Frequently Asked Questions

Consolidated Appropriations Act (CAA)

Who has to comply with CAA?

The CAA applies to every employer health plan that is subject to ERISA. The CAA amends ERISA (Employee Retirement Income Security Act), and ERISA applies to most health plans, regardless of size or funding methodology, unless they are specifically exempted.


What happens if I don’t comply?

Health plans are subject to penalties of $100 per employee, per day, without limit. In addition, plans will be exposed to participant lawsuits for damages due to non-compliance.

What do I have to do to comply?

Follow the Department of Labor regulations and guidance provided by your broker/consultant to formulate a fiduciary process. There are four key areas of compliance that must be addressed:

  • Removal of Gag Clauses from service provider contracts.
  • Establish reporting requirements for pharmacy and prescription drug disclosures.
  • Benchmark all direct and indirect compensation from all service providers.
  • Mental Health Parity with other medical benefits.

Do I need help with complying?

Regulations are vague and do not contain all the tools needed for a good faith compliance effort. Most plans should seek an outside third-party expert, or their broker/consultant if they are trained in CAA compliance. HPfid is one such resource to help with compliance education and tools.

By when do I have to comply?

Gag Clause Prohibition attestation is due December 31st, 2023 for plan years 2020, 2021 & 2022, and then by December 31st of each year thereafter. Submission of RX data is due annually by June 1st of the current plan year.

Are there benefits to complying beyond the avoidance of penalties and litigation?

Yes. Establishing a fiduciary process gives employers access to plan data that enables them to use the most cost-efficient networks, plan designs and third-party vendors, thus lowering total costs. HPfid regularly helps clients save hundreds of thousands of dollars on healthcare through benchmarking and data analysis.



What size employers does CAA apply to?

ERISA governed employer health plans with two or more employees.

Does CAA apply to nonprofits?

Yes, if they sponsor an ERISA health plan.


Can you explain how this will lower our healthcare costs? 

When you own your own data, you can better design your plan to focus on individual health care situations that your plan has. 

If you have more than one plan, do you have to complete this process for each of them individually? Example: One TPA, but two different networks.

It’s ONE attestation, but it can cover many plans. They all need to receive the gag clause prohibition compliance letter. 


Where do we report the data required under CAA? 

HHS (Health and Human Services) & DOL (Department of Labor) – Information at HPfid tells you where those sites are. Attestation is done online. You do not report to the IRS, even though they are responsible for some of this information.



Does CAA Compliance apply to medical only? What about Dental & Vision?

It applies to all “Group Health Plans”, including dental and vision plans, but at this time, only group medical plans will be the focus of governmental compliance deadlines & fines. We expect that dental and vision plans will be monitored by 2024. We recommend getting the process started now.

How does this work with HIPAA regulations? Can participants come back and state that you used my data against me? 

One of the exceptions to HIPAA is that you can use data for purposes of administering your health plan. You cannot, however, broadcast this information in a way that breaks HIPAA laws.



Do you expect BUCAH’s to comply with our compliance requests or to resist sharing more data? 

We expect pushback. BUCAH’s have had control over information for many years, and data is a powerful tool in the arsenal against increased health plan costs.

How long will it take to activate a full process and prepare to attest? 

Start now. The expected time is roughly 6-8 weeks, comfortably. Once you’re familiar with the process, yearly renewal will get easier by repetition.






Once we have access to our data, how do we analyze it? 

There are data platforms available. Please discuss with your broker/plan sponsor or turn to HPfid for assistance. 

Who does what? Clarification on governmental authorities and the role they have in CAA compliance.

DOL (Department of Labor) is the biggest authority on CAA Compliance.
HHS (Health and Human Services) receives drug cost reporting and analysis related to MHPAEA.
IRS (Internal Revenue Service) exacts the fines associated with CAA non-compliance.






Are government plans subject to ERISA, and therefore the CAA?

Employee benefit plans established and maintained by governmental employers are exempt from ERISA requirements. This exemption includes plans maintained by the federal, state or local governments.

This topic is complicated by State laws intended to establish fiduciary standards for governmental plans similar to those of private plans, meant to protect the rights of government employees. These laws vary by State and mirror some of the protections afforded under CAA.

Further complicating the issue is that many of these governmental plans have “copied and pasted” their plan documents from a fully insured version of an ERISA plan and include ERISA language. This can cause an otherwise exempt plan to become subject to ERISA.

What are the chances the “payers” are going to provide full data files to fiduciaries even if gag clauses are removed from their contracts?

This is a subjective question. The onus is on the fiduciary to only be party to contracts with no gag clause that restricts their ability to access their cost and quality health plan data. The first step is confirming compliant contracts and agreements. The next step would be actually accessing the plan data. If the TPA or PBM (data source) refuses to provide data, the fiduciary must document this and take affirmative action to work with a new vendor who will provide such data and support CAA transparency.

Note: Most employers are not equipped to accept or analyze data. It’s important for the plan sponsor to assess and engage data platforms to store their data.


Should my broker be helping me with gathering this information?

YES. If your benefit advisor/broker is your source for guidance on employee benefit plan regulation, they should be very proactive in supporting your responsibilities to CAA and protecting the interests of your participants.

Be advised that many benefit advisory firms are not proactive with CAA education, transparency regulations and fiduciary process. This may be a function of conflicts of interest they have with non-transparent revenue streams tied to your plan.

Understand that the CAA is employer law. The liability for compliance rests 100% with the employer, not the benefit advisor.


How do you handle carriers, like Cigna, stating that they are not sharing attestation and also state they don’t have gag rules? 


What the national carriers say is relevant but not conclusive. Trust but verify. The onus is on the employer as a Fiduciary to confirm relevant legal agreements with TPA’s, PBM’s and networks. It is best practice to confirm CAA compliant language in writing and document your process and assessments. You must read your agreements or retain counsel to assist you. Your benefit advisor is a candidate to do this as well. 

As it relates to attestation, most TPA’s, PBM’s and Network (PPO) administrators (BUCA) agree the attestation function rests with all self-funded health plan sponsors. For fully insured plans, many of these entities are offering to attest to gag clause prohibition compliance on behalf of your employer.

Trust but verify. Get a copy. Screenshot and confirm your plan has been attested by you or a third party.


If you have a PBM, and the PBM had a gag clause with the network pharmacy, not with the plan, are you in violation? 


CAA GCPC applies to contracts to which the fiduciary is a party, not to those contracts between BUCA, TPA and PBM’s.

To the extent a vendor is pointing at a third-party agreement as an excuse not to provide data, push harder for your access to data. If they refuse, you need to document this. Then take action to move on from that vendor relationship to a CAA compliant data sharing vendor.


Are enforcement activities/litigation and/or penalties retroactive back to 2021 or forward only?

Enforcement is retroactive to the compliance dates missed. The best practice to mitigate enforcement and litigation risk is a documented fiduciary process, which creates an affirmative defense.


Can the employer sue the TPA for violating the CAA?

CAA is Employer Law. The party of interest in most lawsuits will be the plan sponsor and its fiduciaries. The CAA is not aimed at TPA’s. They will comply with Gag Clause Prohibition and provide access to data on their own accord.


Will implementing a medical price transparency technology partner satisfy the fiduciary responsibility for Plan Sponsors? 

In and of itself this does not pass the standard of being a CAA compliant, documented fiduciary process. Plan sponsor fiduciaries need to perform specific duties and document their process with a repeatable fiduciary process each year. This process will certainly include price transparency.


What can fiduciaries do to provide employees with the necessary information to make smart healthcare decisions and protect themselves from lawsuits?

First, the best protection from lawsuits and/or enforcement penalties is a documented, CAA compliant, fiduciary process that includes a timely attestation. 

Second, a documented compliance fiduciary process creates an affirmative defense to litigation and penalties.


Employers have been working hard to provide healthcare benefits for their employees. Why penalize the employer vs. the carriers who have been making money behind a curtain?

CAA fiduciary process is not a penalty. It is simply the responsibility of health plan sponsors who oversee benefit design, unit cost, vendor selection, legal agreements, and cost sharing on their health plan. Due to conflicts with “big healthcare”, employers need to perform these functions with a prudent and critical eye to hidden costs and conflicts of interest in their health plan structure to protect the wellbeing and financial assets of the plan, employee participants, and enrolled dependents. 

The penalties and lawsuits only apply to employers who fail to activate and document a prudent fiduciary process that protects participants. The employer is not a victim; they have a duty that has been a part of ERISA since 1974. CAA activates this duty because big healthcare, national TPA’s and PBM’s evolved to create cost and revenue streams that do not add value and prevent affordable healthcare.


Are municipalities exempt?

Municipalities are generally governed by State Law, not ERISA (Federal). CAA amends ERISA so State Public Entities are not the primary purview of CAA. That said, most states have a strong fiduciary standard for health plan sponsors. Confirm with your state as it relates to fiduciary duties for cities, counties, school districts and state colleges, etc.

Important: All health plan sponsors will benefit from a prudent fiduciary process to expose, assess, and remove unnecessary costs. 

The best reason to activate a data driven fiduciary process is to pay less for healthcare.


What other CAA providers exist? How is HPfid different and what is the cost for the HPfid service? 

We see 2-3 similar offerings in the marketplace. Two versions are a product of retirement plan fiduciary consulting. Healthcare plans are very different from retirement plans. We believe it’s critical that the health plan fiduciary process be led by healthcare experts who understand the depth of the specific conflicts of interest, funding methods, health plan cost and quality data, etc. HPfid was created by health care strategy, compliance, and health claim data experts who are also fiduciary guides and consultants.

Plan sponsors need to discern the most qualified guides to remove cost and conflicts of interests within their health plans.


How long does it take for me to complete the CAA process with HPfid?


Two answers: First in 2023, then in 2024.

2023: Most employers who follow our Playbooks will create a good faith compliance effort on the four pillars and be in a defensible position to complete the gag clause prohibition attestation within four hours or so between now and the 12/31/23 deadline.

2024: Building on the foundation of CAA 2023, plan sponsors should budget 2-3 hours per quarter for fiduciary meetings and process. Using as their guide with secure documentation of their process. 

Beyond the investment of time and resources to comply, 2024 is the opportunity to expose unnecessary cost layers and pay less for healthcare moving forward. As much as 20-30% less.