CMS Interoperability and Patient Access final rule
Guidance for the Interoperability and Patient Access final rule.
Issued by: Centers for Medicare & Medicaid Services (CMS)
Issue Date: July 17, 2020
Policies and Technology for Interoperability and Burden Reduction
On September 15, 2021, CMS published three FAQs which explain that CMS will not take enforcement action against certain payers for the payer-to-payer data exchange provision of the May 2020 Interoperability and Patient Access final rule until future rulemaking is finalized. CMS’ decision to exercise enforcement discretion for the payer-to-payer policy until future rulemaking occurs does not affect any other existing regulatory requirements and implementation timelines outlined in the final rule. Please review the relevant FAQs for details.
As of July 1, 2021, two of the policies from the May 2020 Interoperability and Patient Access final rule are now in effect. On April 30, 2021, the requirements for hospitals with certain EHR capabilities to send admission, discharge and transfer notifications to other providers went into effect. On July 1, 2021, CMS began to enforce requirements for certain payers to support Patient Access and Provider Directory APIs. Additional information is available on the FAQ page and in the other information available below.
CMS continues to build on its roadmap to improve interoperability and health information access for patients, providers, and payers. When implemented effectively, health information exchange (interoperability) can also reduce the burden of certain administrative processes, such as prior authorization. Our regulations will drive change in how clinical and administrative information is exchanged between payers, providers and patients, and will support more efficient care coordination.
The CMS regulations include policies which require or encourage payers to implement Application Programming Interfaces (APIs) to improve the electronic exchange of health care data – sharing information with patients or exchanging information between a payer and provider or between two payers. APIs can connect to mobile apps or to a provider electronic health record (EHR) or practice management system to enable a more seamless method of exchanging information. The regulations also include policies which may reduce burdens of the prior authorization process by increasing automation and encouraging improvements in policies and procedures to streamline decision making and communications.
On this page you can find links to resources that will be useful for implementing the APIs to support the policies of these rules. In particular we encourage stakeholders to use the general information for the Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Implementation Guides (IGs) referenced in the CMS regulations.
Quick Links – Can’t wait to find what you are looking for? Skip ahead with these links below:
- CMS Interoperability and Patient Access Final Rule
- CMS Interoperability and Prior Authorization Proposed Rule
- Guidance for States
- Best Practices for Payers and App Developers
- Patient Privacy and Security Resources
- Implementation Support for APIs
  - Patient Access API
  - Provider Access API
  - Provider Directory API
  - Documentation Requirements Lookup Service API
  - Prior Authorization Support (PAS) API
CMS issued two key rules related to interoperability and burden reduction. Information to help understand the technical requirements is provided below. To learn more about the operational policy provisions, please refer to the overview or fact sheet.
The Interoperability and Patient Access final rule (CMS-9115-F) put patients first by giving them access to their health information when they need it most, and in a way they can best use it. This final rule focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, Children's Health Insurance Program (CHIP), and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs).
Recognizing the challenges faced by payers during the COVID-19 public health emergency, CMS exercised enforcement discretion for the Patient Access API and Provider Directory API policies for MA, Medicaid, CHIP and QHP issuers on the FFEs* effective January 1, 2021 through July 1, 2021. CMS began enforcing these new requirements on July 1, 2021.
*QHP Issuers on the FFEs are not required to implement the Provider Directory API under this rule.
Link to the Interoperability and Patient Access final rule: https://www.federalregister.gov/documents/2020/05/01/2020-05050/medicare-and-medicaid-programs-patient-protection-and-affordable-care-act-interoperability-and
Read the Fact Sheet to learn more about the policies for Interoperability and Patient Access final rule.
The Interoperability and Prior Authorization proposed rule (CMS-9123-P) builds on the policies finalized in the CMS Interoperability and Patient Access final rule. This proposed rule emphasizes the need to improve health information exchange to achieve appropriate and necessary access to complete health records for patients, health care providers, and payers. This proposed rule also focuses on efforts to improve prior authorization processes through policies and technology, to help ensure that patients remain at the center of their own care. The rule enhances certain policies from the CMS Interoperability and Patient Access final rule, and adds several new provisions to increase data sharing and reduce overall payer, health care provider, and patient burden through the proposed improvements to prior authorization practices.
Link to the December 2020 Interoperability and Prior Authorization proposed rule: https://www.federalregister.gov/documents/2020/12/18/2020-27593/medicaid-program-patient-protection-and-affordable-care-act-reducing-provider-and-patient-burden-by
Read the Fact Sheet to learn more about the policies for the Interoperability and Prior Authorization proposed rule.
Office of the National Coordinator for Health Information Technology's (ONC) 21st Century Cures Act Final Rule
The Department of Health and Human Services (HHS) finalized technical as well as content and vocabulary standards in the ONC 21st Century Cures Act final rule, which CMS adopted to support these API policies. Other HL7 IGs are available for provider, payer and prior authorization APIs, which are not yet mandatory. However, if payers choose to use them, it will limit burden and support our mutual path forward towards an interoperable health care system. In addition, CMS continues to work with HL7 and other industry partners to ensure IGs and additional resources are freely available to payers to use if they choose to use them.
In August 2020, CMS released a letter to state health officers detailing how state Medicaid agencies should implement the CMS Interoperability and Patient Access final rule in a manner consistent with existing guidance. There are many provisions in this regulation that impact Medicaid and CHIP Fee-For-Service (FFS) programs, Medicaid managed care plans, and CHIP managed care entities, and this letter discusses those issues. Additionally, this letter advises states that they should be aware of the ONC’s 21st Century Cures Act final rule on information blocking. The link for the letter is:
This document includes links to useful information and best practices to help payers and developers build and maintain a FHIR-based API, as well as best practices for third-party app developers.
This document provides an overview of what is required to be included in a payer’s patient resource document and some content payers may choose to use to help meet this requirement. Use of this document is not required; it is to support payers as they produce patient resources tailored to their patient population.
FHIR Release 4.0.1 provides the first set of normative FHIR resources. A subset of FHIR resources is normative, and future changes to those resources marked normative will be backward compatible. These resources define the content and structure of core health data, which developers can use to build standardized applications.
HL7 Version 4.0.1 FHIR Specification Release 4, October 30, 2019
SMART on FHIR provides reliable, secure authorization for a variety of app architectures with the OAuth 2.0 standard. This profile is intended to be used by app developers that need to access FHIR resources by requesting access tokens from OAuth 2.0 compliant authorization servers. The profile defines a method through which an app requests authorization to access a FHIR resource, and then uses that authorization to retrieve the resource.
SMART Application Launch Framework IG Release 1.0.0, November 13, 2018
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and RESTful manner. This specification defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of claims to communicate information about the end-user. It also describes the security and privacy considerations for using OpenID Connect.
OpenID Connect Core 1.0 Incorporating Errata Set 1, November 8, 2014
The USCDI is a standardized set of health data classes and component data elements for nationwide, interoperable health information exchange. CMS required that payers share the USCDI data they maintain with patients via the Patient Access API, and with other payers via the Payer-to-Payer Data Exchange.
United States Core Data for Interoperability USCDI, February 2020, Version 1
Implementation Support for APIs:
The IGs and related resources may be used for the Patient Access, Provider Access, Payer Access, Provider Directory, and Prior Authorization APIs. These guides provide information payers can use to meet the requirements of CMS rules without having to develop an independent approach, which will save time and resources. In addition, the reference implementations available on the applicable websites allow payers to see the APIs in action and support testing and development.
Payers are required to make a patient’s claims and encounter data available via the Patient Access API.
HL7® FHIR® CARIN Consumer Directed Payer Data Exchange IG (also referred to as the CARIN IG for Blue Button®) URL: http://hl7.org/fhir/us/carin-bb/STU1
Payers are required to make a patient’s clinical data, defined as those data the payer maintains that are included in the USCDI version 1, available via the Patient Access API.
HL7 FHIR® Da Vinci PDex IG: Version STU 1.0.0. URL: http://hl7.org/fhir/us/davinci-pdex/STU1
HL7 FHIR® US Core IG STU 3.1.0. The PDex IG is based on the US Core IG, with the following additions designed for payer-related use cases:
- A Medication Dispense resource has been added to record a member’s prescription drug claims
- A Device resource has been added to broaden support for devices that are not implantable
- A payer-specific Provenance resource has been added
- A Coverage resource has been added that defines the constraints for representing the subscriber information to the Payer. This along with the patient’s first name, last name, date of birth and gender allows the payer to identify the member in their system for which the most responsible physician (MRP) was the performer
- Additional information to review:
  - Member matching:
  - SMART on FHIR App Launch:
  - REST Interaction Scopes:
Under the CMS Interoperability and Patient Access final rule, Part D Medicare Advantage plans must make formulary information available via the Patient Access API. In addition, Medicaid and CHIP FFS and managed care must make preferred drug lists available. The IG to help members select a coverage type during enrollment for the medications they are currently on is HL7 FHIR Da Vinci - PDex US Drug Formulary IG: Version STU 1.0.1.
Under the CMS Interoperability and Patient Access final rule and the CMS Interoperability and Prior Authorization final rule, Medicaid FFS programs, CHIP FFS programs, Medicaid managed care plans, and CHIP managed care entities are required to make provider directory information available via the Provider Directory API. The CMS Interoperability and Patient Access final rule includes MA organizations. This API must be accessible via a public-facing digital endpoint on the payer’s website. The IG is the HL7 FHIR Da Vinci PDex Plan Net IG: Version STU 1.0.0.
Prior Authorization Improvements through Technology
The CRD IG defines a workflow to allow payers to provide information about coverage requirements to healthcare providers through their clinical systems at the time treatment decisions are made. This will ensure that clinicians and administrative staff have the capability to make informed decisions and meet the requirements of the patient’s insurance coverage. The IG is: HL7 FHIR Da Vinci - CRD IG: Version STU 1.0.0.
Documentation Templates and Rules
The DTR IG specifies how payer rules can be executed in a provider context to ensure that documentation requirements are met. In turn, provider burden will be reduced because of reduced manual data entry. The IG is: HL7 FHIR Da Vinci - DTR IG: Version STU 1.0.0.
The PAS IG defines a way to directly submit prior authorization requests from EHR or practice management systems (PMS). Direct submission of prior authorization requests from an EHR or PMS can reduce costs for both providers and payers. It can also result in faster prior authorization decisions, which will lead to improved patient care experiences. The IG is: HL7 FHIR Da Vinci - PAS IG: Version STU 1.0.0.
Payer Coverage Decision Exchange (PCDE)
The PCDE IG defines a mechanism for sharing information from one payer (the previous payer) to a 'new' payer when a patient has switched plans to help ensure continuity of care and reduce/eliminate the need for repeating lab or diagnostic tests, re-trying previous therapies, etc. The IG is: HL7 FHIR Da Vinci - PCDE IG Version STU 1.0.0.
The Bulk Data specification explains how to transmit data on large populations of patients through FHIR, such as moving clinical data into an analytical data warehouse, sharing data between organizations, or submitting data to regulatory agencies. This specification has not been adopted by HHS or CMS; however, some federal and private organizations are using it. We encourage payers to consider testing its usability within their own organizations.
Additional Bulk Data resources:
- SMART Server Reference Implementations
- Bulk Data Discussion Group (Bulk Data)
- End of Technical Standards -
Questions? E-mail CMS Health Informatics and Interoperability Group at CMSHealthInformaticsAndInteroperabilityGroup@cms.hhs.gov
To view the CMS Interoperability and Patient Access final rule (CMS-9115-F) in the Federal Register, go to:
To view the ONC's 21st Century Cures Act final rule, go to: https://www.healthit.gov/curesrule. If you need more information, you can reach ONC via their feedback form: https://www.healthit.gov/form/healthit-feedback-form
To view the CMS Interoperability and Prior Authorization proposed rule (CMS-9123-P) in the Federal Register, go to: https://www.federalregister.gov/documents/2020/12/18/2020-27593/medicaid-program-patient-protection-and-affordable-care-act-reducing-provider-and-patient-burden-by