X12 278 Prior Authorization: Format, Fields, and Testing Guide

June 11, 2026 · 10 min read

The X12 278 transaction handles prior authorization in healthcare EDI. The 278-Request is sent by a provider to request authorization for a service, and the 278-Response carries the payer decision. Testing the full 278 cycle is critical for any implementation involving services that require prior authorization.

Overview

The 278 Health Care Services Review governs all utilization management transactions under HIPAA. It replaced paper-based prior authorization processes and phone-based auth requests. The implementation guide version for HIPAA 5010 is 005010X217.

Key Concepts and Structure

The 278 uses a hierarchical loop structure similar to the 837. The key loops are 2000A (Utilization Management Organization), 2000B (Requester), 2000C (Subscriber), 2000E (Patient), and 2000F (Service being authorized). The UM segment identifies the review type, and HCR in the response carries the authorization decision.

278 Prior Authorization Request/Response Cycle

Provider sends 278-Req

Includes patient, service, diagnosis codes, requesting and attending provider NPIs, and requested dates.

Payer adjudicates

Reviews medical necessity, benefit eligibility, network status, and plan coverage criteria.

Payer returns 278-Resp

HCR*A1=Certified, HCR*A3=Not Certified, HCR*A4=Modified. Auth number in REF*BB.

Auth number flows to 837

The authorization number from REF*BB in the 278 response is referenced in the 837 claim as REF*G1.

Testing Strategy

A complete 278 test suite must cover all authorization decision types and verify that authorization numbers flow correctly into downstream 837 claims.

Test Scenario Checklist

✓Full approval (HCR*A1) with authorization number in REF*BB

✓Partial approval with modified units (HCR*A4) and explanation in MSG

✓Denial with reason codes (HCR*A3) and AAA error segments

✓Authorization number flows correctly to 837P REF*G1 at claim level

✓Retro authorization — auth requested after service date

✓Urgent/emergent review type codes and response handling

Common Failure Patterns

These are the 278-related failures most commonly discovered on go-live day rather than in testing:

Authorization number missing from 837

The 278 response auth number (REF*BB) is not mapped into the 837 claim (REF*G1). Claims adjudicate without auth and are denied.

Wrong review type code in UM segment

UM02 review type must match the service type. Using prospective codes for concurrent reviews causes rejection.

Service dates don't match authorization window

Claims submitted outside the authorized date range (DTP*956/DTP*957) are denied regardless of auth number presence.

Testing Without PHI

Testing the 278 cycle requires realistic patient demographics, provider NPIs, diagnosis codes, and procedure codes — all of which would normally require PHI. Synthibase generates synthetic 278 transactions linked to the same members, providers, and payers as your 837 test data, giving you end-to-end authorization cycle testing without touching real patient data.

→

Why Healthcare IT Go-Lives Fail

The most common go-live failure patterns and how to avoid them

Generate synthetic EDI test data in minutes

Synthibase generates valid X12 EDI transactions from a synthetic patient registry. Zero PHI. Ready for go-live testing.

Start free trial →