Surprise Billing (No Surprises Act): The Only 3 Forms Your Small Practice Needs Now (45 CFR § 149.410)

The No Surprises Act changed how small practices may bill for emergency and certain out-of-network services by sharply limiting balance billing and tying any exception to strict notice, consent, and documentation rules under 45 CFR 149.410 and its companion provisions. For a lean clinic, these rules can feel abstract until they are turned into a tight set of forms that staff can actually use. This article frames compliance around three practical form types that every small practice should have: a one-page patient protections notice, a standard federal notice and consent package, and a simple internal NSA attestation log. When these forms are correctly implemented, retained, and tied to your billing workflows, they reduce the risk of unlawful balance billing, plan disputes, and patient complaints that can trigger enforcement under 45 CFR Part 149 Subpart E.

The No Surprises Act was written with big systems and health plans in mind, but its rules land directly on small practices that provide emergency services, post stabilization care, or non-emergency services in hospitals and other facilities. Under 45 CFR 149.410, nonparticipating emergency facilities and providers cannot bill more than the in network cost sharing for covered emergency services, and they can only step outside that protection when a tightly regulated notice and consent process is followed.

In practice, that means your practice has two basic choices in these situations: respect the statutory default and bill as if you were in network, or properly use the notice and consent exception and accept the paperwork that comes with it. The difference between compliance and a costly error often comes down to whether your staff use the right form in the right situation, at the right time, and can prove it later. Instead of drowning in guidance, small practices can focus on building and maintaining three forms that anchor every No Surprises Act interaction.

Understanding Legal Framework and Scope Under 45 CFR 149.410

45 CFR 149.410 sits inside Part 149, which implements the No Surprises Act protections for emergency services furnished at hospital emergency departments and independent freestanding emergency departments. It prohibits nonparticipating emergency facilities and nonparticipating providers from billing beyond the patient’s in network cost sharing for covered emergency services related to an emergency medical condition. The rule cross-references definitions and payment standards elsewhere, but for a clinic the key takeaway is simple: in most emergency situations you cannot “balance bill” the patient, regardless of your network status.

The regulation also creates a narrow exception. For certain post stabilization items and services that no longer qualify as emergency services, a nonparticipating provider or facility may bill more than in network cost sharing only if all notice and consent conditions in 45 CFR 149.410(b) and 45 CFR 149.420(c) through (g) are met. Among other things, the patient must be clinically stable, informed of in network alternatives, and given a detailed written notice including a good faith estimate of charges and a clear statement that they are waiving federal protections.

Separately, 45 CFR 149.430 requires providers and facilities to give patients a one-page disclosure explaining their No Surprises Act protections, including the prohibitions and exceptions in 149.410 and 149.420, and any state surprise billing rules that go further. Together, these sections drive the three forms discussed here. Federal law sets a national floor, but states may add stronger protections that narrow when notice and consent can be used. Your forms should be drafted to reflect the most protective rule that applies to your patients. When the framework is understood and embedded in forms, you reduce payment disputes, avoid recoupments, and lower the chance that a billing complaint turns into a regulatory investigation.

Enforcement of the balance billing rules under 45 CFR Part 149 is split between several actors. HHS, the Department of Labor, and the Department of the Treasury share federal enforcement authority, while state regulators enforce parallel rules for fully insured plans and may enforce state surprise billing laws that supplement or exceed federal requirements. Complaints may come from patients, plans, or providers and are routed through state or federal complaint processes, including the provider and facility complaint pathway in 45 CFR 149.450.

Common triggers tied to 45 CFR 149.410 and the related provisions include:

• Patient complaints that they received a large out-of-network bill for emergency or facility based services despite believing they were protected from surprise bills.

• Plan disputes where the payer asserts that notice and consent was invalid, that the patient could not legally waive protections, or that the provider failed to send the required documentation with the claim under 45 CFR 149.410(e).

• Pattern analysis by regulators showing repeated use of the notice and consent exception in situations that should remain fully protected under 45 CFR 149.410(c), such as truly unforeseen urgent needs.

For a small clinic, the best defense is a clean, repeatable form based process: a posted disclosure notice, a correctly completed federal notice and consent package when the exception legitimately applies, and an internal attestation that documents clinical stability, timing, and plan notification. When those pieces line up, it is much easier to demonstrate good faith compliance during any audit or complaint review.

Even though these obligations arise from the No Surprises Act and 45 CFR Part 149, they are often reviewed alongside HIPAA privacy and billing controls in a single audit or payer review. To help your practice survive that scrutiny, it helps to translate the legal text into a small set of controls that map directly to the three core forms.

1. Build and adopt a single No Surprises Act disclosure notice template

• How to implement: Use the federal Model Disclosure Notice Regarding Patient Protections Against Surprise Billing as your base, customizing it with any applicable state law protections and your contact information, while ensuring it explains the prohibitions in 45 CFR 149.410 and 149.420 in plain language.

• Evidence to retain: Keep the master template with revision dates in your policy manual, and periodically take photos or screenshots of posted signage and website placement to show that the one-page notice is publicly available and given to patients as required by 45 CFR 149.430.

• Low cost method: A simple word processing file and a laminated poster near check in are enough; your website can host a PDF or a text page with the same language.

2. Standardize use of the federal Standard Notice and Consent Documents for eligible services

• How to implement: Limit use of the notice and consent exception to the situations described in 45 CFR 149.410(b) and section 2799B 2(d) of the Public Health Service Act, such as certain post stabilization services or non-emergency out of network services at a participating facility. Staff must use the CMS Standard Notice and Consent Documents without altering required language, fill in the good faith estimate, list in network alternatives, and obtain signatures at least 72 hours in advance or within the three-hour same day window where allowed.

• Evidence to retain: Keep the signed notice and consent package in the patient record and in a central electronic folder organized by date of service, and verify that each package references the specific items and services billed. This directly supports the seven-year retention requirement in 45 CFR 149.410(d).

• Low cost method: Scan paper forms into your existing electronic health record or a secure shared drive, with a simple naming convention that includes the date, patient initials, and “NSA consent”.

3. Create an internal NSA notice and consent attestation form

• How to implement: Develop a one-page internal checklist that your clinical or billing lead completes whenever the notice and consent exception is used. The form should document the clinical stability determination, available in network options, timing of the notice and signature, and whether the situation was eligible under 45 CFR 149.410(b) rather than barred under 149.410(c). It should also include a field to confirm that a copy of the signed notice and consent will be sent to the plan or issuer as required by 45 CFR 149.410(e).

• Evidence to retain: File the internal attestation with the signed notice and consent, and use it during internal audits to verify that each consent event was properly handled.

• Low cost method: Use a simple checklist template printed on colored paper or in an electronic form tool your staff already use for other internal audits.

4. Wire the three forms into your scheduling and registration workflows

• How to implement: Update scripts and workflow diagrams so that front desk and clinical staff know exactly when to give the one-page disclosure notice, when the standard notice and consent package may be offered, and when they must not offer it because the protections remain non waivable under 45 CFR 149.410(c).

• Evidence to retain: Keep copies of updated scripts and brief training logs showing that staff were walked through the workflows, and periodically spot check charts to ensure that forms appear where they should.

• Low cost method: Integrate short prompts into existing intake forms and EHR templates instead of purchasing a new system.

5. Tie plan notification to your billing system

• How to implement: Configure your billing software or clearinghouse workflow so that any claim linked to a notice and consent event automatically includes a flag or attachment documenting that all 45 CFR 149.410(b) conditions were met and including a copy of the signed consent when required by 45 CFR 149.410(e).

• Evidence to retain: Save copies of claims with attached notices, or at least screen captures showing that the consent was transmitted, and link them to the internal attestation log.

• Low cost method: Use your existing electronic attachment functionality or send copies via secure payer portals rather than purchasing new interfaces.

When these controls are consistently applied, your three forms become a simple yet powerful toolkit: a public disclosure that sets expectations, a robust federal notice and consent package for rare waivers, and an internal attestation that makes audits and payer disputes far less painful.

Case Study

A small cardiology group provides on call coverage at a community hospital. The group is out of network with many plans, but the hospital is in network. After the No Surprises Act takes effect, a patient with employer coverage presents to the emergency department with chest pain and receives emergency services. Once stabilized, the cardiology group recommends an elective diagnostic procedure that can be scheduled later. The group would prefer to bill out of network rates for the follow-up procedure.

In the first scenario, the group uses its old workflow. Staff verbally tell the patient that the cardiologist is out of network, obtain a generic financial responsibility form, and proceed without using the federal Standard Notice and Consent Documents or determining whether the patient can safely travel to an in network provider. The claim is submitted with high out-of-network charges, and the plan applies No Surprises Act protections under 45 CFR 149.410 and 149.420, limiting payment to an in network cost sharing level. The patient receives a large balance bill and files a complaint. During the investigation, regulators find that no valid notice and consent was obtained, the patient was never offered an in network option as required, and no documentation shows a stability determination. The group is required to refund the balance billed amounts, adjust past claims, and enter into a corrective action plan that includes staff training, policy updates, and monitoring.

In the second scenario, the same group has implemented the three form approach. Before scheduling the elective procedure, the attending physician documents that the patient is stable and can safely receive care at a participating facility within a reasonable travel distance, satisfying the clinical requirement in 45 CFR 149.410(b)(1). Staff then provide the CMS Standard Notice and Consent Documents, including a detailed good faith estimate and a list of in network cardiology options, and give the patient time to decide. The patient elects to proceed with the out-of-network cardiologist and signs the consent.

The clinic completes its internal NSA attestation form, confirming clinical stability, timing of the notice, and that all criteria for the exception are met, and scans both the signed notice and the attestation into the record. When billing the claim, the group notifies the plan in accordance with 45 CFR 149.410(e) that notice and consent were obtained and attaches a copy of the signed documents. If the plan later questions the charges, the group can quickly produce a clean documentation trail that aligns with the regulation. Instead of a complaint and payback, the dispute is resolved through normal payer processes, and the group avoids penalties or reputational damage.

Use this checklist table to verify that your three core No Surprises Act forms and workflows are in place and functioning. Each task ties directly to the requirements in 45 CFR 149.410 and related sections.

By using this table as a living checklist and tying each row back to a regulatory citation, your practice can show regulators and plans that No Surprises Act compliance is deliberate, monitored, and documented.

Common Audit Pitfalls to Avoid Under 45 CFR 149.410

Before regulators or plans come calling, it helps to understand the mistakes that frequently surface in audits and complaint reviews involving 45 CFR 149.410. Avoiding these pitfalls protects both your patients and your revenue.

• Treating the federal Standard Notice and Consent Documents as optional patient education rather than a mandatory condition for using the notice and consent exception, leading to invalid waivers under 45 CFR 149.410(b) and 149.420.

• Offering notice and consent in situations where protections cannot be waived, such as unforeseen urgent medical needs that arise during a procedure, despite the explicit prohibition in 45 CFR 149.410(c).

• Modifying the federal language or combining the Standard Notice and Consent Documents with other financial forms so that key content is obscured, contrary to CMS instructions and the form and manner requirements tied to 45 CFR 149.410 and 149.420.

• Failing to provide a meaningful list of available in network providers when required, which can invalidate consent for post stabilization services at a participating facility under 45 CFR 149.410(b)(2)(i).

• Neglecting the seven-year retention requirement, making it impossible to prove later that valid notice and consent were obtained as required by 45 CFR 149.410(d).

• Omitting the required notification to the plan or issuer that all notice and consent conditions were met, or failing to include a copy of the signed notice and consent document where required by 45 CFR 149.410(e).

• Ignoring state surprise billing laws that further limit notice and consent, resulting in consents that may be facially compliant with federal rules but invalid under state law.

By consciously designing your three forms and workflows to avoid these pitfalls, you reduce the likelihood that any use of the notice and consent exception will later be challenged. That in turn lowers the risk of forced refunds, penalties, and reputational harm tied to 45 CFR 149.410.

No Surprises Act compliance cannot live only on paper; it must be visible in your culture and day to day operations. Start by assigning a single “NSA lead” who owns the three core forms, tracks updates to 45 CFR Part 149 Subpart E, and coordinates with your HIPAA and billing compliance leads so that forms, scripts, and technical workflows stay aligned.

Build a simple training cadence: a focused initial session introducing the patient protections notice, the standard federal notice and consent package, and the internal attestation form, followed by short annual refreshers and targeted training whenever state or federal guidance changes. Include No Surprises Act scenarios in new staff onboarding for front desk, clinical, and billing roles so that everyone understands when they may and may not use the notice and consent exception.

For monitoring, track a few straightforward metrics, such as the number of notice and consent events per quarter, the percentage with a completed internal attestation, and the number of patient complaints about surprise bills. Use periodic chart reviews to confirm that the right forms appear in the right situations and that 45 CFR 149.410(c) prohibitions are respected. Over time, this governance approach normalizes compliance as part of routine practice rather than an occasional fire drill.

For small practices, the No Surprises Act and 45 CFR 149.410 do not have to be overwhelming. If you center your approach on three well-designed forms, you can meet the core requirements without adding headcount or buying complex software. The key is to align a one-page patient protection notice, the federal Standard Notice and Consent Documents, and a concise internal NSA attestation form with your real world workflows, retention practices, and billing processes.

In the next thirty days, a small clinic can make tangible progress by taking a few focused steps:

1. Pull the latest Model Disclosure Notice and Standard Notice and Consent Documents and adapt them, with counsel as needed, so that they reflect both 45 CFR 149.410 and your state’s surprise billing rules.

2. Draft a one-page internal NSA notice and consent attestation form that documents clinical stability, in network options, timing, and plan notification for every notice and consent event.

3. Update your scheduling, registration, and billing workflows so that the three forms are triggered by clear conditions and are retained in a way that satisfies the seven-year requirement in 45 CFR 149.410(d).

4. Train staff using real patient scenarios, emphasizing when the notice and consent exception may not be used and how to respond to patient questions about protections.

5. Schedule a brief self audit in six months using the checklist table to confirm that forms are being used correctly and documentation is complete.

Recommended compliance tool:

CMS Standard Notice and Consent Documents paired with the HHS Model Disclosure Notice for patient protections.

Advice: 

Do not reinvent your own No Surprises Act forms until you have fully implemented and mastered the federal templates, then add only the minimum internal checklist you need for audits.

• 45 CFR 149.410 Balance billing in cases of emergency services
  

• 45 CFR 149.420 Balance billing in cases of non emergency services performed by nonparticipating providers at certain participating health care facilities
  

• 45 CFR 149.430 Provider and facility disclosure requirements regarding patient protections against balance billing
  

• Standard Notice and Consent Documents Under the No Surprises Act
  

• Sample Notice and Consent Form to Waive Surprise Billing Protections
  

• Model Disclosure Notice Regarding Patient Protections Against Surprise Billing
  

• FAQs About Affordable Care Act Implementation and Consolidated Appropriations Act, 2021 Part 55 (DOL, HHS, Treasury)