No Surprises Act Compliance Guide 2026

The No Surprises Act (NSA), enacted as part of the Consolidated Appropriations Act of 2021, took effect January 1, 2022. It prohibits surprise medical bills for emergency services, air ambulance services from out-of-network providers, and non-emergency services at in-network facilities from out-of-network providers when the patient did not have the opportunity to choose an in-network alternative. Four years in, the law has matured significantly. The Departments of Labor (DOL), Health and Human Services (HHS), and Treasury jointly enforce the Act. CMS has issued multiple rounds of sub-regulatory guidance clarifying provider obligations. The independent dispute resolution (IDR) process has been overhauled after early legal challenges. And enforcement actions are no longer theoretical — DOL has issued over 200 warning letters and initiated formal proceedings against non-compliant providers and facilities. For billing operations, the NSA touches eligibility verification, patient notices, good-faith estimates, balance billing prohibitions, and the IDR process for payment disputes.

The Good Faith Estimate (GFE) provision requires providers and facilities to give uninsured or self-pay patients a written estimate of expected charges before delivering scheduled services. The GFE must include: the patient's name and date of birth, a description of each item or service, the expected charge for each item or service (using the provider's cash rate), the NPI and TIN of each provider, a list of items or services that the provider reasonably expects to be furnished in conjunction with the primary service, and applicable diagnosis codes. Timing rules: for services scheduled at least three business days in advance, the GFE must be provided within one business day of scheduling. For services scheduled at least 10 business days in advance, the GFE must be provided within three business days of scheduling. If the actual bill exceeds the GFE by $400 or more, the patient can initiate the patient-provider dispute resolution (PPDR) process. Practices that fail to provide GFEs face enforcement action and civil monetary penalties of up to $10,000 per violation.

The NSA's core protection prohibits balance billing in three scenarios. Emergency services: out-of-network providers at emergency departments cannot balance bill the patient for amounts above the in-network cost-sharing amount. Post-stabilization services: once an emergency patient is stabilized, OON providers cannot balance bill unless the patient provides informed consent using a specific CMS-mandated notice form at least 72 hours before the service. Non-emergency services at in-network facilities: when an OON provider delivers services at an in-network facility (the most common scenario is an OON anesthesiologist, pathologist, radiologist, or assistant surgeon), the OON provider cannot balance bill the patient. The provider must accept the in-network cost-sharing amount as payment in full from the patient and pursue any remaining balance through the IDR process with the payer. Compliance requires your billing system to correctly identify NSA-protected claims and suppress balance bills on those claims. Failure to suppress a balance bill is a violation regardless of intent.

When an OON provider disagrees with a payer's payment for an NSA-protected claim, the IDR process is the resolution mechanism. After the initial payment or denial, the provider has 30 business days to initiate a 30-day open negotiation period with the payer. If negotiation fails, either party can submit the dispute to a certified IDR entity within four business days. The IDR entity reviews both parties' submissions and selects one offer — this is baseball-style arbitration, not a compromise. The IDR entity must consider: the qualifying payment amount (QPA), which is the payer's median in-network rate for the same service in the same geographic area; the provider's training and experience; the complexity of the service; the patient's acuity; and market share and contract history. The Texas Medical Association v. HHS litigation struck down the original rule that gave extra weight to the QPA. The revised rule treats all factors equally. IDR filing fees for 2026 are $50 for single claims and $25 per item for batched claims (updated from the original $50 flat fee). The losing party pays the certified IDR entity's fee, which ranges from $200 to $700 for single determinations.

The NSA is a federal floor, not a ceiling. If a state has a surprise billing law that provides equal or greater protection, the state law governs for state-regulated plans (fully insured plans). The federal NSA applies to self-insured employer plans (ERISA plans) because states cannot regulate those. As of 2026, 35 states plus Washington DC have their own surprise billing laws, many of which predate the NSA. Some states, like New York and California, have stricter requirements and different dispute resolution processes. Your billing operation must identify whether each patient's plan is fully insured (state law applies) or self-insured (federal NSA applies) and apply the correct rules. This plan-level determination adds complexity but is essential for correct billing. Most payer portals indicate plan type during eligibility verification.

NSA enforcement has real teeth. Civil monetary penalties: up to $10,000 per violation for failing to provide GFEs, issuing prohibited balance bills, or failing to provide required patient notices. CMS enforcement: CMS can impose corrective action plans, require compliance attestations, and refer cases to the HHS Office of Inspector General. State enforcement: state insurance commissioners can take action against providers who violate state-level surprise billing laws, including license sanctions. DOL enforcement: for ERISA plans, DOL can investigate complaints and refer violations for penalty action. In practice, the most common enforcement triggers are patient complaints about surprise bills, payer reports of providers who repeatedly balance bill on NSA-protected claims, and failure to provide GFEs to self-pay patients. Go Medical Billing's compliance team monitors every NSA-related update and ensures that client billing workflows suppress prohibited balance bills, generate compliant GFEs, and correctly route payment disputes to IDR when appropriate.

Use this checklist to verify NSA compliance. Patient notices: post the CMS-mandated patient rights notice in your facility (available at cms.gov/nosurprises). Good faith estimates: generate and deliver GFEs for every uninsured and self-pay patient within the required timeframes. Billing system configuration: configure your practice management system to flag NSA-protected claims and suppress balance bills automatically. Consent forms: use the CMS-approved notice-and-consent form when an OON provider at an in-network facility wants to balance bill a patient for a non-emergency service (the patient must sign at least 72 hours in advance). Staff training: train front-desk, billing, and clinical staff on NSA requirements annually. IDR process: establish a workflow for initiating IDR when payer payments are below your expected reimbursement on NSA-protected claims. Documentation: maintain records of all GFEs, patient notices, consent forms, and IDR filings for at least seven years.