
CMS finalizes Interoperability and Patient Access rule

CMS finalized rules requiring health plans to give patients FHIR API access to their claims and clinical data. Payers have until January 2021 to comply. If you work with healthcare APIs, FHIR just became mandatory.


CMS released the Interoperability and Patient Access final rule (CMS-9115-F), establishing notable requirements for healthcare data exchange. The rule mandates HL7 FHIR-based APIs for patient data access, requires payer-to-payer data exchange when members change plans, and enforces provider directory accuracy standards, reshaping how health information flows across the U.S. healthcare system.

FHIR API Mandates

The rule requires regulated payers to implement Patient Access APIs using the HL7 FHIR R4 standard. These APIs must provide patients electronic access to their claims data, encounter information, and clinical data that payers maintain. The standardized approach enables third-party applications to retrieve patient data with appropriate consent, fostering a market for patient-facing health applications.

Technical requirements specify FHIR implementation guides, including US Core profiles for clinical data representation. Payers must support OAuth 2.0 authorization flows that let patients grant access to applications. The API infrastructure must handle production-scale traffic while maintaining the security and privacy protections required by HIPAA.

Implementation timelines gave payers until January 1, 2021 for initial Patient Access API deployment. Subsequent phases added requirements for drug formulary information, provider directory data, and expanded clinical content. Organizations needed to budget for significant engineering investment in FHIR infrastructure.

Payer-to-Payer Data Exchange

The rule introduced requirements for payer-to-payer data exchange, addressing continuity of care challenges when patients change health plans. When a member enrolls in a new plan, the receiving payer can request clinical and claims history from the member's previous payers, subject to member consent.

This capability addresses fragmentation in patient records that occurs when health coverage changes. Previously, clinical history remained siloed with former payers, forcing new providers to recreate diagnostic workups and potentially miss relevant medical history. Payer-to-payer exchange enables receiving plans to understand members' health status and care needs from enrollment.

Implementation requires careful consent management and data governance. Payers must explain data sharing to members and obtain appropriate authorization. Technical infrastructure must support both sending and receiving roles in the exchange, with security controls protecting health information in transit and at rest.

Provider Directory Requirements

The rule strengthens provider directory accuracy requirements, addressing longstanding complaints about inaccurate network information. Patients and referring providers often encounter "ghost networks" where listed providers are not actually accepting patients, have incorrect contact information, or have left the network entirely.

Payers must validate provider directory data quarterly and make corrections within specified timeframes. The rule requires provider directory APIs enabling programmatic access to network information. These APIs support care navigation applications and enable automated directory validation by provider organizations.

Provider data management processes must incorporate verification workflows, update mechanisms when providers report changes, and reconciliation procedures to identify stale records. Organizations need data quality metrics and monitoring to show compliance with accuracy requirements.

ADT Event Notification Requirements

The rule requires hospitals to send Admission, Discharge, and Transfer (ADT) notifications to relevant providers and care team members. When patients are admitted, discharged, or transferred, the admitting facility must transmit electronic notifications enabling care coordination and follow-up.

ADT notifications support transitions of care, a high-risk period for adverse events. Primary care providers receiving discharge notifications can schedule follow-up appointments and medication reconciliation. Care managers can intervene for high-risk patients leaving acute care settings. The requirement addresses gaps in care coordination that contribute to preventable readmissions.

Technical implementation typically uses HL7 v2 ADT messages or FHIR-based notifications, depending on receiving system capabilities. Hospitals must establish connectivity with community providers and health information exchanges to deliver notifications broadly rather than only to affiliated providers.

Technical Implementation Considerations

Organizations implementing CMS-9115-F requirements face significant technical challenges. FHIR API development requires expertise in healthcare interoperability standards, OAuth security patterns, and flexible API infrastructure. Many payers lack internal FHIR capabilities and must build teams or engage implementation partners.

Data transformation represents significant effort. Claims data exists in proprietary formats and must be mapped to FHIR resources following US Core profiles. Clinical data from various sources requires normalization and standardization. Data quality issues in source systems surface as API consumers encounter inconsistent or incomplete information.

Infrastructure must handle production traffic from potentially millions of patient-authorized applications. API gateways need rate limiting, monitoring, and security controls. Identity and access management must support patient authentication and application authorization at scale.

Compliance Timeline and Enforcement

CMS established phased compliance timelines recognizing implementation complexity. Initial requirements took effect January 1, 2021, with subsequent phases adding capabilities through 2022 and beyond. The COVID-19 pandemic led CMS to exercise enforcement discretion during early implementation periods.

Enforcement mechanisms include potential conditions of participation for federal health programs. Payers failing to implement required capabilities risk exclusion from Medicare Advantage, Medicaid managed care, and Federally-facilitated Exchange participation. These stakes motivated significant compliance investment despite implementation challenges.

If you are affected, document good-faith implementation efforts, track progress against timelines, and maintain communication with CMS regarding any compliance obstacles. Enforcement has focused on demonstrating progress and responsiveness rather than penalizing organizations making genuine implementation efforts.

Strategic Implications

The interoperability rule accelerates healthcare's digital transformation. Patient-facing applications can now access full health records through standardized APIs, enabling innovations in care management, chronic disease support, and health engagement. The rule creates market opportunities for application developers and health technology companies.

Payers must adapt to a more transparent healthcare ecosystem where patients can easily compare plans based on data access capabilities. Organizations investing in superior interoperability infrastructure may gain competitive advantages in member acquisition and retention. The rule shifts power toward patients by enabling data portability and application choice.

Patient Access API

The CMS Interoperability Rule mandates patient access APIs enabling consumers to access their health information through third-party applications. FHIR-based APIs provide standardized data formats and authentication mechanisms. Implementation timelines apply to CMS-regulated payers.

Technical Requirements

Patient access APIs must support the FHIR R4 specification and SMART on FHIR authorization. Claims and clinical data must be available through standardized endpoints. Security measures protect patient data during API access.
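One way a Patient Access API resource server can enforce the OAuth 2.0 and SMART on FHIR authorization described above: a read is allowed only when a granted patient-level scope covers the resource type and the resource references the patient bound to the token. This is an added example, not code from CMS, HL7 or this briefing; the token layout (`scope` and `patient` claims from a token already validated elsewhere), the function names and the sample identifiers are assumptions.

```python
import re

# SMART v1 patient-level scope: patient/<ResourceType|*>.<read|write|*>
SCOPE_RE = re.compile(r"^patient/([A-Za-z]+|\*)\.(read|write|\*)$")

# FHIR R4 element that references the patient; unlisted types are denied (fail closed).
PATIENT_REF = {
    "ExplanationOfBenefit": "patient",
    "Coverage": "beneficiary",
    "Encounter": "subject",
    "Condition": "subject",
    "Observation": "subject",
}

def scope_allows(scopes, resource_type, action):
    """True if any granted patient-level scope covers this type and action."""
    for scope in scopes.split():
        m = SCOPE_RE.match(scope)
        if m and m.group(1) in (resource_type, "*") and m.group(2) in (action, "*"):
            return True
    return False

def in_patient_compartment(resource, patient_id):
    """True only if the resource points at the token's patient (relative refs only)."""
    rtype = resource.get("resourceType")
    if rtype == "Patient":
        return resource.get("id") == patient_id
    element = PATIENT_REF.get(rtype)
    if element is None:
        return False
    ref = resource.get(element)
    return isinstance(ref, dict) and ref.get("reference") == f"Patient/{patient_id}"

def authorize_read(token, resource):
    """token: claims of an access token already validated elsewhere (assumed layout)."""
    patient_id = token.get("patient")
    if not patient_id:
        return (False, "no patient context")
    if not scope_allows(token.get("scope", ""), resource.get("resourceType", ""), "read"):
        return (False, "scope does not cover resource type")
    if not in_patient_compartment(resource, patient_id):
        return (False, "resource belongs to another patient")
    return (True, "ok")

# Constructed sample data (not real member or claim identifiers).
TOKEN = {"scope": "openid patient/ExplanationOfBenefit.read", "patient": "m-1001"}
EOB_OWN = {"resourceType": "ExplanationOfBenefit", "patient": {"reference": "Patient/m-1001"}}
EOB_OTHER = {"resourceType": "ExplanationOfBenefit", "patient": {"reference": "Patient/m-2002"}}
OBS_OWN = {"resourceType": "Observation", "subject": {"reference": "Patient/m-1001"}}
```

With the constructed token, `authorize_read` permits the member's own claim and denies both the other member's claim and the Observation that no granted scope covers.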

Consumer Benefits

Patients gain the ability to aggregate health information from multiple payers. Third-party applications enable personalized health management. Data portability supports informed healthcare decisions.

Implementation Challenges

Legacy system data extraction requires format transformation to FHIR standards. Data quality issues may affect API response accuracy. Testing validates API functionality across diverse client applications.

Ongoing Compliance

API availability monitoring ensures service continuity for patient access. Version management addresses FHIR specification evolution. Security assessments validate ongoing protection of patient data through API access. Documentation demonstrates compliance with CMS requirements. Regular testing validates data accuracy and completeness.

Provider Considerations

Patient-directed data sharing requires provider workflow adjustments. Staff training addresses patient inquiries about data access options. Integration with patient portals provides seamless access experiences.

Market Evolution

Third-party health applications use patient access APIs for innovative services. Competition drives application quality and feature development. Patient choice expands as the API ecosystem matures.

Future Developments

CMS continues expanding interoperability requirements through subsequent rulemaking. Monitoring regulatory evolution informs implementation planning. Industry standards continue advancing data exchange capabilities.
