Factors for compliance: CAA gag clause attestations

With the first of the CAA’s annual gag clause attestations due at the end of this year, we have been inundated with questions about the process, who is required to complete it, and what assistance TPAs and other industry players are providing to plans. While these obligations fall on health plans themselves, plan sponsors will almost universally rely on vendors like TPAs and networks for assistance. As such, the industry is in a state of flux as it waits for new “norms” to develop regarding best practices and what will be reasonable for a plan sponsor to expect as far as assistance. We have already seen the full gamut, from TPAs providing no assistance whatsoever, to submitting the plan’s attestation on its behalf, to actually reviewing contracts for their customers and submitting the attestation.

What we haven’t seen, however, is questions about the actual contract review process – what is a gag clause, and what are the situations in which one would or wouldn’t impact the plan’s attestation? To this point, it makes sense to look at the actual text of the CAA. The gag clause contract prohibition provides as follows:

…A group health plan … may not enter into an agreement with a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would directly or indirectly restrict a group health plan or health insurance issuer offering such coverage from —

(A) providing provider-specific cost or quality of care information or data … to referring providers, the plan sponsor, enrollees, or individuals eligible to become enrollees of the plan or coverage;

(B) electronically accessing de-identified claims and encounter information or data for each enrollee in the plan or coverage, upon request and consistent with [applicable law]…

(i) financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;

(ii) provider information, including name and clinical designation;

(iii) service codes; or

(iv) any other data element included in claim or encounter transactions; or

(C) sharing information or data described in subparagraph (A) or (B), or directing that such data be shared, with a business associate…

Additionally, health plans must make an annual submission attesting that they are in compliance with this requirement (in other words, that their contracts are free of impermissible gag clauses).

These definitions are clear, and many, if not most, provider and network agreements will contain broad confidentiality clauses that qualify as gag clauses. What isn’t addressed in the regulations is how other contract language that interacts with these gag clauses impacts whether they would trigger the attestation requirement. For example, many contracts contain provisions stating that their confidentiality provisions don’t apply to any disclosures that would be required by law. Would such a provision save a contract containing a gag clause from triggering the attestation requirement? In our view this is a clear-cut no – the gag clause prohibition doesn’t require any disclosures be made by any entity, rather, it prohibits plans from entering into contracts that prohibit certain disclosures.

Another issue has more of a “gray area” however – what about when a contract contains a broad severability clause? These clauses essentially provide that if any provision of the contract is contrary to law, it is deemed removed and unenforceable. On the one hand, such a contract wouldn’t actually prohibit a plan from disclosing the information in question. On the other hand, the gag clause prohibition doesn’t just apply to enforceable gag clauses, and the law is aimed at transparency – the mere presence of a gag clause can have a chilling effect on transparency and discourage access and disclosure. Parties can disagree on whether a provision is enforceable, and the fear of a conflict over such a provision can be powerful.

Related: The CAA will ensure that doing the right thing is the only option

So, our suggestion would be to remove any such gag clauses and not to rely on severability provisions. If they cannot be removed or amended to comply with the CAA, the plan would have to disclose the presence of the gag clause(s) in its annual attestation. The industry is still going through growing pains to develop industry norms regarding this and a flurry of other new requirements imposed in recent years. Until that happens, we expect a great many more questions and challenges like these.

Andrew Silverio serves as Compliance and Oversight Counsel, primarily focusing on the most complex and emerging legal and regulatory issues, both internally and for our clients as a member of Phia Group Consulting. Andrew is also The Phia Group’s HIPAA privacy officer.