
HIPAA EDI Compliance in 2026: What Healthcare Providers Must Know

HIPAA Title II mandates specific electronic transaction standards for every covered entity. Non-compliance carries civil penalties whose inflation-adjusted annual cap now exceeds $2 million per violation category per calendar year. This guide explains what is required, what trips providers up, and how to stay clean.


Christopher Rosecrans

April 14, 2026 · 16 min read

HIPAA Title II: The Administrative Simplification Rules

When most people say "HIPAA compliance," they are thinking about Title II, Subtitle F — the Administrative Simplification provisions. This subtitle directed HHS to adopt national standards for electronic healthcare transactions, unique identifiers, and security standards. The goal was to reduce the administrative overhead of healthcare billing, which in the mid-1990s consumed roughly 25 cents of every healthcare dollar.

The resulting regulations, codified in 45 CFR Parts 160, 162, and 164, require covered entities (healthcare providers, health plans, and clearinghouses) and their business associates to use the adopted transaction standards and code sets, the national identifiers (such as the NPI), and the Security Rule safeguards for the electronic protected health information they handle.

Important: Covered Entities vs. Business Associates

If your organization processes EDI transactions on behalf of a covered entity as a billing service or EDI platform, you are almost certainly a Business Associate: you are subject to the HIPAA Security Rule and to the transaction standards for any standard transaction you conduct on the covered entity's behalf, and a Business Associate Agreement (BAA) is required. A clearinghouse is a special case. It is itself a covered entity under the definitions in 45 CFR 160.103 and is directly responsible for its own compliance, but a provider still needs a BAA with any clearinghouse that receives its ePHI. SignalEDI executes BAAs with all healthcare customers as part of the onboarding process.

The 12 HIPAA-Mandated Transaction Sets

The table below lists the 12 HIPAA transactions most providers deal with. They map to nine distinct X12 transaction sets (837, 835, 270, 271, 276, 277, 278, 820, and 834): the three 837 variants share one transaction set, and the 278 request and response are likewise one set. Retail pharmacy claims use the NCPDP standard instead of X12. Every covered entity that conducts these transactions electronically must use the specified standard format.

Transaction Set | Name                                      | Direction                     | Who Uses It
837P            | Healthcare Claim (Professional)           | Provider → Payer              | Physicians, clinicians, labs
837I            | Healthcare Claim (Institutional)          | Provider → Payer              | Hospitals, SNFs, home health
837D            | Healthcare Claim (Dental)                 | Provider → Payer              | Dental practices
835             | Healthcare Payment / Remittance Advice    | Payer → Provider              | All providers receiving payment
270             | Eligibility Benefit Inquiry               | Provider → Payer              | Front desk, scheduling systems
271             | Eligibility Benefit Response              | Payer → Provider              | Real-time/batch eligibility
276             | Claim Status Request                      | Provider → Payer              | Billing departments
277             | Claim Status Response                     | Payer → Provider              | Billing / AR follow-up
278 (Request)   | Authorization/Referral Request            | Provider → Payer              | Utilization management
278 (Response)  | Authorization/Referral Response           | Payer → Provider              | Prior auth workflows
820             | Premium Payment for Insurance Products    | Employer → Payer              | HR/benefits teams
834             | Benefit Enrollment / Maintenance          | Employer/Plan Sponsor → Payer | Open enrollment, life events

It is worth noting that the mandate applies to electronic transactions. A provider who submits claims on paper is not covered by the electronic transaction standards — but if they send a single claim electronically, they must use the compliant format for all electronic submissions. The practical result is that nearly every provider above a very small scale is subject to HIPAA EDI requirements.

Deep Dive: Key Transaction Sets Explained

837 — Healthcare Claims

The 837 is the electronic equivalent of the CMS-1500 (professional) and UB-04 (institutional) paper claim forms. It contains the claim header (billing provider, rendering provider, patient demographics, payer information) and service lines (procedure codes, diagnosis codes, dates of service, charges).

The three flavors (837P, 837I, 837D) share the same base structure (the 837 transaction set) but differ in which loops are required, which code sets are used (CPT and HCPCS on professional claims, ICD-10-PCS for inpatient institutional procedures, CDT for dental), and in how the CLM05 composite is populated: a place-of-service code on the 837P versus a facility type (bill type) code on the 837I.

Critical compliance points: the NPI must appear in the billing provider loop (2010AA, NM1*85), in the rendering provider loop (2310B, NM1*82) whenever the rendering provider is not the billing provider, and potentially in the service facility loop (2310C, NM1*77). In every case the qualifier in NM108 must be 'XX' and the NPI goes in NM109. Using legacy provider IDs (UPINs, Medicaid provider numbers, or a tax ID placed in NM109) as substitutes for NPIs is a compliance violation; the billing provider's tax ID belongs in the REF*EI segment of loop 2010AA.

835 — Healthcare Payment and Remittance Advice

The 835 is sent by payers to providers to explain how a claim payment was calculated. It maps to the ERA (Electronic Remittance Advice). For a detailed breakdown of the 835 structure, CLP/CAS/SVC segments, and payment posting workflows, see our complete guide to EDI 835 remittance advice.

Health plans must offer both EFT payment and the electronic 835, and the CAQH CORE EFT and ERA operating rules (mandatory under the ACA since 2014) require the trace number carried in the 835 TRN segment to match the one delivered with the EFT so the two can be reassociated. That enforced pairing is what made automated payment reconciliation dependable for providers; without it a deposit can arrive with no machine-readable explanation of which claims it covers.

270/271 — Eligibility and Benefit Inquiry/Response

The 270 allows a provider to query a payer for a patient's benefit information before or during service. The 271 is the payer's response, containing coverage details, copays, deductibles, and benefit limitations. Real-time 270/271 exchanges (sub-second response) have become the standard for scheduling and check-in workflows. See our guide on EDI 270/271 real-time eligibility verification for implementation details.

276/277 — Claim Status

The 276 allows providers to query claim status without a phone call. The 277 response includes the claim's current status, payer-assigned claim control number, and if the claim was rejected, the applicable claim adjustment reason codes (CARCs). CAQH CORE Operating Rules specify that payers must respond to 276 inquiries within one business day and must support real-time responses for claims submitted within the prior 24 months.

278 — Prior Authorization

The 278 transaction handles requests and responses for prior authorizations, referrals, and health care services reviews. CMS's Interoperability and Prior Authorization final rule (CMS-0057-F, January 2024) requires impacted payers (Medicare Advantage organizations, Medicaid and CHIP fee-for-service programs and managed care plans, and QHP issuers on the federally facilitated exchanges) to expose a FHIR-based Prior Authorization API by January 1, 2027. The 278 remains the HIPAA-adopted standard for the prior authorization transaction itself, so providers that implement 278-based prior auth workflows now will be ahead of this compliance curve.

834 — Benefit Enrollment and Maintenance

The 834 is the electronic enrollment file that employers and health insurance exchanges send to insurers to add, change, or terminate member coverage. Errors in 834 processing are a major source of eligibility discrepancies: a member who was terminated in the employer's HR system but whose termination 834 was rejected will appear active in the payer's system until the file is reprocessed — sometimes for months.

Companion Guides and Implementation Requirements

The base X12 005010 implementation guides define the transaction structure. But each payer publishes a companion guide that narrows the allowed values and adds payer-specific requirements. Companion guides are not optional — they define which optional fields the payer requires, which code sets the payer will accept, and how specific scenarios (coordination of benefits, crossover claims, accident cases) must be reported.

What a Companion Guide Typically Specifies

  • Which ICD-10-CM diagnosis codes require additional specificity (e.g., require 7th character extensions)
  • Required vs. situational segments that the payer treats as mandatory (e.g., many payers require CLM05-3 even though the base guide marks it situational)
  • Payer-specific loop iteration limits (e.g., a maximum of 50 service lines per claim even though X12 allows more)
  • National Drug Code (NDC) reporting requirements for drug claims
  • Coordination of Benefits (COB) claim requirements when Medicare is secondary
  • Contact information for the payer's EDI help desk and testing environment

The CAQH CORE Operating Rules layer additional requirements on top of companion guides. The Phase I and II rules (eligibility and claim status, mandatory under the ACA since 2013) and the Phase III rules (EFT and ERA, mandatory since 2014) specify maximum response times for real-time transactions (20 seconds or less for 270/271 and 276/277), minimum data content for 271 and 835 responses, uniform use of claim adjustment codes on the 835, and connectivity requirements (every health plan must support an HTTPS connection over the public Internet in addition to whatever proprietary connectivity it offers).

Common HIPAA EDI Violations and Their Root Causes

Based on enforcement activity by CMS's National Standards Group (which enforces the transaction, code set, identifier, and operating rule standards), by the HHS Office for Civil Rights (which enforces the Security Rule), and on issues commonly flagged during payer audits, these are the most frequent HIPAA EDI compliance failures:

01  Non-standard transaction formats (risk: High)

Using proprietary or custom EDI formats, or submitting ANSI X12 004010 transactions where 005010 is required, is the most direct HIPAA violation. This often happens when legacy billing software was never upgraded after the 5010 compliance date of January 1, 2012.

02  Missing or invalid NPI (risk: High)

Using legacy UPIN identifiers, tax identification numbers in the NM109 element without NM108='XX' (NPI qualifier), or submitting individual rendering provider claims without the rendering provider NPI in loop 2310B are all NPI compliance violations.

03  Refusing to conduct electronic transactions (risk: Medium)

A payer cannot require providers to use paper for transactions that HIPAA has standardized electronically. Conversely, a provider who opts into electronic transactions cannot send a proprietary format and demand the payer accept it. The obligation is bilateral.

04  Improper claim adjustment reason code usage (risk: Medium)

On 835 remittances, the combination of group code CO (Contractual Obligation) with reason code 45 ('charge exceeds fee schedule/maximum allowable or contracted/legislated fee arrangement') is correct for contractual write-downs. Many payers instead use the OA (Other Adjustment) group code with a generic reason code as a catch-all, which violates the CAQH CORE uniform-use rules for CARC and RARC combinations and leaves the provider unable to tell a contractual adjustment from a denial.

05  Operating Rule non-compliance (risk: Medium)

Payers who do not meet the CAQH CORE response time requirements for real-time 270/271 transactions, or who do not support HTTPS-based connectivity, are in violation of the ACA-mandated operating rules. Providers can file complaints with CMS through its Administrative Simplification Enforcement and Testing Tool (ASETT).

06  Security Rule failures affecting EDI transport (risk: High)

Transmitting ePHI over unencrypted connections, failing to log access to SFTP servers containing claim files, or not having a BAA with your EDI vendor are Security Rule violations that intersect with EDI operations.
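Item 06 is the one most often fixed in code rather than in policy documents. The following is an added example, not SignalEDI code. It shows the unverified, floor-less TLS client context that legacy EDI upload scripts frequently carry next to a hardened context for posting to a payer's HTTPS endpoint, plus a small policy check that flags cleartext URLs and weak contexts. The endpoint URLs are placeholders and nothing here opens a network connection; the check inspects configuration only.

```python
"""TLS client configuration for EDI transport over HTTPS.

Added example (not SignalEDI code). Nothing here connects to a network: the
functions build and inspect ssl.SSLContext objects and parse URLs only.
"""
import ssl
from typing import Optional
from urllib.parse import urlparse

CLEARTEXT_SCHEMES = {"http", "ftp"}
ENCRYPTED_SCHEMES = {"https", "sftp"}   # sftp runs over SSH; its settings live in the SSH client


def legacy_context() -> ssl.SSLContext:
    """The pattern to remove: certificate checks off and no protocol floor set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # accepts a certificate issued for any name
    ctx.verify_mode = ssl.CERT_NONE    # accepts any certificate at all, so MITM goes unnoticed
    # minimum_version is left at whatever the interpreter and OpenSSL build default to,
    # which on older combinations still admits TLS 1.0 and 1.1.
    return ctx


def edi_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened context: verified chain, hostname check, TLS 1.2 floor, AEAD suites only."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites for TLS 1.2; TLS 1.3 suites are enabled regardless.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The three settings an auditor asks about, as plain values."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def transport_violations(url: str, ctx: ssl.SSLContext) -> list[str]:
    """Policy check for an EDI endpoint and the context that would be used to reach it."""
    problems: list[str] = []
    scheme = urlparse(url).scheme.lower()
    if scheme in CLEARTEXT_SCHEMES:
        problems.append(f"{scheme}:// carries ePHI in cleartext")
    elif scheme not in ENCRYPTED_SCHEMES:
        problems.append(f"unexpected scheme {scheme!r}; https or sftp required")
    if scheme == "https":
        if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
            problems.append("server certificate or hostname verification disabled")
        if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
            problems.append("TLS floor below 1.2")
    return problems


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", edi_client_context())):
        print(label, context_summary(ctx), transport_violations("https://payer.example/edi", ctx))
```

For the SFTP side the equivalent controls live in the SSH configuration (the Ciphers and KexAlgorithms directives on an OpenSSH server or client, plus host-key pinning in known_hosts), which is why the check above only looks inside the context for HTTPS URLs and treats sftp:// as acceptable transport that must be audited separately.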

Penalties: What Non-Compliance Actually Costs

Civil money penalties for HIPAA violations are assessed by the HHS Office for Civil Rights for Privacy and Security Rule violations and by CMS for transaction standard, code set, identifier, and operating rule violations. Both use the same penalty tiers, which are graded by culpability:

Tier   | Culpability Level                       | Per Violation         | Annual Cap (same type)
Tier 1 | Did not know (reasonable diligence)     | $137 – $68,928        | $2,067,813
Tier 2 | Reasonable cause (not willful neglect)  | $1,379 – $68,928      | $2,067,813
Tier 3 | Willful neglect, corrected              | $13,785 – $68,928     | $2,067,813
Tier 4 | Willful neglect, not corrected          | $68,928 – $2,067,813  | $2,067,813

Penalty values above are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act, so check the current Federal Register notice for this year's figures. Note that the caps apply per violation category per calendar year: a covered entity with systematic non-compliance across multiple transaction types could face penalties in multiple categories simultaneously.

Beyond civil penalties, state attorneys general have independent authority to bring HIPAA actions and have done so with increasing frequency since the 2009 HITECH Act amendments. Criminal penalties (up to 10 years imprisonment) apply to individuals who knowingly obtain or disclose PHI for commercial advantage.

2026 Compliance Checklist for Healthcare Providers

Use this checklist to assess your current compliance posture:

Transaction formats

All electronic transactions use ANSI X12 005010 (or NCPDP for pharmacy). No 4010 or proprietary formats.

NPI compliance

All claims include the billing provider NPI (NM1*85) and rendering provider NPI (NM1*82) where applicable. No UPIN or legacy IDs.

BAA with EDI vendor

Your EDI clearinghouse or platform has signed a Business Associate Agreement with your organization.

835 electronic receipt

You can receive 835 ERAs electronically for all payers. You are not accepting paper EOBs from payers who send EFT.

270/271 real-time eligibility

Your scheduling and check-in systems can query eligibility before each visit. Manual phone eligibility verification is exception-only.

278 prior authorization

You are preparing for or have implemented 278 electronic prior auth for payers subject to the 2027 CMS mandate.

Transport security

All EDI connections use HTTPS with TLS 1.2 or later, or SFTP (which runs over SSH) with modern key exchange and cipher settings. No plain FTP, and no HTTPS endpoints that still negotiate TLS 1.0 or 1.1.

Monitoring and logging

All EDI transactions are logged with timestamps and interchange control numbers. You receive and act on 999 acknowledgments (and 277CA claim acknowledgments, where the payer issues them) within 24 hours, so rejected batches are corrected and resubmitted long before timely-filing deadlines become a risk.

Companion guide compliance

Maps are validated against each payer's current companion guide, not just the base X12 spec.

CORE Operating Rules

Your EDI platform meets CAQH CORE Phase I and II response time SLAs for real-time transactions.
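The "Monitoring and logging" item above only pays off if the 999 is parsed into something a billing team can act on. The following is an added example, not SignalEDI code. It reads a constructed 999 that partially accepts a functional group of two 837 transaction sets, pulls the IK3/IK4 error location (segment, position, loop, element, copy of the bad value) together with the CTX business-unit reference that points back at the claim, and lists which transaction sets must be corrected and resubmitted. The sample uses the default delimiters (* element, : component, ~ segment) rather than reading them from an ISA header, and the codes in it were chosen to depict a rendering-provider NM1 rejected for an invalid identification code.

```python
"""Turn an X12 999 Implementation Acknowledgment into an action list.

Added example (not SignalEDI code). The 999 below is constructed; it assumes
the default * : ~ delimiters, which a production reader would take from ISA.
"""
from dataclasses import dataclass, field
from typing import Optional

# IK501 / AK901 acknowledgment codes: A accepted, E accepted with errors,
# R rejected, P partially accepted (AK9 only). Anything else needs action.
ACCEPTED = {"A", "E"}


@dataclass
class SegmentError:
    segment_id: str                 # IK301: segment in the 837 that failed
    position: int                   # IK302: segment count from ST
    loop_id: str                    # IK303: e.g. 2310B
    error_code: str                 # IK304: syntax error code (8 = data element errors)
    claim_ref: str = ""             # CTX*CLM01:<claim id>, when the receiver supplies it
    element_errors: list[tuple[int, str, str, str]] = field(default_factory=list)
    # (element position, X12 data element number, IK403 error code, copy of bad data)


@dataclass
class TransactionAck:
    control_number: str             # AK202: ST02 of the acknowledged transaction set
    status: str = ""                # IK501
    errors: list[SegmentError] = field(default_factory=list)


@dataclass
class GroupAck:
    functional_id: str              # AK101: HC for claims
    group_control: str              # AK102: the GS06 being acknowledged
    status: str = ""                # AK901
    received: int = 0               # AK903
    accepted: int = 0               # AK904
    transactions: list[TransactionAck] = field(default_factory=list)


def parse_999(raw: str) -> GroupAck:
    segments = [s.split("*") for s in raw.replace("\n", "").split("~") if s.strip()]
    group: Optional[GroupAck] = None
    tx: Optional[TransactionAck] = None
    err: Optional[SegmentError] = None
    for seg in segments:
        tag = seg[0]
        if tag == "AK1":
            group = GroupAck(seg[1], seg[2])
        elif tag == "AK2":
            tx = TransactionAck(seg[2])
            group.transactions.append(tx)
        elif tag == "IK3":
            err = SegmentError(seg[1], int(seg[2]),
                               seg[3] if len(seg) > 3 else "",
                               seg[4] if len(seg) > 4 else "")
            tx.errors.append(err)
        elif tag == "CTX" and err is not None and seg[1].startswith("CLM01:"):
            err.claim_ref = seg[1].split(":", 1)[1]
        elif tag == "IK4":
            # IK401 is composite C030: element position[:component position]
            position = int(seg[1].split(":")[0])
            padded = seg + [""] * (5 - len(seg))
            err.element_errors.append((position, padded[2], padded[3], padded[4]))
        elif tag == "IK5":
            tx.status = seg[1]
        elif tag == "AK9":
            group.status, group.received, group.accepted = seg[1], int(seg[3]), int(seg[4])
    if group is None:
        raise ValueError("no AK1 segment: not a 999")
    return group


def transactions_to_resubmit(ack: GroupAck) -> list[str]:
    """Control numbers of transaction sets the receiver did not accept."""
    return [t.control_number for t in ack.transactions if t.status not in ACCEPTED]


def work_items(ack: GroupAck) -> list[str]:
    """One human-readable line per rejected segment, for the billing queue."""
    items = []
    for t in ack.transactions:
        for e in t.errors:
            where = f"ST {t.control_number} segment {e.position} ({e.segment_id}, loop {e.loop_id})"
            claim = f" claim {e.claim_ref}" if e.claim_ref else ""
            for pos, de, code, bad in e.element_errors:
                items.append(f"{where}{claim}: element {pos} (DE{de}) code {code}, value {bad!r}")
            if not e.element_errors:
                items.append(f"{where}{claim}: segment error {e.error_code}")
    return items


# Constructed 999: set 0001 rejected because the rendering provider NM1 in loop
# 2310B carried an invalid identification code (DE67 is NM109); set 0002 accepted.
SAMPLE_999 = (
    "ST*999*0001*005010X231A1~"
    "AK1*HC*1*005010X222A1~"
    "AK2*837*0001*005010X222A1~"
    "IK3*NM1*18*2310B*8~"
    "CTX*CLM01:CLAIM001~"
    "IK4*9*67*7*A12345~"
    "IK5*R*5~"
    "AK2*837*0002*005010X222A1~"
    "IK5*A~"
    "AK9*P*2*2*1~"
    "SE*11*0001~"
)

if __name__ == "__main__":
    ack = parse_999(SAMPLE_999)
    print(f"group {ack.group_control}: {ack.status}, {ack.accepted}/{ack.received} accepted")
    for line in work_items(ack):
        print(line)
    print("resubmit:", transactions_to_resubmit(ack))
```

The point of the CTX handling is that a 999 reports positions inside the interchange, not claim numbers; when the payer includes the CLM01 business-unit context, the work item can be routed straight to the claim instead of having someone count segments in the original file.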

Frequently Asked Questions

Q: Does HIPAA require me to use a clearinghouse?

No. HIPAA requires you to use standard transaction formats; it does not require you to route transactions through a clearinghouse. You can connect directly to payers (direct payer EDI) or use a clearinghouse as an intermediary. Many providers use clearinghouses because they simplify multi-payer connectivity — instead of maintaining separate connections to hundreds of payers, they have one clearinghouse connection. However, you must still have a BAA with any clearinghouse that handles your ePHI.

Q: Are telehealth and behavioral health providers subject to the same HIPAA EDI requirements?

Yes. If you submit claims electronically and meet the definition of a covered entity (healthcare provider who transmits health information electronically in connection with a HIPAA-covered transaction), you are subject to the transaction standards regardless of specialty. Behavioral health providers sometimes use process exceptions for substance use disorder claims (42 CFR Part 2 requirements), but the underlying 837 format requirements still apply.

Q: What is the difference between HIPAA compliance and CORE compliance?

HIPAA mandates the transaction formats (which standard to use). CAQH CORE Operating Rules specify how to use them — response time requirements, minimum data content rules, connectivity standards. CORE compliance is mandatory for health plans subject to ACA Section 1104. Providers benefit from CORE compliance even though they are not directly required to certify — a payer that meets CORE SLAs will respond to your 270 queries faster and with more consistent data.

Q: Can I be penalized for my clearinghouse's EDI non-compliance?

Technically, a clearinghouse is an independent covered entity and is directly responsible for its own compliance. However, if your clearinghouse is submitting non-compliant transactions on your behalf and your practice is receiving the benefit, HHS could examine whether your selection and oversight of the clearinghouse constituted reasonable diligence. At minimum, you should verify that your clearinghouse holds CORE certification and that your BAA includes compliance warranties.

Q: How often are HIPAA transaction standards updated, and how do I stay current?

The base X12 standards are updated through X12's normal standards development process, but HHS must formally adopt changes via rulemaking before they become mandatory. The current mandate (version 005010, adopted in the 2009 final rule with a January 1, 2012 compliance date) has been stable since. Companion guides, however, change frequently; some payers release updated guides annually. CMS publishes a HIPAA Administrative Simplification page listing the currently adopted standards. SignalEDI maintains a companion guide library and alerts you when a partner's guide changes.

HIPAA-Compliant EDI

Meet every HIPAA EDI requirement out of the box

SignalEDI is built for healthcare — 837, 835, 270/271, 276/277, 278, 834, and 820. BAA included. CORE-certified. Current companion guides maintained automatically.