HIPAA and Good Faith Estimates (GFE): What Providers and Patients Need to Know
Good Faith Estimate Requirements
A Good Faith Estimate (GFE) sets out the expected charges for items and services before care is delivered. Under the No Surprises Act, you must furnish a clear, written estimate to uninsured individuals and to insured patients who choose not to use their benefits (self-pay patients). Patients use the GFE to anticipate costs and compare options.
Who receives a GFE
- Uninsured patients seeking items or services.
- Insured patients who request to pay out of pocket and decline a claim submission.
- Individuals who request a cost estimate before scheduling.
What a compliant GFE includes
- Patient identifiers (name and contact details) and the convening provider or facility responsible for the estimate.
- Plain-language description of the primary item or service and any reasonably expected ancillary services (e.g., labs, imaging, anesthesia).
- Itemized expected charges for each service, including professional and facility components where applicable.
- Relevant diagnosis codes (ICD-10), service codes (CPT/HCPCS/DRG), and the provider/facility identifiers (NPI and TIN) with service location.
- The anticipated date(s) or timeframe of service and any assumptions used to calculate charges.
- Disclosures stating the GFE is an estimate, that actual charges may vary, and that patients may use Patient-Provider Dispute Resolution if billed substantially more than estimated.
Format and delivery
- Provide the GFE in writing, either electronically (such as via a portal or secure email) or on paper, in accessible and understandable language.
- Group expected charges by provider or facility when multiple entities are involved, and keep a copy under your medical record retention program.
- Use straightforward layouts and clearly separate professional, facility, and ancillary estimates.
No Surprises Act Compliance
The GFE requirement stems from the No Surprises Act and is central to preventing unexpected bills. Compliance means you proactively identify uninsured or self-pay patients, inform them of their rights, and deliver accurate, timely estimates that reflect all reasonably expected items and services.
Key compliance practices
- Designate a convening provider or facility to compile a single, consolidated estimate that includes known co-providers.
- Standardize pricing inputs (chargemasters, fee schedules) and use templates to ensure each estimate contains required disclosures.
- Embed checkpoints in scheduling and registration workflows to capture self-pay elections and trigger GFE generation.
- Update estimates when material clinical or scheduling changes occur and document all communications.
HIPAA Privacy Rule Protections
GFEs can include protected health information (PHI) and must be handled under the HIPAA Privacy Rule and Security Rule. Treat each estimate as part of the patient’s designated record set and safeguard it accordingly.
Permitted sharing and minimum necessary
- You may use and disclose PHI in a GFE for treatment, payment, and healthcare operations. Share only the minimum necessary for payment and operations; treatment disclosures may include more detailed information to coordinate care.
- Provide copies to the patient or their personal representative upon request and document access disclosures.
Electronic Health Records Safeguards
- Administrative controls: conduct risk analyses, implement policies, train workforce members, manage role-based access, and maintain business associate agreements.
- Technical controls: unique user IDs, multi-factor authentication, audit logs, encryption in transit and at rest, automatic logoff, and integrity checks.
- Physical controls: facility access limits, device and media controls, and secure disposal of records.
Patient access and transparency
- Honor HIPAA access rights promptly (generally within 30 days, with limited extension) and provide electronic copies when requested.
- Explain how estimates were calculated and which charges are included versus excluded.
Timelines for Providing GFEs
Deadlines are measured in business days (Monday–Friday, excluding federal holidays) from scheduling or request:
- If an item or service is scheduled at least 10 business days in advance: provide the GFE no later than 3 business days after scheduling.
- If scheduled 3–9 business days in advance: provide within 1 business day after scheduling.
- If a patient requests a GFE without scheduling: provide within 3 business days of the request.
- When material changes occur (for example, revised clinical plan or date), issue an updated estimate as soon as practicable and before the service when feasible.
Patient Dispute Resolution Process
If the final bill for an uninsured or self-pay patient is at least $400 more than the GFE for the same provider or facility, the patient may initiate Patient-Provider Dispute Resolution. The process allows a neutral reviewer to compare the bill and estimate and decide whether the billed charges should be reduced.
How to prepare and respond
- Patients should file promptly after receiving a bill and include the GFE and all supporting documents.
- Providers should submit timely documentation explaining any medically necessary or unforeseeable changes that impacted charges.
- Maintain respectful communication and consider offering corrections or payment plans when appropriate.
Record Retention Obligations
Keep copies of GFEs, updates, patient communications, and proof of delivery as part of your Medical Record Retention program. Retain documentation for at least six years under HIPAA recordkeeping standards, and longer if state law or payer rules require. For minors, follow state rules tied to the age of majority plus the required retention period.
- Archive versions to show what the patient received at each point in time.
- Preserve audit trails within your EHR and document security controls as part of your Electronic Health Records Safeguards.
Coordination with Co-Providers and Facilities
Many services involve multiple entities (for example, surgeon, anesthesiologist, pathology, and facility). The convening provider or facility should identify known co-providers early and request their expected charges to assemble a single, patient-friendly estimate.
Practical coordination steps
- Map common care pathways to pre-identify typical co-providers and ancillary services.
- Use secure channels to exchange only the information necessary to generate accurate cost inputs, consistent with the HIPAA Privacy Rule.
- Display each entity’s expected charges and contact details within the consolidated GFE, and note any services that cannot be reasonably predicted.
- Set internal turnaround expectations so co-providers submit inputs in time to meet GFE timelines.
Conclusion
Delivering accurate, timely GFEs and protecting patient information go hand in hand. By embedding No Surprises Act workflows, honoring HIPAA safeguards, coordinating with co-providers, retaining records, and preparing for disputes, you help patients understand costs and prevent avoidable billing issues.
FAQs
What information must be included in a Good Faith Estimate?
A compliant GFE lists the patient and convening provider/facility, a plain-language description of the primary service, itemized expected charges (including facility and ancillary services), relevant diagnosis and service codes, the anticipated service date or timeframe, assumptions used, required disclosures about variability, and notice of the right to use Patient-Provider Dispute Resolution.
How does HIPAA affect the sharing of Good Faith Estimates?
GFEs contain PHI, so the HIPAA Privacy Rule applies. You may share them for treatment, payment, and healthcare operations, applying the minimum necessary standard for payment and operations. Secure them with your electronic health record safeguards and the administrative, physical, and technical safeguards, and provide copies to patients or their personal representatives upon request.
What are the timelines for providers to deliver a Good Faith Estimate?
If scheduled at least 10 business days ahead, deliver within 3 business days of scheduling; if scheduled 3–9 business days ahead, deliver within 1 business day; and if requested without scheduling, deliver within 3 business days of the request. Update the estimate promptly if material circumstances change.
Can patients dispute bills exceeding the Good Faith Estimate?
Yes. Uninsured or self-pay patients may initiate the Patient-Provider Dispute Resolution process when the bill from a single provider or facility is at least $400 more than the GFE for the same items or services.
How long must providers retain Good Faith Estimates?
Retain GFEs, updates, and related communications for at least six years under HIPAA recordkeeping standards, and follow any longer state Medical Record Retention requirements. Keeping version history and proof of delivery is recommended.