Provider Access API

No. The CMS Interoperability and Prior Authorization final rule (CMS-0057-F) only requires impacted payers to make patient data available via the Provider Access API with in-network or enrolled providers with whom the patient has a treatment relationship (if the patient did not opt out). However, we encourage payers to allow out-of-network or unenrolled providers access to patient information via the Provider Access API to the extent permitted by law, if the payers can verify the provider has a treatment relationship with the patient. For state Medicaid and CHIP FFS programs specifically, data sharing with out-of-network and unenrolled providers would need to comply with Medicaid confidentiality rules as required by section 1902(a)(7) of the Social Security Act, implemented at 42 CFR part 431, subpart F and through a cross-reference at 42 CFR 457.1110(b) for CHIP.

For more information on best practices for patient and provider messaging related to the Provider Access API, please review our Best Practices Document found here.  (PDF)

Impacted payers will determine whether the provider has a treatment relationship with the patient using a patient attribution process. Patient attribution is a method of identifying a patient-provider treatment relationship and is a critical component to ensure that patient health data are shared only with appropriate providers. In the CMS Interoperability and Prior Authorization final rule (CMS-0057-F), we did not require impacted payers to use a particular attribution process or standard, which allows payers flexibility to use processes or standards that impose the least burden and meet their internal requirements. Eligibility and coverage verification processes are well established between payers and providers, and some payers may use this existing process as an attribution query. For new patients, payers could accept proof of an upcoming appointment to verify the provider-patient treatment relationship. For on-going treatment relationships, historical claims data can be used. 

While CMS is not being prescriptive in how payers should design their attribution processes, we note that payers should consider the potential burden on providers as well as other laws that apply to data sharing for treatment purposes. CMS is exploring how it may provide additional resources on attribution to payers and providers.

For more information on best practices for patient and provider messaging related to the Provider Access API, please review our Best Practices Document found here. (PDF)

Impacted payers are required to allow patients to opt out of the Provider Access API data exchange with all providers. This means that if a patient chooses to opt out of the Provider Access API exchange with their payer, they have opted out of having their data go to any provider with whom they have a treatment relationship under this API policy. The CMS Interoperability and Prior Authorization final rule (CMS-0057-F) does not require payers to provide more granular options for opting out of exchange with some providers and opting in for others. However, while they are not required to do so, we encourage payers to consider options to enable patients to opt out with more granular controls for individual providers. CMS chose not to require a more granular opt out policy due to concern about the potential administrative and technical burden it could place on impacted payers. We will continue to weigh the benefits of providing patients with more control over their API data sharing and consider whether to propose such a requirement in future rulemaking.

For more information on best practices for patient and provider messaging related to the Provider Access API, please review our Best Practices Document found here. (PDF)