
Data Strategy · Credibility 50/100 · 2 min read

Data Strategy Briefing — May 1, 2020

CMS published the Interoperability and Patient Access final rule, imposing API, payer-to-payer exchange, and admission-discharge-transfer event notification requirements across Medicare and Medicaid programs.

Executive briefing: The Centers for Medicare & Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule (CMS-9115-F) in the Federal Register on . The rule enforces patient access to health information via standardized APIs, mandates payer-to-payer data exchange, and requires event notifications to providers. It applies to Medicare Advantage (MA) plans, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities, and Qualified Health Plans (QHPs) on federally facilitated exchanges.

Key requirements

Covered payers must implement FHIR-based Patient Access APIs allowing members to access claims, encounter data, formulary information, and clinical data starting in July 2021 (enforcement discretion extended due to COVID-19). Payers must also deploy Provider Directory APIs and, for MA and Medicaid managed care plans, support payer-to-payer data exchange to facilitate continuity of care when members switch plans.

The rule mandates admission, discharge, and transfer (ADT) event notifications from hospitals to providers and care team members to improve care coordination. CMS prohibits information blocking by requiring payers to share data without special effort, aligning with ONC’s Cures Act Final Rule.

Technical specifications

CMS references the HL7 FHIR US Core profiles and the CARIN Blue Button implementation guide for claims and encounter data. Payers must adopt OAuth 2.0 authorization, OpenID Connect, and SMART on FHIR specifications to support third-party applications. Security requirements include multi-factor authentication for developer portals, regular penetration testing, and clear privacy policies.

Provider Directory APIs must deliver provider names, addresses, specialties, and network affiliations, accessible without authentication. Payers should publish OpenAPI specifications and sandbox environments for developers.
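As an added example (not from the briefing, CMS, or any payer's code), a payer-side authorization policy check in Python for a SMART on FHIR Patient Access API: it parses SMART v1 scope strings, grants only patient-compartment read scopes plus the standard launch and identity scopes, requires an exact-match HTTPS redirect URI for the registered OAuth 2.0 client, and returns a decision record suitable for access logging. Client ids, URIs and scope strings are constructed.

```python
"""Authorization policy check for a SMART on FHIR Patient Access API (constructed example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# SMART v1 clinical scope grammar: <context>/<Resource or *>.<read|write|*>
CLINICAL_SCOPE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]+|\*)\.(read|write|\*)$")
# Non-clinical SMART scopes a member-facing app may legitimately request
ALLOWED_PLAIN_SCOPES = {"openid", "fhirUser", "launch/patient", "offline_access"}


@dataclass
class ScopeDecision:
    granted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)  # scope -> reason


def evaluate_scopes(requested: str) -> ScopeDecision:
    """Grant only patient-compartment read scopes; reject writes, user/system
    contexts and anything that does not parse as a SMART scope."""
    decision = ScopeDecision()
    for scope in requested.split():
        if scope in ALLOWED_PLAIN_SCOPES:
            decision.granted.append(scope)
            continue
        m = CLINICAL_SCOPE.match(scope)
        if not m:
            decision.rejected[scope] = "malformed or unknown scope"
            continue
        context, _resource, permission = m.groups()
        if context != "patient":
            decision.rejected[scope] = "member apps get patient-compartment access only"
        elif permission != "read":
            decision.rejected[scope] = "Patient Access API is read-only"
        else:
            decision.granted.append(scope)
    return decision


def redirect_uri_ok(registered: set, requested: str) -> bool:
    """Exact-match, HTTPS-only redirect URI check for a public OAuth 2.0 client."""
    u = urlparse(requested)
    return u.scheme == "https" and u.netloc != "" and u.fragment == "" and requested in registered


def authorize(client_id: str, member_id: str, registered: set, redirect_uri: str, scope: str) -> dict:
    """Combine both checks into one loggable decision record for the access log."""
    entry = {"client_id": client_id, "member": member_id}
    if not redirect_uri_ok(registered, redirect_uri):
        return {**entry, "outcome": "denied", "reason": "redirect_uri not registered or not https"}
    d = evaluate_scopes(scope)
    return {**entry, "outcome": "granted" if d.granted else "denied",
            "granted": d.granted, "rejected": d.rejected}
```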

Payer-to-payer data exchange

Beginning in January 2022 (enforcement delayed), payers must exchange clinical data (USCDI) at a member’s request when transitioning between plans. Plans must maintain the data for at least five years and share with new payers in a secure, standards-based format. CMS encourages adoption of FHIR-based exchange, referencing the HL7 Da Vinci PDex implementation guide. Members can request data from current and former plans, enhancing longitudinal health records.

Payers must document processes for authenticating member requests, ensuring security, and tracking exchanges. Contracts with delegated entities should include obligations to support data sharing.

Event notifications

Hospitals, psychiatric hospitals, and critical access hospitals subject to the Medicare and Medicaid Conditions of Participation must send electronic ADT notifications to primary care practitioners, post-acute providers, and care coordinators. Notifications must be sent in near real time, include patient demographics and location, and comply with HIPAA privacy requirements. Hospitals can use existing EHR capabilities or third-party networks to transmit notifications.

Providers must update policies to integrate notifications into care management workflows, ensuring timely follow-up and documentation. Health information exchanges (HIEs) and vendors can facilitate compliance.

Privacy and security considerations

While CMS encourages patient-directed app usage, payers must educate members on privacy risks and provide resources such as the CMS model privacy notice. Payers cannot deny app connections on the basis of general security concerns alone, but they may deny access to an app that poses an unacceptable risk, provided the denial is based on objective, documented criteria.

Payers must implement API security controls, including encryption, access logging, and breach detection. Vendor management programmes should assess third-party developers with whom members share data.

Operational impact

Payers need cross-functional teams spanning IT, compliance, legal, and member services. They must develop developer portals, manage OAuth client registrations, and support consumer help desks. Data quality initiatives are critical to ensure accurate claims and clinical data. Payers should integrate FHIR APIs with existing data warehouses, EHR interfaces, and analytics platforms.

Member communications must explain API availability, data scope, and privacy considerations. Customer service teams require training to support members using third-party apps. Metrics should track API usage, member satisfaction, and data sharing success.

Enforcement and penalties

CMS can audit compliance through documentation requests, technical testing, and on-site reviews. Non-compliance can result in corrective action plans, civil monetary penalties, or contract sanctions. CMS coordinates with state Medicaid agencies and insurance departments to oversee managed care organisations.

Payers should maintain detailed compliance documentation, including API specifications, security assessments, member communications, and incident response logs. Regular internal audits help identify gaps before CMS inspections.

Action plan

  1. Immediate: Inventory data sources, assess FHIR readiness, and establish governance structures. Select technology partners or build internal teams for API development and security.
  2. 30–60 days: Develop API implementation roadmaps, including testing, sandbox deployment, and developer onboarding. Create member education materials and privacy notices.
  3. 60–90 days: Launch pilot APIs, conduct security assessments, and integrate ADT notification workflows. Finalise payer-to-payer exchange procedures and documentation.
  4. Continuous: Monitor CMS guidance, ONC interoperability updates, and industry implementation guides. Track API performance metrics, member feedback, and compliance audits, adjusting processes as needed.

Implementing the CMS Interoperability and Patient Access Final Rule enhances patient empowerment, supports value-based care, and aligns payer operations with national interoperability goals.

Coordination with ONC and other agencies

The CMS rule complements the ONC Cures Act Final Rule, which establishes API certification criteria and information blocking enforcement. Payers must ensure their implementations align with ONC’s USCDI data classes and consent frameworks. Coordination with the Office of Inspector General (OIG) is essential because OIG enforces penalties for information blocking by health IT developers and networks. State Medicaid agencies may issue additional guidance or contractual amendments to enforce compliance.

CMS collaborates with the Office for Civil Rights (OCR) to ensure HIPAA compliance, particularly for patient-directed sharing. Payers should monitor OCR guidance on app privacy, breach notification, and right of access to avoid enforcement actions.

Vendor and partner integration

Payers often rely on vendors for API platforms, developer portals, and data aggregation. Contracts must specify service levels, security requirements, and compliance obligations. Vendors should support FHIR updates, such as new versions of US Core or CARIN implementation guides. Payers need processes to validate vendor performance, conduct security assessments, and manage incidents.

Collaboration with providers, HIEs, and analytics partners is vital. Data sharing agreements should address responsibilities for ADT notifications, ensure consistent terminology, and define escalation paths for data quality issues. Partnerships with digital health developers can expand member services while reinforcing privacy expectations.

Measuring success

Organisations should establish KPIs for API adoption (number of registered apps, API calls, unique members using apps), data quality (error rates, timeliness), and care coordination outcomes (reduced readmissions linked to ADT notifications). Feedback loops with members and providers help refine services and identify usability issues.

Regular reporting to executive leadership and boards ensures visibility into interoperability progress, compliance status, and strategic benefits such as improved member engagement and care management efficiency.

Follow-up: CMS began enforcing the patient-access and provider-directory APIs in July 2021, and its 2023 CMS-0057 final rule adds payer-to-payer exchange, prior-authorisation metrics, and tighter compliance timelines through 2027.
