CMS Rule Drives New Era of API-Enabled Data Sharing & Prior Authorization Reform

On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) unveiled a long-awaited final rule aimed at advancing interoperability and enhancing prior authorization processes. This regulation leverages API technology to drive transparency, efficiency, and reduce provider, patient, and payer burden. This blog provides a brief overview exploring its history, key provisions, impacted stakeholders, exceptions, required standards, and compliance timelines.

A Long-Awaited Development

The journey towards this final rule has seen several important milestones. In 2020, a version of the rule was proposed but ultimately pulled back, with a newly proposed rule issued December 2022. After reviewing over 900 public comments CMS published the final regulation on January 17, 2024. This thoughtful process allowed CMS to incorporate industry feedback while balancing the imperative to advance data access, exchange and use for enhancing healthcare for patients.

Impacted & Excluded Parties

Payers, including the following are obligated to comply with the final rule:

• Medicare Advantage (MA) Organizations
• State Medicaid and Children’s Health Insurance Programs (CHIP)
• Qualified Health Plan issuers on Federally facilitated Exchanges (FFEs)
• Medicaid Managed Care Plans and CHIP Managed Care Entities
• Providers, particularly MIPS-eligible clinicians and eligible hospitals are encouraged to adopt electronic prior authorization processes.

Providers:

• Eligible hospitals and critical access hospitals in the Medicare Promoting Interoperability Program
• Merit-Based Incentive Payment System (MIPS) eligible clinicians

Excluded parties:

The final rule excludes:

• Issuers offering only stand-alone dental plans (SADPs)
• QHP issuers offering only QHPs in the Federally facilitated Small Business Health Options Program Exchanges (FF-SHOPs)
• State-based Exchanges on the Federal Platform (SBE-FPs)

Compliance Timelines

CMS finalized January 1, 2026, as the compliance date for impacted payers to:

• Report Patient Access API metrics to CMS
• Make standard and expedited prior authorization decisions within specific timeframes
• Send notices to providers, including a specific denial reason for denied prior authorizations, and
• Publicly report prior authorization metrics on their websites

CMS finalized January 1, 2027, as the compliance date for impacted payers to implement Provider Access, Payer-to-Payer, and Prior Authorization APIs.

APIs, Required Standards and Recommended Implementation Guides

The final rule included requirements to implement or modify the following APIs:

• Patient Access API (already in force but new information required to be added)
• Provider Access API
• Payer-to-Payer API
• Prior Authorization API (formerly known as PARDD)

The required standards and implementation specifications in this final rule include the following:

Standards:

• United States Core Data for Interoperability (USCDI)
• HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1
• HL7 FHIR US Core Implementation Guide (IG) Standard for Trial Use (STU) 3.1.1
• HL7 SMART Application Launch Framework Implementation Guide Release 1.0.0
• FHIR Bulk Data Access (Flat FHIR) (v1.0.0: STU 1)
• OpenID Connect Core 1.0

Recommended Implementation Guides (IGs):

• HL7 FHIR CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button®) IG Version STU 2.0.0
• HL7 SMART App Launch IG Release 2.0.0 to support Backend Services Authorization
• HL7 FHIR Da Vinci Payer Data Exchange (PDex) IG Version STU 2.0.0
• HL7 FHIR Da Vinci PDex US Drug Formulary IG Version STU 2.0.1
• HL7 FHIR Da Vinci PDex Plan-Net IG Version STU 1.1.0
• HL7 FHIR Da Vinci Coverage Requirements Discovery (CRD) IG Version STU 2.0.1
• HL7 FHIR Da Vinci Documentation Templates and Rules (DTR) IG Version STU 2.0.0
• HL7 FHIR Da Vinci Prior Authorization Support (PAS) IG Version STU 2.0.1

Key Prior Authorization Provisions

One of the key features of the rule is the implementation of electronic prior authorization for medical services and products (excluding drugs) by January 1, 2027. The rule enforces the adoption of FHIR interoperability standards, enabling more seamless data exchange. The goals are to reduce burden on providers and payers while improving the patient access to care experience.

The rule also sets new prior authorization decision timeframes that payers must meet. The new timeframes are 7 days for standard requests and 72 hours for expedited requests. The compliance date is January 1, 2026

To ensure accountability, the regulation requires impacted payers to publicly report prior authorization metrics on their websites beginning January 1, 2026. The transparency of performance data is intended to highlight areas needing improvement. Additionally, prior authorization data and details must be made available through other adopted APIs - the Provider Access, Patient Access and Payer-to-Payer APIs. This expands access to authorization information beyond the specific Prior Authorization API.

An interesting inclusion in the accompanying press release references the National Standards Group announcement of "Enforcement Discretion" of existing HIPAA requirements for organizations wishing to provide a FHIR only solution.

Looking Forward

The CMS Advancing Interoperability and Improving Prior Authorization Final Rule represents a transformative step towards a more interconnected healthcare landscape. Stakeholders seeking a deep understanding of its implications are encouraged to reach out to Point-of-Care Partners (POCP) by emailing me (kim.boyd@pocp.com) or Brian Dwyer (brian.dwyer@pocp.com ) to set up a discussion to explore your short and long-term strategic challenges and compliance requirements.

We encourage stakeholders who aren’t directly impacted or required to comply with this rule to consider the critical business transformation benefits of adopting APIs to support more timely and less burdensome data exchange both internally and with external partners.

Stay tuned for future content from POCP, delving into the nuanced details of this rule and anticipating future policy activities in the dynamic healthcare technology space.