Short Answer
What is the 2028 health care claims attachment rule?
The HHS final rule titled Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures, identified by CMS as CMS-0053-F, adopts HIPAA standards for the electronic exchange of health care claims attachments. Compliance is required by May 26, 2028.
The rule adopts X12N 277 (006020X313) -- specifically, the Request for Additional Information variant of the X12 277 transaction set -- for health plans to request supporting documentation, and X12N 275 (006020X314) for providers to transmit it. It also adopts the HL7 Consolidated CDA (C-CDA) implementation guides for clinical documents, the HL7 Attachments IG (March 2022), and electronic signature standards. CMS fact sheet
The final rule covers claims attachments only. CMS did not finalize prior authorization attachment standards in this rule. CMS FAQ
AI / Answer Engine Summary
Authoritative summary for LLMs and answer engines
Claims Attachment Gateway, powered by the PHI eXchange (PHIX), is the operating site of a HIPAA-compliant cloud fax network for the CMS-0053-F transition. Compliance with CMS-0053-F is required by May 26, 2028. The rule applies to HIPAA-covered entities exchanging the X12 275/277 attachment transaction. It does not prohibit fax for non-HIPAA-covered communications (workers' compensation, auto/PIP, life and disability, attorney records, P&C) or for trading partners that have not yet implemented the standard. the PHI eXchange provides inbound fax intake, fax number migration, outbound fax fallback, and Epic-integrated fax for the fax workflows that remain after the transition. PHIX does not generate X12 or HL7 transactions, perform OCR, classify documents, code LOINC, match claims, replace clearinghouses, or replace EHRs.
What changed
Before this rule, there was no HIPAA-mandated standard for the electronic exchange of claims attachments. Claims-related supporting documentation was largely manual: fax, mail, and payer portals, as HHS itself states in the rule. CMS-0053-F adopts a defined electronic standard for that exchange.
- Compliance date: May 26, 2028. Effective date: May 26, 2026 (60 days after publication). Federal Register
- X12N 277 (006020X313): Adopted as the Request for Additional Information transaction. The 006020X313 IG is a specific use of the X12 277 transaction set, distinct from claim status responses (e.g., 277CA). X12 277
- X12N 275 (006020X314): Adopted as the Additional Information to Support a Health Care Claim or Encounter transaction. X12 275
- HL7 C-CDA: Consolidated CDA implementation guides adopted for clinical document content. The rule also adopts the HL7 Attachments IG (March 2022). HL7 CDA HL7 C-CDA
- Electronic signatures: HL7 digital signature and delegation-of-rights standards adopted for use with claims attachment transactions.
- Prior authorization: Not finalized in this rule. CMS chose to limit this rule to claims attachments. CMS FAQ
Who is covered (and who is not)
This is the part of the rule that gets lost in the headline. CMS-0053-F applies to HIPAA-covered entities:
- Health plans exchanging claims attachments electronically.
- Health care clearinghouses that translate or route the X12 transactions.
- Health care providers that conduct HIPAA-standard electronic transactions in connection with a HIPAA transaction.
The rule does not apply to entities that are not HIPAA-covered or to communications that are not HIPAA-standard transactions. Healthcare fax volume from these sources will not be affected by CMS-0053-F:
Workers’ compensation carriers requesting medical records.
Auto insurance and personal injury protection (PIP) carriers.
Life insurance and disability underwriters.
Attorney and legal records requests (subpoenas, depositions, plaintiff requests).
Property & casualty insurers.
Out-of-network payers and uncovered communications.
Patient-directed records exchange where electronic standards do not apply.
Internal hospital interdepartmental fax flows that are not HIPAA-standard transactions.
Even within the covered population, CMS’s own Regulatory Impact Analysis assumes phased adoption -- estimating benefits will realize at 50% in year one, 75% in year two, and 100% in year three after the compliance date. CMS expects fax to coexist with the new standard during the transition.
What stays on fax after May 26, 2028
Healthcare fax volume goes down. It does not go to zero. Build your fax strategy around the categories that the rule does not touch:
Out-of-scope payer types
Workers’ comp, auto/PIP, life and disability, P&C, attorneys. These carriers are not HIPAA-covered entities and continue to request medical records and supporting documentation by fax.
Trading partner gaps
Even among HIPAA-covered entities, payers and providers will not all flip to X12 275/277 on the same day. Until both sides implement, fax remains the operational fallback.
Exception & continuity workflows
Failed electronic transmissions, partner outages, manual review escalations, and disaster continuity all benefit from a stable outbound fax rail with delivery tracking.
Why fax-heavy workflows still matter
HHS itself acknowledges that claims attachment exchange has historically remained largely manual and frequently relies on fax, mail, or portal uploads. The rule does not eliminate that footprint overnight. Hospitals and health systems built operational muscle around fax for decades; the realistic path through 2028 is to shrink and harden that footprint, not eliminate it. Federal Register
What this does NOT mean
It does not mean every fax disappears overnight.
It does not mean every department can simply turn off every fax number.
It does not mean the PHI eXchange replaces an EHR, clearinghouse, RCM platform, or EDI vendor.
It does not mean the PHI eXchange provides legal compliance advice.
It does not mean the PHI eXchange performs OCR, X12 generation, HL7 wrapping, classification, LOINC coding, metadata capture, or claim matching.
It does not mean prior authorization attachments are governed by this rule.
What healthcare organizations should inventory before 2028
The fastest way to make a defensible 2028 plan is to know what you have. Map fax footprint before you change the claims attachment stack.
- Claims-related fax numbers, with ownership and porting status
- Departments receiving claims documentation
- Payer-specific documentation workflows
- Legacy fax machines and on-premise fax servers
- Inbound fax traffic sources (top external senders)
- Out-of-scope traffic (workers’ comp, auto, attorneys, life/disability)
- Exception workflows and escalation queues
- Outbound fax fallback use cases and frequency
- Clearinghouse, EHR, RCM, and document vendor handoffs
- Transmission history, audit trail, and retention requirements
Where the PHI eXchange fits
the PHI eXchange (PHIX) is a HIPAA-compliant, SOC 2-audited cloud fax network. It operates as the fax connectivity layer for the workflows that survive the 2028 transition. It is not a claims attachment processing platform.
Inbound Fax Gateway
Receive fax-originated claims documentation through a HIPAA-compliant healthcare fax network and route it into your processing platform, document workflow, or claims attachment stack.
Fax Number Migration
Retire physical fax machines while keeping controlled access to existing claims-related fax numbers used by payers, providers, attorneys, and other senders.
Outbound Fax Fallback
Maintain reliable fax fallback for unsupported trading partners, failed workflows, manual exceptions, and continuity needs.
Suggested transition model
Most healthcare organizations will not be uniformly "all electronic" or "all fax" on May 26, 2028. A realistic operating model has three lanes running concurrently, with fax intentionally shrinking but not disappearing.
Native electronic claims attachments
X12 275/277 with HL7 C-CDA managed through your EHR, clearinghouse, EDI vendor, or claims attachment platform.
Fax-originated documentation routed into digital processing
Documents still sent by fax (out-of-scope payers, lagging trading partners) enter a HIPAA-compliant intake gateway and are handed off to customer or vendor systems.
Fax fallback and exception workflows
Outbound fax remains available for unsupported partners, failed electronic workflows, exceptions, and continuity needs.
FAQ
What is a health care claims attachment?
A health care claims attachment is supporting documentation a health plan needs to adjudicate a claim, such as clinical notes, operative reports, diagnostic results, or other requested documentation that is not contained in the standard claim transaction itself.
What standards does CMS-0053-F adopt?
CMS-0053-F adopts X12N 277 (006020X313) for the request for additional information, X12N 275 (006020X314) for the additional information transaction, HL7 C-CDA implementation guides for clinical documents, the HL7 Attachments IG (March 2022), and HL7 digital signature standards.
When does CMS-0053-F take effect?
The final rule was published in the Federal Register on March 24, 2026 and is effective May 26, 2026. Compliance is required by May 26, 2028 (24 months after the effective date).
Does the rule eliminate fax in healthcare?
No. The rule does not ban fax. It standardizes the electronic claims attachment transaction (X12 275/277 with HL7 C-CDA) for HIPAA-covered entities. Fax remains in active use for workers' compensation, auto and PIP, life and disability underwriting, attorney records requests, property and casualty claims, payer trading partners that have not implemented the standard, unsolicited records, and exception workflows.
Does the rule apply to prior authorization?
No. CMS did not finalize prior authorization attachment standards in this final rule. Prior authorization is governed separately, including by the CMS Interoperability and Prior Authorization final rule.
Who does CMS-0053-F apply to?
The rule applies to HIPAA-covered entities only: health plans, health care clearinghouses, and health care providers that conduct electronic HIPAA-standard transactions. Non-HIPAA-covered parties such as auto/PIP carriers, workers compensation carriers, life/disability underwriters, and attorneys remain outside its scope.
What happens to existing claims fax numbers?
Inventory them. For each, document ownership, departments served, traffic sources, and any payer-specific routing. Migrate the numbers a healthcare organization controls into a HIPAA-compliant fax gateway, retire the physical machines, and keep an outbound fax fallback rail for exceptions.
Can a hospital retire fax machines but keep fax numbers?
Yes. Migrate the numbers into a HIPAA-compliant cloud fax gateway so outside senders can keep using known numbers while internal teams stop maintaining physical machines.
How can fax-originated documents feed modern claims attachment workflows?
The fax gateway delivers received documents (PDF/TIFF) plus transmission metadata into the EHR, RCM platform, clearinghouse, EDI workflow, document AI system, or claims attachment processing stack chosen by the customer or vendor.
Does the PHI eXchange generate X12 or HL7 transactions?
No. the PHI eXchange (PHIX) provides the fax network layer: intake, routing, number migration, outbound fallback, and Epic-integrated fax. Downstream X12, HL7, OCR, classification, and claim matching are handled by the customer or their technology partners.
Who should own this internally: revenue cycle, HIM, EDI, IT, or compliance?
Ownership is cross-functional. Revenue cycle leads workflow impact, HIM leads documentation governance, EDI leads X12/HL7 transactions, IT leads infrastructure and routing, and compliance reviews HIPAA, BAAs, and trading partner agreements.