Gag Clause - CAA

Under the Consolidated Appropriates Act, a group health plan or insurer may not enter into an agreement with a health care provider, network or association of providers, Third Party Administrator (TPA), or other service provider offering access to a network of providers that would directly or indirectly restrict a group health plan or insurer from providing provider-specific cost or quality of care information or data, electronically accessing de-identified claims and encounter information or data for each enrollee or sharing that information or data with a business associate.

A health care provider that contracts with an insurer or health plan may not prohibit the insurer or health plan from providing provider-specific cost or quality information or data through a consumer engagement tool or other method. This information may be shared with the plan sponsor, members or individuals eligible to participate in the plan.

Group health plan contracts or agreements will not be permitted with the provider, network or association of providers, TPAs or other service providers if they:

  • Restrict access to cost or quality data to enrollees, plan sponsors or providers.
  • Prevent electronic access of deidentified claims or encounter information for enrollees in a plan including:
    • Financial information such as allowed amount or claims-related financial obligations included in the provider contract.
    • Provide information including name and clinical designations
    • Service codes or other data elements in claim or encounter transactions.

Individual health plan contracts or agreements must adhere to Health Insurance Portability and Accountability Act of 1996 (HIPAA), Genetic Information and Nondiscrimination Act of 2008 (GINA) amendments, and Americans with Disabilities Act of 1990 (ADA) in regard to sharing of data for plan designs, plan administration, and plan financial, legal and quality improvement activities with business associates.

Existing privacy protections remain in place and may not be changed, such as HIPAA.

No contracts or agreements with providers, networks or association of providers, TPAs are permitted if the data or information would violate HIPAA.

The insurer or health plan must submit an attestation confirming compliance, annually on Dec. 31, beginning with Dec. 31, 2023.

Surest Confirmation of Compliance (pdf)
UHC Confirmation of Compliance (pdf)
UMR Comfirmation of Compliance (pdf)