No Surprises Act Compliance: What Healthcare Organizations Need to Know for Billing in 2026

The No Surprises Act has generated over $4.4 billion in patient billing protections since taking effect on January 1, 2022 — and enforcement is intensifyin...
The No Surprises Act has generated over $4.4 billion in patient billing protections since taking effect on January 1, 2022 — and enforcement is intensifying. In 2025 alone, CMS and state regulators issued more than 2,800 compliance actions against providers and facilities, with penalties reaching $10,000 per occurrence. For a mid-sized health system processing 200,000 encounters annually, a systematic compliance gap could translate to seven-figure liability in a single audit cycle.
Yet four years in, 38% of medical practices report difficulty maintaining full compliance, according to MGMA — particularly around Good Faith Estimates and the Independent Dispute Resolution process. This guide covers what the No Surprises Act requires, where organizations most commonly fail, and how to build compliance into your revenue cycle heading into 2026.
What the No Surprises Act Requires — and Who It Affects
The No Surprises Act (NSA), formally Title I of the Consolidated Appropriations Act of 2021 (Public Law 116-260), established federal protections against surprise medical bills for patients with private insurance (group and individual plans), uninsured and self-pay patients, and federal employee health plans (FEHB).
The law does not apply to Medicare, Medicaid, CHIP, TRICARE, Indian Health Service, or VA patients — those programs have their own billing protections.
Compliance obligations fall on all healthcare providers, healthcare facilities (hospitals, ASCs, freestanding EDs), air ambulance providers, and health plans/insurers. There are no exemptions based on practice size, specialty, or geography.
The Three Core Protections
| Protection | Who It Protects | What It Prevents |
|---|---|---|
| Balance billing ban | Insured patients receiving emergency care or non-emergency care from out-of-network providers at in-network facilities | Providers billing patients for the difference between their charge and the insurer's payment |
| Good Faith Estimates | Uninsured and self-pay patients | Patients receiving bills substantially exceeding the estimated cost of care |
| Independent Dispute Resolution | Providers and plans in payment disagreements | Prolonged payment disputes delaying provider reimbursement |
Good Faith Estimate Requirements
The Good Faith Estimate (GFE) provisions are among the most operationally demanding aspects of the law. They require providers and facilities to give uninsured and self-pay patients a written cost estimate before delivering scheduled services.
When a GFE Is Required
| Scenario | Delivery Deadline |
|---|---|
| Service scheduled 3+ business days in advance | Within 1 business day of scheduling |
| Service scheduled 1-3 business days in advance | Within 3 business days of scheduling |
| Patient requests a GFE at any time | Within 3 business days of the request |
What a GFE Must Include
Each Good Faith Estimate must contain the following elements:
- Patient name and date of birth
- Description of the primary item or service — in clear, understandable language (not just CPT codes)
- Itemized list of expected items and services — including all reasonably expected ancillary services (labs, imaging, anesthesia, facility fees, etc.)
- Applicable diagnosis codes (ICD-10) and expected service codes (CPT/HCPCS) for each item
- Expected charges for each listed item or service from each provider and facility
- Name, NPI, and TIN of each provider and facility expected to furnish services
- Location(s) where services will be provided
- A disclaimer that the estimate is not a contract, that actual charges may differ, and that the patient has the right to initiate the patient-provider dispute resolution process if the final bill exceeds the GFE by $400 or more
The $400 Threshold
This is the critical number. If a patient's final bill exceeds the Good Faith Estimate by $400 or more, the patient has the right to dispute the charges through the patient-provider dispute resolution (PPDR) process. This process is separate from the IDR process used for provider-payer disputes.
A Selected Dispute Resolution (SDR) entity reviews the dispute and determines whether the provider must adjust the bill to match the GFE. Providers who regularly exceed their estimates face both financial adjustments and regulatory scrutiny.
Multi-Provider GFE Coordination
When a service involves multiple providers — surgeon, anesthesiologist, facility, pathologist — the convening provider (typically the one scheduling the primary service) must identify all co-providers, request their GFE information, compile a single consolidated estimate, and deliver it within the required timeframes. If a co-provider fails to respond, the convening provider must still provide the estimate using their best information and note the gap.
This coordination requirement is where most GFE compliance failures occur. It demands cross-organizational data sharing, standardized communication workflows, and reliable tracking.
Balance Billing Protections
The balance billing provisions are the most visible part of the No Surprises Act and the original impetus for the legislation. They prohibit providers from billing patients more than the applicable in-network cost-sharing amount in specific situations.
Emergency Services
For emergency services at any facility, providers are prohibited from balance billing. This covers ED visits (including all services furnished as part of the visit), post-stabilization services until safe transfer or informed consent, and out-of-network air ambulance services. Cost-sharing must be calculated as if the provider were in-network, and patient payments count toward the in-network out-of-pocket maximum.
Non-Emergency Services at In-Network Facilities
Out-of-network providers at in-network facilities cannot balance bill unless specific notice and consent requirements are met. This commonly affects anesthesiologists, radiologists, pathologists, neonatologists, assistant surgeons, hospitalists, and intensivists.
The Notice and Consent Exception
Out-of-network providers can balance bill for non-emergency services at in-network facilities only if they: (1) provide written notice at least 72 hours before the service that they are out-of-network, (2) include a good faith estimate of charges, (3) clearly state the patient's right to choose an in-network alternative, and (4) obtain a signed consent form — separate from general consent-to-treat forms — acknowledging the patient understands they may receive a higher bill.
This exception does not apply to ancillary services (anesthesiology, pathology, radiology, neonatology), emergency services, or situations with no in-network alternative. For most facility-based specialties, balance billing is prohibited regardless of notice and consent.
Independent Dispute Resolution (IDR) and Its Revenue Cycle Impact
When a provider and a health plan cannot agree on a payment amount for a service covered by the balance billing protections, either party can initiate the Independent Dispute Resolution (IDR) process — also known as the federal arbitration process.
How the IDR Process Works
| Stage | Timeframe | What Happens |
|---|---|---|
| Open negotiation | 30 business days after initial payment or notice of denial | Provider and plan negotiate directly |
| IDR initiation | 4 business days after failed negotiation | Either party can initiate IDR through the federal IDR portal |
| IDR entity selection | 3 business days | Parties jointly select a certified IDR entity, or HHS assigns one |
| Offer submission | 10 business days | Each party submits a final payment offer and supporting information |
| IDR decision | 30 business days after entity selection | The IDR entity selects one of the two submitted offers — no splitting the difference |
| Payment | 30 calendar days after decision | The losing party must pay within this window |
What the IDR Entity Considers
The IDR entity must begin with the Qualifying Payment Amount (QPA) — the plan's median in-network rate for the same service in the geographic region. It then weighs additional factors: provider training and quality metrics, service complexity and patient acuity, market share and provider concentration, facility teaching status, case mix, good faith network negotiation efforts, and prior contracted rates.
The entity may not consider billed charges, usual and customary rates, Medicare/Medicaid rates, or the amount the provider would have charged an uninsured patient.
Revenue Cycle Impact
Volume: Over 490,000 IDR disputes have been filed since 2022, far exceeding CMS projections of 22,000 per year. The backlog has pushed some disputes 6-9 months beyond statutory timelines.
Cost: The 2026 administrative fee is $150 per party per dispute (up from $50 initially). IDR entity fees range from $200-$700 for single determinations and $268-$938 for batched cases — borne by the losing party.
Cash flow: Providers receive only the plan's initial payment while disputes are pending. For organizations with hundreds of out-of-network claims, this creates significant AR impact.
Administrative burden: Each submission requires documentation assembly, QPA calculation, and case monitoring — consuming 2-4 hours of staff time per dispute without automation.
Provider Obligations and Compliance Requirements
Beyond the core protections above, the NSA imposes ongoing compliance obligations.
Required Disclosures and Notices
Public disclosure of patient protections. Providers must post NSA protection information on their website, in physical locations (waiting rooms, check-in areas), and on billing statements.
Standard notice to insured patients. A one-page notice about balance billing protections must be provided to every privately insured patient — both physically and digitally — and available in the 15 most common languages in the provider's geographic area.
Notice of the right to a GFE. All providers must prominently inform uninsured and self-pay patients of their right to a Good Faith Estimate, both in the facility and on the website.
Provider Directory and Continuity Obligations
Providers must submit accurate directory information to each participating plan and update it promptly when it changes. If a patient relies on an inaccurate listing, the provider may be treated as in-network for cost-sharing purposes. Additionally, when a provider's network status changes, they must cooperate with continuity-of-care arrangements for patients in active treatment, accepting in-network rates during the transition.
Common Compliance Failures and Penalties
The Most Frequent Violations
Based on enforcement actions and audit findings through 2025, the most common compliance failures include:
1. Failure to provide Good Faith Estimates — or providing incomplete ones. Providers fail to identify qualifying patients, miss delivery timeframes, or omit required elements (particularly co-provider charges and diagnosis/service codes).
2. Improper balance billing. Billing systems not configured to recognize NSA-protected claims, resulting in patients receiving balance bills that should have been suppressed.
3. Missing or inadequate notices. Required notices not posted, not available in required languages, or buried within other forms where patients are unlikely to see them.
4. Invalid notice and consent. Consent forms that fail statutory requirements, notices delivered outside the 72-hour window, or consent obtained for services where the exception does not apply (ancillary services).
5. Incorrect cost-sharing calculations. Applying out-of-network cost-sharing to NSA-protected claims, or failing to apply patient payments toward in-network out-of-pocket maximums.
Penalty Structure
The No Surprises Act establishes both federal and state enforcement mechanisms:
| Violation Type | Maximum Penalty | Enforced By |
|---|---|---|
| Balance billing violation (per occurrence) | Up to $10,000 | CMS (for providers in states without enforcement) or state regulators |
| Failure to provide GFE | Up to $10,000 per violation | CMS or state regulators |
| Failure to post required notices | Varies by state; federal backstop up to $10,000 | State regulators with federal backstop |
| Pattern of violations | Referral for investigation; potential exclusion from federal programs | HHS Office of Inspector General |
| Health plan violations | Up to $100 per day per affected individual, with annual maximums of $500,000 | Departments of Labor, Treasury, and HHS |
State enforcement amplifies the risk. California, Texas, New York, Florida, Colorado, and others have enacted their own surprise billing laws with penalties that can exceed the federal floor. Penalties are assessed per occurrence, not per audit — a single billing process error affecting 500 patients could generate $5 million in penalty exposure.
How AI Automates No Surprises Act Compliance
Manual NSA compliance requires staff to correctly classify every encounter, generate accurate documents within tight timeframes, and coordinate across providers and systems. AI-driven revenue cycle automation addresses each failure point systematically.
Automated Patient Identification and Classification
The first compliance step — determining whether an encounter triggers NSA protections — is where manual processes most commonly fail. Is the patient commercially insured or self-pay? Is the service emergent? Is the provider in-network for this specific plan? Are co-providers out-of-network?
AI-powered eligibility verification answers these questions automatically at scheduling, pre-service, and check-in. The system flags NSA-triggering encounters and routes them to the appropriate compliance workflow — GFE generation, notice and consent, or balance billing suppression — without manual classification.
Intelligent Good Faith Estimate Generation
Accurate GFEs require data from multiple sources: fee schedules, historical charges, expected ancillary services, co-provider identification, and diagnosis-specific service patterns. AI automates this by:
- Predicting the full scope of services based on the scheduled procedure, historical patterns, and clinical protocols
- Identifying all co-providers likely to be involved and pulling their expected charges
- Generating the estimate with all required elements (itemized services, codes, NPIs, TINs, disclaimers)
- Delivering the estimate through the patient's preferred channel within the required timeframe
- Tracking delivery and acknowledgment for audit documentation
This transforms a 20-45 minute manual process into an automated workflow that takes seconds, with higher accuracy and complete audit trails.
Automated Notice Generation and Delivery
AI systems automatically generate the correct notices based on insurance status and service type, deliver them through QuickVoice-powered channels (SMS, email, patient portal, automated voice calls) with delivery confirmation, manage language requirements, and create audit-ready documentation of every notice delivered.
Balance Billing Suppression
AI-driven claims processing automatically identifies NSA-protected claims, calculates cost-sharing at in-network rates, suppresses patient balances beyond the in-network amount, applies payments toward in-network out-of-pocket maximums, and routes remaining balances to dispute workflows rather than patient billing. This eliminates improper balance billing — the most financially punitive compliance failure — as a systemic risk.
IDR Process Automation
For organizations regularly engaging in IDR, AI automatically calculates the QPA and flags underpayments, assembles supporting documentation for submissions, tracks cases through every stage with deadline alerts, and analyzes outcomes to inform negotiation and contracting strategy.
Compliance Monitoring and Reporting
AI-powered compliance dashboards provide real-time visibility into GFE generation and delivery rates, balance billing suppression accuracy, notice delivery gaps, IDR case outcomes, and upcoming regulatory deadlines. This moves compliance from a periodic audit exercise to a continuous monitoring function — identifying and correcting gaps before they become violations.
Preparing for 2026 Enforcement Updates
The regulatory landscape for the No Surprises Act continues to evolve. Several developments are shaping compliance requirements for 2026 and beyond.
GFE Expansion to Insured Patients
CMS has signaled its intent to expand GFE requirements to insured patients — not just uninsured and self-pay. This expansion, delayed from its original 2024 timeline due to operational complexity, would dramatically increase GFE volume. Organizations with automated generation are positioned to absorb the expansion; those using manual processes face a serious capacity problem.
Enhanced IDR Process Reforms
The IDR process has been subject to extensive litigation and multiple rulemaking rounds. Key 2026 developments include updated batching rules affecting filing strategy and costs, refined QPA calculation methodology with greater transparency, efforts to reduce the backlog through additional certified IDR entities, and enhanced outcome data reporting requirements.
State Enforcement and Price Transparency Convergence
States are increasingly asserting primary enforcement roles — with state-specific penalty increases, proactive audit programs targeting high-volume providers, expanded patient complaint portals, and tighter coordination with federal regulators.
The NSA also does not exist in isolation. It sits alongside the Hospital Price Transparency Rule and the Transparency in Coverage Rule. These three regulatory streams are converging toward a comprehensive price transparency framework, and organizations should build compliance infrastructure that addresses all three through unified data and workflows.
Compliance Checklist for 2026
Use this checklist to assess your organization's readiness:
| Area | Key Requirements |
|---|---|
| Good Faith Estimates | Process to identify uninsured/self-pay patients at scheduling; GFEs generated and delivered within 1-3 business days; all required elements included (co-provider charges, codes, NPIs); multi-provider coordination workflow tested; delivery tracked with audit documentation; scalable for expansion to insured patients |
| Balance Billing | Systems configured to identify NSA-protected claims; cost-sharing calculated at in-network rates; patient balances suppressed; notice-and-consent process meets statutory requirements; consent forms reviewed by legal counsel |
| Notices & Disclosures | Required notices posted on website and in facilities; standard notice available in 15 most common local languages; right-to-GFE notice prominently displayed; delivery tracked and documented |
| IDR Readiness | Staff trained on process and timeline; documentation assembly workflow established; QPA calculation methodology documented; outcomes tracked and analyzed; filing fee budget allocated |
| Technology | Eligibility verification auto-identifies NSA triggers; GFE generation automated; balance billing suppression built into claims processing; compliance dashboards active; audit trail comprehensive |
The Bottom Line
The No Surprises Act is not a one-time compliance project — it is an ongoing operational requirement touching eligibility verification, cost estimation, patient communication, claims processing, and payment resolution. Organizations that treat it as a checkbox exercise expose themselves to escalating penalties and regulatory scrutiny.
The organizations handling NSA compliance most effectively have embedded compliance logic into their automated revenue cycle workflows. When eligibility checks flag NSA triggers automatically, GFEs generate without manual intervention, balance billing is suppressed systemically, and IDR documentation assembles itself — compliance becomes a background function, not a burden. With enforcement intensifying and requirements expanding, 2026 is the year to build the infrastructure that makes compliance automatic.
QuickIntell's AI-native revenue cycle platform automates No Surprises Act compliance end-to-end — from real-time eligibility classification with QuickAuth to automated GFE generation, balance billing suppression, and patient notification through QuickVoice. Built on SOC 2 Type II and HIPAA-certified infrastructure, QuickIntell ensures compliance is systematic, auditable, and scalable. See how it works for your organization.
Internal Links:
- Article #12 (Eligibility Verification Best Practices for 2026)
- Article #13 (Medicare's 2026 Prior Authorization Changes)
- Article #11 (Prior Authorization Automation Guide)
- Article #22 (Building a Modern RCM Tech Stack)
- Article #10 (SOC 2 and HIPAA Certifications Explained)
Ready to Transform Your Revenue Cycle?
See how QuickIntell's AI-powered platform can reduce denials, accelerate payments, and eliminate administrative burden for your organization.
Related Articles
Patient Payment Collection Strategies That Actually Work: From Statements to Self-Service
The average American family with employer-sponsored insurance now pays over $8,400 per year in out-of-pocket healthcare costs -- premiums excluded. Individ...
How AI Improves the Patient Financial Experience: Estimates, Eligibility, and Communication
American patients owe more than $220 billion in medical debt, and the problem isn't just the cost of care — it's the experience of paying for it. A 2024 su...
Disclaimer: This content is for informational purposes only and does not constitute medical, legal, or financial advice. Consult qualified professionals for guidance specific to your situation.