What the new CMS Rule means for healthcare's fax machine era

"The 1980s called, and they want their fax machines back," said CMS Administrator Dr. Mehmet Oz in the official CMS press release announcing the new rule. He added that medical breakthroughs like augmented reality surgical tools "shouldn't have to coexist with administrative systems that often lag decades behind."

On March 20, 2026, the Centers for Medicare & Medicaid Services (CMS) finalized a landmark rule establishing the first-ever national standards for the electronic exchange of clinical documentation used to support healthcare claims. According to the CMS press release, the rule establishes "a consistent, easy-to-use electronic framework for transmitting this documentation, improving efficiency across the entire healthcare system." The rule sets a compliance deadline of May 26, 2028, for all HIPAA-covered entities, health plans, clearinghouses, and providers who conduct electronic transactions.

Read also: HHS final rule to standardize electronic health care claims attachments

Why this rule has been a long time coming

The final rule states, "the exchange of health care claims attachments has remained largely manual, frequently relying on fax, mail, or portal uploads." Clinical documentation such as medical records, X-rays, imaging, clinical notes, telemedicine visit records, lab results have long been transmitted using a patchwork of manual methods. When a health plan requests supporting documentation for a claim, a provider might fax dozens of pages, mail a physical envelope, or upload files to an incompatible portal. The process is slow, has errors, and is expensive for everyone involved.

CMS argues that relying on these outdated manual methods causes unnecessary delays and costs and the numbers back that up. According to the final rule's Regulatory Impact Analysis, the primary net annualized savings to the healthcare industry are estimated at $781.98 million, against net annualized costs of approximately $303.75 million, discounted at 7 percent.

What the rule actually requires

The final rule adopts the X12N 277 which is the Health Care Claim Request for Additional Information (006020X313) as the standard a health plan must use to electronically request attachment information from a provider, and the X12N 275 which is Additional Information to Support a Health Care Claim or Encounter (006020X314) as the standard a provider must use to transmit that information back. On the clinical data side, it adopts HL7 Implementation Guides including the Consolidated Clinical Document Architecture (C-CDA) Volume One and Volume Two, as well as the HL7 Attachments IG to create a structure for exchanging medical records, clinical notes, and diagnostic results.

Furthermore, the final rule also requires that "health plans and health care providers must have a clear and unambiguous way to specify attachment information to be transmitted or requested in a health care attachments transaction," a function served by the LOINC code set, which allows each attachment type to be identified with a standardized code that both parties can act on without manual interpretation.

The rule also establishes standards for electronic signatures, ensuring that documentation can be transmitted in a way that is both authenticated and legally valid. As CMS noted in its press release, these standards are designed to ensure "secure, authenticated transmission" of clinical information. One of the objections to going fully electronic in healthcare has been the question of verification, how do you ensure a digital record carries the same legal weight as a signed paper document? The e-signature framework addresses that.

Notably, while the original proposed rule that was issued in December 2022 under the Biden administration, included standards for both claims and prior authorization attachments, the final rule is explicit that "we have elected not to finalize health care attachments standards supporting prior authorization transactions at this time." The Department of Health and Human Services will continue evaluating alternative standards for prior authorization currently being tested by the industry.

Learn more: What is data standardization?

What this means for HIPAA compliance

Section 1173(a) of the Social Security Act, as added by HIPAA's Administrative Simplification subtitle, required the Secretary of HHS to adopt standards for electronic transactions, including health claims attachments. Congress reinforced that mandate again in Section 1104(c)(3) of the Patient Protection and Affordable Care Act further required the Secretary to adopt a transaction standard specifically for health claims attachments.

Covered entities should also be aware that HIPAA's existing Security Rule obligations don't pause during the transition period. Organizations moving clinical documentation workflows from fax and mail to electronic transmission will need to ensure their new systems satisfy the Security Rule's Administrative Safeguards requirement to conduct and document a risk analysis before deploying new electronic systems handling protected health information (PHI). Documentation of security analyses, remediation plans, sanctions policies, and system activity reviews must be retained for at least six years.

While the rule pushes covered entities toward structured electronic transactions, it is worth noting that HIPAA compliant email remains a separate obligation that this rule does not replace or fulfill. Organizations that use encrypted email to transmit PHI still need to ensure those workflows independently meet HIPAA's Security and Privacy Rule requirements.

What this means for providers

Instead of managing multiple incompatible documentation workflows for different payers, providers will eventually operate within a single, predictable electronic framework.

However, organizations that have not yet invested in EHR systems capable of generating and transmitting HL7-compliant documentation will need to do that before 2028. As CMS noted in its press release, every minute providers save on paperwork is another minute they can spend caring for patients.

What this means for payers

The ability to receive structured, machine-readable claims documentation rather than unstructured faxed pages requiring manual review opens the door to automation in claims adjudication. Payers will also need to build or update their intake systems to accept the X12 and HL7 formats specified in the rule.

FAQs

Will this rule apply to small, independent practices or just large health systems?

Yes, the rule applies to all HIPAA-covered entities that conduct electronic transactions, regardless of size.

What happens if an organization misses the May 2028 compliance deadline?

Non-compliant covered entities risk enforcement action and financial penalties from HHS's Office for Civil Rights, which oversees HIPAA violations.

Does this rule affect how patients can access their own medical records?

No, patient access rights are governed separately under the HIPAA Privacy Rule and the 21st Century Cures Act, and this rule does not change them.

Will this rule reduce claim denials?

Structured, standardized documentation is expected to reduce errors that trigger denials.