Are payers impacted by the Interoperability and Patient Access final rule (CMS-9115-F) required to offer a public facing Provider Directory API? What information are they required to include through the Provider Directory API for in-network providers and contracted networks?

Medicare Advantage (MA) organizations, Medicaid state agencies, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) state agencies and CHIP managed care entities are required to offer a public facing Provider Directory API which must include data on a payer’s network of contracted providers. ^[1]

Because Qualified Heath Plan (QHP) issuers on the Federally-Facilitated Exchanges (FFEs) at 45 CFR 156.221(i) were already required to make provider directory information available in a specified, machine-readable format, we did not require that QHP issuers would have to make provider directory information available through an API.

Impacted payers, other than the QHP Issuers on the FFEs, must make certain information accessible through the Provider Directory API, including provider names, addresses, phone numbers, and specialties. Directory information must be available to current and prospective enrollees and the public within 30 calendar days of a payer receiving provider directory information or an update to the provider directory information. ^[2] There are additional content requirements for the provider directory under the Medicaid and CHIP managed care program at 438.10(h)(1) and (2).

CMS does not specify how payers manage access to APIs for provider directories for providers managed through contracted networks. Therefore, payers may make appropriate business decisions for ensuring availability of the Provider Directory APIs, making them accessible, and providing information or links on the payer website to direct interested parties to those application programming interfaces (APIs).

The Provider Directory API must be publicly available and exclude the security protocols related to user authentication and authorization and any other protocols that restrict the availability of this information to particular persons or organizations (see 85 FR 25543).

What are the requirements for the Provider Directory API for Medicare Advantage (MA) organizations that offer Medicare Advantage Prescription Drug (MA-PD) plans, with respect to including the mix and number of pharmacies in their network?

MA organizations that offer MA-PD plans must make available, at a minimum, pharmacy directory data and include the pharmacy name, address, phone number, number of pharmacies in the network, and mix (specifically the type of pharmacy, such as “retail pharmacy"). ^[3] In the Interoperability and Patient Access final rule (CMS-9115-F), CMS encouraged MA-PD plans to build a Provider Directory API that is conformant to the Health Level Seven International® (HL7®) PDex Plan-Net Implementation Guide (85 FR 25529). 

May a payer require the developer of a third-party application or the third-party application itself to register in order to use the Provider Directory API?

In the CMS Interoperability and Patient Access final rule, we finalized that impacted payers must implement and maintain a publicly accessible Provider Directory Application Programming Interface (API) that does not require user authentication and authorization or any other protocols that restrict the availability of this information to particular persons or organizations^[4]. However, this does not mean that impacted payers may not require developers to register their app in order to receive an API key or access the Provider Directory API. This is a standard procedure to assure the security of an API server and track which apps are making API calls. The requirement to make the information available without authentication or authorization applies to the user, not the app.

Footnotes

• ^[1] 42 CFR § 422.120; 42 CFR § 431.70; 42 CFR § 438.242(b)(6); 42 CFR § 457.760; 42 CFR § 457.1233(d)(3).
• ^[2] Id.
• ^[3] 42 CFR § 422.119(b)(2).

• ^[4] 42 CFR 422.120(a) for Medicare Advantage organizations, 42 CFR 431.70(a) for state Medicaid Fee-for-Service (FFS) programs, 42 CFR 438.242(b)(6) for Medicaid managed care plans, 42 CFR 457.760(a) for state Children’s Health Insurance Program (CHIP) FFS programs, and 42 CFR 457.1233(d) for CHIP managed care entities.