Compliance Briefing — January 1, 2022
The No Surprises Act’s January 2022 go-live forced U.S. payers, providers, and air ambulance operators to operationalize balance-billing bans, governance playbooks, and sourcing for price transparency infrastructure under tight enforcement timelines.
Executive briefing: On 1 January 2022 the No Surprises Act (NSA) became fully effective, extending federal balance-billing protections to commercially insured patients receiving emergency care, non-emergency services at in-network facilities, and air ambulance transport. The Department of Health and Human Services (HHS), Department of Labor, Department of the Treasury, and Office of Personnel Management share enforcement, while the Centers for Medicare & Medicaid Services (CMS) coordinates oversight with state regulators. Health systems, physician groups, payers, and revenue cycle vendors must now operate within an intricate compliance regime that blends new patient notice requirements, good faith cost estimates, independent dispute resolution (IDR), and data submission obligations.
Regulatory scope and expectations
The NSA prohibits out-of-network providers from billing patients more than applicable in-network cost-sharing amounts for emergency services and for non-emergency services performed at in-network facilities unless notice-and-consent rules are satisfied. It also requires providers and facilities to furnish good faith estimates (GFEs) for uninsured and self-pay patients, while group health plans and insurers must send advanced explanations of benefits (AEOBs) upon request. Air ambulance services are covered across the board. Enforcement draws on interim final rules—Part I (July 2021), Part II (September 2021), and the October 2021 IDR rule—as well as subsequent guidance clarifying batching rules, qualifying payment amount (QPA) calculations, and audit protocols. The Consolidated Appropriations Act, 2021, empowers HHS to levy civil monetary penalties up to $10,000 per violation, though providers may request waivers by demonstrating corrective action.
Operational priorities for providers and facilities
Hospitals, ambulatory surgery centers, and physician practices must embed NSA requirements into front-end scheduling, clinical operations, and back-end billing systems:
- Eligibility workflows. Registration teams need scripting and system prompts to identify NSA-protected encounters, capture insurance details, and trigger notice-and-consent protocols where permissible. Electronic health record (EHR) vendors should surface payer network status and QPA data at the point of care.
- Good faith estimate automation. Providers must calculate itemized GFEs within one business day for services scheduled at least three days in advance. Revenue cycle systems should generate estimates using historical charge data, payer-negotiated rates, and service bundles, with logic to include co-providers expected to furnish care (e.g., anesthesiologists, pathologists). Document retention policies must store GFEs for at least six years.
- Billing edits. Claims scrubbers should enforce NSA flags that prevent balance bills from being generated. For out-of-network clinicians practicing at in-network facilities, billing teams must adjust charges to in-network cost-sharing levels and reflect patient payments received.
- Dispute intake. Establish dedicated queues to manage patient complaints forwarded by state regulators or HHS. Intake teams require procedures for triaging grievances, documenting investigations, and coordinating restitution when violations occur.
Operational leaders should align NSA workflows with state surprise billing laws, many of which remain in force and in some cases supersede federal rules. Multi-state health systems need jurisdiction-specific playbooks and contract language clarifying whether the federal IDR process or state arbitration applies.
Governance moves for boards and executives
Boards of directors overseeing provider organisations must confirm that NSA compliance is embedded in risk management frameworks. Governance actions include:
- Compliance oversight. Audit and compliance committees should receive quarterly dashboards detailing NSA complaints, IDR notices, GFE timeliness, and refund activity. Meeting minutes should document deliberations and escalation decisions.
- Policy ratification. Boards should approve enterprise policies covering NSA notice-and-consent, GFE production, dispute handling, and delegation of authority for IDR submissions. Policies must cite the federal regulations (45 CFR Part 149 and 26 CFR 54.9816-4) and link to departmental procedures.
- Training accountability. Directors should mandate competency-based training for frontline staff, billing teams, and medical leadership. Completion rates and knowledge assessments help demonstrate effective compliance programmes during CMS audits.
- Third-party governance. Where outsourced revenue cycle vendors or physician staffing companies interact with patients, boards must ensure contracts include NSA obligations, indemnification terms, and audit rights.
Executive leadership should also coordinate messaging to medical staff, emphasising that physicians remain responsible for communicating costs and complying with notice-and-consent steps even when administrative teams provide support.
Payer and plan sponsor responsibilities
Group health plans and insurers face parallel obligations. They must calculate the QPA—the median of contracted rates for similar services in a geographic region—using 2019 data adjusted for inflation. Claims adjudication engines should automatically apply QPA-based cost-sharing and issue initial payment determinations within 30 calendar days. Plans must also respond to provider open negotiation notices and prepare IDR submissions. Self-funded employers frequently delegate these tasks to third-party administrators (TPAs) but remain fiduciaries under the Employee Retirement Income Security Act (ERISA); governance committees should review service agreements to confirm NSA performance standards and reporting cadences.
Payers need to produce AEOBs starting no earlier than 2023 once technical standards finalise, but in the interim must coordinate with providers on GFE data exchange. Many implement HL7 FHIR-based APIs or secure file feeds to transmit estimate details. Network management teams should reassess contract language to address NSA compliance, including requirements for directory accuracy, notification obligations, and IDR cost allocations.
Independent dispute resolution workflow
The IDR process is central to resolving payment disputes. After a 30-day open negotiation period, either party may initiate IDR within four days. Entities must register with the federal IDR portal, select certified arbiters, and submit documentation—including offers, QPA calculations, and supporting evidence—within strict deadlines. Finance and legal teams need playbooks specifying when to pursue IDR, approval thresholds for settlement offers, and recordkeeping protocols. The Fifth Circuit’s August 2023 decision vacating aspects of the IDR fee guidance does not affect 2022 operations, so organisations should still plan for administrative fees (initially $50 per party, later increased) and for batching similar claims where allowed.
Operational excellence in IDR requires data analytics. Organisations should track win/loss ratios, average adjudicated rates compared with QPAs, and root causes of disputes (e.g., missing documentation, payer underpayments). These insights inform contract negotiations and highlight training needs for coding teams.
Sourcing and technology enablement
NSA compliance relies on accurate data and responsive vendors. Key sourcing actions include:
- Revenue cycle platforms. Evaluate EHR and practice management vendors for NSA-specific functionality such as automated GFE generation, notice templates, and IDR documentation packages. Update statements of work to include configuration timelines, data quality requirements, and remediation commitments.
- Price transparency partners. Many organisations pair NSA programmes with Hospital Price Transparency and Transparency in Coverage rule initiatives. Procurement teams should assess whether existing shoppable service estimators and machine-readable file publishers can integrate NSA GFE logic and AEOB data feeds.
- Legal and arbitration support. Retain external counsel experienced in state and federal surprise billing disputes to advise on strategy and monitor litigation that could affect IDR methodology. For high-volume providers, consider panel agreements with certified IDR entities to secure capacity.
- Call center outsourcing. If patient financial counseling is outsourced, ensure vendors adhere to NSA scripting, maintain call recordings for six years, and escalate complaints promptly. Contracts should define performance guarantees tied to compliance metrics.
Technology roadmaps must include data governance. Organisations should implement master data management for payer contracts, maintain provider directories that reflect current network status, and integrate credentialing systems with scheduling platforms to prevent inadvertent out-of-network assignments. Cybersecurity teams must secure the transmission of GFE and AEOB data, particularly when sensitive cost information is shared with payers and vendors through APIs or file feeds.
Training and change management
Compliance leaders should deploy role-based training modules that cover NSA scenarios, documentation standards, and escalation routes. Simulation exercises—such as mock patient complaints or IDR filings—reinforce readiness. Communication plans should clarify that NSA protections apply regardless of patient consent in emergencies, highlight penalties for non-compliance, and explain the process for refunding overpayments within 30 business days.
Provider relations teams must engage employed and affiliated clinicians. Medical staff bylaws may need amendments addressing NSA compliance expectations, disciplinary actions for violations, and requirements for timely documentation of GFEs and patient communications. Quality and safety committees should examine how NSA intersects with emergency department throughput, clinical handoffs, and equity goals.
Monitoring and metrics
Key performance indicators (KPIs) help organisations stay ahead of enforcement. Suggested metrics include:
- Percentage of scheduled procedures with timely GFEs delivered.
- Number of NSA-related patient complaints and resolution times.
- Volume of open negotiation notices initiated and settled without IDR.
- IDR success rate and variance between final payment amounts and QPAs.
- Refund timeliness for overpayments identified through internal audits.
Compliance analytics teams should benchmark KPIs across facilities, highlight outliers, and coordinate corrective action plans. Annual program effectiveness reviews should document policy updates, technology enhancements, and lessons learned for board oversight.
Forward look
Federal agencies continue to refine NSA implementation. CMS issues quarterly guidance, updates IDR portal functionality, and publishes enforcement reports summarising complaint volumes. Litigation challenging the weight of the QPA in arbitration persists, and rulemakings may adjust IDR factors. Providers should anticipate integration with price comparison tools and AEOB automation once the Advanced Explanation of Benefits technical standards finalise. Maintaining disciplined governance, operational readiness, and sourcing partnerships positions organisations to navigate evolving expectations.
Key resources
- CMS No Surprises Act Implementation Resources
- Requirements Related to Surprise Billing; Part II (Interim Final Rule)
- Federal Independent Dispute Resolution Operations Manual
Zeph Tech equips compliance and revenue cycle teams with NSA workflow automation, payer data integrations, and dispute analytics that keep patient protections enforceable from day one.