Changeflow GovPing Healthcare HHS Adopts Standards for Health Care Claims Att...

Priority review Rule Added Final

HHS Adopts Standards for Health Care Claims Attachments and Electronic Signatures

FR: Health and Human Services Department

Published May 26th, 2026

Detected March 24th, 2026

Summary

The Department of Health and Human Services (HHS) has finalized standards for health care claims attachments transactions and electronic signatures. This rule aims to streamline administrative processes within the healthcare industry by adopting new standards for these transactions.

View original document View source feed page

What changed

The Department of Health and Human Services (HHS) has issued a final rule adopting new standards for health care claims attachments transactions and electronic signatures. This action, published in the Federal Register, aims to enhance administrative simplification within the healthcare sector by standardizing these critical data exchange processes. The rule specifies the technical requirements and formats that covered entities must adhere to for these transactions.

Covered entities, including healthcare providers and potentially health plans and clearinghouses, must comply with these new standards by the effective date of May 26, 2026. Failure to adopt and implement these standards could lead to non-compliance with HIPAA's administrative simplification provisions. Compliance officers should review the specific standards adopted and ensure their systems and processes are updated to meet these requirements before the deadline.

What to do next

Review adopted standards for health care claims attachments and electronic signatures.
Update systems and processes to comply with the new standards.
Ensure compliance by the effective date of May 26, 2026.

Source document (simplified)

Legal Status This site displays a prototype of a “Web 2.0” version of the daily
Federal Register. It is not an official legal edition of the Federal
Register, and does not replace the official print version or the official
electronic version on GPO’s govinfo.gov.

The documents posted on this site are XML renditions of published Federal
Register documents. Each document posted on the site includes a link to the
corresponding official PDF file on govinfo.gov. This prototype edition of the
daily Federal Register on FederalRegister.gov will remain an unofficial
informational resource until the Administrative Committee of the Federal
Register (ACFR) issues a regulation granting it official legal status.
For complete information about, and access to, our official publications
and services, go to About the Federal Register on NARA's archives.gov.

The OFR/GPO partnership is committed to presenting accurate and reliable
regulatory information on FederalRegister.gov with the objective of
establishing the XML-based Federal Register as an ACFR-sanctioned
publication in the future. While every effort has been made to ensure that
the material on FederalRegister.gov is accurately displayed, consistent with
the official SGML-based PDF version on govinfo.gov, those relying on it for
legal research should verify their results against an official edition of
the Federal Register. Until the ACFR grants it official status, the XML
rendition of the daily Federal Register on FederalRegister.gov does not
provide legal notice to the public or judicial notice to the courts.

Legal Status

Rule

Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures

A Rule by the Health and Human Services Department on 03/24/2026

Document Details Published Content - Document Details Agencies Department of Health and Human Services Office of the Secretary Agency/Docket Number CMS-0053-F CFR 45 CFR 160 45 CFR 162 Document Citation 91 FR 14350 Document Number 2026-05676 Document Type Rule Pages 14350-14405
(56 pages) Publication Date 03/24/2026 RIN 0938-AT38 Published Content - Document Details
PDF Official Content
- View printed version (PDF) Official Content
Document Details Published Content - Document Details Agencies Department of Health and Human Services Office of the Secretary Agency/Docket Number CMS-0053-F CFR 45 CFR 160 45 CFR 162 Document Citation 91 FR 14350 Document Number 2026-05676 Document Type Rule Pages 14350-14405
(56 pages) Publication Date 03/24/2026 RIN 0938-AT38 Published Content - Document Details
Document Dates Published Content - Document Dates Effective Date 2026-05-26 Dates Text Effective Date: This final rule is effective on May 26, 2026. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of May 26, 2026. Published Content - Document Dates
Table of Contents Enhanced Content - Table of Contents This table of contents is a navigational tool, processed from the
headings within the legal text of Federal Register documents.
This repetition of headings to form internal navigation links
has no substantive legal effect.
Public Comments Enhanced Content - Public Comments This feature is not available for this document.

Enhanced Content - Public Comments
- Regulations.gov Data Enhanced Content - Regulations.gov Data Additional information is not currently available for this document.

Enhanced Content - Regulations.gov Data

- Sharing Enhanced Content - Sharing Shorter Document URL https://www.federalregister.gov/d/2026-05676 Email Email this document to a friend Enhanced Content - Sharing

Print Enhanced Content - Print
- Print this document Enhanced Content - Print
Other Formats Enhanced Content - Other Formats This document is also available in the following formats:

JSON Normalized attributes and metadata XML Original full text XML MODS Government Publishing Office metadata More information and documentation can be found in our developer tools pages.

Enhanced Content - Other Formats
- Public Inspection Public Inspection This PDF is FR Doc. 2026-05676 as it appeared on Public Inspection on
03/20/2026 at 4:15 pm.

It was viewed
4061
times while on Public Inspection.

If you are using public inspection listings for legal research, you
should verify the contents of the documents against a final, official
edition of the Federal Register. Only official editions of the
Federal Register provide legal notice of publication to the public and judicial notice
to the courts under 44 U.S.C. 1503 & 1507. Learn more here.

Public Inspection
Published Document: 2026-05676 (91 FR 14350) This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Document Headings Document headings vary by document type but may contain
the following:

the agency or agencies that issued and signed a document
the number of the CFR title and the number of each part the document amends, proposes to amend, or is directly related to
the agency docket number / agency internal file number
the RIN which identifies each regulatory action listed in the Unified Agenda of Federal Regulatory and Deregulatory Actions See the Document Drafting Handbook for more details.

Department of Health and Human Services

Office of the Secretary

45 CFR Parts 160 and 162
[CMS-0053-F]
RIN 0938-AT38 ( printed page 14350) # AGENCY:

Office of the Secretary, Department of Health and Human Services (HHS).

ACTION:

Final rule.

SUMMARY:

This final rule implements requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010, enacted on March 30, 2010—collectively, the Affordable Care Act. Specifically, this final rule adopts standards for health care claims attachments transactions, which will support health care claims transactions, and a standard for electronic signatures to be used in conjunction with health care claims attachments transactions.

DATES:

Effective Date: This final rule is effective on May 26, 2026. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of May 26, 2026.

Compliance Date: Compliance with these regulations is required by May 26, 2028.

FOR FURTHER INFORMATION CONTACT:

Geanelle G. Herring, (410) 786-4466.

Shaheen Halim, (410) 786-0641.

Shelley Harrow, (410) 786-6875—Regulatory Impact Analysis.

Christopher Wilson, (410) 786-3178.

SUPPLEMENTARY INFORMATION:

I. Executive Summary

A. Purpose/Need for the Regulatory Action

Despite the health care industry's widespread use of electronic health records (EHR) and broad implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) transaction standards, the exchange of health care claims attachments has remained largely manual, frequently relying on fax, mail, or portal uploads. This final rule adopts standards for the electronic exchange of clinical and administrative documentation to support claims-related processes. Standardizing health care claims attachment transactions is intended to reduce administrative burden and improve data exchange efficiency between health plans and health care providers.

B. Summary of the Provisions

This final rule implements requirements of the Administrative Simplification subtitle of HIPAA and the Affordable Care Act. Specifically, this final rule adopts definitions of “attachment information” and “electronic signature” in 45 CFR 162.103 and “health care claims attachments transaction” in § 162.2001. This rule also adopts standards for health care claims attachments transactions in § 162.2002(a) through (d) and standards for electronic signatures, to be used in conjunction with health care claims attachments transactions, in § 162.2002(e).

In this final rule, we are adopting the following X12N standards and Health Level 7 (HL7®) implementation guides (IG) for use by covered entities in health care claims attachments transactions:

X12N 277—Health Care Claim Request for Additional Information [006020X313].
X12N 275—Additional Information to Support a Health Care Claim or Encounter [006020X314].
HL7 IG for Clinical Document Architecture (CDA) Release 2: Consolidated CDA (C-CDA) Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One—Introductory Material, June 2019 with Errata (HL7 C-CDA IG Volume One).
HL7 IG for CDA Release 2: C-CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two—Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG Volume Two).
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based Documents, Release 2, March 2022 (HL7 Attachments IG). [1 ]
HL7 IG for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (Digital Signatures Guide).

C. Summary of the Differences Between the Notice of Proposed Rulemaking and Final Rule

The proposed rule included proposals to support both health care claims and prior authorization transactions, as well as a standard for electronic signatures to be used in conjunction with these transactions. Commenters expressed broad support for the HHS proposal to adopt health care claims attachment standards. Conversely, commenters overwhelmingly expressed two concerns about the proposals for prior authorization attachments standards: (1) potential misalignment when paired with the currently mandated X12N 278 transaction standard for prior authorization; and (2) potential misalignment between HHS's proposed attachment standard for prior authorization transactions with the requirements in CMS's then-proposed, but now finalized, rule titled: “CMS Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Advancing Interoperability and Improving Prior Authorization Processes for Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, Children's Health Insurance Program (CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, Merit-Based Incentive Payment System (MIPS) Eligible Clinicians, and Eligible Hospitals and Critical Access Hospitals in the Medicare Promoting Interoperability Program final rule” (hereinafter referred to as the CMS Interoperability and Prior Authorization final rule) (89 FR 8758). Upon considering these comments, along with further analysis and consultations with standard setting organizations (SSO), we have elected not to finalize health care attachments standards supporting prior authorization transactions at this time.

In the proposed rule, we proposed the adoption of the 2017 iteration of one of the IGs (the HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based Documents, Release 1, March 2017) (HL7 Attachments IG) (87 FR 78438). Based on the comments received, we examined the history of changes to the HL7 Attachments IG and determined that the cumulative changes in the March 2022 iteration constitute “maintenance updates” because they refine the IG's existing content rather than adding new content. Further consultation with the designated standards maintenance organization (DSMO) indicates that the maintenance updates reflected in the March 2022 ( printed page 14351) iteration of the HL7 Attachments IG better facilitate the implementation of Version 6020 of the X12N 275 and X12N 277 standards for claims attachment, which the Secretary of Health and Human Services (the Secretary) is adopting in this final rule. Therefore, this final rule adopts the March 2022 iteration of the HL7 Attachments IG rather than the proposed March 2017 iteration.

D. Summary of Costs and Savings

Based on the estimates included in the Regulatory Impact Analysis (RIA), the primary net annualized cost, discounted at 7 percent, to the industries is approximately $303.75 million. This estimate includes the difference between the primary net annualized costs of $478.23 million, which includes the regulatory review costs of $14.13 million, and primary net annualized savings of $781.98 million.

II. Background

This background discussion presents a history of statutory provisions and regulations relevant to this final rule.

A. Legislative Authority for Administrative Simplification

1. Standards Adoption and Modification Under the HIPAA Administrative Simplification Provisions

Congress addressed the need for a consistent framework for electronic transactions and other administrative simplification issues in HIPAA (Pub. L. 104-191, enacted on August 21, 1996). Through subtitle F of title II of HIPAA, Congress added to title XI of the Social Security Act (the Act) a new Part C, titled: “Administrative Simplification,” which required the Secretary to adopt standards for certain transactions to enable health information to be exchanged more efficiently and to achieve greater uniformity in the transmission of health information. For purposes of this and later discussion in this final rule, we sometimes refer to this statute as the “original” HIPAA provisions.

Section 1172(a) of the Act provides that any standard adopted by the Secretary under the HIPAA Administrative Simplification provision shall apply, in whole or in part, to the following persons, referred to as “covered entities”: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. In general, section 1172 of the Act provides that any standard adopted under HIPAA is to be developed, adopted, or modified by an SSO. The statute requires consultation with four organizations named at section 1172(c)(3)(B) of the Act. In adopting a standard, section 1172(f) of the Act requires the Secretary to rely upon recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with appropriate federal and state agencies and private organizations.

Section 1172(b) of the Act provides that a standard adopted under HIPAA must be consistent with the objective of reducing the administrative costs of providing and paying for health care. The transaction standards adopted under HIPAA enable financial and administrative electronic data interchange (EDI) using a common structure, as opposed to the many varied, often proprietary, transaction formats on which the industry had previously relied. This lack of uniformity across transaction formats engendered an administrative burden.

Section 1173(g)(1) of the Act, which was added by section 1104(b) of the Affordable Care Act, further addresses the goal of uniformity by requiring the Secretary to adopt a single set of operating rules for each transaction. These operating rules are required to be consensus-based and reflective of the necessary business rules and operations affecting both health plans and health care providers.

Section 1173(a) of the Act provides that the Secretary must adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. The original HIPAA provisions require the Secretary to adopt standards for the following transactions: (1) health claims or equivalent encounter information; (2) health claims attachments; (3) enrollment and disenrollment in a health plan; (4) eligibility for a health plan; (5) health care payment and remittance advice; (6) health plan premium payments; (7) first report of injury; (8) health claim status; and (9) referral certification and authorization (prior authorization). Section 1104(b)(2)(A) of the Affordable Care Act added the requirement for the Secretary to adopt a standard for electronic funds transfers. Additionally, section 1173(a)(1)(B) of the Act requires the Secretary to adopt standards for any other financial and administrative transactions the Secretary determines appropriate.

Sections 1173(c) through (f) of the Act provide that the Secretary must adopt standards that: (1) select or establish code sets for appropriate data elements for each listed health care transaction; (2) address and ensure security for health care information; (3) specify procedures for electronic signatures in coordination with the Secretary of Commerce, compliance with which will be deemed to satisfy both state and federal statutory requirements for written signatures for the listed transactions; and (4) address the transmission of appropriate standard data elements needed for the coordination of benefits, sequential processing of claims, and other data elements for individuals who have more than one health plan. Section 1174 of the Act requires the Secretary to review the adopted standards and adopt modifications to them, including additions to the standards as appropriate, but not more frequently than once every 12 months.

Section 1175 of the Act prohibits health plans from refusing to conduct a transaction as a standard transaction. [2 ] It also prohibits health plans from delaying a transaction or adversely affecting, or attempting to adversely affect, a person or the transaction itself on the grounds that the transaction is in a standard format. Additionally, it establishes a timetable for covered entities to comply with any standard, implementation specification, or modification as follows: (1) for an initial standard or implementation specification, no later than 24 months following its adoption; and (2) for modifications, as the Secretary determines appropriate, but no earlier than 180 days after the modification is adopted.

Sections 1176 and 1177 of the Act establish civil money penalties (CMP) and criminal penalties to which covered entities may be subject, for violations of HIPAA Administrative Simplification provisions. The Department of Health and Human Services (HHS) administers the CMPs under section 1176 of the Act, while the U.S. Department of Justice administers the criminal penalties under section 1177 of the Act. Section 1176(b) of the Act sets out limitations on the Secretary's authority and provides the Secretary certain discretion with respect to imposing CMPs. For example, section 1176(b)(1) provides that no CMPs may be imposed with respect to an act if a penalty has been imposed under section 1177 of the Act with respect to such an act. Section 1176(b)(2)(A) generally precludes the Secretary from imposing a CMP for a violation corrected during the 30-day ( printed page 14352) period beginning when an individual knew or, by exercising reasonable diligence, would have known that the failure to comply occurred. The original HIPAA provisions are discussed in greater detail in the August 17, 2000 Health Insurance Reform: Standards for Electronic Transactions final rule (65 FR 50312) (hereinafter referred to as the Transactions and Code Sets final rule), and the December 28, 2000 Standards for Privacy of Individually Identifiable Health Information final rule (65 FR 82462). We refer readers to those documents for further information.

2. Affordable Care Act Amendments to HIPAA Administrative Simplification

Section 1104(c)(3) of the Affordable Care Act reiterated the original HIPAA requirement to adopt a health claims attachment standard, and directed the Secretary to promulgate a final rule to establish a transaction standard and a single set of associated operating rules. [3 ] Section 1104(c)(3) of the Affordable Care Act requires that the adopted standard be “consistent with the X12 Version 5010 transaction standards,” provides that the Secretary must adopt the standard and operating rules by January 1, 2014, to be effective no later than January 1, 2016, and that the Secretary may adopt the standard and operating rules on an interim final basis. We interpret the 24 month “effective date” under section 1104(c)(3) of the Affordable Care Act to mean that the compliance date for covered entities should be 24 months after the effective date of this final rule. Unlike the original HIPAA provisions, the Affordable Care Act provision makes no allowance for an extended period for small health plans to achieve compliance.

B. Prior Rulemaking

In the Transactions and Code Sets final rule (65 FR 50312), we implemented some of the HIPAA Administrative Simplification requirements by adopting standards for electronic transactions developed by SSOs, and medical code sets to be used in those transactions. We adopted X12 Version 4010 standards for administrative transactions, and the National Council for Prescription Drug Programs (NCPDP) Telecommunication Version 5.1 standard for retail pharmacy transactions, which were specified at 45 CFR part 162, subparts K through R.

Since then, we have adopted several modifications to the HIPAA standards, including in the Health Insurance Reform: Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Electronic Transaction Standards final rule (hereinafter referred to as the Modifications final rule) which appeared in the January 16, 2009 Federal Register (74 FR 3296). That rule, among other things, adopted updated versions of the standards, X12 Version 5010, and the NCPDP Telecommunication Standard Version D.0 and equivalent Batch Standard, Version 1, Release 2. We also adopted the NCPDP Batch Standard Version 3.0 for the Medicaid pharmacy subrogation transaction. Covered entities were required to comply with Version 5010, Version D.0, and Version 3.0 standards on January 1, 2012, though with respect to the latter, small health plans were required to comply on January 1, 2013.

In the HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments proposed rule (hereinafter referred to as the Standards for Electronic Health Care Claims Attachments proposed rule), which appeared in the September 23, 2005 Federal Register (70 FR 55990), we proposed to adopt certain health care claims attachments standards. As opposed to a standard with generalized applicability, that proposed rulemaking proposed to adopt health care claims attachment standards with respect to specific services, including ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services. However, public comments we received on those proposals persuasively argued that the standards lacked technical maturity and that interested parties were not ready to implement the electronic exchange of clinical data, so we did not finalize adopting them.

HHS issued a proposed rule titled: Administrative Simplification: Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard that appeared in the December 21, 2022 Federal Register (87 FR 78438) (hereinafter referred to as the HIPAA Standards for Health Care Attachments proposed rule). In that proposed rule, we proposed new requirements for HIPAA covered entities that we believed would improve the electronic exchange of health information and a new electronic signature standard. We provided a 90-day public comment period.

We later issued a correcting document titled: Administrative Simplification: Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard; Correction, which appeared in the March 17, 2023 Federal Register (88 FR 16392) (hereinafter referred to as the HIPAA Standards for Health Care Attachments proposed rule correction notice). That notice corrected typographical and technical errors in the HIPAA Standards for Health Care Attachments proposed rule by conforming the proposed regulations text to the proposed policies discussed in the preamble.

Subsequently, we extended the public comment period for the proposed rule by another 30 days via a notice that appeared in the March 24, 2023 Federal Register titled: “Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard: Extension of Comment Period” (88 FR 17780). We believed it was important for the public to have the opportunity to review and comment on the corrected proposed rule because most of the corrections to the proposed rule were in the regulation text.

In the HIPAA Standards for Health Care Attachments proposed rule (87 FR 78445), we proposed to adopt attachments standards that would apply to health care claims or equivalent encounter transactions and to referral certification and authorization (prior authorization) transactions. [4 ] In this final rule, HHS adopts standards only for health care claims attachments transactions or equivalent encounter transactions, which will support health care claims transactions. HHS further adopts a standard for electronic signatures to be used in conjunction with health care claims attachments transactions. We thus refer to the attachment standards being adopted in this final rule as “health care claims attachment standards.” In section III.A. ( printed page 14353) of this final rule, we explain why we elected not to move forward with the proposals to adopt an attachments standard for prior authorization transactions.

C. Standards and Code Sets Organizations

The HIPAA Standards for Health Care Attachments proposed rule presented information about the organizations responsible for developing and maintaining the transaction standards and code sets that we are adopting in this final rule. Information about each organization's balloting process—the process by which they vet and approve the products they develop and changes thereto—is available on their respective websites. We provide links to these websites in this section.

As we stated previously, the law requires any standard adopted under HIPAA to be developed, adopted, or modified by an SSO. Section 1171 of the Act provides that an SSO is an organization accredited by the American National Standards Institute (ANSI) that develops standards for information transactions, data elements, or any standard that is necessary to, or will facilitate the implementation of, administrative simplification. Pursuant to section 1172(c)(3) of the Act, a HIPAA SSO must develop, adopt, and modify standards in consultation with certain organizations: the National Uniform Billing Committee (NUBC), National Uniform Claim Committee (NUCC), Workgroup for Electronic Data Interchange (WEDI), and American Dental Association (ADA). The two SSOs associated with this final rule are the Accredited Standards Committees (ASC) X12 and HL7, both of which maintain websites where the required IGs may be obtained. One other organization, the Regenstrief Institute (Regenstrief), a health research institution and not an SSO, maintains a code set named Logical Observation Identifiers Names and Codes (LOINC), which is important to this rulemaking.

1. X12 [5 ]

The first SSO associated with this final rule is X12, which develops and maintains standards for the electronic exchange of business-to-business transactions. An ANSI-accredited organization, X12 membership is open to all individuals and organizations. An X12 subcommittee known as Subcommittee N: Insurance (X12N) develops and maintains electronic standards specific to the insurance industry, including, but not limited to, health insurance. Comprised of volunteers, X12N develops standards for electronic health care transactions for common administrative activities including: (1) claims; (2) remittance advice; (3) claims status; (4) enrollment; (5) eligibility; (6) authorizations and referrals; and (7) electronic health care claims attachments. X12N is responsible for obtaining consensus on the standards from the entire organization and producing draft documents that it makes available for public review and comment, which it addresses as necessary before voting on any proposal. Proposals must then be reviewed and ratified by a majority of the X12N voting members and X12's executive committee.

2. HL7 [6 ]

The second SSO associated with this final rule is HL7, an ANSI-accredited SSO that develops and maintains standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services. Its domain is principally clinical data, and its specific emphasis is the interoperability between health care information systems. HL7's membership is open to all individuals and organizations, and it focuses its interface requirements on the entire health care industry, not just a subset of it.

HL7 conducts a multi-step process called balloting to solicit feedback and comments on standards and specifications prior to publication. [7 ] A technical committee, such as a workgroup, develops the standard or specifications, which is then submitted for consideration under the balloting process. All HL7 members are eligible to vote and submit feedback on standards, regardless of whether they are members of the committee that developed the standard. Non-members may also vote on a given ballot for a standard, though to do so they must pay an administrative fee. After reviewing feedback received during voting, HL7 technical committees vote on “recommendations,” which require a two-thirds majority for approval. HL7 standards are available to the public on its website, and the website also describes in more detail HL7's balloting process. [8 ] HL7 standards are free and open source, and documentation is available to anyone to ensure that all implementers can equally access information.

3. The Regenstrief Institute (Regenstrief) [9 ]

Regenstrief is a health research institution that develops and maintains a code set, LOINC, which is the code system, terminology, and vocabulary for identifying individual clinical results and other clinical information. Regenstrief supports the development of a code system for attachments use cases and works closely with the HL7 Payer/Provider Information Exchange (PIE) Work Group (formerly known as the Attachments Work Group) to develop a set of LOINC codes to uniquely indicate the type and content of attachment information in electronic transmissions. Regenstrief maintains LOINC through its LOINC Committee, which is composed of volunteer representatives from academia, industry, and government who serve as subject matter experts in their domains of expertise. That committee establishes overall naming conventions and policies for the development process.

D. Industry Standards, Code Sets, and IGs

1. Electronic Data Interchange (EDI) and Transaction Standards

In the HIPAA Standards for Health Care Attachments proposed rule, we discussed how HIPAA transactions involve the electronic transmission of information between two parties to carry out health care-related financial or administrative activities (87 FR 78441). These activities include health insurance claims submissions and prior authorization requests, and HIPAA standards for those transactions require uniformity for EDI of those transmissions.

The benefit of HIPAA standards is that they use a common interchange structure, eliminating covered entities' need to have information technology (IT) systems that accommodate multiple proprietary, and potentially continually changing, data formats. The interchange structure uniformity enables covered entities to exchange medical, billing, and other information to process transactions more expeditiously and cost-effectively, reduces handling and processing time, and eliminates the risk of lost paper documents, thereby reducing administrative burdens, ( printed page 14354) lowering operating costs, and improving overall data quality.

HIPAA transaction standards specify: (1) data interchange structures (message transmission formats); and (2) data content (all of the data elements and code sets inherent to a transaction and not related to the format of the transaction). Implementation specifications detail the nature, location, and content format of each piece of information transmitted in a transaction. Standardization of transactions also involves: (1) specification of the data elements that are exchanged; (2) uniform definitions of those specific data elements in each type of electronic transaction; (3) identification of the specific codes or values that are valid for each data element; and (4) specification of the business actions each party must take to ensure the exchange of administrative transactions occurs smoothly and reliably, regardless of the technology employed.

a. IGs—X12

As discussed in section II.C.1. of this final rule, X12 develops and maintains standards for the electronic exchange of business-to-business transactions. X12N publishes transmission standards that apply to many lines of insurance business. For example, the X12N 820 message format for premium payment may be used for automobile and casualty insurance. X12 implementation specifications, referred to by the industry as IGs and written collaboratively by X12N workgroups, make these general standards functional for industry-specific uses. The specifications are based on X12 standards, but contain detailed instructions for using the standard to meet a specific business need. X12's implementation specifications for HIPAA transaction standards adopted by the Secretary are known as “Technical Reports Type 3” (TR3). Each X12N IG has a unique version identification number represented in a parenthetical, where the highest version number represents the most recent version. HHS adopted the then-updated Version 5010 of the X12 standards in the Modifications final rule (74 FR 3296), while this final rule adopts Version 6020 of the X12N 275 and X12N 277 standards, the rationale for which we discuss in section III. of this final rule.

b. IGs—HL7

HL7's PIE Workgroup develops standards for electronic health care attachments. The workgroup, which includes industry experts representing health care providers, health plans, and health technology vendors, is also responsible for creating and maintaining the IGs. The IGs are sets of instructions and associated code tables that describe, list, or itemize the content, format, and code to be sent, and specify how such information is to be conveyed in an electronic health care attachment.

The HL7 CDA is an XML-based (a computer programming language) markup standard that specifies the encoding, structure, and semantics of clinical documents for purposes of transmitting attachment information. XML-coded files have the same characteristics and information as hard copy documents, so regardless of how data are sent within a transaction, they can be read and processed by both people and machines. An important feature of the CDA standard is that it allows the entire body of an electronic document to be replaced by an image, for example, a scanned copy of a page or pages from a medical record. That permits the clinical content to be conveyed by an image or text document, but a header still supports automated document management. The CDA header contains standardized, machine-readable data elements, such as document type, patient and provider identifiers, and service dates that enable health information technology (health IT) systems to automatically route, index, associate, and manage attachment documents even when the document body consists of images or other non-structured content. This feature of the CDA standard is relevant because it accommodates health care attachments that may not be conducive to XML formatting, such as medical imaging, video, or audio files.

HL7 also produces the C-CDA standard that provides specifications for formatting document templates, depending on whether they are structured or unstructured, enabling the CDA to create numerous specific document types, known as templates. The HL7 C-CDA IG document templates are designed to be electronic versions of the most common types of paper document attachment information. Attachment information not included in a template may be created by using instructions included in the finalized unstructured document IG; supported unstructured formats include MSWORD, PDF, Plain Text, RTF Text, HTML Text, GIF Image, TIF Image, JPEG Image, and PNG Image.

2. Code Sets

Transaction data content standardization involves identifying the specific codes or values for each data element. Health care EDI requires many types of code sets, including large medical data code sets and classification systems for medical diagnoses, procedures, and drugs, and smaller code sets to identify categories, such as facility type, currency, units, or a state within the United States. Large data code sets include those developed and maintained by federal agencies, such as the Centers for Medicare & Medicaid Services' (CMS) Healthcare Common Procedure Coding System (HCPCS), and by private organizations, such as the American Medical Association's (AMA) Current Procedural Terminology (CPT®) and the ADA's Code on Dental Procedures and Nomenclature (CDT Code). [10 11 ] These code sets have been adopted through rulemaking under HIPAA in the Transactions and Code Sets final rule (65 FR 50312) and are mandated for use in federal and state health care programs, such as Medicare, Medicaid, and the Children's Health Insurance Program (CHIP). SSOs require or permit their use in their standards.

3. IGs as HIPAA Standards

Section 1172(d) of the Act directs the Secretary to establish specifications for implementing each of the adopted standards. As we explained previously, SSOs have developed IGs by which to implement the same standards for different business purposes. In the HIPAA Standards for Health Care Attachments proposed rule, we proposed an approach we have taken with previous HIPAA Rules that adopted a specific IG as both the “standard” and the “implementation specifications” for each health care transaction (87 FR 78442).

In pursuing this approach, we were mindful that section 1104(c)(3) of the Affordable Care Act requires that the Secretary promulgate a final rule to establish a transaction standard and a single set of operating rules for health care attachments that is “consistent with the X12 Version 5010 transaction standards.” We interpreted this requirement to mean that the proposed health care attachment implementation specifications must be compatible with X12 standards generally, meaning any standard we adopt for attachment information can be electronically transmitted by an X12 transmission standard in the same transaction (87 FR 78442). The Affordable Care Act was enacted in 2010, at which time we had adopted Version 5010 of the X12 standards. A decade later, we ( printed page 14355) interpreted the Affordable Care Act's mandate as referencing the then-current standards—the X12 Version 5010—but not specifically requiring adherence in perpetuity to a static standard, which would contravene the HIPAA standards paradigm that is premised on standards evolution over time and be contrary to logic as X12 continues to publish newer versions of its standards. Therefore, in the HIPAA Standards for Health Care Attachments proposed rule, we proposed to adopt Version 6020 of certain X12 standards (87 FR 78447).

Additionally, we proposed to adopt transaction standards that can be used together in a single electronic transmission (87 FR 78447 through 78449). HL7 standards can work in conjunction with other standards like X12. The HIPAA covered entities who would use the health care claims attachment standard are currently using X12 transaction standards, so adoption of a health care claims attachment standard using X12 standards, which are being finalized in this final rule, should have minimal impact on covered entities.

Separately, we are also aware that SSOs are developing and piloting other types of standards. In the HIPAA Standards for Health Care Attachments proposed rule, we solicited public comment on this and any alternative implementation specifications that may be considered compatible with X12 Version 5010 (87 FR 78442). Commenters were supportive of our proposals pertaining to claims attachments, however, commenters expressed concerns about the proposals to include prior authorization within the attachment transaction. Commenters identified additional standards for consideration, specifically the HL7 Fast Healthcare Interoperability Resources (FHIR®) standard. [12 ] We summarize the alternatives that commenters recommended we consider, and provide our full response to these comments, in section III.D.2. of this final rule.

E. The NCVHS Recommendations to the Secretary

In the proposed rule, we stated that the NCVHS is a statutorily designated advisory committee that provides the Secretary with recommendations on health information policy and standards (87 FR 78447). [13 ] Among the ways it does so is by convening regular forums with industry groups on key issues related to population health, standards, privacy and confidentiality, and data access and use. Pursuant to HIPAA, the NCVHS advises the Secretary on the adoption of standards, implementation specifications, code sets, identifiers, and operating rules for HIPAA transactions. For readers' reference, we include here the process discussion also found in the HIPAA Standards for Health Care Attachments proposed rule.

The NCVHS held a number of hearings and made several sets of recommendations to the Secretary on claims attachment standards, which are reflected in the administrative record and described in prior Federal Register notices. For example, the HIPAA Standards for Health Care Attachments proposed rule discusses the NCVHS subcommittee hearings, correspondence to the Secretary, and its March 30, 2022 recommendation urging prompt adoption of a claims attachments standard (87 FR 78443 and 78444).

The NCVHS Standards Subcommittee held a November 17, 2011 hearing on health claims attachments to gather information regarding new business needs, priorities, issues, and challenges. Participant testimony addressed the development status of standards and implementation specifications. Some organizations testified regarding their interest in serving as attachments operating rules authoring entities. In a letter to HHS dated March 2, 2012, the NCVHS Subcommittee on Standards advised HHS that it was premature to make formal recommendations regarding the adoption of any standard, implementation specification, or operating rule associated with health care attachments. [14 ] On May 5, 2012, the NCVHS recommended that the Council for Affordable Quality Healthcare (CAQH), a nonprofit entity whose stated mission is to improve the efficiency, accuracy, and effectiveness of industry-driven business transactions, be designated as the operating rules authoring entity. [15 ]

The NCVHS Subcommittee held a second hearing on health claims attachments on February 27, 2013, where it identified a trend toward convergence of administrative and clinical information. In a June 21, 2013 letter, the NCVHS recommended that the Secretary adopt a number of initial attachments-related transaction standards by January 1, 2016 (the date by which the Affordable Care Act required claims attachment standards to be effective), but advised HHS to take a comprehensive and incremental approach to considering attachment standards to promote innovation and flexibility. [16 ] The NCVHS noted there was industry consensus that adoption of standards should not be limited to “claim attachments,” but, rather, should be more inclusive of any kind of attachment with administrative or clinical information. It recommended that attachments-related transaction standards should be applied to claims, eligibility, prior authorization, referrals, care management, post-payment audits, and any other administrative processes for which supplemental information is needed. Among other recommendations, the NCVHS advised HHS that attachment standards should support structured and unstructured data, and both solicited and unsolicited transmissions. It further advised that attachments standards should be defined for two types of transactions: (1) Query (the electronic solicitation of an attachment); and (2) Response (the electronic transmission of an attachment). The NCVHS held another hearing on health care attachments on February 15, 2016, and on July 5, 2016 sent the Secretary a letter titled: “Recommendations for the Electronic Health Care Attachment Standard.” [17 ] This letter consolidated its previous recommendations on attachments and advised that updated versions of the available standards were ready for industry use, and there was unanimous testimony that the health care industry was eager to see them adopted. The NCVHS recommended that HHS complete additional rulemaking to adopt the recommended standards ( printed page 14356) considering the length of time that had elapsed since the 2005 publication of the previous, and, ultimately, premature Standards for Electronic Health Care Claims Attachments proposed rule (70 FR 55990), and subsequent technology advancement and stakeholder readiness.

On March 30, 2022, the NCVHS sent the Secretary a letter titled: “Recommendations to Modernize Aspects of HIPAA and Other HIT [(Health Information Technology)] Standards to Improve Patient Care and Achieve Burden Reduction.” [18 ] This letter continued to stress previous recommendations urging the Secretary to adopt a standard for electronic attachments as soon as possible, and also stated—

We recognize that there is ongoing debate and no definitive industry consensus about the role of attachments (i.e., documents) as opposed to data (i.e., a string of data elements not structured within a document). While the vision with APIs [(Application Programming Interfaces)] based on FHIR seem to be driving toward more of a data-driven transaction, we see more than sufficient industry demand for a document-based attachment standard, and we do not foresee any imminent demise of the utility of digital documents. We suggest short-term publication of an attachment rule, with consideration for emerging standards based on recent input from industry and other advisory group discussions. This could add immediate value for industry and could support future actions as HIPAA's procedural requirements may be updated to allow for non-document type digital attachment data. [19 ]

Based on the NCVHS's previous recommendations to the Secretary, and particularly in consideration of its most recent March 30, 2022 recommendation, we are finalizing adoption of a document-based attachments standard for healthcare claims or equivalent encounter transactions in this final rule.

F. Other Industry Recommendations

1. Consensus-Based Organization Support

Industry consensus-based organizations, which vet proposals before they are presented to the NCVHS, agree that the standards we proposed are sufficiently mature to support health care business needs. Both WEDI and the CAQH Committee on Operating Rules for Information Exchange (CORE) have described the benefits that adopting health care attachments standards would bring in automating and streamlining workflows that, today, are primarily manual processes and sources of significant administrative burden. We discussed their perspectives in the HIPAA Standards for Health Care Attachments proposed rule (87 FR 78443).

In May 2019, CAQH CORE issued a document titled: “Report on Attachments: A Bridge to a Fully Automated Future to Share Medical Documentation,” where it reported evidence from its 2018 environmental scan indicating a high degree of industry readiness and interest in the attachments standard. [20 ] The report noted that “the health care industry continues to wait for an electronic attachments standard that can simplify the exchange of necessary medical information and supplemental documentation.” Specifically, the report stated that “health plans, providers and vendors lack the direction needed to support broad use of automation in the attachment workflow, or for industry to coalesce around the use of even a small number of electronic solutions,” leading to largely manual, and often paper-based, processes, and ultimately underscoring the need to standardize electronic attachment exchange methods.

2. Other Recent Public Comment Support

CMS published the Reducing Administrative Burden to Put Patients Over Paperwork request for information (RFI), which appeared in the Federal Register on June 11, 2019 (84 FR 27070). That RFI solicited public comment on ideas for regulatory, subregulatory, policy, practice, and procedural changes to reduce unnecessary administrative burdens for clinicians, providers, patients, and their families, with an aim to improve quality of care, lower costs, improve program integrity, and make the health care system more effective, simple, and accessible. To be clear, the RFI did not relate to, and was not for the purpose of, soliciting comments on HHS's efforts pertaining to HIPAA Administrative Simplification. Nevertheless, many commenters, including organizations representing physician provider groups, insurance payers, health technology vendors, health care financial managers, and health IT standard advisory bodies, called for the publication of a HIPAA electronic attachments proposed rule to be accelerated, as well as guidance on other standards, such as electronic signature protocols to achieve these goals. These commenters indicated that adoption of a HIPAA attachments standard could help reduce administrative burden in many clinical and administrative situations where documents need to be shared, and relieve providers of current burdensome, largely paper-based, processes.

In preparation for its August 25, 2020 Standards Committee Meeting, the NCVHS invited the public to provide feedback on the CAQH CORE operating rules for prior authorization transactions. In response, commenters expressed their support for the adoption of an attachment standard. Commenters also provided input on current standards development efforts underway to address prior authorization challenges, including recommendations for the Secretary to explore or allow the use of other standards or alternative approaches. [21 ] In that regard, we acknowledge there is a growing base of evidence that may support our adopting attachment standards that rely on emerging technologies, such as APIs. We refer readers to section III.D.2. of this final rule for a summary of public comments received on the proposed rule regarding emerging technologies, such as APIs, and our response to them.

III. Provisions of the Proposed Rule, Analysis of and Responses to the Public Comments Received, and Final Provisions

In response to the HIPAA Standards for Health Care Attachments proposed rule, which appeared in the December 21, 2022 Federal Register (87 FR 78438), we received more than 120 timely pieces of correspondence commenting on health care claims and prior authorization attachments.

In general, commenters were supportive of HHS's efforts to adopt health care claims attachments standards that could potentially mitigate ( printed page 14357) longstanding issues pertaining to the manual transmission of health care claims attachments. Importantly, however, commenters recommended that HHS, at this time, adopt only standards for health care claims attachments transactions and not for prior authorization attachments transactions, as we had also proposed. We explain in this final rule that we are confining the scope of this rule's finalized policies to claims attachments transactions, and we explain our rationale for not finalizing our proposals to adopt the X12N 278 standard for prior authorization attachments transactions.

A. Decision Regarding the Adoption of X12N 278—Health Care Services Request for Review and Response (006020X315)

In the HIPAA Standards for Health Care Attachments proposed rule, we proposed to adopt Version 6020 of the X12N 278—Health Care Services Request for Review and Response (006020X315) as the standard a health plan must use to electronically request attachment information from a health care provider to support a prior authorization transaction (87 FR 78447). That standard, we noted, is unique in that it is also used for a health care provider's request for prior authorization, as reflected in § 162.1302(b)(2)(ii) (87 FR 78447). We also proposed to incorporate the same by reference in § 162.920. Version 6020 of the X12N 278 standard would have been a modification to the existing HIPAA transaction standard, as we previously adopted Version 5010 of the X12N 278 standard in the January 16, 2009 Modifications final rule (74 FR 3296).

The X12N 278 standard supports prior authorization transactions for health care that has yet to be rendered by the requesting provider, as well as responses from health plans for authorizations or for referrals to another provider, such as when a provider refers a patient to a specialist or for inpatient care. [22 ] Using the X12N 278 standard for prior authorization transactions, the health plan transmits a response to the health care provider. This response contains coded information that can then be utilized in a health care claim to indicate that the billed items or services were approved by the health plan before being rendered, or that a referral to another provider has been approved.

After reviewing public comments, we are not adopting an attachments standard for prior authorization at this time. Commenters cited limited industry experience implementing the X12N 278 standard for prior authorization attachments, variability in current prior authorization workflows, and potential conflict with other federal interoperability initiatives requiring FHIR-based prior authorization API capabilities. Instead, we are adopting standards only for health care claims attachments. This approach reflects current industry readiness and supports administrative simplification while allowing continued evaluation of evolving standards for prior authorization.

Comment: Although several commenters expressed support for HHS's efforts to reduce the burden of prior authorizations by adopting electronic standards to create a streamlined prior authorization process that meets the needs of health plans and providers, more commenters opposed HHS's finalizing the proposed adoption of X12N 278 standard with respect to prior authorization attachments transactions. Commenters asserted that: (1) there is a lack of agreement on data element standardization within the industry; (2) entities have a wide range of prior authorization workflows and common definitions; (3) previous attempts to leverage the X12N 278 standard to support prior authorizations have failed; (4) the X12N 278 standard for prior authorization transactions was never fully implemented in the industry; (5) the X12N 278 standard for prior authorization transactions will not support the requests or responses of a FHIR-based questionnaire; and (6) HHS's goal of efficient, cost-effective, simplified interoperability may be impeded by health IT vendors constantly having to deal with exceptions due to conflicting requirements across various rulemaking efforts.

Commenters also expressed concern that HHS's proposed X12N 278 standard for prior authorization attachments transactions that appeared in the HIPAA Standards for Health Care Attachments proposed rule may conflict with provisions of a CMS proposed (and now finalized) rule that appeared nearly simultaneously in the Federal Register, on December 13, 2022 titled: “Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Advancing Interoperability and Improving Prior Authorization Processes for Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, Children's Health Insurance Program (CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, Merit-Based Incentive Payment System (MIPS) Eligible Clinicians, and Eligible Hospitals and Critical Access Hospitals in the Medicare Promoting Interoperability Program” (hereinafter referred to as the CMS Interoperability and Prior Authorization proposed rule) (87 FR 76238).

Commenters also requested clarification or provided HHS with certain recommendations for consideration in the event HHS finalized the adoption of the X12N 278 standard for prior authorization attachments transactions. A commenter recommended that if HHS were to adopt the X12N 278 standard, HHS should continue the use of Version 5010 and not adopt Version 6020 of the X12N 278 standard, asserting that it offers no additional functionality, is untested, and may contain errors.

Response: We appreciate the comments submitted in response to our proposal to adopt a standard for health care attachments transactions that would include the prior authorization transaction standard. Upon further consideration, and as we explain herein, we have elected not to finalize the prior authorization transaction standard proposal. Rather, we are adopting only the standards for health care claims attachments transactions. Our decision reflects substantive consideration of several interrelated concerns raised by commenters, many of which point to foundational issues that could have impeded effective implementation.

First, numerous commenters cited the lack of industry consensus regarding data element standardization. Prior authorization processes vary widely across health plans, and there is currently no agreed-upon, consistent set of data elements that supports a level of automation and interoperability consistent with HIPAA Administrative Simplification goals. While a standard like the X12N 278 is intended to create a unified structure, in practice the diversity of clinical and operational use cases would have made its application difficult to scale.

Second, commenters emphasized that prior authorization workflows differ significantly across organizations and are often not standardized even within the same type of entity. These workflows include clinical decision-making, review protocols, timing of documentation, and routing processes, all of which influence where and how attachment information is requested and supplied. While a technical standard could, in theory, be inserted into any ( printed page 14358) point in the workflow, the absence of shared operational expectations and integration strategies greatly increases the risk of fragmentation, workarounds, and vendor-specific implementations, which would undermine the goal of interoperability and could increase, rather than reduce, provider burden.

Third, many commenters pointed out that previous attempts to use the X12N 278 standard to support prior authorization have not been successful. There is limited industry adoption and very few operational use cases that demonstrate consistent, real-world functionality of the standard in the context of attachments. The lack of implementation and testing means that critical issues related to content sufficiency, response timing, and payload alignment remain unresolved. Interested parties also raised specific concerns that Version 6020 offers no additional functional value over Version 5010, and, in fact, could introduce unvetted changes that have not been adequately tested or validated.

In addition, we acknowledge commenters' concern that adopting a prior authorization attachment standard under HIPAA could conflict with requirements of the aforementioned, and now finalized, CMS Interoperability and Prior Authorization final rule that appeared in the January 17, 2024 Federal Register in which CMS mandated the use of a FHIR Prior Authorization Support API by CMS-regulated health plans and payers (89 FR 8758).

We also acknowledge certain commenters' suggestions that the current low adoption rate for Version 5010 of the X12N 278 standard may itself be attributable to the absence of a mandated prior authorization attachments standard. Though that is a plausible contributing factor, it would not mitigate the practical concerns about industry readiness, data variability, and implementation barriers that commenters identified. Simply requiring the use of a standard in this context—without sufficient groundwork to ensure feasibility and alignment—would risk ineffective uptake and could impose new burdens rather than resolve existing ones.

In light of these reasonable concerns, we concluded it would be imprudent to now proceed to finalize adoption of a prior authorization attachments standard, so the finalized policies in this final rule are limited to attachments for the health care claims or equivalent encounter transactions and associated electronic signature standards. This permits us to focus our regulatory resources, and the industry to focus its resources, on a narrower set of transactions for which there is stronger implementation maturity, standards infrastructure, and stakeholder alignment.

We remain committed to improving the prior authorization process and recognize the importance of establishing electronic standards that reduce burden and promote interoperability. We will continue to monitor testing of alternative transaction standards, including FHIR-based solutions, and will continue to engage with industry-led SSOs to evaluate readiness for potential adoption of a prior authorization attachments standard.

B. Overview of Final Requirements

Nearly every health plan has various requirements for health care providers to submit additional information beyond that contained in a HIPAA transaction. A health care provider may transmit this additional information in a “solicited” or an “unsolicited” fashion. In solicited transmissions, a health care provider transmits additional information pursuant to a health plan's specific electronic request (87 FR 78444). Conversely, in unsolicited transmissions there are no specific electronic requests. Rather, they typically occur pursuant to pre-established health plan requirements for health care providers to transmit additional information—to support, for example, certain diagnoses, items, services, or medications—that are set forth in trading partner agreements or other guidance (87 FR 78444).

Although health care providers may transmit this additional information electronically via an attachment to a health care claims transaction, today and historically health care providers have frequently transmitted the information via burdensome manual processes that often involve paper mail, fax, and phone because there have been no previously adopted HIPAA standards for health care claims attachments.

We are adopting standards for health care claims attachment transactions in this final rule. In doing so, we first define the term “attachment information.”

C. Definitions of Attachment Information and Health Care Claims Attachments Transaction

In adopting an attachment transaction standard, we determined we needed to define “attachment information” and “health care claims attachments transaction.” We proposed to separately define the two terms to prevent the definition of health care claims attachments transaction from becoming too unwieldy and further clarify this in our responses to comments later in this section.

1. Definition of Attachment Information

We proposed to define attachment information in § 162.103 as documentation that enables the health plan to make a decision about health care that is not included in either of the following:

A health care claims or equivalent encounter information transaction, as described in § 162.1101.
A referral certification and authorization transaction, as described in § 162.1301(a) and the portion of § 162.1301(c) that pertains to authorization. We used the term “attachment information” in our proposed definition of the health care claims attachments transaction in § 162.2001 to specify the information transmitted by a health care provider or requested by a health plan. The proposed rule discussed how the NCVHS recommended defining attachments as “any supplemental documentation needed about a patient(s) to support a specific health care-related event (such as a claim, prior authorization, or referral) using a standardized format” (87 FR 78444 and 78445, emphasis in original). [23 ] We incorporated key aspects of their recommendation into our proposed definition of “attachment information,” while attempting to ensure that the definition was broad and general enough to include all possible patient-related information that could be generated with respect to health care services. The full discussion of the proposed definition of “attachment information,” to which we refer readers, further details the NCVHS's recommendations for the definition to include reference to “documentation,” “supplemental,” and “needed” (87 FR 78445).

We solicited public comments on the proposed definition of “attachment information” and received feedback from interested parties, which we considered in developing this final rule.

Comment: Multiple commenters expressed support for the proposed definition of attachment information. Some commenters indicated that the definition proposed for attachment information sufficiently captures what is necessary for solicited and ( printed page 14359) unsolicited exchange of supplementary medical information.

Response: We appreciate commenters' support of our proposed definition of “attachment information.”

Comment: A commenter agreed that the proposed definition of “attachment information” needs to be broad and general enough to include all possible patient-related information that could be generated with respect to health care services. The commenter acknowledged that HHS explicitly defined the documentation as supplemental, meaning it is documentation “that is not included” in a health care claims or prior authorization transaction, which the commenter believed means that the health care attachment standards are dependent upon and linked to the accuracy and completeness of these other HIPAA transaction standards. The commenter also noted that effective adoption of the health care attachments standards is impossible without effective adoption of the other standards, and requested that HHS actively support and verify the effective use of those HIPAA transaction standards, and these health care attachment standards once finalized, as HHS did during the health care industry's transition from International Classification of Diseases (ICD), Ninth Revision (ICD-9) to ICD, Tenth Revision (ICD-10).

Response: We appreciate the commenter's observations supporting a broad and general definition of “attachment information,” and agree that the definition must be sufficiently inclusive to encompass the full range of patient-related documentation a health plan may require in support of a health care claim or equivalent encounter transaction.

We likewise agree with commenters that the finalized definition should appropriately exclude documentation already required or contained within other adopted HIPAA transaction standards and clarify that this exclusion is deliberate and consistent with the principles of administrative simplification and the goal of reducing duplicative documentation burdens.

As noted in the HIPAA Standards for Health Care Attachments proposed rule, we initially proposed a definition of “attachment information” that would have applied with respect to both claims and prior authorization transactions. For the reasons articulated in section III.A. of this final rule, we are not finalizing adoption of a prior authorization attachment transaction standard, so the finalized definition of “attachment information” applies only in the context of health care claims or equivalent encounter information transactions. This narrowed scope is reflected in the revised definition we are finalizing in § 162.103, which specifies that “attachment information” is documentation that enables a health plan to make a decision about health care that is not included in a health care claims or equivalent encounter information transaction, as described in § 162.1101.

Comment: Several commenters suggested changes to the proposed definition of “attachment information” or associated requirements on health plans. A commenter recommended that the definition be revised to state that attachment information should “enable providers to make decisions about what healthcare content the payer requires in the healthcare attachment.” Another commenter suggested that HHS dictate that payers, after receipt of an initial attachment, not be able to serially add documentation requirements.

A different commenter was concerned that too broad a definition could allow payers to require supplemental documentation for routine care such as vaccines, well child visits, or routine prescriptions, which could potentially increase financial burden on small and independent pediatricians who provide safety net care to rural or low-income or both populations. That commenter recommended that HHS consider adopting the NCVHS's definition of “attachment information” as it only included supplemental information without which a claim could not be properly adjudicated.

Response: We appreciate the commenters' concerns but do not believe it is appropriate or necessary to modify the definition of “attachment information” to account for such concerns as our proposal was intended to identify the type of documentation exchanged. Ultimately, payers' business and payment-decision rules fall outside the scope of HIPAA. In other words, though we appreciate that health care providers may experience added burden should health plans request additional documentation following an initial submission, HIPAA transaction standards govern the format and content of the electronic exchange, not payers' business practices or the quantum of documentation they may require. Therefore, we are finalizing a slightly modified definition of “attachment information,” revised only to account for the fact that we are not adopting prior authorization attachments standards.

We also continue to believe that it is crucial that the definition of “attachment information” in HHS's administrative simplification implementing regulations be broad and general enough to apply to all situations where a health plan requires attachment information to support a health care claims or equivalent encounter information transaction. In this final rule, we are adopting a definition of “attachment information” that incorporates key aspects of the NCVHS's definition. Though our definition of “attachment information” does not include the NCVHS-recommended term “supplemental,” it incorporates that concept as it specifies documentation “that is not included” in a health care claims or equivalent encounter information transaction, as described in § 162.1101, to express that the documentation would be supplemental.

In our finalized definition, we chose not to limit the definition strictly to documentation without which a claim “could not be adjudicated,” as suggested by the commenter, because such a narrow framing may not accommodate the diversity of documentation that different health plans may reasonably require based on their benefit structures, medical necessity criteria, or regulatory obligations. For example, certain documentation may not by itself determine a claim's payability but may still be necessary under specific plan policies or for administrative or compliance purposes.

The commenter was concerned that a broad definition of “attachment information,” such as the definition being finalized in this rule, could prompt health plans to require documentation for routine services, which could administratively or financially burden small health care providers, especially those serving rural or underserved populations. However, we note that nothing prohibits a health plan from requiring such documentation today under the manual processes currently in widespread use (which are more labor and resource intensive than an electronic transaction). Therefore, we do not agree that finalizing this definition of “attachment information” or the adoption of a standard for health care claims attachments in and of themselves would cause health plans to make broad requests for documentation. We also believe the definition we are finalizing appropriately balances flexibility with restraint by tying the use of attachment information directly to a standard claims or equivalent encounter transaction and explicitly excluding any information already required by the transaction standard itself, which would ensure that attachment information is supplemental in nature and transaction- ( printed page 14360) specific while also providing sufficient adaptability across diverse payer-provider contexts.

Comment: Multiple commenters stated that there was a critical need to improve the clarity of the proposed definition of “attachment information” as they believed the scope of the proposed definition could be expansively interpreted as applying to all use cases, permitting a “kitchen sink” approach to the eligible activities to which the mandated standards would apply, rather than the definition of “attachment information” being tied to “a specific transaction” such as the claims transactions. The commenters further stated that the proposed definition potentially would include any information exchange between a health care provider and other information source (for example, a clinical laboratory or immunization registry) and a health plan.

Response: We reiterate that we believe the definition of the term “attachment information” is adequately narrow. In the proposed, and finalized, definition of the health care claims attachments transaction in § 162.2001, “attachment information” refers to information transmitted by a health care provider or requested by a health plan that is necessary to make a decision about a health care claim and that is not included in the standard health care claims or equivalent encounter transaction, as described in § 162.1101. Though the definition must be sufficiently broad to encompass the various documentation that a health plan may require “to make a decision about health care,” it also must be clearly tied to the health care claim or equivalent encounter transaction. The finalized definition does not apply to all information exchanges between health care providers and other entities nor does it permit a “kitchen sink” approach to its application. It also would not authorize any action beyond those already permitted under health plan policies.

Therefore, we continue to believe the finalized definition of “attachment information” in § 162.103 appropriately balances clarity and flexibility, ensuring that it is broad enough to be functional in practice while remaining anchored to a defined transaction use case.

Comment: A commenter stated that they interpreted the language in the proposed definition of “attachment information” as not being inclusive of information needed for fraud, waste, and abuse purposes. The commenter recommended that HHS include a reference to fraud, waste, and abuse in the definition of “needed” in the proposed definition of “attachment information.” The commenter also pointed to HHS's language in the Executive Summary, part A, that the purpose of [the proposed] rule is to “determine the necessity of a health care service as part of making a coverage decision” and stated that fraud, waste, and abuse must be considered when a service is deemed medically unnecessary in order to maintain CMS program integrity.

Response: The definition of “attachment information” adopted in this final rule is intended to ensure that health plans have the documentation necessary to support proper claims processing and payment determinations. While this information may inform a payment determination, the determination itself may also depend on additional factors such as plan policies or clinical review requirements. Accordingly, certain documentation may be necessary for evaluating coverage without being solely determinative of claim adjudication. This approach would also allow health plans to use attachment information for administrative purposes, including fraud, waste, and abuse detection and prevention, without requiring a separate explicit reference to these activities in the definition.

2. Definition of the Health Care Claims Attachments Transaction

In the HIPAA Standards for Health Care Attachments proposed rule, we proposed to add a new Subpart T to 45 CFR part 162 —Health Care Attachments (87 FR 78446). In Subpart T, in § 162.2001, we proposed to define the “health care attachments transaction” for health care claims transactions and prior authorization transactions. Specifically, we proposed that any of the following different types of transmissions would constitute a “health care attachments transaction”: (1) the transmission of attachment information from a health care provider to a health plan in support of a referral certification and authorization transaction or in support of a health care claims or equivalent encounter transaction; and (2) a request from a health plan to a health care provider for attachment information. For each type of transmission, we specified the entity type from which the transaction is being transmitted and to which it is being sent, the information being transmitted, and the purpose of the transmission. We noted that the overarching purpose for each type of transmission—to enable a health plan to make a decision about health care—is incorporated into the definition of “attachment information.” We further specified the purpose for the two transmission types in § 162.2001(a), as discussed later in this section.

Because we are adopting only an attachment standard for health care claims, as that term is used in this rule to include health care claims or equivalent encounter information transactions, and not a standard that includes the prior authorization transaction, in § 162.2001 we rename what we had called the “health care attachments transaction” to the “health care claims attachments transaction.” [24 ] The finalized definition has been revised from what we had proposed to remove language specific to prior authorization (that had read in part, “in support of a referral certification and authorization transaction”) and reformat the outline structure to account for that, so that it applies exclusively to claims attachments. Aside from that, the definition remains the same as we had proposed.

In the HIPAA Standards for Health Care Attachments proposed rule, to align with the proposed rule's scope which addressed health care attachments for health care claims or equivalent encounter information and prior authorization transactions, we also proposed to make a conforming change to the definition of “transaction” in § 160.103. We proposed to replace “(10) Health claims attachments” with “(10) Health care attachments” (87 FR 78446). Because we are not adopting the prior authorization attachments standards, we are not finalizing this proposed change. But, to align with the focus on health care attachments for health care claims or other equivalent encounter information transactions, we retain the word “care” from our proposal and are finalizing the definition of “transaction” with modification, so it reads “Health care claims attachments.”

Comment: The majority of commenters who provided feedback on our proposed definition of the health care attachments transactions opposed the proposal. A commenter stated that because the proposed definition refers to attachments for both claims and prior authorization transactions and not just claims, it arbitrarily collapsed the two use cases into one definition, to which the commenter objected. The commenter indicated that using attachments for prior authorization transactions diverges from the statutory ( printed page 14361) construct, which could result in confusion and difficulty unraveling them down the road.

Another commenter recommended that the proposed health care attachments transaction definition include only attachment information created and maintained by a health care provider and explained that the proposed definition was too broad and could lead to the capture of all possible patient-related health services information. The commenter stated that such a broad definition might inadvertently cause disruption to claim adjudication processes and place a greater burden on health care providers, believing that it would not limit attachment information to only what was needed for a plan to make decisions about care. Instead, a health plan might demand all possible patient-related information that could be generated with respect to health care services before deciding whether or not to cover an item or service or when conducting a post-payment audit. The commenter also stated that health care entities, such as laboratories, do not create or routinely maintain all possible patient-related information that could be generated with respect to health care services; do not routinely receive electronic attachment information from clinicians; and cannot transmit this information to health plans when requested to support claims processing. The proposed definition, the commenter claimed, could cause laboratories to receive innumerable requests from health plans for electronic attachment information that they did not create and do not maintain.

Response: As discussed in section III.A. of this final rule, numerous commenters opposed our proposal to adopt a health care attachment standard to include prior authorization as a use case and opposed the adoption of a standard for prior authorization attachments transactions, and, after further consideration, we are not finalizing adoption of a standard for prior authorization attachments transactions. We further note that the health care claims attachment definitions and standards we are adopting in this rule do not include references, or otherwise extend, to prior authorization attachment transactions.

Our proposed definition of the “health care attachments transactions” was intended to encompass the different types of transmissions such a transaction would encompass. For each type of transmission, we specified the entity type from which the transaction would be transmitted and to which it would be sent, the type of information being transmitted, and the purpose for the transaction. We also noted in the HIPAA Standards for Health Care Attachments proposed rule that the overarching purpose for the two types of transmissions was to enable a health plan to make a decision about health care in support of the health care transaction and that specification of the information transmitted by a health care provider or requested by a health plan in support of the transaction was incorporated into the definition of attachment information (87 FR 78446).

We emphasize that HIPAA transaction standards govern the format and conduct of electronic transactions; determinations about the amount or type of documentation that a health plan may request in support of adjudication remain subject to health plan business rules and other governing law. The term “attachment information,” as defined in our finalized definition at § 162.103, is limited to documentation not included in a standard claims transaction that enables a health plan to make a decision about health care. These limitations ensure that the standard does not encompass all conceivable patient-related information.

We also clarify that this rule does not create new requirements for entities that do not originate or maintain the documentation at issue. The standard applies only to the exchange of documentation that a health care provider or other covered entity already maintains and transmits as part of a claims adjudication process.

Final Action: After considering the public comments, and for the reasons discussed previously, in § 162.103, we are finalizing, with modification, the definition of “attachment information” as: documentation that enables the health plan to make a decision about health care that is not included in a health care claims or equivalent encounter information transaction, as described in § 162.1101.

We are also finalizing the addition of a new Subpart T to 45 CFR part 162 —Health Care Claims Attachments. In Subpart T, in § 162.2001, we are finalizing the definition of the “health care claims attachments transaction” as the transmission of either of the following:

Attachment information from a health care provider to a health plan in support of a health care claim or equivalent encounter information transaction, as described in § 162.1101.
A request from a health plan to a health care provider for attachment information. Last, because we are not adopting an attachments standard for prior authorization transactions in this final rule, as discussed in section III.A. of this final rule, we are finalizing, with modification, the proposed definition of “transaction” in § 160.103 by amending paragraph (10) to add the word “care,” (Health care claims attachments).”

D. Attachments Transaction Standards

In the HIPAA Standards for Health Care Attachments proposed rule (87 FR 78445 through 78451), we proposed to adopt certain industry consensus standards that, when used together, provide the functionality necessary for the transmission of electronic health care attachment information. [25 ] The standards being adopted in this final rule are for requesting and transmitting attachment information. In this section, we describe the new requirements for covered entities to use: (1) certain X12N standards for requesting and transmitting attachment information and HL7 standards for clinical information content; and (2) electronic signatures standards. We also describe how the HL7 Attachments IG utilizes the LOINC code set to identify attachment information in a consistent manner.

1. Electronic Health Care Claims (or Equivalent Encounter Information) Attachments Transactions

Health plans often require health care providers to submit additional information in association with the claims payment process. Additional information is frequently in a format, such as medical imaging or free text, not supported by the discretely defined health care claims transaction standard data fields. Claims payment is a multi-step process that may include pre-payment review, payment adjudication, and post-payment activities such as audits or recoupment reviews. The claims attachment transaction standards adopted in this final rule apply to the transmission of solicited and unsolicited attachments used in support of these stages of the claims payment process, including post-payment review activities related to claim adjudication. These standards do not apply to attachments exchanged as part of a separate claims appeal or dispute resolution process. Appeals and related ( printed page 14362) transactions are outside the scope of this rule and would require separate standards to be adopted through future rulemaking.

In the HIPAA Standards for Health Care Attachments proposed rule, we proposed to adopt standards for requesting and transmitting attachment information, and to define attachment information in § 162.103, as documentation that enables the health plan to make a decision about health care that is not included in a health care claim or equivalent encounter information transaction, as described in § 162.1101. We also proposed to adopt X12N standards with respect to the transmission of attachment information and HL7 standards with respect to the clinical content of attachments. Specifically, as detailed in the sections that follow, we proposed to adopt three X12N TR3 implementation specifications for health care claims attachments (87 FR 78445) and three HL7 IGs for the clinical information embedded in those transactions (87 FR 78445).

a. Scope of Health Care Claims Attachments Transactions

Section 1173(a) of the Act requires the Secretary to adopt standards for “health claims attachments,” and section 1104(c)(3) of the Affordable Care Act reiterated that requirement, directing the Secretary to promulgate a final rule to adopt a transaction standard and a single set of associated operating rules. In the proposed rule, we stated that the proposed attachments standards would satisfy the requirement to adopt a standard to support health care claims but would also support prior authorization transactions (87 FR 78445). Because, as we have already explained, in this final rule we are finalizing only a definition for “health care claims attachments,” we use that term to refer to attachments for health care claims or equivalent encounter information transactions rather than the proposed rule's broader “health care attachments” phrase that was intended to include both the claims and prior authorization transaction standards.

We did not propose to adopt attachments standards for all health care transaction business needs. Rather, we stated that not only would it be challenging to identify standard specifications and appropriate codes for the full array of different health care attachment types used today, but also that it was important that covered entities gain experience with a limited number of standard electronic attachment types so that technical and business issues could be identified to inform potential future rulemaking for other electronic attachments standards (87 FR 78446).

We requested comments on alternative standards and approaches that could address the challenges described in section I.A. We summarize and respond to public comments submitted in response to this request in the next section.

2. Adoption of Electronic Health Care Claims Attachments Transaction Standards

In the proposed rule, we highlighted the NCVHS's July 5, 2016 recommendations to the Secretary on attachments standards, which are the same standards we proposed to adopt (87 FR 78446 and 78447). We title this section to only refer to the health care claims attachments standards that we are adopting in this final rule and emphasize that prior authorization attachments standards are not adopted in this final rule. But, because our proposal had been broader by including prior authorization attachments standards and thus generated comment on the broader proposal, our comment summaries and responses do include some discussion of the full scope of what had been proposed.

As mentioned in the proposed rule, and discussed again in section II.D.3. of this final rule, section 1104(c)(3) of the Affordable Care Act requires that the adopted attachments standard be “consistent with the X12N Version 5010 transaction standards” (87 FR 78440), which we interpret as requiring that the health care claims attachment implementation specifications we adopt should generally be compatible with X12N standards. Thus, any standard we adopt for health care claims attachments should be electronically transmitted by an X12N transaction standard in the same transaction.

While the NCVHS did not recommend specific versions of the X12N attachments standards, we proposed to adopt X12N Version 6020 for both the X12N 277—Health Care Claim Request for Additional Information (006020X313) and the X12N 278—Health Care Services Request for Review and Response Version (006020X315) as the standards a health plan must use to electronically request attachment information from a health care provider to support a prior authorization transaction. We proposed to adopt Version 6020 of the standards because they better harmonize with the X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314) and the X12N 275—Additional Information to Support a Health Care Services Review (006020X316) (87 FR 78447), and we refer readers to the proposed rule for the full discussion of the use of these standards and their compatibility (87 FR 78446).

Comment: Multiple commenters supported the proposed attachment standards, noting the approach would enable continuous advancements in standards-based attachment content. Commenters underscored the importance that uniform standard requirements would have on furthering industry adoption of automated claims processes, which would help reduce the current manually intensive administrative burden, and, therefore, reduce costs. Similarly, one commenter stated that adopting unified standards would eliminate the need for proprietary data programs, reduce handling and processing time, eliminate the risk of lost paper documents, and, thereby, reduce administrative burden and lower costs.

Another commenter supported HHS's proposals to apply attachment standards for health care claims and prior authorization transactions. The commenter noted that while some in the industry are concerned with the lack of alignment in prior authorization standards (X12 versus FHIR), they agreed with HHS's proposed approach since the absence of an electronic attachments standard had contributed to low industry adoption rates for electronic prior authorization (ePA) transactions.

A commenter noted that, currently, health plans have requirements for submitting supporting documentation that health care providers must follow and that health plans may request further information from a health care provider to make an authorization decision. The commenter noted that health care providers must submit this information via burdensome manual processes through mail, fax, or a portal, with each health plan having different requirements. The commenter further noted that every player has a different portal to submit attachments, and managing the many access usernames and passwords is also burdensome. Therefore, the commenter stated that a standard attachment process, via a standardized electronic format, would greatly improve the process.

Another commenter noted that payers and providers would benefit from having a unified submission method for documents needed for prior authorization, claims, quality, audit, and other use cases. Another commenter stated that adopting the X12 standards ( printed page 14363) and C-CDA standards would improve patient outcomes.

Response: We thank commenters for the feedback on and support of our proposals. After careful consideration, we are adopting standards for health care claims attachments transactions to help combat the burdensome manual processes health care providers face today when transmitting supporting documentation required by health plans in association with the claims payment process. We agree with commenters that adopting standards for health care claims attachments will yield numerous benefits, including reducing administrative burden and costs, removing the need for proprietary data programs, cutting lengthy processing times, and eliminating the risk of lost paper documents. However, for the reasons extensively discussed in section III.A. of this final rule and as noted repeatedly elsewhere, we are limiting the scope of this rulemaking solely to the adoption of standards for health care claims attachments transactions.

Comment: Multiple commenters noted that the technology and regulatory spaces have significantly evolved over the years, with some expressing concern that HHS's proposals demonstrated “2016-based thinking” by proposing the use of X12N standards, which they stated would make the evolution of requesting and responding to supplemental data needs harder and more burdensome. One of these commenters noted that, while they support a national attachments standard for claims and prior authorizations, more flexible technologies are available that would reduce complexity. A commenter requested that HHS consider updating the required attachment standards as new methods are introduced and real-world tested. Another commenter stated that HHS proposed outdated standards, and that HHS should not require adherence to standards that would move the industry backward. Further, a commenter expressed concern about how the proposed standard requirements would fit into the business process for most health care provider organizations and expressed that even though discussion included in the proposed rule was about physically capturing data elements and the transport mechanisms, a more holistic approach would be required to bring the technical capabilities into a product suite to work for the end user. Another commenter expressed that by focusing on a document-based, as opposed to a data-driven, approach, HHS was proceeding down a standards pathway that would make the attachment standards incongruent with the standards mandated in other proposed and final rules, such as the CMS Interoperability and Prior Authorization proposed rule (87 FR 76238). Multiple commenters expressed concern regarding the proposal to adopt standards for prior authorization attachments transactions and recommended that HHS bifurcate the claims attachments and prior authorization attachments standards proposals to finalize only the proposed claims attachments standard. A commenter noted that section 1173(a)(1)(A) of the Act specifically calls for the establishment of a claims attachment standard, but contains no provision requiring prior authorization attachments.

Response: We thank commenters for their feedback on the proposed attachment standards and their observations about broader health IT and standards development trends. We acknowledge that industry technologies and regulatory requirements have evolved significantly since 2016 and agree that any adopted standard must balance progress with stability. Newer technologies may offer long-term potential to reduce complexity and improve flexibility in transmitting supplemental clinical information, and we will continue to consider their technical viability and operational maturity across a broad segment of the industry. The X12N standards for health care claims attachments that we finalize here have been used for many years in related HIPAA transactions, are supported by widely adopted infrastructure, and offer a known path for implementation and compliance. Standardizing attachments through X12N Version 6020 allows for the exchange of clinical content in a format that aligns with other existing administrative transactions, increases health care provider and health plan efficiency and reduces the need for burdensome manual submission processes.

While the 2016 NCVHS recommendation mentioned earlier noted the value of a broader attachments strategy that could extend beyond claims to include prior authorization, referrals, and other use cases, and although we had originally proposed a broader strategy to include other use cases, this final rule focuses specifically on claims attachments. This narrower scope is consistent with section 1173(a)(1)(A) of the Act, which requires the Secretary to adopt a health claims attachments transactions standard.

With respect to interoperability, we have taken the CMS Interoperability and Prior Authorization final rule (89 FR 8758) into consideration, and note that adopting a consistent, national claims attachment standard supports broader goals of administrative simplification and compatibility across systems.

Comment: A commenter stated that the proposed rule's reference to the limited uptake of the current referral certification and authorization transaction standard being due to not having established standards for attachments (87 FR 78446) may be a result of an onerous process for certification and authorization. The commenter stated that if limited uptake of the referral certification and authorization transactions is a standards issue, it is imperative that the new attachments standard be simple and practical in order to improve compliance rates.

Response: We thank the commenter for this input. We acknowledge that the limited uptake of the current referral certification and authorization transaction standard (X12N 278 Version 5010), which supports prior authorization, has been documented in multiple reports, but that is separate from the adoption of standards for health care claims attachments, which we are finalizing in this rule. We agree that any future attachment standards, particularly for prior authorization, must be practical and simple to implement in order to improve adoption rates. Past experiences with low utilization of the referral certification and authorization transaction, as mentioned in the 2016 NCVHS Hearing on attachments, demonstrate that overly complex standards or processes can pose barriers to adoption, even when standards are available. For this reason, simplicity in aligning with existing industry workflows, and coordination with SSOs and interested parties, are central considerations in our policy development as we continue to evaluate prior authorization attachments options.

Comment: Multiple commenters, citing numerous rationales, encouraged HHS to consider implementing the FHIR standard, including the HL7® FHIR® Da Vinci Clinical Data Exchange (CDex) IG, for prior authorization attachments transactions. At the larger policy level, commenters described FHIR as an alternative standard aligned with federal and industry interoperability objectives, consistent with administrative simplification principles, and synergistic with certified EHR capabilities. At the practical level, commenters cited FHIR's flexibility and the efficiency of FHIR questionnaires, its ability to support end-to-end prior authorization and provide automated and real time solutions, and its being a ( printed page 14364) more modern technology. Multiple commenters expressed concern regarding HL7 C-CDA unstructured document media types not supporting FHIR bundles (for example, application/json+fhir). Commenters also noted that use of the FHIR standard would allow systems to adopt FHIR specifications to enable greater advancements within the health care industry.

Multiple commenters expressed concern over HHS proposing two rules that included proposals on prior authorization: (1) the HHS HIPAA Standards for Health Care Attachments proposed rule (87 FR 78438); and (2) the CMS Interoperability and Prior Authorization proposed rule (87 FR 76238). Commenters noted that across these two rules, HHS and CMS proposed the use of two different standards, X12N and FHIR, for prior authorization transactions, which would require implementation of both standards and be confusing and cumbersome. A commenter expressed that doing so would be counterproductive to the goals of administrative simplification. Another commenter noted that adopting both X12N and FHIR standards would create confusion for providers, insurers, and vendors that could lead to delays in prior authorization processing and approvals, increased costs, and would likely result in providers using solely the X12N standard despite incentives to use the FHIR standard. Multiple commenters expressed support for the use of FHIR, citing a desire for alignment with the CMS Interoperability and Prior Authorization proposed rule. A commenter requested that HHS review the standards proposed in the CMS Interoperability and Prior Authorization proposed rule and allow providers to utilize both FHIR and X12 standards to meet the requirements in both rules, while another suggested we be thoughtful in considering how HHS's proposal aligns with CMS's proposal so as to avoid providers' duplication of efforts.

A commenter also recommended that HHS allow data-element driven data sharing via FHIR APIs, which would enable flexibility for targeted requests. Despite a stated preference for health care providers to adopt the FHIR standard and connect to APIs once finalized, a commenter recognized there would be providers that lack the means to finance their vendors' FHIR updates. They therefore proposed the adoption of a safe harbor for providers that would allow for the use of Version 5010 of the X12N 278 standard for prior authorization transactions and the X12N 275 standard for claims transactions.

Response: We appreciate these comments and thank commenters for sharing these important considerations. In its most recent letter to the Secretary (March 30, 2022), the NCVHS recommended that HHS move forward with publishing a claims attachments rule to address longstanding industry needs, while also continuing to monitor and consider emerging standards. [26 ] As discussed extensively in section III.A. of this final rule and as reiterated elsewhere, we are not in this final rule adopting attachment standards for prior authorization transactions. We note that the NCVHS's March 30, 2022, letter also recommended that CMS publish the CMS Interoperability and Prior Authorization proposed rule, which included proposals for FHIR-based APIs to support prior authorization workflows. This underscores both the ongoing demand for a claims attachments standard today and the importance of continuing to evaluate newer technologies for prior authorization and other use cases. We therefore finalize a claims attachments standard in this rule while leaving open the opportunity to adopt alternative standards applicable to prior authorization in other rulemaking.

Comment: A commenter noted that while they expect claims transactions to remain X12-based, the industry and technology have evolved significantly and are moving toward FHIR standards. Another commenter underscored the need for claims attachments standardization but noted industry concern with the specific technology proposed for the prior authorization attachments standard. The commenter stated that HIPAA regulations view the claims and prior authorization attachment standards separately, and that the claims process occurs after care has been delivered, as opposed to the prior authorization process which occurs in advance of care. Given the different workflows and points at which these two processes occur, the commenter stated the need for the processes to mirror one another or be adopted in tandem is diminished. A commenter stated that the proposed standards are an interim step to move health care providers and payers to electronic data submission. However, the commenter noted that to further advance ePA processes and reduce administrative burden, it is critical to align prior authorization attachments standards across all components of the ePA process, which includes the transmission of clinical information via health care attachments.

Response: We thank commenters for their perspectives on the need for attachment standards in both the health care claims and prior authorization contexts and agree that claims and prior authorization serve distinct business functions and operate under different workflows, with prior authorization typically occurring before items or services have been rendered and claims typically occurring afterwards.

In this final rule, as repeatedly noted, we have elected to adopt standards only for health care claims attachments. That focused approach accommodates the requirement at section 1173(a)(2)(B) of the Act that the Secretary adopt standards for the health claims attachment transaction and public feedback recommending that we not simultaneously finalize claims and prior authorization attachments standards in the same final rule. Finalizing only claims attachments standards now allows the industry to begin realizing the benefits of increased automation that reduces administrative burden, while providing additional time to align on prior authorization attachment standards in future rulemaking. We acknowledge the growing interest in APIs, such as FHIR based approaches, particularly for prior authorization transactions, and that FHIR for API-driven data exchange has already been adopted in other regulatory contexts, such as the CMS Interoperability and Prior Authorization final rule (89 FR 8758).

Finally, we emphasize that the decision not to adopt a standard for prior authorization attachments in this final rule should not be interpreted as abandoning the goal of reducing burden in that area. To the contrary, we recognize that prior authorization remains a major challenge across the health care system, and our action here is intended to allow targeted progress on claims attachments while maintaining flexibility to support emerging standards for prior authorization attachments through separate HHS-led policymaking efforts coordinated with interested parties, including health plans, health care providers, and industry. We encourage the participants in the standards development community to continue to explore how emerging paradigms for information exchange can be extended to address HIPAA transactions, and we welcome ( printed page 14365) further dialogue with interested parties about promising approaches.

Comment: A commenter highlighted the significant burden on health plans to ensure their systems can support the standards for health care claims and prior authorization attachments transactions for structured and unstructured documents. The commenter stated that by adopting an approach in the final rule whereby a health plan would be compliant by implementing the use of either, but not necessarily both, structured or unstructured claims and prior authorization documents by the compliance date, HHS could ease health plans' burden as they work to ensure their systems can accommodate structured and unstructured documents for claims and prior authorization attachments transactions. The commenter also noted that HHS could, under such an approach, require that health plans implement the other document type (whether structured or unstructured) within 1 year of the compliance date.

Response: Consistent with section 1104(c)(3) of the Affordable Care Act, we are finalizing a compliance date of 24 months after the effective date of this final rule by which all covered entities must comply. We believe that the fact that we are not finalizing adoption of a prior authorization attachments transaction standard ought to diminish the commenter's burden concerns. HIPAA covered entities will have to support structured and unstructured document types, but we understand the health care industry is moving in that direction and should be able to fully accommodate the requirement within this final rule's compliance timeframe. We encourage all HIPAA covered entities to begin testing their systems early to ensure smooth implementation.

Comment: A commenter noted that current HIPAA regulations do not require health plans to send X12N 277 (Health Care Claim Acknowledgment or Claim Status Response) transactions as a response to an X12N 837 (health care claim) or X12N 278 (standard for prior authorization) transaction. The commenter requested that HHS confirm whether any requirements finalized by this rulemaking would result in a health plan being required to respond to a X12N 837 or X12N 278 transaction with the X12N 275 (Additional Information to Support a Health Care Claim or Encounter) standard to inform the provider of whether the attachment information is needed. The commenter also requested clarification as to whether a health plan that may require an attachment for a claim or prior authorization may then deny the corresponding claim or item or service authorization should a provider fail to provide the attachment, which would have the effect of requiring the provider to resubmit the claim or prior authorization request with the appropriate attachment information.

Response: We appreciate the commenter's feedback and the opportunity to clarify the requirements for how health plans may request attachment information, while also reiterating that HIPAA specifies transaction standards requirements but does not directly address health plans' business rules. HIPAA regulations do not now (and this final rule does not alter this) require health plans to use the X12N 275 transaction to respond to an X12N 837 health care claim or an X12N 278 prior authorization transaction when requesting additional documentation. In other words, the X12N 275 standard may be used to support claim attachments, but HIPAA does not require its use as a mandatory response transaction.

Similarly, currently, the X12N 277 transaction may be used to notify a provider that claim attachment information is needed. HIPAA does not require its use, but health plans may elect to use it to communicate with health care providers about missing documentation. Health plans' business rules typically would specify when they may or may not deny a claim for failure to comply with health plan policies. While we do not currently require the use of the X12N 275 and X12N 277 transactions in these scenarios, we encourage health plans to adopt clear and consistent communication practices, including using these transactions where appropriate, to minimize administrative burden and avoid unnecessary claim denials.

Comment: Multiple commenters supported the proposed adoption of Version 6020 for the X12N 275, X12N 278, and X12N 277 standards. A commenter stated that adopting Version 6020 for these standards would be critical to attachment transactions functionality because Version 6020 includes two key fields: (1) the health plan assigned claim control number to aid with claim reassociation; and (2) the field to capture LOINC for required data elements to identify the specific attachment information. A commenter expressed their appreciation for Version 6020 being tested and implemented in real-world settings.

Response: We thank commenters for their feedback and support of Version 6020 of the standards as a business case in adopting a health care claims attachments transaction standard.

Comment: Multiple commenters expressed concern about HHS's proposal to adopt Version 6020 and, instead, recommended that we adopt a newer version of the X12N attachments standards, such as Version 8020, which a commenter noted has been published. A commenter supported the adoption of Version 6020 of the X12N 275 and X12N 277 standards but recommended that the attachments standards be updated to Version 8020 when possible, while another commenter expressed concern that we would adopt Version 6020 when X12 may recommend Version 8020 be implemented prior to, or shortly after, HHS's action. That commenter encouraged us to ensure that the proposed technical standards are supported, compliant, and not mandated for replacement for no less than 5 years after the implementation date.

Multiple commenters recommended that HHS consult with standards development organizations (SDO) to ensure that the appropriate versions of the standards are finalized and that versioning is aligned. A commenter noted that using the versions proposed in the proposed rule could lead to operational and implementation costs and requested that HHS collaborate with early adopters of the proposed attachments standards. A commenter stated that the proposed Version 6020 of the X12N attachments standards will be problematic for attachment standard transactions because health care providers currently use Version 5010 of the X12N standard, and Version 8020 is being utilized by X12. The commenter expressed the belief that HHS's proposal would create a scenario where the transaction standard floor is lower than the one X12 will potentially recommend, and that is currently used for claims transaction processing. A commenter noted concern over the alignment between the proposed standards in the proposed rule and future HIPAA standards. The commenter encouraged HHS to ensure that future adoption of X12N standards is compatible with the proposed health care attachments standards outlined in the proposed rule. Multiple commenters recommended that HHS wait to adopt attachments transaction standards until the NCVHS makes a determination about recommending the next version of X12N standards. A commenter also stated that the NCVHS is currently evaluating requests from X12 on the adoption of Version 8020 for the X12N 837 and X12N 835 payment/remittance advice standards. ( printed page 14366)

Response: We appreciate the commenters' recommendations and concerns regarding the adoption of specific versions of the X12N 275 and X12N 277 standards for health care claims attachments. Specifically, we understand commenters' concerns regarding the potential for Version 6020 to become outdated, especially since X12 has published Version 8020 and the NCVHS may be considering it. However, the NCVHS has not recommended that any newer version of these standards be adopted under HIPAA, and under the HIPAA regulatory framework, HHS is limited to adopting standards that have completed the formal SDO process and have undergone appropriate evaluation and recommendation, including through the NCVHS. Therefore, we are finalizing the adoption of Version 6020 of the X12N 275 and X12N 277 standards, as they are currently the most recent versions that provide the necessary functionality to support the exchange of attachments in conjunction with claims and are currently the viable and legally supportable standards for the claims attachment transactions.

We agree with commenters that it is important that the attachment standards and the broader suite of adopted HIPAA standards, such as the X12N 837 and 835, be aligned. We are committed to ongoing coordination with SDOs, such as X12, and with the NCVHS to ensure that any future updates to HIPAA standards, including consideration of Version 8020 or later, are harmonized across transaction types to reduce implementation burden and maintain interoperability. We also recognize the importance of maintaining stability in the adoption of new standards. The HIPAA statute allows for the periodic update of standards—indeed, as we discuss in section II.D.3., the HIPAA standards paradigm is premised on standards evolution over time—but we will strive to maintain reasonable implementation timelines and take commenters' feedback into account as we consider future rulemaking and versioning policies.

Finally, as we extensively discuss in section III.A. of this final rule and reiterate elsewhere, we are not finalizing the proposed adoption of standards for prior authorization attachments at this time and, therefore, in this rule, are not adopting an updated version of the X12N 278 transaction standard.

a. Adoption of X12N Standards for Health Care Claims Attachments Transactions

(1) Adoption of Standards for Request From a Health Plan to a Health Care Provider for Attachment Information

(a) X12N 277—Health Care Claim Request for Additional Information (006020X313)

In the proposed rule, we proposed to adopt the X12N 277—Health Care Claim Request for Additional Information (006020X313) as the standard a health plan must use to electronically request attachment information from a health care provider to support a health care claim in § 162.2002(e)(1), and also proposed to incorporate the same by reference in § 162.920 (87 FR 78447). We explained that the X12N 277 standard for claims transactions contains two noteworthy fields: (1) the health plan assigned claim control number that is assigned by the health plan to link the attachment request with the original claim, enabling reassociation when the provider responds via the X12N 275 transaction; and (2) the LOINC code set for HIPAA that is used to identify the specific type of attachment requested (87 FR 78447).

Comment: Multiple commenters strongly supported HHS's proposed adoption of the X12N 277 standard for claims attachments, and a commenter recommended that we finalize this standard as proposed. Commenters noted that the current claims attachment process is complex and cumbersome and that adopting consistent electronic claims attachment standards would reduce administrative burden and associated costs. A commenter urged HHS to strongly enforce this new standard, if finalized. Multiple commenters discussed how health plans have implemented an electronic claims attachment standard outside the HIPAA context and achieved significant efficiencies in denials, appeals, and time to payment using clinical documents rather than granular data elements for claims processing. A commenter noted that this example of successful real-world implementation and return on investment strengthens the argument for immediate claims attachments standards adoption.

Response: We thank these commenters for their support for our proposals to adopt a health care claims attachment standard.

HHS administers HIPAA Administrative Simplification requirements related to the format and content of electronic administrative health care transactions for which we have adopted standards. Consistent with our approach of responding to complaints of non-compliance and conducting proactive compliance reviews, should we identify a HIPAA covered entity that fails to conduct, or fails to properly conduct, an adopted transaction standard, it may be subject to enforcement action.

As discussed in the final action section, we are finalizing adoption of the X12N 277 transaction standard in § 162.2002(d). The regulatory text has been reordered to group related transaction standards together for clarity and ease of reference; this reordering does not change the requirements for the use of the standard.

(2) Adoption of Standards for Transmission of Attachment Information From a Health Care Provider to a Health Plan: X12N 275—Additional Information To Support a Health Care Claim or Encounter (006020X314) and X12N 275—Additional Information To Support a Health Care Services Review (006020X316)

We proposed to adopt, in § 162.2002(d), the X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314) as the standard a health care provider must use to electronically transmit attachment information to a health plan to support a health care claims or equivalent encounter information transaction. We also proposed to incorporate the same by reference in § 162.920.

As discussed in the HIPAA Standards for Health Care Attachments proposed rule, the X12N 275 standard for claims transactions may be used with respect to both solicited and unsolicited attachment information (87 FR 78448). We noted in the proposed rule that the X12N 275 standard for claims transactions does not itself contain claims attachment information (87 FR 78448). Rather, the standard serves as the electronic envelope for health care claims attachment information such that the attachment information (which is embedded in an HL7 standard) is transported by the X12N 275. We describe in detail the specific HL7 standards for embedding attachment information in this section of the final rule.

Additionally, we proposed to adopt, in § 162.2002(c), the X12N 275—Additional Information to Support a Health Care Services Review (006020X316) as the standard a health care provider must use to electronically transmit attachment information for electronic prior authorization ( printed page 14367) transactions. We also proposed to incorporate the same by reference in § 162.920. We are not adopting that standard in this final rule as it only pertains to electronic prior authorization transactions. We clarify that in this final rule, we are only adopting the X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314) standard for health care claims attachments.

The X12N 277 transaction set is used for claim status inquiries and responses. When a health care provider submits a claim and the payer needs additional information to continue the review or processing of that claim, it may send the provider a request through a X12N 277—Health Care Claim Request for Additional Information transaction, and the health care provider may use the X12N 275—Additional Information to Support a Health Care Claim or Encounter to transmit the requested information back to the payer. For example, with a surgery for which there is no HCPCS code, for solicited attachment information, the health plan would request attachment information using the X12N 277 standard for claims transactions, and the health care provider would use the X12N 275 standard for claims transactions to respond with the operative note. In a scenario with unsolicited attachment information, the health care provider would transmit the X12N 275 standard for claims transactions to enable the health plan to make a decision about the claim without additional requests for information.

Comment: Multiple commenters supported the adoption of the X12N 275 standard for health care claims transactions. Commenters stated that the present lack of attachments standards under HIPAA burdens the health care industry and noted that evidence from voluntary X12N 275 standard implementations has demonstrated the technical success of the transactions and cost savings. A commenter stated that, due to the X12N standards being foundational and widely implemented across health care providers, health plans, and health IT vendors, they believe it is appropriate to adopt the X12N 275 standard as the basis for exchange to support adoption at scale. A commenter recommended that HHS mandate a version of the X12N 275 standard that is consistent with HIPAA requirements at publication of the final rule. Another commenter expressed support for solicited and unsolicited claims attachment standards and noted that using the X12N 275 standard concurrently with a claims transaction will promote efficiency and decrease costs for providers and health plans. A commenter pointed out that Version 6020 of the X12N 275 standard includes the Binary Data Segment (BDS), which was not part of Version 5010, and is necessary for transmitting properly encoded clinical data.

Response: We thank the commenters for their feedback and support. We agree that the absence of adopted HIPAA attachment standards has contributed to variability and inefficiencies in documentation exchange processes across the health care industry. We appreciate commenters highlighting the value of using the X12N 275 standard for health care claims and encounters, including its technical success in voluntary implementations, alignment with widely adopted foundational X12N standards, and capacity to support health care provider, health plan, and vendor interoperability. We also agree that adopting a consistent standard for solicited and unsolicited claims attachments can reduce administrative burden and promote operational efficiency.

We acknowledge the specific support for Version 6020 of the X12N 275 standard and its enhancements over prior versions, including the BDS that supports the secure and structured transmission of clinical data in attachment transactions. Accordingly, in this final rule, we are adopting Version 6020 of the X12N 275 standard for use in the health care claims attachments transaction, as well as Version 6020 of the X12N 277 standard. We believe this establishes a clear, standards-based foundation for exchanging attachments that will enable greater automation, improve data integrity, and reduce costs across the health care system.

We appreciate commenters' recognition of the need for consistency and predictability in the standards adopted under HIPAA and will continue to engage with parties in the health care industry and SDOs to ensure that future standards development and updates are responsive to industry needs and remain aligned with the HIPAA regulatory framework.

Comment: A commenter stated the X12N 275 standard for health care claims and encounters will not work with unstructured documentation. Another commenter recommended that HHS permit trading partners to agree upon other documentation, not covered by the HL7 C-CDA, that would be allowed to be transported via the X12N 275 standard.

Response: We further evaluated the commenter's assertion that the X12N 275 standard for claims transactions would not work with unstructured documentation and determined the assertion is incorrect, having confirmed that the X12N 275 standard for claims transactions does support the submission of unstructured documentation. The versions that we are adopting in this final rule include the BDS, which, in the HL7 standard, is used to carry attachments, such as documents or images. Moreover, the C-CDA Release 2.1 supports structured and unstructured templates. Therefore, we believe that the standards we are adopting in this final rule are sufficient for broad industry-wide use.

Regarding the comment recommending that we permit trading partners to agree that documentation not covered by the HL7 C-CDA be allowed to be transported via the X12N 275 standard for claims transactions, the types of documentation supported by the HL7 C-CDA broadly cover those that may be requested for the claims payment process. However, we encourage covered entities to negotiate the types of documentation required for implementing the transaction standard during the development of their trading partner agreements.

Comment: A commenter noted that health IT vendors will have to engage in new development work should the proposed X12N 275 standard for claims attachment transactions be finalized as proposed, since such entities have not previously developed those transaction standards.

Response: As discussed previously, we acknowledge that covered entities, or their vendors, will incur a number of one-time costs to implement the new HIPAA transactions. However, over time, we believe the resultant automation will ultimately benefit the industry by reducing burden and costs. We account for this implementation burden in our impact analysis in section VI. of this final rule.

Comment: Multiple commenters expressed that a definition for baseline structured data is needed to achieve administrative burden relief. They also emphasized that it is important that the X12N 837 claim and encounter standard be supported by the X12N 275 standard for claims transactions for additional information at the time of a prior authorization request, initial claim submission, and for claims in paid or denied status.

Response: We do not believe that a definition for baseline structured data is needed because the HL7 C-CDA Release 2.1 broadly covers structured and unstructured document types that may be transmitted under the X12N 275 standard for claims attachment ( printed page 14368) transactions. We encourage interested parties to engage with SDOs and industry collaboratives to identify and refine the consensus around structured data elements. We also encourage covered entities to negotiate the types of documentation required for implementing the transaction standard during the development of their trading partner agreements.

Final Action: After consideration of the public comments we received, and after consultation with the SSOs, we are finalizing, with modification, our proposal regarding the adoption of certain X12N standards for requesting and transmitting attachment information.

In § 162.2002(c), we are adopting the X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314) as the standard a health care provider must use to electronically transmit attachment information to a health plan to support a health care claim or equivalent encounter information transaction. We are also incorporating this standard by reference in § 162.920.

In § 162.2002(d), we are adopting the X12N 277—Health Care Claim Request for Additional Information (006020X313) as the standard a health plan must use to electronically request attachment information from a health care provider to support a health care claim. We are also incorporating this standard by reference in § 162.920.

E. Adoption of HL7 IGs for Health Care Claims Attachment Information

The HL7 CDA standard is the only currently available SSO-created, NCVHS-recommended implementation specification in the United States designed to support the HIPAA transactions. Other standards for the exchange of clinical information are being developed and piloted. However, due in part to its readiness, we stated in the proposed rule that we believe the HL7 CDA IG set is the most appropriate standard for adoption at this time (87 FR 78448).

We proposed to adopt the following three HL7 IGs as HIPAA standards for the attachment information included in health care attachments transactions:

HL7 IG for CDA Release 2: C-CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One—Introductory Material, June 2019 with Errata (HL7 C-CDA IG Volume One).
HL7 IG for CDA Release 2: C-CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two—Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG Volume Two).
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based Documents, Release 1, March 2017 (HL7 Attachments IG). We refer readers to the detailed discussion in the proposed rule on the purpose and functionality of each IG and how they interact with each other (87 FR 78448).

These IGs provide specifications for creating and transmitting both structured and unstructured health care attachment documents. Structured documents are machine-readable with standardized sections and codes, while unstructured documents (for example, scanned images, video, patient logs, etc.) have metadata (that is, information that describes, explains, or gives context to other data) but no internal tagging. The HL7 Attachments IG also defines criteria for creating new templates when none exist.

In the HIPAA Standards for Health Care Attachments proposed rule, we proposed to adopt the March 2017 iteration of the HL7 Attachments IG. The SDO engaged in its regular maintenance process with respect to that IG, and, in March 2022, published the Release 2 iteration of it. Commenters on the proposed rule encouraged us to adopt the March 2022 iteration, as opposed to the March 2017 iteration that we had proposed to adopt.

We carefully examined the history of changes to the HL7 Attachments IG between March 2017 and March 2022 and determined that the cumulative changes reflected in the March 2022 iteration of the IG constitute “maintenance updates” because, rather than adding new content, the updates address errata in the existing IG content. Maintenance refers to “activities necessary to support the use of a standard adopted by the Secretary, including technical corrections to an implementation specification, and enhancements or expansion of a code set.” [27 ] Maintenance updates to standards are non-substantive in nature, unlike modifications to standards which require rulemaking to be adopted by the Secretary.

We also consulted the DSMOs, which apprised us that the maintenance updates reflected in the March 2022 iteration of the HL7 Attachments IG better facilitate implementation of Version 6020 of the X12N 275 and X12N 277 standards for claims attachments adopted by the Secretary in this final rule. Our own in-depth evaluation along with our consultations with the DSMOs persuade us that we can confidently conclude that adopting the newer March 2022 iteration of the HL7 Attachments IG would be functionally equivalent to adopting the March 2017 iteration of the HL7 Attachments IG with errata.

Having established that the March 2022 iteration is functionally equivalent to the proposed March 2017 HL7 Attachments IG with maintenance updates, and to avoid industry confusion with respect to which IG iteration should be used, in this final rule we are adopting the March 2022 iteration of the HL7 Attachments IG which is Release 2.

Comment: Multiple commenters expressed support for the adoption of the proposed HL7 IGs for the exchange of claims attachments information. A commenter stated that the HL7 C-CDA is widely implemented and has demonstrated its value through the flexibility it provides in delivering solicited and unsolicited information in various formats. Another commenter stated that if HHS proceeds with the implementation of the claims attachments standards for payment purposes, they support proceeding with the HL7 C-CDA standard for now.

Response: We thank commenters for their feedback and support of our proposal.

Comment: Multiple commenters expressed concern regarding HL7's indication that it will no longer make updates to the HL7 CDA and C-CDA standard, in favor of moving towards FHIR solutions, and recommended that HHS work with HL7 to continue maintaining the HL7 C-CDA standard or develop a plan for a FHIR-based solution. A commenter urged HHS to ensure that HL7 will continue to support and develop guides based on the HL7 CDA standard as needed.

Response: HL7 is required, as an SSO, to continue to maintain any IGs that are adopted by the Secretary as HIPAA standards. Like all SSOs, HL7 holds weekly workgroup meetings and quarterly membership meetings to ensure that adopted standards meet the needs of HIPAA covered entities and, should a modification be needed to a standard, the workgroup would undertake its process to update it. SSOs, SDOs, or DSMOs maintain their standards in accordance with ANSI requirements and their own ANSI-approved policies; maintenance is an ANSI requirement and is embedded in each SSO's processes, so it is not governed by expectations or assumptions.

We did include a request for comment in the HIPAA Standards for Health Care Attachments proposed rule (87 FR ( printed page 14369) 78444) on other standards to consider for prior authorization transactions, to which we received numerous comments advocating for the FHIR standard. We will consider these comments in our future planning with respect to the health care transaction standards adopted under HIPAA Administrative Simplification.

Comment: A commenter expressed support for an approach that enables advancing standards-based attachment content. Additionally, since it was not referenced in the proposed rule, multiple commenters sought clarification as to whether the HL7 CDA® R2 IG: C-CDA Templates for Clinical Notes STU Companion Guide Release 3 (US Realm) Standard for Trial Use, May 2022 (HL7 C-CDA Companion Guide) may be used under the proposed health care attachments template recognition approach.

Multiple commenters recommended that HHS consider adopting the HL7 C-CDA Companion Guide. The commenters noted the HL7 C-CDA Companion Guide provides additional templates and best practices useful for attachments transactions and guidance to document creators to ensure higher levels of consistency and quality.

A commenter noted that the HL7 C-CDA Companion Guide is the primary guide to specify templates for use in the Office of the National Coordinator for Health Information Technology's (ONC) [28 ] Certification Program (ONC Health IT Certification Program) and sought confirmation of its belief that it represents templates applicable to attachments without a separate template needing to be defined. The commenter stated additional rulemaking would be needed following the publication of the next version of the HL7 C-CDA Companion Guide if HHS decided to reference this IG in the final rule. The commenter expressed concern that this would hinder industry's ability to use the HL7 C-CDA Companion Guide. Commenters also encouraged HHS to make the HL7 C-CDA Companion Guide eligible for use without specifically being referenced under the proposed health care attachments template recognition approach so that future updates to templates used within the IG could be used immediately upon publication through the accepted process.

Response: We are adopting the C-CDA implementation specifications because they are already implemented and widely used in EHR systems. The HL7 C-CDA Companion Guide, which is a collection of IGs that provides standardized templates for structuring C-CDA documents, is a set of IGs defined by HL7 as a “library of C-CDA templates,” and their functionality allows that any templates created with them are compliant with the HL7 C-CDA standard. These templates essentially serve as blueprints for how specific medical information should be organized and presented when exchanging patient data between systems using the C-CDA standard. [29 ] If compatible with the HL7 C-CDA release adopted, these templates are acceptable for use once an associated LOINC code is available.

Comment: A commenter expressed support for a consistent format that would eliminate manual processes to send and receive data and allow for information to be automatically recorded into a patient's record, stating that this change would eliminate manual processes. The commenter also noted that health IT vendors are currently only required to support three HL7 C-CDA templates and stated that requiring health IT vendors to support all template types would require significant development effort while, concurrently, numerous other regulatory requirements go into effect. The commenter noted that integrating EHRs and revenue cycle products to support CDA generation would require significant development.

Response: We understand that covered entities, or their vendors, will incur a number of one-time costs to implement the new and modified HIPAA transactions, for which we account in the RIA (section VI. of this final rule). Health IT vendors are not covered entities and therefore are not directly required to comply with the requirements. While HIPAA covered entities must comply with the requirements of this final rule, they are not required to possess technology that implements every template in the C-CDA; rather the attachments they transmit must be in accordance with the standard. We are adopting both the HL7 CDA and X12N standards for health care claims attachments transactions. Our goal is to automate health care transactions as much as possible, which will ultimately decrease costs.

Comment: A commenter questioned the use of HL7 C-CDA templates to support prior authorization requests and stated that no health plans have mapped their clinical criteria to HL7 C-CDA templates to ensure all the data needed to make the prior authorization decisions are in those templates. The commenter stated that this lack of successful results from real-world testing is a critical issue and that payers use a data-element approach for prior authorizations rather than clinical documents. A commenter stated that the C-CDA unstructured document does not fully support the ability to carry a FHIR bundle, and that use of the C-CDA unstructured document would interfere with the IGs referenced in the CMS Interoperability and Prior Authorization proposed rule that was proposed at the time these comments were submitted. Specifically, the commenter referenced the HL7® FHIR® Da Vinci Coverage Requirements Discovery (CRD) and Document Templates and Rules (DTR) IGs, which support the use of questionnaire and responses, as part of data collection in the prior authorization process. The commenter noted it is important that real-time responses should be considered as part of the prior authorization workflow and recommended that HHS ensure that any requirements for the adoption of ePA APIs by CMS-denominated “impacted payers” be harmonized with current HIPAA prior authorization transaction standards and CMS's Interoperability and Prior Authorization rule, which has since been finalized.

Response: We appreciate the comments submitted in response to our proposal to adopt a prior authorization health care attachments transaction standard. As articulated in section III.A. of this final rule, and noted repeatedly elsewhere, we are not finalizing our proposal to adopt prior authorization with the health care claims attachments transaction standard.

Comment: A commenter recommended that C-CDA structured information be allowed and encouraged where appropriate, but not required. The commenter also stated that unstructured documents can, but should not be required to, utilize the Unstructured Document CDA template.

Response: Covered entities may use any adopted documentation format that is supported by, and compatible with, the standards adopted in this rule. The IGs we are adopting also support ( printed page 14370) unstructured data documents where the HL7 C-CDA structured documents are unable to support the document or do not exist. We note that health plans must specify the types of attachment information that will be necessary to support a claim and encourage health plans conducting electronic transactions with health care providers to accept electronically both structured and unstructured C-CDA documents.

Comment: Multiple commenters expressed that the proposed version of the HL7 Attachments IG is no longer current, noting that an updated version of the HL7 Attachments IG was published in March 2022. [30 ] A commenter recommended that HHS adopt the “most recent version” of all the proposed HL7 IGs in the final rule.

Response: We appreciate these comments and thank commenters for sharing these important considerations, which we interpret to mean that HHS should adopt the most recent iteration of the HL7 Attachments IG that was proposed, including its maintenance updates. As we explain earlier, based on the commenters' suggestions, we reviewed the March 2022 iteration of the proposed HL7 Attachments IG and consulted with standards maintenance organizations and found the March 2022 iteration of the HL7 Attachments IG is functionally equivalent to adopting the March 2017 iteration of the HL7 Attachments IG with errata. Therefore, in this final rule, we are adopting Release 2 of the HL7 Attachments IG, published in March 2022.

Comment: A commenter recommended that HHS work with the NCVHS to develop alternative approaches to meeting the HIPAA EDI requirements that represent a more contemporary basis of interoperability. Multiple commenters stated that the proposal would leave limited ability to improve on the current state of automated support to produce the relevant data to populate the requested document type with the minimum necessary information without substantive user involvement. A commenter further explained that the proposed rule would require the use of C-CDA-based attachments in accordance with the HL7 CDA® R2 Attachment IG: Exchange of C-CDA Based Documents, Release 1—US Realm (STU) and would cover approximately 106 recognized document types. Multiple commenters pointed out that thirteen document types in C-CDA R2.1, of which three are recognized in the ONC Health IT Certification Program and one is recognized in CMS's programs, have defined C-CDA templates, but no clear implementation guidance is provided for all the other 90+ document types that are referenced. Commenters pointed out that this means some would not have a clear C-CDA document to consider, for example, a physician letter or a patient consent for treatment in an unstructured C-CDA document, while others could be structured in C-CDA format, but no agreed upon document templates exist.

Response: We appreciate these comments and thank commenters for sharing these implementation considerations. The C-CDA standard is being adopted because it provides a widely recognized, structured format that supports interoperability and can accommodate a variety of clinical documents. The LOINC code system allows discrete identification of attachment types, including both structured and unstructured documents, and provides modifiers for templates and time windows where applicable. We believe that the C-CDA standard we are adopting broadly covers the types of documents that would be requested for health care claims. Though the standard we are adopting might not address all document types, it balances the need for standardization and efficiency with practical flexibility for health care providers while allowing the system to evolve as new document templates and business needs arise.

The document types in the HL7 Attachments IG have discrete data elements that allow HIPAA covered entities to exchange clinical information as both an unstructured and structured document. Should covered entities have future business needs that give rise to additional document types, these could be exchanged as unstructured documents by obtaining a LOINC code to identify the attachment type.

Comment: Multiple commenters recommended that HHS reconsider adopting the standard for claims attachments transactions, given the substantial guidance still needed to enable supporting a substantially less burdensome documents-based approach. One commenter stated that in order to support a consistent exchange through FHIR-based or X12-based transactions, attachment approaches between the CDex guide and the HL7 Attachments IG need to be aligned.

Response: We appreciate this information and encourage the industry to submit specific requests for changes and enhancements to the transaction standards to the SDO responsible for maintaining the standard.

Comment: Multiple commenters expressed support for the use of the HL7 CDA standard, HL7 C-CDA standard, and HL7 IGs for health care attachment transactions.

Response: We thank the commenters for their feedback and support of our proposal.

Comment: A commenter recommended that HHS name a specific version of the HL7 IGs as a “floor” and create a sub-regulatory advancement process. The commenter stated that without a requirement to use specific IGs, the industry will not achieve the level of interoperability necessary to support data exchange. The commenter recommended that HHS establish a process, such as the ONC Standards Version Advancement Process (SVAP), to allow technology to evolve through industry testing while also allowing the industry to provide public comment.

Response: We thank the commenters for their feedback. We note that section 1174(b)(2)(B)(i) of the Act provides authority permitting the routine maintenance, testing, enhancement, and expansion of code sets outside of the rulemaking process. We will further explore regulatory flexibilities with respect to modifications to adopted IGs. With respect to requiring that organizations adopt new and updated code sets, we note that such changes are generally considered maintenance updates, and the Secretary previously adopted LOINC as a code set for use with HIPAA health care transaction standards. Organizations can incorporate maintenance updates to a given IG, including its LOINC codes, without the need for the Secretary to engage in additional rulemaking.

Comment: A commenter recommended that HHS modify the rule to state that the HL7 C-CDA standard be used for all documents covered by the HL7 C-CDA, but not limit health insurance providers, hospitals, and clinicians to solely use HL7 C-CDA permitted documents.

Response: We reiterate that covered entities may use any adopted documentation format that is supported by, and compatible with, the standards adopted in this rule. Additionally, we note that the IGs we are adopting also support unstructured data documents where the HL7 C-CDA structured documents are unable to support the document or do not exist.

Comment: A commenter offered that mandating the HL7 IG standards for HIPAA transactions is an important step forward, but expressed concern that these standards have not yet been tested ( printed page 14371) for suitability to the dental industry. The commenter provided specific examples relating to dental claims, noting that only one dental health IT module is certified under the ONC Health IT Certification Program, meaning that the majority of dental EHR systems cannot produce HL7 C-CDA. The commenter noted that dental claims require images as supporting documentation in a variety of formats (for example, BMP, JPG/JPEG, TIFF/TIF, PNG, PDF, TXT, DOC/DOCX, DICOM, GIF), and recommended that HHS allow the use of these file formats instead of mandating the sole use of HL7 C-CDA to account for specialties that may rely on unstructured data exchanges, specifically noting concerns in cases where unstructured data such as MRIs and X-rays are needed. A commenter noted that the dental industry has worked with HL7 to develop two CDA R2 attachment standards and IGs tailored to the needs of the dental industry. These two IGs, which the commenter suggested should be considered for adoption, are: (1) the HL7 CDA® R2 IG: Orthodontic Attachment, Release 1—US Realm which aims to provide a CDA-based set of templates that can be used by a dental provider to a payer for claims; and (2) the HL7 CDA® R2 IG: Exchange of C-CDA Based Documents; Periodontal Attachment, Release 1—US Realm which is used to exchange dental clinical data.

Response: We agree that it is important that HIPAA-adopted standards support the needs of all health care types, including the needs of the dental industry. HL7 has developed two dental C-CDA standards, but, because the NCVHS has not yet recommended them for adoption and because we did not propose them in the HIPAA Standards for Health Care Attachments proposed rule, we cannot adopt them in this final rule. Should the NCVHS make such a recommendation to the Secretary, we may consider adopting these dental standards in future rulemaking. Upon publication of this final rule, we will consider outreach strategies and industry-wide policies and implementation issues, along with sector-specific approaches that may, for example, involve collaborating with multiple interested parties to conduct dental-specific outreach and education.

Final Action: After consideration of the public comments we received, we are finalizing our proposals to adopt the following HL7 IGs as HIPAA standards for the attachment information included in health care claims attachments transactions in § 162.2002(a) and (b):

HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based Documents, Release 2, March 2022 (HL7 Attachments IG).
HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One—Introductory Material, June 2019 with Errata (HL7 C-CDA IG Volume One).
HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two—Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG Volume Two).

F. LOINC for HIPAA Attachments

We stated in the HIPAA Standards for Health Care Attachments proposed rule (87 FR 78445) that health plans and health care providers must have a clear and unambiguous way to specify attachment information (for example, a discharge summary, surgical operation note, or cardiovascular disease consult note) to be transmitted or requested in a health care attachments transaction.

As we stated, the LOINC code set was developed for the following three principal purposes:

To identify the specific kind of information that a health plan electronically requests of a health care provider and a health care provider electronically transmits to a health plan (for example, a discharge summary or a diagnostic imaging report).
To specify certain optional modifier variables for attachment information (for example, a time period for which the attachment information is requested).
For structured attachment information, to identify specific HL7 IG: LOINC Document Ontology document templates. With respect to these three purposes, we discussed that the HL7 Attachments IG contains specific instructions for how to utilize the LOINC code set for HIPAA Attachments (87 FR 78445).

In the proposed rule, we included an overview on tools available from Regenstrief to support utilization of the LOINC for HIPAA Attachments (87 FR 78445).

Comment: Multiple commenters supported the use of the LOINC for HIPAA Attachments, with some stating that LOINC enables health plans to request documents, which will reduce processing delays caused by current inefficient document request processes. A commenter stated that the use of LOINC for HIPAA Attachments is logical, as Regenstrief has online tools for easier searches, including a LOINC database that effectively creates an attachments knowledge base with a twice-yearly release cycle. Commenters noted that they support use of LOINC for HIPAA Attachments to identify the specific kind of information communicated in an attachment request and response. Another commenter stated that the use of LOINC for HIPAA Attachments will help payer and provider relationships by establishing more rules regarding the use of standardized codes and defining specific documentation and terms.

Response: We thank the commenters for their support.

Comment: Multiple commenters expressed support for adopting flexible templates to enable continuous advances in standards-based attachment content. A commenter expressed support for the process discussed in the proposal (87 FR 78449) that accounts for the development of new templates not currently specified in the HL7 C-CDA IG Volume One, HL7 C-CDA IG Volume Two, or HL7 Attachments IG. The commenter noted that the C-CDA Companion Guide maintains templates and that the process discussed would afford flexibility for newly defined or updated templates to expand standards-based coverage of the currently permissible LOINC codes and any newly established LOINC codes. Multiple commenters recommended that HHS establish clear guidelines for when new codes can be requested and how long systems will have to incorporate new LOINC documents into their systems. A commenter recommended that HHS name a specific version of the LOINC for HIPAA Attachments and specify that organizations must adopt updated codes as they are issued.

Response: We thank commenters for their feedback, and we agree that our approach to adopting flexible standards will enable continuous advances in standards-based attachment content. We also acknowledge the commenters' concerns about establishing clear guidelines for when new codes can be requested and the timeframe by which LOINC documents are incorporated into systems. As mentioned earlier, the claims attachment transaction standards we are adopting incorporate numerous implementation specifications containing specific instructions for how to utilize LOINC for HIPAA Attachments to identify the specific information that a health plan electronically requests of a health care provider, including when a health plan can request such information and the time period a request covers. Regenstrief maintains a regular update process and ( printed page 14372) covered entities would be expected to utilize the LOINC for HIPAA Attachments codes that are valid at the time the transaction is initiated, as specified by the relevant implementation specification as discussed previously in section II.C.3. of this final rule. Commenters strongly support the adoption of the current version of the HL7 C-CDA standard in this final rule, and we are adopting the March 2022 iteration of the HL7 Attachments IG, as discussed previously.

Comment: Multiple commenters stated that providers and payers will require education on correct mapping of fields to use the LOINC code set. Multiple commenters encouraged HHS to ensure that multiple LOINC code sets are supported, and a commenter suggested that HHS require payers to offer providers a list to inform them which documents need to be attached.

Response: We agree with the commenters' points about the utility of education around implementing and using LOINC codes. As discussed in section VI. of this final rule, we anticipate that training will be needed once this rule is finalized. Health plans may choose to develop and create educational materials that contain lists of attachment documents and their associated LOINC codes as an educational tool for health care providers and systems designers.

Comment: A commenter stated that multiple LOINC codes may be needed for a single prior authorization transaction and recommended that HHS ensure that multiple LOINC codes will be supported and that an additional LOINC code validates that the list of required documents from the payer is complete. The commenter stated that delays in prior authorization decisions occur when payers change the nature and type of documentation for a prior authorization request.

Response: We thank commenters for sharing these considerations, but, as we discuss in section III.A. of this final rule, we are not finalizing our prior authorization proposal. Therefore, we need not address LOINC code issues specific to that use case.

G. Electronic Signatures

Section 1173(e)(1) of the Act provides that the Secretary, in coordination with the Secretary of Commerce, must adopt standards specifying procedures for the electronic transmission and authentication of signatures for HIPAA transactions. In the HIPAA Standards for Health Care Attachments proposed rule, we included a discussion of prior rulemaking related to electronic signatures (87 FR 78449), to which we refer readers for details. In the proposed rule, we recognized that electronic signatures would require certain implementation features, including message integrity, nonrepudiation, and user authentication, and proposed that the standard for electronic signatures would be digital signatures—electronic stamps that contain information about both the user creating the signature and the document being signed—as the only technically mature means available that could provide for nonrepudiation in an open network environment. We also provided an overview of our understanding of the use of signatures in health care and reasoning for our proposal regarding electronic signatures (87 FR 78449).

As such, in the HIPAA Standards for Health Care Attachments proposed rule, we proposed to define the term “electronic signature” and to adopt the HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (Digital Signatures Guide) (87 FR 78450). The HIPAA Standards for Health Care Attachments proposed rule (87 FR 78438) that appeared in the December 21, 2022, Federal Register contained the full definition of “electronic signature” and detailed information about the Digital Signatures Guide so that the public could provide informed comments. However, we acknowledge that a correction notice was published on March 17, 2023 (88 FR 16392) to provide the regulation text that inadvertently was not included in the proposed rule, while subsequently, on March 24, 2023, we published a notice (88 FR 17780) extending by 30 days the public comment period to allow an additional opportunity for the public to provide comment despite the fact there were no changes to the proposed definition of electronic signature or the proposed Digital Signatures Guide, and the proposed regulation text contained in the correction notice reflected the same proposed definition and standard. In this final rule, the definition of electronic signature, the Digital Signatures Guide, and the regulation text have not changed from these previous publications. We discuss this proposal and summarize and discuss the comments we received on it, in this section.

1. Definition of Electronic Signature

In the HIPAA Standards for Health Care Attachments proposed rule (87 FR 78449), we stated that an electronic signature can be any of several types of marks or data that indicate a signatory's intent to sign and included examples of electronic signatures.

We proposed to define the term “electronic signature” for purposes of the HIPAA Standards for Health Care Attachments proposed rule as broadly as possible to ensure that it would meet covered entities' current needs and could also encompass future electronic signature technologies. The proposed text in § 162.103 read: “Electronic signature means an electronic sound, symbol, or process, attached to, or logically associated with attachment information and executed by a person with the intent to sign the attachment information.” In this final rule we finalize the proposed definition of “electronic signature” in § 162.103 and the adoption of the Digital Signatures Guide in § 162.2002(e), with requirements for the use of electronic signatures limited to attachment information transmitted electronically in health care claims attachments transactions, in accord with the attachments transactions we are finalizing.

Comment: Multiple commenters expressed support for the proposed electronic signature definition and the proposed implementation requirements for the use of electronic signatures for health care attachments, offering that electronic signatures are a modern technology that will reduce burden and allow clinicians to focus on patient care rather than paperwork. A commenter expressed support for HHS's approach to electronic signatures that would allow health insurers and clinicians to maintain their existing practices regarding the use of electronic signatures, as there is a wide variety of electronic signature requirements and business practices across organizations. However, this commenter indicated that because the regulation text for the proposed definition and Digital Signatures Guide had not been provided in the December 21, 2022 proposed rule, the Secretary should publish an interim final rule (IFR) with this information and provide an additional opportunity to comment. Additionally, multiple commenters expressed support for HHS limiting the electronic signature requirements to just the adopted electronic standard transactions with no requirements on how a provider will implement a signing process for a health care attachment. Another commenter expressed support for HHS not establishing requirements for when, or by whom, a document should be signed. A commenter expressed support for flexibility, allowing future technologies, like electronic signatures, which could be incorporated as EHRs adopt them. ( printed page 14373)

Response: We thank commenters for their feedback and support for our proposals. As stated previously, a correction notice was published on March 17, 2023 (88 FR 16392) to provide the regulation text that inadvertently was not included in the proposed rule. We also published a notice on March 24, 2023 (88 FR 17780) extending the public comment period by 30 days despite the fact that the correction notice contained no changes to the proposed definition of electronic signature or the proposed adoption of the Digital Signatures Guide, and the proposed regulation text contained in the correction notice reflected the same language for the proposed definition and standard that was included in the proposed rule. In this final rule, these provisions remain unchanged. Therefore, we believe further rulemaking to obtain additional public comment on the definition of electronic signature, the Digital Signatures Guide, and the regulation text is unnecessary.

Comment: A commenter disagreed with the proposed use of non-computable electronic signatures, such as an image of a signature, stating this would not provide identity or support authentication and assertions. Another commenter requested that HHS clarify that health plans cannot require original digital signatures for unstructured documents used in health care attachments. A commenter recommended that HHS should clearly specify “signature” versus a “sound, symbol or process.” The commenter stated that the current wording could create confusion and complicate the intent of implementing a standardized process. Additionally, the commenter recommended defining an electronic signature as a digital copy of an original signature, attached to or logically associated with attachment information, and executed by a person with the intent to sign the attachment information.

Response: We thank the commenters for raising concerns about the limitations of non-computable electronic signatures, such as scanned images of handwritten signatures. We agree that these forms generally do not provide robust support for identity verification, authentication, or assertion of signer intent. To address these limitations, and as we proposed, this final rule adopts the Digital Signatures Guide, which supports key features necessary for secure electronic signatures, including user authentication, message integrity, and nonrepudiation.

We clarify that this rule does not prohibit health care providers or health plans from using other forms of electronic signatures in contexts outside of the adopted HIPAA standard transaction for health care claims attachments. However, when an electronic signature is used to sign attachment information at the time it is transmitted as part of a HIPAA-standard electronic health care claims attachments transaction, that signature must conform to the Digital Signatures Guide, as finalized in § 162.2002(e). This requirement does not apply to documents created prior to transmission that may later be included in a claims attachment; only signatures affixed in the course of a HIPAA-standard attachment transaction must meet the standard.

With respect to unstructured documents, such as scanned images or PDFs used in attachments, health plans may not impose these electronic signature requirements except when they are transmitted as part of a HIPAA standard claims attachments transaction. In that case, a signature must meet the requirements of the adopted standard, though a health plan may not impose additional electronic signature requirements beyond the adopted standard.

As previously discussed, the definition of electronic signature is deliberately broad to allow for industry flexibility and to avoid restricting current practices. We acknowledge the commenter's concern that the phrase “electronic sound, symbol, or process” could create confusion when implementing standardized processes, but this language is intended to encompass a wide range of electronic signature methods already in use across the health care industry, including digital images of handwritten signatures and other forms associated with the signed content. We are not altering the proposed definition that we finalize here, but should we find during the course of implementation of the adopted standard that covered entities require greater specificity, we may provide additional guidance or educational resources, as applicable, or consider further rulemaking.

Comment: Multiple commenters stated that if HHS chooses to finalize the proposed rule, industry should be included in discussions on defining when an electronic signature should be required.

Response: In the proposed rule, we stated that we are not proposing to specify when an electronic signature must be required. Instead, we defer to the industry to continue to establish those expectations (87 FR 78450) consistent with the considerations we mentioned previously, including federal and state laws and regulations, accreditation standards, best practices, and payer requirements. We clarify in this final rule that the finalized HIPAA electronic signature standard applies only to attachment information transmitted by a health care provider in a HIPAA-standard electronic health care claims attachments transaction. Thus, while the health care industry may continue to set expectations for electronic signatures in other contexts, compliance with the adopted HIPAA standard is required in the specific context of claims attachments transactions covered by this rule.

Comment: Multiple commenters provided feedback on the proposed definition of electronic signatures in the context of laboratories, explaining that laboratories face particular issues with respect to electronic signatures, highlighting confusion around what constitutes an electronic signature for electronically placed laboratory orders. Multiple commenters expressed concern regarding the scope of the electronic signatures definition and stated that the proposed definition could impact what is considered an appropriate electronic signature for individual data and medical records included in health care claims attachments, like laboratory orders. The commenters stated that the HL7 Version 2 (V2) messages used to communicate the laboratory order include data that identifies the ordering provider. A commenter noted that some laboratories have experienced declined payment claims for laboratory tests that were placed electronically in an EHR and subsequently transmitted over a secure connection using standard HL7 V2 messages. Multiple commenters also noted that HL7 V2 messages have been used for over a decade without concerns raised regarding the validity of the orders placed. To resolve the electronic signature issues that laboratories face and establish a plan to resolve variations in what constitutes an electronic signature, commenters recommended that HHS convene a stakeholder meeting with, among others, CMS's Clinical Laboratory Improvement Amendments office, ONC, HL7, the Electronic Health Record Association (EHRA), and the American Clinical Laboratory Association.

The commenters referenced language from previous CMS rulemaking, the Medicare Program; Payment Policies Under the Physician Fee Schedule and Other Revisions to Part B for Calendar Year (CY) 2011 final rule (75 FR 73170), which stated that the need for a signature only applies to requisitions, which are paper forms, but does not ( printed page 14374) impact interested parties who utilize an electronic process for ordering clinical diagnostic laboratory tests.

A commenter noted subsequent conflicting guidance from a CMS-authored Medicare Learning Network Matters fact sheet that suggested laboratory tests must be signed, and the 2012 Physician Fee Schedule final rule, which retracted the policy finalized in the 2011 Physician Fee Schedule final rule. Commenters sought clarification regarding whether the use of EHRs that electronically transmit the necessary data to the laboratory constitutes a valid, signed laboratory order that provides relevant evidence that an authorized health care provider ordered it. Additionally, commenters urged HHS to make it clear that the widely deployed current electronic laboratory ordering process would not be impacted by the HHS digital signature proposal and, therefore, would not require the provision of necessary evidence that the order was placed by an authorized health care provider, as this information is electronically traceable and readily available to both laboratories and providers.

Multiple commenters requested that HHS confirm that it is not proposing that original forms of medical record entries be subject to these requirements and that the proposed definition for digital signatures for health care claims attachments does not change the current policy regarding upstream clinical workflows or place additional requirements on the current electronic laboratory ordering process.

A commenter urged HHS to remove the example in the proposed rule at 87 FR 78449 that reads “[f]or example, for a laboratory to submit a claim for reimbursement of a laboratory test, a health plan may first require a physician visit and a signed physician order. When the laboratory later bills a health plan for the test, the plan may ask for evidence that it was ordered by an authorized health care provider; if the laboratory is unable to produce a signed order, it may not be reimbursed.” The commenter stated this could be interpreted to apply to laboratory orders, which is not the intended focus of the health care attachments rule.

Response: We appreciate commenters' concerns regarding the timing of signatures in clinical workflows and the implications for implementing digital signature requirements associated with this rulemaking, particularly with respect to laboratories. We recognize that, in practice, health care providers typically sign clinical notes or other documentation at the point of service or document creation, not at the point when a CDA is later generated and submitted as part of a claims attachment. As such, the process of adding a digital signature at the time of CDA generation may not align with established clinical and documentation workflows. To allay some concern, we clarify that this rulemaking applies solely to claims attachments transmitted as part of an electronic claim transaction and generated for that purpose and does not apply to, or alter, upstream clinical documentation processes or related provider practices. To be very clear, this final rule imposes no new requirements on clinical workflows, including, but not limited to, how laboratory orders are created, signed, and transmitted from EHRs to laboratory systems.

By contrast, administrative workflows may be affected. Covered entities may need to establish organizational policies or technical workflows that designate how, when, and by whom an electronic signature is applied to a CDA package at the time it is generated for submission as a claims attachment, notwithstanding that an original document was previously signed by a provider. As such, adding a digital signature at the time of attachment generation may differ from established administrative processes and system interfaces, particularly for laboratory documentation and HL7 V2 messages.

We also recognize the historical context cited by commenters, including CMS's 2011 and 2012 Physician Fee Schedule rules (75 FR 7310 and 76 FR 73026) and related CMS guidance, and the resulting concerns about inconsistencies across programs. The scope of this final rule is limited to electronic signatures affixed to, and part of the requirements associated with, HIPAA health care claims attachments transactions, contemporaneous with when such transactions occur. It does not alter existing CMS, or any other, policies regarding electronic laboratory orders or impose documentation standards beyond those required in the HIPAA transaction.

The signature required on a health care claims attachment—at the time of a health care claims attachment transaction—is distinct and different from a signature that may have been affixed for documentation required at the time that health care services were provided, such as an ordering provider's signature on a lab order or provider note. Should a document (created and signed earlier by a provider) later be requested as part of a claims attachment and should a health plan require a signature on the attachment, that signature must be a digital signature that complies with the standard adopted in this final rule. That signature may be applied by the individual or entity submitting the claim, or by an authorized delegate of that submitter; it is not necessary to obtain a new signature from the original author of the clinical document.

Regarding the commenters' concern with the example cited at 87 FR 78449, we acknowledge, in retrospect, it was susceptible to being interpreted as imposing new or conflicting requirements on laboratory ordering processes but emphasize that is not how it should be interpreted. Rather, our intent was to illustrate a scenario in which a health plan, in the context of adjudicating a claim, may request supporting documentation from a provider. Should a health plan require submission of such a document as part of health care claims processes pursuant to a HIPAA health care claims attachment transaction, and should it require on such documentation a signature, the digital signature requirements finalized here would apply to that attachment submission; they would not apply, however, to the original clinical order or its format.

We also recognize that questions may arise regarding who may apply the electronic signature on a claims attachment. The finalized standard does not prescribe that a signature must be applied by a specific individual, but, rather, requires that the electronic signature be executed by a person with the intent to sign the attachment information. This allows for organizational delegation consistent with provider policies, state laws, and payer requirements, provided that the signer has appropriate authority and that the technical specifications for authentication, message integrity, and nonrepudiation are met.

We acknowledge the concerns raised by interested parties associated with laboratories and appreciate the possibility that there may be aspects of laboratory-specific workflows, regulatory requirements, and data exchange practices, particularly in relation to ordering, documentation, and claims submission processes, that may require particular attention. We intend to work closely with covered entities generally—but will particularly focus on laboratory-related entities—to support and enforce consistent and practical implementation of this rule's electronic signature requirements. That will involve monitoring implementation challenges and prioritizing collaborative education and coordination to support successful adoption, while avoiding unintended disruption to established processes and operations. ( printed page 14375)

Stakeholder input will also inform our consideration of whether additional guidance or future rulemaking may be necessary to clarify the application of these requirements. Among other things, we will work with affected entities to identify any operational or technical barriers.

Comment: A commenter stated that an organizational delegation policy will have to be in place to add an electronic signature when the CDA is generated, which will need to be done before a technical solution could be implemented. The commenter stated that providers sign clinical notes at the time they are written, not when they create a CDA to send clinical notes electronically.

Response: We appreciate the commenter's concern regarding the timing of signatures in clinical workflows and any implications for implementing digital signature requirements under this rule. The electronic signature requirement finalized in this rule applies only to the claims attachment as transmitted in a HIPAA-standard electronic transaction, regardless of when the underlying clinical document was created. This means that this rulemaking does not require signatures on documents produced prior to the attachment request, though, as we have noted, health plan policies or other law may require that. Rather, pursuant to the requirements of this final rule, an electronic signature is required only on the attachment package being transmitted and only when a health plan requires an electronic signature.

As we clarified in a prior response, covered entities may need to establish organizational policies or technical workflows to designate how, when, and by whom the electronic signature is applied to the attachment package. In some cases, the signature may be applied at the point of CDA assembly, potentially by a delegate authorized to do so, based on pre-existing documentation and previously affixed clinical signatures. This approach is consistent with the flexibility offered in the Digital Signatures Guide, which supports organizational delegation models and does not prescribe specific timing or roles for signing. This clarification aligns with earlier discussion regarding laboratory documentation and HL7 V2 messages, emphasizing that the electronic signature applies to the administrative claims attachment artifact and does not alter upstream clinical workflows or document creation practices.

Comment: Multiple commenters expressed concern regarding the ambiguity of the proposed electronic signature definition and stated that it may create confusion and unintentionally force changes in clinical workflows. A commenter stated that the proposed rule does not address the absence of a practical way to obtain an electronic signature on an electronic test order and explained the ways that the X12N 275 standard, EHRs and Laboratory Information Systems (LIS), and CDA do not fulfill this need. The commenter also explained that the HL7 V2 standard, the HL7 Version 2.5.1 IG: Laboratory Orders Implementation Guide (LOI IG) from EHR, Release 1 and each LIS-EHR interface will have to be updated to include an electronic signature as part of an electronic order. The commenter also noted that guidance documents indicate a signature can be handwritten or electronic, but that there is little guidance on what constitutes an electronic signature.

Response: We appreciate commenters' concerns regarding the feasibility of applying electronic signatures to laboratory test orders and the potential impacts on clinical workflows. As we explain in this final rule, including in the previous responses, our finalized requirements pertain only to electronic health care claims attachments transactions, while the definition of “electronic signature” finalized in § 162.103 is deliberately broad to accommodate current industry practices and future innovations.

This final rule does not require that electronic test orders, such as those communicated in HL7 V2 messages or the HL7 2.5.1 LOI IG, include an electronic signature (whether such a signature might be required by virtue of some other law or practice would be beyond the scope of this rule). The electronic signature requirements finalized here only apply when a health care provider transmits attachment information electronically as part of a claims attachments transaction, and only if a health plan requires a signature on that attachment.

We acknowledge that laboratory test orders may later be requested by a health plan as a health care claim attachment. This final rule does not address clinical system configurations, but we will monitor implementation issues and, as necessary, engage with parties in the health care industry should additional guidance be necessary to clarify whether or how the requirements of this final rule interact with existing health IT infrastructure.

2. Electronic Signature Standard

In the HIPAA Standards for Health Care Attachments proposed rule, we provided an overview of electronic signatures and their ability to effectively authenticate a signer's identity (87 FR 78450). We included a discussion of the need to be able to electronically validate attachment information signed by a health care provider and nonrepudiation.

We proposed that, where a health care provider uses an electronic signature in a health care attachments transaction, the signature must conform to the implementation specifications in the Digital Signatures Guide. Specifically, we proposed to adopt in § 162.2002(f) (renumbered to § 162.2002(e) in this final rule) the HL7 IG for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (Digital Signatures Guide) for electronic signatures for attachment information transmitted by a health care provider in an electronic health care claims attachments transactions specified in § 162.2001(a) (87 FR 78451). We also proposed to incorporate the same by reference in § 162.920. We refer readers to the proposed rule for the full discussion of the support provided by, and specifications of, the Digital Signatures Guide (87 FR 78450).

We solicited comments on the proposed definition of electronic signature and the proposed Digital Signatures Guide as the attachment information electronic signatures standard. We recognize that several commenters, particularly from the laboratory industry, raised important questions about how the finalized electronic signature requirement may intersect with longstanding laboratory workflows, electronic ordering processes, and regulatory obligations. While the digital signature requirement adopted in this rule applies only to the transmission of health care claims attachments and not to the underlying clinical documentation, as noted, we will closely monitor implementation to gauge whether it might be necessary for us to provide additional clarity to ensure consistent and practical implementation across provider types.

Comment: Multiple commenters expressed support for the adoption of the Digital Signatures Guide. A commenter stated that this will help to ensure authentication, message integrity, and nonrepudiation of electronic signatures for claim attachments.

Response: We thank commenters for their feedback and support for our proposal. ( printed page 14376)

Comment: A commenter disagreed with the adoption of the Digital Signatures Guide, stating that the level of authentication will be unnecessary, especially for exchange between entities that have signed business agreements or standard operating procedures (SOPs).

Response: We appreciate the commenter's perspective regarding the use of business agreements or SOPs to establish trust between entities. However, we do not believe that the existence of such agreements alone provides sufficient assurance of the authenticity and integrity of attachment information submitted as part of a claims transaction. As we noted in the proposed rule (87 FR 78450), the lack of an electronic signature means the attachment information cannot be relied upon to be accurate. Electronic signatures offer critical technical safeguards, namely authentication, message integrity, and nonrepudiation, that otherwise cannot be assured by SOPs alone.

Comment: Multiple commenters stated that accommodating the requirements of an electronic signature as described in the Digital Signatures Guide would require updates to workflow, operational interfaces between EHRs and laboratories, and HL7 V2 message formatting, thus increasing documentation burden with no clear benefit. Multiple commenters stated that the Digital Signatures Guide is applicable only to a CDA-based document but cannot be used in an HL7 V2 lab order message that solely contributes data that may be included in a health care attachment. The commenters stated that should HHS finalize the electronic signature proposal, there would be a need to update the CDA and FHIR specifications and corresponding electronic signatures.

Additionally, multiple commenters recommended that an electronic signature should only be required if requested or indicated as required by the health plan. A commenter recommended that the electronic signature proposal only apply to health care attachments as a distinct artifact submitted by a provider to support a claim or referral/prior authorization request to avoid impacting upstream clinical processes.

Response: We appreciate the commenters' concerns about potential impacts to workflows and system interfaces, particularly in relation to laboratory documentation and HL7 V2 messages. We clarify that the electronic signature standard adopted in this final rule applies only to health care attachments submitted as part of a claims transaction. As we previously noted, it does not alter or impose requirements on upstream clinical workflows, such as the creation or signing of clinical notes, lab orders, or other documentation. In some cases, a provider may have already signed the underlying clinical document, so it could be argued that applying a signature to a claims attachment at the time of claims submission is duplicative. To the contrary, a signature applied to a claims attachment would serve a distinct administrative purpose: ensuring authentication, message integrity, and nonrepudiation for the claims attachment itself, independent of the original clinical signature. This rule does not override or conflict with existing messaging or laboratory processes; it applies specifically to the signature applied to the attachment artifact submitted in a health care attachments transaction for claims purposes.

Our intent is to ensure that the electronic signature standard applies only where required for claims attachments when submitted in a health care attachments transaction, without affecting how clinical documentation is authored, signed, or transmitted in routine care.

Comment: Multiple commenters recommended that HHS not adopt the electronic signature provisions. Because the proposed rule regulation text in § 162.2002(f) (renumbered to § 162.2002(e) in this final rule) was missing, commenters expressed concern about HHS finalizing such a requirement.

Response: On March 17, 2023, we published a correction notice that fixed technical and typographical errors that appeared in the December 21, 2022 HIPAA Standards for Health Care Attachments proposed rule. Shortly after that, on March 24, 2023, to ensure that industry would be able to adequately comment on the corrected proposed rule, we extended the proposed rule comment period by 30 days via a Federal Register notice titled: Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard: Extension of Comment Period (88 FR 17780). That notice was published prior to the expiration of the proposed rule's initial 90-day public comment period. While the proposed rule inadvertently omitted certain proposed regulation text—§ 162.2002(f) (renumbered to § 162.2002(e) in this final rule), that identified the electronic signature standard we proposed to adopt—the proposed rule did include fulsome preamble discussion of this policy and stated twice (87 FR 78449 and 78450) that the policy would be located in § 162.2002(f). While there is no doubt the correction notice (that did not introduce any new policies) and the comment period extension remedied any perceived shortcomings, even the initial notice of proposed rulemaking, through its fulsome preamble discussion, afforded adequate notice to afford public comment. We have adequate grounds to finalize this proposal.

Comment: A commenter stated that HHS should reiterate that trading partners should determine when an electronic signature is required in an electronic health care attachments transaction and that the HL7 standard is only needed when a health care provider uses an electronic signature in a health care attachments transaction.

Response: We agree. It is important to note that this final rule adopts a generalized definition for electronic signatures applicable to health care claims (or equivalent encounter information) attachments transactions only and adopts the requirement that electronic signatures conform to the standards in the Digital Signatures Guide. It is the health plan's prerogative to determine when and where signatures must be affixed to documents.

Comment: A commenter proposed the use of DocuSign, which the commenter asserted that the Internal Revenue Service uses as its document verification service.

Response: We thank the commenter for the suggestion. We did not propose use of DocuSign in the HIPAA Standards for Health Care Attachments proposed rule since it does not conform to the HIPAA Administrative Simplification transaction standards.

Comment: A commenter expressed that they do not believe a standard for electronic signatures is necessary. The commenter stated that the industry already has trust frameworks and verification for digital transactions between providers and payer organizations and questioned the need for further authentication via an electronic signature standard. Another commenter referenced the use of Trust Credentials and stated that electronic signatures must be bound to the real, ID-proofed identity of a person or organization. The commenter recommended that standards be consistent across federal agencies and digital signatures be verifiable by an out-of-band query to the issuer of the Trust Credential confirming identity and validity. The commenter provided ( printed page 14377) an overview of existing standards for identity proofing, authentication, and assertions that they stated have been adopted by ASTP/ONC and used by the Direct Standard and the Trusted Exchange Framework and Common Agreement (TEFCA). The commenter also explained how patients, providers, health plans, and devices are ID proofed under DirectTrust and that the real identity is bound to a Trust Credential. Additionally, the commenter described how a Trust Credential is assigned under TEFCA Individual Access Services. The commenter noted that x.509 Certificates are bound to a single entity to allow the ability to identify and remove one bad actor without revoking all credentials.

A commenter recommended that for the industry to reliably utilize digital signatures nationwide, HHS should consider implementing minimum identity assurance requirements using Identity Assurance Levels 2 (IAL2) and the NIST Special Publication (SP) 00-63A and stated that HHS should consider that digital signatures only work if both the signer and the verifier agree to use the same digital signature standard. The commenter recommended implementing Private Signing Key Protection to lower the likelihood of a stolen private key being used to forge a digital signature.

Response: We appreciate commenters' recommendations and perspectives regarding the need for an electronic signature standard, and we recognize that many organizations already operate under trust frameworks such as those supported by DirectTrust and TEFCA. We also understand the importance of identity assurance and credentialing in enabling secure, verifiable transactions.

In this final rule, we adopt the Digital Signatures Guide as the standard for electronic signatures on attachment information transmitted in electronic health care claims attachments transactions. We selected this guide because it supports the core features—authentication, message integrity, and nonrepudiation—essential to ensuring trust in electronic signatures.

While identity management, including credential issuance, proofing, and validation, is critical to the effectiveness of digital signature technologies, it is outside the scope of this regulation. The final rule does not establish minimum identity assurance levels or define a trust framework for all covered entities. We expect such entities to rely on credentialing authorities and certificate management protocols that align with industry's best practices, including those referenced by the commenters (for example, NIST SP 800-63A, IAL2, and x.509 certificate frameworks).

Comment: Multiple commenters recommended that HHS review existing processes that are relevant to these proposals. A commenter referenced the Drug Enforcement Administration's (DEA) definition at 21 CFR part 1311 of Electronic Prescription of Controlled Substances and the DEA's IFR, stating that HHS could use that as a guide. Multiple commenters recommended that HHS evaluate the ANSI X12.58 Security Structures control standard as an X12 native authentication, verification, integrity, and electronic signature method.

Response: We appreciate commenters' recommendations to evaluate existing standards and frameworks that support identity verification, message integrity, and electronic signature functionality, including the DEA's requirements for electronic prescriptions of controlled substances at 21 CFR part 1311 and the ANSI X12.58 Security Structures control standard.

The DEA's framework provides a model for authentication and nonrepudiation in clinical transactions, and the ANSI X12.58 standard was specifically developed to address security controls, including electronic signatures, in the context of X12-based EDI. These standards reflect valuable experience and technical insights into the secure exchange of health care data. With respect to the commenter's suggestion to evaluate the ANSI X12.58 Security Structures standard for authentication and digital signatures in X12 transactions, we appreciate this input. X12.58 is relevant because it provides a structured framework for securing X12-based transactions, including mechanisms for verifying sender identity, ensuring message integrity, and supporting nonrepudiation. While we are not adopting X12.58 as an electronic signature standard at this time, partly to maintain alignment with broader HIPAA standardization efforts and because industry adoption varies, we acknowledge its relevance for securing X12-based transactions.

In this rule, we are finalizing the adoption of the Digital Signatures Guide as the standard for digital signatures on health care claims attachments. We selected this IG because, as mentioned earlier, it directly aligns with the content structure of the adopted attachment standard and includes supplemental specifications to support authentication, message integrity, and nonrepudiation. The CDA-based digital signature model is compatible with the data formats and exchange protocols finalized for use in electronic claims attachments and was developed through consensus processes within the standards development industry.

We agree that there may be opportunities for broader alignment of electronic signature standards across federal programs. We will consider this input in any future rulemaking or technical guidance related to electronic transaction security and authentication. We also encourage ongoing industry collaboration and coordination across SDOs to promote convergence and reusability of authentication methods where appropriate.

Comment: Multiple commenters sought clarification on the relationship between the HIPAA Standards for Health Care Attachments proposed rule (87 FR 78438) that contained electronic signature proposals, and CMS's Interoperability and Prior Authorization proposed rule (87 FR 76238) which contained no such proposals. A commenter noted that there is an overlap of payers seeking attachment information to support prior authorization but that the CMS Interoperability and Prior Authorization proposed rule does not include any proposed requirements for digitally signing medical documentation. A commenter stated that the two proposed rules seem to have contradictory provisions and requested that HHS address these contradictions and confirm if the proposed digital signature requirements apply only to health care attachments and not to other areas of clinical workflow.

Response: We appreciate commenters' requests for clarification on any overlap between the electronic signature requirements finalized in this rule and the proposals in CMS's Interoperability and Prior Authorization proposed rule. We reiterate that in this final rulemaking, we are not finalizing the prior authorization attachments transaction that we had proposed, and the digital signature requirements adopted here do not apply to, or alter, the prior authorization processes or API requirements established under the CMS Interoperability and Prior Authorization final rule. Therefore, the digital signature standard being adopted in this rulemaking will apply only to health care claims attachments transactions. Accordingly, the requirements finalized in this rule operate independently and do not overlap with those applicable to prior authorization under other CMS regulations.

Final Action: After consideration of the public comments we received, we are finalizing our proposals, without ( printed page 14378) modification, to adopt the definition of electronic signatures in § 162.103 and the Digital Signatures Guide for use with health care claims attachments in § 162.2002(e).

H. Modification to a HIPAA Standard

1. Modifications to Standards

Section 1174 of the Act requires the Secretary to review the adopted standards and consider modifications to them, which include additions to the standards, as appropriate, but not more frequently than once every 12 months. Section 1174(b)(2)(B)(ii) of the Act requires that modifications must be completed in a manner that minimizes disruption and the cost of compliance.

Section 1175 of the Act prohibits health plans from refusing to conduct a transaction as a standard transaction. It also prohibits health plans from delaying the transaction or adversely affecting, or attempting to adversely affect, a person or the transaction itself on the grounds that the transaction is in standard format. It establishes a timetable for covered entities to comply with any standard, implementation specification, or modification as follows: for an initial standard or implementation specification, no later than 24 months (or 36 months for small health plans) following its adoption; for modifications, as the Secretary determines appropriate, but no earlier than 180 days after the modification is adopted. As authorized under the Act, HHS implemented 45 CFR 162.910, which sets out the standards maintenance process and defines the role of DSMOs. The two SSOs associated with this final rule are the ASC X12 and HL7.

In the HIPAA Standards for Health Care Attachments proposed rule, we proposed to modify the adopted Version 5010 of the X12N 278 standard for prior authorization transactions to Version 6020. We refer readers to the proposed rule for the full discussion of the maintenance process for health care transaction standards adopted by the Secretary, as well as an overview of the history of the NCVHS recommendations related to our proposals (87 FR 78451). We summarize public comments submitted regarding this proposal and provide our responses that follow.

Comment: A commenter expressed support for keeping up-to-date with newer versions of X12 standards, but recommended allowing historic versions for an extended period and/or allowing for a reasonable amount of time for systems to be upgraded to the newer X12 standard. The commenter indicated that 2 years would be a good starting point, but recommended a longer window where both standards would be allowed given the large number of requirements occurring over the next few years and specifically referenced several HHS initiatives and regulations. Another commenter recommended that HHS build language into the final rule allowing for regular version updates to standards so that providers and health systems could be more agile in communicating electronic health information. The commenter pointed out that there may be too much specificity in the standard version noted in the proposed rule and stated that some practitioners have had to navigate implementing Version 5010 without the ability to make changes in simple things such as dental documentation.

Response: We appreciate the commenter's feedback. HHS has considered similar recommendations regarding regular upgrades to standards to provide, by rulemaking, HIPAA covered entities with a more routine cadence in the adoption of updated standards and operating rules. We continue to assess potential alternatives within the scope of our authority and consistent with the law and will continue to work with industry to identify means by which updated standards can be more timely adopted and implemented. It is important to note that section 1174 of the Act requires the Secretary to review the adopted standards and adopt modifications to them as appropriate, but not more than once every 12 months. Moreover, modifications must be completed in a manner that minimizes disruption and the cost of compliance.

As discussed in the proposed rule, and again here in this final rule, section 1175(b)(1)(A) of the Act prescribes a 24-month period for which initial compliance is required, and in the case of a small health plan, 1175(b)(1)(B) of the Act allows 36 months for compliance. However, section 1104(c)(3) of the Affordable Care Act, under which we are adopting the health care claims attachment standards, reiterated the original HIPAA requirement to adopt a health care claims attachment standard and a single set of associated operating rules, and spoke specifically to timing, providing that the Secretary must adopt the standard and operating rules by January 1, 2014, to be effective no later than January 1, 2016, and that the Secretary may adopt the standard and operating rules on an interim final basis. We acknowledge that this final rule comes more than 10 years after the Affordable Care Act-specified adoption date, but interpret that provision to mean that for the attachment standards adopted under section 1104(c)(3) of the Affordable Care Act there should be a 2-year compliance date for all covered entities.

That same Affordable Care Act provision requires that the adopted standard be “consistent with the X12 Version 5010 transaction standards,” and we explain in the HIPAA Standards for Health Care Attachments proposed rule and in section II.D.3. and elsewhere in this final rule, our rationale for adopting Version 6020 with respect to the standards we are adopting as final. We also observe that HIPAA was enacted nearly 30 years ago, and, in that time, we believe that covered entities have gained experience moving from one version of a standard to the next.

2. Modification to Referral Certification and Authorization Transaction Standard

In the HIPAA Standards for Health Care Attachments proposed rule, we included a robust discussion of our proposal to adopt Version 6020 of the X12N 278 standard for a referral certification and authorization transaction for non-claims-related attachment requests and responses (87 FR 78451). We stated that although the NCVHS did not recommend a specific version of the standard, we proposed to adopt Version 6020 of the X12N 278 standard because Version 6020 better harmonizes with the X12N 275—Additional Information to Support a Health Care Services Review (006020X316) standard that we proposed to adopt for health care providers transmitting attachment information. For the full discussion, we refer readers to the proposed rule (87 FR 78451).

The referral certification and authorization transaction under § 162.1301 includes two transmission types from health care providers to health plans: prior authorization requests and referral certification requests. The X12N 278 standard is currently required for both types of transmission. Although it would have been technically feasible for us to have proposed to adopt Version 6020 only for prior authorization transmissions specified in § 162.1301(a) and retain Version 5010 for referral certification transmissions specified in § 162.1301(b), we instead proposed Version 6020 for both transmission types because it includes improvements over Version 5010 that better support both transmission types, and we believed it would have been more burdensome for covered entities to have to maintain both X12N 278 versions.

Comment: Multiple commenters expressed support for the proposed ( printed page 14379) adoption of Version 6020 of the X12N 278 transaction standard. A commenter noted that Version 6020 accommodates dental procedures, which reduces administrative burden. Conversely, multiple commenters disagreed with the proposed adoption of Version 6020 of the X12N 278 standard, noting that there have been significant advancements and version updates, and some commenters recommended that HHS consider alternative versions of the X12N 278 standard, like Version 8020. Multiple commenters expressed concern that implementing Version 6020 may increase cost and burden, and a commenter stated that there are issues with managing multiple standards and versions and gave the example that the X12N 837 claims standard could be in Version 8020, while the changes proposed could be at Version 6020 or Version 5010.

Response: As we explain in section III.A. of this final rule, we are not finalizing our proposal to adopt the prior authorization transaction standard, so we are not adopting the X12N 278—Health Care Services Request for Review and Response (006020X315), September 2014. We thank the commenters who supported our proposal and appreciate the commenters' suggestions to consider alternative versions of the X12N 278 standard, like Version 8020, and will continue to monitor and assess whether alternative versions of the current standard may better address the needs of the industry for enhanced administrative simplification.

Final Action: After consideration of the public comments we received, and for reasons previously discussed herein, we are not adopting a modification to the X12N 278 standard for prior authorization transactions.

I. Compliance Dates

We proposed to adopt new standards and a modification to a standard in the HIPAA Standards for Health Care Attachments proposed rule. Section 1175(b) of the Act provides for a compliance date not later than 24 months after the date on which an initial standard or implementation specification is adopted for all covered entities except small health plans. However, section 1104(c)(3) of the Affordable Care Act requires the adoption of standards for health care attachments and operating rules with a 2-year compliance timeframe for all covered entities and offers no extended timeframe for small health plans. In the HIPAA Standards for Health Care Attachments proposed rule, we proposed that the same health care attachments standards would apply to both claims and prior authorization attachments transmissions. As the transmission standard for each type of attachments transaction would be the same, we stated that we believed the compliance date for both types should also be the same. In addition, because we proposed to treat the two attachments processes together as one transaction in new Subpart T, we stated that adopting the same compliance timeframe for all covered entities would avoid the complications that a bifurcated compliance timeframe (that is, one for claims processes and another for prior authorization processes) may raise.

The effective date is the date the rule amends the Code of Federal Regulations (CFR), which is typically 60 days after the date of publication in the Federal Register.

We proposed to adopt the following eight standards for health care claims attachments transactions and electronic signatures:

HL7 IG for CDA Release 2: C-CDA Templates for Clinical Notes—Introductory Material, Release 2.1 (HL7 C-CDA IG Volume One).
HL7 IG for CDA Release 2: C-CDA Templates for Clinical Notes—Templates and Supporting Material, Release 2.1 (HL7 C-CDA IG Volume Two).
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based Documents, Release 1 (HL7 Attachments IG).
X12N 275—Additional Information to Support a Health Care Services Review (06020X316).
X12N 275—Additional Information to Support a Health Care Claim or Encounter (06020X314).
X12N 277—Health Care Claim Request for Additional Information (006020X313).
X12N 278—Health Care Services Request for Review and Response (006020X315), September 2014.
HL7 IG for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (Digital Signatures Guide). In accordance with section 1104(c)(3) of the Affordable Care Act, which requires the Secretary to adopt a transaction standard for health claims attachments and prescribes a uniform 2-year compliance date for all covered entities (with no special provision for small health plans, unlike the original HIPAA statute), we proposed that the compliance dates for the policies adopted in this final rule would be 24 months from the effective date of this rule. We stated that we would specify these compliance dates in § 162.2002.

Section 1175(b)(2) of the Act requires the Secretary to determine an appropriate compliance date for the implementation of modified standards, such as the modification of the X12N 275 standard from Version 5010 to Version 6020, by taking into account the time needed to comply due to the nature and extent of the modification. The Act also requires that the compliance date be no earlier than the last day of the 180-day period, beginning on the date the modification is adopted (that is, the effective date of the final rule in which the modification is adopted). As discussed in the HIPAA Standards for Health Care Attachments proposed rule, we proposed to adopt Version 6020 of these standards because they better harmonize with the X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314) and the X12N 275—Additional Information to Support a Health Care Services Review (006020X316) standards we proposed to adopt for the routing/envelope of attachment information by the provider. We stated that X12 recommended to the NCVHS that all parties to those transactions use Version 6020 of the standards as they are most compatible with each other. In the proposed rule, we discussed that Version 6020 of the X12N 278, as the standard for referral certification and authorization transactions, would be used by a health plan in conjunction with Version 6020 of the X12N 275 standard, which a health care provider would use to electronically transmit attachment information to a health plan in support of a prior authorization request. As the X12N 278 standard would feature in the new health care attachments transaction, we stated that it would be important to align the compliance dates for the proposed modification to the X12N 278 standard and the health care attachments standards. Accordingly, we proposed that covered entities would need to comply with Version 6020 of the standard 24 months after the effective date of the final rule. We reflected this compliance date in § 162.1302 by: (1) revising paragraph (c) to specify only the standard identified in paragraph (b)(2)(i); and (2) adding new paragraph (d) to require covered entities to use, in paragraph (d)(1), Version 5010 X12N 278 for 24 months after the effective date of the final rule, and in paragraph (d)(2), Version 6020 X12N 278 on and after 24 months after the effective date of the final rule. We solicited comments on this proposed approach.

Comment: Multiple commenters expressed support for the proposed compliance date of 24 months for health ( printed page 14380) care attachments standards and electronic signatures standard, and the updated standard for referral certification and authorization transactions. A commenter stated that the proposed compliance date would provide sufficient time for providers, health plans, and clearinghouses to adopt new standards and IGs. A commenter noted the current voluntary use of standards and stated that limiting the scope to just claims attachments should allow for easy implementation within the 24-month timeframe for the industry.

Response: We appreciate the commenters' feedback and support. We are finalizing the 24-month compliance date for the health care claims attachment standards and the electronic signature standard that we adopt in this final rule. As we have noted, we will closely monitor the rule's implementation and, should we learn of concerns, will work with the industry to address them. Some commenters supported a 24-month compliance date for the modified standard for referral certification and authorization transactions (X12N 278 Version 6020), but we are not adopting that modification, as discussed in section III.A. and elsewhere in this final rule.

Comment: Multiple commenters recommended that HHS finalize a shorter compliance date, ranging from as soon as practical to 18 months, instead of the proposed compliance date of 24 months after the effective date of the final rule. Another commenter requested urgent adoption of the attachment standards, with a requirement for full implementation within 12 months of adoption, not 24 months as HHS proposed. That commenter stated that health plans have adequate notice from HHS to start planning and building the platform and stated that if a health plan expects that health care providers adapt to a health plan's demand to provide attachments with 2-3 months' notice, it is more than reasonable to expect health plans to implement electronic health care attachments standards within 12 months or less. The commenter believed that such requirement would comply with the statutory compliance timeframe of no later than 24 months following adoption, and stated that if any health plan has difficulty implementing the requirements, it could suspend its attachments for claims and prior authorization requirements until it was able to comply with electronic health care attachments standards, which the commenter believed would be the only fair solution for health plans, patients, and providers. Conversely, a commenter expressed appreciation for HHS's efforts to establish a timeline for the adoption of the final rule but encouraged HHS to be flexible as needed with the 24-month compliance date to give providers and health systems more time to be compliant with new requirements.

Response: We acknowledge the commenters' view that a shorter compliance period could allow the industry to benefit from the standards sooner and recognize the view that a shorter timeline could be permissible under the statute's “no later than 24 months” language. However, with respect to the health care claims attachment standards and the electronic signature standard that we are adopting in this rule, we are adopting a 24-month timeframe to ensure uniform industry implementation and prevent the fragmentation that variable compliance periods might engender. We appreciate the commenter's concern that health plans often require health care providers to meet aggressive timelines and that a shorter compliance date could encourage quicker benefits realization. Nevertheless, preparing for the adoption of new standards will require HIPAA covered entities, potentially along with their health IT vendors or service partners, to engage in a series of coordinated steps requiring careful planning that may include updating systems, training staff, and testing with trading partners. As such, we believe the 24-month timeframe is necessary to support successful implementation.

Regarding the suggestion that health plans suspend their attachment requirements should they be unable to comply on time, we clarify that once the compliance date is reached, all covered entities are legally required to use the adopted standards when conducting health care claims attachment transactions electronically. However, we encourage early preparation, coordination, and testing among trading partners to ensure readiness and minimize implementation burdens. We note that nothing in this rulemaking would prohibit a health plan from electing to limit or suspend its health care claims attachment requirements.

Comment: Multiple commenters expressed concern with the compliance date, citing the need for real-world testing of the proposed standards. A commenter stated that attachments transaction standards must be tested with all end-users, including physicians, in a variety of settings, including small, independent, and rural physician practices to ensure the standards are effective and efficient and suitable for adoption. Another commenter recommended HHS exercise enforcement discretion following the 24-month implementation period to allow industry-wide testing as it will likely require the full 24 months for implementation and testing.

Response: In accordance with section 1104(c)(3) of the Affordable Care Act, which requires the Secretary to adopt a transaction standard for health claims attachments and prescribes a uniform 2-year compliance date for all covered entities (with no special provision for small health plans, unlike the original HIPAA statute), the compliance dates for the policies adopted in this final rule are 24 months from the effective date of this rule.

We acknowledge the commenters' concerns about the need for real-world testing, especially among small, independent, and rural physician practices, and note that falls within the coordinated steps that we speak about in a previous response. We agree that end-user validation in a variety of clinical and operational settings is essential to the successful adoption of the standards and encourage interested parties to begin implementation and testing efforts as early as possible to ensure that all participants have sufficient time to validate workflows and system performance.

We also acknowledge the concern that some payers and vendors may need to undertake new development work for the adopted standards. A commenter, for example, noted that while certain EHR and revenue cycle systems previously implemented the X12N 276/277 claims status transactions, some payers did not do so at the time of the Version 4010 standards (we clarify that these statements reflect a commenter's perspective, not an HHS finding that payers failed to comply with adopted standards). We encourage such payers to work closely with vendors, clearinghouses, and providers to identify and address gaps early, and to comply with all adopted HIPAA standards.

Regarding a commenter's recommendation that we utilize enforcement discretion following the 24-month period, we emphasize that we will monitor implementation progress and, to the extent necessary, consider appropriate action, consistent with our general approach to HIPAA Administrative Simplification efforts.

Finally, we emphasize that early testing, collaboration with trading partners, and use of implementation resources will be essential for all covered entities to meet the compliance deadline. ( printed page 14381)

Comment: Multiple commenters recommended that HHS provide support similar to what was provided in the transition from ICD-9 to ICD-10. A commenter agreed with the 2-year timeframe only if HHS requires milestones, testing, and implementation support to ensure performance to the standards by the compliance date.

Response: We agree that consistent communication and implementation support are important to successful adoption of the standards. We strongly encourage covered entities to develop internal implementation timelines and testing schedules in collaboration with their trading partners to ensure readiness by the compliance date. As resources permit, we intend to support industry readiness through targeted outreach and the dissemination of educational materials, consistent with our role in past administrative simplification efforts. For example, during the ICD-10 transition, HHS collaborated closely with industry groups to develop technical resources, frequently asked questions (FAQs), and webinars. For this effort, we expect that industry organizations, such as WEDI and SSOs, including X12 and HL7, may again play a central role in developing and sharing technical guidance as they have with previous efforts, though we are not able to commit them to, or require, that. HHS's support activities, including education and technical assistance, are subject to resource availability and agency discretion, though we certainly hope to offer such support. Covered entities are responsible for ensuring timely compliance and should not rely solely on HHS-led efforts.

Comment: Multiple commenters suggested a 36-month timeframe from the date the final rule is published to implement Version 6020 of the X12N 278 standard, while a commenter emphasized it is likely that an updated version of that standard will be available prior to the compliance date proposed in the rule and recommended that HHS adopt the most updated version of the standard in the final rule.

Another commenter stated that organizations have likely begun some level of electronic implementation to streamline their own operations, and early pilots could be leveraged to accelerate conformance with the proposed standards. A commenter recommended that HHS consider extending the implementation period beyond 2 years to prevent overburden. Another commenter stated that while they support standardization, they would like additional time to develop workflows and properly implement standards. Other commenters recommended a subsequent 2-year voluntary transition period following the compliance period during which both current and new X12N standards would be allowed to support health IT developers and users. A commenter recommended that HHS engage health IT end users to conduct real-world testing on the proposed standards, including end-to-end transaction testing prior to requiring implementation. The commenter also recommended that health IT end users be involved in the implementation roadmap.

Multiple commenters requested that HHS consider the impact of competing regulatory requirements when establishing the compliance dates. Multiple commenters expressed concern with the demands that the implementation of simultaneous regulatory actions places on adopters, health IT developers, and industry. The commenters referenced several regulatory requirements, including the CMS Interoperability and Prior Authorization proposed rule, the Advanced Explanation of Benefits (AEOB) requirements called for in the No Surprises Act, [31 ] and the HHS Administrative Simplification: Modification to the NCPDP Retail Pharmacy Standards and Adoption of a New Pharmacy Subrogation Standard proposed rule (87 FR 67634). A commenter recommended implementing a 24-month transition date for adopting Version 6020 of the X12N 278 standard and accompanying health care attachment standard transactions should a compliance date be set in late 2025 or early 2026 as this approach would ease the weight of simultaneous implementation requirements of other rulemaking.

These commenters asserted that those other regulatory requirements, along with those of this rule, would demand significant planning and resources which may compete with other priorities and operations at their institution. A commenter recommended that HHS partner with the private sector to develop a cohesive roadmap across initiatives based on consumer needs, maturity of standards, and required resources to stagger implementation and enforcement. Other commenters suggested staggering the requirements for this rule and those of the CMS Interoperability and Prior Authorization proposed rule.

Response: We thank the commenters for their feedback and agree with the commenter's point that many organizations have begun some level of electronic implementation to streamline their own operations and likely can leverage those efforts to accelerate conformance with the proposed standards. Regarding the X12N 278 standard, as we discuss in section III.A. of this final rule and reiterate elsewhere, we are not finalizing the adoption of Version 6020 of the X12N 278 standard, mooting suggestions that we alter its compliance date or establish a transition period. Should we proceed with future X12N 278-related rulemaking, we would take into account the commenter's recommendations regarding a move to the newer version of the standard.

With respect to those standards we are adopting, and consistent with section 1104(c)(3) of the Affordable Care Act, we are finalizing a compliance date by which covered entities must comply with the standard not later than 24 months after the date on which an initial standard or implementation specification is adopted. Some commenters suggested a longer compliance period, with some also recommending we include a voluntary transition period, but the statute provides for a 24-month time period.

We recognize that meeting the required timeframe will require significant planning and the coordinated steps to which we refer in a previous response. We also acknowledge commenters' concerns regarding cumulative regulatory burdens, including requirements from the now-finalized CMS Interoperability and Prior Authorization final rule. While this rule does not provide for staggered compliance with other regulations, HHS will continue to engage with parties in the health care industry and federal partners to support coordinated policy development wherever feasible.

In response to recommendations for real-world testing and roadmap development, we agree that broad participation from implementers and end users—including small health care providers, health IT developers, and clearinghouses—is critical to successful adoption. We encourage private-sector leadership and public-private collaboration (for example, through WEDI, HL7, and X12) to develop implementation playbooks, testing frameworks, and milestone tracking tools. We also anticipate offering stakeholder education and support.

We also note that many covered entities have successfully implemented new or modified HIPAA transaction standards within a 24-month timeframe. We will monitor implementation ( printed page 14382) challenges and remain prepared to engage with interested parties as needed, but statutory requirements limit the compliance timeframe. Prompt planning and engagement by covered entities is essential to meeting the final compliance deadlines.

Comment: A few commenters recommended alternative compliance start dates from what was proposed in the HIPAA Standards for Health Care Attachments proposed rule. One of these commenters recommended that implementation be scheduled on a date other than the end of a calendar year and emphasized that financial planning be performed and approved in advance of actual expenditure. The commenter stated that it is unrealistic to expect that resources can be obtained and committed to compliance with the proposed regulation within the current budget year, given that the regulation requirements would not be finalized until a final rule is issued. Another commenter requested a compliance timeframe of at least 18 months for any new regulation on this matter and requested that consideration be given to timeframes for state entities to come into compliance due to significant changes to program and processes. A commenter stated the compliance date should not be aligned with the January 1 medical enrollment period of any year to allow payer and provider systems sufficient time for modifications without impacting medical enrollments during the initial weeks of the new year.

Response: We appreciate the concerns that commenters raised regarding the proposed compliance date. As we have repeatedly noted, section 1104(c)(3) of the Affordable Care Act requires a 2-year compliance timeframe. We recognize that implementing a new standard may involve significant planning and coordinated steps to which we refer to in a previous response, and, upon publication of this final rule, encourage covered entities to expeditiously begin planning to ensure their readiness to attain compliance in a timely manner.

Regarding timing in relation to the calendar year and enrollment periods, the 24-month compliance date does not fall on January 1 of any year, which should help mitigate disruptions to systems and operations during the annual medical enrollment cycle and allow payers and providers to focus on system changes during less operationally sensitive periods.

We are finalizing a compliance date that is 24 months after the effective date of this final rule, in accordance with section 1104(c)(3) of the Affordable Care Act.

Comment: A commenter stated that vendors will need at least 2 years to implement the process of updating the proposed standards and provided the explanation that, because XML is the standard format, time would be needed for training related to implementing the HL7 transactions.

Response: We understand this commenter to be concerned that additional time may be needed to comply because it will require the use of an HL7 implementation specification within an X12 transaction standard. However, we are aware that some in the industry, including at least one Medicare Administrative Contractor, have already successfully used the HL7 implementation specification within the X12 transaction standard, and have done so for over 15 years. This implementation includes publicly available companion guides and procedures, demonstrating that HL7 content can be effectively integrated and exchanged within the X12 transaction envelope, and providing a proven model for how HL7 documents can be used within X12 transactions. It also offers an early example of how vendors and clearinghouses can structure systems, interfaces, and workflows to support this type of transaction. Therefore, we believe the 24-month compliance period provides sufficient time for vendors and covered entities to prepare, test, and implement the standards adopted in this final rule.

Final Action: After considering the public comments we received, we are finalizing a 24-month compliance date after the effective date of this final rule for the adoption of the X12N 275—Additional Information to Support a Health Care Claim or Encounter (06020X314) and X12N 277—Health Care Claim Request for Additional Information (006020X313), and the HL7 IG for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 and other HL7 IGs adopted in this final rule.

J. Incorporation by Reference

This final rule incorporates by reference in § 162.920 the following standards: (1) X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314); and (2) X12N 277—Health Care Claim Request for Additional Information (006020X313).

The X12N 275—Additional Information to Support a Health Care Claim or Encounter standard provides instructions to assist those who send additional supporting information or who receive additional supporting information to a health care claim or encounter.

The X12N 277—Health Care Claim Request for Additional Information standard contains the format and establishes the data contents of the Health Care Information Status Notification Transaction Set for use within the context of an EDI environment. This transaction set can be used by a health care payer or authorized agent to notify a health care provider, recipient, or authorized agent regarding the status of a health care claim or encounter or to request additional information from the health care provider regarding a health care claim or encounter, health care services review, or transactions related to the provisions of health care.

This rule incorporates by reference in § 162.920 the following IGs:

HL7 CDA R2—US Realm, Version: 2.1.0.1, September 2023 [32 ] —The standard specifies the structure and data content for the electronic exchange of clinical documents used as attachments in support of healthcare administrative transactions. The implementation guide defines how clinical documentation structured using the HL7 Clinical Document Architecture Release 2 and the HL7 C-CDA Release 2.1 may be packaged and transmitted to support requests for additional information associated with health care claims, prior authorization determinations, and other administrative processes. This standard also supports the electronic exchange of structured clinical documentation between health care providers, health plans, and their authorized agents.
HL7 IG for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One—Introductory Material, August 2015 with 2019 June Errata..—The standard provides introductory guidance and implementation context for the Consolidated Clinical Document Architecture (C-CDA) templates used to exchange structured clinical documents. This volume describes the overall architecture, scope, design principles, and conformance framework for implementing clinical document templates based on the HL7 Clinical Document Architecture Release 2. This standard also supports the interoperable exchange of clinical documents across health information technology systems used by health care providers, health information exchanges, and other authorized entities. ( printed page 14383)
HL7 IG for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two—Templates and Supporting Material, June 2019—The standard specifies the detailed template definitions and supporting technical specifications for implementing Consolidated Clinical Document Architecture (C-CDA) clinical documents. This volume defines the structure, constraints, and required data elements for specific clinical document templates, sections, and entries used to represent patient clinical information using the HL7 Clinical Document Architecture Release 2 framework. The standard also enables health care providers, health information exchanges, and other authorized entities to create and exchange standardized clinical documents that support the interoperable communication of patient care information.
HL7 IG for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1, Draft Standard for Trial Use, October 2014—The standard establishes specifications for representing digital signatures and delegation of signing authority within clinical documents structured using the HL7 Clinical Document Architecture Release 2 framework. The implementation guide defines mechanisms for applying digital signatures to ensure the integrity, authenticity, and non-repudiation of electronic clinical documents and for documenting circumstances in which an individual signs a document on behalf of another authorized party. These capabilities support the secure exchange and verification of electronically signed clinical documentation across health information technology systems.
The materials we incorporate by reference are available to interested parties and can be inspected at the CMS Information Resource Center, 7500 Security Boulevard, Baltimore, MD 21244-1850. The X12 IGs are available at www.X12.org. The HL7 IGs are also available through the internet at www.HL7.org. A fee is charged for the X12 standards. Charging for such publications is consistent with the policies of other publishers of standards.

Comment: A commenter requested that HHS clarify in the final rule that, contrary to what was stated in the proposed rule (87 FR 78453), HL7 does not charge a fee for the HL7 IGs.

Response: We appreciate the commenter's request for clarification. In the HIPAA Standards for Health Care Attachments proposed rule, we incorrectly stated that a fee is charged for all IGs. HL7 primary standards and other selected products are licensed at no cost. It is important to note that the no-cost license for HL7 standards includes some restrictions on how the standards may be used and distributed. A license that allows broader use is available to people and organizations with an HL7 membership. For additional information, access their Copyright policy. The HL7 IGs are available at no fee via the internet at https://www.hl7.org/legal/ippolicy.cfm. By contrast, there is a fee for the X12 standards, which are available via the internet of X12 at www.X12.org.

Final Action: After consideration of the public comments we received, and after consultation with the SSOs, we are finalizing the incorporation by reference of the standards we are adopting in this final rule in § 162.2002 (c) through (e) and 162.920(a). We are also finalizing the incorporation by reference of the IGs we are adopting in this final rule in § 162.2002(a), (b)(1), and 162.920(e).

K. Severability

This final rule implements requirements of HIPAA and the Affordable Care Act for the adoption of standards for health care claims attachments transactions, which will support health care claims transactions, and a standard for electronic signatures to be used in conjunction with health care claims attachments transactions.

To the extent a court may enjoin one provision of this final rule, HHS intends that the other provisions should remain in effect, ensuring the continuity of the regulations. We intend that any provision of the requirements of this rule that is held to be invalid or unenforceable by its terms or as applied to any person or circumstance would be construed so as to continue to give maximum effect to the provision permitted by law unless such holding is one of utter invalidity or unenforceability, in which event we intend that the provision would be severable from the other finalized provisions described in this section and in other sections and would not affect the remainder thereof or the application of the provision to persons not similarly situated or to dissimilar circumstances.

If any section, subsection, sentence, clause, phrase, word, provision or application of this final rule shall be found to be invalid, illegal, unconstitutional, or unenforceable, that finding shall not affect or undermine the validity of any other section, subsection, sentence, clause, phrase, word, provision, or application which can be enforced without the use of the offending portion of this final rule.

IV. Out of Scope Comments

We received several comments on subjects that were outside the scope of the proposed rule. We do not directly respond to those types of comments because they are outside the scope of this rulemaking.

V. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), 44 U.S.C. 3501 through 3520, we are required to provide notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. To fairly evaluate whether an information collection should be approved by OMB, 44 U.S.C. 3506(c)(2)(A) requires that we solicit comment on the following issues:

The need for information collection and its usefulness in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection burden.
The quality, utility, and clarity of the information to be collected.
Recommendations to minimize the information collection burden on the affected public, including automated collection techniques. The burden associated with the information collection requirements contained in § 162.2002 of this document are subject to the PRA. The PRA package previously approved for the HIPAA health care transaction standards under OMB control number 098-0866 and titled: “CMS-R-218: HIPAA Standards for Coding Electronic Transactions” will be updated to include the requirements finalized in this rule. We solicited but did not receive any comments on this collection of information.

VI. Regulatory Impact Analysis (RIA)

A. Statement of Need

This rule finalizes the adoption of standards, in accordance with the HIPAA Administrative Simplification statutory provisions, for the electronic transmission of health care claims attachments. The health care industry has made it clear via testimony to the NCVHS, WEDI presentations, CAQH reports, public comment, National Standards Group (NSG) listening sessions, and direct inquiry that there is a clear need for the Secretary to adopt electronic transaction standards for claims attachments to bring consistent and reliable communication among the HIPAA covered entities. Because no claims attachment standard has been adopted, health plans, health care ( printed page 14384) providers, clearinghouses, and health IT vendors lack the direction needed to support broad use of automation in the attachment workflow or for the industry to coalesce around the use of even a small number of electronic solutions. In addition, the lack of attachment standards has deterred parties in the health care industry from investing in system implementations to automate the attachments workflow, requiring a large manual administrative burden for the exchange of medical documentation. Industry SSOs and stakeholder alliances report that automating this process will yield substantial labor cost savings.

Comment: A commenter expressed concern regarding the assumptions in the 2019 CAQH study cited in the proposed rule, stating that the data in this study is questionable and based on unreasonable assumptions given industry experience with previous standards, and that HHS cannot justify that the net benefits of adopting health care attachment standards will outweigh the costs to health care providers. The commenter also stated that the cost savings to the industry cited in the proposed rule do not account for the added cost of implementing both FHIR (pursuant to CMS rulemaking) and X12 updates during the same 24-month period, the ability to convert each to the other, clearinghouse costs, and ongoing maintenance of each. A commenter stated that health care claims cannot be separated from corresponding appeal transactions, and that the savings cited are unlikely to be realized unless appeal attachment standards are adopted.

Response: The commenters did not provide alternative data sources or analyses for our further consideration, and we note that our RIA in the HIPAA Standards for Health Care Attachments proposed rule involved a thorough analysis utilizing multiple sources. As reiterated at the beginning of this section, this analysis was informed by our assessment that considered the current environment, industry testimony to the NCVHS, WEDI whitepapers, CAQH studies, survey results produced by industry consensus-based organizations, and updated web-based research on specific topics.

For purposes of this final rule, we have updated data and calculations based on the 2024 CAQH Index report, focusing on health care claims attachments. [33 ] The RIAs included in the HIPAA Standards for Health Care Attachments proposed rule and the Modifications final rule, in addition to the CAQH Index Reports cited throughout this RIA, only provide an estimate of the direct costs of implementation and automation; appeals were not estimated, presumably because appeals data are difficult to obtain. We note that this final rule applies only to what is being adopted, which are health care claims attachments transaction standards. We may address other transactions, including the use of a prior authorization transaction standard in health care attachments, in other rulemaking.

The claims attachment transaction standards adopted in this final rule cover the transmission of solicited and unsolicited attachments related to various stages of the claims payment process, including post-payment review activities, but do not extend to attachments used in claims appeal processes. Costs to implement a FHIR standard fall outside of the scope of this final rule.

B. Overall Impact

We have examined the impacts of this rule as required by Executive Order (E.O.) 12866, “Regulatory Planning and Review”; E.O. 13132, “Federalism”; E.O. 13563, “Improving Regulation and Regulatory Review”; E.O. 14192, “Unleashing Prosperity Through Deregulation”; the Regulatory Flexibility Act (RFA) (Pub. L. 96-354); section 1102(b) of the Social Security Act; section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) (Pub. L. 104-4); and Subtitle E of the Small Business Regulatory Enforcement Fairness Act of 1996 (the Congressional Review Act) (5 U.S.C. 804(2)).

E.O.s 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select those regulatory approaches that maximize net benefits, including: (1) potential economic, environmental, public health and safety, and other advantages; (2) distributive impacts; and (3) equity. Section 3(f) of E.O. 12866 defines a “significant regulatory action” as any regulatory action that is likely to result in a rule that may: (1) have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, or the President's priorities.

An RIA must be prepared for a regulatory action that is significant under section 3(f)(1) of E.O. 12866. Based on our estimates, the Office of Information and Regulatory Affairs (OIRA) has determined this rulemaking is significant under section 3(f)(1). In accordance with Subtitle E of the Congressional Review Act, OIRA has also determined that is a “major rule” as defined by 5 U.S.C. 804(2).

We believe that covered entities have already largely invested in the hardware, software, and connectivity standards being adopted in this final rule. We anticipate that the adoption of these changes will result in costs, but that those costs will be outweighed by the benefits that these changes will yield. Accordingly, we have prepared an RIA that, to the best of our ability, presents the costs and benefits of this final rule.

C. Detailed Economic Analysis

1. Anticipated Effects

The objective of this RIA is to summarize the costs and benefits of adopting new and modified standards for the exchange of health care claims attachment information consisting of the following provisions:

A code set to be used for health care claims attachments transactions.
X12 standards for requesting and transmitting attachment information and HL7 standards for clinical information content.
Electronic signatures standards. This portion of the analysis is informed by an earlier environmental scan produced for us in 2016 by the MITRE Corporation, a Federally funded research and development center. Data from that environmental scan was used since it was conducted to help develop the HIPAA Standards for Health Care Attachments proposed rule. However, we did not solely rely on the MITRE report. Additional data was obtained through industry testimony to the NCVHS, whitepapers, WEDI survey results, and updated web-based research on specific topics. [34 ] Since we did not receive any comments on the assumptions we made based on the 2016 MITRE Corporation environmental ( printed page 14385) scan, we continue to reference it in this final rule.

Consistent with statutory and regulatory requirements, any recommendations for the adoption of HIPAA standard updates are the outcome of an extensive, consensus-driven process that is open to all interested parties. The standards development process involves direct, participatory input from representatives of parties in the health care industry that are required to utilize the transactions. Both the standards adoption process and standards development processes are described in detail in section II. of this final rule.

For purposes of this analysis, we use the segmentation of parties in the health care industry laid out in the Modifications final rule, with some additional details on vendors supporting the integration of the administrative and clinical data. As discussed in the HIPAA Standards for Health Care Attachments proposed rule, and again in this final rule, health care providers and payers continue to use manual processing for health care attachments, therefore, these interested parties are relevant for purposes of this RIA because there is no adopted health care claims attachments standard. As noted in the most recent WEDI white paper, most payers send hard copy letters to request additional information to support a claim or prior authorization submitted by the health care provider. [35 ] These segments consist of the following:

Health Care Providers ++ Hospitals

++ Physicians

++ Dentists

++ Pharmacies

Health Plans ++ Private Health Plans and Issuers

++ Government Health Plans: Medicare, Medicaid, and Veterans Administration

Clearinghouses
Vendors ++ Practice Management System (PMS) Vendors

++ EHR Vendors

In analyzing the effects of the proposed rule, we referenced the 2019 and 2020 CAQH Index Reports issued on January 21, 2020 and February 3, 2021, respectively. [36 37 ] However, for this final rule, we are making reference to the 2024 CAQH Index Report. [38 ] The 2024 CAQH Index tracks adoption of HIPAA-mandated- and other electronic administrative transactions and measures progress related to reducing the costs and burden associated with administrative transactions exchanged across the medical and dental industries. The CAQH Index includes estimates of the number of annual transactions by submission mode (that is, phone, fax, mail, or email), electronic (that is, HIPAA standard) or partially electronic (that is, web portals or interactive voice response), as well as estimates of the associated labor cost and staff time. The reported costs and savings account for the labor time required to conduct transactions, not the time and cost associated with gathering information or the costs associated with the use of clearinghouses or third-party vendors.

With respect to the category of health care providers, the report does not provide a breakdown of the types of providers that contributed to the survey results, but it does distinguish between medical and dental providers and acknowledges partnering with both physician and hospital member organizations. Thus, we believe the medical providers' savings reported include hospital-related responses.

In contrast to the data on labor cost savings, we continue to be unaware of any reports or other industry estimates on the level of additional investments needed to fully implement these electronic processes for requesting and submitting attachment information, or the proportion of such costs that might be passed on to health care providers or health plan firms. By reviewing testimony submitted to the NCVHS and conducting web searches, such as for plan, clearinghouse, and vendor EDI instructions and services, we understand some interested parties' segments have already largely built or acquired the capacity to implement these proposals (albeit possibly in inconsistent and proprietary ways in the absence of federal standards). Similarly, based on the NCVHS testimony, others (particularly health care providers and their vendors) have partially implemented the standards. [39 ] Thus, we conclude that implementation and readiness to fully implement the standards being adopted in this final rule will vary among and within covered entity industry segments.

We also believe it is likely that firms directly involved in deploying additional capacity, particularly in upgrading PMS or EHR functionality, will not voluntarily share proprietary and competitive market-sensitive data on the level of additional investment needed, or on the effects on customer fees. Therefore, as further explained in the discussion of cost calculations, we estimate the incremental costs involved not through projected cost build-up, but rather as a function of the level of impact of implementing the previous HIPAA-standard modifications. We solicited comments on this approach and on the appropriateness of the aggregate level estimates, preferably seeking data reflecting estimated changes to firm-specific costs and customer-specific fees in a manner that facilitated aggregation, but we received no response or comments.

We expect that the regulatory requirements, combined with the administrative cost savings opportunities identified by CAQH, will result in broad adoption of these attachment standards. The remainder of this section provides details supporting the cost-benefit analysis for the provisions being finalized.

2. Affected Entities

As with previous HIPAA standards updates, all HIPAA covered entities will be affected by this final rule. Covered entities include all health plans, all health care clearinghouses, and health care providers that transmit health information in electronic form in connection with a transaction for which the Secretary has adopted a standard. Therefore, these covered entities will be required to use these standards for transactions that they conduct electronically. See the Transactions and Code Sets final rule for a discussion of affected entities (65 FR 50361).

In general, covered entities (or their vendors) will incur a number of one-time costs to implement the new transactions in this final rule. These costs likely will include analysis of business flow changes, software procurement or customized software development, integration of new software into existing provider/vendor systems, staff training, and collection of ( printed page 14386) new data, testing, and transition processes. For some entities, new vendors may be needed to create and validate the clinical documentation to be embedded in the attachment transactions. System implementation costs will account for most of the costs, with system testing alone likely accounting for a majority of costs for all covered entities. Ongoing operational costs will be expected to initially grow, as the implementation of electronic processes run in parallel with ongoing manual and partially automated processes, but will then be expected to decline as higher proportions of transactions are automated. These health IT-related costs will be offset by significant reductions in labor costs for what are, today, largely manual processes to locate, collect, package, and mail clinical records needed to support requests for additional documentation to support claims. Other offsetting cost savings are expected from lower postage and other mailing costs, reductions in reprocessing volume due to higher clean claim acceptance rates, and delay in receiving payment. [40 41 ]

It is likely that there are significant differences in readiness among payer and provider claims health IT systems, and we do not know the extent of incremental costs associated with health IT development, enablement (that is, upgrade or licensing fees paid by users), or workflow adjustment and training to facilitate compliance with the standards adopted in this final rule. So, though we are aware that the net benefits will likely vary among interested parties, we continue to lack the data to estimate these differential effects. An important consideration reflected in various industry testimonies submitted to the NCVHS is that some interested parties, particularly smaller health care providers, will continue to have the option to leverage existing clearinghouses to provide these information exchange services based on negotiated rates. This is a standard practice today, where clearinghouses already manage 85 percent of the conversion of paper-to-electronic formats, as well as reformatting of non-compliant to compliant electronic claim transactions for the industry. Given the high costs of manual and partially electronic means for exchanging required information, we believe this rule's implementation will yield significant net industry savings. However, the level and timing of uptake (as opposed to the retention of manual processes and clearinghouse intermediation) by provider entities is uncertain. We reflect this uncertainty with both the phasing in and estimation of minimums and maximums for costs and benefits. We solicited comments in the proposed rule on our RIA approach and assumptions.

Comment: Multiple commenters provided descriptions of additional burdens that covered entities would experience by implementing the policies as proposed. A commenter noted that California's Medicaid Management Information Systems Operations will have to include new training for call center agents and providers, new call scripts, and possible changes to the provider manuals. Another commenter stated that additional storage will present states with increased and expanding costs, as Medicaid programs are not allowed to charge fees for administering programs. Another commenter noted that there are other impacts that must be considered when assessing the proposals outlined in the proposed rule. The commenter provided several examples of operational processes, workflow changes, education and training, and additional work their institution would need to complete in order to comply with the proposed rule.

Response: We thank commenters for their feedback. Our estimates took into consideration business flow changes, software procurement or customized software development, integration of new software into existing provider/vendor systems, staff training, and collection of new data, testing, and transition processes, and we noted previously that some covered entities may require new vendors to create and validate the clinical documentation to be embedded in the attachments transactions. Our systems implementation costs account for most of the costs, with system testing alone likely to account for many costs estimated for all covered entities. Finally, regarding the concern raised about the potential for states to incur additional costs, such as administrative costs to operate the program, we encourage states to work, as appropriate, with CMS's Center for Medicaid and CHIP Services (CMCS) to determine if Federal Financial Participation (FFP) is available for state administrative costs.

Comment: A commenter stated that HHS underestimated the economic impact of this rule on all entities and expressed concern regarding the cost of using HIPAA transaction standards without widespread adoption. The commenter called out HHS's acknowledgement of those health plans that do not use automation in working with medical record documentation as part of their prior authorization request and claim adjudication processes, with the major concern being that these plans will not invest in the attachment standards systems and will continue to use manual processes. The commenter therefore recommended that HHS require that health plans invest in automation to mitigate manual processes. Based on their prior experience with the transaction modifications required by Version 5010 standard implementation and ICD-10 implementation, another commenter similarly stated that HHS significantly underestimated the costs to conform to the proposed requirements. The commenter also expressed that HHS's assumptions were erroneous and that the X12N 275 claims standard and Version 6020 of other transaction standards would create new implementation, revision, and support costs for states. Another commenter stated that savings would not be realized if payers do not also invest in systems to eliminate manual processes to interpret documentation submitted via the transactions.

Response: The commenters who stated that we underestimated the rules' costs offered no substantive data or additional information to counter our analysis. We further explain here our analysis, including some insignificant changes—such as updating the current year labor statistics and the use of the most recent CAQH index—that we made with respect to costs and benefits detailed in this final rule. Also, as discussed in section III.A. of this final rule and elsewhere, since we are not finalizing the proposal to adopt a modification to the prior authorization transaction standard, we do not reflect those calculations in this RIA. In sum, we made significant efforts to ensure the accuracy of the costs and benefits presented in this final rule.

The analysis included in the HIPAA Standards for Health Care Attachments proposed rule was based on the analysis performed in the Modifications final rule (74 FR 3296). The analysis was also updated for inflation through the use of various CAQH reports. Based on the estimates in the HIPAA Standards for Health Care Attachments proposed rule, the inflation data were adjusted using the 2000 to 2025 Consumer Price Index ( printed page 14387) (CPI). [42 ] When preparing the proposed rule, although later CAQH Index reports were available, we chose to use the 2019 report because we believed, at that time, the estimates based on the period during the COVID-19 public health emergency (PHE) years would have resulted in overestimates and not be relevant to future years. We now have the CAQH 2024 report, which indeed confirms several downward trends, confirming that the impact from the COVID-19 PHE has stabilized. Therefore, for the purposes of this final rule, we further updated the estimates by a factor of 23 percent, which represents a percentage increase consistent with both inflation and the CAQH report. More specifically, using the most recent CPI data and updating to the CAQH 2024 report (the latest full year), we find that an additional 23 percent must be added to account for inflation.

In the proposed rule, we stated that we utilized the CAQH national annual savings estimates as the basis for our cost estimates. The CAQH national annual savings estimates were calculated based on the potential savings achieved by the industry when transitioning from a reported state of 22 percent electronic processing for attachments to fully electronic processing. The potential cost savings by the industry are based on the premise of cost decreases as industry adoption increases. Although there have been previous apparent increases in electronic processing of health care attachments, we do not trend the benefits estimates forward because previously reported estimates of electronic processing adoption have tended to remain stable over a longer period. Because we believe that some portion of providers and their vendors may take longer to move from manual to fully automated transactions, we also assume a phased-in realization of the level of annual benefits projected by CAQH. For the purposes of this analysis, we generally estimate that most interested parties will realize the benefits in labor savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date. We did not elect to require that health plans invest in automation because, with respect to the level and timing of the uptake of these standards, we assume that some portion of providers and their vendors may take longer to move from manual to fully automated transactions and that could potentially cause additional financial burden for some. Our analysis is summarized in Tables 6 and 7, which included multiple sources for estimation of minimum and maximums for costs and benefits and thereby accounted for the uncertainty around certain providers choosing to retain manual processes.

We are finalizing the RIA with the revisions described in the previous response. As this final rule will apply only to health care claims attachments transactions, the RIA does not include the prior authorization transaction as initially proposed.

3. Explanation of Cost Calculations

Based on consultation with industry workgroups, such as WEDI, we determined that the health care claims attachments standards adopted in this final rule are already in common use by entities engaged in other lines of business that exchange medical records (for example, the workers' compensation and liability insurance fields). Thus, there is clear evidence that the standards are fit for their intended purpose and have been successfully implemented in closely related business processes.

Although the claims attachments standards we are finalizing adoption of are initial standards, as described in section 1175 of the Act, health plans surveyed by CAQH in 2024 reported electronic transaction submission levels of 32 percent for attachments. Therefore, although we had not adopted the specification for attachments requests by the health plan (X12N 277 standard for claims transactions) and the response from the provider (X12N 275 standard for claims transactions) as HIPAA standards, some payer and provider systems already exchange electronic attachments using the standards we are finalizing adoption of in this rule. Moreover, HL7 C-CDA standards have been widely adopted by health IT developers participating in the ONC Health IT Certification Program; these standards are incorporated into certification criteria that are part of the definition of a Base EHR in 45 CFR 170.102. According to the latest available posted data, as of 2021, nearly 4 in 5 (80 percent) office-based physicians had adopted a certified EHR. [43 ]

Similarly, while the standards we are adopting for electronic signatures are also initial standards, they incorporate practices already implemented in health-care related reporting and monitoring systems. We anticipate that leveraging existing industry experience will limit incremental implementation costs for providers. At the same time, HHS continues to evaluate other electronic signature models for potential applicability to other HIPAA transactions or broader alignment across federal programs.

Given that some parts of the health care industry have experience implementing requirements similar to the standards that we are adopting in this final rule, we believe implementing these standards will be more similar to implementing standard modifications than to implementing transaction standards for the first time. Therefore, we anchor our cost estimates on the final cost estimates included in the Modifications final rule (74 FR 3322), updated for inflation, and then make certain adjustments to address unique aspects of certain industry segments. [44 ] While the systems required for implementing the specifications being adopted in this final rule have been continuously updated since the publication of the Modifications final rule, the technologies within the implementation specifications in this final rule are of the same type as those considered there and will be integrated into systems that continue to utilize similar business models.

The cost estimates in the Modifications final rule were based on an estimate of the total costs to implement the initial HIPAA transaction standards (Version 4010/4010A) and informed by industry interviews. [45 ] To determine the costs for each provider sub-segment (that is, hospitals, clinicians, and dentists), we established an estimate for what the total approximate Version 4010/4010A costs were for an individual entity within that sub-segment (based on the interviews and other data available through research) and then applied an estimated range of 20 to 40 percent of those costs to come up with estimated minimum and maximum costs for ( printed page 14388) Version 5010. As discussed in the Modifications final rule, the baseline range of 20 to 40 percent was accepted as a realistic proxy by the providers and plans that participated in the earlier interviews conducted to develop the regulatory cost benefit analysis (74 FR 3315). The purpose of those interviews was to identify more granular cost categories. It is important to note that through subsequent regulatory actions, we have solicited comments on our baseline ranges to aid in analyzing and validating overall cost estimates ranges by entity. Since we did not receive any comments on our estimated ranges, we continue to use the estimated range of 20 to 40 percent. For the purposes of this final rule, the estimated cost for each individual entity within a segment was then multiplied by the number of entities to establish the estimated costs for the entire segment.

With respect to the level and timing of the uptake of these standards, we assume that some portion of providers and their vendors may take longer to move from manual to fully automated transactions. For purposes of this analysis, we generally estimate that most interested parties will incur costs over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years. We developed this 4-year model based on feedback from industry interviews and historical data from prior standard transitions (for example, Version 4010 to 5010). Providers and vendors consistently shared that the largest investments are made in the first 2 years, with a gradual tapering off in the final 2 years. It also provides a structured approach to ensure that providers and vendors can manage costs and resources effectively, while gradually scaling up their automation efforts. We maintain these estimates for full implementation in this final rule.

We note that although many commenters on the Modifications final rule suggested that we underestimated the costs, commenters then provided no substantive data or additional information to counter our analysis. We are not aware of more recent public research relating to the costs of implementing modifications to HIPAA transaction standards. We invited public comments on our understanding and requested any available additional data to help us determine the costs of implementing modifications to HIPAA transaction standards more accurately.

Comment: A commenter stated that significant resources will be necessary to implement the rule's requirements and believed that those costs are missing from the RIA estimates. The commenter listed the following: (1) familiarization with the final rule; (2) requirements definition; (3) specification documentation; (4) system and procedures modification; (5) unit-string-system-UAT-Partner-E2E and B2B testing; (6) software deployment; (7) companion guide, instruction manual, and testing instruction updates; (8) website deployment; (9) outreach; (10) trading partner coordination; and (11) preparation of educational and notification materials.

Response: We thank the commenter for their feedback, but note the commenter offered no substantive data for our consideration, so we retain our analysis as is. We also reiterate, as we stated previously, that: (1) we included in our estimates consideration of business flow changes, software procurement or customized software development, integration of new software into existing provider/vendor systems, staff training, and collection of new data, testing, and transition processes; (2) for some covered entities, new vendors may be needed for the creation and validation of the clinical documentation to be embedded in the attachment transactions; and (3) our systems implementation costs considerations account for most of the costs, with system testing alone likely accounting for a majority of costs estimated for all covered entities.

Comment: A commenter noted HHS's assertion that entities have already largely invested in resources to conduct the proposed new and modified standards is untrue with respect to long-term and post-acute care (LT-PAC) providers that were excluded from the Health Information Technology for Economic and Clinical Health (HITECH) Act. The commenter also noted that the full benefits of these proposed regulations will likely not be realized by a significant number of resource-constrained LT-PAC providers.

Response: Although LT-PAC providers were not included in the HITECH Act, the X12 EDI transactions for health care claims attachments adopted in this final rule are not part of CMS's Meaningful Use or Promoting Interoperability programs, nor are those incentive programs relevant to the transactions addressed in this analysis. However, we believe that LT-PAC providers, like HIPAA covered entities, are likely to have the technical infrastructure or vendors in place to support development for the exchange of HIPAA mandated transactions and should be able to update those systems to accommodate attachments for claims. Should we learn that LT-PAC providers are lagging with full compliance with the requirements of this final rule, as resources permit, HHS will work with that industry segment.

4. Explanation of Benefits Calculations

To determine the benefits for each segment of the industry, we primarily relied upon the 2024 CAQH Index report. Based on survey responses, CAQH estimates that spending on labor time conducting attachment transactions accounts for about $590 million of spending on administrative transactions across the medical industry, with health care providers incurring about 88 percent of this, spending at an average cost of $6.30 for each manually processed attachment. CAQH estimates that moving from manual to electronic attachments transactions could save the health care industry $1.65 on average per transaction. These estimated savings would be split between health care providers and health plans and would be generated by the avoidance of 8 minutes in administrative labor time per attachment on average, as medical providers reported taking an average of 11 minutes to submit an attachment manually versus 3 minutes electronically. Comparable data on spending and savings opportunities on attachment transactions for dental providers were not available, although the survey reports that only 37 percent of dental attachment transactions in 2024 were fully electronic.

We utilized the 2024 CAQH national annual savings estimates as the basis for our benefits estimates. The CAQH national annual savings estimates are calculated based on potential savings moving from the reported state of 32 percent electronic processing for attachments to fully electronic processing. The total potential industry cost savings opportunity is an amount that decreases as industry adoption increases. Although there was an apparent increase in electronic processing of health care attachments transactions from 2020 to 2024, we do not trend the benefits estimates forward because previously reported estimates of electronic processing adoption have tended to remain stable over a longer period of time. The CAQH estimation methodology only includes labor time savings, which it assesses to be, by far, the most significant component of savings. We do not include estimates of other sources of savings, such as through the elimination of mailing costs, so our benefit estimates may have a tendency toward understating actual ( printed page 14389) industry savings. [46 ] Because we believe that some portion of health care providers and their vendors may take longer to move from manual to fully automated transactions, we also assume a phased-in realization of the level of annual benefits projected by CAQH. For purposes of this analysis, we generally estimate that most interested parties will realize the benefits in labor savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date. The 3-year implementation timeline was chosen based on a combination of industry experience, realistic adoption timelines, and the desire to maintain consistency between implementation costs and savings. Past health care regulations often assumed multi-year implementation timelines to allow for adequate industry readiness. This 3-year timeline likely reflects lessons learned from prior transitions, where full compliance was phased in over a similar period. This approach also ensures that both costs and benefits are realized in a way that reflects typical patterns of adoption, while allowing for a gradual transition and adjustment period for interested parties in the health care industry.

Comment: A commenter underscored the benefits in using electronic authorizations such as time savings, financial savings, and a decrease in denials due to fewer administrative denials. Another commenter agreed with the time estimations regarding the submission of paper records versus electronic records. The commenter noted that some analyses of savings, such as those conducted by WEDI, do not explore the impact on private practice physical therapists. The commenter further noted that savings realized through implementation of the proposals would be split between health care providers and health plans but stated it is imperative that savings are split among those who actually provide care and not the insurance companies which can often stand in the way of paying for the provision of care.

Response: We thank the commenters for their feedback. The analysis included in this final rule addresses three types of providers: (1) clinicians; (2) hospitals; and (3) dentists. While further differentiation among each group is possible, the assumption is that the overall averages for each group capture the relevant utilization patterns for each of its subgroups, and we believe that further granularity, if the data existed, would not provide significantly different numbers. Private practice physical therapists are included in the group of clinicians. The commenters requesting a separate analysis for this group did not indicate its uniqueness, nor why the overall average for doctors does not suffice.

5. Costs and Benefits Determination for Each Industry

a. Hospitals

As previously discussed in the HIPAA Standards for Health Care Attachments proposed rule, to determine the costs for each health care provider sub-segment, we started with the minimum and maximum cost estimates included in the Modifications final rule for each type of entity. For hospitals, those estimates were within a range of $1,423 million to $2,848 million, adjusted for inflation (74 FR 3316). We further assume that hospital health IT developers will incur these costs, absorbing some portion of the costs as a cost of doing business incorporated in the current level of health IT service and maintenance agreements and passing some portion of the costs on to the hospital in the form of higher fees for enabling new functionality. This seems reasonable given our understanding that health IT vendors generally plan on, and finance, a certain level of ongoing system development through ongoing maintenance agreements, typically with annual increases, but also must keep these at a level that remains competitive in their niche market. [47 ] In other words, not all possible systems upgrades will be factored into current fees. We continue to have no information on how this allocation will be made and expect there will be many variations in practice, but, for purposes of this analysis, we again assume a 60/40 estimated cost split, with the vendor bearing 60 percent of the implementation costs and passing the remaining 40 percent on to the customer. In the HIPAA Standards for Health Care Attachments proposed rule, the cost estimates for hospitals were based on a range of costs from the Modifications final rule, adjusted for inflation, and costs were split between vendors and hospitals using that 60/40 estimated cost split, which is in line with industry practices. The 2024 CAQH report offers no information to alter this hospital/vendor cost distribution, and we continue to believe that a 60/40 split ensures that implementation costs and savings realizations are accounted for in a way that reflects the cost structure of health care.

As summarized in Table 1, this assumption results in the hospital share of costs to be in the range of $569 million to $1,139 million, with the remainder, in the range of $854 million to $1,709 million, to be borne by hospital health IT vendors.

( printed page 14390) To determine the benefits for hospitals, as discussed in the HIPAA Standards for Health Care Attachments proposed rule, we refer to the estimates of savings for medical providers reported by CAQH and assume that hospitals will achieve 20 percent of these savings (87 FR 78462). We continue to assume a rough 80/20 split between clinicians and hospitals because we believe the majority of health care claims attachments transactions will come from clinician practices, since plans and hospitals generally have other payment requirements for more expensive inpatient admissions and outpatient procedures, such that claims attachments would be required less frequently. So, we estimate the hospital share to be 20 percent of $650 million, or $130 million. To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate between $98 million to $130 million in annual savings, as summarized in Table 2.

With respect to timing of costs and benefits, we assume hospitals will have both the capital and business interest to move promptly to achieve the return on investment and will incur all costs during the 2-year implementation period, which is the timing for HIPAA covered entities to use the adopted standard. Hospitals will realize the full level of annual savings in and after the first operational year following the proposed compliance date, as summarized in Tables 5 and 6.

b. Clinicians

As discussed in the HIPAA Standards for Health Care Attachments proposed rule (87 FR 784622), we continue to follow the same methodology for estimating clinician costs and benefits as used in the Modifications final rule (74 FR 3316). For clinicians, in both rules, these cost estimates were within a range of $665 million to $1,329 million, adjusted for inflation (74 FR 3317). We assume a comparable level of effort to implement the health care claims attachments standards being adopted in this final rule. We further assume that clinician practice PMS and EHR vendors will incur these costs, absorbing some portion of the costs as a cost of doing business incorporated in the current level of health IT service and maintenance agreements and passing some portion of the costs on to the practices in the form of higher fees for enabling new functionality. We again assume a 60/40 estimated cost split, with the vendor bearing 60 percent of the implementation costs and passing the remaining 40 percent on to the customer. As summarized in Table 1, this results in a clinician share of costs in the range of $266 million to $532 million, with the remainder in the range of $399 million to $797 million to be borne by physician PMS and EHR vendors. We further assume that some clinician practices and their vendors may take more time to implement the standards while continuing to use manual processes in the meantime. Therefore, we estimate clinicians will incur these costs over a 4-year period at a rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 5.

To determine the benefits for clinicians, we again referred to the estimates of savings for medical providers reported in the CAQH Index reports and calculated the remaining 80 percent of these savings. CAQH estimated the total annual savings opportunity for medical providers for fully automating attachments transactions to be $328 million. So, we estimate the clinician share to be 80 percent of $650 million, or $520 million. To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate, or between $390 million to $520 million in annual savings, as summarized in Table 2. We further estimate that these benefits in labor savings will phase in over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date, as summarized in Table 6.

c. Dentists

As discussed in the HIPAA Standards for Health Care Attachments proposed rule, for dentists, we follow the same methodology for costs as we do for clinicians (87 FR 78462). The Modifications final rule cost estimates for dentists were within a range of $456 million to $913 million, adjusted for inflation (74 FR 3317). We assume a comparable level of effort to implement the adopted health care claims attachments standards. We further assume that dental practice PMS and EHR vendors will incur these costs, absorbing some portion of the costs as a cost of doing business incorporated in the current level of health IT service and maintenance agreements and passing some portion of the costs on to the dental practices in the form of higher ( printed page 14391) fees for enabling new functionality. We again assume a 60/40 estimated cost split, in which the vendor will bear 60 percent of the implementation costs and the remaining 40 percent will be passed on to the customer. As summarized in Table 1, this results in a share of costs for dentists in the range of $182 million to $365 million, with the remainder in the range of $274 million to $548 million borne by dental practice PMS and EHR vendors. As with clinicians, we further assume that some dental practices and their vendors may take more time to implement the standards, while continuing to use manual processes in the meantime. Therefore, we estimate dentists will incur these costs over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 5.

Given that the 2024 CAQH Index did not report on the potential savings opportunity for dental providers for full automation of attachments transactions, we take a different approach to benefits estimation. Comments included in testimony submitted to the NCVHS regarding the attachment standard during the 2016 NCVHS Hearing indicated that dentists supported the proposal to make the X12N 275 transaction the standard vehicle for transporting attachment content to dental claims. [48 ] These comments also indicated that many dental PMS vendor technologies may lack the capability to generate HL7 documents, requiring dentists to either upgrade existing systems or find alternative methods, such as using a clearinghouse or payer portals. Thus, we conclude that some dentists and their PMS vendors will incur costs associated with submitting attachment information to support claims, and others may maintain current manual or clearinghouse-mediated processes. Therefore, we assume that the savings opportunity for full automation of claims attachments for dentists will be a portion of the savings opportunity for medical providers. Since the total number of dental entities (118,045) is about 70 percent of the number of other provider entities (7,465 hospital establishments and 149,572 clinician firms), we estimate their savings opportunity will be no greater than 70 percent of the annual $328 million medical provider savings opportunity for attachments estimated by the CAQH 2024 Index. In addition, we assume that, given the relatively smaller size of dental practices, a greater proportion of dentists than clinicians may choose to retain manual processes. So, as summarized in Table 2, we estimate that the annual dentist savings opportunity is 50 percent of 70 percent of the medical provider opportunity, or $115 million (328 × 0.70 × 0.50). To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate, or between $86 million to $115 million in annual savings. As with the clinician estimates, we further estimate that these benefits in labor savings will phase in over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date, as summarized in Table 6.

d. PMS and EHR Vendors

In testimony given in the 2016 NCVHS Hearing, WEDI noted that a new functionality for providers implementing the attachment standards will be automating EHR systems to exchange data with the PMS and digital signatures. [49 ] Consistent with this assessment, the 2016 MITRE environmental scan, as discussed at the beginning of this section, found that many EHR vendors had the capability to send X12N 275 EDI transactions, but that substantial work remained to routinely and reliably extract structured clinical data for C-CDA attachments. Since that time, there has been both growth and consolidation in these industry segments. A health care provider entity's PMS and EHR systems may be bundled in one product offering, semi-integrated affiliated systems, or entirely independent systems offered by separate vendors. [50 ] So, readiness will vary widely for provider entities based on their health IT contractors.

Because developers of certified health IT are already familiar with CDA for meeting requirements under the ONC Health IT Certification Program, we believe all EHR vendors have some ability to extract data for C-CDA templates, although all may not have fully implemented or provided this functionality as part of core product offerings. A review of some of the largest EHR vendor websites in May 2021 provided informal evidence regarding C-CDA functionality. The results of this analysis suggested that about 80 percent of vendors had this functionality in place, 17 percent had at least partial functionality, and only 3 percent seemed to have none. The many other, smaller EHR vendors are likely in varying stages of readiness as well. Thus, we assume that additional implementation costs may be needed to reliably extract C-CDA documentation and to either integrate this content into internal EDI processes or exchange the documentation with another PMS.

Similarly, we assume PMS vendors contracted with clients that have a certified EHR have already largely developed the X12N 275 and X12N 277 standards for claims transactions, even if this functionality has not been enabled for all customers, and that the majority of the additional cost will be associated with receiving and managing the C-CDA payload. Because of this pre-existing functionality, we are again persuaded that implementing these final requirements is more akin to a standards upgrade than implementing a new standard for the first time. Based on the 2024 CAQH Index results that 32 percent of medical and 37 percent of dental attachment exchanges are occurring electronically, we are aware that some provider vendors have already successfully implemented the transmission of electronic attachments. Without data on the extent of the gaps, or on the difference in readiness between EHR and PMS vendors, we continue to assume similar costs across both types of vendors and treat them together. We also assume that other significant components of implementation costs will consist of trading partner testing and user training.

( printed page 14392) The results of the estimates are described for hospitals, clinicians, and dentists, as well as the split with their health IT vendors, in Table 1. We estimate that PMS and EHR vendor costs will add up across all customer segments to a range of $1,527 to 3,054 million. We assume some vendors or their customers or both may take more time to implement the standards. Therefore, we estimate vendors' costs will be incurred over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 5.

We have not identified any evidence that suggests there will be savings for this segment as a result of the changes in this final rule and we do not include any estimates of benefits for this segment.

e. Clearinghouses

From remarks recorded at the 2016 NCVHS Hearing, we understand that, by 2016, many entities in the clearinghouse industry had already fully implemented the standards being adopted in this final rule and were exchanging the transactions and clinical payloads with government and commercial health care entities, as well as with entities in other lines of business. [51 ] Fundamental to the clearinghouse business role is the ability to normalize disparate data formats, including both structured and unstructured clinical data, and unwrap and convert the data into standard or proprietary formats based on the varying capabilities and needs of payer and provider clients. We assume that this ability has generally become the business norm throughout the clearinghouse industry. As a result, we assume that clearinghouses will not have significant new technology development costs as a result of these provisions but will have significant new trading partner testing costs.

To estimate clearinghouse implementation costs, we considered information provided by a commenter, described in the Modifications final rule, that identified as a large clearinghouse (74 FR 3318). This commenter reported that projected costs would be at least $3.5 million ($4.3 adjusted for inflation) and would be affected by the amount of testing that would be required with trading partners—both providers and health plans. Based on this data point, as summarized in Table 3, we estimate that 23 large clearinghouse entities will each incur $4.3 million in implementation costs, and that the remaining 139 smaller clearinghouses will each incur $1.8 million in implementation costs, for a segment total of $349 million. To reflect the uncertainty around these projections, we estimate a range of 25 percent below and above this point estimate of between $262 million to $436 million in total costs. And since we assume some customers may take more time to implement the standards, we estimate clearinghouse will incur costs over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 5.

We have not identified any evidence that suggests there will be savings for clearinghouses as a result of the changes in this final rule and have not estimated any benefits for this segment.

f. Private Health Plans and Issuers

Based on our informal web searches conducted in May 2021 for plan websites that include EDI instructions for providers on submitting X12N 275 transactions, and the general absence of comments describing significant implementation burden in testimony submitted to the 2016 NCVHS Hearing, we believe health plans (or their clearinghouses) have generally already implemented the necessary technology to meet these final requirements. That includes: (1) currently implemented X12N transactions; and (2) at a minimum, having processes for collecting unstructured medical record data. Such data are currently used for auditing, risk coding validation, and other quality and utilization management processes. The 2024 CAQH Index reports that 32 percent of medical and 37 percent of dental attachment exchanges were occurring electronically in 2024. In addition, we understand that all health plans routinely collect medical record documentation from providers in a variety of ways, including through web portals and direct access to EHRs. [52 ] These facts suggest to us that health plans have either already automated these processes or have workarounds to manage the receipt of this information. Thus, we believe the additional effort associated with implementing our proposals may be limited to mapping existing backend processes to the new transaction processing front-end systems. Alternatively, the smaller the health plan, the more likely that entity may rely upon a clearinghouse for administrative and clinical data exchange and the more likely the status quo will continue.

In testimony during the 2016 NCVHS Hearing, WEDI noted that the functionality that will be new to payers in implementing the attachments standards will be the use of HL7 CDA LOINC codes, and other transport models that require different skill sets than EDI. Although payers routinely collect medical record documentation today, this does not necessarily mean that the ingestion, interpretation, and integration of clinical data is fully automated. However, we do not see evidence in testimony or public ( printed page 14393) comments that health plans anticipate a significant implementation effort related to additional technology development to handle the HL7 CDA and LOINC codes required by federal adoption of attachments standards. It is possible, given payer involvement with the rapid evolution of clinical data exchange standards, that health plans may not be incentivized to significantly enhance their current state of C-CDA handling, and may instead continue to rely on current processes, including the use of clearinghouses for intermediation where necessary. [53 ] For these reasons, we do not believe health plans will bear as significant a level of investment for system development for these final requirements as they did for the requirements of the Modifications final rule. However, they will likely incur implementation costs for trading partner testing if they exchange these transactions directly with providers rather than via clearinghouses.

In light of these considerations, we assume that the costs of implementation for health plans may be somewhat analogous to those for clearinghouses, but generally with fewer connections to test, since many transactions will be expected to continue to be exchanged through existing clearinghouse connections. Therefore, as summarized in Table 4, we estimate that private health plans will incur 50 percent of clearinghouse costs, and we increase that estimated range of $262 million to $436 million to reflect 4.8 times as many health plan entities (772/162 = 4.8). Thus, we estimate private health plans will incur implementation costs, driven mostly by trading partner testing, of $838 million (349 × 0.50 × 4.8). To reflect the uncertainty around these projections, we estimate a range of 25 percent below and above this point estimate of between $629 million to $1,048 million.

Given that we assume some portion of providers and their vendors may take longer to move from manual to fully automated transactions, we assume health plan testing costs will extend beyond the 2-year implementation period. So, for purposes of this analysis, we estimate that private health plans will incur costs over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years.

In estimating the benefits of the final rule for private health plans, we again referred to the estimates of savings reported by the 2024 CAQH Index report, but this time to those reported for plans. CAQH estimated the 2024 national annual plan savings opportunities for attachments. To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate between $108 million to $144 million in annual savings. We further assume that plans will realize the benefits in labor savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date, as summarized in Table 6.

g. Government Health Plans

Similar to private health plans, we believe Medicare, Medicaid (and state CHIP agencies in states where CHIP is administered separately), and the Veteran's Administration systems have largely implemented the ability to receive and manage health care claims attachment transactions through their health IT processing vendors and contracted managed care plans and will incur costs similar to the impacts estimated in the Modifications final rule for testing and training. We assume these costs will again largely be borne by the contracted vendors under existing contractual terms and agreements. Accordingly, to calculate government health plan costs, we used the same range of costs estimated in the Modifications final rule of $384 million to $734 million, adjusted for inflation. As discussed in the Modifications final rule, government systems costs are expected to occur across a number of federal and state agencies and include transition costs (73 FR 49770). For Medicare, since its cost structure is different from private plans, total Medicare costs include those that would be expended by the Medicare Administrative Contractors (MACs), durable medical equipment (DME) MACs, and other contractors. The costs are high, but the net benefit to Medicare relative to the private plans is slightly more positive. As we do with health care providers and private health plans, we further assume that costs will be incurred over a 4-year period. As summarized in Table 5, we estimate costs will be incurred at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years.

To calculate government health plan benefits, we started with the point estimate of $238 million savings due to the standards adopted in the Modifications final rule (74 FR 3318). To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate or between $179 million to $238 million in annual savings. As with other industry segments, and as summarized in Table 6, we further assume government health plans will realize the benefits in these savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second ( printed page 14394) operational year, and 100 percent in and after the third year after the compliance date.

h. Pharmacies

We believe pharmacies will generally not be impacted by the changes in this final rule. Comments from NCPDP submitted to the 2016 NCVHS Hearing indicated that: (1) pharmacies use the X12N 837 to bill medications and supplies covered under the Medicare Part B program and for professional pharmacy services covered under a medical plan; and (2) the type of claims submitted by pharmacy providers using the X12N 837 rarely require an attachment. As a result, we assume pharmacies will be affected by these provisions only in rare cases to support the billing of retail pharmacy supplies and professional services claims. Based on an NCPDP whitepaper, we further understand that a pharmacy needing to send attachment information to support an X12N 837 claim will generally be expected to employ existing batch processes to send attachment information to the same clearinghouse that converts their NCPDP billing transactions to X12N 837 Professional Claims for formatting and transmittal in the X12N 275. [54 ] Therefore, we assume that final changes to information exchanges between clearinghouses and health plans will continue to be managed by clearinghouses that serve this particular market. As a result, we conclude that pharmacies will generally not be affected by this final rule, and we estimate no costs and benefits for this segment.

6. Summary of Costs and Benefits for This Final Rule

Tables 5 and 6 are the compilation of the estimated costs and benefits for all the standards adopted in this final rule. Bear in mind, except for pharmacies, all of the other industries mentioned will incur costs over a four-year period, starting with the implementation of the requirements finalized in this rule. On the other hand, except for pharmacies, clearinghouses, and venders, all the other industries will incur benefits over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date. These benefits, henceforth, will continue into perpetuity.

( printed page 14395)

( printed page 14396)

( printed page 14397)

7. Regulatory Review Costs Estimate

One of the costs of compliance with a final rule is the necessity for affected entities to review the rule in order to understand what it requires and what changes the entity will have to make to come into compliance. We assume that 451,908 affected entities (listed in Table 2) will incur some of these costs, as they are the entities that will have to implement the final changes. The particular staff involved in such a review will vary from entity to entity but will generally consist of lawyers responsible for compliance activities (at all 451,908 entities) and individuals familiar with the technical X12N and HL7 standards at the level of a computer and information systems manager at private and government health plans, clearinghouses, and PMS and EHR vendors (a total of 1,937 entities). Using the Occupational Employment and Wages for May 2024 from the Bureau of Labor Statistics for lawyers (Code 23-1011) and computer and information system managers (Code 11-3021), we estimate that the national mean labor costs of reviewing this rule are $175.72 and $180.76 per hour, respectively, including overhead and fringe benefits. [55 ] We estimate that it will take approximately 2 hours for each staff person involved to review this final rule and its relevant sections and that, on average, one lawyer and two computer and information manager-level staff persons will engage in this review. For each entity that reviews the rule, the estimated costs are therefore $351.44 for lawyers, or $158.82 million (2 hours each × 1 staff × $175.72 × 451,908) for all affected entities. For each plan, clearinghouse, and PMS or EHR vendor, the estimated costs are therefore $180.76 for information system managers, or $1.40 million (2 hours each × 2 staff × $180.76 × 1,937) for all affected entities. Therefore, we estimate that the total cost of reviewing this rule is $160.22 million ($158.82 + $1.40).

D. Alternatives Considered

This rule finalizes the adoption of standards for health care claims attachments transactions, which support health care claims, as required by section 1173(a) of the Act. Our understanding is that the standards we are adopting in this rule are ready for full implementation across industry. We considered the following regulatory alternatives: (1) not adopt standards for health care claims attachments, allowing for the industry's continued use of multiple processes; (2) wait to adopt standards for health care claims attachments until alternate standards, such as FHIR standards, are ready for full implementation and recommended to the Secretary by the NCVHS and industry through all the HIPAA-required processes; and (3) adopt a different version of the X12 implementation specifications than Version 6020, the version proposed for adoption in the HIPAA Standards for Health Care Attachments proposed rule. We chose to proceed with the provisions in this rule after identifying significant shortcomings with each of these alternatives.

We chose to finalize adopting health care claims attachments standards rather than allowing for continued use of multiple processes because of the well-documented costs and administrative burdens associated with the many manual or partially electronic processes currently in use. These burdens were recently detailed in the 2024 CAQH Index. In response to multiple CAQH surveys, parties in the health care industry reported that the lack of federal standards and mandates has been a principal barrier to adoption of fully electronic standardized health care transactions. [56 ] Based on these survey responses, should we not adopt standards for health care claims attachments, most attachments transactions would use different (non-standard) software or electronic means, and some entities might continue to use fully manual processes. Not adopting standards for health care claims attachments transactions would also mean forgoing the opportunity to reduce the unnecessary back-and-forth between health care providers and health plans, accelerate claims adjudication and patient service approval timeframes, and reduce provider resources spent on manual follow-up activities.

Similarly, we chose not to hold off on finalizing the adoption of health care claims attachments standards until alternate standards, such as FHIR standards, are available and recommended by the industry, because we believe that adoption and implementation of the specifications in this final rule can immediately reduce the costs and burdens associated with the lack of national standards. While we are aware of HL7's efforts to create alternative implementation specifications to support health care claims attachments transactions, we note that, at the time of writing this final rule, these FHIR implementation specifications have not been finalized or tested. We also note that the HL7 CDA standard we are adopting in this final rule is the only currently available SSO-created, NCVHS-recommended standard with published implementation specifications designed to support claims attachments transactions. We believe that the industry's readiness for improvements to the manual or partially electronic process currently in place, as outlined in the multiple CAQH stakeholder surveys and supported by the NCVHS's recommendation to adopt the specifications in this rule, support finalizing the adoption of attachments standards at this time. We invited comments on our understanding of the readiness of possible implementation specifications for health care attachments that support both claim and prior authorization transactions and whether the industry supports postponement of an adopted standard as it had previously. Commenters overwhelmingly agreed that it was time for industry to adopt a health care claims attachment standard, however they raised concerns on requiring it with the prior authorization transaction standard.

Finally, we chose to finalize the adoption of Version 6020 of the X12N implementation specifications, rather than an alternate version such as Version 5010, because Version 5010 does not fully support health care claims attachments transactions. Version 6020 resolves technical issues and limitations in Version 5010 to enable attachments transactions that support health care claims. We also invited comments on any alternative implementation specifications that were not considered but met the criteria outlined in the HIPAA Standards for Health Care Attachments proposed rule. As stated previously, commenters agreed that moving to Version 6020 of the X12N implementation specifications was most appropriate for the actions being finalized in this rule.

E. Accounting Statement

As required by OMB Circular A-4, we have prepared an accounting statement in Table 7 showing the classification of the impact associated with the provisions of this rule. [57 ] Monetary annualized benefits and non-budgetary ( printed page 14398) costs are presented using 3 percent and 7 percent discount rates, over a 20-year time period.

F. Regulatory Flexibility Analysis

E.O. 13272 requires that HHS thoroughly review rules to assess and take appropriate account of their potential impact on small businesses, small governmental jurisdictions, and small organizations (as mandated by the RFA). The RFA requires agencies to analyze options for regulatory relief of small entities, if a rule has a significant impact on a substantial number of small entities. If a final rule has a significant economic impact on a substantial number of small entities, then the final rule must discuss steps taken, including alternatives considered, to minimize the burden on small entities. The Small Business Administration (SBA) advises that this absence of statutory specificity allows what is significant or substantial to vary, depending on the problem that is to be addressed in rulemaking, the rule's requirements, and the preliminary assessment of the rule's impact. Nevertheless, HHS typically considers a significant impact to be 3 to 5 percent or more of the affected entities' revenues.

The RFA requires agencies to analyze options for regulatory relief of small entities, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, we estimate that “almost all,” of the affected entities are small entities as that term is used in the RFA (that is, small businesses, nonprofit organizations, and small governmental jurisdictions). The great majority of hospitals and most other health care providers and suppliers are small entities, either by being nonprofit organizations or by meeting the SBA's definition of a small business by having revenues of less than $9.0 million to $47.0 million in any 1 year.

Accordingly, it is our normal practice to treat all health care providers as small entities. For health care providers, the changes made final by this rule may involve software upgrades for practice management and EHR systems. Thus, we expect that the vast majority of clinicians and other health care provider practices will need to make relatively small changes in their systems and processes but may incur additional service fees from their system vendors for additional functionality. Some of the smallest provider entities may elect to continue their current manual processes. We include pharmacies in this analysis and consider most of them to be small businesses. While we believe that few health plans meet the small business size standard, many health plans are non-profit organizations and will be considered small businesses; but we are unable to identify data to help us distinguish the number of these entities and thus solicited industry feedback for this final rule. We address clearinghouses, but we do not believe that there are a significant number of clearinghouses that will be considered small entities because of the level of consolidation in the marketplace. Because this final rule adopts initial standards for the exchange of both administrative and clinical documentation, we also address provider PMS and EHR vendors in our discussion but continue to be unable to identify data that will help identify the proportion of firms in these markets that meet the small business size standards. State Medicaid agencies (and state CHIP agencies in states where CHIP is administered separately) are excluded from this analysis because states are not considered small entities in any RFA.

Table 5 presents the estimated implementation costs that will affect all ( printed page 14399) of the entities mentioned. The data in that table are used in this analysis to provide cost information.

We have determined that the covered entities and their vendors affected by this final rule will likely fall primarily in the categories listed in Table 8.

Table 9 shows the distribution of small firms and revenues. According to this table, we can see and understand the disproportionate impacts among small firms and between small and large firms. According to the U.S. Census 2022 Statistics of U.S. Businesses (SUSB), the average revenue amounts to approximately $1,007,051 for all 552,979 small businesses that earn between $9 and $47 million (see Table 8 for the distribution). That is, the total revenue amounts to approximately $597 billion.

( printed page 14400)

Table 10 combines the small firm's size and revenue data with the cost estimates determined in this final rule to understand the economic impact on small entities.

( printed page 14401)

1. Number of Small Entities

We used the most recent revenue data available from the U.S. Census 2022 SUSB to determine the number of small entities and their revenue.

( printed page 14402)

Based on the latest available U.S. Census 2022 SUSB data records, we estimate that 552,979 health care provider entities may be considered small entities either because of their nonprofit status or because of their revenues, as detailed in Table 11. Approximately 0.27 percent (1,494) of these are hospitals, 25.58 percent (141,446) are clinician practices, and 21.61 percent (119,497) are dental practices. We believe that health IT systems are still more likely to differ at the firm level rather than at the establishment level. We continue to believe that this way of counting may overstate the number of affected entities in these segments, given the recent trends toward consolidation among and between provider types and toward increasing integration of health IT systems across collaborating organizations. However, this overestimation may compensate for other types of affected health care providers potentially not reflected in these particular industries. We note that “hospitals” include general medical and surgical, psychiatric and substance abuse, and specialty hospitals (NAICS 622). We further note that the number of 7,020 hospital establishments reflected in the U.S. Census 2022 SUSB business data roughly compares with more recent 2024 data from the American Hospital Association (AHA) indicating a total of 6,120 US hospitals, of which approximately 25 percent are for-profit. However, we do not have more detail, including data on the size of the hospitals included in this 25 percent, in order to determine whether any should be excluded from the count of small entities.

For consistency purposes, we used SUSB 2017 business data records to obtain the number of small pharmacy firms since the code for that provider was no longer available in the 2022 data, where such entities were reported under multiple different codes. The 2017 data reported a total of 18,912 small pharmacy firms. [58 ] For 2022, the SUSB designates code 803 entities as Direct Health and Medical Insurance Carriers. Comparable data on the eight smaller Health Maintenance Organization Medical Centers are not available due to small cell size suppression. Although health plan firms may not qualify as small entities under the SBA receipts size standard, they may under a non-profit status. However, we are not aware of data that will help us understand the relationship between health plan firms and ownership tax status to quantify the number of such firms. Therefore, we are not including an analysis of the impact on small health plans.

Clearinghouses provide transaction processing and data translation services to both health care providers and health plans that will be critical to implementing this final rule. The applicable NAICS category includes many types of financial transaction processing firms other than those affected by this rule, so the Census business data cannot be used to identify small entities of interest. In previous rulemaking, we have identified a largely consolidated market (74 FR 3312). More recently, in 2024, the National Clearinghouse Association, Cooperative Exchange, indicated its 18 member companies represent over 85 percent of the clearinghouse industry and provide services to over 750,000 provider organizations, through more than 8,000 payer connections and 1,000 health IT vendors. [59 ]

Other vendors affected by this rule include provider PMS and EHR technology system vendors. Counting the affected entities in these two segments is complicated, in part because they are increasingly integrated. A health care provider entity's PMS and EHR systems may be bundled in one product offering, semi-integrated affiliated systems, or entirely independent systems offered by separate vendors. [60 ] We have not identified publicly available data on the number, size, or market share of these specific parties in the health care industry. NAICS industry categories 541611, PMS Vendors, or 561990, All Other Support Services (EHR Vendors) seem to be the ( printed page 14403) closest categories. According to the 2022 SUSB, these categories included over 102,686 small firms. However, this total seems out of proportion to other potential indicators of market size, leading us to believe it significantly overstates the affected entities of interest to this final rule. For instance: (1) the aforementioned Cooperative Exchange description of member firms scope cited connections with 1,000 health IT vendors; (2) in 2019, market research estimates indicated there were over 500 vendors offering some type of EHR product; (3) the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule (85 FR 25642) estimated the number of certified health IT developers with health IT products capable of recording electronic health information certified in the 2015 Edition of Health IT certification criteria to be 458; and (4) the EHR Association, a trade association of EHR companies addressing national efforts to create interoperable EHRs in hospital and ambulatory care settings, lists 29 companies as members. [61 62 ] A web search for NAICS codes associated with a sampling of these EHR Association member companies yielded many different NAICS codes (including some with 561990), possibly reflecting widely varying scopes of other products and services offered by firms in this market segment. Without more definitive data on the firms specific to the health care provider PMS and EHR business markets, we continue to estimate that the number of affected firms is around 1,000, with the bulk of market share served by a relatively small number of large entities and the remainder of market share served by many smaller entities. However, we are still unable to determine how many of these smaller entities may meet small business standards and are not subsidiaries of larger firms, so we do not include them in this small entity analysis.

2. Costs to Small Entities

To determine the economic impact on the health care providers considered to be small entities for this analysis (identified in the previous section), we used the U.S. Census 2022 SUSB business data to collect revenue estimates and compared these to the net annualized primary cost estimates including the regulatory review costs ($14.13 million) as summarized in Table 10. When the net annualized primary cost estimates were determined, there were $34.46 million for the industries overall. We calculated the percentage of revenue represented by the primary estimates, and small businesses earning less than $100,000 exceeded the 3 to 5 percent of the revenue threshold, as summarized in Table 10 (11.7 percent). However, overall, all of the small businesses that earn between $100,000 or less and $499 million, did not exceed the 3 to 5 percent of the revenue threshold. That threshold is only 0.6 percent. If the net annualized costs are $34.46 million, then each of the 552,979 small businesses incurs a net annualized cost of $62.32, regardless of their size by receipts. That is, each firm would incur a cost of only $62.32. Thus, for the purposes of this RFA, there were no disproportionate impacts among small firms, and between small and large firms.

Therefore, for the purposes of the RFA analysis, we can conclude there is no impact on all the small entities. As a measure of significant economic impact on a substantial number of small entities, HHS uses a change in revenue of more than 3 to 5 percent. None of the small entities came close to meeting the 3 to 5 percent threshold. Even if the regulatory review costs were included in the cost estimates, the 3 to 5 percent change in revenue would still not be reached.

As such, we do not believe that this threshold will be reached by the requirements in this final rule. Therefore, the Secretary has certified that this rule will not have a significant economic impact on all the small entities identified.

Comment: A commenter expressed concern regarding HHS's assertion that the adoption of these changes will result in benefits that will outweigh the costs. The commenter recommended HHS consider mitigation strategies for Special Needs Plans (SNP), such as locally committed and smaller plans undertaking efforts to overcome challenges to comply with the final requirements in this rule, as these entities were not included in the analyses presented in the RIA section of the proposed rule.

Response: While we appreciate the commenter's concern, HHS was not provided with any alternative data to consider deriving with the estimated costs for SNPs. Therefore, for the purposes of this response and this final rule, we believe that SNPs fall into the category of health plans. We included an analysis of the impact specifically on small health plans in the proposed rule, and continue to do so in this final rule, and we received no comments on our small health plan cost assumptions. Moreover, as stated in section VI.C.1. of this final rule, an important consideration reflected in various industry testimonies submitted to the NCVHS is that some interested parties, particularly smaller health care providers, will continue to have the option to leverage existing clearinghouses to provide these information exchange services based on negotiated rates. This is a standard practice today, where clearinghouses already manage 90 percent of the conversion of paper-to-electronic formats, as well as reformatting of non-compliant to compliant electronic claim transactions for the industry.

However, because of the relative uncertainty in the data, the lack of consistent industry data, and our general assumptions, we invited public comments on the analysis, requesting any additional data that would help us determine more accurately the economic impact on all the industries affected by this final rule, and did not receive any. We note that we did, where appropriate, update our calculations using current data.

In addition, section 1102(b) of the Act requires us to prepare an RIA if a rule will have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 604 of the RFA. For the purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. This final rule will not have a significant effect on the operations of a substantial number of small rural hospitals because these entities will rely on contracted health IT vendors for the majority of implementation investment and efforts such hospitals elect to implement. We note that health care providers may choose not to conduct transactions electronically. Therefore, they will be required to use these standards only for transactions that they conduct electronically and will be expected to do so only when the benefits clearly outweigh the costs involved. As such, the Secretary has certified that this final rule will not have a significant impact on the operations of a substantial number of small rural hospitals.

G. Unfunded Mandates Reform Act (UMRA)

Section 202 of UMRA also requires that agencies assess anticipated costs and benefits before issuing any rule ( printed page 14404) whose mandates will require spending more in any one year than threshold amounts in 1995 dollars, updated annually for inflation. In 2025, this threshold is approximately $187 million. This final rule may impose mandates that will result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of more than $187 million in any one year. In general, each state Medicaid agency, and each state CHIP agency in states where CHIP is administered separately, and any other government entity that is considered a covered entity, will be required to ensure that its contracted claim processors update software and conduct testing and training to implement the adoption of the new standards and modified versions of a previously adopted standard. However, we have no reason to believe that ongoing contractual payment arrangements for these services will necessarily increase as a result of the proposed changes. UMRA does not address the total cost of a rule. Rather, it focuses on certain categories of cost, mainly federal mandate costs resulting from imposing enforceable duties on state, local, or tribal governments, or on the private sector; or increasing the stringency of conditions in, or decreasing the funding of, state, local, or tribal governments under entitlement programs.

H. Federalism

E.O. 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. This final rule will have a substantial direct effect on state or local governments, could preempt state law, or otherwise have a federalism implication because state Medicaid agencies, and state CHIP agencies when administered separately from Medicaid, or their contractors will be implementing new standards and a modified version of an existing standard for which there will be expenses for implementation and wide-scale testing.

I. Executive Order (E.O.) 14192, “Unleashing Prosperity Through Deregulation”

E.O. 14192, titled: “Unleashing Prosperity Through Deregulation” was issued on January 31, 2025, and requires that “any new incremental costs associated with new regulations shall, to the extent permitted by law, be offset by the elimination of existing costs associated with at least 10 prior regulations.” This final rule is considered an E.O. 14192 regulatory action. We estimate that this final rule will generate $333 million in annualized costs at a 7 percent discount rate, over a perpetual time horizon.

This final rule is subject to the Congressional Review Act (5 U.S.C. 801 et seq.) and has been transmitted to the Congress and the Comptroller General for review.

List of Subjects

45 CFR Part 160

Administrative practice and procedure, computer technology, health care, health facilities, health insurance, health records, hospitals
Medicaid
Medicare
CHIP Penalties
Reporting and recordkeeping requirements

45 CFR Part 162

Administrative practice and procedures, electronic transactions, health facilities, health insurance, hospitals, incorporation by reference
Medicaid
Medicare
CHIP reporting and recordkeeping requirements For the reasons set forth in this preamble, the Department of Health and Human Services amends 45 CFR parts 160 and 162 to read as follows:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

The authority citation for part 160 continues to read as follows:

Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, sec. 264 of Pub. L. 104 191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)), 5 U.S.C. 552; secs. 13400 and 13424, Pub. L. 111-5, 123 Stat. 258-279, and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

In § 160.103, revise paragraph (10) of the definition of “Transaction” to read as follows:

§ 160.103 Definitions. * * * * *

Transaction * * *

(10) Health care claims attachments.

PART 162—ADMINISTRATIVE REQUIREMENTS

The authority citation for part 162 continues to read as follows:

Authority: 42 U.S.C. 1320d—1320d-9 and secs. 1104 and 10109 of Pub. L. 111-148, 124 Stat. 146-154 and 915-917.

Section 162.103 is amended by adding the definitions of “Attachment information” and “Electronic signature” to read as follows:

§ 162.103 Definitions. * * * * * Attachment information means documentation that enables the health plan to make a decision about health care that is not included in a health care claims or equivalent encounter information transaction, as described in § 162.1101.

- * * * Electronic signature means an electronic sound, symbol, or process, attached to, or logically associated with attachment information and executed by a person with the intent to sign the attachment information.
- * * * 5. Section 162.920 is amended by:

a. Revising the introductory text and paragraph (a) introductory text; and

b. Adding paragraphs (a)(19) and (20) and (e).

The revisions and additions read as follows:

§ 162.920 Availability of implementation specifications and operating rules. Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that specified in this section, the Department of Health and Human Services must publish a document in the Federal Register and the material must be available to the public. All approved incorporation by reference (IBR) material is available for inspection at the Centers for Medicaid & Medicare Services (CMS) and the National Archives and Records Administration (NARA). Contact CMS at: 7500 Security Boulevard, Baltimore, Maryland 21244; administrativesimplification@cms.hhs.gov; (410) 786-6597. For information on the availability of this material at NARA, www.archives.gov/federal-register/cfr/ibr-locations or email fr.inspection@nara.gov. The material may be obtained from the following source(s):

(a) ASC X12, 7600 Leesburg Pike, Suite 430, Falls Church, VA 22043; Telephone (703) 970-4480; www.X12.org. ASC X12N specifications and the ASC X12 Standard for Electronic Data Interchange Technical Report Type 3:

* * * * (19) The ASC X12N/006020X314, Additional Information to Support a Health Care Claim or Encounter (275), September 2014; as referenced in § 162.2002(c).

(20) The ASC X12N/006020X313, Health Care Claim Request for Additional Information (277), ( printed page 14405) September 2014; IBR approved for § 162.2002(d).

* * * * (e) Health Level Seven International (HL7), 3300 Washtenaw Avenue, Suite 227, Ann Arbor, MI 48104; Telephone (734) 677-7777; F www.hl7.org.

(1) HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 2—US Realm, Version 2.1.0.1; September 2023; IBR approved for § 162.2002(a).

(2) HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One—Introductory Material, August 2015 with 2019 June Errata; IBR approved for § 162.2002(b).

(3) HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two—Templates and Supporting Material, June 2019; IBR approved for § 162.2002(b).

(4) HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1, Draft Standard for Trial Use, October 2014; IBR approved for § 162.2002(e).

Add subpart T, consisting of §§ 162.2001 and 162.2002 to read as follows:

Subpart T—Health Care Claims Attachments

162.2001 Health care claims attachments transaction. 162.2002 Standards for health care claims attachments transaction. § 162.2001 Health care claims attachments transaction. A health care claims attachments transaction is the transmission of either of the following:

(a) Attachment information from a health care provider to a health plan in support of a health care claims or equivalent encounter transaction, as described in § 162.1101.

(b) A request from a health plan to a health care provider for attachment information.

§ 162.2002 Standards for health care claims attachments transaction. The Secretary adopts the following standards for the period on and after May 26, 2028:

(a) For transmissions described in § 162.2001, HL7 CDA Release 2: Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 2—US Realm, Version 2.1.0.1 September 2023 (incorporated by reference, see § 162.920).

(b) For transmissions described in § 162.2001(a)—

(1) HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One—Introductory Material, August 2015 with 2019 June Errata (incorporated by reference, see § 162.920)

(2) HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two—Templates and Supporting Material, June 2019 (incorporated by reference, see § 162.920).

(c) For transmissions described in § 162.2001(a), the ASC X12N/06020X314—Additional Information to Support a Health Care Claim or Encounter (275) (incorporated by reference, see § 162.920).

(d) For transmissions described in section 162.2001(b) that pertain to § 162.2001(a) transmissions, the ASC X12N/006020X313—Health Care Claim Request for Additional Information (277) (incorporated by reference, see § 162.920).

(e) For transmissions described in § 162.2001(a), where a health care provider uses an electronic signature, the HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1, Draft Standard for Trial Use, October 2014 (incorporated by reference, see § 162.920).

Robert F. Kennedy, Jr.,

Secretary, Department of Health and Human Services.

Footnotes

                         The proposed rule that preceded this final rule named an earlier iteration of this HL7 Attachments IG (Release 1, March 2017). The iteration of the HL7 Attachments IG named in this final rule (Release 2, March 2022) contains cumulative technical updates that are defined as “maintenance.” Additional discussion regarding this can be found in section III.E. of this final rule.

Back to Citation 2.

                         See [45 CFR 162.103](https://www.ecfr.gov/current/title-45/section-162.103) for the definition of standard transaction.

Back to Citation 3.

                         As we noted in the Administrative Simplification: Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard proposed, at that time CAQH CORE had developed operating rules for attachments but the NCVHS had yet to evaluate them and make a recommendation to the Secretary, thus they were not proposed for adoption ([87 FR 78445](https://www.federalregister.gov/citation/87-FR-78445)).

Back to Citation 4.

                         We clarify that, in this final rule, we frequently use the shorthand “health care claims” to speak of health care claims or equivalent encounter information transactions under [45 CFR 161.1101](https://www.ecfr.gov/current/title-45/section-161.1101). We note that attachments would most likely be requested for health care claims (§ 161.1101(a)) involving payment, rather than for “equivalent encounter information” transactions (§ 161.1101(b)) involving the “transmission of encounter information for the purpose of reporting health care.”

Back to Citation 5.

                         X12. (n.d.). Retrieved from *<a href="https://x12.org/">https://X12.org/</a>.*

Back to Citation 6.

                         Health Level Seven International. (n.d.). Retrieved from *<a href="https://www.hl7.org/">https://www.HL7.org/</a>.*

Back to Citation 7.

                         Health Level Seven International. (n.d.). HL7 Balloting. Retrieved from *[https://confluence.hl7.org/display/HL7/HL7+Balloting](https://confluence.hl7.org/display/HL7/HL7+Balloting).*

Back to Citation 8.

                         Health Level Seven International. (n.d.). Retrieved from *<a href="https://www.hl7.org/">https://www.hl7.org/</a>.*

Back to Citation 9.

                         Logical Observation Identifiers Names and Codes from Regenstrief. (n.d.). Retrieved from *<a href="https://loinc.org/">https://loinc.org/</a>.*

Back to Citation 10.

                         CPT® is a registered service mark of the American Medical Association.

11.

                         The CDT code set is a proprietary code set.

Back to Citation 12.

                         Health Level Seven International. (2023). Guide to Using HL7 Trademarks. Retrieved from *[http://www.hl7.org/legal/trademarks.cfm?ref=nav](http://www.hl7.org/legal/trademarks.cfm?ref=nav).* HL7 requires the registered trademark with the first use of its name in a document, for which policies are available on its website at *[www.HL7.org](http://www.hl7.org/).*

Back to Citation 13.

                         At the time this final rule was being drafted, the NCVHS website was undergoing maintenance. National Committee on Vital and Health Statistics. (n.d.). Retrieved from *<a href="https://ncvhs.hhs.gov/">https://ncvhs.hhs.gov/</a>.* Website references herein to NCVHS recommendation and artifacts reflect access made prior to the initiation of maintenance mode and also appeared in the proposed rule. Current inquiries seeking NCVHS recommendation letters and other artifacts referenced herein should be directed to: *[FACMT@cdc.gov](mailto:FACMT@cdc.gov).*

Back to Citation 14.

                         National Committee on Vital and Health Statistics. (2012, March 2). Claim Attachments. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120302lt1.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120302lt1.pdf).*

Back to Citation 15.

                         National Committee on Vital and Health Statistics. (2021, May 5). Recommendations to Designate an Authoring Entity and Ensure Industry Collaboration for the Development of Operating Rules for Health Care Administrative Transactions. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120505lt.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120505lt.pdf).*

Back to Citation 16.

                         National Committee on Vital and Health Statistics. (2013, June 21). Attachments Standards for Health Care. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2014/05/130621lt2.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2014/05/130621lt2.pdf).*

Back to Citation 17.

                         National Committee on Vital and Health Statistics. (2016, July 5). Recommendations for the Electronic Health Care Attachment Standard. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf).*

Back to Citation 18.

                         National Committee on Vital and Health Statistics. (2022, March 30). Recommendations to Modernize Aspects of HIPAA and Other HIT Standards to Improve Patient Care and Achieve Burden Reduction. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf).*

Back to Citation 19.

                             National Committee on Vital and Health Statistics. (2022, March 30). Recommendations to Modernize Aspects of HIPAA and Other HIT Standards to Improve Patient Care and Achieve Burden Reduction. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf).*

Back to Citation 20.

                         The Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange. (2019). CAQH CORE Report on Attachments: A Bridge to a Fully Automated Future to Share Medical Documentation. Retrieved from *[https://www.caqh.org/hubfs/43908627/drupal/core/core-attachments-environmental-scan-report.pdf](https://www.caqh.org/hubfs/43908627/drupal/core/core-attachments-environmental-scan-report.pdf).*

Back to Citation 21.

                         National Committee on Vital and Health Statistics. (2020, August 25). NCVHS Standards Subcommittee on Standards Hearing on Request for NCVHS Review of CAQH CORE Operating Rules for Federal Adoption. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2020/09/Standards-Transcript-8-25-20Final-508.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2020/09/Standards-Transcript-8-25-20Final-508.pdf).*

Back to Citation 22.

                         
                        See [45 CFR 162.1301](https://www.ecfr.gov/current/title-45/section-162.1301).

Back to Citation 23.

                         National Committee on Vital and Health Statistics. (2016, July 5). Recommendations for the Electronic Health Care Attachment Standard. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf).*

Back to Citation 24.

                         As we observe at n.4, while this also includes “equivalent encounter information” transactions (§ 161.1101(b)), attachments more likely would be requested for health care claims (§ 161.1101(a)) involving payment as opposed to the “transmission of encounter information for the purpose of reporting health care.”

Back to Citation 25.

                         For additional information about the business and operational processes involved in the exchange of these standards, we refer readers to the aforementioned November 2017 WEDI whitepaper and the HL7 CDA® R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1 (Universal Realm) for more technical information. Both are available at: *<a href="https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/">https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/</a>.*

Back to Citation 26.

                         National Committee on Vital and Health Statistics. (2022 March 30). Recommendations to Modernize Aspects of HIPAA and Other HIT Standards to Improve Patient Care and Achieve Burden Reduction. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf).*

Back to Citation 27.

                         
                        See [42 CFR 162.103](https://www.ecfr.gov/current/title-42/section-162.103).

Back to Citation 28.

                         On July 25, 2024, HHS announced a reorganization to streamline and bolster technology, cybersecurity, data, and AI strategy and policy functions which had historically been distributed across HHS. As part of the reorganization, ONC has been renamed the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC) and has assumed oversight over technology. For more information on this reorganization refer to the press release available at: *[https://www.hhs.gov/about/news/2024/07/25/hhs-reorganizes-technology-cybersecurity-data-artificial-intelligence-strategy-policy-functions.html](https://www.hhs.gov/about/news/2024/07/25/hhs-reorganizes-technology-cybersecurity-data-artificial-intelligence-strategy-policy-functions.html).*

Back to Citation 29.

                         Health Level Seven International. (HL7). Understanding C-CDA and the C-CDA Companion Guide. Retrieved from *[https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/understanding_c-cda_and_the_c-cda_companion_guide.html](https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/understanding_c-cda_and_the_c-cda_companion_guide.html).*

Back to Citation 30.

                         Health Level Seven International (HL7). (2022, March 8). HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 2—U.S. Realm. Retrieved from *[https://www.hl7.org/implement/standards/product_brief.cfm?product_id=464](https://www.hl7.org/implement/standards/product_brief.cfm?product_id=464).*

Back to Citation 31.

                         H.R. 133—116th Congress (2019-2020): Consolidated Appropriations Act, 2021. (2020, December 27).

Back to Citation 32.

                         This September 2023 document was issued as technical errata to the March 2022 document that has been referenced in an earlier section of this final rule, and does not contain substantive changes to the March 2022 specifications.

Back to Citation 33.

                         The Council for Affordable Quality Healthcare, Inc. (n.d.). 2024 CAQH Index Report. Retrieved from *[https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf](https://www.caqh.org/hubfs/Index/2024%2520Index%2520Report/CAQH_IndexReport_2024_FINAL.pdf).*

Back to Citation 34.

                         Guidance on Implementation of Standard Electronic Attachments for Healthcare Transactions November 2017 Workgroup for Electronic Data Interchange. Retrieved from *<a href="https://www.wedi.org/2017/11/17/guidance-on-implementation-of-standard-electronic-attachments-for-healthcare-transactions/">https://www.wedi.org/2017/11/17/guidance-on-implementation-of-standard-electronic-attachments-for-healthcare-transactions/</a>.*

Back to Citation 35.

                         Guidance on Implementation of Standard Electronic Attachments for Healthcare Transactions November 2017 Workgroup for Electronic Data Interchange. Retrieved from *<a href="https://www.wedi.org/2017/11/17/guidance-on-implementation-of-standard-electronic-attachments-for-healthcare-transactions/">https://www.wedi.org/2017/11/17/guidance-on-implementation-of-standard-electronic-attachments-for-healthcare-transactions/</a>.*

Back to Citation 36.

                         The Council for Affordable Quality Healthcare, Inc. (n.d.). 2019 CAQH Index Report. Retrieved from *[https://www.caqh.org/sites/default/files/explorations/index/report/2019-caqh-index.pdf](https://www.caqh.org/sites/default/files/explorations/index/report/2019-caqh-index.pdf).*

37.

                         The Council for Affordable Quality Healthcare, Inc. (n.d.). 2020 CAQH Index Report. Retrieved from *[https://www.caqh.org/hubfs/43908627/drupal/explorations/index/2020-caqh-index.pdf](https://www.caqh.org/hubfs/43908627/drupal/explorations/index/2020-caqh-index.pdf).*

Back to Citation 38.

                         The Council for Affordable Quality Healthcare, Inc. (n.d.). 2024 CAQH Index Report. Retrieved from *[https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf](https://www.caqh.org/hubfs/Index/2024%2520Index%2520Report/CAQH_IndexReport_2024_FINAL.pdf).*

Back to Citation 39.

                         NCVHS Letter to the Secretary of HHS on Recommendations for the Electronic Health Care Attachment Standard, July 5, 2016. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf).*

Back to Citation 40.

                         NCVHS Letter to the Secretary of HHS on Recommendations for the Electronic Health Care Attachment Standard, July 5, 2016. Retrieved from *[https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf](https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf).*

41.

                         In an RIA that, in accordance with OMB Circular A-4, takes a society-wide perspective, changes in timing of payments represent a transfer, rather than a net societal cost savings.

Back to Citation 42.

                         U.S. Inflation Calculator. (n.d.). Current U.S. Inflation Rates: 2000-2026. Retrieved from *[https://www.usinflationcalculator.com/inflation/current-inflation-rates/#:~:text=To%20find%20annual%20inflation%20rates,rate%20in%202023%20was%203.4%25](https://www.usinflationcalculator.com/inflation/current-inflation-rates/#:~:text=To%2520find%2520annual%2520inflation%2520rates,rate%2520in%25202023%2520was%25203.4%2525).*

Back to Citation 43.

                         ASTP/ONC *HealthIT.gov.* (n.d.). Office-based Physician Electronic Health Record Adoption. Retrieved from *[https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records](https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records).*

Back to Citation 44.

                         Cost estimate ranges from the January 2009 Modifications final rule were adjusted for inflation using the Bureau of Labor Statistics Consumer Price Index Inflation Calculator, to reflect amounts for January 2020 and round up to the nearest whole number to match benefits estimates from the CAQH 2020 Index. Retrieved from *[https://www.bls.gov/data/inflation_calculator.htm](https://www.bls.gov/data/inflation_calculator.htm).*

Back to Citation 45.

                         Version 5010 Regulatory Impact Analysis-Supplement. September 2008. Retrieved from *[https://www.cms.gov/files/document/5010regulatoryimpactanalysissupplementpdf](https://www.cms.gov/files/document/5010regulatoryimpactanalysissupplementpdf).*

Back to Citation 46.

                         On the other hand, CAQH developed estimates from the experience of entities that voluntarily automated, and extrapolation from such voluntary experience to the regulatory context may generate a tendency toward overestimation of savings, on a per-unit basis and/or in the aggregate. We welcomed comments that would have facilitated refinement of estimates.

Back to Citation 47.

                         Pratt, M. (2018, May 30). The true cost of switching EHRs. Medical Economics Journal, 96(10). Retrieved from *[https://www.medicaleconomics.com/view/true-cost-switching-ehrs](https://www.medicaleconomics.com/view/true-cost-switching-ehrs).*

Back to Citation 48.

                         At the time this final rule was being drafted, the NCVHS website was undergoing maintenance. NCVHS Subcommittee on Standards. Agenda of the February 16, 2016 NCVHS Subcommittee on Standards Hearing. Retrieved from *<a href="https://ncvhs.hhs.gov/meetings/agenda-of-the-february-16-2016-ncvhs-subcommittee-on-standards-hearing/">https://ncvhs.hhs.gov/meetings/agenda-of-the-february-16-2016-ncvhs-subcommittee-on-standards-hearing/</a>.*

Back to Citation 49.

                         At the time this final rule was being drafted, the NCVHS website was undergoing maintenance. Transcript of the February 16, 2016 NCVHS Subcommittee on Standards. Retrieved from *<a href="https://ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-february-16-2016-ncvhs-subcommittee-on-standards/">https://ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-february-16-2016-ncvhs-subcommittee-on-standards/</a>.*

Back to Citation 50.

                         Pratt, M. (2018, May 30). The true cost of switching EHRs. Medical Economics Journal, 96(10). Retrieved from *[https://www.medicaleconomics.com/view/true-cost-switching-ehrs](https://www.medicaleconomics.com/view/true-cost-switching-ehrs).*

Back to Citation 51.

                         At the time this final rule was being drafted, the NCVHS website was undergoing maintenance. Transcript of the February 16, 2016 NCVHS Subcommittee on Standards. Retrieved from *<a href="https://ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-february-16-2016-ncvhs-subcommittee-on-standards/">https://ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-february-16-2016-ncvhs-subcommittee-on-standards/</a>.*

Back to Citation 52.

                         For example, see: Payer Access to EHRs: What Providers Need to Know. Journal of AHIMA. October 9, 2019. Retrieved from *[https://journal.ahima.org/page/payer-access-to-ehrs-what-providers-need-to-know](https://journal.ahima.org/page/payer-access-to-ehrs-what-providers-need-to-know).*

Back to Citation 53.

                         Final Report Of The Health Information Technology Advisory Committee's Intersection of Clinical And Administrative Data Task Force To The National Coordinator For Health Information Technology. (2020, November 17) A Path Toward Further Clinical and Administrative Data Integration. Retrieved from *[https://www.healthit.gov/sites/default/files/page/2020-11/2020-11-17_ICAD_TF_FINAL_Report_HITAC.pdf](https://www.healthit.gov/sites/default/files/page/2020-11/2020-11-17_ICAD_TF_FINAL_Report_HITAC.pdf).*

Back to Citation 54.

                         NCPDP White Paper on Pharmacy Professional Service Billing. Retrieved from *[https://www.ncpdp.org/NCPDP/media/pdf/WhitePaper/Billing-Guidance-for-Pharmacists-Professional-and-Patient-Care-Services-White-Paper.pdf?ext=.pdf](https://www.ncpdp.org/NCPDP/media/pdf/WhitePaper/Billing-Guidance-for-Pharmacists-Professional-and-Patient-Care-Services-White-Paper.pdf?ext=.pdf).*

Back to Citation 55.

                         U.S. Bureau of Labor Statistics. (2024, May 3). May 2024 National Occupational Employment and Wage Estimates. Retrieved from *<a href="https://data.bls.gov/oesprofile/">https://data.bls.gov/oesprofile/</a>.*

Back to Citation 56.

                         The Council for Affordable Quality Healthcare, Inc. (n.d.). 2024 CAQH Index Report. Retrieved from *[https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf](https://www.caqh.org/hubfs/Index/2024%2520Index%2520Report/CAQH_IndexReport_2024_FINAL.pdf).*

Back to Citation 57.

                         Management and Budget Office. (2003, October 9). Circular A-4, Regulatory Analysis. Retrieved from *[https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf](https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf).*

Back to Citation 58.

                         Note, the NAICS code for this industry changed in 2022, and now include NAICS 454110, Electronic Shopping and Mail Order Retail and 454390, Other Direct Selling Establishments; however, 2022 revenue data are not available. For this reason, 2017 revenue data will be used in this analysis.

Back to Citation 59.

                         From testimony submitted for the 7/23/2024 US Senate Finance Committee. Retrieved from *[https://s3.amazonaws.com/amo_hub_content/Association618/files/Cooperative%20Exchange%20-%20Senate%20Finance%20Committee%20-%20final.pdf](https://s3.amazonaws.com/amo_hub_content/Association618/files/Cooperative%2520Exchange%2520-%2520Senate%2520Finance%2520Committee%2520-%2520final.pdf).*

Back to Citation 60.

                         Pratt, M. (2018, May 30). The true cost of switching EHRs. Medical Economics Journal, 96(10). Retrieved from *[https://www.medicaleconomics.com/view/true-cost-switching-ehrs](https://www.medicaleconomics.com/view/true-cost-switching-ehrs).*

Back to Citation 61.

                         Green, J. (2019, October 18). Who are the largest EHR vendors. EHR in Practice. Retrieved from *[https://www.ehrinpractice.com/largest-ehr-vendors.html](https://www.ehrinpractice.com/largest-ehr-vendors.html).*

62.

                         HIMSS Electronic Health Record Association. (n.d.). EHR Association Members. Retrieved from *[https://www.ehra.org/membership/ehra-members](https://www.ehra.org/membership/ehra-members).*

Back to Citation BILLING CODE 4120-01-P

BILLING CODE 4120-01-C

[FR Doc. 2026-05676 Filed 3-20-26; 4:15 pm]

Published Document: 2026-05676 (91 FR 14350)