Legal Update: FAQs Provide New Guidance on Gag Clause Attestation Requirement

By Bolton January 31st, 2025

On Jan. 14, 2025, the Departments of Health and Human Services, Labor and the Treasury (Departments) issued frequently asked questions (FAQs) on the implementation of several federal transparency requirements, including the prohibition on gag clauses. Bolton Health is bringing this to your attention to ensure you fully understand your legal rights with respect to medical and pharmacy contracts. Please contact your Bolton representative if you would like to discuss a process to thoroughly vet current and future contracts.

Highlights

  • New FAQs provide guidance on the federal prohibition on gag clauses and related attestation requirement.
  • The FAQs clarify that agreements with TPAs and other service providers should prohibit these service providers from entering into downstream agreements that restrict the plan from accessing or sharing relevant information or data.
  • The FAQs also provide examples of impermissible clauses (see page 2).

Background

Federal law prohibits group health plans and health insurance issuers from entering into agreements with third-party administrators (TPAs) or other service providers offering access to a network of providers that contain gag clauses (i.e., provisions that restrict the plan or issuer from providing, accessing or sharing certain information about provider price and quality and de-identified claims).

Health plans and issuers must annually submit an attestation of their compliance with the prohibition of gag clauses to the Departments. These attestations are due on Dec. 31 of each year. Health plans and issuers that do not submit their attestations by the deadline may be subject to enforcement action.

New Guidance

The Departments’ FAQs provide the following clarifying guidance for health plans regarding the gag clause prohibition and attestation requirement.

Downstream Agreements

A health plan’s TPA or other service provider may have separate agreements (downstream agreements) with other entities to provide or administer the plan’s network. If such downstream agreements restrict the health plan from providing, accessing or sharing the relevant information or data, this would be a prohibited gag clause, even if the plan is not a party to the agreement. The Departments expect that, in their direct contracts with TPAs or other service providers, plans will include provisions that prohibit the TPA or other service provider from entering into a downstream agreement that restricts the plan from accessing or sharing relevant information or data.

De-identified Claims Data

To comply with the prohibition on gag clauses, health plans cannot enter into an agreement with a TPA or other service provider that restricts the plan from providing de-identified claims data to a business associate (consistent with applicable privacy rules), except at the discretion of the TPA or other service provider.

The following clauses are examples of impermissible gag clauses:

▪️ "The Plan shall only be granted access to a maximum of 5% of the total de-identified claims data from the previous calendar year, and only to the extent necessary to perform an audit, as determined by the TPA."

▪️ "Access to de-identified claims data shall be strictly limited to the purposes of conducting an audit and shall not be used for any other purpose, including but not limited to operational analysis, plan design changes, or vendor management."

▪️ "The Plan may request access to de-identified claims data no more than once per calendar year and must submit a formal request to the TPA at least 90 days in advance of the requested review date."

▪️ "The Plan is restricted to accessing no more than 500 de-identified claims per year, and only for outpatient services. Inpatient, emergency, and pharmacy claims will not be made available."

▪️ "The Plan may only access the following data elements from de-identified claims: diagnosis codes, procedure codes, and total claim amount. All other data elements, including but not limited to patient age, provider identifiers, or geographic location, are excluded from access."

▪️ "The Plan shall review de-identified claims data only on the premises of the TPA or carrier. Remote access to the data, whether electronically or otherwise, is prohibited."

▪️ "The Plan shall not share any claims data, including de-identified claims data, with any third-party business associate unless prior written consent is obtained from the TPA or carrier. Additionally, the business associate must execute a non-disclosure agreement (NDA) approved by the TPA or carrier before receiving any data."

▪️ "The Plan shall pay an access fee of $10,000 per request for de-identified claims data, regardless of the number of records requested, which must be paid prior to receiving any data."

▪️ "The Plan must implement and maintain cybersecurity policies, including encryption protocols, multifactor authentication, and third-party security audits, at the Plan's sole expense. The Plan must also maintain a dedicated cybersecurity insurance policy with a minimum coverage of $25 million, as approved by the TPA or carrier."