Resources
CMS Claims Attachment Rule: Frequently Asked Questions for Health Care Providers and Organizations
Q: What is the CMS claims attachment rule?
A: The CMS claims attachment rule establishes HIPAA standards for documentation submitted to support electronic health care claims transactions and the digital signatures used in conjunction with them. The rule requires standardized electronic submission of supporting documentation using the Health Level 7 (HL7) framework.
Q: What is a health care claims attachment?
A: A health care claims attachment is supporting documentation requested by a health plan or payor to evaluate a health care claim. Examples may include medical records, clinical notes, diagnostic testing results, and other documentation necessary to support payment of a claim.
Q: Why is CMS requiring health care claims attachments to be submitted electronically?
A: While health care claims have been submitted electronically for many years, until now, there have been no standard requirements for how to submit the additional documentation supporting the claims when requested by a payor. For decades, that documentation has usually been submitted by fax or by postal mail, often causing significant delays in receipt and processing. The regulations, issued under HIPAA’s administrative simplification standards, are expected to both enhance security by requiring all submissions to meet specific standards for the protection of PHI and to improve efficiency by reducing processing times. CMS expects the new standards to save significant time and money across the health care industry.
Q: What is HL7 and why is it required for claims attachments?
A: HL7 is a widely adopted set of international standards used in health care to facilitate the exchange of information. HL7 operates as a sort of universal translator for health data. If each health provider, hospital department, payor, biller, and electronic health record system speaks a different language, the HL7 framework translates all of them into a common language so that different systems and providers can understand each other and exchange data more easily. In addition, the regulations require that electronic record transmissions be authenticated via digital signatures that adhere to the Digital Signatures Guide within the HL7 framework.
Q: Do health care claims attachments require digital signatures?
A: Yes. The regulations require that electronic record transmissions be authenticated using digital signatures that adhere to the Digital Signatures Guide within the HL7 framework.
Q: What are the new HIPAA requirements for health care claims attachments?
A: When payors request additional documentation to support a health care claim, affected entities will be required to adhere to standards within the HL7 framework to securely submit information such as medical records, clinical notes, and diagnostic testing results. Electronic record transmissions must also be authenticated using digital signatures that comply with the HL7 Digital Signatures Guide.
Q: When does the CMS claims attachment rule take effect?
A: The regulations became effective on May 26, 2026. However, the compliance enforcement date is May 26, 2028.
Q: Who must comply with the new health care claims attachment standards?
A: Entities that submit supporting documentation in connection with health care claims transactions will be required to comply with the new HIPAA standards for electronic submissions and digital signatures.
Q: Can providers still fax medical records or claims attachments?
A: No, once the regulations go into effect, faxing required documentation will no longer be permitted, outside of a few limited circumstances. The regulations are intended to replace the manual processes that currently rely on fax machines or postal mail. The new standards require the electronic submission of supporting documentation using standardized formats within the HL7 framework.
Q: Why has the health care claims attachment rule taken so long to implement?
A: Congress first called for electronic transaction standards for claims attachments with the original enactment of HIPAA and again through the Affordable Care Act in 2010. Despite existing standards for claims transactions, the implementation of attachment standards was delayed for many years. The final rule represents a significant step toward completing HIPAA’s long-standing administrative simplification goals.
Q: What should health care organizations do before the May 26, 2028, compliance deadline?
A: Organizations should begin planning now by evaluating their current claims submission processes, technology infrastructure, and vendor capabilities to identify any changes needed to achieve compliance.
Q: How can hospitals, providers, and health care organizations prepare for the new CMS claims attachment requirements?
A: Organizations should review their claims submission workflows, technology systems, digital signature capabilities, and vendor readiness to determine what changes may be necessary to support HL7-compliant electronic submissions before the deadline.
Read our full legal update, “CMS Finalizes Long-Awaited Standards for Health Care Claims Attachment Transactions,” to learn more about compliance and how affected entities can begin preparing now. Chambliss’ health care attorneys are ready to help clients navigate these changes. Please contact Cal Marshall, Jennifer Vessels, or your Chambliss relationship attorney if you have questions about the new requirements or need assistance planning for the 2028 deadline.


