Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Transaction FAQs

Guidance for transaction frequently asked questions.


Issued by: Centers for Medicare & Medicaid Services (CMS)

Issue Date: August 02, 2020

Q: If a patient or health plan subscriber uses his or her credit or debit card to pay for premiums, deductibles and/or co-payments, is that “transaction” considered a HIPAA standard, and must it be in a HIPAA compliant format with HIPAA compliant content?

A: No. The HIPAA standards must be used by “covered entities,” which are health plans, health care clearinghouses and health care providers who conduct any of the standard transactions electronically. The HIPAA standards do not apply to patients or health plan subscribers, unless they are acting in some capacity on behalf of a covered entity, and not on behalf of themselves. An individual, acting on behalf of himself or herself, is not a covered entity and is therefore not subject to the HIPAA standards. Transactions conducted between subscribers or patients and health plans or health care providers are not transactions with adopted HIPAA standards.

Q: What electronic health care transactions are required to use the standards under HIPAA?

A: As required by HIPAA, on August 17, 2000, the Secretary of Health and Human Services adopted standards for the following administrative and financial health care transactions:

  • Health care claims and equivalent encounter information
  • Enrollment and disenrollment in a health plan
  • Health care payment and remittance advice
  • Health plan premium payments
  • Health care claim status requests and responses
  • Referral certification and authorization
  • Eligibility inquiry and response
  • Coordination of benefits

Additional standards may be adopted in the future.

Q: Do the HIPAA transaction requirements, including the operating rules, apply to transactions between a health plan and its policyholders?

A: No, the HIPAA transaction requirements, including the operating rules, generally apply to electronic transactions between HIPAA covered entities. A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with HIPAA transactions. Policyholders, patients, and members are not covered entities, and therefore are not subject to the HIPAA transaction requirements.

Q: How do I know whether to use the National Drug Code (NDC), the Healthcare Common Procedural Coding System (HCPCS), or another code set when reporting drugs and biologics on HIPAA transactions?

A: The HIPAA Electronic Transactions and Code Set rule did not adopt a standard for reporting drugs and biologics in HIPAA transactions other than those for retail pharmacies. Therefore, covered entities are compliant when using the HCPCS or NDC code set to meet business needs. In the absence of an adopted code set for drugs and biologics, the X12 implementation guides adopted as HIPAA standards must be consulted. If you currently use HCPCS to report drugs and biologics you may continue to do so. You may also use the NDC code set if you meet the conditions for use specified in the implementation guide/TR3 Report. The NDC code set must be used for reporting drugs and biologics on retail pharmacy transactions.

Q: If a health plan does not conduct a particular HIPAA transaction – for example, the health care claim status transaction – is it required to comply with the operating rules adopted for the transaction?

A: If a covered entity is required to comply with the standards for a particular transaction, then the covered entity is also required to comply with the operating rules for the transaction.

Q: What transactions does the "Version 5010" Final Rule for HIPAA standards include?

A: The Version 5010 final rule adopted new versions of the ASC X12 and NCPDP standards for HIPAA transactions. The rule adopted Version 5010 to replace Version 4010/4010A, and Version D.0 to replace Version 5.1

The Version 5010 standard for transactions include:

  • Health care claims or equivalent encounter information for professional, institutional, and dental services
  • Eligibility for a health plan (inquiry and response)
  • Referral certification and authorization; health care claim status (inquiry and response)
  • Enrollment and disenrollment in a health plan
  • Health care payment and remittance advice
  • Health care premium payments
  • Coordination of benefits

The D.0 standard for pharmacy transactions includes:

  • Claims
  • Eligibility requests and responses
  • Referral certification and authorization
  • Coordination of benefits

The Version 5010 final rule also adopts a new NCPDP standard for Medicaid pharmacy subrogation. This standard allows State Medicaid agencies to conduct pharmacy subrogation transactions with certain payers to more efficiently recoup funds for payments that they have made for Medicaid recipients, in cases where another third-party payer has primary financial responsibility. Medicaid agencies and their trading partners had been using proprietary formats, without the benefit of standardization.

Q: Is a health plan or health care provider compliant with the HIPAA transactions and code sets regulations if a health care clearinghouse transmits HIPAA standard transactions on its behalf?

A: Yes. However, if a covered entity chooses to use a business associate to conduct transactions on its behalf, the covered entity must require the business associate to comply with all HIPAA transaction standards, operating rules, and code sets on behalf of the covered entity. For more information regarding business associate requirements, see the final rule published on January 25, 2013 (78 FR 5566).

Q: Do the HIPAA requirements for the eligibility for a health plan transaction and health care claims transaction, including the standards and operating rules, apply to issuers of long-term care nursing home fixed indemnity policies?

A: No, under the definition of "health plan" at 45 CFR 160.103, issuers of long-term care nursing home fixed indemnity policies are not health plans. Therefore, HIPAA administrative simplification requirements, including operating rules, do not apply to those plans.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.