You’ve probably heard about the Centers for Medicare & Medicaid Services’ (CMS’) Interoperability and Prior Authorization Final Rule — CMS-0057-F — which represents a pivotal change in healthcare data exchange and accessibility. This rule introduces essential modifications aimed at improving the efficiency of healthcare interoperability, particularly in the realm of data sharing access and prior authorization processes. 

The rule proposal was initially paused at the start of the new presidential administration for additional review, and will now look to build upon the previously issued interoperability concepts introduced with CMS-9115-F back in March 2020. Let’s unpack what this new rule means for the healthcare sector, especially for the payers and providers who will be impacted.

Overview of the Rule

The rule mandates the implementation of several Application Programming Interfaces (APIs) that are designed to facilitate seamless data exchange and enhance the accessibility of patient information among healthcare providers. Several provisions also aim to improve prior authorization processes.

Who’s Impacted?

The rule is applicable to a broad spectrum of payers, including Medicare Advantage (MA) organizations, Medicaid and Children’s Health Insurance Program (CHIP) agencies, and Qualified Health Plan (QHP) issuers on the Federally-Facilitated Exchanges (FFEs). 

On the provider side, eligible hospitals and critical access hospitals (CAHs) that are a part of the Medicare Promoting Interoperability Program, as well as clinicians participating in the MIPS Promoting Interoperability performance category, are affected.

The Three Access APIs

The Final Rule consists of three API provisions around data access: patient access, provider access, and payer-to-payer access. These three guidelines build upon those already created by CMS-9115-F rule, which primarily aimed to advance interoperability by liberating patient data.

Within two of these APIs — provider access and payer-to-payer — CMS aims to improve education on these changes for patients and providers, mandating that payers provide plain language resources that speak to the benefits of API data exchange.

Here’s a quick overview of each provision’s requirements:

• Patient Access API: Expanding upon CMS-9115-F’s earlier requirements around allowing patients to easily access their claims and encounter information (including cost), this provision includes new requirements around data. Starting January 1, 2027, payers will be required to include information on patients’ prior authorization requests and decisions. In addition, beginning January 1, 2026, payers will need to report aggregated, de-identified metrics to CMS about patient use of this API. 
• Provider Access API: In this provision, payers are mandated to make available individual claims and encounter data, as well as prior authorization information, in ONC’s USCDI standardized format to in-network providers with whom the patient has a treatment relationship by January 1, 2027. This provision complements the 2020 final rule that included new policies around requiring payers to make provider directory information publicly available through an API.
• Payer-to-Payer API: Similar to the Provider Access API, starting January 1, 2027, payers must share individual claims data, encounter data, and prior authorization information, in the USCDI format to previous and concurrent health plans. If the patient opts in, new payers will have to request patient data from any prior payers no later than one week after the start of coverage. The Payer-to-Payer API improves upon a provision in the CMS-9115-F rule, in which health plans are required to exchange certain patient clinical data at the patient’s request so that they could take that information with them as they enroll in different health insurance plans over time.

Prior Authorization: Speeding Things Up

A significant aspect of the rule is the optimization and standardization of the prior authorization process, in which a clinician requests approval from a health plan before a service is delivered to their patient to qualify for payment coverage. The rule aims to expedite decision-making and enforce transparency in denials. This initiative is expected to alleviate the common delays and frustrations associated with prior authorization, thereby improving patient care and provider efficiency.

Under the Prior Authorization API, health plans must populate their API with a list of items and services that require prior authorization from the payer and identify their documentation requirements. In addition, the API has to support the creation and exchange of prior authorization requests from providers and responses from payers.

To speed up timelines, payers are also required to send standard prior authorization decisions within seven calendar days, and expedited decisions within 72 hours. To increase transparency, payers must provide a specific reason for denial, regardless of how the request was submitted.

Standardizing Data Exchange Standards Across All APIs

To help the impacted organizations better understand which interoperability standards should be used for each API, CMS provided a table summarizing standard applicability across all five APIs.

A Call to Tech Up for Health Plans & Providers

CMS is giving the impacted payers another three years to meet the above requirements, with the deadline set on January 1, 2027. For health plans and provider organizations, this timeline presents an opportunity to be proactive in enhancing their digital infrastructure. By starting the adoption process early and using a phased approach, organizations can meet all of CMS’ requirements without creating sudden and unnecessary abrasion. 

The Final Rule becomes even more exciting when viewed through the lens of TEFCA. In December 2023, the Trusted Exchange Framework and Common Agreement (TEFCA) established the U.S.’s first Qualified Health Information Networks (QHINs). With an expansive, nation-wide footprint, these networks plan to work together to share healthcare data, build towards a common foundation, and improve interoperability for the industry.

Navigating all of this change can be complex. However, there are existing standards in place to provide guidance. Chief among these is Fast Healthcare Interoperability Resources (FHIR), which offers a unified framework for data exchange. Created by Health Level 7 (HL7), this foundational architecture is lauded for its ease-of-use and fast implementation, mainly due to the fact that it adopts existing standards and technologies that software developers are already familiar with. As such, FHIR sets the standard for the APIs that CMS has provisioned in its final rulings on interoperability. It allows for a true unified patient record, with potential applications in multiple channels.

The CMS Interoperability and Prior Authorization Final Rule is the next crucial step towards a more integrated, transparent, and efficient healthcare system. It calls for health plans, provider organizations, and their relevant business associates to embrace electronic data exchange, in efforts to ensure that they’re able to get the right data for the right patient, at the right time. By continuing to adopt these compelling new frameworks, we can truly evolve towards a more interoperable ecosystem, optimize our value-based care investments, and deliver the best patient outcomes.