On March 24, 2026, the U.S. Department of Health and Human Services (“HHS”), through the Centers for Medicare & Medicaid Services (“CMS”), published a long‑anticipated final rule adopting national Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) standards for health care claims attachments transactions and electronic signatures (the “Final Rule”). The Final Rule is intended to modernize HIPAA transactions by establishing standards for the electronic exchange of clinical documentation used to support health care claims and related inquiries and setting requirements for secure, authenticated electronic signatures when used with those transactions.
Additionally, HHS has signaled plans for further HIPAA updates in 2026, with the potential finalization of the 2021 care coordination proposed rule amending the Privacy Rule.
This alert outlines steps covered entities should take to comply with the new Final Rule and to prepare for Privacy Rule updates.
A. Overview of the Final Rule
One of the core purposes of HIPAA was to simplify the administration of health insurance claims and related transactions, requiring that they be conducted electronically and only in certain standardized data formats. These electronic transaction standards, however, technically did not apply to attachments that may be needed for an underlying transaction. Accordingly, the exchange of claims‑related supporting documentation has occurred through a variety of non-standard methods, including fax, mail, payor-specific portals and unstructured formats such as PDF documents. HHS found that the lack of uniform national standards has driven administrative burden, payment delays and higher costs, which led to the Final Rule. CMS explains that the purpose of adopting these standards is to support more consistent and efficient electronic exchange of supporting documentation between covered entities and health plans, similar to what already exists for the underlying transaction.
Summary of Key Changes
- Standardizing Health Care Claims Attachments Transactions
The Final Rule adopts specific ASC X12 Version 6020 standards for claims attachment‑related transactions, including: X12N 275 (Additional Information to Support a Health Care Claim or Encounter) and X12N 277 (Health Care Claim Request for Additional Information). In addition, the Final Rule adopts HL7 implementation guides as HIPAA standards for the clinical content exchanged in claims attachments transactions, including HL7 Consolidated Clinical Document Architecture (C‑CDA) and HL7 Attachments Implementation Guide. Together, these standards enable the secure, electronic exchange of medical records, imaging, clinical notes, laboratory results and similar documentation in support of claims processing.
It is important to note that the scope of the Final Rule is limited to health care claims attachments only. CMS recognized that standardized attachment transactions also could support more streamlined processes for prior authorizations, but did not adopt additional standards governing prior authorization transactions or decision-making processes in the Final Rule.
- Establishing Electronic Signature Standards
The Final Rule also expressly adopted standards for electronic signatures used in connection with health care claims attachments transactions. The electronic signature standards are intended to:
- Authenticate the identity of the sender;
- Ensure the integrity of the electronically transmitted information; and
- Support non‑repudiation and transactional security.
Importantly, the Final Rule limits the electronic signature standards to use in conjunction with claims attachments transactions and does not broadly mandate electronic signatures for all HIPAA transactions.
- Updating HIPAA Administrative Simplification Regulations
The Final Rule revises and supplements definitions in 45 C.F.R. § 162.103 and adds new regulatory provisions governing health care claims attachments transactions in 45 C.F.R. §§ 162.2001–162.2002. These changes integrate claims attachments and electronic signatures into the existing HIPAA Transactions and Code Sets framework.
Who Is Affected
The Final Rule applies to all HIPAA covered entities that conduct standard electronic transactions, including health plans, health care clearinghouses and health care providers that transmit health information electronically in connection with covered transactions. Vendors, clearinghouses and other business associates that support claims processing and transaction workflows will also be directly impacted as a practical matter due to necessary system and process changes.
Effective Date and Compliance Timeline
The Final Rule becomes effective on May 23, 2026, and covered entities and health plans must comply with the new standards no later than May 26, 2028. CMS intentionally provided a two-year compliance period to allow organizations time to update systems, vendor arrangements and operational workflows.
B. HHS Signals Potential Finalization of the January 2021 Proposed Changes to HIPAA Privacy Rule
In addition to finalizing HIPAA standards for claims attachments and electronic signatures, HHS has recently indicated that it intends to resume progress toward finalizing the long‑pending HIPAA Privacy Rule notice of proposed rulemaking issued on January 21, 2021, titled “Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement” (the “2021 Privacy Rule Proposal”). OCR described the 2021 Privacy Rule Proposal as part of HHS’s Regulatory Sprint to Coordinated Care, intended to strengthen individuals’ engagement in their health care, facilitate care coordination and case management and reduce certain regulatory burdens, while continuing to protect the privacy of protected health information (“PHI”).
If finalized substantially as proposed, the 2021 Privacy Rule Proposal would make notable operational changes for covered entities and (in some respects) business associates, including:
- Strengthening the individual right of access (including electronic access) and related processes, including reducing the timeframe for responding to access requests from 30 to 15 days;
- Improving information sharing for care coordination and case management at the individual level;
- Removing the requirement to obtain an individual’s written acknowledgement of receipt of a Notice of Privacy Practices;
- Facilitating involvement of family members and caregivers in emergency or crisis circumstances, consistent with HIPAA’s permissions;
- Enhancing flexibilities for certain disclosures in emergencies or threatening circumstances by replacing the “professional judgment” standard with a “good faith” standard that would permit uses and disclosures of PHI for certain purposes based on a covered entity’s good faith belief that the disclosure is in the interest of the individual; and
- Reducing administrative burdens for covered entities, while preserving core privacy protections.
Practical Takeaways and Next Steps
The publication of the Final Rule and renewed momentum on the 2021 Privacy Rule Proposal signal that, after years of no activity, HIPAA modernization is advancing on multiple regulatory fronts. Although its future is less certain, there is also a pending HHS rule that would significantly update the requirements of the HIPAA Security Rule and require substantial revisions to security policies, technical controls, governance structures and vendor oversight practices. Covered entities and business associates should monitor these developments and proactively assess their HIPAA compliance programs for potential updates.
With respect to the Final Rule, covered entities and business associates should begin planning for compliance, including:
- Assessing current claims attachment workflows that rely on non-standard methods, such as fax or paper;
- Engaging EHR vendors, clearinghouses and revenue cycle partners to understand implementation timelines and responsibilities;
- Reviewing policies and procedures related to transaction security and authentication; and
- Evaluating electronic signature technologies to ensure alignment with the adopted HIPAA standards.
Although compliance is not required until May 26, 2028, early engagement will be critical given the operational and technological changes required to support standardized electronic claims attachments.
If you have questions or require assistance assessing the impact on your organization’s HIPAA compliance obligations, please contact:
- Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
- Charise Frazier at (317) 977-1406 or cfrazier@hallrender.com;
- Liz Callahan at (248) 457-7854 or ecallahan@hallrender.com;
- Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com;
- John Williams III at (202) 370-9585 or jwilliams@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.