New No Surprises Act and Gag Clause Guidance Issued

On January 14, 2025, the Departments of Labor, Health and Human Services, and the Treasury (“the Departments”) issued FAQ Part 69 to clarify:

• Open negotiation and notice and disclosure requirements for plans or issuers, and providers related to the Independent Dispute Resolution (“IDR”) process,
• The coordination of the surprise billing rules between plans or issuers, providers, and facilities about the out-of-pocket rate for items or services subject to the No Surprises Act (“NSA”) in cases where state law does not provide a method for determining the out-of-pocket rate,
• Plan sponsor responsibilities related to gag clauses included in subordinate agreements, and
• The Gag Clause Prohibition compliance attestation (“GCPCA”) requirements when gag clauses remain in provider agreements.

NSA Background

Since its initial passage under the Consolidated Appropriations Act, 2021 (the “CAA”), the NSA provides protections against surprise medical bills for participants, beneficiaries, and enrollees of a group health plan offered by a health insurance issuer with respect to certain out-of-network costs. This is primarily achieved by limiting individual cost-sharing for NSA covered claims to an amount based on the qualified payment amount (“QPA”). However, the method for calculating the QPA has been the subject of litigation. As a result, plans and issuers face significant challenges in calculating QPAs that comply with the NSA.

NSA IDR Process

As part of the NSA, the Departments established a federal Independent Dispute Resolution (“IDR”) process for resolving disputes between plans or issuers and providers, facilities, or providers of air ambulance services related to reimbursement amounts subject to the NSA. The payment determination that results from the IDR process relies heavily on the QPA. Notably, FAQ 69 addresses the impact of recent litigation on the final rules, including a United States Court of Appeals for the Fifth Circuit opinion, which partially reversed an opinion of the lower district court regarding provisions related to the methodology for calculating QPAs, and affirmed the district court’s decision to vacate certain deadline provisions.

Additionally, FAQ 69 addresses several other implementation questions under the NSA including:

• QPA payment calculation for purposes of determining patient cost-sharing,
• Requirements for initial payments or notices of denial of payment and related disclosures when the disclosures are not provided at the same time or in the same format,
• Requirements for the initiation of open negotiation periods and the federal IDR process,
• Requirements for patient cost sharing for OON emergency services and applicable non-emergency items and services,
• Clarification that cost sharing for individuals may not be increased after the IDR process results in a payment determination, and
• Extending enforcement discretion related to QPA calculation for claims before August 1, 2025.

Gag Clause Prohibition Attestation Compliance

As previously reported, group health plans and health insurance issuers (“carriers”) are prohibited from entering into an agreement with a health care provider, network or association of networks, third-party administrator (“TPA”), or other service provider offering access to a network that would directly or indirectly restrict the plan or issuer from:

1. Making provider specific cost or quality of care information available to eligible participants, beneficiaries, and enrollees of the plan,
2. Electronically accessing de-identified claims and encounter information upon request, and
3. Sharing such information as described above with a business associate.

These prohibitions are collectively referred to as the “Gag Clause Prohibition,” which went into effect on December 27, 2020. Along with this prohibition, plans and issuers must annually submit an attestation of compliance, the GCPCA, with these requirements to the Departments.

The Departments have previously issued guidance on these requirements, including clarification on the meaning of “gag clause” and the attestation process. FAQ 69 continues the trend of answering questions about the prohibition and requirements. This latest FAQ provides the following clarifications:

• Downstream agreements that contain gag clauses violate the Gag Clause Prohibition.
  • For this purpose, a downstream agreement is where the TPA or other service provider that offers access to a network of providers may have separate agreements with entities other than the plan (or carrier) to provide or administer the plan’s (or carrier’s) network. Restrictions in those downstream agreements will also constitute a prohibited gag clause if the plan (or carrier) is restricted from providing, electronically accessing or sharing information described in (1).
• Agreements between healthcare providers, networks, TPAs, or other service providers and plans may not restrict de-identified claims data from being shared between the plan and a business associate,
• A limitation on the scope, scale, or frequency of electronic access to de-identified claims and encounter information is a restriction on de-identified claims and encounter information or data that is prohibited by the Gag Clause Prohibition, to the extent the provision places unreasonable limits on the ability of plans and issuers to access such information upon request. The FAQ includes the following examples of some restrictions on an audit or claims review that would be considered an impermissible gag clause:
  • Limiting access to a statistically significant or the "minimum necessary" number of de-identified claims;
  • Limiting the scope of access to the data to specific, narrow purposes (such as limiting access to the context of an audit);
  • Unreasonably limiting the frequency of claims reviews (e.g., no more than once per year);
  • Limiting the number and types of de-identified claims that a plan or issuer may access;
  • Restricting the data elements of a de-identified claim that a plan or issuer may access; and
  • Providing access to de-identified claims data only on the TPA's or service provider's physical premises.
• Plans and issuers that are aware of the presence of a gag clause in their agreements must still submit the annual GCPCA. They may use the GCPCA webform system in the text box labelled “Additional Information” on Step 3 for this purpose. Such additional information includes (but is not limited to):
  • any prohibited gag clauses that a service provider has refused to remove;
  • the name of the TPA or service provider with which the plan or issuer has the agreement containing the prohibited gag clause;
  • conduct by the service provider that shows the service provider interprets the agreement to contain a prohibited gag clause;
  • information on the plan's or issuer's requests that the prohibited gag clause be removed from such agreement; and
  • any other steps the plan or issuer has taken to come into compliance with the provision.

It is important to note that The Departments have indicated that a plan or issuer that submits an attestation of compliance that includes such additional information will be considered to satisfy the requirement to submit a GCPCA, and the Departments will consider good-faith efforts to self-report a prohibited gag clause in any enforcement action.

Employer Action

The requirements of the NSA are handled by carriers and TPAs but typically at an additional cost per claim subject to NSA requirements. Employers sponsoring group health plans may receive communications from carriers or TPAs related to this guidance. Plan sponsors may also want to confirm that their carriers or TPAs are complying with all NSA requirements related to calculation and disclosure of QPAs as it relates to the QPA calculation method.

Plan sponsors should also expect to comply with the GCPCA requirements.

• For fully insured plans, most carriers are subject to the gag clause prohibition and will submit the attestation on behalf of the carrier’s own responsibility and that of the plan. Employers sponsoring fully insured plans should confirm the carrier will submit the GCPCA and that their contracts are free from prohibited gag clauses.
• For self-funded plans (including level funded), most TPAs and other vendors will not submit the GCPCA on behalf of the plan. This is an employer’s responsibility. It will be important to confirm with vendors that there are no gag clauses (including in downstream agreements). As noted in the FAQ, even if there are gag clauses in the agreements, plans must still submit the attestation.
• A limitation on the scope, scale or frequency of electronic access on de-identified claims is a prohibited gag clause as is restricting plans from accessing de-identified claims data. Carriers or TPAs that impose limits or restrictions on accessing de-identified claims data or sharing such data with business associates of the plan have impermissible gag clauses.

We will continue to monitor developments in this area.