
Data Strategy Briefing — May 1, 2020

CMS's Interoperability and Patient Access Final Rule requires MA, Medicaid/CHIP, and FFE QHP payers to deliver FHIR-based patient and directory APIs, support payer-to-payer exchange, and ensure hospitals send ADT notifications, with enforcement timelines aligned to ONC's information blocking framework.


Executive briefing: The Centers for Medicare & Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule (CMS-9115-F) in the Federal Register on . The rule strengthens patients’ longitudinal access to clinical and administrative information by requiring health plans to expose standardized APIs, support payer-to-payer exchange, and ensure hospitals send event notifications to care teams. Applicability spans Medicare Advantage (MA) organizations, Medicaid and CHIP managed care plans, state Medicaid and CHIP fee-for-service programs, and Qualified Health Plan (QHP) issuers on federally facilitated exchanges.

The policy aligns CMS programs with the ONC Cures Act Final Rule on information blocking and is intended to reduce friction in data-sharing across payers, providers, and third-party apps. CMS retains oversight through Medicare conditions of participation (CoPs), managed care contract requirements, and enforcement discretion notices that adjust timelines when industry readiness is constrained.

Data-sharing mandates

Patient Access API: MA organizations, Medicaid and CHIP managed care entities, state Medicaid and CHIP programs, and FFE QHP issuers must provide beneficiaries with access to adjudicated claims, encounter data, clinical data they maintain (including data classes in the U.S. Core Data for Interoperability), and formulary information via a FHIR R4-based API. Plans must permit third-party applications chosen by members to retrieve this data at no cost, without degrading the data or imposing proprietary formats. CMS expects plans to publish clear documentation for beneficiaries explaining what information will be shared and how privacy protections apply.

Provider Directory API: Payers must publish participating provider names, addresses, phone numbers, specialties, and network statuses through a public, unauthenticated API to support care navigation. CMS requires directory information to be refreshed at least every 30 days and encourages synchronization with claims processing to reduce directory inaccuracies.

Payer-to-payer data exchange: When a member moves between plans, the sending payer must make the member’s claims and encounter data, as well as any clinical data it maintains, available to the receiving payer upon the member’s request. CMS referenced the HL7 Da Vinci Payer Data Exchange (PDex) implementation guide as a standards-based approach for exchanging USCDI-aligned data. Plans need policies for verifying member identity, maintaining records of disclosures for at least five years, and documenting how they will onboard new payers requesting the data.

Admission, discharge, and transfer notifications: Medicare- and Medicaid-participating hospitals and critical access hospitals must send real-time ADT notifications to a patient’s established providers, primary care practitioners, and post-acute providers when patients are admitted, discharged, or transferred. Hospitals may leverage intermediaries such as Health Information Exchanges but remain responsible for ensuring notifications go to the appropriate recipients as a CoP requirement.

API standards and privacy safeguards

CMS directs payers to build APIs consistent with HL7 FHIR Release 4, referencing the CARIN Blue Button implementation guide for claims and encounter data and the HL7 US Core profiles for clinical data. OAuth 2.0 and OpenID Connect underpin authorization flows, and CMS expects support for SMART on FHIR profiles so that third-party apps can request scopes aligned to member consent. Plans should publish machine-readable OpenAPI or Swagger documentation and provide sandbox environments with sample data to accelerate developer onboarding.

Privacy and security obligations include TLS encryption in transit, token lifetimes appropriate to the sensitivity of health data, auditable logging of API calls, and rate limiting that balances performance with abuse prevention. CMS advises payers to implement rigorous identity verification for member app connections, avoid credential sharing, and provide prominent privacy notices when members authorize third-party applications that may not be covered by HIPAA.
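The scope-handling step described above, where an authorization server issues a token only for scopes that match what the member consented to, as an added example (not CMS, HL7 or any payer's code). It assumes SMART App Launch v1 scope strings of the form `context/Resource.access`, a constructed consent store (`MEMBER_CONSENT`), and a local rule that Patient Access API tokens are read-only:

```python
"""Enforcing consent-aligned SMART on FHIR scopes before a token is issued.

Added example for this briefing, not CMS, HL7 or any payer's code. Scope
strings follow the SMART App Launch v1 pattern '<context>/<Resource>.<access>'
(for example 'patient/Coverage.read'); the member consent store below is
constructed sample data.
"""
import re

# SMART v1 resource scope: context/Resource.access, '*' allowed as a wildcard
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")

# Scopes that carry identity or refresh semantics rather than resource access
NON_RESOURCE_SCOPES = {"openid", "fhirUser", "offline_access", "launch/patient"}

# Constructed consent store: member -> app client_id -> scopes the member approved
MEMBER_CONSENT = {
    "member-123": {
        "app-claims-viewer": {
            "patient/ExplanationOfBenefit.read",
            "patient/Coverage.read",
            "patient/Patient.read",
        },
    },
}


def parse_scope(scope):
    """Return (context, resource, access) or None when the string is malformed."""
    m = SCOPE_RE.match(scope)
    return m.groups() if m else None


def consent_covers(requested, consented):
    """True when one consented scope authorizes the requested (ctx, res, access).

    Wildcards are honoured only on the consent side: a request for '*' is never
    widened to whatever the member happened to approve.
    """
    ctx, res, access = requested
    if "*" in (res, access):
        return False
    for c_ctx, c_res, c_access in consented:
        if ctx == c_ctx and c_res in ("*", res) and c_access in ("*", access):
            return True
    return False


def evaluate_scopes(member_id, client_id, requested_scopes):
    """Partition a token request into granted / denied / malformed scopes.

    Patient Access API endpoints are read-only (assumed local rule), so any
    write scope is denied even if a consent record lists it.
    """
    consented = set()
    for s in MEMBER_CONSENT.get(member_id, {}).get(client_id, set()):
        parsed = parse_scope(s)
        if parsed:
            consented.add(parsed)
    granted, denied, malformed = set(), set(), set()
    for s in requested_scopes:
        if s in NON_RESOURCE_SCOPES:
            granted.add(s)
            continue
        parsed = parse_scope(s)
        if parsed is None:
            malformed.add(s)
        elif parsed[2] != "read" or not consent_covers(parsed, consented):
            denied.add(s)
        else:
            granted.add(s)
    return granted, denied, malformed


def token_scope_claim(member_id, client_id, requested_scopes):
    """The space-separated 'scope' claim to embed in the issued access token.

    Returns None when the request contains malformed scopes, so the caller
    answers with an invalid_scope error instead of silently trimming.
    """
    granted, _denied, malformed = evaluate_scopes(member_id, client_id, requested_scopes)
    if malformed:
        return None
    return " ".join(sorted(granted))


if __name__ == "__main__":
    req = ["openid", "fhirUser", "patient/ExplanationOfBenefit.read",
           "patient/Coverage.write", "patient/Observation.read"]
    print(evaluate_scopes("member-123", "app-claims-viewer", req))
    print(token_scope_claim("member-123", "app-claims-viewer", req))
```

The design point is that the token carries the intersection of request and consent, never the request itself: an app asking for `patient/*.read` or a write scope gets only what the member approved, and an unknown member or client yields no resource scopes at all.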

For payer-to-payer exchange, CMS recommends adopting FHIR-based PDex endpoints or trusted exchange frameworks to reduce reliance on mail or manual uploads. Plans should incorporate data quality checks to ensure USCDI data elements, such as medications, allergies, lab results, and clinical notes, are complete and mapped to standard vocabularies (e.g., SNOMED CT, LOINC, RxNorm) before transmission.

Compliance timelines and enforcement

CMS initially set compliance dates for the Patient Access and Provider Directory APIs, then deferred enforcement as a COVID-19 flexibility. CMS’ March 2021 enforcement discretion notice allowed plans additional time to complete security reviews and testing but maintained expectations for production availability by July 2021. Hospitals were required to comply with ADT notification CoPs by , aligning with the FY 2021 Inpatient Prospective Payment System final rule.

Payer-to-payer data exchange carried an applicability date of . CMS later announced it would exercise enforcement discretion while pursuing additional rulemaking to strengthen standards and improve patient matching, signaling that plans should continue technical preparations even without active enforcement. Organizations should monitor CMS’ interoperability rulemaking docket for updates that may set new firm deadlines or expand data sets beyond USCDI v1.

Plans are expected to document readiness assessments, API uptime metrics, and member communications as part of compliance evidence. CMS can use audit authority under MA and Medicaid contracts, and hospitals risk survey findings if ADT notifications are not reliably transmitted. Coordination with state regulators is essential because some states have adopted parallel API and directory requirements within Medicaid managed care contracts.

Operational considerations for payers and providers

Governance and vendor oversight: Many plans rely on third-party API gateways or health information networks. Contracts should mandate adherence to FHIR R4, API uptime service-level objectives, breach notification terms, and data-use limitations that mirror CMS requirements. Clear delineation of responsibilities between payers and vendors reduces risk of noncompliance when integrating enrollment, claims adjudication, and clinical repositories.

Member identity and consent management: Secure member authentication, multifactor options, and explicit consent flows reduce the risk of unauthorized disclosures. Plans should provide accessible educational materials for beneficiaries on the differences between HIPAA-covered entities and consumer health apps, emphasizing how revocation of access works and how data may be reused by third parties.

Data quality and mapping: Implementing automated normalization to terminology standards and maintaining provenance metadata enable accurate patient safety decisions downstream. Plans should routinely validate that encounter data reflect network status, that formulary information is current, and that ADT notifications contain correct provider contact details to prevent alert fatigue.
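The pre-transmission data quality check described here and in the payer-to-payer section above (USCDI elements mapped to SNOMED CT, LOINC and RxNorm, with provenance retained), as an added example rather than CMS, HL7 or any payer's code. The resource-type-to-terminology table is an assumed local policy built from the standard FHIR system URIs; the bundle is constructed sample data:

```python
"""Pre-transmission vocabulary and provenance checks on a FHIR R4 Bundle.

Added example for this briefing, not CMS, HL7 or any payer's code. The
mapping of resource types to acceptable code systems below is an assumed
local policy built from the standard FHIR system URIs for SNOMED CT,
LOINC, RxNorm and ICD-10-CM; the bundle is constructed sample data.
"""

SNOMED = "http://snomed.info/sct"
LOINC = "http://loinc.org"
RXNORM = "http://www.nlm.nih.gov/research/umls/rxnorm"
ICD10CM = "http://hl7.org/fhir/sid/icd-10-cm"

# Assumed policy: which element must be coded, and with which terminologies
CODING_POLICY = {
    "Condition": ("code", {SNOMED, ICD10CM}),
    "AllergyIntolerance": ("code", {SNOMED, RXNORM}),
    "Observation": ("code", {LOINC}),
    "MedicationRequest": ("medicationCodeableConcept", {RXNORM}),
}


def coding_systems(resource, element):
    """Set of 'system' URIs present on a CodeableConcept element (empty if absent)."""
    concept = resource.get(element) or {}
    return {c.get("system") for c in concept.get("coding", []) if c.get("system")}


def check_resource(resource):
    """Return a list of human-readable findings for one resource."""
    findings = []
    rtype = resource.get("resourceType", "?")
    rid = f"{rtype}/{resource.get('id', '?')}"
    # Provenance: the receiving payer needs to know where each record came from
    if not (resource.get("meta") or {}).get("source"):
        findings.append(f"{rid}: missing meta.source provenance")
    policy = CODING_POLICY.get(rtype)
    if policy is None:
        return findings
    element, allowed = policy
    systems = coding_systems(resource, element)
    if not systems:
        findings.append(f"{rid}: {element} has no coded value")
    elif not systems & allowed:
        findings.append(f"{rid}: {element} uses only non-standard systems {sorted(systems)}")
    return findings


def check_bundle(bundle):
    """Findings across every entry; an empty list means the bundle may be sent."""
    findings = []
    for entry in bundle.get("entry", []):
        findings.extend(check_resource(entry.get("resource", {})))
    return findings


# Constructed sample: two conformant resources, two that must be fixed first
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "collection",
    "entry": [
        {"resource": {"resourceType": "Observation", "id": "lab-1",
                      "meta": {"source": "urn:example:lab-feed"},
                      "code": {"coding": [{"system": LOINC, "code": "2345-7"}]}}},
        {"resource": {"resourceType": "MedicationRequest", "id": "rx-1",
                      "meta": {"source": "urn:example:pharmacy-claims"},
                      "medicationCodeableConcept": {"coding": [{"system": RXNORM, "code": "197361"}]}}},
        {"resource": {"resourceType": "Condition", "id": "dx-1",
                      "meta": {"source": "urn:example:claims"},
                      "code": {"coding": [{"system": "urn:example:legacy-dx", "code": "A17"}]}}},
        {"resource": {"resourceType": "AllergyIntolerance", "id": "al-1",
                      "code": {"coding": [{"system": SNOMED, "code": "91936005"}]}}},
    ],
}

if __name__ == "__main__":
    for finding in check_bundle(SAMPLE_BUNDLE):
        print(finding)
```

Running it against the sample flags the Condition coded only in a local system and the allergy record with no provenance, while the LOINC-coded lab and RxNorm-coded prescription pass; a gateway would hold the bundle until the findings list is empty.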

Monitoring and security operations: Continuous monitoring of API traffic for anomalous patterns, periodic penetration testing, and documented incident response procedures are necessary to satisfy CMS expectations and broader cybersecurity obligations. Logging should capture app client IDs, scopes granted, response codes, and member identifiers in a privacy-preserving manner to support audits and forensics.
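The privacy-preserving audit record and the anomaly monitoring this paragraph calls for (and the auditable logging and abuse prevention mentioned under API standards above), as an added example that is not CMS's or any payer's code. It assumes a keyed HMAC for pseudonymizing member identifiers, a constructed key and constructed sample traffic, and illustrative thresholds for what counts as anomalous:

```python
"""Privacy-preserving API audit records and a first-pass anomaly scan.

Added example for this briefing, not CMS's or any payer's code. Member
identifiers are replaced by a keyed HMAC so audit logs can be correlated
without exposing the raw ID; the key, the client IDs and the sample
requests are all constructed. Thresholds are illustrative assumptions.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed: in production this key lives in an HSM/KMS, not in source
AUDIT_PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonymize(member_id, key=AUDIT_PSEUDONYM_KEY):
    """Stable, non-reversible token for a member ID; same input -> same output."""
    return hmac.new(key, member_id.encode(), hashlib.sha256).hexdigest()[:32]


def audit_record(ts, client_id, member_id, scopes, path, status):
    """Build the JSON line written for one API call (no raw member ID, no PHI)."""
    return json.dumps({
        "ts": ts,
        "client_id": client_id,
        "member": pseudonymize(member_id),
        "scopes": sorted(scopes),
        "path": path,            # resource path only; never query strings that may carry PHI
        "status": status,
    }, sort_keys=True)


def scan_audit_log(lines, max_members_per_client=3, max_error_rate=0.5, min_calls=4):
    """Per-client aggregates with two simple signals worth a SOC's attention.

    Returns {client_id: [reasons]} for clients that exceed the (assumed)
    thresholds; an empty dict means nothing stood out in this window.
    """
    by_client = defaultdict(lambda: {"calls": 0, "errors": 0, "members": set()})
    for line in lines:
        rec = json.loads(line)
        stats = by_client[rec["client_id"]]
        stats["calls"] += 1
        stats["members"].add(rec["member"])
        if 400 <= rec["status"] < 500:
            stats["errors"] += 1
    alerts = {}
    for client, s in by_client.items():
        reasons = []
        if s["calls"] >= min_calls and s["errors"] / s["calls"] > max_error_rate:
            reasons.append("high-4xx-rate")          # repeated denials: bad tokens or scope probing
        if len(s["members"]) > max_members_per_client:
            reasons.append("many-distinct-members")  # one client touching many members quickly
        if reasons:
            alerts[client] = reasons
    return alerts


# Constructed sample traffic: one well-behaved app, one whose pattern needs review
SAMPLE_CALLS = [
    ("2021-07-01T10:00:00Z", "app-claims-viewer", "member-123", ["patient/ExplanationOfBenefit.read"], "/ExplanationOfBenefit", 200),
    ("2021-07-01T10:00:05Z", "app-claims-viewer", "member-123", ["patient/Coverage.read"], "/Coverage", 200),
    ("2021-07-01T10:00:09Z", "app-claims-viewer", "member-123", ["patient/Patient.read"], "/Patient", 200),
    ("2021-07-01T10:01:00Z", "app-unverified", "member-001", ["patient/*.read"], "/Patient", 403),
    ("2021-07-01T10:01:01Z", "app-unverified", "member-002", ["patient/*.read"], "/Patient", 403),
    ("2021-07-01T10:01:02Z", "app-unverified", "member-003", ["patient/*.read"], "/Patient", 403),
    ("2021-07-01T10:01:03Z", "app-unverified", "member-004", ["patient/Patient.read"], "/Patient", 200),
    ("2021-07-01T10:01:04Z", "app-unverified", "member-005", ["patient/*.read"], "/Patient", 403),
    ("2021-07-01T10:01:05Z", "app-unverified", "member-005", ["patient/*.read"], "/Coverage", 403),
]


def build_log():
    """The audit lines that would be shipped to the SIEM for the sample traffic."""
    return [audit_record(*call) for call in SAMPLE_CALLS]


if __name__ == "__main__":
    lines = build_log()
    print("\n".join(lines))
    print(scan_audit_log(lines))
```

The raw member ID never reaches the log, yet the HMAC output is stable, so an investigator holding the key can still tie a complaint about a specific member to the relevant records; the scan is deliberately coarse and is the kind of rule a team would refine with real baselines.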

Strategic impact and next steps

By enforcing interoperable APIs across Medicare and Medicaid programs, CMS is accelerating a shift toward patient-directed exchange and app-based care coordination. Plans that implement robust developer portals, transparent consent flows, and accurate directories can differentiate on member experience while reducing administrative burden from paper record requests. Hospitals that integrate ADT notifications with care management workflows can reduce readmissions and support value-based care arrangements.

Teams should maintain a regulatory tracker for upcoming CMS interoperability proposals, monitor ONC’s evolution of USCDI, and participate in HL7 Da Vinci implementation testing to validate conformance. Investments in identity resolution, consent orchestration, and data observability will help organizations meet future requirements, such as expanded public health reporting and prior authorization APIs contemplated in subsequent CMS rulemaking.
