Application Programming Interfaces (APIs) and Relevant Standards and Implementation Guides (IGs)
Application Programming Interfaces (APIs) and Relevant Standards and Implementation Guides (IGs)
The Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access Final Rule (85 FR 25510) requires Medicare Advantage (MA) organizations, Medicaid Fee-for-Service (FFS) Programs, Medicaid managed care plans, Children's Health Insurance Program (CHIP) FFS programs, CHIP managed care entities, and Qualified Health Plan issuers on the Federally-Facilitated Exchanges (FFEs) to implement application programming interface (API) technology to advance health data exchange. The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) builds on CMS' previous rule by outlining requirements for additional information that certain payers must provide via the Patient Access API and new requirements for certain payers to implement three additional APIs: Provider Access API, Payer-to-Payer API, and Prior Authorization API. The APIs finalized in CMS-9115-F and CMS-0057-F must meet certain technical standards to drive interoperability and increase provider and patient access to health information. The APIs are described below along with standards required by rulemaking and the Implementation Guides (IGs) CMS recommends payers use to support implementation—eliminating the need to develop an independent approach, which will save time and resources.
Impacted payers may use updated standards, specifications, or IGs for each of these APIs, under the following conditions: the updated version of the standard is required by other applicable law; or (1) the updated version of the standard is not prohibited under other applicable law, (2) the National Coordinator has approved the updated version for use in the ONC Health IT Certification Program, and (3) the updated version does not disrupt an end user’s ability to access the data required to be available through the API. We note that for the required standards at 45 CFR 170.215, several updated versions have been approved by the National Coordinator for use in the ONC Health IT Certification Program, including, but not limited to, the US Core IG STU 6.1.0, the SMART App Launch IG Release 2.0.0, and the Bulk Data Access IG (v2.0.0: STU 2).
Patient Access API
Through the already established Patient Access API, impacted payers are required to make information available to patients about prior authorization requests and decisions (excluding those for drugs) by January 1, 2027.
United States Core Data for Interoperability (USCDI) Version 1.0.0 and Version 3.0.0
Provider Access API
Impacted payers are required to implement and maintain APIs for payer to provider data sharing of individual claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes, and data elements in a content standard adopted by the Office of the National Coordinator for Health IT (ONC) (USCDI) and specified prior authorization information (excluding those for drugs) by January 1, 2027.
United States Core Data for Interoperability (USCDI) Version 1.0.0 and Version 3.0.0
Payer-to-Payer API
Impacted payers must implement and maintain a Payer-to-Payer API to make available claims and encounter data (excluding provider remittances and enrollee cost-sharing information), all data classes, and data elements in a content standard adopted by ONC (USCDI), and information about prior authorizations (excluding those for drugs and those that were denied).
Provider Directory API
Under the CMS Interoperability and Patient Access Final Rule and the CMS Interoperability and Prior Authorization Final Rule, Medicaid FFS programs, CHIP FFS programs, Medicaid managed care plans, and CHIP managed care entities are required to make provider directory information available via the Provider Directory API. The CMS Interoperability and Patient Access Final Rule includes MA organizations. This API must be accessible via a public-facing digital endpoint on the payer’s website.
Prior Authorization API
The CMS Interoperability and Prior Authorization Final Rule requires impacted payers to implement and maintain a Prior Authorization API to automate the process for providers to determine whether a prior authorization is required, identify prior authorization information and documentation requirements, as well as facilitate the exchange of prior authorization requests and decisions from their electronic health records (EHRs) or practice management system. We note that under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to use the currently adopted standard for prior authorization transactions. The name of the HIPAA prior authorization transaction is the X12 278. The National Standards Group (NSG) announced an enforcement discretion for Health Insurance Portability and Accountability Act (HIPAA) covered entities that implement Fast Healthcare Interoperability Resources® (FHIR®) based Prior Authorization APIs as described in the CMS Interoperability and Prior Authorization final rule. In response to the final rule, NSG will not take HIPAA Administrative Simplification enforcement action against HIPAA covered entities that choose not to use the X12 278 standard as part of an electronic FHIR® prior authorization process.
Read the enforcement discretion (PDF)