What Providers Need to Know
CMS is rolling out a new management approach for the Medicare Health Eligibility Transaction System (HETS) Electronic Data Interchange (EDI), and it comes with a new compliance step. HETS is a foundational system for verifying Medicare eligibility and benefits. Going forward, Medicare providers and suppliers must complete annual attestation of authorized third-party relationships with trading partners that submit 270 eligibility inquiries and receive 271 eligibility responses. For revenue cycle teams, if access is disrupted, downstream billing accuracy can be impacted leading to reimbursement delays.
What HETS EDI attestation is—and why CMS is requiring it
CMS is requiring this attestation to ensure that only authorized parties receive Medicare eligibility data. Typically, providers contract with clearinghouses to act as a middleman and obtain patient eligibility information to give to a provider. CMS is requiring that every provider organization attest that each clearinghouse accessing Medicare eligibility data on their behalf is authorized to do so. HETS EDI enables providers and suppliers to check Medicare beneficiary eligibility using 270/271 eligibility transactions. Many organizations don’t submit those transactions directly, they rely on clearinghouses and eligibility/benefits verification vendors or other third parties to run the transactions on their behalf.
Under CMS’s updated approach, providers must attest to affirm their active relationship with any third-party entity (clearinghouse) that performs these eligibility checks for them. The practical intent is to ensure CMS, via the provider’s Medicare Administrative Contractor (MAC), has clear, validated visibility into who is accessing HETS on a provider’s behalf—and that access is tied to legitimate, current business relationships.
HETS EDI Attestation Timeline
- March 31, 2026 – Target deadline to complete attestation
- May 11, 2026 – New CMS system goes live
CMS has not detailed final enforcement consequences. Providers should plan as if attestation will be required to avoid interruptions.
Operational issues attestation may cause
Even when the risk of immediate loss of access is considered low, the attestation requirement introduces several real-world challenges, starting with provider-side dependency and signature constraints. CMS requires that the attestation be completed by an authorized or delegated official enrolled in PECOS. This means vendors, including R1 staff, can support but cannot complete attestations on a client’s behalf. Any delay in identifying the correct PECOS official—or getting time on their calendar—can slow compliance.
Data gathering can be fragmented across vendors and sites. To attest accurately, provider organizations must compile details that may be scattered across contracts, onboarding records, IT teams and vendor contacts, especially for multi-site health systems.
“Providers need to understand this is not a one-and-done compliance process,” said Connor McLarren, manager of Regulatory Compliance & Regulatory Affairs at R1. “It’s an annual requirement and new provider locations must be included every year. If a new site begins submitting eligibility checks through a vendor and the relationship isn’t attested, that site could face transaction issues later. So, health systems need to make this part of their ongoing operational and compliance workflows.”
Finally, there are technical compliance considerations. CMS has expressly required the originating IP address for every HETS transaction and prohibits manipulation or obfuscation. Organizations using complex network routing, security tools, or third-party infrastructure should confirm their setups won’t inadvertently create compliance risk.
Top action items for compliance readiness
To keep Medicare eligibility workflows running smoothly, providers should prioritize the following steps:
- Inventory all third-party eligibility relationships used for Medicare 270/271 transactions (clearinghouses and EDI/eligibility vendors).
- Collect required attestation data, including National Provider Identifier (NPI), Provider Transaction Access Number (PTAN), vendor unique HETS ID, relationship effective start date and termination date if applicable, plus signer name and email.
- Identify the correct PECOS authorized/delegated official who will complete the attestation and ensure they’re prepared to act.
- Complete attestations through the appropriate MAC. All MAC jurisdictions have attestation capacity.
- Confirm scope and accuracy. R1’s current interpretation is that facility/site-level enrollment is acceptable, though CMS may refine expectations later.
- Plan for annual renewal and change management. Maintain a centralized record of vendor HETS details and update it for new locations or vendor transitions.
- Review IP address handling to ensure HETS traffic is not being artificially altered or obscured.
For revenue cycle leaders, the bottom line is clear and bright—treat HETS EDI attestation as a governance and continuity requirement. Proactive coordination among enrollment officials, operational teams and vendors now will reduce last-minute scrambling and help protect the eligibility checks that keep cash flow moving.
