
Controlled Unclassified Information (CUI) is not a new concept, but its implications in the healthcare space are becoming increasingly important, especially for organizations that interact with federal programs, defense contracts, or public health agencies. From prior authorization documents to electronic health records shared with Medicare, proper CUI handling is essential for compliance, privacy, and security.
This guide offers a comprehensive look at how CUI markings apply to healthcare providers, coders, compliance officers, and medical billing teams. Based on real-world workflows and current federal guidelines, we’ll walk through how to identify, mark, and handle CUI across healthcare operations.
What Is Controlled Unclassified Information?
Controlled Unclassified Information refers to sensitive, unclassified data that must be protected under federal law or regulation. Unlike classified material, CUI doesn’t involve national security risks but still requires proper handling to prevent unauthorized access or misuse.
The CUI program was established by Executive Order 13556 to replace inconsistent agency-specific markings such as “FOUO” (For Official Use Only) or “SBU” (Sensitive But Unclassified). It introduces a uniform system for marking, safeguarding, and sharing sensitive information across all federal agencies and their partners, including healthcare entities.
In healthcare, CUI typically covers health information protected under federal laws such as:
- The Health Insurance Portability and Accountability Act (HIPAA)
- 42 USC § 1320d (regarding individually identifiable health information)
- Other statutes applicable to Medicare, Medicaid, or federal research funding
Why CUI Matters in Healthcare Settings
Healthcare organizations often share sensitive health data with government agencies, contractors, or federally funded partners. When that data meets the criteria for CUI, it must be labeled and handled under strict federal guidelines.
Here’s where this applies in healthcare:
- Submitting prior authorization requests for federally funded programs like TRICARE or Medicare
- Sharing clinical data for public health research or military treatment facilities
- Managing EHR systems that interact with federal cloud platforms or contractors
- Handling documents for value-based care audits under CMS programs
Failing to properly mark or secure CUI can lead to data breaches, audit findings, or violations of contract terms. For any provider working within or alongside federal systems, understanding CUI is essential.
Categories of CUI in Healthcare
Not all sensitive health information qualifies as CUI. The National Archives and Records Administration (NARA) maintains a CUI Registry, which lists all approved CUI categories. In healthcare, the most relevant are:
| CUI Category | When It Applies |
|---|---|
| Health Information (CUI HLTH) | When PHI is subject to federal laws like HIPAA or 42 USC § 1320d |
| Health Information – Specified (CUI//SP-HLTH) | When additional statutory protections apply beyond standard HIPAA rules |
| Legal, Financial, or Research-related CUI | When health data intersects with federal export controls, intellectual property, or legal proceedings |
For instance, clinical data sent as part of a Department of Defense prior authorization request would fall under CUI HLTH. If that same data also contains genetic information subject to GINA (Genetic Information Nondiscrimination Act), it may qualify as Specified CUI.
How to Properly Mark CUI in Healthcare Documents
1. Banner Markings
CUI banner markings go at the top of each document. They must include:
- The word CUI
- The category, such as HLTH
- Any dissemination controls, such as NOFORN (Not Releasable to Foreign Nationals)
Example: CUI//SP-HLTH//NOFORN
This marking tells users that the document contains health information with specified controls and should not be shared with foreign entities.
2. Footer Markings
While not mandatory, footer markings on each page are highly recommended for multi-page documents. They repeat the same format as the banner and help ensure the markings stay visible in case of file separation.
3. Portion Markings
If a document contains multiple types of content, such as both public and CUI sections, portion markings (like “CUI HLTH”) can be used for each paragraph or section. This is common in mixed-use documents like audit reports or payer summaries.
Real-World Workflow: CUI in Prior Authorization Submissions
Let’s walk through a real-world healthcare workflow where CUI markings are required.
Scenario:
A hospital submits clinical documentation for a prior authorization request to the Defense Health Agency for a TRICARE beneficiary.
Steps:
1. Document Creation: The nurse or physician writes a clinical summary including PHI.
2. Coding Review: The medical coder adds CPT and ICD-10 codes.
3. CUI Identification: Because the data involves a federal payer such as TRICARE, the compliance officer confirms it falls under CUI HLTH.
4. Banner Applied: A header is added to the document: CUI HLTH
5. Secure Transmission: The file is uploaded using a NIST 800-171 compliant secure file transfer tool.
6. Audit Logging: Access logs are maintained in the event of a federal audit.
7. Retention and Disposal: The document is stored in an encrypted archive and deleted after contractually defined retention periods.
This workflow satisfies CUI regulations while also aligning with HIPAA, CMS conditions of participation, and standard data protection best practices.
CUI Safeguards and NIST Compliance
Organizations that store or transmit CUI on non-federal systems must comply with NIST SP 800-171. This includes controls for:
- Access control
- Media protection
- Audit logging
- Data encryption
- Incident response
Many healthcare providers using cloud-based systems or third-party billing vendors may be managing CUI without realizing it. Without proper configurations, they risk violating federal contract terms and exposing patient data to breaches.
Providers working with agencies like the Department of Veterans Affairs, TRICARE, CDC, or any HHS-sponsored program should conduct regular assessments of their compliance with NIST 800-171 and related frameworks.
Limited Dissemination Controls
Some CUI documents include Limited Dissemination Controls, which further restrict how information is shared. These may include:
- NOFORN – Not to be released to foreign nationals
- FED ONLY – Only federal agencies may access
- NOCON – No dissemination to contractors
These restrictions are critical for protecting high-risk health data, particularly in public health emergencies, research, or military settings. Always include these controls in both the banner and electronic metadata when applicable.
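A small validator for the marking format described in the marking and dissemination-control sections above, added here as an example (not code from the original article): it parses banner and portion markings in the "//" form used in the category table and the bare "CUI HLTH" form used in the workflow, accepts only the category and controls this page names, and checks that a banner reflects every portion marking. The token grammar, the banner-covers-portions rule and the short allow-lists are assumptions for illustration, not the NARA registry.

```python
# Category and dissemination controls named on this page (assumed allow-lists).
KNOWN_CATEGORIES = {"HLTH"}
KNOWN_CONTROLS = {"NOFORN", "FED ONLY", "NOCON"}

def tokenize_marking(marking):
    """Accepts 'CUI//SP-HLTH//NOFORN' ('//'-separated) or the bare 'CUI HLTH' form."""
    text = marking.strip()
    if "//" in text:
        return [t.strip() for t in text.split("//")]
    return text.split(None, 1)

def parse_marking(marking):
    """Validate one banner or portion marking. Assumed grammar: CUI, then one
    category (optional 'SP-' prefix = Specified), then zero or more controls."""
    tokens = tokenize_marking(marking)
    errors = []
    if not tokens or tokens[0] != "CUI":
        errors.append("marking must begin with CUI")
    category = tokens[1] if len(tokens) > 1 else ""
    specified = category.startswith("SP-")
    base = category[3:] if specified else category
    if base not in KNOWN_CATEGORIES:
        errors.append(f"unknown or missing category: {category!r}")
    controls = tokens[2:]
    for ctrl in controls:
        if ctrl not in KNOWN_CONTROLS:
            errors.append(f"unknown dissemination control: {ctrl!r}")
    return {"valid": not errors, "category": base, "specified": specified,
            "controls": controls, "errors": errors}

def format_marking(category, specified=False, controls=()):
    """Build a marking string in the '//' form used in the category table."""
    return "//".join(["CUI", ("SP-" if specified else "") + category, *controls])

def banner_findings(banner, portions):
    """Check the banner reflects every portion: a Specified portion needs a
    Specified banner and each portion control must appear in the banner."""
    b = parse_marking(banner)
    findings = [f"banner: {e}" for e in b["errors"]]
    for i, p in enumerate(portions, 1):
        parsed = parse_marking(p)
        findings += [f"portion {i}: {e}" for e in parsed["errors"]]
        if parsed["specified"] and not b["specified"]:
            findings.append(f"portion {i} is Specified but banner is not")
        for ctrl in parsed["controls"]:
            if ctrl not in b["controls"]:
                findings.append(f"portion {i} control {ctrl} missing from banner")
    return findings

if __name__ == "__main__":  # constructed sample: a basic banner over a Specified portion
    print(banner_findings("CUI//HLTH", ["CUI//SP-HLTH//NOFORN", "CUI//HLTH"]))
```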
FAQs About CUI in Healthcare
What’s the difference between CUI and HIPAA?
HIPAA is a privacy law that governs PHI. CUI is a federal marking system for sensitive unclassified information, which may include PHI when used in federal programs.
Does all PHI qualify as CUI?
No. Only PHI associated with a federal contract, grant, or regulation that requires special handling will qualify as CUI.
Do EHR vendors need to follow CUI rules?
Yes, if the system stores or processes data for a federal program. EHR vendors must meet applicable security controls, especially if their clients are covered under contracts with agencies like CMS or the Department of Defense.
Where can I find the official list of CUI categories?
The U.S. National Archives maintains a public CUI Registry, which outlines all CUI categories, including those relevant to healthcare.
Final Thoughts
CUI markings in healthcare are more than a federal formality. They are a foundational part of securing sensitive health data when interacting with government payers or partners. As medical billing and prior authorization processes increasingly involve federal systems, integrating CUI compliance into everyday operations becomes critical.
By training staff, applying correct markings, and aligning your workflows with NIST standards, your organization can confidently navigate federal healthcare engagements while minimizing compliance risk.