General

What are the application programming interfaces (APIs) required under the CMS Interoperability and Prior Authorization final rule (CMS-0057-F), and what are the general requirements for each?

The CMS Interoperability and Prior Authorization final rule requires impacted payers (specifically, Medicare Advantage​ [MA] Organizations, State Medicaid and Children’s Health Insurance Program [CHIP] agencies​, Medicaid managed care plans​ and CHIP managed care entities, and Qualified Health Plan [QHP] issuers on the Federally Facilitated Exchanges [FFEs]) to implement and maintain three new Fast Healthcare Interoperability Resources® (FHIR®) APIs:

  • The Provider Access API, to share with in-network providers with whom the patient has a treatment relationship the following data: individual claims and encounter data (without provider remittances and enrollee cost-sharing information), the data classes and data elements in a content standard adopted by the Office of the National Coordinator for Health Information Technology (ONC) in 45 CFR 170.213 (the United States Core Data for Interoperability (USCDI)), and certain prior authorization data.
  • The Payer-to-Payer Access API, to exchange with a patient’s new or concurrent payers when a patient changes payers or has two or more payers at the same time (e.g. individuals who are dually eligible for Medicare and Medicaid). Largely this same data must be shared (excluding information about denied prior authorizations), as well as both structured and unstructured administrative and clinical documentation submitted by a provider,
  • The Prior Authorization API, to allow a provider to query a payer’s system to determine whether prior authorization (PA) is required for specific medical items and services (excluding drugs), as well as to view a list of the payer’s list of covered items and services. In addition, this API must have the functionality to identify a payer’s documentation requirements for the items or services that require prior authorization. The API must also support the creation and exchange of the prior authorization requests themselves from providers and responses from payers (including whether the request was approved or denied, and a specific reason for any such denial).

Additionally, the CMS Interoperability and Prior Authorization final rule expands the requirements for the existing Patient Access API, finalized in the May 2020 CMS Interoperability and Patient Access final rule (CMS-9115-F, 85 FR 25510) to include information about the patient’s prior authorizations for items and services (excluding drugs). This prior authorization data must be accessible for at least one year after the last status change (e.g., approval, denial, expiration) of the prior authorization.

The chart below summarizes the main differences between the Patient Access, Provider Access, and Payer-to-Payer API requirements, standards, and related policies. However, see CMS-0057-F for a full discussion of these policies.

 Patient Access APIProvider Access APIPayer-To-Payer API
Data
Content*
Individual Claims and 
Encounter Data 
YesYesYes
 Provider remittances and 
patient cost-sharing info 
YesNoNo
 All data classes and data 
elements in a content 
standard adopted by the 
ONC in 45 CFR 170.213 
(the United States Core 
Data for Interoperability (USCDI)), 
YesYesYes
 Specific information about 
prior authorizations for 
items and services. 
YesYesYes
 Denied Prior Authorizations YesYesNo
 Unstructured documentation 
submitted by a provider to 
support a PA request 
NoNoYes
 Start date for required 
data (date of service)
January 1, 2016January 1, 2016Five years 
before the request 
Patient Permission Required N/AOpt OutOpt In
Required
Standards
FHIRYesYesYes
US Core IGYesYesYes
SMART IGYesYesNo
Bulk Data Access IGNoYesYes
OpenID Connect CoreYesNoNo
Extensions and Exemptions (for Medicaid and CHIP FFS only), and Exceptions (for QHPs on the FFEs only) Yes, for QHPs onlyYesYes

* Impacted payers are only required to share data that they maintain. They are not required to seek out data within this content that they do not maintain. 

Why are drugs excluded from the prior authorization requirements in the CMS Interoperability and Prior Authorization final rule?

CMS excluded drugs from both the Prior Authorization API and the process requirements for prior authorizations in the CMS Interoperability and Prior Authorization final rule (CMS-0057-F) because the standards, processes, and decision timeframes for issuing prior authorizations for drugs differ from those that apply to medical items and services. However, payers are not prohibited from including drugs covered under a medical benefit in their Prior Authorization APIs, as the Coverage Requirements Discovery (CRD) Implementation Guide [1] can accommodate information about certain medications. CMS may evaluate opportunities to address prior authorization for drugs in future policy proposals.

What is the CMS Medicare Fee-for-Service (FFS) Prior Authorization API and how can providers participate in testing, or use the application programming interface (API) for submitting prior authorization requests to Medicare?

Some providers participating in the Medicare FFS program may be able to submit prior authorization requests through a CMS Prior Authorization API. CMS’s Provider Compliance Group (PCG) is using Fast Healthcare Interoperability Resources® (FHIR®) for exchanging healthcare information electronically between different systems through its PCG-FHIR Server. Using the PCG-FHIR Server will allow for the processing of various healthcare transactions, including prior authorization requests. Review Contractors and Providers who are interested in testing and piloting the PCG-FHIR Server may visit the PCG website or email pcg-fhir@mettles.com.

How will payer application programming interface (API) endpoints be discovered by a payer when using each or any of the APIs required under the CMS Interoperability final rules?

Depending on the specific API, developers, providers, and other payers will need to discover payers’ digital endpoints individually, and each payer will have to maintain a contact list of other payers for data exchange.

Are commercial health plans considered impacted payers under the CMS Interoperability and Prior Authorization final rule?

The only commercial payers affected by this final rule are QHPs offered on the FFEs. The requirements in the CMS Interoperability and Prior Authorization final rule (CMS-0057-F) were finalized under CMS’s authority to regulate Medicare, Medicaid, and Qualified Health Plans (QHPs) offered on the Federally facilitated Exchanges (FFEs). The requirements do not apply to other health insurance issuers or group health plans. Impacted payers that offer both health plans subject to the requirements of the CMS Interoperability and Prior Authorization final rule and those that are not (e.g., commercial health plans outside the Exchanges, like employer-based plans) may voluntarily implement the application programming interface (API) and prior authorization policies across all their plans, as long as there are no conflicts with other Federal or state laws. In fact, CMS encourages all payers to voluntarily implement the policies in this final rule for all their plans, to ensure equal access to the services and benefits for all patients and members.


Page Last Modified:
11/14/2024 03:59 PM