreement with a TPA, health care provider or other vendor offering access to a network of health care providers that would directly or indirectly prevent the plan from accessing certain cost and quality information and providing that information to its business associates. For instance, contracts cannot restrict contracting pharmacies from telling participants what they would pay for a drug if they paid directly and did not engage their plan, including any contractual penalties imposed on pharmacies by PBMs for this type of disclosure. Furthermore, contracts cannot restrict disclosure of provider rates even if a TPA considers the information proprietary and cannot provide a TPA with unilateral discretion over access to provider-specific cost and quality information.

The law states that the fiduciary should be able to electronically access de-identified claims information, including financial information, provider information and service codes. However, it appears that some TPAs have erected barriers to access by requiring health plan fiduciaries to agree to unreasonable confidentiality restrictions before disclosing claims information. In addition, some PBMs do not consider themselves subject to the new law.

Several plan sponsors have recently sued their TPAs for access to this information to fulfill their fiduciary duties. This includes two pending cases involving Elevance Health, implicating the gag clause prohibition in the fight between plan sponsors and their TPAs to access claims data. Elevance has filed motions to dismiss both cases, and the briefings submitted both in support of and in opposition to the motions highlights fundamental disagreements between certain plan sponsors and TPAs about the scope of the gag clause prohibition. Access to this information is critical to avoid making fiduciary decisions in the dark.

Request Your Plan Drug Data from the PBM

Adding to the transparency requirements are the Prescription Drug Data Collection (“RxDC”) annual reports. On June 1, health plans submitted the second annual information report on prescription drugs and healthcare spending. This data included valuable information for the plan sponsor, since it includes the financial impact of rebates, fees and other drug manufacturer payments to the health plan and the impact on premiums and employee out-of-pocket costs. Plan sponsors should request their plan-level drug data from the PBM to improve the plan participants' value, which is aligned with their fiduciary duties.


Beyond the $100 per day per covered individual penalty provided for in the Code and ERISA for failing to fulfill the above obligations, fiduciaries have the right to expect greater alignment from their service providers and the responsibility to deliver it to the plan participants. Business as usual is no longer safe and certainly not responsible. While the GCPCA presents another administrative burden for the plan sponsor, it also allows the sponsor to improve value to both the employer and plan participants through increased transparency.

What's on Your Mind?

a black and white logo

Stephen Mehaffey

Stephen Mehaffey is an Associate Director in the firm’s Tax Services Group and has over 25 years of accounting experience. 

Start a conversation with Stephen

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.