No Surprises Act Compliance for Dermatology Practices: 2026 Guide
The No Surprises Act (NSA) took effect January 1, 2022. Most dermatology practices are aware that they need to provide Good Faith Estimates to certain patients — but four years in, there are still widespread compliance gaps in derm offices across the country. The most common: practices that aren't sure exactly who qualifies, exactly when the GFE must be delivered, or exactly what language must appear on it.
This guide answers those questions directly, updated for 2026 CMS guidance. It covers who triggers the GFE requirement, the timing rules, the mandatory content elements, the $400 dispute threshold mechanics, and the five most common compliance gaps we see in dermatology practices today.
Who Needs a GFE?
The NSA GFE requirement applies to uninsured and self-pay patients who are scheduled for services. It does not apply to patients whose insurance is being billed for that service.
GFE required:
- Uninsured patients scheduled for any service expected to cost $400 or more.
- Patients with insurance who choose not to use their insurance for the scheduled service (e.g., opting to pay cash for a non-covered or elective service).
- Cash-pay cosmetic patients (Botox, fillers, laser, etc.) if the expected cost is $400 or more.
GFE not required:
- Patients whose insurance is being billed for the service. (Some states extend GFE rules to insured patients — check your state law.)
The $400 threshold is an aggregate for the scheduled visit — not per procedure. If a patient is coming in for a full skin exam plus a spot treatment, and the combined expected cost exceeds $400, the GFE is required even if no single procedure exceeds $400 on its own.
Timing: When must the GFE be delivered?
| Scheduling Lead Time | GFE Must Be Provided Within |
|---|---|
| 10 or more business days before the service | 3 business days of scheduling |
| 3–9 business days before the service | 1 business day of scheduling |
| Fewer than 3 business days before the service (including same-day) | Must still be provided before the service is rendered |
| Patient requests a GFE without scheduling | 3 business days of request |
For most dermatology practices, the standard new-patient and follow-up scheduling cadence falls in the "10+ business days" bucket — meaning the GFE must be generated and delivered within 3 business days of booking. This should be a standard step in your scheduling workflow, not an afterthought.
What Does "Self-Pay" Mean for a Derm Practice?
The term "self-pay" generates more confusion in dermatology than in most specialties — because derm practices frequently serve a mixed population of medical and cosmetic patients, and the insurance status of any given visit can be nuanced.
For NSA purposes, a patient is self-pay for a specific visit if:
- They have no insurance at all (uninsured)
- They have insurance, but the specific service is not covered by their plan (e.g., a cosmetic procedure, or a plan exclusion)
- They have insurance, but they have chosen not to file a claim for this visit — for any reason
- They are in a high-deductible plan and are expected to pay the full cost out of pocket, and they are not filing an insurance claim
The last category requires care. If an insured patient's visit will be billed through insurance, they are not self-pay for NSA purposes, even if they will ultimately pay the full deductible amount; the insurer's EOB and network rates govern what they're charged. Only patients who are entirely outside the insurance billing process for that visit qualify.
The practical implication for most derm practices: your cosmetic patients — those paying cash for injectable treatments, laser procedures, or elective skin services — are almost always self-pay and almost always exceed the $400 threshold. They universally require GFEs. This is the most commonly missed category.
What Must Be in the GFE?
The NSA specifies the minimum elements that every Good Faith Estimate must contain. For dermatology practices, these are:
- Provider identification: Practice name, physical address, NPI (both group and individual if applicable), and Tax Identification Number
- Itemized services with billing codes: Each expected service listed individually with its CPT code, a plain-language description, and the expected charge
- Expected total cost: A clear sum of all itemized charges
- Patient rights notice: The federally mandated disclosure language, in at least 12-point font, informing the patient of their rights under the NSA
- $400 dispute threshold language: Explicit statement that if the actual bill exceeds the GFE by $400 or more, the patient may dispute it through CMS
- 120-day dispute window: Statement that the patient has 120 calendar days from the date of service to initiate the dispute process
- SDR process reference: Reference to the CMS patient-provider dispute resolution (SDR) process, including a way for the patient to reach CMS (cms.gov or 1-800-985-3059)
Practices sometimes ask whether a verbal estimate counts. It does not. The GFE must be in writing — delivered by mail, fax, secure email, or a patient portal. A verbal estimate, no matter how accurate, does not satisfy the NSA requirement.
HIPAA note: When delivering GFEs electronically, your transmission method must comply with HIPAA's minimum necessary and secure transmission standards. Patient portal delivery is the safest approach.
The $400 Dispute Threshold Explained
The $400 threshold is the mechanism by which the NSA creates financial accountability for providers who issue inaccurate GFEs. Understanding how it works — and how it's calculated — matters for how you build your estimates.
The threshold applies to the total expected charges on the GFE versus the actual amount billed. It is not a percentage — it is a fixed dollar amount. If your GFE states a total of $800 and your actual bill is $1,199, the bill exceeds the estimate by $399, which is under the threshold, and no dispute right is triggered. If the bill is $1,200, the threshold is met and the patient may dispute.
A few important mechanics:
- The dispute right is the patient's option, not automatic: The patient must proactively initiate the SDR process through CMS within 120 days. Not all patients will do so even when the threshold is breached.
- The dispute process has costs: Patients must pay a $25 administrative fee to initiate a dispute. This deters frivolous disputes but also deters legitimate ones.
- The GFE is a ceiling, not a target: Some practices have begun issuing intentionally inflated GFEs to avoid triggering the threshold. CMS has signaled this is not acceptable and may issue guidance restricting it.
- The threshold applies per GFE: If you issue a GFE for a Mohs consultation and a separate GFE for the surgery, the $400 threshold applies to each separately.
The best protection against disputes is an accurate GFE — one built on locality-adjusted, current-year fee schedule data with correct CPT codes and proper MPPR application. An accurate estimate that leads to an accurate bill rarely triggers disputes.
Common Compliance Gaps in Dermatology Practices
- Not providing GFEs to cash cosmetic patients: This is the most common gap. Practices that have solid GFE workflows for medical derm patients (Mohs, excisions, biopsies) often have no process at all for cosmetic patients booking injectables, laser, or procedures. Any self-pay patient with an expected bill of $400+ requires a GFE — cosmetics are not exempt.
- Using wrong CPT codes on the GFE: GFEs generated from generic templates often list placeholder CPT codes that don't match the actual planned service. A GFE for a complex excision that lists a shave removal code is not just inaccurate — it creates a billing code mismatch that complicates audits and disputes.
- Missing or paraphrased patient rights language: The NSA requires specific disclosure language. Practices that summarize or paraphrase the patient rights notice — or use outdated 2022-era language from a template they downloaded years ago — are technically non-compliant even if the financial estimates are correct.
- Not retaining copies in the patient record: The NSA requires that GFEs be retained in the patient's record. Practices that generate GFEs verbally, on scratch paper, or in a document that isn't saved to the EHR have no audit trail. During a complaint investigation, inability to produce the GFE is damaging.
- No audit trail or timestamp: Even if you're saving GFEs, the document must be timestamped and linked to the scheduled appointment. A GFE saved as "patient_gfe.pdf" with no date in the filename or metadata is difficult to associate with a specific encounter during an audit.
How to Implement a Compliant GFE Workflow
A compliant GFE workflow for a dermatology practice doesn't need to be complex — but it does need to be consistent. Here's a step-by-step process that covers the key checkpoints:
1. When booking the appointment, front-desk staff confirm: Is the patient using insurance for this visit? If yes, no GFE needed (under federal rules — verify your state). If no (uninsured, cosmetic cash-pay, or patient electing not to use insurance), flag the appointment for GFE generation.
2. Using the planned procedures for the visit, generate a cost estimate using current-year, locality-adjusted fee schedule data. Apply MPPR correctly — including the add-on code exemption. Confirm CPT codes match the planned service. Use DermEstimator's estimating tool to automate this step.
3. Convert the estimate into a formal GFE document containing all required elements: provider info, itemized services with CPT codes, expected total, patient rights notice, $400 threshold language, 120-day window, and SDR reference. Use DermEstimator's GFE generator to produce NSA-compliant documents in under 60 seconds.
4. Deliver the GFE by mail, fax, secure email, or patient portal. Confirm delivery within the required window (3 business days for appointments scheduled 10+ days out; 1 business day for appointments 3–9 days out).
5. Archive the GFE in the patient's EHR or practice management system with a timestamp and link to the scheduled appointment. This is your audit trail. DermEstimator stores a copy automatically with each generated GFE.
This workflow should be baked into your scheduling script — just as you confirm insurance benefits, confirm self-pay status and flag for GFE generation. It takes under two minutes per patient when you have the right tools.
Frequently Asked Questions
Does the No Surprises Act apply to cash-pay cosmetic dermatology?
Yes. Any patient who is self-pay for a scheduled service expected to cost $400 or more must receive a Good Faith Estimate. This includes patients paying cash for cosmetic procedures like Botox, fillers, laser resurfacing, or any other elective service. The fact that the service is cosmetic rather than medical does not exempt the practice from the GFE requirement.
What is the $400 dispute threshold?
If a patient's actual bill exceeds the amount stated on the Good Faith Estimate by $400 or more, the patient has the right to initiate the patient-provider dispute resolution (SDR) process through CMS. The $400 threshold is a federal floor — state laws may set a lower threshold. The practice must include language about this threshold on every GFE.
What happens if I don't provide a GFE?
Failure to provide a Good Faith Estimate when required can result in civil monetary penalties under the No Surprises Act. CMS can investigate complaints filed by patients. Additionally, if a patient files a dispute and you cannot produce a GFE, your position in that dispute is materially weakened.
Does an insured patient need a GFE?
Under the federal NSA Good Faith Estimate rules, the GFE requirement applies specifically to uninsured and self-pay patients. Insured patients do not require an NSA GFE — however, some state laws extend GFE-type requirements to insured patients as well. Always verify your state's specific requirements. Note that patients with insurance who choose to not use their insurance for a specific service are treated as self-pay for that service and do require a GFE.
How long must I retain Good Faith Estimates?
CMS guidance requires that Good Faith Estimates be retained in the patient's medical record and accessible for at least the duration of the patient's dispute rights window (120 days from service date). Best practice is to retain GFEs for the same period as your general medical records retention policy — typically 7 years, or as specified by your state's law.