[Federal Register Volume 89, Number 27 (Thursday, February 8, 2024)]
[Rules and Regulations]
[Pages 8758-8988]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-00895]



[[Page 8757]]

Vol. 89

Thursday,

No. 27

February 8, 2024

Part II





Department of Health and Human Services





-----------------------------------------------------------------------





 Centers for Medicare & Medicaid Services





-----------------------------------------------------------------------





42 Parts 422, 431, 435, et al.

45 Part 156





Medicare and Medicaid Programs; Patient Protection and Affordable Care 
Act; Advancing Interoperability and Improving Prior Authorization 
Processes for Medicare Advantage Organizations, Medicaid Managed Care 
Plans, State Medicaid Agencies, Children's Health Insurance Program 
(CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified 
Health Plans on the Federally-Facilitated Exchanges, Merit-Based 
Incentive Payment System (MIPS) Eligible Clinicians, and Eligible 
Hospitals and Critical Access Hospitals in the Medicare Promoting 
Interoperability Program; Final Rule

  Federal Register / Vol. 89 , No. 27 / Thursday, February 8, 2024 / 
Rules and Regulations  

[[Page 8758]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Parts 422, 431, 435, 438, 440, and 457

Office of the Secretary

45 CFR Part 156

[CMS-0057-F]
RIN 0938-AU87


Medicare and Medicaid Programs; Patient Protection and Affordable 
Care Act; Advancing Interoperability and Improving Prior Authorization 
Processes for Medicare Advantage Organizations, Medicaid Managed Care 
Plans, State Medicaid Agencies, Children's Health Insurance Program 
(CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified 
Health Plans on the Federally-Facilitated Exchanges, Merit-Based 
Incentive Payment System (MIPS) Eligible Clinicians, and Eligible 
Hospitals and Critical Access Hospitals in the Medicare Promoting 
Interoperability Program

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule will improve the electronic exchange of health 
care data and streamline processes related to prior authorization 
through new requirements for Medicare Advantage (MA) organizations, 
state Medicaid fee-for-service (FFS) programs, state Children's Health 
Insurance Program (CHIP) FFS programs, Medicaid managed care plans, 
CHIP managed care entities, and Qualified Health Plan (QHP) issuers on 
the Federally-facilitated Exchanges (FFEs). This final rule will also 
add new measures for eligible hospitals and critical access hospitals 
(CAHs) to report under the Medicare Promoting Interoperability Program 
and for MIPS eligible clinicians to report under the Promoting 
Interoperability performance category of the Merit-based Incentive 
Payment System (MIPS). These policies, taken together, will reduce 
overall payer and provider burden and improve patient access to health 
information while continuing CMS's drive toward interoperability in the 
health care market.

DATES: These regulations are effective on April 8, 2024.

FOR FURTHER INFORMATION CONTACT: 
    Alexandra Mugge, (410) 786-4457, for general questions related to 
any of the policies in this final rule, or questions related to CMS 
interoperability initiatives.
    Lorraine Doo, (443) 615-1309, for issues related to the prior 
authorization process policies, or the Prior Authorization Application 
Programming Interface (API).
    Shanna Hartman, (410) 786-0092, for issues related to the Payer-to-
Payer API, the Electronic Prior Authorization measures for the MIPS 
Promoting Interoperability performance category and Medicare Promoting 
Interoperability Program, or any of the API standards and 
implementation guides (IGs) included in this final rule.
    David Koppel, (303) 844-2883, for issues related to the data 
exchange policies generally, Patient Access API policies, or patient 
privacy.
    Scott Weinberg, (410) 786-6017, for issues related to the Provider 
Access API policies.
    Amy Gentile, (410) 786-3499, for issues related to Medicaid managed 
care.
    Kirsten Jensen, (410) 786-8146, for issues related to Medicaid FFS.
    Joshua Bougie, (410) 786-8117, for issues related to CHIP.
    Natalie Albright, (410) 786-1671, for issues related to MA 
organizations.
    Carolyn Kraemer, (301) 492-4197, for issues related to QHPs.
    Elizabeth Holland, (410) 786-1309, for issues related to MIPS and 
the Medicare Promoting Interoperability Program.
    Russell Hendel, (410) 786-0329, for issues related to the 
Collection of Information and Regulatory Impact Analysis.

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Background and Summary of Provisions
    A. Purpose and Background
    B. Summary of Major Provisions
    C. Specific Terms Used in This Final Rule
    D. Global Comments
II. Provisions of the Proposed Rule
    A. Patient Access API
    B. Provider Access API
    C. Payer-to-Payer API
    D. Prior Authorization API and Improving Prior Authorization 
Processes
    E. Extensions, Exemptions, and Exceptions; Federal Matching 
Funds for Medicaid and CHIP
    F. Electronic Prior Authorization Measures for the Merit-Based 
Incentive Payment System (MIPS) Promoting Interoperability 
Performance Category and the Medicare Promoting Interoperability 
Program
    G. Interoperability Standards for APIs
III. Collection of Information Requirements
IV. Regulatory Impact Analysis

I. Background, Summary of Provisions, and Terms

A. Purpose and Background

    In the December 13, 2022 Federal Register (87 FR 76238), we issued 
the ``Medicare and Medicaid Programs; Patient Protection and Affordable 
Care Act; Advancing Interoperability and Improving Prior Authorization 
Processes for Medicare Advantage Organizations, Medicaid Managed Care 
Plans, State Medicaid Agencies, Children's Health Insurance Program 
(CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified 
Health Plans on the Federally-Facilitated Exchanges, Merit-Based 
Incentive Payment System (MIPS) Eligible Clinicians, and Eligible 
Hospitals and Critical Access Hospitals in the Medicare Promoting 
Interoperability Program'' proposed rule (CMS Interoperability and 
Prior Authorization proposed rule), in which we proposed new 
requirements for MA, state Medicaid FFS programs, state CHIP FFS 
programs, Medicaid managed care plans, CHIP managed care entities, and 
QHP issuers on the FFEs (collectively ``impacted payers'') to improve 
the electronic exchange of health care information and streamline prior 
authorization for medical items and services. The proposed rule also 
included proposals for new electronic prior authorization measures for 
MIPS eligible clinicians (as defined at 42 CFR 414.1305) under the 
Promoting Interoperability performance category of the MIPS, as well as 
for eligible hospitals and CAHs under the Medicare Promoting 
Interoperability Program.
    This rule also builds upon the policies established in the 
``Medicare and Medicaid Programs; Patient Protection and Affordable 
Care Act; Interoperability and Patient Access for MA Organization and 
Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and 
CHIP Managed Care Entities, Issuers of Qualified Health Plans on the 
Federally-Facilitated Exchanges, and Health Care Providers'' final rule 
(85 FR 25510, May 1, 2020) (hereinafter referred to as the ``CMS 
Interoperability and Patient Access final rule'').
    We received nearly 900 timely pieces of correspondence containing 
comments on the CMS Interoperability and Prior Authorization proposed 
rule. Some public comments were outside of the scope of the proposed 
rule and those out-of-scope comments are not addressed in this final 
rule. Summaries

[[Page 8759]]

of the public comments that are within the scope of the proposed rule 
and our responses to those public comments are addressed in the various 
sections of this final rule under the appropriate heading. However, in 
this section we address certain comments that pertain across policies 
or to the rule overall.
    In this final rule, we are finalizing our proposals with 
modifications in response to commenter feedback. Taken together, these 
final policies will help to increase health information data exchange, 
streamline prior authorization process policies, and help to address a 
significant source of provider burden and burnout to ultimately improve 
patients' access to timely care.

B. Summary of Major Provisions

    In the CMS Interoperability and Patient Access final rule, we 
required impacted payers (MA organizations, state Medicaid FFS 
programs, state CHIP FFS programs, Medicaid managed care plans, CHIP 
managed care entities, and QHP issuers on the FFEs) to implement and 
maintain a standards-based Patient Access API. The Patient Access API 
must allow patients, through the health apps of their choice, to easily 
access their claims and encounter information as well as clinical data, 
including laboratory results, provider remittances, and patient cost-
sharing pertaining to such claims, if maintained by the impacted payer 
(85 FR 25558). In this final rule, we are finalizing our proposal to 
require that impacted payers include information about certain prior 
authorizations in the data that are available through the Patient 
Access API. For those changes to the Patient Access API, we are 
finalizing compliance dates in 2027 (by January 1, 2027, for MA 
organizations and state Medicaid and CHIP FFS programs; by the rating 
period beginning on or after January 1, 2027, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2027, for QHP issuers on the FFEs). In addition, 
starting January 1, 2026, we are requiring impacted payers to annually 
report to CMS certain metrics about patient data requests made via the 
Patient Access API. We are also finalizing our proposal to directly 
reference the content standard at 45 CFR 170.213, so that the data 
content requirement is automatically updated as HHS's Office of the 
National Coordinator for Health Information Technology (ONC) adopts new 
versions. As of this final rule's publication, the content standards 
adopted at 45 CFR 170.213 are USCDI v1, which will expire on January 1, 
2026, and USCDI v3.
    To improve coordination of care across the care continuum and 
movement toward value-based care, we are finalizing our proposal to 
require impacted payers to implement and maintain a Provider Access API 
that is consistent with the technical standards finalized in the CMS 
Interoperability and Patient Access final rule (85 FR 25558), including 
the Health Level Seven (HL7[supreg]) International Fast Healthcare 
Interoperability Resources (FHIR[supreg]) Release 4.0.1 standard. 
Providers can use that API to access current patient data from payers, 
including adjudicated claims and encounter data (excluding provider 
remittances and patient cost-sharing information), all data classes and 
data elements included in a content standard at 45 CFR 170.213 (USCDI), 
and prior authorization information. For the Provider Access API 
policy, we are finalizing compliance dates in 2027 (by January 1, 2027, 
for MA organizations and state Medicaid and CHIP FFS programs; by the 
rating period beginning on or after January 1, 2027 for Medicaid 
managed care plans and CHIP managed care entities; and for plan years 
beginning on or after January 1, 2027 for QHP issuers on the FFEs).
    We are finalizing, with modifications, our proposal to require 
impacted payers to implement and maintain a Payer-to-Payer API to 
exchange patient data when a patient moves between payers to ensure 
continued access to their health data and support continuity of care 
between payers. Specifically, the payer to payer data exchange will 
include adjudicated claims and encounter data (excluding provider 
remittances and patient cost-sharing information), all data classes and 
data elements included in a content standard at 45 CFR 170.213 (USCDI), 
and certain information about the patient's prior authorizations. 
Impacted payers will be required to request data from a patient's 
previous payer, with the patient's permission, no later than 1 week 
from the start of coverage or at the patient's request. Impacted payers 
will then be required to integrate any data they receive in response to 
that request into the patient's record, which could facilitate care 
continuity as patients move between payers. We are finalizing a policy 
that payers will be required to exchange five years of patient data, as 
opposed to the entire patient health record. Five years of data are 
sufficient to support care continuity and continuation of prior 
authorizations as necessary, as well as maintaining patient access to 
their most recent data without significant burden to payers. In 
addition, if a patient has two or more concurrent impacted payers, the 
impacted payers will be required to exchange the patient's data at 
least quarterly, to ensure that all impacted payers have a more 
complete patient record. For the Payer-to-Payer API policy, we are 
finalizing compliance dates in 2027 (by January 1, 2027, for MA 
organizations and state Medicaid and CHIP FFS programs; by the rating 
period beginning on or after January 1, 2027, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2027, for QHP issuers on the FFEs).
    To improve the patient experience and access to care, we are also 
finalizing several new requirements for prior authorization processes 
that will reduce burden on patients, providers, and payers. To 
streamline the prior authorization process, we are requiring impacted 
payers to implement and maintain a Prior Authorization API. In the 
proposed rule, we used the term ``Prior Authorization Requirements, 
Documentation, and Decision API (PARDD API).'' For simplicity, we are 
finalizing the name of that API as simply the ``Prior Authorization 
API.'' This name change alone does not indicate any changes to the 
requirements or standards that we proposed.
    Providers can use the Prior Authorization API to determine whether 
a specific payer requires prior authorization for a certain item or 
service, thereby easing one of the major points of administrative 
burden in the existing prior authorization process. The Prior 
Authorization API will also allow providers to query the payer's prior 
authorization documentation requirements directly from the provider's 
system, which could facilitate the automated compilation of necessary 
information to submit a prior authorization request. For the Prior 
Authorization API policy, we are finalizing compliance dates in 2027 
(by January 1, 2027, for MA organizations and state Medicaid and CHIP 
FFS programs; by the rating period beginning on or after January 1, 
2027, for Medicaid managed care plans and CHIP managed care entities; 
and for plan years beginning on or after January 1, 2027, for QHP 
issuers on the FFEs).
    We are also finalizing our proposals to establish certain 
requirements for the prior authorization process, regardless of whether 
the payer receives the prior authorization request through the Prior 
Authorization API. We are requiring that impacted payers send notices 
to providers when they make a prior authorization decision, including a

[[Page 8760]]

specific reason for denial when they deny a prior authorization 
request. We are also finalizing our proposal to require impacted 
payers, except for QHP issuers on the FFEs, to respond to prior 
authorization requests within certain timeframes. Finally, we are 
requiring all impacted payers to publicly report certain metrics about 
their prior authorization processes, which will enhance transparency. 
For these prior authorization process policies, we are finalizing 
compliance dates in 2026 (by January 1, 2026, for MA organizations and 
state Medicaid and CHIP FFS programs; by the rating period beginning on 
or after January 1, 2026, for Medicaid managed care plans and CHIP 
managed care entities; and for plan years beginning on or after January 
1, 2026, for QHP issuers on the FFEs).
    We are finalizing, with modifications, our proposal for new 
electronic prior authorization measures for MIPS eligible clinicians 
under the MIPS Promoting Interoperability performance category and for 
eligible hospitals and CAHs under the Medicare Promoting 
Interoperability Program. To promote Prior Authorization API adoption, 
implementation, and use among MIPS eligible clinicians, eligible 
hospitals, and CAHs, we are adding new measures titled ``Electronic 
Prior Authorization'' under the Health Information Exchange (HIE) 
objective in the MIPS Promoting Interoperability performance category 
and the Medicare Promoting Interoperability Program, beginning with the 
calendar year (CY) 2027 performance period/2029 MIPS payment year and 
CY 2027 electronic health record (EHR) reporting period, respectively. 
As detailed in section II.F. of this final rule, we are finalizing a 
modification to our proposal for the Electronic Prior Authorization 
measure that will require a MIPS eligible clinician, eligible hospital, 
or CAH to report a yes/no attestation or (if applicable) an exclusion, 
rather than a numerator and denominator.
    We are additionally finalizing our proposals, with modifications, 
for more specificity as to which of the required standards at 45 CFR 
170.215 are applicable to each API. Impacted payers will only be 
required to use the specifications that CMS has identified as necessary 
for the Patient Access, Provider Access, Provider Directory, Payer-to-
Payer, and Prior Authorization APIs. Since the publication of the CMS 
Interoperability and Prior Authorization proposed rule, ONC has 
published the Health Data, Technology, and Interoperability: 
Certification Program Updates, Algorithm Transparency, and Information 
Sharing (HTI-1) final rule (January 9, 2024; 89 FR 1192) (hereinafter 
referred to as the HTI-1 final rule), which reorganized the structure 
of 45 CFR 170.215 to delineate the purpose and scope more clearly for 
each type of standard or implementation specification. The standards we 
are finalizing in this rule, including updated citations are as 
follows:
     Health Level Seven (HL7[supreg]) Fast Healthcare 
Interoperability Resources (FHIR[supreg]) Release 4.0.1 at 45 CFR 
170.215(a)(1) (HL7 FHIR).
     HL7[supreg] FHIR[supreg] US Core Implementation Guide (IG) 
Standard for Trial Use (STU) 3.1.1, which expires on January 1, 2026, 
at 45 CFR 170.215(b)(1)(i) (US Core IG).
     HL7[supreg] SMART Application Launch Framework IG Release 
1.0.0 which expires on January 1, 2026, at 45 CFR 170.215(c)(1) (SMART 
App Launch IG).
     FHIR[supreg] Bulk Data Access (Flat FHIR) IG v1.0.0: STU 1 
at 45 CFR 170.215(d)(1) (Bulk Data Access IG).
     OpenID Connect Core 1.0, incorporating errata set 1 at 45 
CFR 170.215(e)(1) (OpenID Connect Core).
    We refer readers to the HTI-1 final rule for further information 
(89 FR 1192). More detail about the required standards can be found in 
section II.G. and Table H3. We are also strongly recommending that 
payers use specific IGs to supplement the required standards at 45 CFR 
170.215. Additionally, we are finalizing our proposal to allow payers 
to voluntarily use updated versions of the standards, specifications, 
or IGs for each of these APIs prior to the adoption of updated versions 
in regulation, subject to certain conditions and provided the updated 
standard does not disrupt an end user's ability to access the data 
available through the API. We are also finalizing terminology changes 
related to the Patient Access API (in section II.A.2.d. of this final 
rule). These policies will take effect on the effective date of the 
final rule.
    We are finalizing, as proposed, some clarifications to existing 
Medicaid beneficiary notice and fair hearing regulations that apply to 
Medicaid prior authorization decisions. Because these are 
clarifications and improvements to existing regulations, as we 
proposed, Medicaid agencies will have to comply with these policies 
upon the effective date of a final rule.
    In our proposed rule, we proposed compliance dates in 2026 (by 
January 1, 2026, for MA organizations and state Medicaid and CHIP FFS 
programs; by the rating period beginning on or after January 1, 2026, 
for Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2026, for QHP issuers on 
the FFEs), for all policies that require API development and 
enhancement. Based on commenter feedback and as noted previously, we 
are delaying the compliance dates in this final rule for the provisions 
that require API development and enhancement in 2027 (by January 1, 
2027, for MA organizations and state Medicaid and CHIP FFS programs; by 
the rating period beginning on or after January 1, 2027, for Medicaid 
managed care plans and CHIP managed care entities; and for plan years 
beginning on or after January 1, 2027, for QHP issuers on the FFEs). 
Throughout this rule, we generally refer to these compliance dates as 
``in 2027'' for the various payers.
    We believe this approximately 3-year timeline to recruit and train 
staff, update, or build the APIs, and update operational procedures 
will be sufficient to implement these policies, based on comments and 
public information from some payers and providers regarding similar 
initiatives already in progress. In addition to the 3-year 
implementation timeframe, we are finalizing our proposal to give state 
Medicaid and CHIP FFS programs an opportunity to seek an extension to 
the compliance dates, or an exemption from meeting certain 
requirements, in certain circumstances. Additionally, we are finalizing 
our proposal to provide an exceptions process for QHP issuers on the 
FFEs. We believe the approximately 3-year timeframe for implementation 
in the final rule will offer sufficient time for state Medicaid and 
CHIP FFS programs and QHP issuers on the FFEs to determine whether they 
can timely satisfy the API development and enhancement requirements in 
this final rule and to prepare the necessary documentation to request 
an extension, exemption, or exception, as applicable.
    Executive Order 13985 of January 20, 2021, entitled ``Advancing 
Racial Equity and Support for Underserved Communities Through the 
Federal Government,'' set administration policy that the ``Federal 
Government should pursue a comprehensive approach to advancing equity 
for all.'' \1\ CMS is committed to pursuing a comprehensive approach to 
advancing health equity for all, and the policies in this final rule 
are aligned with that Executive order because they represent efforts to 
mitigate existing inefficiencies in policies, processes, and technology 
that affect many patient populations. Some patient populations are more 
negatively affected by existing processes than

[[Page 8761]]

others and should realize greater benefits through the improvements 
these policies will provide. One of the main components of this final 
rule is our continued support for the individual's ability to select an 
app of their choice when accessing their health information. We want to 
ensure that members of all communities can access their health 
information and benefit from this technology. However, we are 
interested in the best ways to ensure that apps are available and 
accessible for individuals with disabilities, individuals with limited 
English proficiency, individuals with low literacy or low health 
literacy, and individuals with geographic, economic, or other social 
risk factors that may create barriers to accessing or using technology 
and apps.
---------------------------------------------------------------------------

    \1\ Executive Order 13985, sec. 1, 86 FR 7009 (January 20, 
2021).
---------------------------------------------------------------------------

    Our goal is to ensure that these proposed policies do not 
exacerbate current disparities or create unintended inequities that 
leave some communities or populations unable to benefit from this 
information sharing. Further, we seek to ensure that patient privacy 
considerations are built into the implementation of these proposed 
policies by using secure technologies, such as Open Authorization/Open 
ID (OAuth) 2.0 and OpenID Connect Core for authentication,\2\ as 
previously discussed in the CMS Interoperability and Patient Access 
final rule (85 FR 25520). While we proposed policies that we believed 
would address some health care inequities, we solicited comments about 
how to ensure that individuals from all communities and populations can 
actively benefit from our health care interoperability proposals.
---------------------------------------------------------------------------

    \2\ Health Level Seven International. Smart App Launch 
Implementation Guide, OpenID and Authentication for Smart Apps. 
Retrieved from https://hl7.org/fhir/smart-app-launch/.
---------------------------------------------------------------------------

C. Specific Terms Used in This Final Rule

    Our policies emphasize improving health information exchange and 
facilitating appropriate and necessary patient, provider, and payer 
access to information in health records. We also include several 
policies intended to reduce payer, provider, and patient burden by 
improving prior authorization processes and helping patients remain at 
the center of their care. Prior authorization refers to the process 
through which a health care provider, such as an individual clinician, 
acute care hospital, ambulatory surgical center, or clinic, obtains 
approval from a payer before providing care. Payers establish prior 
authorization requirements to help control costs and ensure payment 
accuracy by verifying that an item or service is medically necessary, 
meets coverage criteria, and, for some payers, is consistent with 
standards of care before the item or service is provided. A prior 
authorization is made up of two parts--a request from a provider and a 
decision by a payer. We refer to the provider's workflow and associated 
information and documentation as the ``prior authorization request'' 
and the payer's processes and associated information and documentation 
as the ``prior authorization decision.''
    For purposes of this final rule, references to QHP issuers on the 
FFEs exclude issuers offering only stand-alone dental plans (SADPs). 
Likewise, we are also excluding QHP issuers offering only QHPs in the 
Federally-facilitated Small Business Health Options Program Exchanges 
(FF-SHOPs) from the provisions of this final rule, as we believe that 
the standards could be overly burdensome for both SADP and Small 
Business Health Options Program (SHOP) issuers. We are finalizing an 
exceptions process for QHP issuers on the FFEs from the API 
requirements; the grant of an exception is conditioned upon our annual 
approval of a narrative justification, as further detailed in section 
II.E. of this final rule. For the purposes of this final rule, FFEs 
include FFEs in states that perform plan management functions. State-
based Exchanges on the Federal Platform (SBE-FPs) are not FFEs, even 
though patients in those states enroll in coverage through 
HealthCare.gov. Hence, QHP issuers in SBE-FPs will not be subject to 
the requirements in this final rule. We encourage SBE-FPs and State-
based Exchanges operating their own platforms (SBEs) to consider 
adopting similar requirements for QHPs on their Exchanges.
    Throughout this final rule, we use terms such as ``patient,'' 
``consumer,'' ``beneficiary,'' ``enrollee,'' and ``individual.'' Every 
reader of this final rule is a patient who has received or will 
receive, medical care at some point in their life. In this final rule, 
we use the term ``patient'' as an inclusive term. We understand that, 
historically, we have referred in our regulations to ``patients'' using 
the other terms previously noted. However, for the policies herein, we 
will use additional, specific terms applicable to individuals covered 
under the health care programs that we administer and regulate. We also 
note that when we discuss patients, the term includes, where 
applicable, a patient's personal representative. For example, a patient 
or their personal representative may opt into or out of certain types 
of information exchange under the policies in this final rule. But when 
we refer to a patient's medical needs or health records, we do not 
include the medical needs or health records of the patient's personal 
representative. Per the Standards for Privacy of Individually 
Identifiable Health Information (Health Insurance Portability and 
Accountability Act (HIPAA) Privacy Rule) \3\ issued under HIPAA (Pub. 
L. 104-191, enacted on August 21, 1996), as modified, at 45 CFR 
164.502(g), and related guidance, a ``personal representative'' is a 
person authorized under state or other applicable law to act on behalf 
of an individual in making health care-related decisions (such as a 
parent, guardian, or person with a medical power of attorney).\4\ Under 
the HIPAA Privacy Rule (45 CFR part 164, subpart E), the individual's 
personal representative generally may exercise the right to access the 
individual's protected health information (PHI). For many processes 
described in this final rule, a patient's personal representative could 
act on a patient's behalf, as permitted by the HIPAA Privacy Rule and 
other applicable laws.
---------------------------------------------------------------------------

    \3\ See 45 CFR parts 160 and 164, subparts A and E.
    \4\ U.S. Department of Health and Human Services. Health 
Information and Privacy. Retrieved from https://www.hhs.gov/hipaa/for-professionals/faq/2069/under-hipaa-when-can-a-family-member/index.html and https://www.hhs.gov/hipaa/for-professionals/faq/personal-representatives-and-minors/index.html.
---------------------------------------------------------------------------

    We also use terms such as ``payer,'' ``plan,'' and ``issuer'' in 
this final rule. Certain portions of this final rule are applicable to 
MA organizations, state Medicaid FFS programs, state CHIP FFS programs, 
Medicaid managed care plans (managed care organizations (MCOs), prepaid 
inpatient health plans (PIHPs), and prepaid ambulatory health plans 
(PAHPs)), CHIP managed care entities (MCOs, PIHPs, and PAHPs), and QHP 
issuers on the FFEs. Where certain provisions may not apply to specific 
plan or provider types, we have identified them separately from the 
aforementioned categories. We use the term ``payer'' in the preamble of 
this final rule as an inclusive term for all these entities and 
programs and, in the case of plans, plan types, but we also use 
specific terms as applicable in various sections of this final rule.
    We use the term ``policies that require API enhancement or 
development'' to describe the requirements that involve technical 
development work to either establish a new API, such as the Provider 
Access or Payer-to-Payer APIs, or to enhance the functionality of an 
existing API, such as the addition of

[[Page 8762]]

prior authorization data to the Patient Access API. We are finalizing 
these policies with compliance dates in 2027. As discussed throughout 
this rule, we are finalizing a modification to our proposal for certain 
requirements by establishing compliance dates in 2027, rather than in 
2026, as we proposed. Specifically, those policies include adding prior 
authorization information to the Patient Access API, implementing the 
Provider Access API (including a process for patients to opt out and 
disseminating educational resources to patients and providers), 
implementing the Payer-to-Payer API (including processes for gathering 
previous/concurrent payer information and for patients to opt in, and 
disseminating educational resources to patients), and implementing the 
Prior Authorization API. We are not including in the group of 
``policies that require API enhancement or development'' terminology 
changes for the Patient Access API, reporting Patient Access API 
metrics, changes to prior authorization processes, reporting prior 
authorization metrics, Medicaid notice and fair hearings changes, the 
MIPS and Medicare Promoting Interoperability measures, and updated 
standards. An explanation of why we are establishing these deadlines 
for each policy is found in section I.D.2. of this final rule and 
throughout this rule.
    We use the term ``items and services'' when discussing prior 
authorization in this final rule. Unless otherwise stated, the policies 
for prior authorization APIs and processes do not apply to drugs of any 
type, meaning any drugs that could be covered by the impacted payers in 
this final rule (for example, prescription drugs that may be self-
administered, administered by a provider, or that may be dispensed or 
administered in a pharmacy or hospital), because the processes and 
standards for prior authorization of drugs differ from the other 
``items and services'' included in our final policies. In the CMS 
Interoperability and Patient Access final rule, we finalized policies 
that require payers to send claims data related to prescription and 
other drug claims via a Patient Access API, and we are finalizing 
certain provisions related to claims data in this final rule. For 
example, Medicare Advantage Prescription Drug (MA-PD) plans that cover 
Part A, Part B, and Part D benefits, as well as supplemental benefits, 
are required to provide access to information about all those covered 
benefits through the Patient Access API at 42 CFR 422.119(b). 
Prescription and other drug information is part of a patient's record 
and giving patients, providers, and payers access to claims data for 
prescription and other drugs can offer valuable insights into a 
patient's health care, provide benefits for care coordination, and help 
avoid potentially harmful drug interactions. We acknowledge that there 
are existing laws and regulations that may apply to prior authorization 
of drugs for the impacted payers in this final rule. Thus, while the 
claims data included in this final rule and existing policies do 
include prescription and other drug claims, our policies in this final 
rule related to prior authorization do not include standards or 
policies for any drugs (as previously described), including covered 
outpatient drugs under Medicaid, and Medicare Part B or Part D drugs 
covered by an MA (including an MA-PD) plan.
    Additionally, we use the terms ``provider'' and ``supplier'' as 
inclusive terms composed of individuals, organizations, and 
institutions that provide or furnish health services, such as 
clinicians (that is, physicians and other practitioners), hospitals, 
skilled nursing facilities (SNF), home health agencies, hospice 
settings, laboratories, suppliers of durable medical equipment, 
prosthetics, orthotics, and supplies (DMEPOS), community-based 
organizations, as appropriate in the context used. When specifically 
discussing policies related to the Medicare Promoting Interoperability 
Program and the Promoting Interoperability performance category of 
MIPS, we refer to MIPS eligible clinicians, eligible hospitals, and 
CAHs.
    Throughout this final rule, we finalize API provisions in which we 
refer to the API functionality as a single API, though we acknowledge 
that payers may implement this functionality by using one or multiple 
APIs. For example, while we refer to the Patient Access API (discussed 
in section II.A. of this final rule) as a single API to describe the 
functionality, payers may achieve the same functionality with one or 
multiple APIs, depending on the implementation approach.
    An API is a set of commands, functions, protocols, or tools 
published by one software developer (``A'') that enables other software 
developers to create programs (applications or ``apps'') that can 
interact with A's software without needing to know the internal 
workings of A's software while maintaining data security and patient 
privacy (if properly implemented). This is how API technology enables 
the seamless user experiences, which are familiar in other aspects of 
patients' daily lives, such as travel and personal finance smartphone 
apps, which can function without being integrated into the smartphone's 
operating system. Standardized, secure, transparent, and pro-
competitive API technology can provide similar benefits for patients of 
health care services.\5\
---------------------------------------------------------------------------

    \5\ Office of the National Coordinator for Health Information 
Technology (n.d.). Application Programming Interfaces. Retrieved 
from https://www.healthit.gov/api-education-module/story_html5.html.
---------------------------------------------------------------------------

    Health Level 7 (HL7[supreg]) is the standards development 
organization (SDO) that develops the Fast Healthcare for 
Interoperability Resources (FHIR[supreg]) standard and IGs referenced 
throughout this final rule. HL7 requires the registered trademark with 
the first use of its name in a document, for which policies are 
available on its website at www.HL7.org.\6\
---------------------------------------------------------------------------

    \6\ Health Level Seven International (2023). Guide to Using HL7 
Trademarks. Retrieved from http://www.hl7.org/legal/trademarks.cfm?ref=nav.
---------------------------------------------------------------------------

    Finally, throughout this final rule we discuss the APIs in relation 
to the programmatic requirements to share data between payers, 
providers, and patients under specific rules. However, payers could use 
these APIs to exchange data for myriad purposes, beyond those in this 
final rule. For instance, a patient could request data outside the 
scope of this final rule, or program integrity entities could request 
data from payers (such as under the Inspector General Act of 1978). 
Nothing in this final rule prevents payers from sharing the requested 
data via these APIs, if technologically feasible, for appropriate 
purposes permitted by law. We encourage using these standards-based 
APIs for purposes beyond our requirements to improve the 
interoperability of health data, regardless of the use case.

D. Global Comments

    CMS received nearly 900 timely pieces of correspondence in response 
to the CMS Interoperability and Prior Authorization proposed rule. We 
summarize comments that are globally applicable to the final rule here. 
In this section, we address comments related to Medicare FFS 
implementation, the National Directory of Healthcare (NDH), final 
policy compliance dates, exclusion of drugs from the prior 
authorization policies in this final rule, the payers impacted by this 
final rule, the withdrawal of the ``Medicaid Program; Patient 
Protection and Affordable Care Act; Reducing Provider and Patient 
Burden by Improving Prior Authorization Processes, and Promoting 
Patients' Electronic Access to Health Information for Medicaid Managed 
Care

[[Page 8763]]

Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care 
Entities, and Issuers of Qualified Health Plans on the Federally-
Facilitated Exchanges; Health Information Technology Standards and 
Implementation Specifications'' proposed rule (December 2020 CMS 
Interoperability proposed rule) (87 FR 76239), and compliance and 
enforcement.
1. Medicare Fee-for-Service Implementation of Final Policies
    Although these requirements do not directly pertain to Medicare 
FFS, we want to ensure that people with Medicare can benefit from the 
policies in this final rule, regardless of their coverage or delivery 
system. We intend for the Medicare FFS program to be a market leader on 
data exchange, including through the Provider Access, Payer-to-Payer, 
and Prior Authorization APIs, and therefore we solicited comments on 
how these proposals could apply to Medicare FFS. We also encouraged 
other payers not directly impacted by this final rule to consider the 
policies in this final rule for voluntary adoption to reduce burden and 
support greater interoperability.
    A significant number of commenters expressed support for our 
intention to ensure that Medicare FFS will comply with the requirements 
of this final rule by the compliance dates we are establishing. We did 
not make any policy proposals regarding this effort, but we are 
considering comments as we plan our roadmap for implementation.
2. Compliance Dates and Enforcement
    For our proposals that require API enhancement or development, we 
proposed compliance dates in 2026 (by January 1, 2026, for MA 
organizations and state Medicaid and CHIP FFS programs; by the rating 
period beginning on or after January 1, 2026, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2026, for QHP issuers on the FFEs) (87 FR 76289) 
and indicated that we thought that a 3-year timeline to recruit and 
train staff, update or build the APIs, and update operational 
procedures would be sufficient. In the proposed rule we used the term 
``implementation dates'' rather than ``compliance dates'' as we are 
using in this final rule. Because payers may implement APIs before the 
compliance dates, we want to be clear when we are discussing the 
regulatory deadlines in this final rule. This terminology does not 
indicate any changes to the substance of any proposals or finalized 
requirements.
    Comment: Many commenters expressed support for the proposed 
compliance dates in 2026. A commenter stated that the proposed 
compliance dates give impacted payers, health information technology 
(IT) developers, and providers sufficient time to prepare for 
widespread adoption and utilization. A commenter stated that the 
feasibility of implementation in 2026 will depend on the complexities 
of the implementation and the date the final rule is published. Another 
commenter suggested that CMS provide an implementation timeline with 
steps to ensure all parties are ready for implementation in 2026. 
Another commenter wrote that CMS should conduct pilots before the 
proposed 2026 compliance dates.
    Multiple commenters recommended that CMS establish a shorter 
timeframe for the revisions to the Patient Access API and the 
implementation of the new APIs. Commenters stated that the benefits of 
our prior authorization proposals are especially necessary and 
encouraged us to finalize compliance dates as early as possible. A 
commenter recommended that CMS require MA organizations to implement 
the requirements within 90 days of publication of this final rule. 
Another commenter stated that they believe that MA organizations have 
the revenue and resources to implement the provisions in CY 2024.
    Payers have indicated that they are already collecting information 
about how patients are using their Patient Access API, and many 
submitted comments based on the patient uptake they are witnessing. We 
did not receive comments that indicated that collecting and reporting 
these metrics would be a burden on payers.
    Multiple commenters expressed concern regarding the proposed 2026 
compliance dates, for most of the requirements in the rule. Other 
commenters emphasized that payers would have to begin work on 
implementation immediately following publication of this final rule to 
meet all requirements by the 2026 compliance dates. Multiple commenters 
recommended that CMS delay the compliance dates to 2027 or 2028, citing 
the feasibility of technology implementation and operational changes.
    Commenters indicated that state Medicaid and CHIP FFS programs may 
need more time to implement because they need to secure funding and 
engage in the state's procurement process. A commenter recommended 
compliance dates no earlier than January 1, 2027, with state Medicaid 
and CHIP agencies having the ability to request up to two 1-year 
extensions following that date. The commenter noted that due to unique 
funding cycles and procurement requirements, states could require more 
time than other payers to implement the proposed requirements.
    Multiple commenters weighed in on the amount of time that payers 
will need to implement the provisions in the proposed rule. Multiple 
commenters noted that the proposed requirements for payers to implement 
four APIs within less than 3 years from publication of the final rule 
would create a significant burden on payers. A commenter stated that 
developers will need 12-18 months from the publication of a final rule 
to design, develop, test, and release updated software. The commenter 
stated that payers will also need time to implement the updated 
functionality and train staff to assist patients and other API end 
users. Another commenter stated that developers would need 18 months 
per API. A commenter recommended that CMS finalize any policies with at 
least 24 months of lead time. Another commenter suggested that CMS 
provide at least 24 to 36 months after the publication of the final 
rule for payers to comply. Other commenters suggested 3 years between 
publishing a final rule and the compliance dates. Several commenters 
recommended that CMS consider a staggered implementation approach for 
the API requirements.
    Commenters indicated that, of our proposals, the technical 
development and enhancement of the required APIs would necessitate a 
longer implementation period than the prior authorization process 
improvements.
    Response: Having taken into consideration comments about the 
implementation timeline generally and about each of the policies 
specifically, we are finalizing our policies that require API 
development or enhancement with compliance dates in 2027. Specifically, 
MA organizations and state Medicaid and CHIP FFS programs must comply 
with those policies by January 1, 2027; Medicaid managed care plans and 
CHIP managed care entities must comply beginning with the first rating 
period that begins on or after January 1, 2027; and QHPs in FFEs must 
comply by the first plan year beginning on or after January 1, 2027. 
For simplicity, throughout this rule we generally refer to these 
compliance dates as ``in 2027'' for the various payers. However, we are 
finalizing some of our other policies with the proposed 2026 compliance 
dates, as noted in the Summary of Major Provisions.

[[Page 8764]]

    Specifically, we are finalizing 2026 compliance dates for the 
requirements that impacted payers report Patient Access API metrics to 
CMS, make standard and expedited prior authorization decisions within 
specific timeframes, send notices to providers, including a specific 
denial reason for denied prior authorizations, and publicly report 
prior authorization metrics on their websites. While these policies 
require a certain level of development and implementation effort, they 
are not as technically challenging as implementing the APIs. Thus, we 
believe a nearly 2-year implementation timeframe is sufficient and will 
allow payers to prioritize them for an earlier deadline.
    Because impacted payers should already have Patient Access APIs 
implemented based on requirements finalized in the CMS Interoperability 
and Patient Access final rule, reporting on usage of that API should 
not be a significant burden to payers. We proposed to gather those data 
to understand how the Patient Access API is being adopted across the 
industry. We do not believe there is any benefit to delaying this 
reporting requirement, as we need these data to help inform future 
policies.
    Importantly, the prior authorization policies we are finalizing 
with 2026 compliance dates should reduce the burden of prior 
authorization processes, even before the 2027 compliance dates for the 
API development and enhancement policies. Requiring impacted payers to 
send provider notices, including a specific denial reason, respond 
within specific timeframes, and report prior authorization metrics will 
apply regardless of how the payer received the prior authorization 
request, and are not dependent on the API. Therefore, we do not believe 
there is a reason to tie those requirements to the API compliance 
dates. Delaying the changes to prior authorization timeframes and 
procedures would only delay the benefits of those new policies.
    However, we are sensitive to the implementation burdens on payers, 
particularly for the final policies that require API development or 
enhancement. We understand that payers need time to design, develop, 
test, and implement major system changes to implement the new Provider 
Access, Payer-to-Payer, and Prior Authorization APIs. We considered 
finalizing staggered API compliance dates between 2026 and 2027, as 
some commenters suggested, but concluded that we are not in the best 
position to prioritize and understand what work can feasibly be 
completed by 2026 and what scope is better in a second phase for 2027. 
Instead, we are delaying the compliance dates for the three new APIs 
and modifications to the Patient Access API by 1 year from the proposed 
compliance dates to allow payers time to sufficiently plan, develop, 
test, and implement this technology. After considering the comments we 
received, we agree with the volume of commenters that indicated that 
more than 2 years is necessary from the publication of the final rule 
for payers to meet the new API requirements. In consideration of the 
schedule for this final rule's publication, we are finalizing 
compliance dates in 2027, for the new Provider Access, Payer-to-Payer, 
and Prior Authorization API requirements in this final rule. Throughout 
the final rule, we specify the exact regulatory citations that are 
being modified from our proposed rule to reflect the finalized 
compliance dates for each payer.
    We are addressing concerns specific to state Medicaid and CHIP 
programs with the availability of an extension for Medicaid and CHIP 
agencies, under which states could seek to delay implementation until 
2028, as discussed in section II.E. of this final rule. In that 
section, we also discuss the possibility of states receiving enhanced 
Federal Financial Participation (FFP) for expenditures related to 
implementing these requirements.
    Comment: Many commenters expressed concern regarding the lack of 
discussion in the proposed rule for mechanisms to ensure compliance 
with the provisions of the rule once finalized. Multiple commenters 
recommended that CMS clearly outline how it will conduct oversight and 
enforcement of the requirements in the rule and commenters recommended 
that CMS outline a process for formal oversight, audit, and 
enforcement, including financial penalties and other consequences to 
promote accountability. A commenter questioned the enforcement and 
oversight activities for the CMS Interoperability and Patient Access 
final rule (CMS-9115-F). Another commenter highlighted the lack of 
penalties for non-compliance with the Provider Directory API. Other 
commenters recommended that CMS develop a structured process for the 
public to report non-compliance. Multiple commenters recommended that 
CMS closely monitor payer compliance and impose civil monetary 
penalties on payers that are non-compliant.
    Response: As explained in the proposed rule and the CMS 
Interoperability and Patient Access final rule, each CMS program 
oversees compliance under existing program authorities and 
responsibilities for the different types of payers impacted by these 
API requirements (for example, MA organizations, Medicaid programs, 
etc.). Oversight and compliance procedures and processes vary among 
these CMS programs and CMS may choose from an array of possible 
enforcement actions, based on a payer's status in the program, previous 
compliance actions, and corrective action plans. Therefore, we do not 
address specific potential compliance and enforcement actions across 
impacted payers in this final rule, although we do discuss categories 
of enforcement actions that CMS could consider for various payers in 
the discussion later in this section. Patients and providers may submit 
an inquiry or complaint to the appropriate authority, depending on 
their coverage.
    For MA organizations, because these are program requirements, 
depending on the extent of the violation, CMS may take compliance 
actions from warning letters or requiring a corrective action plan, to 
enforcement actions including sanctions, civil money penalties and 
other measures specified at 42 CFR part 422, subpart O. If an MA 
enrollee believes a plan is not fulfilling its responsibilities with 
respect to the API requirements, they have a right to file a grievance 
with a plan under the procedures at 42 CFR 422.564. Individuals may 
also submit complaints about their MA plans to 1-800-MEDICARE and the 
online complaint system at https://www.medicare.gov/my/medicare-complaint. The State Health Insurance Assistance Programs (SHIP) are 
available to help Medicare beneficiaries, including with filing 
complaints.
    When states use enhanced funding for expenditures related to system 
modifications or enhancements, CMS's enforcement is based upon 45 CFR 
95.612 (Disallowance of FFP) and the methodology described in the 
Centers for Medicaid and CHIP Services (CMCS) Informational Bulletin 
(CIB), ``Medicaid Enterprise Systems Compliance and Reapproval Process 
for State Systems with Operational Costs Claimed at the 75 Percent 
Federal Match Rate,'' published May 24, 2023. If a state is not 
compliant with the requirements included in this final rule, the 
appropriate program policy team will address compliance enforcement.
    States are obligated by 42 CFR 438.66(b) and (c) to have a 
monitoring system for all of their managed care programs, including the 
performance of

[[Page 8765]]

each managed care plan, to ensure that all managed care plans are 
fulfilling their contractual obligations. States report the results of 
their monitoring activities in an annual Managed Care Program Annual 
Report, in accordance with 42 CFR 438.66(e). Further, per 42 CFR 
438.3(a), CMS must review and approve all managed care plan contracts. 
Should information in a state's Managed Care Program Annual Report or 
contract indicate a need for improvement or correction, CMS would work 
with the state to ensure that the issue is remedied. Patients or 
providers with concerns regarding Medicaid or CHIP FFS should contact 
their state Medicaid or CHIP agency. Patients and providers can contact 
Medicaid.gov@cms.hhs.gov">Medicaid.gov@cms.hhs.gov if the state agency is not responsive.
    For any concerns related to compliance by Medicaid managed care 
plans and CHIP managed care entities, enrollees and providers should 
first contact their managed care plan or managed care entity. Enrollees 
or providers can contact the state Medicaid or CHIP agency to report 
issues that they cannot resolve by working with the managed care plan 
or entity directly.
    Consistent with the authority under 45 CFR 156.715, the Center for 
Consumer Information and Insurance Oversight (CCIIO) performs 
compliance reviews of issuers in the FFEs. In addition, 45 CFR 156.800 
through 156.815 provides for additional enforcement remedies including 
Civil Money Penalties (CMPs) and Notices of Non-Compliance (NONCs) as 
well as paths to QHP issuer Suppression and Decertification. If 
enrollees in a QHP on the FFEs or their providers have concerns about 
an issuer's interoperability implementation, they should first contact 
their health plan with questions. For issues that they cannot resolve 
by working directly with the plan, enrollees and providers can contact 
the Marketplace Call Center at 1-800-318-2596 (TTY: 1-855-889-4325).
    CMS manages compliance with the HIPAA administrative transaction 
standards under the authority of the administrative simplification 
rules. Complaints about non-compliance can be submitted to CMS at 
https://asett.cms.gov/ASETT_HomePage.
3. Exclusion of Drugs
    In the CMS Interoperability and Prior Authorization proposed rule, 
we stated that we were excluding drugs from the Prior Authorization API 
and proposed process requirements for prior authorizations because the 
standards and processes for issuing prior authorizations for drugs 
differ from those that apply to medical items and services.
    Under state Medicaid programs and the MA program, there are similar 
timing requirements for prior authorizations for coverage of drugs. MA 
plans are required to respond to expedited requests for Part B drugs 
within 24 hours (42 CFR 422.572) and to non-expedited requests as 
expeditiously as the enrollee's health condition requires, but no later 
than 72 hours after receipt of the request (42 CFR 422.568). Further, 
MA-PD plans that cover Part A, B, and D benefits must comply with 
similar timelines in responding to prior authorization requests for 
Part D prescription drugs (42 CFR 423.568, 423.572). Similarly, under 
Medicaid (both FFS and managed care), if a state requires prior 
authorizations for covered outpatient drugs, a response must be 
provided within 24 hours of the request for prior authorization (see 
section 1927(d)(5) of the Social Security Act (the Act) and 42 CFR 
438.3(s)(6)). We acknowledge that other drugs do not meet the 
definition of ``covered outpatient drugs,'' including cancer drugs, 
special treatments, and other important medications, and thus are not 
subject to these prior authorization timeline requirements.
    Comment: A plethora of commenters provided input and requested that 
CMS reconsider the proposal to exclude drugs and instead include drugs 
in the prior authorization policies for all or some impacted payers.
    Some commenters expressed support for CMS's exclusion of drugs from 
the proposed requirements and CMS's decision to defer Prior 
Authorization API requirements for drugs to future rulemaking. Multiple 
commenters recommended that CMS make clear the exclusion of drugs from 
all the requirements in a final rule.
    Response: We believe it is clear throughout this final rule that 
none of the prior authorization policies apply to any drugs covered by 
any impacted payer. However, based on the overwhelming number of 
comments in support of our reconsideration of the policy, and 
additional conversations with SDOs and stakeholders, we will consider 
options for future rulemaking to address improvements to the prior 
authorization processes for drugs.
    Comment: Multiple commenters expressed disappointment that CMS 
excluded outpatient prescription drugs from the prior authorization 
process and Prior Authorization API policies in the proposed rule, 
explaining that drug prior authorizations constitute the majority of 
all prior authorizations. Multiple commenters recommended that CMS 
reconsider the exclusion of drugs from the proposed rule and suggested 
that CMS expand a final rule to include outpatient prescription drugs 
covered under a medical benefit.
    A few commenters specifically requested that CMS include drugs 
covered under a medical benefit in the prior authorization process and 
Prior Authorization API policies in the final rule and explained that 
the exclusion was troubling because health plans may cover physician-
administered drugs and specialty drugs through a patient's medical 
benefits, including specialty drugs. A commenter urged CMS to include 
administered drugs, which are inextricably related to other provider 
services. Some commenters stated that by failing to include 
administered drugs throughout the proposed rule, CMS is failing to 
address the biggest culprit of delay to timely care and administrative 
burden for cancer patients. Commenters described barriers to access for 
prescriptions for specialty drugs, cancer drugs, and certain drugs for 
chronic conditions that require ongoing re-authorizations. The 
commenters believed that including prescription drugs in our prior 
authorization policies would improve the effectiveness of this final 
rule and would support CMS's goals of reducing barriers and burdens in 
health care.
    Response: While we acknowledge the request for reconsideration, 
when making the decision to exclude prescription drugs from the 
proposed rule, we believed there would be operational complexities in 
applying the requirements of this rule to prior authorization for 
prescription drugs under current conditions and did not anticipate the 
overwhelming response to that exclusion under current conditions. Based 
on the scope and breadth of the comments, it is essential for us to 
conduct a thorough evaluation of both existing policies and standards, 
and the impact any mandatory changes will have on impacted payers, 
providers, and patients, as well as on other policies before making a 
proposal for public consideration. We are committed to ensuring 
transparency of the process, and the development of the right policy to 
support all entities who might benefit. We anticipate engaging with the 
public on this topic in the near future and encourage the public to 
provide additional feedback.
    Comment: Many commenters questioned whether impacted payers are 
permitted to include the functionality necessary to conduct prior 
authorization for drugs via the Prior Authorization

[[Page 8766]]

API. A commenter also requested that CMS require all payers to include 
drug-related prior authorization requirements in the Prior 
Authorization API to ensure prescribers have ready access to uniform 
policies, and patients have timely access to their medications. Another 
commenter recommended that CMS explain that even if prescription drugs 
are excluded from the requirements, the rule does not prohibit the 
sharing of drug prior authorization data via the Patient Access, 
Provider Access, and Payer-to-Payer APIs.
    Response: While we did not propose a requirement for prior 
authorization policies for drugs to be included in the Prior 
Authorization API, payers may add such coverage rules and requirements 
to their APIs; nothing in this final rule prohibits broader use of the 
required Prior Authorization API by impacted payers and we encourage 
them to do so to the extent permitted by law. The scope of the IGs for 
the Prior Authorization API includes prior authorization for 
medications covered under a medical benefit. We describe the IGs and 
the Prior Authorization API in further detail in section II.D.2. of 
this final rule. However, we note that a FHIR API cannot be used with a 
National Council for Prescription Drug Programs (NCPDP) SCRIPT standard 
because the data elements have not yet been mapped. Also, the 
HL7[supreg] FHIR[supreg] Da Vinci Prior Authorization Support (PAS) IG 
states it ``SHOULD NOT be used for any medication that is covered under 
a prescription drug program benefit where Prior Authorization is 
provided by another electronic exchange process (for example, NCPCP 
SCRIPT).'' \7\
---------------------------------------------------------------------------

    \7\ Health Level Seven International (n.d.) Use Cases and 
Overview. Retrieved from https://build.fhir.org/ig/HL7/davinci-pas/usecases.html#scope-of-work-flow.
---------------------------------------------------------------------------

    We confirm that nothing would prohibit an impacted payer from 
sharing the same information about prior authorizations for drugs that 
they are required to share for items and services via the Patient 
Access, Provider Access, and Payer-to-Payer APIs, if they choose.
    Comment: A commenter sought clarification on whether the prior 
authorization requirements would apply to supplies dispensed at a 
pharmacy, such as diabetic test strips. This commenter stated that an 
API would likely not provide any additional benefit or improve the 
timeliness of a decision and might increase handling timeframes while 
the API is in the early stages of use. This commenter recommended that 
pharmacy dispensable supplies maintain their current timeframes for 
coverage decisions. Another commenter recommended that CMS require 
impacted payers to include durable medical equipment (DME) administered 
under the DME benefit in the Prior Authorization API. Another commenter 
sought clarification on whether therapeutic devices are excluded from 
the Prior Authorization API requirements.
    Response: Supplies, including those dispensed at a pharmacy and 
DME, that are considered medical benefits and are not prescription 
drugs, are subject to the prior authorization requirements of this 
final rule. Payers will be required to include these supplies in their 
APIs, to the extent they are covered as a medical benefit and require 
prior authorization. DME, for example, includes continuous glucose 
monitors, test strips, lancets, orthotics, wheelchairs, and other 
devices. All prior authorizations covered as a medical benefit, 
including those for DME, supplies dispensed at a pharmacy, or 
therapeutic devices, must still meet the timeframe requirements 
established in this final rule, regardless of whether the request is 
made through an API or other means, as described in section II.D.4. 
However, for MA-PDs, this final rule excludes the entire scope of 
``Part D drugs,'' as defined at 42 CFR 423.100, from the scope of the 
prior authorization requirements; therefore, certain supplies that are 
included in the definition of Part D drugs at 42 CFR 423.100 are not 
subject to the prior authorization requirements adopted here.
4. Impacted Payers
    As stated previously, certain portions of this final rule apply to 
MA organizations, state Medicaid FFS programs, state CHIP FFS programs, 
Medicaid managed care plans, CHIP managed care entities, and QHP 
issuers on the FFEs. We received numerous comments regarding 
applicability to the payers impacted by the rule and summarize these 
comments and responses.
    Comment: Many commenters supported CMS's proposed categories of 
impacted payers for this rule. Specifically, commenters supported the 
inclusion of Medicaid and CHIP FFS, which were excluded from the payer 
to payer data exchange requirements in the CMS Interoperability and 
Patient Access final rule, and MA plans, which were excluded in the 
December 2020 CMS Interoperability proposed rule. Commenters noted that 
the benefits of interoperable data exchange will only accrue if there 
is widespread adoption by payers across the health care system.
    Response: We appreciate the support for the proposed types of 
impacted payers and agree that the more payers that implement the 
requirements of this final rule, the greater the beneficial impact will 
be on patients.
    Comment: A commenter requested clarification as to whether dental 
plans that provide coverage to MA enrollees or Medicaid beneficiaries 
are impacted payers and encouraged CMS to exclude those plans, akin to 
the exclusion of QHP issuers on the FFEs offering only SADPs. Another 
commenter specifically encouraged CMS not to exclude SADPs and to 
include dental plans for MA and Medicaid or CHIP managed care.
    Response: We did not propose new interoperability or prior 
authorization standards on SADPs on the FFEs because they have 
relatively lower enrollment and premium intake compared to individual 
market medical QHPs. Requiring those plans to comply with the 
requirements in this final rule could result in those issuers no longer 
participating in the FFEs, which would not be in the best interest of 
enrollees. These plans are therefore outside the scope of this final 
rule. We appreciate input from commenters who view prior authorization 
and interoperability as important for SADP enrollees and will continue 
to monitor this issue and work with stakeholders to understand how to 
best meet patient needs while considering the potential burden on 
payers.
    For Medicare beneficiaries enrolled in MA plans, when dental 
coverage is a supplemental benefit covered by the MA plans, it is 
offered by the MA organization, directly or through contract 
arrangements the MA organization uses to provide the MA supplemental 
benefit. Regardless of the mechanism, the dental coverage is part of 
the MA plan itself and offered under the MA organization's contract and 
bid with CMS, not a separate plan. MA organizations can project 
expenditures to comply with the policies in this final rule to 
incorporate into their overall operational costs when setting premiums.
    An organization that has a risk-based contract directly with a 
state to provide dental benefits only to Medicaid and CHIP 
beneficiaries is usually a PAHP. We proposed, at 42 CFR 438.210 and 
438.242 for Medicaid (applicable to separate CHIP through existing 
cross-references at 42 CFR 457.1230(d) and 457.1233(d)), that all PAHPs 
other than Non-Emergency Medical Transportation (NEMT) PAHPs, including 
those that cover dental benefits, would be subject to the requirements 
of this rule. Per 42 CFR 438.4, capitation rates, which are

[[Page 8767]]

required for all risk-based MCOs, PIHPs, and PAHPs, must be projected 
to provide for all reasonable, appropriate, and attainable costs that 
are required under the terms of the contract and for the operation of 
the managed care plan for the time period, as well as the population 
covered under the terms of the contract, in addition to meeting 
specific additional requirements at 42 CFR 438.4 through 438.7. 
Similarly, for separate CHIP, per 42 CFR 457.1201(c) and 457.1203(a), 
capitation rates are based on public or private payment rates for 
comparable services for comparable populations and must represent a 
payment amount that is adequate to allow the MCO, PIHP, or PAHP to 
efficiently deliver covered services to beneficiaries in a manner 
compliant with contractual requirements. Therefore, the concerns of 
upward pressure on premiums that impact participation that are 
applicable to SADPs offered on the FFEs are not present for Medicaid 
and CHIP risk-based managed care plans.
    Comment: A commenter suggested that CMS define the term ``payer'' 
to encompass health insurance issuers and group health plans subject to 
the Public Health Service Act. Multiple commenters expressed their 
concern that private payers, commercial plans, and employer-sponsored 
plans would not be subject to the rule requirements. A commenter 
expressed concern regarding the 150 million Americans who are in 
employer-sponsored coverage, who may not have access to the benefits of 
the proposed rule.
    Another commenter suggested that CMS could use its authority over 
the public sector Consolidated Omnibus Budget Reconciliation Act 
(COBRA) group health plans to extend interoperability requirements to 
those payers.
    Response: We appreciate commenters supporting implementation of the 
policies by private payers, commercial plans, and employer-sponsored 
plans. However, we proposed to impose these requirements under our 
authority to regulate issuers in the Exchanges that CMS operates, which 
does not apply to health insurance issuers and group health plans 
outside the FFEs. There is nothing prohibiting those payers from 
implementing the provisions in this final rule voluntarily, as long as 
there are no conflicts with other Federal or state laws, and we do 
encourage those plans to voluntarily meet the requirements of this 
final rule to allow patients they cover to have the same interoperable 
access to their data as impacted payers are required to provide.
    Title XXII of the Public Health Service (PHS) Act applies COBRA 
requirements to group health plans that are sponsored by state or local 
government employers. They are sometimes referred to as ``public 
sector'' COBRA to distinguish them from the Employee Retirement Income 
Security Act of 1974 (ERISA) and Internal Revenue Code requirements 
that apply to private employers. We did not make any proposals 
regarding public sector COBRA plans, so they are not included as 
impacted payers in this final rule, but we will consider whether we can 
and should propose similar interoperability requirements on such plans 
in future rulemaking.
    Comment: A commenter sought clarification regarding why CMS 
exempted SHOP issuers from the proposed rule.
    Response: As discussed in the proposed rule, we proposed to exclude 
QHP issuers offering only QHPs in the FF-SHOPs. We believe that the 
proposed standards would be overly burdensome for both SADP and SHOP 
issuers. Requiring issuers offering only SADPs and issuers offering 
only QHPs in the FF-SHOPs, which have relatively lower enrollment and 
premium intake compared to individual market medical QHPs, to comply 
with our proposals, could result in those issuers no longer 
participating in the FFEs, which would not be in the best interest of 
the enrollees.
    Comment: Multiple commenters recommended that CMS work with ONC and 
other Federal agencies, such as the Veterans Administration (VA), the 
U.S. Department of Defense (DoD), and other government payers, to bring 
additional data into the interoperability universe.
    Response: We continue to work with ONC and agencies across the 
Federal Government to move toward a fully interoperable health care 
system. We are committed to sharing any insights and best practices 
from our experience working with impacted payers with other agencies 
that provide health care coverage to inform their own interoperability 
goals. These are independent agencies over which HHS has no authority.
5. Withdrawal of Proposed Rule
    In the CMS Interoperability and Prior Authorization proposed rule, 
we explained that we were withdrawing the December 2020 CMS 
Interoperability proposed rule (87 FR 76239). We received multiple 
comments in support of this decision.
    Comment: Commenters supported our withdrawal of the December 2020 
CMS Interoperability proposed rule. Several commenters expressed that 
the burden of prior authorization has grown since that proposed rule 
was published and voiced their support for finalizing our proposals.
    Response: We appreciate the support and believe that the proposals 
that we are now finalizing reflect the feedback we received from the 
health care industry.
6. National Directory of Healthcare
    On October 22, 2022, we released a Request for Information (RFI) 
(87 FR 61018) to solicit public comments on establishing an NDH that 
could serve as a ``centralized data hub'' for health care provider, 
facility, and entity directory information nationwide. We also received 
many comments to this proposed rule that discussed the possibility of 
an NDH, particularly to discover payers' digital endpoints (in this 
case, a FHIR server's URL or IP address) to facilitate our Payer-to-
Payer API policy.
    Comment: Many commenters stated that the lack of a national 
directory makes it difficult to identify digital endpoints to 
facilitate payer to payer data exchange. Multiple commenters also 
expressed how important an NDH would be to the success of a Provider 
Access API, because as information on provider digital endpoints 
remains limited, widespread access to such a directory could advance 
efforts to connect payers to providers. Commenters urged CMS to 
establish an NDH before the API compliance dates and explained that not 
doing so could result in an industry-wide scramble and search for 
verified plan endpoints necessary for implementation. A commenter 
recommended that CMS establish and maintain a national payer directory 
that includes verified information on payers, including their API 
endpoints, contact information for their API project managers, and 
their readiness for participation in payer to payer data exchange. 
Another commenter stated they are currently trying to set up their own 
Payer-to-Payer API and encountered problems without a centralized 
location of payer endpoints. This led to issues identifying a new 
member's previous payer and making secure connections to exchange 
information. A commenter cautioned that a draft version of the National 
Directory IG developed by the FHIR at Scale Taskforce (FAST) originally 
published in September 2022 \8\ describes

[[Page 8768]]

a payer to payer data exchange but is based on the projected existence 
of a national directory of payer endpoints and governance framework. A 
commenter noted scalability issues that could arise without a national 
directory of endpoints to connect in a unified and meaningful manner.
---------------------------------------------------------------------------

    \8\ Health Level Seven International (n.d.). National Directory 
of Healthcare Providers & Services (NDH) Implementation Guide. 
Retrieved from https://build.fhir.org/ig/HL7/fhir-us-ndh/.
---------------------------------------------------------------------------

    Response: We understand that a directory of payer and provider 
digital endpoints would be highly beneficial to facilitate our Payer-
to-Payer, Provider Access, and Prior Authorization API requirements. 
Without such a directory, payers would need to discover other payers' 
endpoints one by one, and each payer would have to maintain a list of 
payers that they have previously connected with for data exchange. The 
Trusted Exchange Framework and Common Agreement (TEFCA) provides a 
directory of digital endpoints that can be used by TEFCA 
Participants.\9\
---------------------------------------------------------------------------

    \9\ Office of the National Coordinator for Health Information 
Technology (n.d.). Trusted Exchange Framework and Common Agreement 
(TEFCA). Retrieved from https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca.
---------------------------------------------------------------------------

    Additionally, CMS is committed to exploring an NDH that contains 
payers' and providers' digital endpoints to facilitate more 
interoperable data exchange in healthcare for a variety of use cases, 
including support for the Payer-to-Payer, Provider Access, and Prior 
Authorization APIs.

II. Provisions of the Proposed Rule and the Analysis of and Responses 
to Public Comments

A. Patient Access API

1. Background
    In the CMS Interoperability and Patient Access final rule (85 FR 
25558), in order to give patients access to their own health 
information in a way most meaningful and useful to them, we required 
impacted payers to share, via FHIR APIs, certain information including 
patient claims, encounter data, and a set of clinical data that 
patients can access via health apps. Claims and encounter data, used in 
conjunction with clinical data, can offer a broad picture of an 
individual's health care experience. Patients tend to receive care from 
multiple providers, leading to fragmented patient health records where 
various pieces of an individual's record are locked in disparate, 
siloed data systems. With patient data scattered across these 
disconnected systems, it can be challenging for providers to get a 
clear picture of the patient's care history, and patients may forget or 
be unable to provide critical information to their provider. This lack 
of comprehensive patient data can impede care coordination efforts and 
access to appropriate care.
2. Enhancing the Patient Access API
    In the CMS Interoperability and Patient Access final rule (85 FR 
25558-25559), we adopted regulations that require certain payers, 
specifically MA organizations (at 42 CFR 422.119), state Medicaid and 
CHIP FFS programs (at 42 CFR 431.60 and 457.730), Medicaid managed care 
plans (at 42 CFR 438.242(b)(5)), CHIP managed care entities (at 42 CFR 
457.1233(d)), and QHP issuers on the FFEs (at 45 CFR 156.221), to 
implement and maintain APIs that permit patients to use health apps to 
access specified data. The Patient Access API must make available, at a 
minimum, adjudicated claims (including provider remittances and patient 
cost-sharing); encounters with capitated providers; and clinical data, 
including laboratory results, with a date of service on or after 
January 1, 2016, as maintained by the payer. Payers must make those 
data available via the Patient Access API no later than 1 business day 
after a claim is adjudicated or encounter or clinical data are 
received. In the CMS Interoperability and Prior Authorization proposed 
rule, we proposed various changes to enhance the Patient Access API 
that are discussed further elsewhere. We also received comments about 
the Patient Access API more generally, which we summarize and respond 
to in this section.
    To support the ongoing maintenance of the Patient Access API, we 
are requiring certain specifications and recommending certain IGs, as 
further discussed in this section and in section II.G. With the 
publication of the HTI-1 final rule, our cross references to 45 CFR 
170.215 have been updated to reflect the updated citations as needed. 
Changes to the structure of 45 CFR 170.215 and versions of the API 
standards codified there are discussed further in section II.G. and 
reflected throughout this final rule. For the Patient Access API, 
impacted payers must use the following standards: HL7 FHIR Release 
4.0.1 at 45 CFR 170.215(a)(1), US Core IG STU 3.1.1 at 45 CFR 
170.215(b)(1)(i), SMART App Launch IG Release 1.0.0 at 45 CFR 
170.215(c)(1) and OpenID Connect Core 1.0 at 45 CFR 170.215(e)(1). 
Impacted payers are permitted to voluntarily use updated standards, 
specifications, or IGs that are not yet adopted in regulation for the 
APIs discussed in this final rule, should certain conditions be met. 
For the standards at 45 CFR 170.215 required for the Patient Access 
API, updated versions available for use under our policy include, but 
are not limited to, US Core IG STU 6.1.0 and SMART App Launch IG 
Release 2.0.0, which have been approved for use in the ONC Health IT 
Certification Program.\10\ We refer readers to policies finalized for 
the Patient Access API in the Interoperability and Patient Access final 
rule, as well as section II.G.2.c. of this final rule for a full 
discussion on using updated standards. We are also recommending payers 
use the HL7[supreg] FHIR[supreg] CARIN Consumer Directed Payer Data 
Exchange IG (CARIN IG for Blue Button) STU 2.0.0, HL7[supreg] 
FHIR[supreg] Da Vinci Payer Data Exchange (PDex) IG STU 2.0.0, and 
HL7[supreg] FHIR[supreg] Da Vinci PDex US Drug Formulary IG STU 2.0.1. 
We also direct readers to section II.G. of this final rule for a 
discussion of the standards for the Patient Access API, and Table H3 
for a full list of the required standards and recommended IGs to 
support API implementation.
---------------------------------------------------------------------------

    \10\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

    Comment: Multiple commenters expressed general support for the 
Patient Access API, as it would promote transparency and improve 
patient access to health data. Many commenters agreed that the proposed 
modifications to the Patient Access API would improve patient 
engagement, shared decision making, and be an opportunity for patients 
to improve health literacy. Commenters stated that it is critical to 
ensure that data are shared interoperability to prevent unnecessarily 
restrictive or expensive proprietary systems from inhibiting patient 
and provider access. A commenter noted that the API places the patient 
at the center of care, which could lead to improvements in quality care 
and a seamless patient experience. Other commenters noted that it will 
help improve predictability for patients and help them identify 
potential violations in mental health parity law and facilitate better 
communication between patients and providers. Another commenter noted 
that the most convenient way for patients to access their health 
information is via apps.
    Multiple commenters expressed support for the standardization of 
the Patient Access API across different payer types and coverage 
programs. A commenter stated that establishing standardized processes 
for the Patient Access API would benefit patients and enable them to 
have efficient and secure access to their records while maintaining 
their privacy.
    Response: We thank the commenters for their feedback and will 
continue to

[[Page 8769]]

look for ways to drive adoption and use of the Patient Access API to 
benefit patients. We agree that requiring a standard API will unlock 
potential for developers to create patient-friendly apps.
    Comment: Other commenters stated that they do not believe the 
Patient Access API will be a dominant means for accessing health care 
data because patients may get similar or better information elsewhere. 
Commenters stated that they have not seen significant uptake of health 
apps since the implementation of the Patient Access API. Commenters 
relayed that while they believe in the potential for the Patient Access 
API to improve the utility and portability of patient medical 
information, they have not seen robust utilization of these tools, 
possibly because many payers have their own portals. Some commenters 
believe that their members prefer to speak with a customer service 
representative, for instance, to discuss the status of their claims. 
Some payers noted that although they currently have a low rate of 
members using apps, they anticipated higher utilization as younger 
cohorts, who are more familiar with how smartphone apps can benefit 
their care, reach the age of Medicare eligibility.
    A commenter flagged that the Patient Access API could result in 
administrative costs being spread over a smaller than expected user 
base due to its low utilization. They recommended that CMS continue to 
monitor the utilization of the proposed APIs as it considers new 
functionalities and requirements.
    Multiple commenters expressed concerns that certain patients may 
not be able to access the Patient Access API due to a variety of 
factors (for example, limited access to technology/internet, software, 
or apps or low digital literacy), and they encouraged CMS to consider 
how it can help patients with limited digital or broadband access to 
have equitable access to necessary coverage information. Stating that 
some patients may not have access to the appropriate software or app, 
multiple commenters recommended that CMS require states and other 
entities to continue to provide written notices instead of relying on 
electronic communication via the Patient Access API. Commenters also 
recommended that CMS continue to monitor the Patient Access API usage 
and closely track any potential disparities in access due to social 
determinants of health (SDOH) or differences in digital literacy.
    Response: We understand that some patients cannot or may not want 
to access their health information electronically or through a health 
app. Nothing in this rule will require patients to use the Patient 
Access API to access their health information. Nor will the rule change 
any applicable obligation for payers to make information available in 
non-electronic formats, should such a requirement exist. For example, 
42 CFR 435.918(a) requires Medicaid agencies to give individuals the 
choice whether to receive notices electronically or by mail. Similar 
requirements for MA organizations can be found at 42 CFR 
422.2267(d)(2). Furthermore, under the HIPAA Privacy Rule, covered 
entities generally must provide individuals access to their PHI in the 
form and format requested by the individual, if it is readily 
producible in such form and format; or, if not, in a readable hard copy 
form or such other form and format as agreed to by the covered entity 
and the individual.\11\
---------------------------------------------------------------------------

    \11\ See 45 CFR 164.524(c)(2)(i).
---------------------------------------------------------------------------

    However, making available digital tools, such as standardized APIs 
and health apps that can access them, aligns with how many people 
interact with other industries today, such as banking and e-commerce. 
Making health information similarly available and interoperable 
broadens patients' options for accessing their records. While many 
patients may be satisfied using their payer's portal, and we do not 
wish to take that option away from them, using proprietary systems and 
data formats has led to a health care system where patient data are 
fragmented and often difficult to exchange between parties. Entities 
such as HIEs, health apps, and TEFCA Participants and Subparticipants 
may be able to gather data from payers, providers, and other sources to 
create a more comprehensive patient record than could be maintained by 
the payer alone. Advances in nationwide data sharing, such as payers' 
Patient Access APIs, connections across HIEs, and exchange enabled by 
TEFCA, can facilitate secure and reliable access to these data sources. 
That is the reason that CMS and HHS are invested in establishing open 
standards and requirements for payers and providers to use standardized 
technology. While many patients are most familiar with their payer's 
portal, until the Patient Access API provisions went into effect on 
January 1, 2021, their options may have been limited. We also 
anticipate that adoption will take time as patients learn about their 
options and choose methods for accessing their health information that 
work best for them.
    Comment: Multiple commenters recommended that CMS ensure that the 
Patient Access API allow caregivers and dependents to have access where 
patients have provided consent. A commenter urged CMS to explain how an 
individual can ensure caregivers have access to their health 
information via the Patient Access API. Another commenter recommended 
that CMS explain that representatives should be included in all 
relevant communication and considered as payers develop the API.
    Response: Per the HIPAA Privacy Rule at 45 CFR 164.502(g), a 
personal representative is a person authorized under state or other 
applicable law to act on behalf of the individual in making health care 
related decisions (such as a parent, guardian, or person with a medical 
power of attorney). With limited exceptions, a personal representative 
is treated as the individual for purposes of the HIPAA Privacy Rule. 
Similarly, our existing Patient Access API policies (at 42 CFR 
422.119(a) and (b)(1), 431.60(a) and (b), and 457.730(a) and (b) and 45 
CFR 156.221(a) and (b)) explicitly apply to patients' personal 
representatives.
    Payers likely have different processes and policies for designating 
someone as a personal representative under the HIPAA Privacy Rule and 
also may be subject to similar state laws. Nothing in this rule will 
require a change to those processes. Therefore, patients and personal 
representatives should contact their payer for the steps to ensure 
appropriate access to information via the Patient Access API. We do not 
explicitly require impacted payers to send to their patients' personal 
representatives the required educational resources. However, payers are 
required to post those resources on their public websites and to convey 
them via other appropriate mechanisms through which they ordinarily 
communicate with current patients. If payers send other resources to 
personal representatives on a patient's behalf, then educational 
resources should be sent to them as well. In addition, there may be 
program- or state-specific requirements to transmit such resources to a 
patient's personal representative.
    Comment: A few commenters recommended that CMS require payers to 
update patient information that they are told is incorrect by a patient 
or provider.
    Response: Under the HIPAA Privacy Rule, at 45 CFR 164.526, 
individuals have the right to have a covered entity amend PHI or a 
record about the individual in a designated record set for as long as 
the PHI is maintained in the designated record set, with certain 
exceptions. The Patient Access API does not require the impacted payer 
to

[[Page 8770]]

include the capability to send information from a patient to a payer. 
Therefore, while patients have the right under the HIPAA Privacy Rule 
to request that a HIPAA-covered entity (such as a provider or payer) 
amend their record, that functionality is out of scope for the Patient 
Access API.
a. Prior Authorization Information
    To enhance our policy finalized in the CMS Interoperability and 
Patient Access final rule, we proposed in the CMS Interoperability and 
Prior Authorization proposed rule to add information about prior 
authorizations to the categories of data required to be made available 
to patients through the Patient Access API. We stated that this 
proposal would apply to all prior authorization requests and decisions 
for items and services (excluding drugs) for which a payer has data in 
the patient's record, as discussed further in this section. We also 
proposed that the Patient Access API must include certain information 
about prior authorizations within 1 business day of receipt of, or 
change of status to, the prior authorization. The primary goal of the 
Patient Access API is to give patients access to their health 
information, and by expanding patient access to prior authorization 
information, we aim to help patients be more informed decision makers 
and true partners in their health care.
    As discussed in section I.D. of this final rule, our prior 
authorization proposals did not apply to drugs of any type that could 
be covered by an impacted payer, including, for example, outpatient 
drugs, drugs that may be prescribed, drugs that may be administered by 
a provider, drugs that may be dispensed or administered in a pharmacy 
or hospital, or over-the-counter (OTC) drugs.
    In section II.D. of this final rule, we finalize several proposals 
focused on making the prior authorization process less burdensome for 
providers and payers, which we anticipate will reduce delays in 
medically necessary access to covered items and services and improve 
patient outcomes. Giving patients access to information about prior 
authorization requests and decisions will enable them to take a more 
active role in their own health care.
    We are finalizing our proposal to require impacted payers to 
provide patients, through the Patient Access API, with access to 
information about prior authorization requests and decisions made for 
their care and coverage. However, we are finalizing a modification to 
our proposal and not requiring payers to share the quantity of items or 
services used under a prior authorization or unstructured documentation 
related to a prior authorization, as discussed elsewhere in this final 
rule. We are finalizing these changes with compliance dates in 2027 (by 
January 1, 2027, for MA organizations and state Medicaid and CHIP FFS 
programs; by the rating period beginning on or after January 1, 2027, 
for Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2027, for QHP issuers on 
the FFEs), which is a year after the proposed 2026 compliance dates.
    Comment: A significant majority of commenters expressed support for 
CMS's proposal to include prior authorization information in the 
Patient Access API. Commenters listed multiple benefits to making prior 
authorization information available via the Patient Access API, 
including empowering patients in their care, reducing the burden of 
repeated inquiries to payers, and facilitating faster decisions by 
allowing patients to help providers submit the necessary documentation. 
Multiple commenters highlighted current challenges for patients to 
access their prior authorization information.
    Response: We appreciate commenters' feedback confirming the 
significant burden that prior authorizations processes place on 
patients. We received comments from across the industry that indicated 
that those processes could be improved by interoperable data exchange. 
Those comments have informed the policies we are finalizing to require 
impacted payers to make available via the Patient Access API certain 
information about prior authorizations.
    Comment: Multiple commenters expressed concerns that because many 
patients do not have an overall understanding of the prior 
authorization process, giving patients access to prior authorization 
information would add to existing confusion, and that this information 
may be overwhelming. Some commenters stated that they do not believe 
that additional requirements and burden on impacted payers around the 
Patient Access API are warranted based on current app adoption by 
patients. The commenters stated that there should be greater Patient 
Access API use before adding more requirements to the Patient Access 
API.
    Commenters cautioned against creating any expectations for patient 
involvement in a prior authorization process that they may not 
understand and over which they may have little control. Other 
commenters recommended that CMS explore strategies to promote access to 
timely prior authorization-related information for patients who cannot 
or do not want to use health apps.
    Response: We understand that not all patients will want to access 
their prior authorization data, and some may not be able to fully 
understand the information that is presented to them. However, we do 
not believe that this is a sufficient justification for not making 
those data available to patients who want that access and insight into 
their care. We strongly encourage payers to make data transparent and 
explain the processes involved in a patient's coverage in an easily 
understandable manner.
    We do not intend to create expectations for patient involvement in 
the prior authorization process but want to make that opportunity 
available where it can be beneficial to expedite prior authorization 
decisions. To the extent that program-specific requirements do not 
already require such disclosures to enrolled patients, we urge payers 
to make prior authorization information available to patients 
regardless of what method they use to inquire about their coverage or 
care--whether that is an online patient portal, a phone call to 
customer service agents, or an email inquiry. However, our proposals in 
this section only addressed information available to patients via the 
Patient Access API.
    Comment: Some commenters stated that, because prior authorization 
requests today are commonly submitted via multiple modalities, CMS 
should modify its proposal to require prior authorization information 
be included in the Patient Access API only if it came from requests 
submitted via a Prior Authorization API. Commenters flagged that prior 
authorization data received in non-standard formats, such as fax, would 
require significant resources for many payers to translate into a 
standard format to be shared via the Patient Access API. Commenters 
stated that adoption of electronic prior authorization by providers 
would be gradual, and it would be administratively complex and 
burdensome to require payers to convert prior authorizations submitted 
via phone or fax to electronic format. The commenters recommended that 
CMS make sharing prior authorizations received via phone or fax 
optional for payers.
    Response: We understand that data submitted for prior authorization 
requests via non-electronic or non-standardized modalities could 
require an additional step to make available through the Patient Access 
API. However, we also note that the burden of ingesting data from non-
standard and

[[Page 8771]]

non-electronic requests into a payer's prior authorization systems 
exists regardless of the requirement to share data with the patient. 
While sharing requests submitted via a Prior Authorization API might be 
simpler, as they are already in a FHIR format, we do not believe that 
the burden of converting data from the format payers currently use in 
their prior authorization systems outweighs the benefit of making prior 
authorization information available to patients. We also note that the 
same prior authorization data are largely required to be shared via the 
Provider Access and Payer-to-Payer APIs, thus creating an economy of 
scale by spreading the benefit to all parties while the burden of data 
translation would only have to happen once. We believe that all 
patients should have access to their prior authorization information, 
regardless of the process between their provider and payer.
    In section II.D. of this rule, we are finalizing a requirement for 
impacted payers to implement and maintain a Prior Authorization API and 
in section II.F. of this rule, we are finalizing a measure within MIPS 
to incentivize providers to use that Prior Authorization API. We are 
finalizing those policies to promote the adoption of electronic prior 
authorization and, therefore, expect that as electronic prior 
authorization increases over time, the overall burden of making 
available prior authorization information submitted and received 
through other modalities will decrease. We believe that payers will 
also encourage their providers to use electronic prior authorization to 
decrease that burden, which will lead to greater interoperability and 
data availability for patients.
    Also, if we required only prior authorization data submitted via a 
Prior Authorization API to be available via the Patient Access API, we 
would be excluding patients whose providers may not be able to 
implement electronic prior authorization for technological or other 
reasons. Therefore, we are finalizing a Patient Access API policy that 
covers data from all prior authorizations, regardless of the medium 
through which the payer receives the request.
    Comment: A commenter noted challenges that state Medicaid agencies 
would face to include prior authorization data in the Patient Access 
API. The commenter stated that there are differences between how states 
process prior authorizations today, with some state Medicaid agencies 
relying on manual processes.
    Response: State expenditures on designing, developing, installing, 
enhancing, or operating state Medicaid systems that can conduct 
electronic prior authorization may be eligible for enhanced Federal 
financial participation. Implementation of the Prior Authorization API 
should facilitate a faster and more automated workflow to make prior 
authorization data available. We encourage states to take this 
opportunity to determine whether modernizing prior authorization 
systems beyond the implementation of a Prior Authorization API can 
improve their prior authorization processes. We describe the enhanced 
Medicaid Federal matching percentages in fuller detail in section II.E. 
of this final rule.
    Comment: A commenter requested that CMS explain that the 
information it is requiring to be available does not need to be 
``pushed'' to a patient app, but should be available for query, if a 
patient chooses to use their app to retrieve their information.
    Response: We confirm that the Patient Access API works on a query 
mechanism and not a ``push.'' Our final policy requires that the data 
be available for a patient's app to query and receive from an impacted 
payer.
    Comment: Some commenters suggested that patients should be able to 
provide supporting documentation directly to their payer via the 
Patient Access API. The commenters stated that patients should have the 
choice to submit prior authorization requests themselves, or to have a 
provider or third party do it, and should also have the option to 
initiate, monitor, and appeal prior authorization decisions. Another 
commenter believed that patients should be able to challenge decisions 
and report delays.
    Response: We did not propose to require impacted payers to accept a 
prior authorization request or supporting documentation directly from 
patients. We fear that this would create confusion about the prior 
authorization process and whether the provider or patient is ultimately 
responsible for the submission of prior authorization requests and 
documentation. Providers are in the best position to understand the 
clinical requirements to obtain prior authorization and are responsible 
for using their clinical judgment to decide on the best course of 
treatment. As discussed, it is valuable for patients to have 
transparency into that process and be able to assist providers to 
submit necessary information. However, without a clinical 
understanding, patients may submit extraneous or irrelevant 
information. Furthermore, patients likely do not have systems that 
would be able to communicate and submit information via the Prior 
Authorization API. That would require the availability of an 
alternative system and negate some of the efficiencies the Prior 
Authorization API will bring to the prior authorization process. Taken 
together, such a requirement would add burden to payers and may end up 
delaying the prior authorization decision process. Nothing in this rule 
will prohibit a payer from accepting information directly from patients 
if that would benefit the payer's processes or patient care. 
Furthermore, payers are already required to have a process in place for 
patients or providers to appeal prior authorization decisions and to 
file a complaint with the appropriate Federal or state oversight 
agency.
i. Compliance Dates
    For the requirement to include prior authorization information in 
the data available via the Patient Access API, we proposed compliance 
dates in 2026 (by January 1, 2026, for MA organizations and state 
Medicaid and CHIP FFS programs; by the rating period beginning on or 
after January 1, 2026, for Medicaid managed care plans and CHIP managed 
care entities; and for plan years beginning on or after January 1, 
2026, for QHP issuers on the FFEs).
    Comment: Some commenters supported the proposed compliance dates. 
However, several commenters recommended that the compliance dates for 
adding prior authorization information to the Patient Access API be 
accelerated--with recommendations for July 1, 2024, January 1, 2025, or 
12 months after the finalization of this rule. Multiple commenters 
recommended earlier compliance dates due to the significant impact that 
this information could have on patient empowerment and information 
transparency.
    Conversely, multiple commenters recommended that CMS delay the 
proposed compliance date until the Prior Authorization API, discussed 
in section II.D. of this final rule, is widely adopted. Commenters 
stated that while the technical data standards may be mature, CMS 
should also consider the status of payers' data infrastructure, which 
may not have prior authorization information in a structured format to 
be shared via the Patient Access API. As discussed previously, some 
commenters recommended limiting the requirement to make prior 
authorization data available through the Patient Access API only to 
data contained in standardized HIPAA-compliant electronic prior 
authorization transactions, such as those facilitated by the Prior 
Authorization

[[Page 8772]]

API. These commenters recommended that CMS work with payers, providers, 
health IT developers, and consumer advocacy groups to first advance 
electronic prior authorization uptake before determining appropriate 
compliance dates. A commenter suggested CMS consider additional 
flexibilities and exceptions for impacted entities unable to comply 
with the proposed 2026 compliance dates.
    Another commenter recommended delaying the compliance dates by 
another 2-3 years to allow for simultaneous implementation with the 
``Administrative Simplification: Adoption of Standards for Health Care 
Attachments Transactions and Electronic Signatures, and Modification to 
Referral Certification and Authorization Transaction Standard'' 
proposed rule (hereinafter referred to as the HIPAA Standards for 
Health Care Attachments proposed rule) (87 FR 78438).
    Response: After reviewing public comments, we have elected to 
finalize the provision with a 1 year delay to the compliance dates, to 
2027 (by January 1, 2027, for MA organizations and state Medicaid and 
CHIP FFS programs; by the rating period beginning on or after January 
1, 2027, for Medicaid managed care plans and CHIP managed care 
entities; and for plan years beginning on or after January 1, 2027, for 
QHP issuers on the FFEs). While making data related to prior 
authorization available to patients is necessary and urgent, we also 
understand that it will take time for payers to implement the policies 
we are finalizing. We believe that the additional year will allow 
payers to ensure a smooth rollout of this additional functionality. 
However, we encourage payers to meet the requirements of this rule as 
soon as possible to benefit their patients.
    We decline to delay the compliance date for including prior 
authorization information in the Patient Access API until after the 
Prior Authorization API compliance dates and are finalizing the same 
compliance dates for both this policy and the Prior Authorization API. 
The purpose of the Prior Authorization API is to facilitate the 
exchange of structured prior authorization data, and we agree that 
receiving requests electronically may expedite payers' ability to make 
that information available to patients. However, even after the Prior 
Authorization API compliance dates, we expect that a number of prior 
authorizations are going to be submitted through other channels 
(hopefully in declining number). As discussed previously, payers will 
need to have the ability to share prior authorization information that 
is submitted via channels other than the Prior Authorization API, 
regardless of the compliance dates. By finalizing 2027 compliance 
dates, we are providing payers with an additional year beyond what we 
proposed to implement the needed functionality within their internal 
systems.
    Comment: A commenter suggested that prior authorization decisions 
issued before the compliance dates should not be required to be 
available via the Patient Access API.
    Response: We proposed, and are finalizing, that impacted payers 
must give patients access to existing prior authorization information 
maintained by the payer beginning on the compliance dates. In the CMS 
Interoperability and Patient Access final rule, we required payers to 
make available the specified data they maintained with a date of 
service on or after January 1, 2016, which meant that patients had 
access to their historical data beginning on the January 1, 2021, 
compliance date. That date range also applies to the prior 
authorization data that must be included. However, unlike the other 
categories of data, there is a period of time after which prior 
authorization data no longer needs to be available. As discussed 
elsewhere in this final rule, prior authorization information must be 
shared while the prior authorization is active and for 1 year after the 
last status change. As of the compliance dates, payers must make all 
required data available via the Patient Access API. However, it is 
unlikely that a significant number of patients will have data from many 
years before the compliance dates. On January 1, 2027 (or the actual 
compliance date), payers will be required to make available data about 
all active prior authorizations, regardless of how long they have been 
active, and any requests that have had a status update within the 
previous 1 year period (that is, since January 1, 2026, if a payer 
implements on these changes on that day).
ii. Data Content
    We proposed that the information required to be available through 
the API would include the prior authorization request and related 
administrative and clinical documentation, including all of the 
following:

    (1) The prior authorization status.
    (2) The date the prior authorization was approved or denied.
    (3) The date or circumstance under which the authorization ends.
    (4) The items and services approved.
    (5) The quantity used to date under the authorization.
    (6) If denied, the specific reason why the request was denied.

    In section II.D.3. of this final rule, we are finalizing that in 
the case of a prior authorization denial, the payer must give the 
provider a specific reason for the denial that is separate from the 
content requirements for the APIs finalized in this rulemaking. 
Including the reason in the Patient Access API can help patients 
understand why a payer denied a prior authorization request. The 
administrative and clinical documentation related to a prior 
authorization request that we proposed must be shared through the 
Patient Access API would include any materials that the provider sends 
to the payer to support a decision, for example, structured or 
unstructured clinical data including laboratory results, scores or 
assessments, past medications or procedures, progress notes, or 
diagnostic reports. For the reasons discussed, we are finalizing 
modifications to our proposals to not require impacted payers to 
include ``the quantity used to date'' or unstructured documentation in 
the data available via the Patient Access API.
    As further discussed in sections II.B. and II.C. of this final 
rule, we are requiring impacted payers to make available generally the 
same information about prior authorization requests and decisions via 
the Provider Access and Payer-to-Payer APIs. In this way, these prior 
authorization data can be available to all relevant parties. We note 
that the requirement to share information about prior authorizations 
via the Patient Access and Provider Access APIs is in addition to any 
notice requirements that apply to prior authorization requests and 
decisions, such as the requirement to notify providers of a decision 
within certain timeframes discussed in section II.D.5.b. of this final 
rule.
    Comment: Some commenters recommended that CMS require payers to 
make data more actionable and descriptive by including detailed reasons 
why a prior authorization request is pending. Many commenters 
recommended a status for when certain services do not require prior 
authorization. Conversely, to make status updates simpler via the 
Patient Access API, multiple commenters suggested only having a 
pending, active, denied, or expired status update. A commenter 
requested clarification on whether, in our proposal, the listed 
``another status'' was a status unto itself or used as a catch-all 
description of any statuses other than those listed.
    Response: While we consider five basic statuses (pending, active, 
denied,

[[Page 8773]]

expired, authorization not required) to cover the general scope of a 
prior authorization request and decision, we are neither defining the 
term ``status'' as used in this rule, nor these five basic statuses or 
the conditions under which they must be used by impacted payers. We 
understand that payers use a variety of processes and do not intend to 
prescribe exactly when a particular status must be used. Rather, we are 
indicating that impacted payers must make clear to patients (via the 
Patient Access API) and providers (via the Provider Access API 
discussed in section II.B. of this final rule), the status of a prior 
authorization decision, such as when it is pending, approved, denied, 
or expired or a request has been submitted for an item or service that 
does not require prior authorization. We expect payers will generally 
use those statuses, but they are also welcome to use other statuses 
that provide additional information or are more specific to the 
particular payer's process. Such statuses should be clear and 
understandable to patients and providers. For example, a payer could 
use statuses such as ``under appeal'' or ``expired--approved quantity 
used.'' However, in some cases, the status information available beyond 
``pending'' could be meaningless to patients if it refers only to the 
payer's internal processes.
    We also agree that patients could benefit from payers making it 
clear through the Patient Access API when an item or service submitted 
for prior authorization does not require prior authorization for 
coverage. However, we emphasize that a mere query as to whether prior 
authorization is required would not create a record that needs to be 
shared via the Patient Access API (or the Provider Access API). For 
instance, a provider may use the HL7[supreg] FHIR[supreg] Da Vinci 
Coverage Requirements Discovery (CRD) IG, which is the part of the 
Prior Authorization API that allows a provider to query whether a payer 
requires prior authorization before they will cover a specific item or 
service for a specific patient. Similar queries made through other 
channels, or submissions that are rejected for being unnecessary, need 
not be made available through the Patient Access API unless the request 
creates a record in the patient's data maintained by the payer. Though 
not required, impacted payers would be welcome to make that information 
available.
    Comment: Multiple commenters supported our proposal that the 
Patient Access API enhance transparency by including a specific reason 
for denial. Commenters stated that including a reason for denial would 
help beneficiaries dispute decisions in a more effective manner. A few 
commenters urged CMS to require impacted payers to disclose via the 
Patient Access API the specific coverage or clinical criteria upon 
which the impacted payer relied to issue a denial.
    Response: While we encourage payers to provide coverage or clinical 
criteria that they used to make a prior authorization decision if that 
information would help the patient or provider understand the prior 
authorization decision, many payers consider that specific information 
to be proprietary. In addition to potentially being proprietary, those 
clinical criteria may be significantly more complicated than the 
information we are requiring, and not easily understood by patients. 
Therefore, we did not propose to require that detailed clinical 
criteria for a prior authorization decision be shared with patients 
through the Patient Access API. Instead, we proposed and are finalizing 
that when a payer denies a prior authorization request, they must 
provide a specific reason for that denial through the Patient Access 
API. That reason may indicate which clinical criteria the patient did 
not meet to be approved for the items or services. We reiterate that 
the requirement that the specific reason for a denial be included in 
the Patient Access API is in addition to any other applicable 
requirements regarding notice of decisions, such as the requirement at 
42 CFR 422.568(e) that MA organizations issue a notice containing 
specific content when denying a prior authorization request and similar 
requirements for Medicaid managed care plans at 42 CFR 438.210(c) and 
for health insurance issuers offering individual health insurance 
coverage (which includes QHP issuers on the FFEs) at 45 CFR 
147.136(b)(3)(ii)(E).\12\
---------------------------------------------------------------------------

    \12\ For example, 45 CFR 147.136(b)(3)(ii)(E)(3) provides that 
individual health insurance issuers' notifications of any adverse 
benefit determination must include the reason or reasons for the 
determination along with the denial code and its corresponding 
meaning, and a description of the issuer's standard, if any, that 
was used in denying the claim. In the case of a notice of a final 
internal adverse benefit determination, this description must 
include a discussion of the decision.
---------------------------------------------------------------------------

    Comment: A few commenters questioned whether CMS would provide 
standardized denial codes and how much flexibility payers will have to 
define denial reasons.
    Response: In this final rule, we are requiring impacted payers to 
provide a specific reason for a denial. We did not propose standardized 
denial codes or a specific set of denial reasons for payers to use. 
However, there is a list of standardized codes that must be used when a 
prior authorization decision is sent to a provider via the adopted 
HIPAA standard, which is maintained by the SDO X12.\13\ While using 
those codes is not required for the Patient Access API, we strongly 
encourage payers and providers to evaluate the code set and make 
recommendations to X12 for updated or new denial codes, as appropriate. 
If those X12 denial codes meet the requirement for specificity, they 
could be used in both the HIPAA transaction and the Patient Access API.
---------------------------------------------------------------------------

    \13\ X12 Standards (2022, August). Service Review Decision 
Reason Codes. Retrieved from https://x12.org/codes/service-review-decision-reason-codes.
---------------------------------------------------------------------------

    Comment: A few commenters urged CMS to require payers to include 
plain language information about appealing a prior authorization 
decision, including processes to request internal review and external 
appeal of a decision and information about consumer programs to assist 
with appeals.
    Response: We did not propose to make that information available via 
the Patient Access API. Our educational requirements, discussed in the 
CMS Interoperability and Patient Access final rule (85 FR 25550-52), 
only cover using the Patient Access API and not the prior authorization 
process writ large. However, impacted payers are already required to 
include that information with a notice of denial.\14\ For requirements 
to make information about the appeals process available to patients via 
other modalities, see further discussion in section II.D. of this final 
rule. Depending on the specific requirements of their program, impacted 
payers may be able to meet that requirement by providing notice about 
the appeals process via the Patient Access API.
---------------------------------------------------------------------------

    \14\ See 42 CFR 422.568(e)(3) (for MA), 431.210(d) (for 
Medicaid), and 457.1180 (for CHIP) and 45 CFR 
147.136(b)(2)(ii)(E)(4) (for QHP issuers on the FFEs).
---------------------------------------------------------------------------

    Comment: Multiple commenters recommended that CMS not require the 
prior authorization information included in the Patient Access API to 
include the ``quantity used to date'' requirement, because that 
information would come from payer claims data. Commenters explained 
that those data are not a reliable source for patients and providers to 
track the number of authorized services used to date because of the lag 
time for processing claims. As such, payers would not be able to update 
that information until claims have been submitted and processed for the 
items or services covered by the prior authorization, which could 
result in inaccurate information being given to

[[Page 8774]]

a patient for weeks or months until claims are processed.
    Response: We understand that payers may not always have accurate or 
current information about the quantity of approved items or services 
that a patient has used as of a specific date under a prior 
authorization. Payers must rely on claims data for that information, 
which are often not current because there is typically a time lag 
between when an item or service is rendered and when the claim is 
submitted and/or processed. If a patient knows that they have used some 
quantity of the approved items and services, but is not sure of the 
specific quantity, receiving inaccurate information from their payer 
about the quantity used to date would lead to confusion and possibly 
unnecessary inquiries that take patients, providers, and payers time to 
resolve. Therefore, we are not finalizing our proposal to include 
``quantity of approved items or services used to date'' in the prior 
authorization information available via the Patient Access API. 
However, we are finalizing our proposal to require a total number of 
items or services approved under the prior authorization decision.
    Comment: Some commenters recommended that administrative and 
clinical documentation sent by the provider for prior authorization 
requests be included in the Patient Access API. However, multiple other 
commenters recommended that CMS not finalize its proposal to include 
supporting documentation for prior authorization requests. Some 
commenters specifically recommended that CMS not require payers to 
include data or forms that were not sent in a standardized electronic 
manner, such as via the Prior Authorization API. The commenters 
expressed concern about the feasibility for impacted payers to provide 
information that they received in a non-electronic or unstructured 
format (such as scanned documents or PDFs) and whether third-party 
patient apps can access or display such documentation. Instead, 
commenters recommended that CMS focus on requiring that discrete data 
elements and structured data related to prior authorizations be 
available to patients. While some commenters expressed that structured 
data may be duplicative or unnecessary, a majority of commenters 
indicated that including such data would not be overly burdensome for 
payers.
    Other commenters requested clarification regarding what types of 
provider-generated documentation would be required and some recommended 
that CMS assess the prior authorization information requirements 
against information already available in the APIs to mitigate redundant 
or duplicative information.
    Response: After reviewing the comments, we agree that the burden of 
requiring impacted payers to make unstructured documentation available 
via the Patient Access API outweighs the benefits such documentation 
would provide, so we are finalizing a requirement that the Patient 
Access API must include structured administrative and clinical 
documentation submitted by a provider related to the prior 
authorization request.
    Structured documentation includes any data received from a provider 
and stored in the payer's system in a standardized format with defined 
data attributes, such as USCDI or FHIR. Examples of structured 
documentation include data sent by the provider via a transaction 
standard for prior authorization(s), which utilizes standard code sets, 
data sent via a Prior Authorization API in a format other than as an 
attachment, or structured questionnaires that a payer requires 
providers to fill out when making the prior authorization request. 
Unstructured data include any attachments submitted by providers, such 
as radiological scans, large PDFs of clinical data, or, generally, 
another file that a provider sends to the payer as an attachment to the 
prior authorization request.
    We note that documentation received in an unstructured format does 
not need to be parsed and converted to structured data to be included 
in the Patient Access API. However, if a payer does parse the 
unstructured documentation to store the contained data in a structured 
format, those structured data would then be ``maintained'' by the 
payer, as defined in the CMS Interoperability and Patient Access final 
rule (85 FR 25538), and the payer would be required to make it 
available via the Patient Access API.
    At this time, the standards for transmitting documentation and 
attachments via the FHIR APIs are still under development and in 
testing, and thus not yet in widespread use across the industry. The 
developing standard for exchanging attachments via FHIR APIs is the 
HL7[supreg] FHIR[supreg] Da Vinci Clinical Data Exchange (CDex) IG.\15\ 
Version 2 of the IG completed the HL7 consensus-based process in 2023 
and was published as an STU, indicating that it is being prepared for 
additional testing by implementers before being proposed for adoption. 
Without the FHIR standard, payers might implement unstructured 
documentation attachments within the Patient Access API in a variety of 
ways, which would lead to confusion and lack of interoperability. At 
this time, attachments exchanged via CDex are considered unstructured 
documentation and would not need to be made available via the Patient 
Access API as part of the prior authorization information. If the CDex 
becomes a mature standard, we may reconsider in future rulemaking 
whether it would be beneficial to share unstructured documentation as 
attachments via the Patient Access API.
---------------------------------------------------------------------------

    \15\ Health Level Seven International (2023). Da Vinci Clinical 
Data Exchange. Retrieved from https://hl7.org/fhir/us/davinci-cdex/.
---------------------------------------------------------------------------

    We recognize that unstructured administrative and clinical 
documentation from a provider could be important to help patients 
understand the prior authorization process, so we encourage payers to 
make that information available when possible. Furthermore, the policy 
we are finalizing will require impacted payers to make available any 
documentation that a provider sends to the payer to support a prior 
authorization request that is received in a structured format. Since we 
are finalizing that only structured data be made available, and 
structured data are formatted in a way that makes them easily 
transmissible between systems, our final policy should place 
significantly less burden on payers than our proposal, while still 
giving patients access to information about their prior authorization 
processes.
    We note that some of that information may already be available via 
the Patient Access API as clinical data. However, we believe that there 
is value to patients being able to ensure that the clinical information 
reviewed by the payer is accurate and up to date. Therefore, it is 
important for payers to make available the specific clinical data that 
they are looking at to decide on the prior authorization request, even 
if that information may be elsewhere in the patient's record.
    Comment: Multiple commenters suggested that the Patient Access API 
should include information regarding whether the requesting provider is 
in-network or out-of-network, by requiring payers to fully implement 
the X12 270/271 transaction standards for health plan eligibility 
benefit inquiry and responses. Another commenter recommended that CMS 
require payers to make available via the Patient Access API the names 
and contact information for the in-network provider who can furnish the 
appropriate service within the time and distance standards required by 
law. Multiple commenters

[[Page 8775]]

believed that patients should be able to access prior authorization 
information via the Patient Access API regardless of their provider. A 
commenter noted consideration for varying network adequacy standards 
and that a patient may need to seek care from an out-of-network 
provider. A commenter noted that Medicaid managed care plans have wide 
discretion for measuring provider network adequacy and that a patient's 
provider should be able to offer the same services for prior 
authorization despite their network status with the patient.
    Response: This rule makes no distinction between in-network and 
out-of-network providers with regard to making prior authorization 
information available through the Patient Access API. Regardless of the 
requesting provider's network status, the required information must be 
shared with patients. We understand that it is important for patients 
to know whether the provider they are seeing is in their payer's 
network, but we do not believe that the appropriate place for that 
information is with prior authorization information. Furthermore, the 
FHIR API technical specifications and IGs for the Patient Access API 
are not built to include information on a provider's network 
participation. We note that in the CMS Interoperability and Patient 
Access final rule (85 FR 25563), we required MA organizations, state 
Medicaid and CHIP FFS programs, Medicaid managed care plans, and CHIP 
managed care entities to build and maintain a Provider Directory API. 
We encourage developers to integrate within their apps network 
information from payers' Provider Directory APIs for easy patient 
access.
    To the extent that a provider's network status may increase a 
patient's out of pocket costs, we encourage payers to inform patients 
before they receive items or services from an out-of-network provider 
to the extent that applicable programmatic requirements do not already 
require the payer to do so.
    Comment: A commenter recommended that a log of all instances that a 
patient's data was transferred via the Provider Access and Payer-to-
Payer APIs should also be documented and accessible under the Patient 
Access API.
    Response: We did not propose that payers must make that information 
available via the Patient Access API but encourage payers to do so for 
transparency with respect to when and with whom a patient's data are 
being shared. We will consider proposing to require this in future 
rulemaking.
iii. Timeline for Data Sharing
    We proposed to require impacted payers to make available, via the 
Patient Access API, information about prior authorization requests and 
decisions for items and services (excluding drugs) to patients no later 
than 1 business day after the payer receives the prior authorization 
request or there is another status change for the prior authorization. 
Examples of status changes include: a payer receives a request, a payer 
approves or denies a pending prior authorization request, or a provider 
updates a denied prior authorization request with additional 
information for reconsideration. We expect that impacted payers use a 
variety of terminology, but, generally, any meaningful change to the 
payer's record of the prior authorization request or decision will 
require an update to the information available to the patient.
    We proposed 1 business day as the appropriate timeframe because 
patients need timely access to the information to understand prior 
authorization processes and their available care options. As discussed 
further in section II.D. of this final rule, we proposed to require 
payers to make much of the same information about prior authorization 
requests and decisions available via the Prior Authorization API during 
the decision-making process. In addition, we stated that because 
impacted payers would be required to have the ability to exchange prior 
authorization information electronically, it would be reasonable for 
them to share prior authorization information with patients within 1 
business day of any update to the prior authorization request or 
decision.
    Comment: Many commenters expressed that the prior authorization 
process is opaque and burdensome to patients. Commenters stated that 
patients often wait for approval for critical items and services 
without status updates from their payer. Those commenters voiced 
support for the proposed requirement that payers make prior 
authorization information, including decision status and documentation 
information, available through the Patient Access API within 1 business 
day after the payer receives the request. Multiple commenters noted 
that this will provide greater transparency with respect to the prior 
authorization process.
    Response: We appreciate commenters confirming that our proposed 
policies would ease the burden of prior authorization processes and 
benefit patients and providers. We agree that timely access to 
information about their prior authorizations is important to increase 
transparency and ensure that patients understand their care and 
coverage.
    Comment: Multiple commenters, specifically payers, noted that the 
proposed 1 business day window may not be operationally feasible for 
payers. A commenter noted that, to implement this requirement, payers 
would need to develop an interface to move prior authorization data 
between multiple internal systems, which will be especially difficult 
for requests submitted in a non-electronic format. Other commenters 
noted business process and operational challenges that would make 1 
business day difficult and burdensome, such as the time to manually 
assess whether they can legally make the information available via the 
Patient Access API under applicable state law. A commenter stated that 
1 business day would not be feasible for Medicaid agencies due to the 
necessary updates to the Medicaid Management Information System (MMIS) 
systems.
    Many commenters recommended that CMS instead consider requiring a 2 
business day response requirement. A commenter recommended extending 
the proposed requirement to 2 business days until electronic Prior 
Authorization APIs are widely adopted and proven, and only then 
consider a 1 business day requirement. Another commenter recommended 
that CMS extend the timeframe window to 7 calendar days. Some 
commenters noted that although the prior authorization process would be 
automated by the implementation of the Prior Authorization API, they 
recommend extending the 1 business day timeframe for the Patient Access 
API to match the period a payer has to make a determination on the 
prior authorization.
    Response: We appreciate commenters' perspectives regarding the 
feasibility of a 1 business day timeframe. Per the comments we 
received, the most significant barrier to the 1 business day timeframe 
we proposed was the proposed requirement to include unstructured 
documentation with prior authorization information. As discussed 
previously, we are not finalizing a requirement to make available 
unstructured prior authorization documentation via the Patient Access 
API. That exclusion from the data required to be made available will 
reduce the amount of data translation and transformation required to 
have data available via the Patient Access API. In addition, as 
discussed in section I.D., we are delaying the compliance

[[Page 8776]]

dates by 1 year from our proposed 2026 to 2027 in order to give 
impacted payers additional time to make system changes necessary to 
meet the requirements of this final rule. We acknowledge that this may 
be particularly challenging for Medicaid and CHIP agencies based on 
existing MMIS systems. As discussed in section II.E. of this final 
rule, expenditures for required changes to states' MMIS or other state 
systems may be eligible for enhanced Federal financial participation. 
That funding may be available, not just for systems and processes that 
directly contribute to data available via the Patient Access API, but 
for other systems, such as those that track prior authorization 
requests and decisions. We also note that the Prior Authorization API 
discussed in section II.D. will greatly facilitate the movement of 
structured prior authorization data. Payers, including Medicaid and 
CHIP, should consider levers for promoting its usage by their 
providers.
    After reviewing comments, we believe that between the changes to 
the data that must be shared and the additional implementation time, 
payers will be able to make necessary changes to meet these 
requirements by the finalized compliance dates. Therefore, we are 
finalizing the timeframe as proposed and are requiring payers to make 
prior authorization information available via the Patient Access API 
within 1 business day of receiving a request. Impacted payers must 
update prior authorization information made available via the Patient 
Access API within 1 business day of any status change.
    Comment: Multiple commenters recommended that CMS retain the 
proposed 1 business day timeframe for prior authorization requests 
received via the Prior Authorization API but extend the timeframe for 
prior authorizations received through other channels (for example, by 
proprietary portal, fax, or phone). A commenter noted that, in the 
dental field, not all prior authorizations are submitted 
electronically. An additional commenter noted this timeframe does not 
provide impacted issuers adequate time to transfer information received 
by alternate methods (phone, fax) to interoperable, electronic formats. 
A commenter stated that the turnaround is not operationally feasible if 
the information is not received in a standardized format.
    Response: As discussed in the previous section, we are finalizing 
our proposal with a modification to require that only structured 
documentation related to prior authorizations be made available via the 
Patient Access API. We believe this modification will, in large part, 
address this issue. Payers will not be required to convert 
documentation from non-electronic or non-standardized prior 
authorization requests into standardized data that can be available via 
the Patient Access API. However, by requiring only the structured data 
elements, including documentation, and not unstructured documents or 
images, we believe that this will streamline that conversion process 
and make the 1 business day timeline feasible for payers.
    Comment: A commenter recommended that CMS create flexibility for 
delays between a provider sending the request and the payer's receipt. 
Another commenter recommended that CMS finalize a policy that the 1 
business day timeline for making prior authorization data available via 
the Patient Access API begins only once the payer has information 
adequate to adjudicate the prior authorization request, as defined by 
payers' prior authorization policies. The commenter noted that some 
payers may require additional time to gather the information and 
perform any necessary data transformation to the FHIR standards. 
Similarly, another commenter recommended that the 1 business day 
requirement only applies after a request is received via the X12 278 
transaction standard or Prior Authorization API electronic transaction 
that passes validation. Another commenter recommended that CMS require 
information about prior authorization be made available no later than 1 
business day after a payer makes a decision.
    Response: Our proposal was for the 1 business day timeframe to 
begin when the payer receives the prior authorization request. We are 
not requiring payers to share information that they do not possess. 
However, we disagree with the commenters' suggestions that the 1 
business day timeline should begin when the payer has sufficient 
information to adjudicate a prior authorization request, or an 
adjudication has been made. A payer could not know whether there is 
sufficient information in the request to make a decision before the 
request is reviewed. As other commenters noted, it is critical that 
patients know that a payer has received the prior authorization request 
made on their behalf, even if it has not yet been reviewed or 
adjudicated. In section II.D., we are finalizing a policy that requires 
certain payers to make a decision within 7 calendar days for standard 
requests and 72 hours for expedited requests. It may take a payer 
several days to review a prior authorization request, and not having 
any status updates during that time would leave patients and providers 
in limbo.
    We did not propose and are not finalizing a requirement that the 
timeline for making data available only applies to prior authorization 
requests received via an electronic HIPAA-compliant X12 278 transaction 
and/or FHIR transaction. We know that payers currently support a 
variety of modalities for providers to submit prior authorization 
requests, including online portals, phone, and fax. We believe that 
patients should have access to their prior authorization data within 
the same timeframe, regardless of how the prior authorization request 
was submitted. Because we are not finalizing the requirement to include 
unstructured documentation, receiving documentation in an unstructured 
format as part of a request will not hamper or delay a payer's ability 
to make the required prior authorization data available through the 
Patient Access API. A HIPAA-compliant X12 278 transaction is, by 
definition, composed of structured data, which must be made available 
through the Patient Access API, though attachments to such a 
transaction are likely unstructured documentation. Finally, we note 
that if the payer receives a request that does not pass validation or 
cannot be processed for some other reason, this could be an acceptable 
status to provide. If a payer's system fails to receive such a request, 
we cannot expect the data to be made available via the Patient Access 
API.
    Comment: A commenter recommended that CMS require providers to 
respond to payers' requests for information within a certain timeframe 
and include information on provider response timeliness in the Patient 
Access API.
    Response: We did not propose a timeline for providers to respond to 
payers' requests for additional information. However, it is entirely 
appropriate for a prior authorization status to be ``waiting for 
additional information from provider'' or similar. That would indicate 
to the patient that the provider must take some action to receive 
approval of the prior authorization, which would allow them to follow 
up with the provider to ensure that is done in a timely manner.
    Comment: A couple of commenters requested clarification about the 
relationship between our Patient Access API requirements and ONC's 
information blocking regulations at 45 CFR part 171. Specifically, 
commenters questioned the implications of the

[[Page 8777]]

information blocking regulations if payers also meet the definition of 
a health information network (HIN) or HIE at 45 CFR 171.102. They 
questioned whether our timeline requirement is compatible with the 
``21st Century Cures Act: Interoperability, Information Blocking, and 
the ONC Health IT Certification Program'' final rule (85 FR 25642) (ONC 
Cures Act final rule), which the commenter explained requires 
information to be made available to the patient ``without delay.''
    Response: Any impacted payer should consider reviewing the ONC 
Cures Act final rule to determine whether they are an actor (as defined 
at 45 CFR 171.102) and to ensure they are complying with any applicable 
information sharing policies. The information blocking regulations (45 
CFR part 171) are based on separate statutory provisions (see 42 U.S.C. 
300jj-52), unrelated to our authority to issue this rule. We encourage 
commenters to address questions or complaints regarding information 
blocking to ONC.\16\
---------------------------------------------------------------------------

    \16\ Office of the National Coordinator for Health Information 
Technology (2023, November 2). Information Blocking. Retrieved from 
https://www.healthit.gov/topic/information-blocking.
---------------------------------------------------------------------------

    We work closely with ONC and our other Federal partners to ensure 
that our regulations do not place conflicting requirements or 
unnecessary burdens on entities that are regulated by more than one 
Federal agency. However, comments specific to the information blocking 
regulations or other regulations issued by ONC are outside the scope of 
this rule. Additional information is available from the Information 
Blocking page of ONC's website: https://www.healthit.gov/topic/information-blocking.
iv. Length of Prior Authorization Data Availability
    We proposed to require that information about prior authorizations 
be available via the Patient Access API for as long as the 
authorization is active and at least 1 year after the last status 
change. We note that, under the proposal, information on denied and 
expired prior authorizations would be available for at least 1 year 
after expiring or being denied. We did not propose to require payers to 
share a patient's full prior authorization history because that could 
comprise a significant amount of information that may no longer be 
clinically relevant. Claims, encounter, and clinical data can provide 
valuable information about a patient's health history. With those data 
available through the Patient Access API, we believe that process-
related information about long-expired or denied prior authorizations 
will be irrelevant. Also, as payers' prior authorization policies may 
change over time, that information has a limited lifespan of usefulness 
to a patient's current care. At the same time, the API should include 
information about all active authorizations for as long as they are 
active, and, therefore, may include information related to ongoing 
care.
    Comment: A majority of commenters supported CMS's proposal to 
require prior authorization information to be available via the Patient 
Access API for as long as the authorization is active and for 1 year 
after the last status change. Commenters opined that this timeframe 
balanced the benefits of data availability and the burden of 
maintaining data.
    Some commenters suggested that CMS require payers to make prior 
authorization information available through the Patient Access API for 
longer than 1 year after the last status change. For example, some 
commenters suggested 3 years and others 5 years as the appropriate 
period to make information available after the last status change. 
Other commenters recommended that CMS require payers to make all prior 
authorization information available via the Patient Access API until 1 
year after the patient is no longer covered by that payer. Those 
commenters stated that historical prior authorization information may 
yet be relevant to a patient's care or could create a record for 
patients to demonstrate that they face repeated barriers in accessing 
care or receiving coverage. Finally, another commenter suggested that 
those data may be important for long-term treatment that exceeds 1 
year.
    Response: We continue to believe that 1 year after the last status 
change is the appropriate amount of time to require payers to make 
historical prior authorization information available to patients 
through the Patient Access API. There may be other requirements outside 
the scope of this rulemaking that require certain payers to make health 
care records available to individuals over a longer time period. 
Further, this rulemaking does not address the record maintenance 
requirements that apply to impacted payers. We only address the 
timeframe during which certain data must be made available through 
specific APIs. While background information may impact and improve 
patient care, we believe that the availability of claims and clinical 
data are more important to patients and providers than information 
about prior authorizations that have expired or been denied. In fact, a 
patient's claims or encounter data are likely to include any items or 
services that were subject to a past prior authorization. As finalized 
in the CMS Interoperability and Patient Access final rule, and as 
modified by this final rule, payers are also required to make available 
through the Patient Access API any claims and encounter data, and all 
data classes and data elements included in a content standard at 45 CFR 
170.213 (USCDI), which includes clinical data, maintained by the 
impacted payer with a date of service on or after January 1, 2016.
    As discussed previously, some commenters stated that including 
prior authorization information in the Patient Access API could lead to 
information overload and confusion for patients. While we do not 
believe that to be the case for active and recent prior authorizations, 
it may be so if patients were presented with a large amount of 
historical prior authorization data that may no longer be relevant. 
Therefore, we believe that 1 year is the appropriate timeframe for 
requiring prior authorization data to be available via the Patient 
Access API. We emphasize that for ongoing long-term care, any active 
prior authorizations must be included, even if they have been in that 
status for more than 1 year. Furthermore, we encourage payers to make 
these prior authorization data available for longer than 1 year if they 
believe it adds value to patients, providers, or themselves and their 
own processes.
b. Interaction With HIPAA Right of Access Provisions
    Previous CMS interoperability proposals have elicited numerous 
comments regarding the interaction between the Patient Access API and 
HIPAA Privacy Rule individual right of access.\17\ Per 45 CFR 164.524, 
an individual patient generally has a right of access to inspect and 
obtain a copy of PHI about themselves in a designated record set for as 
long as the PHI is maintained in the designated record set by a covered 
entity. This includes the right to inspect or obtain a copy, or both, 
of the PHI. Our Patient Access API policies complement that right by 
requiring payers to make available--through a standards-based and 
interoperable FHIR API (that is, the Patient Access API)--PHI that 
patients already have a right to access. It is critical that 
individuals have access to their own health information and the ability 
to share it with others who are

[[Page 8778]]

involved in their care, particularly when it could involve care 
coordination between providers or prior authorization.
---------------------------------------------------------------------------

    \17\ See CMS Interoperability and Patient Access final rule (85 
FR 25516-19) and December 2020 CMS Interoperability proposed rule 
(85 FR 82586).
---------------------------------------------------------------------------

    Consistent with the HIPAA Privacy Rule, we believe that it behooves 
us to require all impacted payers to have the capability to provide 
individuals' PHI via an industry standard FHIR API, so that patients 
can access their data through apps of their choice. We believe that, in 
addition to the other benefits described in this final rule, ensuring 
that patients can receive their PHI in a standard, interoperable format 
that they can use with the latest technologies will reduce instances of 
an individual requesting PHI in an electronic format that is not 
readily producible, which could reduce costs and burden for patients 
and payers.
    In the CMS Interoperability and Patient Access final rule, we 
established that the only reason payers could deny API access to a 
patient's preferred health app is if it would present an unacceptable 
level of risk to the security of PHI on the payer's system. These risks 
include, for example, insufficient authentication or authorization 
controls, poor encryption, or reverse engineering. The payer must make 
that determination using objective, verifiable criteria that are 
applied fairly and consistently across all apps and developers.\18\
---------------------------------------------------------------------------

    \18\ See 42 CFR 422.119(e) for MA organizations; 42 CFR 
431.60(e) for state Medicaid FFS programs, through the existing 
cross reference at 42 CFR 438.242(b)(5) for Medicaid managed care 
plans; 42 CFR 457.730(e) for state CHIP FFS programs, through the 
existing cross reference at 42 CFR 457.1233(d) for CHIP managed care 
entities; and 45 CFR 156.221(e) for QHP issuers on the FFEs.
---------------------------------------------------------------------------

    As we discussed in the CMS Interoperability and Patient Access 
final rule (85 FR 25518), disagreement with the patient about the 
worthiness of a health app as a recipient of patient data, or even 
concerns about what the app might do with the requested data, are not 
acceptable reasons to deny an individual's request. Impacted payers may 
offer advice to patients on the potential risks of permitting an app or 
entity access to the patient data required to be made available via the 
Patient Access API. However, such efforts generally must stop at 
education and awareness or advice related to a specific app. Payers can 
inform the patient that the patient may not want to allow an app to 
access their data without a clear understanding of how that app may use 
their data, including how the patient's personal data would be used or 
sold (a possibility for apps that are not covered entities or business 
associates under the HIPAA Privacy Rule and the Security Standards for 
the Protection of Electronic Protected Health Information \19\ [the 
Security Rule]). For instance, if a payer learns that a particular app 
has publicly known privacy or security vulnerabilities, they could 
inform patients who use that app to access their data of those known 
vulnerabilities. Per our policies finalized in the CMS Interoperability 
and Patient Access final rule, if a patient still wants to use the app, 
or does not respond to the payer's warning, the impacted payer is 
required to share their data via the API, absent an unacceptable 
security risk to the payer's own system. For more information on this 
ability to inform patients, see the CMS Interoperability and Patient 
Access final rule at 85 FR 25550. Again, the finalized policies in this 
rule do not affect or alter any obligations under the HIPAA Privacy and 
Security Rules.
---------------------------------------------------------------------------

    \19\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C.
---------------------------------------------------------------------------

    While FHIR itself does not define security-related functions, when 
used in combination with appropriate security controls (such as 
authentication and access control), a FHIR API can and should be 
implemented and maintained to comply with the HIPAA Security Rule, at 
45 CFR parts 160 and 164, subparts A and C, for secure data 
exchange.\20\ Furthermore, a covered entity is not liable for what 
happens to the PHI once the designated third party receives the 
information as directed by the individual.\21\
---------------------------------------------------------------------------

    \20\ Health Level Seven International (2022, May 28). HL7 FHIR 
Release 4. 6.1.0 FHIR Security. Retrieved from http://www.hl7.org/Fhir/security.html.
    \21\ Office for Civil Rights (2020, January 31). What is the 
liability of a covered entity in responding to an individual's 
access request to send the individual's PHI to a third party? 
Retrieved from https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html.
---------------------------------------------------------------------------

    Our policies in this section address how an impacted payer must 
make patients' data available to them. However, we do not have the 
authority to regulate health apps that individuals may wish to use, or 
what those apps do with patient data. Regardless of whether the HIPAA 
Privacy and Security Rules apply to a health app, and even where they 
do not apply, other Federal laws such as the Federal Trade Commission 
(FTC) Act may apply. Under section 5 of the FTC Act (15 U.S.C. 45(a)), 
the FTC has authority to challenge unfair or deceptive trade practices, 
including those related to the privacy and security of personal health 
information that apps collect, use, maintain, or share. For example, if 
an app discloses an individual's health information in a manner 
inconsistent with the app's privacy policy, terms of use, or an 
individual's reasonable expectations, or fails to take reasonable 
measures to assess and address privacy or data security risks, the 
developer of that app may be violating the FTC Act. The FTC has applied 
its section 5 authority to a wide variety of entities, including health 
apps.\22\ For more information about what laws may apply to health 
apps, see https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool.
---------------------------------------------------------------------------

    \22\ See U.S. v. Easy Healthcare Corp., Case No. 1:23-cv-3107 
(N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v; In the Matter 
of BetterHelp, Inc., FTC Dkt. No. C-4796 (July 14, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter; U.S. v. GoodRx Holdings, Inc., Case No. 23-
cv-460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; In the Matter of Flo 
Health Inc., FTC Dkt. No. C-4747 (June 22, 2021), https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc.
---------------------------------------------------------------------------

    The FTC also enforces the FTC Health Breach Notification Rule (16 
CFR part 318), which applies to most health apps and similar 
technologies that are not covered entities or business associates under 
HIPAA and, therefore, are not subject to the HIPAA Breach Notification 
Rule (45 CFR 164.400 through 164.414).\23\ The FTC's Health Breach 
Notification Rule sets forth steps that entities covered by that rule 
must follow when there has been a breach of unsecured personal health 
information. Any violation of the FTC's Health Breach Notification Rule 
is treated as an unfair or deceptive act or practice under section 18 
of the FTC Act and is subject to civil penalties of up to $50,120 per 
violation per day.\24\ In 2023, the Commission brought its first 
enforcement actions under the Health Breach Notification Rule.\25\
---------------------------------------------------------------------------

    \23\ Federal Trade Commission (January 2022). Complying with 
FTC's Health Breach Notification Rule. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule. See also Federal Trade Commission 
(2021, September 15). Statement of the Commission on Breaches by 
Health Apps and Other Connected Devices. Retrieved from https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
    \24\ 16 CFR 1.98 makes inflation adjustments in the dollar 
amounts of civil monetary penalties provided by law within the 
Commission's jurisdiction.
    \25\ See U.S. v. Easy Healthcare Corp., Case No. 1:23-cv-3107 
(N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v; U.S. v. 
GoodRx Holdings, Inc., Case No. 23-cv-460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.

---------------------------------------------------------------------------

[[Page 8779]]

c. Patient Access API Metrics
    We proposed to require impacted payers to report metrics to CMS on 
an annual basis about how patients use the Patient Access API, in the 
form of aggregated, de-identified data. We stated that those reports 
would help CMS better understand whether the Patient Access API 
requirement is efficiently and effectively ensuring that patients have 
access to their health information and whether payers are providing 
that required information in a transparent and timely way. 
Additionally, we stated that aggregated usage data from every impacted 
payer would help us evaluate whether the Patient Access API policies 
are achieving the desired goals. We also stated that gathering this 
information would help us to provide targeted support or guidance to 
impacted payers, if needed, to help ensure that patients have access to 
their data and can use their data consistently across the impacted 
payer types.
    Specifically, we proposed that impacted payers annually report--
     The total number of unique patients whose data are 
transferred via the Patient Access API to a health app designated by 
the patient; and
     The total number of unique patients whose data are 
transferred more than once via the Patient Access API to a health app 
designated by the patient.
    Tracking multiple data transfers would indicate repeat access, 
showing that patients are either using multiple apps or allowing apps 
to update their information over the course of the year. While data 
transfers may not indicate to what extent patients are using apps to 
manage their health care, it would be a preliminary indicator of 
interest in the technology.
    Comment: A majority of commenters supported CMS's proposal to 
require impacted payers to report aggregated, de-identified data 
metrics on how patients use the Patient Access API to CMS annually.
    Response: We thank commenters for their feedback.
    Comment: Commenters recommended that these metrics only be used to 
evaluate the effectiveness of CMS's policies and to assess whether 
patients are using the Patient Access API in a volume sufficient to 
justify the administrative burden of existing and future requirements. 
A commenter stated that these metrics would not reflect factors within 
a payer's control and recommended that CMS work with FTC to have third-
party app developers directly report these metrics. Another commenter 
warned that these metrics may not account for patient preferences for 
portals or other resources aside from apps. A commenter recommended 
that neither CMS nor state Medicaid agencies attempt to regulate or 
oversee the usage of third-party apps by their users. Another commenter 
supported the annual public reporting of Patient Access API metrics 
provided that this information is not made publicly available in a 
manner that identifies specific payers or apps.
    Response: We acknowledge that patient app usage is generally 
outside the control of payers, though education can help patients make 
informed decisions. We emphasize that we proposed and will be 
collecting these metrics, not to evaluate or compare payers, but to 
help us understand how patients are using apps, the effectiveness of 
our Patient Access API policies, and to assess potential future 
rulemaking.
    Making data available via a FHIR API gives patients a wider range 
of options to access their data. Ultimately, patients must decide what 
method of accessing their health information is most useful to them. If 
patients prefer to use online portals, rather than apps, that could 
inform future rulemaking. However, to understand how patients are 
accessing data made available through the API using a heath app 
designated by the patient, we must have access to the relevant data. We 
do not intend to interfere with how a patient uses a third-party app 
(and neither should impacted payers, including state Medicaid 
agencies), but to provide them options to access their data in the way 
that best suits them. As discussed previously, the only permissible 
reason to deny or discontinue an app's access to an API is if the payer 
reasonably determines that the app presents an unacceptable level of 
risk to the security of PHI on the payer's systems.
    We do not have the authority to require app developers to report 
usage metrics, and even if we did collect data from them, it would not 
provide the information that we are seeking, as developers would not 
know a patient's health coverage status. For instance, a developer 
could tell us that an individual connected to a specific payer 
organization but would not be able to report whether the patient is 
covered under by an MA plan or QHP. Finally, as noted in the proposed 
rule, we do not intend to publicly publish these Patient Access metrics 
in a way that identifies specific payers or apps.
    Comment: A few commenters suggested that CMS establish an easy-to-
use standardized format for reporting Patient Access API metrics.
    Response: We appreciate the request from commenters and are 
finalizing a modification to our proposed regulatory text to require 
reporting in a specified form and manner to ensure consistency between 
impacted payers. We will issue specific format and process guidance for 
submitting Patient Access API metrics before reporting is required.
    Comment: Most commenters supported CMS's proposed metrics, as they 
could provide valuable information regarding Patient Access API 
adoption and use.
    Commenters voiced widespread support for the first metric to 
measure usage of the Patient Access API. Support for the second metric 
was mixed, with multiple commenters questioning its value to the API's 
policy evaluation. Commenters warned that this metric would be affected 
by many external factors, including the user experience of the app, as 
opposed to acts of the payer. Another commenter stated that the second 
measure would not provide meaningful insight into patient use patterns, 
and instead suggested that CMS should solicit information about usage 
patterns from app developers.
    Response: We understand that the metric on repeat usage may not 
provide a high level of statistical validity, which is why we are not 
requiring these metrics to be reported publicly. However, it is 
important for CMS to understand how many patients are using the Patient 
Access API and whether they have simply tried it once or are invested 
in using health apps to manage their data. These findings will help us 
monitor our interoperability policies and plan for the future. We did 
not receive any comments that indicated that submitting either of these 
metrics would be a significant burden for impacted payers.
    We acknowledge that these metrics could be affected by a plethora 
of external factors outside of payers' control. As noted previously, we 
are collecting these metrics to better enable us to evaluate our 
policies in this area. As we do not have regulatory authority over app 
developers, we did not propose to impose reporting requirements on 
them.
    Comment: A commenter requested that CMS explain what constitutes a 
``unique patient'' so that payers can identify unique patients in the 
same manner, so the results are not varied.
    Response: We define a unique patient by the record of the 
individual covered by the payer's benefits, not by the individual 
accessing the data. Therefore, if both a patient and their personal 
representative access their data, that will only be counted as usage by 
a

[[Page 8780]]

single patient for the purpose of these metrics.
i. Reporting Level
    We proposed to require MA organizations to report these data to CMS 
at the organization level, state Medicaid and CHIP FFS programs, 
Medicaid managed care plans, and CHIP managed care entities to report 
at the state level, and QHP issuers on the FFEs to report at the issuer 
level. We solicited comment on whether we should require payers that 
administer multiple plans under a single contract to report these data 
to CMS at the contract level. We also solicited comment on an 
alternative final policy that would permit MA organizations, Medicaid 
managed care plans, CHIP managed care entities, and QHP issuers on the 
FFEs to report aggregate data at higher levels (such as the parent 
organization level or all plans of the same type in a program).
    Comment: We received comments espousing a range of opinions on the 
appropriate level of reporting for impacted payers.
    Specifically for MA organizations, multiple commenters recommended 
a more granular metric reporting level, noting that reporting Patient 
Access API metrics at the plan level would better drive plan-specific 
improvement efforts and be more consistent with current industry 
practice. Conversely, a commenter stated that organization level would 
simplify report preparation since some MA organizations have ten or 
more separate plan contracts with CMS. A commenter recommended that CMS 
not require reporting at the more granular contract level as any 
metrics based on small populations could lead to skewed data.
    Many commenters supported our proposed reporting levels for Patient 
Access API use metrics for state Medicaid and CHIP FFS programs, 
Medicaid managed care plans, CHIP managed care entities, and QHP 
issuers on the FFEs.
    On the other hand, a commenter recommended that payers be required 
to report metrics at the county level, rather than the state level. 
Another commenter warned that too much aggregation can make data 
meaningless and stated that payers should prioritize data metrics that 
can be acted upon effectively. Conversely, a commenter recommended that 
CMS allow consolidation of Patient Access API use metrics at the 
holding or parent company level, which would aggregate that company's 
MA plans, Medicaid managed care plans, CHIP managed care entities, 
QHPs, and commercial plans. Another commenter suggested that CMS begin 
collecting metrics at a more aggregated level and wait to implement 
more refined data segmentation as a clear use case arises.
    Response: Upon further consideration, we determined that contract 
level is the more appropriate reporting level for MA organizations. 
Contract-level data are aggregated data that are collected from the 
plan benefit packages (PBPs) offered under an individual contract; it 
is specific to the contract to which it corresponds. CMS already 
requires MA organizations to annually report some contract-level data 
about their organization determinations to the agency. A consistent 
approach of contract-level reporting in the MA program will give us 
useful information while limiting payer burden. By requiring contract-
level reporting for these metrics, we ensure that the format of these 
reported data remain consistent with other data that MA organizations 
are required to report. There could be value to requiring MA 
organizations to report on a plan level in the future to get more 
discrete data. However, at this time, we believe that the burden of 
requiring MA organizations to report at the plan level, and the small 
sample sizes that some plans would have, outweigh the benefits of that 
information.
    We agree that requiring Medicaid managed care plans and CHIP 
managed care entities to report at the state level and QHP issuers on 
the FFEs to report at the issuer level balances the reporting burden 
and the meaningfulness of the data. Aggregating by holding company 
would provide data that are not particularly useful. Many commenters 
recommended that we use this information to monitor disparities in data 
access, which would be hindered without disaggregation between MA, 
Medicaid, CHIP, and QHPs. Similarly, we do not believe that 
additionally segmenting data into smaller geographic areas would 
provide useful information now, though in the future we may consider 
whether it would be beneficial.
    We note that CMS programs may assess whether to collect more 
detailed metrics than we are finalizing here. For instance, we may 
consider requiring in future rulemaking that MA plans report at a more 
discrete level. Similarly, should a state Medicaid or CHIP agency 
believe it would be beneficial, they may require additional metrics in 
their managed care contracts.
    Comment: A few commenters requested that we explain whether 
integrated care plans for dually eligible individuals, such as fully 
integrated dual eligible special needs plans (FIDE SNPs), should report 
consistent with MA organizations, at the contract level, or with 
Medicaid managed care plans, at the plan level.
    Response: An integrated care plan generally combines a dual 
eligible special needs plan (D-SNP), which includes FIDE SNPs and 
highly integrated dual eligible special needs plans (HIDE SNPs)--both 
as defined at 42 CFR 422.2, and a Medicaid managed care plan offered by 
the same parent organization. D-SNPs are a type of MA plan designed to 
meet the needs of individuals who are dually eligible for Medicare and 
Medicaid, also known as dually eligible individuals. Therefore, an MA 
organization will report information about Patient Access API usage by 
its D-SNP enrollees to CMS at the MA organization's contract level. The 
affiliated Medicaid managed care plan will report information about 
Patient Access API usage by its enrollees to CMS at the plan level.
    We understand that this means an organization that offers an 
integrated product for dually eligible individuals (for example, a FIDE 
SNP), may report twice and in different ways for the same population. 
We do not believe this duplication outweighs the benefits of capturing 
the data as we proposed, but we may consider future rulemaking to 
separate reporting for integrated D-SNPs from the overall MA 
organization.
ii. Annual Reporting
    We proposed that payers must report metrics from the previous 
calendar year to CMS by March 31st of each year. Under our proposal, in 
the first year the requirement would be applicable, payers would report 
CY 2025 data by March 31, 2026. A new MA organization, Medicaid managed 
care plan, CHIP managed care entity, or QHP issuer on the FFEs would 
naturally have no data to report in its first year of existence and 
would be required to report data following its first full calendar year 
subject to the Patient Access API requirement.
    Comment: Multiple commenters expressed support for CMS's proposal 
to require payers to share patient use metrics annually starting with 
CY 2025 to be reported to CMS by March 31, 2026. Some commenters 
recommended that we delay the first year of the reporting requirement 
to CY 2026, which would be reported no later than March 31, 2027. 
Another commenter suggested that we delay the reporting deadline 
because a technical solution would need to be in place by the end of 
late 2024 to have metrics for CY 2025 to report in March 2026.
    Response: We note that per the CMS Interoperability and Patient 
Access final rule, impacted payers were required to

[[Page 8781]]

implement the Patient Access API no later than January 1, 2021. The 
metrics that we proposed were not tied to the implementation of any 
other proposals in the CMS Interoperability and Prior Authorization 
proposed rule, including adding prior authorization information to the 
data available via the Patient Access API. Based on this rule's 
publication schedule, payers should have sufficient time to implement 
any necessary changes to report these metrics.
    Comment: A majority of commenters supported the proposed annual 
reporting requirement, though multiple commenters recommended that CMS 
consider requiring payers to report Patient Access API metrics 
quarterly. A commenter recommended that as the popularity for Patient 
Access API grows, use metrics should be reported on a quarterly basis.
    Commenters agreed that requiring payers to report data on API usage 
from the previous calendar year to CMS by March 31 provides an 
appropriate amount of time for payers to validate the data before 
submitting it to CMS.
    Response: After reviewing the comments, we agree that annual 
reporting is the appropriate frequency for these metrics. Given that we 
are looking to understand the overall usage of third-party apps and any 
patterns between payers, we do not believe that the burden of requiring 
payers to report these metrics quarterly would improve our 
understanding of whether patients are accessing the Patient Access API. 
We may in the future consider proposing more frequent reporting or 
additional metrics, but for the two metrics we are finalizing now, we 
do not expect that it would be beneficial to require payers to report 
more often than annually.
iii. Public Reporting
    In the preamble to our proposed rule, we stated that we do not plan 
to publicly report these metrics at the state, plan, or issuer level, 
but may reference or publish aggregated and de-identified data that do 
not include names of specific state agencies, plans, or issuers.
    Comment: Some commenters recommended that CMS require payers to 
publicly report Patient Access API metrics, as they believe that health 
IT companies and developers would benefit from the information. 
Commenters stated that by making these metrics public, CMS can help 
patients and stakeholders better understand the impact of access APIs 
and help inform future innovations that promote patient access and 
future decision making. A commenter recommended that CMS consider 
publicly reporting plan-reported information at the state, plan, or 
issuer level.
    Other commenters did not support CMS publicly reporting Patient 
Access API use metrics. Multiple commenters stated that this could 
provide inaccurate information and potentially reveal identifying 
information. A commenter cautioned that publicizing reports, 
particularly of the second proposed metric (the total number of 
patients whose data are transferred more than once to a specific third-
party app), may give consumers an inaccurate portrayal of API success.
    Response: There may be value to publicly reporting aggregated and 
de-identified data to give the public a sense of Patient Access API 
adoption across the industry. But we agree with commenters that, absent 
the proper context, those data could be perceived inaccurately or 
misleadingly. As discussed, some commenters expressed that there is 
currently low health app adoption among patients regardless of the type 
of payer. We also understand that low patient adoption does not 
necessarily indicate a lack of payer readiness or compliance. 
Therefore, until we are confident that these data can be presented in 
an easy-to-understand and meaningful way, we may publicly report 
aggregated and de-identified data, but will not include names of 
specific state agencies, plans, or issuers unless and until proposed 
through future rulemaking.
iv. Other Metrics
    We requested comment on what other Patient Access API metrics we 
should consider requiring payers to report to CMS and/or make available 
to the public in future rulemaking. For instance, we solicited comments 
on whether payers could report aggregated demographic information, such 
as sex, race, age, ethnicity, and geographic data and whether that 
could help identify underserved populations or disparities in patient 
access to health data and, if so, policies that should be considered to 
promote equity. We also solicited comments on the potential benefits 
and burdens of requiring payers to report the names of all apps that 
patients have used to access the payers' API each year. We considered 
collecting this information, or requiring payers to make it public, not 
for the purpose of recommending or endorsing specific apps, but to 
review for best practices and evaluate patient ease of use.
    Comment: Commenters provided many recommendations for additional 
Patient Access API metrics.
    Response: We greatly appreciate the wide range of metric 
suggestions, such as indicators on demographic information, 
utilization, query management, successful requests, and barriers to 
accessing records. We will continue to research additional ways to 
evaluate the effectiveness of the API for consideration in future 
rulemaking.
d. Patient Access API Amendments
    We proposed two minor terminology changes to the requirements 
finalized in the CMS Interoperability and Patient Access final rule (85 
FR 25558). Unlike most of our proposals, we proposed that these 
amendments would take effect on the effective date of the final rule. 
We proposed these changes to explain terms but did not expect them to 
substantively change any current regulatory obligation.
    First, we proposed to revise the description of the clinical data 
impacted payers must make available via the Patient Access API. These 
provisions, finalized in the CMS Interoperability and Patient Access 
final rule, currently require payers to make available ``clinical data, 
including laboratory results'' (85 FR 25536-40). We proposed to revise 
these paragraphs to specify that the data that payers must make 
available are ``all data classes and data elements included in a 
content standard at 45 CFR 170.213.'' That citation is to a content 
standard maintained by ONC of clinical data classes and data elements 
for interoperable health information exchange. Referring explicitly in 
the rule text to a data set in a standard at 45 CFR 170.213 will help 
avoid unnecessary confusion, as this reference will more clearly 
identify exactly what data must be available through the Patient Access 
API. Furthermore, this change brings us into greater alignment with the 
standards promulgated by ONC and used by certified health IT 
developers.
    As versions of the USCDI evolve, there may simultaneously be 
multiple versions of the standard referenced at 45 CFR 170.213 (as both 
v1 and v3 are listed at the time of publication of this final rule). In 
the HTI-1 final rule, ONC finalized the adoption of USCDI v3 in 170.213 
and finalized a January 1, 2026, expiration date for USCDI v1 (89 FR 
1192). For the ONC Health IT Certification Program, this allows for a 
transition period between standards, and, during that time, health IT 
developers could incorporate updated standards versions within their 
systems and complete required certification. During such a period, when 
45 CFR 170.213 includes more than one version of the USCDI standard, 
payers would be

[[Page 8782]]

allowed to use any of the then-referenced content standards to meet the 
requirement to make clinical data available through the Patient Access 
API. If a standard has a listed expiration date (as USCDI v1 is 
currently listed to expire on January 1, 2026), payers would not be 
able to be use it after expiration.
    Second, we proposed to revise the language previously finalized for 
denial or discontinuation of a health app's access to the API. 
Currently, the rules require impacted payers to make a determination to 
deny or discontinue access to the Patient Access API using objective, 
verifiable criteria that are applied fairly and consistently across all 
apps and developers through which ``enrollees'' or ``beneficiaries'' 
seek to access patient data. We proposed to change the terms 
``enrollees'' and ``beneficiaries'' to ``parties'' for consistency with 
our proposal to apply this provision to the Provider Access, Payer-to-
Payer, and Prior Authorization APIs. We stated that because parties 
other than patients, such as providers and payers, would be accessing 
these APIs, it would be more accurate to use the term ``parties'' 
rather than ``enrollees'' or ``beneficiaries.'' Those APIs are 
discussed further in sections II.B., II.C., and II.D. of this final 
rule.
    Comment: All comments we received on these technical language 
proposals supported our effort to keep the Patient Access API required 
data aligned with ONC's standards. However, we did receive a variety of 
comments on the USCDI standard currently referenced at 45 CFR 170.213. 
Those comments are discussed in section II.G. of this final rule.
    A commenter requested clarification on whether payers would be 
required to request information from providers to fill any data classes 
and data elements of the standard at 45 CFR 170.213 that are missing 
within their records. Similarly, another commenter requested that CMS 
explain that the requirement to provide claims and encounter data 
within 1 business day applies only to information available at the time 
of the request.
    Response: In the CMS Interoperability and Patient Access final 
rule, we defined ``maintain'' to mean the payer has access to the data, 
control over the data, and authority to make the data available through 
the API (85 FR 25538). Under that existing regulation, payers are 
required to share data that they maintain as part of their normal 
operations. Nothing in this final rule will change that existing 
policy; payers are not required to reach out to providers or other 
entities to gather data that the payer does not already maintain, if it 
is not part of their normal operations, to share via the Patient Access 
API. We thank commenters for their feedback and are finalizing this 
proposal without modification.
    We note that we are not modifying the Patient Access API 
applicability date for MA at 42 CFR 422.119(h), for Medicaid FFS at 42 
CFR 431.60(h), for CHIP FFS at 42 CFR 457.730(h), and for QHP issuers 
on the FFEs at 45 CFR 156.221(i) because these amendments do not 
substantively change any existing requirements finalized in the CMS 
Interoperability and Patient Access final rule.
e. Medicaid Expansion CHIP Programs
    In the CMS Interoperability and Prior Authorization proposed rule, 
we discussed implementation for states with Medicaid Expansion CHIP 
programs (86 FR 76279). See section II.E. of this final rule for that 
complete discussion, including a summary of public comments received 
and our final action statement.
f. Specific CHIP-Related Regulatory Framework
    For CHIP, we proposed amendments to 42 CFR 457.1233(d) that would 
align separate CHIP managed care API requirements with the Medicaid 
managed care plan API requirements, rather than with the CHIP FFS API 
requirements. In the CMS Interoperability and Patient Access final rule 
(85 FR 25559), we finalized requirements for separate CHIP managed care 
entities at 42 CFR 457.1233(d). API requirements for CHIP managed care 
entities were codified at 42 CFR 457.1233(d)(2) and (3) through cross-
references to CHIP FFS program requirements at 42 CFR 457.730 and 
457.760, respectively. On November 13, 2020, we published a final rule 
titled ``Medicaid Program; Medicaid and Children's Health Insurance 
Program (CHIP) Managed Care'' (85 FR 72754). In that rule, we removed 
42 CFR 457.1233(d)(1) through (3), and, at 42 CFR 457.1233(d), cross-
referenced to Medicaid managed care regulatory requirements at 42 CFR 
438.242. Therefore, the policies in the CMS Interoperability and 
Patient Access final rule (85 FR 25559) are applicable to separate CHIP 
managed care entities per 42 CFR 457.1233(d) through a cross reference 
to Medicaid managed care at 42 CFR 438.242. We apply the API 
requirements in this final rule to separate CHIP managed care entities 
through the existing cross reference at 42 CFR 457.1233(d) to Medicaid 
managed care at 42 CFR 438.242.
3. Other Requests for Comment
    We requested comment on a variety of topics on which we did not 
make specific proposals but are reviewing for future consideration. We 
appreciate commenters' submissions regarding the following:
     How we could and should apply these requirements to 
Medicare FFS and its existing prior authorization requirements and 
standards.
     What policy levers we might have to create norms or best 
practices for privacy policies by health app developers.
     How we could leverage ONC's TEFCA or other HHS HIE 
initiatives to facilitate secure interoperable data exchange with 
health apps.
     The availability of apps that are accessible to 
individuals with disabilities, availability of apps in a multitude of 
languages to ensure that individuals with limited English proficiency 
can understand the information provided, and availability of apps at 
appropriate literacy levels and in plain language.
BILLING CODE 4150-28-P

[[Page 8783]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.000


[[Page 8784]]


BILLING CODE 4150-28-C
4. Final Action
    After considering the comments received, and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule and our response to those comments (as summarized previously), we 
are finalizing our proposals with the following modifications:
     Impacted payers must make information about prior 
authorization requests and decisions available via the Patient Access 
API beginning 2027 (by January 1, 2027, for MA organizations and state 
Medicaid and CHIP FFS programs; by the rating period beginning on or 
after January 1, 2027, for Medicaid managed care plans and CHIP managed 
care entities; and for plan years beginning on or after January 1, 
2027, for QHP issuers on the FFEs), rather than in 2026.
     Impacted payers are not required to share the quantity of 
items or services used under a prior authorization via the Patient 
Access API.
     Impacted payers are not required to share unstructured 
documentation related to prior authorizations via the Patient Access 
API.
     MA organizations must report Patient Access API metrics at 
the contract level rather than at the proposed organizational level.
    See further discussion for exact details of the final requirements 
for impacted payers.
    Specifically, we are finalizing a requirement that, beginning 2027 
(by January 1, 2027, for MA organizations and state Medicaid and CHIP 
FFS programs; by the rating period beginning on or after January 1, 
2027, for Medicaid managed care plans and CHIP managed care entities; 
and for plan years beginning on or after January 1, 2027, for QHP 
issuers on the FFEs), impacted payers must make the all of following 
information available about prior authorization requests and decisions 
(excluding for drugs) available via the Patient Access API:
     The prior authorization status.
     The date the prior authorization was approved or denied.
     The date or circumstance under which the prior 
authorization ends.
     The items and services approved.
     If denied, a specific reason why the request was denied.
     Related structured administrative and clinical 
documentation submitted by a provider.
    We are finalizing the requirement that impacted payers make this 
information about prior authorizations available no later than 1 
business day after the payer receives a prior authorization request and 
must update that information no later than 1 business day after any 
status change. This information must be available for the duration that 
the authorization is active and at least 1 year after the prior 
authorization's last status change.
    We are finalizing a requirement that, beginning 2026, impacted 
payers must annually report Patient Access API metrics to CMS in the 
form of aggregated, de-identified data. Specifically, by March 31, MA 
organizations at the contract level, state Medicaid and CHIP FFS 
programs, Medicaid managed care plans and CHIP managed care entities at 
the state level, and QHP issuers on the FFEs at the issuer level must 
report the following metrics: (1) the total number of unique patients 
whose data are transferred via the Patient Access API to a health app 
designated by the patient; and (2) the total number of unique patients 
whose data are transferred more than once via the Patient Access API to 
a health app designated by the patient. Impacted payers must report the 
previous calendar year's metrics to CMS by March 31 following any year 
that they offered that type of plan.
    We are finalizing, as of the effective date of this final rule, the 
replacement of ``clinical data, including laboratory results'' with 
``all data classes and data elements included in a content standard at 
45 CFR 170.213'' in the required content for the Patient Access API. We 
are also finalizing, as of the effective date of this final rule, to 
change the terms ``enrollees'' and ``beneficiaries'' to ``parties'' at 
42 CFR 422.119, 431.60, and 438.62 and 45 CFR 156.221.
    These final policies apply to MA organizations, state Medicaid and 
CHIP FFS programs, Medicaid managed care plans, CHIP managed care 
entities, and QHP issuers on the FFEs at the CFR sections listed in 
Table B1.
5. Statutory Authorities for the Patient Access API Policies
    We note that we received no public comments on the statutory 
authorities for our Patient Access API policies.
a. MA Organizations
    For MA organizations, we proposed these new requirements and the 
revisions to current requirements under our authority at sections 
1856(b)(1) of the Act (to promulgate regulations implementing MA 
organization standards, including the requirements in section 1852(h) 
of the Act), and 1857(e)(1) of the Act (to add contract terms 
determined by the Secretary to be ``necessary and appropriate''). 
Section 1856(b)(1) of the Act requires the Secretary to establish 
regulatory standards for MA organizations that are consistent with and 
carry out Part C of the Medicare statute, Title XVIII of the Act. 
Section 1852(h) of the Act requires that MA organizations have 
procedures in place to maintain accurate and timely medical records and 
health information regarding MA enrollees and to assure enrollees have 
timely access to such records and information. Our policy for the 
Patient Access API is to require access for enrollees to specified 
medical records and health information through a specific mechanism 
from the MA organization. The Secretary is authorized under section 
1857(e)(1) of the Act to add new contract terms, including additional 
standards and requirements, for MA organizations that the Secretary 
finds necessary and appropriate and that are not inconsistent with Part 
C of the Medicare statute. The policies here meet this standard by 
addressing and facilitating access to enrollees' medical records and 
health information for the reasons identified in our discussions for 
each policy.
    The policy in section II.A.2.a. of this final rule that will 
require MA organizations to make an enrollee's prior authorization 
requests and related clinical documentation available through the 
Patient Access API will allow these enrollees to have access to that 
information in a convenient, timely, secure, and portable way, which is 
in enrollees' best interests. This requirement is consistent with 
section 1852(h) of the Act, which requires MA organizations to assure 
enrollees timely access to their records and data that is maintained by 
MA organizations. To ensure that MA organizations meet modern-day 
patient expectations of transparency, efficiency, and timeliness when 
providing prior authorization data to enrollees, it is essential for 
CMS to ensure that each MA organization has a standardized system in 
place that offers enrollees access to their own data, including data 
that pertain to their prior authorizations, using existing and emerging 
technologies of their choice, specifically in this case, health apps. 
Therefore, making these data available through the Patient Access API 
is consistent with our programmatic authority to establish standards to 
implement section 1852(h) of the Act and could help patients be more 
informed about and active in their own care, which could potentially 
lead to better health outcomes.
    Making this information available via the Patient Access API could 
help patients support the prior authorization

[[Page 8785]]

process as well. Patients could see what information is needed and what 
information has been provided on their behalf to facilitate a prior 
authorization request. Patients could provide missing information 
needed by the payer to reach a decision. This could allow MA 
organizations to address prior authorization requests more promptly, 
streamlining this process, and thus simplifying prior authorization for 
the MA organizations. This could also improve an enrollee's experience 
with the process, by facilitating more timely and potentially more 
successful initial prior authorization requests. This, again, supports 
efficient operation and timely provision of information and services.
    In addition, to ensure the requirements finalized in the CMS 
Interoperability and Patient Access final rule (85 FR 25558 through 
25559) would be most effective, CMS finalized in this rule that MA 
organizations report specific metrics to CMS on patient use of the 
Patient Access API. Section 1857(e)(1) of the Act explicitly authorizes 
the adoption of additional reporting to CMS by MA organizations where 
necessary and appropriate. Here, these metrics would facilitate CMS's 
oversight, evaluation, and administration of patient health data access 
in the Part C program and, therefore, this data collection is necessary 
and appropriate to adopt.
    In alignment with HHS's priorities and goals, CMS is focused on 
putting patients at the center of their own health care and ensuring 
that patients have secure access to their health information. We 
believe these policies are critical and appropriate to ensure that MA 
organizations stay abreast of industry standards and continue to offer 
enrollees not only quality coverage but also a quality customer 
experience.
b. Medicaid and CHIP
    Our finalized requirements in this section for Medicaid managed 
care plans and Medicaid state agencies fall generally under our 
authority in sections 1902(a)(4), 1902(a)(7), 1902(a)(8), and 
1902(a)(19) of the Act. Section 1902(a)(4) of the Act requires that a 
state Medicaid plan provide such methods of administration as are found 
by the Secretary to be necessary for the proper and efficient operation 
of the state Medicaid plan. Section 1902(a)(8) of the Act requires 
states to ensure that Medicaid services are furnished with reasonable 
promptness to all eligible individuals. Section 1902(a)(19) of the Act 
requires states to ensure that care and services under a Medicaid state 
plan are provided in a manner consistent with simplicity of 
administration and the best interests of the recipients.
    In addition, section 1902(a)(7) of the Act requires that states 
must provide safeguards that restrict the use or disclosure of 
information concerning Medicaid applicants and beneficiaries to 
purposes that are directly connected with the administration of the 
Medicaid state plan. The implementing regulations at 42 CFR part 431, 
subpart F, for section 1902(a)(7) of the Act list purposes that CMS has 
determined are directly connected with administration of Medicaid state 
plans (42 CFR 431.302) and require states to provide safeguards meeting 
certain requirements to restrict uses and disclosures of Medicaid 
beneficiary data, including requirements about releasing applicant and 
beneficiary information at 42 CFR 431.306.
    Our policy to require that the prior authorization data described 
in this section be shared via the Patient Access API would be 
consistent with the requirement at section 1902(a)(7) of the Act, 
providing that states may share these data only for purposes directly 
connected with the administration of the Medicaid state plan. The data 
sharing policy for the Patient Access API would be related to providing 
services for Medicaid beneficiaries, a purpose listed at 42 CFR 
431.302(c). As mentioned previously, giving a patient access to their 
own health information can make them a more active participant in 
ensuring they receive timely and appropriate care (for example, 
allowing them to monitor medications or access treatment history).
    The finalized requirement to make information about prior 
authorization requests and associated documentation available through 
the Patient Access API is expected to allow beneficiaries to more 
easily obtain information about the status of prior authorization 
requests submitted on their behalf. Beneficiaries could potentially use 
that information to make more informed decisions about their health 
care, improve the efficiency of accessing and scheduling services, and, 
if needed, provide missing information that the state (or Medicaid 
managed care plan, if applicable) needs to reach a decision. Receiving 
missing information more quickly could enable more prompt responses 
from state Medicaid FFS programs and Medicaid managed care plans to 
prior authorization requests, thus facilitating more timely and 
successful prior authorizations. This would help states fulfill their 
obligations to provide care and services in a manner consistent with 
simplicity of administration and the best interests of the recipients 
and to furnish services with reasonable promptness to all eligible 
individuals. Improving the prior authorization process could also help 
improve the efficient operation of the state plan by potentially 
improving the speed and consistency of prior authorizations, which 
could, in turn, facilitate faster access to care for beneficiaries. In 
these ways, these policies are authorized under section 1902(a)(4), 
(8), and (19) of the Act.
    Additionally, states must apply the safeguards described at 42 CFR 
431.306 when sharing beneficiary data via the Patient Access API. We 
remind states that to meet the requirements of that regulation, states 
must have consistent criteria for release and use of information (which 
should comply with the finalized Patient Access API requirements), in 
accordance with 42 CFR 431.306(a). Access to information concerning 
beneficiaries must be restricted to persons who are subject to 
standards of confidentiality that are comparable to that of the state 
Medicaid agency, in accordance with 42 CFR 431.306(b). The permission 
requirement at 42 CFR 431.306(d), which requires that the state agency 
obtain permission from a family or individual, whenever possible, 
before responding to a request for information from an outside source, 
is not relevant to this policy, because any request for beneficiary 
information would be from Medicaid beneficiaries themselves and the 
apps that they are authorizing to receive their information. 
Beneficiaries are not ``outside sources,'' and, while apps might be 
outside sources, information is shared with an app through this API 
only if the beneficiary has verified their identity (through 
authentication protocols) and authorized the app to receive 
information. We do not believe that any of the other requirements at 42 
CFR 431.306 are relevant because they cover data release and use in 
contexts outside of our policies in this section of the final rule. We 
note that while the beneficiary's permission is not required under 42 
CFR 431.306(d) for the Patient Access API we discuss here, state or 
other laws may require such permission.
    With respect to Medicaid managed care, and in addition to the 
general authorities cited previously mentioned regarding Medicaid 
programs, this policy will also help implement section 1932(b)(4) of 
the Act, which provides that each Medicaid MCO must establish an 
internal grievance procedure under which a beneficiary who is eligible 
for medical assistance may challenge the denial of coverage or payment 
for such assistance. CMS has traditionally extended requirements 
applicable to

[[Page 8786]]

Medicaid MCOs to other Medicaid managed care plan types as efficient 
and proper methods of administration under section 1902(a)(4) of the 
Act to ensure that Medicaid beneficiaries have the same protections, 
benefits, and responsibilities regardless of the type of managed care 
plan in which they are enrolled. Allowing beneficiaries to access the 
status of their denied prior authorizations within 1 business day could 
enable beneficiaries to file appeals timelier and receive faster 
resolution. Enabling beneficiaries to monitor the status of prior 
authorization requests submitted on their behalf is also consistent 
with how section 1932(c) of the Act indicates that timely access to 
care should be assured for beneficiaries. Knowing within 1 business day 
that a prior authorization has been approved could enable a beneficiary 
to more promptly schedule or obtain care.
    We also proposed to require state Medicaid agencies and Medicaid 
managed care plans to report Patient Access API metrics to CMS 
annually. These metrics will support CMS's oversight, evaluation, and 
administration of the Medicaid program, as it will allow us to evaluate 
beneficiary access to the Patient Access API. API usage could indicate 
that the policy is supporting program efficiencies and ensuring access 
to information in a timely and efficient way and in the best interest 
of beneficiaries, as intended, and as is consistent with section 
1902(a)(4) and (19) of the Act. Additionally, section 1902(a)(6) of the 
Act requires Medicaid state plans to provide that the state Medicaid 
agency will make such reports, in such form and containing such 
information, as the Secretary may from time to time require. These 
metrics will serve as a report to evaluate the implementation and 
execution of the Patient Access API.
    For CHIP, we finalized these requirements under the authority in 
section 2101(a) of the Act, which states that the purpose of Title XXI 
of the Act is to provide funds to states to provide child health 
assistance to uninsured, low-income children in an effective and 
efficient manner that is coordinated with other sources of health 
benefits coverage. This provision provides us with authority to adopt 
these requirements for CHIP because the finalized requirements increase 
patient access to their health information, which can improve the 
efficacy of CHIP programs, allow for more efficient communication and 
administration of services, and promote coordination across various 
sources of health benefits coverage.
    We believe that requiring CHIP agencies, as well CHIP managed care 
entities, to make CHIP beneficiaries' prior authorization data and 
other standardized data available through standards-based APIs will 
lead to these beneficiaries accessing that information in a convenient, 
timely, and portable way. This improved access will help to ensure that 
services are effectively and efficiently administered in the best 
interests of beneficiaries, consistent with the requirements in section 
2101(a) of the Act. We believe making patient data available in this 
format will result in better health outcomes and patient satisfaction 
and improve the cost effectiveness of the entire health care system, 
including CHIP.
    These policies align with section 2101(a) of the Act in that they 
also will improve the efficiency of CHIP programs. For example, adding 
information about prior authorization requests to the Patient Access 
API will allow beneficiaries to easily obtain the status of prior 
authorization requests made on their behalf. This will in turn allow 
patients to make scheduling decisions and provide any missing 
information needed by a payer to reach a decision, which makes the 
prior authorization process more efficient, streamlining the prior 
authorization process.
    Additionally, the safeguards for applicant and beneficiary 
information at 42 CFR part 431, subpart F, are also applicable to CHIP 
through a cross-reference at 42 CFR 457.1110(b). As discussed 
previously for Medicaid, giving CHIP beneficiaries access to their 
prior authorization statuses through the Patient Access API would be 
related to providing services to beneficiaries, which is described at 
42 CFR 431.302(c) as a purpose directly related to state plan 
administration. Allowing beneficiary access to prior authorization 
statuses also conforms with provisions for beneficiary access to their 
records at 42 CFR 457.1110(e). We remind states that when they share 
beneficiary information through the Patient Access API, they must 
comply with the privacy protections at 42 CFR 457.1110 and the release 
of information provisions at 42 CFR 431.306.
    Finally, by finalizing the requirement for state CHIP agencies and 
CHIP managed care entities to report Patient Access API metrics to CMS 
annually will help states and CMS understand how this API can be used 
to continuously improve the effectiveness and efficiency of state CHIP 
operations by providing information about its use, which is an 
indication of the API's uptake among patients, including how many only 
use it for a one-time setup consistent with 2107(b)(1) of the Act. The 
more we understand about the Patient Access API's usage, the better we 
can assess that the API is leading to improved operational efficiencies 
and providing information to beneficiaries in a way that supports their 
best interests.
c. Qualified Health Plan Issuers on the Federally-Facilitated Exchanges
    For QHP issuers on the FFEs, we finalized these new requirements 
under our authority at section 1311(e)(1)(B) of the Patient Protection 
and Affordable Care Act, as amended by the Health Care and Education 
Reconciliation Act of 2010 (Pub. L. 111-148, enacted March 23, 2010, 
and Pub. L. 111-152, enacted March 30, 2010, respectively) 
(collectively referred to as the Affordable Care Act) which affords the 
Exchanges the discretion to certify QHPs if the Exchange determines 
that making available such health plans through the Exchange is in the 
interests of qualified individuals in the state in which the Exchange 
operates.
    We believe generally that certifying only health plans that take 
steps to make enrollees' prior authorization requests and related 
clinical documentation available through interoperable technology would 
ultimately lead to these enrollees having access to that information in 
a convenient, timely, and portable way, which is in enrollees' best 
interests. Adding information about prior authorization requests to the 
Patient Access API would allow enrollees to easily obtain the status of 
prior authorization requests submitted on their behalf and use that 
information effectively to make more informed decisions about their 
health care, improve the efficiency of accessing and scheduling 
services, and, if needed, provide missing information needed by the 
issuer to reach a decision. This could allow QHP issuers on the FFEs to 
more promptly address prior authorization requests and would also 
facilitate more timely and potentially more successful initial prior 
authorization requests. We encourage SBEs (including SBE-FPs) to 
consider whether a similar requirement should be applicable to QHP 
issuers on SBEs.
    Finally, requiring QHP issuers on the FFEs to report Patient Access 
API metrics to CMS annually will help CMS assess the effect this API is 
having on enrollees and will inform how CMS could either enhance the 
policy or improve access or use through activities

[[Page 8787]]

such as additional patient education. These data could help CMS 
understand how best to leverage this API, and patient access to it, and 
to ensure this requirement is being met efficiently and adding value to 
CMS operations, including leading to the intended efficiencies.

B. Provider Access API

1. Background
    In the CMS Interoperability and Patient Access final rule, we 
required impacted payers to implement a Patient Access API (85 FR 
25558) that allows patients to access their health information through 
a third-party app. Patients who do so could then share their 
information with their provider during an appointment. For example, 
during a visit with a provider, a patient could share specific 
diagnoses, procedures, and tests accessed through the Patient Access 
API, to inform the discussion with their provider.
    In the CMS Interoperability and Patient Access proposed rule (84 FR 
7610), we had sought comment on the feasibility of implementing and 
maintaining a FHIR API for data exchange between payers and providers 
and received comments strongly supporting our concept to require data 
availability through a Provider Access API. Some commenters stated that 
allowing providers to receive data, including prior authorization 
information, directly from payers, would make FHIR-based data exchange 
significantly more valuable for patients, providers, and payers. More 
data could be available to help providers manage a patient's care and 
providers could reduce or eliminate duplicate tests. Payers might also 
see fewer duplicate requests for services, fewer appeals and, possibly, 
lower costs. In the final rule, we specifically agreed with commenters 
that making available information about prior authorization decisions 
via an API would reduce burden on providers and their staff (85 FR 
25541). We also discussed the potential benefits of payers sharing 
patient health information directly with providers (85 FR 25555) and 
encouraged payers to consider an API solution that would enable direct 
provider access to appropriate health information to support the 
delivery of care.
    While the Patient Access API was a significant first step toward 
sharing individual patient health information with providers, we 
believe it would benefit patients if payers were required to make 
patient data directly available to providers via a FHIR API. In the 
normal course of business, many providers already maintain EHRs and 
share data for a variety of purposes authorized by the patient and/or 
existing law. Therefore, in the CMS Interoperability and Prior 
Authorization proposed rule, we proposed to require impacted payers to 
implement and maintain a FHIR API that makes patient data available to 
providers who have a contractual relationship with the payer and a 
treatment relationship with the patient. The Provider Access API has 
the potential to allow payers to build upon their existing systems and 
processes to enhance access to patient data, while continuing to 
protect patient privacy and data security.
    We also proposed a patient opt out (rather than an opt in) policy 
that would require payers to allow patients to opt out of the Provider 
Access API. Finally, we proposed Provider Access API compliance dates 
in 2026 (by January 1, 2026, for MA organizations and state Medicaid 
and CHIP FFS programs; by the rating period beginning on or after 
January 1, 2026, for Medicaid managed care plans and CHIP managed care 
entities; and for plan years beginning on or after January 1, 2026, for 
QHP issuers on the FFEs).
    As mentioned in section I.A. of this final rule, these policies do 
not pertain to Medicare FFS. In the proposed rule, we solicited comment 
on whether our Provider Access API proposal could be implemented in the 
Medicare FFS program. We expect that a Medicare FFS implementation 
would generally conform to the same requirements that apply to the 
impacted payers under this final rule, so Medicare FFS providers and 
beneficiaries enrolled in Medicare FFS could also benefit from this 
type of data sharing. We solicited comment on whether these 
requirements could be implemented as proposed, how we could apply each 
of these proposals, and if there would be any differences implementing 
the Provider Access API for the Medicare FFS program as a Federal 
payer. CMS's Data at the Point of Care (DPC) project is currently 
piloting an API that makes Medicare FFS claims and Part D data 
available to certain providers. However, some differences exist for 
Medicare FFS. For instance, provider remittances and patient cost-
sharing information are not proprietary, so those data are shared in 
the DPC pilot; however, we proposed that impacted payers would not be 
required to share that information under our policies. Because the DPC 
API currently enables provider access to patient data and involves 
processes like authenticating the provider and verifying a patient 
treatment relationship with an attribution process, the information 
gained from the DPC pilot will be useful to impacted payers as we 
finalize proposals in this rule.
2. Requirements for Payers: Provider Access API for Individual Patient 
Information
    In the CMS Interoperability and Patient Access final rule (85 FR 
25558), we required impacted payers to make certain health information 
available through a Patient Access API when requested by a patient. We 
stated that it would be valuable for providers to have access to the 
same patient data, except for provider remittances and patient cost-
sharing information, through a FHIR API that allows a provider to 
request data for an individual patient, as needed, thereby providing 
them with further insight into the patient's health care. Research 
shows that patients achieve better outcomes when their record is more 
complete, and more data are available to the health care provider at 
the point of care.\26\ Making more comprehensive information available 
to providers could thus improve the care experience for patients. 
Ensuring that providers have access to relevant patient data at the 
point of care could also reduce the burden on patients to recall and 
relay information during an appointment and/or provide confirmation 
that the patient's recollection of prior care is accurate.
---------------------------------------------------------------------------

    \26\ Office of the National Coordinator for Health Information 
Technology (ONC) (2019, June 4). Improved Diagnostics & Patient 
Outcomes. Retrieved from https://www.healthit.gov/topic/health-it-basics/improved-diagnostics-patient-outcomes.
---------------------------------------------------------------------------

    Therefore, we proposed to require impacted payers to implement and 
maintain a Provider Access API to make current patients' information 
available to in-network or enrolled (as applicable) providers, at the 
provider's request. Under our proposal, an in-network provider is any 
provider or health care facility that is part of a specific health 
plan's network of providers with which it has a contract to furnish 
covered items or services. In the case of state Medicaid and CHIP FFS 
programs, that means any providers or health care facilities that are 
enrolled with the state as Medicaid or CHIP providers. We noted that 
this requirement would only apply to current patients. Once a patient 
is no longer enrolled with a payer, the payer would not need to share 
data with providers under our proposed policy.
    We explained that the Provider Access API would allow a provider to 
initiate a request when the provider needs access to a patient's data, 
such as prior to or during a patient visit. Both the Provider Access 
and Patient Access

[[Page 8788]]

APIs would facilitate the FHIR-based exchange of claims and encounter 
data, all data classes and data elements included in a content standard 
at 45 CFR 170.213 (USCDI), and certain information about prior 
authorizations maintained by the payer.
    We also stated that we believed that sharing claims and encounter 
data (without provider remittances and patient cost-sharing 
information) would complement the data classes and data elements 
included in a content standard at 45 CFR 170.213 (USCDI) by providing 
more information to support treatment and care coordination. Claims and 
encounter data, used in conjunction with clinical and other available 
data, can offer a broader, more complete picture of an individual's 
interactions with all their providers in the health care system. With 
that proposal, we intended to help providers gain efficient access to 
more comprehensive data on their patients. Specifically, we proposed to 
require impacted payers to make available any of the applicable patient 
data with a date of service on or after January 1, 2016, that they 
maintain. This timeframe for data to be included is consistent with the 
requirements of the Patient Access API, as finalized in the CMS 
Interoperability and Patient Access final rule (85 FR 25567), so payers 
should already be maintaining and making available the same set of data 
from this timeframe via a FHIR API.
    Finally, we explained that, unlike the Patient Access API, the 
Provider Access API would not include provider remittances and patient 
cost-sharing information. Many payers consider cost-sharing information 
proprietary and, while we do not necessarily agree with such a 
characterization, we believed that information would have limited 
benefit for treatment or care coordination and thus excluded it from 
the scope of data required to be accessible through the Provider Access 
API.
    We proposed that payers would be required to make available via the 
Patient Access and Provider Access APIs information related to prior 
authorization requests and decisions for items and services (excluding 
drugs). This information would include, as applicable:
     The prior authorization status.
     The date the prior authorization was approved or denied.
     The date or circumstance under which the prior 
authorization ends.
     The items and services approved;
     If denied, a specific reason why the request was denied.
     Related structured administrative and clinical 
documentation submitted by a provider.
    We proposed that information about prior authorizations be 
available via the Patient Access API for as long as the authorization 
is active, and for at least 1 year after the last status change, and 
that this would apply to the Provider Access API, as well. We noted in 
the proposed rule that this provision would be particularly relevant to 
denied and expired prior authorizations, to ensure that they would be 
available for at least a year after expiring or being denied. We did 
not propose to require payers to share a patient's full prior 
authorization history, because that could comprise a significant amount 
of information that may no longer be clinically relevant.
    In general, our proposal for the data that payers would have to 
make available through the Provider Access API, as well as the 
technical specifications, aligned with the requirements for the Patient 
Access API finalized in the CMS Interoperability and Patient Access 
final rule (85 FR 25558) and those that were proposed for the Patient 
Access API in the CMS Interoperability and Prior Authorization proposed 
rule (87 FR 76238).
    However, we further explained that there are a few notable 
differences between the requirements for a Patient Access API and those 
for a Provider Access API. The biggest difference is how and why the 
end user will access the data. For the Patient Access API, the patient 
is requesting access to their own data through a health app for their 
own reference and use, and potentially to share the data with a 
provider. For the Provider Access API, we expect that a provider will 
request and receive access to the patient's information through their 
EHR, practice management system, or other technology for treatment 
purposes. Providers will securely access their patients' data through a 
FHIR API using at least one of these systems. Providers will not access 
patient data through their own health app; rather, the data will flow 
from the payer to the provider's EHR or practice management system, 
which will allow them to incorporate the patient data into their 
records, should they choose to do so. For example, a provider who is 
preparing for an upcoming appointment may need more information about 
the patient than is contained in the patient's record in their own 
systems. Under this proposal, the provider would be able to request the 
additional data from the patient's payer. The payer would then be 
required to share the requested data no later than 1 business day after 
receiving a request from a provider who meets all other requirements to 
access the data.
    In the CMS Interoperability and Patient Access final rule we 
required standards for the Patient Access API by cross reference to 45 
CFR 170.215 (85 FR 25558). We proposed to require certain standards at 
45 CFR 170.215 that are applicable to the Provider Access API. We are 
finalizing our proposals for the Provider Access API with 
modifications, requiring impacted payers to use the following 
standards: HL7 FHIR Release 4.0.1 at 45 CFR 170.215(a)(1), US Core IG 
STU 3.1.1 at 45 CFR 170.215(b)(1)(i), SMART App Launch IG Release 1.0.0 
at 45 CFR 170.215(c)(1), and Bulk Data Access IG v1.0.0: STU 1 at 45 
CFR 170.215(d)(1). We are also recommending payers use the CARIN IG for 
Blue Button STU 2.0.0, PDex IG STU 2.0.0, and SMART App Launch IG 
Release 2.0.0 to support Backend Services Authorization. We proposed 
but are not finalizing to require impacted payers to use OpenID Connect 
Core for reasons discussed later in this section. We refer readers to 
Table H3 for a full list of the required standards and recommended IGs 
to support API implementation. We refer readers to section II.G. of 
this final rule for further discussion of the required and recommended 
technical standards for the Provider Access API.
    For Medicaid and CHIP managed care, we proposed that NEMT PAHPs, as 
defined at 42 CFR 438.9(a) and 457.1206(a) respectively, would not be 
subject to the requirement to establish a Provider Access API. As 
proposed at 42 CFR 438.242(b)(7) and by cross-reference at 42 CFR 
457.1233(d), all other Medicaid managed care plans and CHIP managed 
care entities (that is, MCOs, PIHPs, and non-NEMT PAHPs) would be 
subject to this final rule. We stated our belief that the unique nature 
and limited scope of the services provided by NEMT PAHPs, which only 
cover transportation and not medical care itself, justified their 
exclusion from the requirements of the Provider Access API. 
Specifically, we did not believe that providers have routine need for 
NEMT data; therefore, requiring NEMT PAHPs to implement and maintain a 
Provider Access API (and a Payer-to-Payer API, as discussed in section 
II.C.3. of this final rule) would be an undue burden. However, we did 
propose that NEMT PAHPs be subject to the requirements for the Patient 
Access API, Prior Authorization API, and prior authorization processes.
    We acknowledged that it could be helpful for all providers to have 
access to their patients' data regardless of contractual or enrollment 
relationships

[[Page 8789]]

with a patient's payer. However, we proposed to only require impacted 
payers to share data with in-network or enrolled providers. We 
recognized that this could make it more difficult for an out-of-network 
provider to create or access a more comprehensive care record for a 
patient. We considered requiring payers to make the data available to 
all providers, regardless of whether the provider is under contract or 
enrolled with the payer. We will continue to consider a requirement to 
share patient data with out-of-network providers for future rulemaking. 
To this end, we requested comment in the proposed rule on existing 
processes for sharing data with out-of-network providers. Though we did 
not propose to require it, we encouraged payers to share information 
via API with out-of-network or unenrolled providers to the extent 
permitted by law if they can verify a treatment relationship. For state 
Medicaid and CHIP FFS programs specifically, data sharing with out-of-
network and unenrolled providers would need to comply with Medicaid 
confidentiality rules as required by section 1902(a)(7) of the Act and 
implemented in our regulations at 42 CFR part 431, subpart F.
    We are finalizing our proposal to require impacted payers to make 
available to providers, via the Provider Access API, claims and 
encounter data (without provider remittances and patient cost-sharing 
information), all data classes and data elements included in a content 
standard at 45 CFR 170.213, and certain information about prior 
authorizations (excluding those for drugs). However, as with the 
Patient Access API policies, we are finalizing a modification to our 
proposal and not requiring payers to share the quantity of items or 
services used under a prior authorization or unstructured documentation 
related to a prior authorization. We are finalizing these changes to 
the Provider Access API policy with compliance dates in 2027 (by 
January 1, 2027, for MA organizations and state Medicaid and CHIP FFS 
programs; by the rating period beginning on or after January 1, 2027, 
for Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2027, for QHP issuers on 
the FFEs), which is a year after the proposed 2026 compliance dates. 
Throughout this rule, we generally refer to these compliance dates as 
``in 2027'' for the various payers.
    To support the Provider Access API implementation and maintenance, 
we are requiring certain standards and recommending certain IGs, as 
further discussed later and in section II.G. of this final rule. With 
the publication of the HTI-1 final rule, our cross references to 45 CFR 
170.215 have been updated to reflect the updated citations as needed. 
Changes to the structure of 45 CFR 170.215 and versions of the API 
standards codified there, are discussed further in section II.G. and 
reflected throughout this final rule. For the Provider Access API, 
impacted payers must use the following standards: HL7 FHIR Release 
4.0.1 at 45 CFR 170.215(a)(1), US Core IG STU 3.1.1 at 45 CFR 
170.215(b)(1)(i), SMART App Launch IG Release 1.0.0 at 45 CFR 
170.215(c)(1), and Bulk Data Access IG v1.0.0: STU 1 at 45 CFR 
170.215(d)(1). Impacted payers are permitted to use updated standards, 
specifications, or IGs that are not yet adopted in regulation for the 
APIs required in this final rule, should certain conditions be met. For 
the standards at 45 CFR 170.215, updated versions available for use 
under our policy include, but are not limited to, US Core IG STU 6.1.0, 
the SMART App Launch IG Release 2.0.0, and the Bulk Data Access IG 
v2.0.0: STU 2, which have been approved for the ONC Health IT 
Certification Program.\27\ We refer readers to section II.G.2.c. of 
this final rule for a full discussion on using updated standards. We 
also recommend payers use the CARIN IG for Blue Button STU 2.0.0, PDex 
IG STU 2.0.0, and SMART App Launch IG Release 2.0.0 to support Backend 
Services Authorization. We refer readers to Table H3 for a full list of 
the required standards and recommended IGs to support API 
implementation.
---------------------------------------------------------------------------

    \27\ Office of the National Coordinator for Health Information 
Technology (ONC) (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

a. General Comments
    Comment: Multiple commenters supported CMS's proposal to require 
impacted payers to develop and maintain a Provider Access API and 
recommended that CMS finalize the proposal. Multiple commenters also 
noted that the API would give health care providers invaluable insights 
into patient care, which could lead to better quality care, reduce 
duplicate services, and streamline provider workflows. A commenter 
recommended that CMS focus its efforts on the secure exchange of data 
from patients to providers via the Patient Access API, which could 
allow the patient to be an intermediary who can choose which payer data 
to share with the provider.
    Response: We agree with commenter sentiments about the various 
benefits to both providers and patients of providers having improved 
and direct access to patient data. As explained throughout this final 
rule, the requirements and standards for the Provider Access API will 
largely align with those currently in place and that we are finalizing 
for the Patient Access API. We anticipate that this alignment will 
provide consistency and help payers build on the work done to comply 
with the requirements for the Patient Access API. Enabling improved 
data sharing directly with providers, who have the clinical expertise 
to effectively use the data to improve patient care, is a logical next 
step for our API implementation requirements.
b. Compliance Dates
    Comment: Multiple commenters supported the proposed 2026 compliance 
dates for the Provider Access API, as the appropriate time when the IGs 
will be sufficiently mature. Other commenters supported earlier 
compliance dates for the Provider Access API, including dates in 
calendar years 2024 and 2025.
    By contrast, multiple other commenters requested that CMS delay the 
implementation of the Provider Access API. Many recommended the 
compliance dates for the Provider Access API be at least 3 years after 
the issuance of the final rule to allow for provider and payer 
collaboration. Commenters stated this would allow payers and providers 
to stagger the separate implementation of the HIPAA Standards for 
Health Care Attachment proposed rule (87 FR 78438). A commenter stated 
that delaying the implementation of the Provider Access API requirement 
would enable the industry to develop consistent attribution 
methodologies and establish opt out policies. A commenter suggested 
that if CMS finalizes its proposal to require payers to implement 
Provider Access APIs and require a response within 1 business day, it 
should delay the compliance dates until 2027.
    Multiple commenters flagged that CMS does not have to require 
implementation on any particular calendar date, since it would not 
affect an enrollee's plan benefits or premiums. A commenter 
specifically stated that the implementation does not need to be 
synchronized to the beginning of the plan benefit year for MA 
organizations and QHP issuers on the FFEs.
    A commenter sought clarification on the compliance dates as it 
relates to onboarding new providers to a payer's network, in order to 
ensure these new providers are following all applicable regulations, 
laws, and testing requirements by the proposed

[[Page 8790]]

compliance dates in 2026. Multiple commenters recommended that CMS 
develop the Prior Authorization API before fully implementing the 
Provider Access API. A commenter further recommended that CMS phase in 
implementation of the Provider Access API. They believe CMS should 
allow additional time for development of the Provider Access API to 
maximize its utility and provided suggestions for additional 
capabilities to do this.
    Response: After consideration of public comments, we are finalizing 
a 1 year delay in the compliance dates, to 2027 (by January 1, 2027, 
for MA organizations and state Medicaid and CHIP FFS programs; by the 
rating period beginning on or after January 1, 2027, for Medicaid 
managed care plans and CHIP managed care entities; and for plan years 
beginning on or after January 1, 2027, for QHP issuers on the FFEs). As 
discussed in section I.D. of this final rule, we are delaying the 
compliance dates for each of our policies that require API development 
and enhancement (though other policies on new reporting metrics and 
prior authorization processes are being finalized with different 
compliance dates). While making data related to prior authorizations 
available to providers is necessary and urgent, we also understand that 
the policies we are finalizing will take time for payers to implement. 
An additional year will give payers time for a smooth rollout of this 
new API, as well as to onboard their providers. Payers may communicate 
these policies to any new providers through the same channels they 
currently use to communicate participation rules, coverage guidelines, 
and other important plan information with new providers joining their 
network. Because we are delaying the compliance dates, we do not 
believe a phased implementation is necessary, even if the additional 
time is used to implement functionalities for the API that we are not 
requiring in this final rule. We emphasize that the compliance dates 
are merely a deadline, and we encourage payers to meet the requirements 
of this rule as soon as possible to benefit their patients and 
providers. The additional year will also give impacted payers the 
requested time to establish the required attribution and opt out 
processes (discussed in sections II.B.3.a. and II.B.3.b. of this final 
rule, respectively).
    Finally, we decline to delay the compliance dates for this policy 
until after the Prior Authorization API is implemented and are 
finalizing the same compliance dates for all three new APIs. We agree 
that the purpose of the Prior Authorization API is to facilitate the 
exchange of structured (as defined in section II.A.2.a.ii. of this 
final rule) prior authorization data, and therefore receiving requests 
electronically may expedite payers' ability to make that information 
available to providers. However, even after the Prior Authorization API 
compliance dates, we expect that a number of prior authorizations are 
going to be submitted through other channels (hopefully in declining 
number). A provider's access to this information should not depend on 
the method and process that a payer sets for providers to submit a 
prior authorization request. Rather, the purpose of our Provider Access 
API policies is that providers have access to their patients' data (if 
patients do not opt out). That means that payers will need to be able 
to share through the required APIs any prior authorization information 
that is submitted in ways other than the Prior Authorization API, 
regardless of the compliance dates. By finalizing 2027 compliance 
dates, we are providing payers an additional year beyond our proposal 
to implement the needed functionality within their internal systems. 
While we acknowledge that the compliance dates may not need to be at 
the start of a calendar, contract, or rating year, finalizing our 
proposal with specific compliance dates will ultimately reduce 
confusion for all parties.
    Comment: A commenter cautioned that without information that will 
be contained in an anticipated ONC proposed rule, it is difficult to 
provide realistic timelines for making prior authorization data 
available. They recommended that CMS offer an additional public comment 
period after the publication of this separate, anticipated ONC rule to 
allow the industry appropriate time to review the proposed changes that 
would be incorporated into the provider's workflow.
    Response: Regarding ONC regulations, we recognize that commenters 
are interested in future ONC policies which may relate to the policies 
in this rule. ONC issued both the HTI-1 proposed and final rules since 
the publication of our proposed rule. As discussed, cross references in 
this final rule have thus been updated accordingly. We will continue to 
work with ONC to explore the adoption of standards and health IT 
certification criteria where appropriate to streamline data exchange, 
support interoperability, and increase efficiencies associated with the 
policies in this final rule. We further note that the Unified Agenda, 
at the time of publication of this final rule, has been updated to 
include an entry for a proposed rule from ONC entitled ``Health Data, 
Technology, and Interoperability: Patient Engagement, Information 
Sharing, and Public Health Interoperability'' (RIN 0955-AA06). The 
description indicates that the proposed rule aims to advance 
interoperability, including proposals to expand certified APIs for 
electronic prior authorization.\28\ However, the policies in this rule 
can be finalized independently of future rulemaking by ONC and we are 
not providing an additional period for comment.
---------------------------------------------------------------------------

    \28\ Office of Information and Regulatory Affairs. Executive 
Office of the President (2023). Health Data, Technology, and 
Interoperability: Patient Engagement, Information Sharing, and 
Public Health Interoperability. Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

c. Identifying Providers and Networks
    Comment: Multiple commenters requested clarification on the 
definition of ``providers'' that are eligible to use the Provider 
Access API. A commenter recommended that CMS permit providers who use a 
Type 2 National Provider Identifier (NPI) number to use the Provider 
Access API. Multiple commenters also believed that providers other than 
physicians should have access to patient data via the Provider Access 
API. A commenter recommended that the final rule explain whether the 
Provider Access API can be used by clinical laboratories. Another 
commenter believed that a Tax Identification Number (TIN) should be 
used for patient attribution purposes, rather than an NPI because it 
would give an opportunity for multiple providers in the same practice 
to access a patient's information.
    Response: Providers who should have access to a patient's data are 
those, whether they are an individual, a facility, or a group of 
providers who have come together as an Accountable Care Organization 
(ACO), who are appropriately licensed, provide items or services 
eligible for coverage by the payer, and are enrolled with the payer or 
in the payer's provider network. Should a clinical laboratory, or other 
entity such as an ACO, meet these criteria, it would indeed be a 
provider who could use the Provider Access API to access patient data, 
assuming all other criteria outlined in this final rule are met. 
Multiple providers in the same practice may also be able to access a 
patient's data if the practice is enrolled with a plan under a Type 2 
NPI (that is, an organization's NPI), or if those providers are part of 
an ACO that is

[[Page 8791]]

requesting data on a provider's behalf, because all the providers in 
such organizations would be part of the payer's network. Furthermore, 
an ACO typically has business associate agreements with the providers 
that comprise the ACO, that should allow them to request data on the 
provider's behalf. Impacted payers may even elect to use patient 
rosters from such multi-provider practices or ACOs, as well as a 
practice's TIN, as part of its attribution process (see section 
II.B.3.a. of this final rule) since the patients on these rosters could 
be attributed to all the providers in these organizations.
    Comment: Multiple commenters sought clarification on how CMS 
defines a payer's network. A commenter inquired whether CMS's intention 
was to only include contracted providers who have both a contractual 
relationship with the payer and a treatment relationship with the 
patient, and as to which facilities are considered contracted or out-
of-network. Another commenter asked for CMS to further define 
``treatment relationship with the patient.'' A different commenter 
sought clarification on the definition of in-network providers for a 
plan that operates in multiple territories and has some providers that 
may be in-network for one location and out-of-network for another.
    A commenter further recommended that CMS consider how to allow for 
effective patient data transfers in more complex provider-facility 
relationships, meaning contracted individual and institutional 
providers. A commenter also recommended that CMS consider the nuances 
of cancer therapy networks when developing its final policies, as some 
payers utilize a cancer therapy network and cover services furnished by 
certain providers who may be considered out-of-network generally, but 
in-network for certain cancer treatments.
    Other commenters suggested that CMS explain whether impacted payers 
with leased networks would be subject to the in-network requirement and 
recommended that leased network providers not be considered in-network 
for purposes of the Provider Access API. One of these commenters raised 
the concern that requiring QHP issuers on the FFEs to share patient 
information with leased network providers would impose a burden on 
QHPs, noting that the in- and out-of-network status of these providers 
could depend on a plan's benefit package. These commenters noted that 
these networks are often rented or leased from other payers, and that 
the QHP issuer that is renting the network may not have control over 
provider contract standards.
    Response: We are finalizing that impacted payers will be required 
to make the specified patient data available to in-network or enrolled 
providers with whom the patient has a verified treatment relationship 
(determined via an attribution process, as discussed in section 
II.B.3.a. of this final rule), assuming the data access conforms to all 
other applicable laws and regulations, such as state privacy laws. As 
discussed elsewhere, a payer can establish a treatment relationship by 
determining whether the patient's claims history, proof of an upcoming 
appointment, or other information (for example, hospital admission 
letter) demonstrates a treatment relationship with the provider. 
Nothing in this final rule would require the information used to verify 
the provider's relationship to the patient to be shared or exchanged 
via the Provider Access API itself. We also remind readers that, though 
we are not requiring payers to share patient data with out-of-network 
or unenrolled providers, we encourage them to do so to the extent 
permitted by law if they can verify a treatment relationship.
    Impacted payers that operate in multiple service areas, and 
therefore have some providers that are in-network in a particular area 
but out-of-network in other areas, should treat the providers based on 
network status on a case-by-case basis, depending on the payer's 
service area applicable to each enrollee. For example, if Providers A 
and B are both in-network for the plan, but Enrollee C resides in a 
service area where only Provider A is in-network, then the plan can 
treat Provider A as in-network and Provider B as out-of-network for 
making Enrollee C's data available via the Provider Access API. 
However, we remind readers that while not required, it would still be 
permissible to grant access to the Provider Access API to Provider B. 
The fact that Provider B already has a contract with the payer would 
even help to mitigate the potential privacy, security, and program 
integrity concerns we discussed in the proposed rule. The presence of 
this contractual relationship is also why we agree with the commenter 
regarding providers who are part of a cancer therapy network. If 
providers are in-network for some services for a patient, then they are 
an in-network provider. Our goal with our Provider Access API policies 
is to maximize the number of providers who can use it.
    We acknowledge that there may be health care settings and 
facilities where only some of the providers are enrolled with or have a 
provider agreement with the impacted payer (as applicable). Under the 
HIPAA Privacy Rule, covered health care providers generally may 
disclose certain PHI to other health care providers for treatment 
purposes.\29\ Thus, there may be cases where a provider may share 
relevant patient data obtained via the Provider Access API with another 
provider who may not be in-network or enrolled with the impacted payer. 
However, under our requirements, payers would only be required to share 
data through the Provider Access API in response to requests from in-
network or enrolled providers (as applicable).
---------------------------------------------------------------------------

    \29\ See 45 CFR 164.506(a).
---------------------------------------------------------------------------

    Providers in a leased network are in-network for purposes of the 
Provider Access API requirement because the lease effectively creates a 
contract with the providers in that network. By way of example, QHP 
issuers on the FFEs include leased network providers in the Network 
Adequacy template they submit as part of the annual QHP Certification 
application process, to the extent that a network's providers are 
available to enrollees in that QHP and are treated by the issuer as 
providing in-network benefits.\30\ In addition, per 45 CFR 156.340, QHP 
issuers on the FFEs are responsible for their own compliance and the 
compliance of any delegated \31\ or downstream entities \32\ with all 
applicable Federal standards related to Exchanges.
---------------------------------------------------------------------------

    \30\ ECP and Network Adequacy (n.d.). Essential Community 
Providers and Network Adequacy. Retrieved from https://www.qhpcertification.cms.gov/s/ECP%20and%20Network%20Adequacy.
    \31\ A ``delegated entity'' is defined at 45 CFR 156.20 to mean 
any party that enters into an agreement with a QHP issuer on the 
FFEs to provide administrative services or health care services (for 
example, contracted providers).
    \32\ A ``downstream entity'' is defined at 45 CFR 156.20 as any 
party that enters into an agreement with a delegated entity or with 
another downstream entity to provide administrative services or 
health care services (for example, subcontracted providers).
---------------------------------------------------------------------------

d. Provider Adoption and Use
    Comment: Multiple commenters agreed with the scope of the Provider 
Access API, but expressed concern about potential penalties for 
providers who are unable to adopt technology that supports data 
exchange via this API.
    Response: We did not propose any requirements for providers to use 
the Provider Access API, nor did we propose penalties for providers who 
do not use the API. However, accessing patient data through the 
Provider Access API will improve providers' ability to furnish quality 
care to patients. We expect that providers too

[[Page 8792]]

will see the benefit of this technology and having patient data 
available directly from payers.
    Comment: Multiple commenters flagged that providers should have 
access to a patient's health information without technological or 
financial barriers, and that CMS should consider the costs to health 
centers, safety net providers, long-term and post-acute care (LTPAC) 
settings, and hospitals with low resources, as well as their unique 
needs with regard to implementing use of the Provider Access API. They 
believed that considering these provider types would ensure more 
widespread use of the API. A commenter stated that some small 
businesses do not have the staff or funding to set up a complex data 
exchange and they believed there is a need to engage them in 
discussions about the benefits of the health information exchange. 
Another commenter stated that the proposed rule did not offer any 
indication of available resources to help providers implement the API. 
A commenter recommended CMS consider investments that health centers 
make to ensure appropriate interoperability and access.
    A commenter urged CMS to track and counteract any equity issues 
that may manifest from operationalizing the Provider Access API. 
Multiple other commenters flagged that the true impact of APIs on 
everyday practices will not be understood until they are implemented 
and being used by providers, with another commenter recommending that 
CMS focus targeted efforts to engage provider specialties and groups 
who have traditionally lagged in uptake of interoperable technology.
    Response: We agree that technology should not be a barrier to 
accessing appropriate patient information and our policies are intended 
to make such access easier for providers. We recognize that there are 
care settings that lag in adoption of EHR and other health IT, and/or 
lack the staff or resources to make use of the Provider Access API, 
which could result in these care settings missing out on the benefits 
of data exchange. Nevertheless, making data available via a FHIR API, 
which ensures these data are available to any authorized system seeking 
to access it, will benefit settings that may not have sophisticated 
technological solutions. Furthermore, making these data available is a 
vital antecedent to increased data sharing and interoperability across 
the health care system. We will be closely monitoring implementation 
and use of the Provider Access API to assess its real-world impact on 
care delivery, such as the possible equity concerns described by the 
commenters, as well as continue to work with providers to encourage and 
enable them to use the API, should they wish to do so.
    Comment: Multiple commenters recommended that CMS seek to 
understand the current state of health IT and the needs of end users 
before mandating Provider Access API implementation. A commenter stated 
that the health IT infrastructure across the industry is not ready to 
support the APIs. Another commenter representing payers, providers, and 
clearinghouses in both the public and private sector noted that when 
they surveyed their payer members on the Provider Access API 
implementation, 64.3 percent of payers responded it would be ``very 
difficult or difficult'' to implement.
    Response: We disagree with the commenters' assessment that existing 
health IT infrastructure is not ready to support the Provider Access 
API. Payers are currently required to maintain a Patient Access API 
that enables the exchange of the same data as we are requiring to be 
available via the Provider Access API, with the caveat that this rule 
establishes new requirements to include information related to prior 
authorizations. The Patient Access API establishes the foundation to 
ensure that existing payer health IT infrastructure is indeed capable 
of also supporting the Provider Access API. For providers, as of 
October 2018, eligible professionals and hospitals collectively 
received over $38 billion in incentives to adopt, implement, upgrade 
(AIU), and demonstrate meaningful use of certified EHR technology 
(CEHRT) through the Medicare and Medicaid Promoting Interoperability 
Programs (formerly the Medicare and Medicaid EHR Incentive 
Programs).33 34 35 As of 2021, 78 percent of office-based 
physicians and 96 percent of non-Federal acute care hospitals had 
adopted CEHRT.\36\ CEHRT now incorporates functionality for standards-
based FHIR APIs. We thus believe health IT developers can build on 
these standards-based APIs to further develop functionality in provider 
systems that supports access to Provider Access APIs.
---------------------------------------------------------------------------

    \33\ Centers for Medicare and Medicaid Services (2018). 
Promoting Interoperability (PI) Program Medicare Incentive Programs. 
Retrieved from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/October2018_MedicareEHRIncentivePayments.pdf.
    \34\ Centers for Medicare and Medicaid Services (2018). 
Promoting Interoperability (PI) Program Medicare Incentive Programs. 
Retrieved from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/October2018_MedicareEHRIncentivePayments.pdf.
    \35\ Centers for Medicare and Medicaid Services (2017). MA 
Organization (MAO) Incentive Payments for Eligible Professionals. 
Retrieved from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/May2017_MAO-Report.pdf.
    \36\ Office of the National Coordinator for Health Information 
Technology (ONC) (2020). National Trends in Hospital and Physician 
Adoption of Electronic Health Records. Retrieved from https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records.
---------------------------------------------------------------------------

    Comment: Multiple commenters underscored the need to establish 
incentives for providers to adopt the Provider Access API to offset any 
provider burden. Commenters cited quality measure reporting through the 
MIPS and CEHRT programs as possible avenues for incentives. Another 
commenter recommended that CMS and ONC work together to create 
incentives for vendors to improve EHR functionality and for providers 
to utilize the API, as well as provider educational resources to 
encourage adoption.
    Response: For reasons explained previously, we believe that 
providers will see the benefit of using the Provider Access API, but we 
intend to closely monitor providers' experience, as well as consider 
ways to encourage use of the API in future rulemaking, if need be. We 
remind readers that nothing in this final rule would prohibit impacted 
payers themselves from incentivizing and/or requiring use of the 
Provider Access API. However, should they choose to implement such a 
policy, we remind impacted payers to carefully weigh the expected 
benefits against any potential new burden on providers.
    Comment: Multiple commenters stated that the Provider Access API 
may be duplicative of existing resources (for example, HIEs or HINs, 
multi-payer portals, or other existing mechanisms for accessing claims 
data). Many other commenters supported creating the ability to 
integrate information from the Provider Access API into the provider's 
EHR system. These commenters recommended that CMS work closely with 
both providers and EHR vendors to ensure that integrating data from the 
Provider Access API is user-friendly and incorporated into the clinical 
workflow. They stated that that would make patient data from the 
Provider Access API organized and navigable. Another commenter stated 
that because patients often receive care from multiple health 
providers, they often have fragmented patient health records, which can 
make it difficult for providers to get a clear picture of a patient's 
health history.
    Multiple commenters, however, expressed concerns regarding the 
feasibility of the Provider Access API. A

[[Page 8793]]

commenter stated that the biggest challenge to the implementation of 
Provider Access API is that providers generally interact with many 
payers and it is not feasible for provider organizations to support 
many one-to-one connections with payers. The commenter stated that 
while it would be costly and risky, the urgency to implement a National 
Data Warehouse Exchange Hub/Clearinghouse has never been greater.
    Response: We understand commenters' concern about the potential for 
duplication of the Provider Access API functionalities that existing 
resources may provide. However, not all providers currently use or have 
access to other resources that can access patient data.37 38 
Further, the data we are requiring payers to make available under this 
final rule may not be available from other sources. Thus, the Provider 
Access API can be a valuable tool for providers, even if they currently 
have access to data via an HIE/HIN or other source. We anticipate that 
providers will find benefits to patient care from having patient data 
available from multiple sources.
---------------------------------------------------------------------------

    \37\ Office of the National Coordinator for Health Information 
Technology (ONC) (2021). Electronic Health Information Exchange by 
Office-based Physicians. Retrieved from https://www.healthit.gov/data/quickstats/electronic-health-information-exchange-office-based-physicians.
    \38\ Office of the National Coordinator for Health Information 
Technology (ONC) (2023). Interoperability and Methods of Exchange 
among Hospitals in 2021. Retrieved from https://www.healthit.gov/data/data-briefs/interoperability-and-methods-exchange-among-hospitals-2021.
---------------------------------------------------------------------------

    We emphasize that the responsibility for implementing and 
maintaining the Provider Access API falls on impacted payers, not on 
providers or provider organizations. Further, in this final rule, we 
prioritize sharing structured data elements through standardized APIs 
(see section II.A.2.a.ii. of this final rule). Thus, even though this 
final rule does not obligate providers to use the Provider Access API, 
we anticipate that health IT vendors will integrate data from this API 
for providers in a manner that is organized, navigable, and useful to 
providers. We encourage vendors to work with their clients so that 
information accessed via the Provider Access API is useful for filling 
in gaps in the patient record, rather than creating duplicative data, 
and providers can take full advantage of their benefits.
    Comment: Multiple commenters suggested that CMS should take steps 
to ensure that costs borne by EHR vendors are not passed onto 
providers, and that implementation is done in a manner that minimizes 
burden for providers. Multiple commenters also recommended that CMS 
explicitly require payers to allow providers to use the Provider Access 
API at no charge and that CMS should monitor and enforce such a 
requirement against payers who attempt to charge providers a user fee 
to access the APIs.
    Response: Our goal is to improve care and reduce burden on 
patients, health care providers, and payers. We also recognize that EHR 
vendors, providers, and payers have costs of doing business. We 
strongly encourage EHR vendors to only charge reasonable fees for any 
initial or periodic system configurations required to access payers' 
API endpoints. Furthermore, EHR vendors and payers should ensure that 
any fees charged per API call are necessary and reasonable based on any 
actual maintenance costs for that entity. We also strongly encourage 
payers to permit providers to use their Provider Access API at no cost 
to maximize usage and benefits to patient care, which would ultimately 
benefit the payer as well. We will continue to work with interested 
parties to ensure that health care providers are not unnecessarily 
burdened and to ensure that our regulations do not place conflicting or 
unnecessary burdens on entities that may be regulated by more than one 
Federal agency.
    Furthermore, EHR vendors and some impacted payers may be 
information blocking actors (as defined at 45 CFR 171.102) that must 
abide by ONC's regulatory requirements. Specific details of the 
information blocking regulations and other regulations issued by ONC 
are outside the scope of this final rule. Additional information about 
ONC information blocking regulations is available from the Information 
Blocking page of ONC's website: https://www.healthit.gov/topic/information-blocking. Questions may be sent to ONC's Health IT Feedback 
and Inquiry Portal at https://inquiry.healthit.gov/. Payers who are 
information blocking actors (as defined at 45 CFR 171.102) and have 
committed information blocking (as defined at 45 CFR 171.103) may be 
subject to civil money penalties by the HHS Office of the Inspector 
General (OIG). Interested parties should address questions regarding 
when particular practices might be considered information blocking to 
ONC.
    Finally, we did not propose to implement a prohibition against 
payers charging providers a user fee to access their APIs. We will 
closely monitor implementation of the Provider Access API and whether 
user fees present a significant impediment to interoperable data 
exchange. We will also be monitoring the frequency and type of feedback 
we receive from providers, patients, and payers related to burden and 
cost, to determine whether other policies might be ripe for 
consideration in future rulemaking. See section I.D.2. of this final 
rule for more information about CMS's enforcement and compliance 
policies.
    Comment: A commenter wanted to ensure that payers cannot require 
providers and clinical staff to use multiple different tools that might 
leverage the Provider Access API to treat patients. The commenter 
stated that providers should have autonomy to deliver care without 
having to add new technology that payers may require them to implement. 
Another commenter similarly recommended that CMS ensure payers do not 
increase burden on providers, stating that a significant burden would 
be placed on providers if their network participation gets conditioned 
on payer requirements to use the Provider Access API. Another commenter 
urged CMS to prohibit payers from placing additional contractual 
demands on providers, such as unrealistic turnaround times for 
physicians to retrieve patient information. The commenter expressed 
concerned that if providers cannot comply with payers' potential new 
requirements, they may be forced out of network.
    Response: This rule does not require payers to impose requirements 
to use the Provider Access API on their in-network or enrolled 
providers. However, both providers and patients can benefit from the 
improved interoperability facilitated by FHIR APIs, with providers in 
particular seeing the benefits of having more patient data available to 
them. Contractual requirements set by payers for their in-network or 
enrolled providers are out of the scope of this rule. Nonetheless, if 
payers do choose to require providers to use the Provider Access API in 
some capacity, or even if they develop and require their own apps, we 
expect that they would do so to improve coordination with the provider 
and patient care, and also in a way that does not add provider burden.
    Comment: A commenter noted that clinical data managed by payers are 
often derived from claims submitted by providers, which often results 
in them being in a different level of detail and format than clinical 
data exchanged between providers. The commenter stated that when the 
data are made available to providers, clear communication of those 
differences and accurate interpretation by the receiving provider's 
system is essential for enabling the provider to use the data to

[[Page 8794]]

address care gaps and make treatment decisions. The commenter added 
that because the data are derived from claims, which would have been 
submitted by many of the same providers requesting it from the payer, 
deduplication of the data can become more complex. They further 
recommended that standards for representing the provenance of data when 
transmitted from payers to providers be enhanced to avoid adding a 
reconciliation burden on providers who receive the patient data. 
Another commenter said that EHR vendors would need to develop a 
``curation function'' that could allow providers (and patients) to 
select the specific data to incorporate into the patient's record, 
warning that without this capability, there will be a significant 
amount of duplicate and junk data that will render the Provider Access 
API unusable.
    Response: We thank the commenter for the comments, and we 
appreciate the concerns regarding the level of detail, format, and 
potential duplication of data received by providers' systems. One of 
the IGs we recommend for the Provider Access API is the PDex IG (see 
Table H3 in section II.G. of this final rule) is a set of guidelines 
that describes how to exchange data between payers and providers. A key 
PDex IG feature is the capability to include provenance records, if 
they exist, when exchanging data. Provenance records describe where the 
data came from and how they were processed. The PDex IG strongly 
recommends that payers create provenance records when they are not 
included in a data set. We also strongly recommend provenance records 
in cases, like those cited by the commenter, when clinical data are 
derived from claims. The provenance profile contains contextual 
information about the data, including the data's original author(s), 
transmitters, and formats (including whether they are derived from a 
claim-related transaction). Thus, using the PDex IG can help mitigate 
the problem of duplicating data by including provenance information. We 
also strongly recommend that the data source be included at the point 
of record creation, so that users can appropriately understand the 
source and context of the data. While we acknowledge the potential 
complexity of deduplicating data, creating contextual provenance 
information could help providers' systems identify data that already 
exist in the system, which can make the data actionable, rather than 
duplicative. In this way, payers can help providers unlock the benefits 
of accessing patient information through the Provider Access API. 
Finally, nothing in this final rule obligates providers to incorporate 
data they access via the Provider Access API into their patient's 
record, if they do not believe there is a benefit.
    Comment: A commenter suggested that CMS permit payers to include 
audit rights and penalties in their provider contracts to ensure that 
payers are able to monitor and regulate information access requests, as 
the structure of the proposed rule effectively asked payers to trust 
that providers who request access to patient information have a valid 
need to access that information.
    Response: Nothing in this final rule prohibits impacted payers from 
including additional requirements in their provider contracts and/or 
terms of service for requesting patient data. However, we emphasize 
that our requirement to provide access is limited to in-network 
providers who have a treatment relationship with the patient. We 
understand that payers need to ensure that provider requests are 
appropriate, so it follows that those entities would want to define 
roles and responsibilities through provider contracts, as these are 
established vehicles which delineate other payer requirements. If 
payers choose to implement such requirements, or a separate terms of 
service agreement, we strongly encourage them to balance the benefits 
to patients against any additional burden this would place on 
providers. Further, our requirements on the impacted payer will ensure 
that patients are informed of their data sharing options and will have 
the opportunity to opt out of data sharing under this policy if they do 
not wish for their providers to have access to their data. Any 
requirements that payers implement to use the Provider Access API must 
not conflict with the HIPAA Rules, or any other applicable law. See 
sections II.B.2.j. and II.B.3.b.ii. for discussions on the interaction 
of this final rule with the HIPAA Rules.
    Comment: Multiple commenters cautioned that this rule puts a large 
burden on payers with little burden on providers and that given the 
number of resources needed to implement the API, provider uptake is 
critical. A commenter further stated that this rule requires payers to 
build a new API and share information with providers without asking 
providers to contribute or share information with payers, which they 
believe will lead to a breakdown in communication between providers and 
payers.
    Response: As discussed previously, the technical requirements for 
the Provider Access API align almost identically with those already 
established for the Patient Access API (85 FR 25510) that impacted 
payers are currently required to maintain. We also emphasize that our 
recommended IGs will provide further clarity for payers on how to 
implement the APIs, thus reducing some of the implementation burden. As 
we discuss in section II.B.3., we are not being prescriptive as to how 
impacted payers implement their attribution and opt out processes, so 
that they can design processes that work best for them. We believe that 
all parties will see the benefit of improved data exchange facilitated 
by the Provider Access API. Because this final rule does not prohibit 
it, impacted payers may also decide to require providers to share 
certain data with them as part of their network/enrollment 
requirements. In fact, we understand that such requirements already 
exist in some situations. However, should payers implement such 
polices, we expect that they would do so only to the extent that it 
would benefit patient care and not add provider burden. We strongly 
encourage payers to carefully weigh any expected benefits against this 
potential burden. Finally, the Health IT Certification Program has 
already established requirements for FHIR APIs in EHR systems, which 
creates the capability for providers to make data available to payers 
via FHIR APIs. Using those APIs would allow payers to implement any 
requirements in a way that imposes minimal burden on providers.
    Comment: A commenter recommended that CMS explain whether only 
providers, not EHR vendors, can trigger a request for patient records.
    Response: We are only requiring impacted payers to make patient 
data available to in-network or enrolled providers. Vendors are not 
permitted to request data for themselves, as they are not providers and 
thus cannot meet the criteria for making such a request. However, an 
EHR vendor may request the patient data via the provider's system at 
the behest of a provider who is eligible to request the data, with 
appropriate authentication and if consistent with other applicable law.
e. Data Content
    Comment: Multiple commenters recommended that CMS streamline the 
proposed required data to limit duplicative information and potentially 
overwhelming providers. A commenter recommended that CMS initially 
focus the Provider Access API on sharing claims data before introducing 
other

[[Page 8795]]

types of data. Another commenter recommended that CMS consider the 
burden that this proposal may place on providers if they must maintain 
multiple versions of USCDI and whether it would even be feasible for 
their EHR to support this.
    Multiple commenters, however, suggested additional data that should 
be made available via the Provider Access API. Some commenters 
suggested that to facilitate a simpler prior authorization request 
process, CMS consider requiring payers to make patients' insurance 
coverage information readily available to providers through the 
Provider Access API. A commenter recommended that patient data 
collected by payer-owned providers and health service companies also be 
included in the Provider Access API.
    Response: We understand the concern over duplicative information, 
and it is not our intention to increase provider burden. Under this 
final rule, we are only requiring the exchange of data that are already 
structured, meaning they can be received by the provider's system in a 
standardized format with defined data attributes--this includes data 
classes and data elements in the USCDI and FHIR resources (see more 
discussion of how we define structured documentation in section 
II.A.2.a.ii. of this final rule). Most EHR systems use standardized 
clinical data in their systems today and, if certified under the ONC 
Health IT Certification Program, are also required to use the data 
classes and data elements in the content standard at 45 CFR 170.213 
(USCDI). There are IT solutions available for providers' EHRs or 
practice management systems, such as Substitutable Medical 
Applications, Reusable Technologies (SMART) on FHIR apps, that can make 
the data received via the Provider Access API actionable and avoid 
duplicative information. Further, for administrative ease and 
consistency, we are keeping the required types of data consistent 
(excluding provider remittances and patient cost-sharing information, 
as explained elsewhere in this final rule) with those required under 
the Patient Access API. We did not propose to include patients' 
insurance coverage information, to which providers should already have 
access through existing channels with payers or from patients 
themselves. However, a Health Insurance Information data class has been 
added to USCDI v3, and includes the data elements Coverage Status, 
Coverage Type, Relationship to Subscriber, Member Identifier, 
Subscriber Identifier, Group Identifier, and Payer Identifier.\39\ As 
payers adopt USCDI v3 (as required after January 1, 2026, under the 
regulations at 45 CFR 170.213), this information would be required to 
be available.
---------------------------------------------------------------------------

    \39\ Office of the National Coordinator for Health Information 
Technology (ONC) (2023). Health Insurance Information. Retrieved 
from https://www.healthit.gov/isa/uscdi-data-class/health-insurance-information#uscdi-v3.
---------------------------------------------------------------------------

    We remind impacted payers that if there is additional information 
beyond that which we are requiring that they do or can share with 
providers, they can use the Provider Access API as a mechanism for 
sharing that information, as permitted by applicable law. To the extent 
that impacted payers maintain patient data (per the CMS 
Interoperability and Patient Access final rule [85 FR 25536]) collected 
by payer-owned providers and health service companies, only the data 
elements specified in this final rule are included in the Provider 
Access API requirements.
    Comment: A commenter recommended that CMS support the development 
of content and technical standards for prior authorization decisions 
that can be incorporated into IGs for testing before requiring 
inclusion of prior authorization information in the Provider Access 
API.
    Response: Our recommended IGs (listed in Table H3) are currently in 
production and several versions of the IGs have been updated since 
publication of the proposed rule. Additionally, the recently published 
PDex IG STU 2.0.0 specification includes a prior authorization profile 
that enables payers to communicate prior authorization decisions and 
changes to the status of a prior authorization requests. The process 
for IG development is open and we encourage industry engagement in 
their further development via opportunities such a HL7 FHIR 
Connectathons.
    Comment: A commenter recommended that CMS require USCDI v3, since 
the proposed Provider Access API would not be implemented until 2026. 
The commenter stated that the USCDI v1 does not have digital data 
standards for social determinant of health (SDOH), sexual orientation 
and gender identity (SOGI), nor other data standards important for 
public health capabilities, and this could be a missed opportunity to 
drive national digital data standardization in this area. The commenter 
suggested this requirement would create a business case and drive 
adoption of standards and a move by industry to align.
    Response: At the time the proposed rule was published, USCDI v1 was 
the only standard included at 45 CFR 170.213. The HTI-1 final rule, 
however, finalized that USCDI v1 expire on January 1, 2026, and also 
adopted USCDI v3 at 45 CFR 170.213 (89 FR 1210). Both versions will be 
available USCDI versions at 45 CFR 170.213 until January 1, 2026. Until 
this date, payers may meet the Provider Access API requirements by 
sharing all data classes and data elements in either USCDI v1 or v3. 
After January 1, 2026, payers must make available all data classes and 
data elements in USCDI v3. ONC accepts submissions from the public for 
new USCDI data classes and data elements through the USCDI ONC New Data 
Element and Class (ONDEC) Submission System \40\ and regularly 
publishes updated versions of the USCDI.\41\ Any change in a content 
standard at 45 CFR 170.213 will go through notice-and-comment 
rulemaking. Impacted payers are permitted to voluntarily use updated 
standards, specifications, or IGs that are not yet adopted in 
regulation for the APIs discussed in this final rule, should certain 
conditions be met. We specifically encourage impacted payers to make 
all data classes and data elements available from more advanced 
versions of the USCDI prior to the expiration date. We refer readers to 
section II.G.2.c. of this final rule for a full discussion on using 
updated standards.
---------------------------------------------------------------------------

    \40\ Office of the National Coordinator for Health Information 
Technology (ONC) (n.d.). USCDI ONDEC (ONC New Data Element and 
Class) Submission System. Retrieved from https://www.healthit.gov/isa/ONDEC.
    \41\ Office of the National Coordinator for Health Information 
Technology (ONC) (n.d.). United States Core Data for 
Interoperability (USCDI). Retrieved from https://www.healthit.gov/isa/united-states-core-data-interoperability-uscdi.
---------------------------------------------------------------------------

    Comment: A commenter noted that while there is a FHIR resource for 
a scheduled appointment, it is not included in USCDI v1, which means a 
provider cannot send an appointment even when they have implemented the 
latest version of USCDI. The commenter stated that adding that element 
would require additional EHR vendor development.
    Response: All data classes and data elements included in a content 
standard at 45 CFR 170.213 (USCDI) for dates of service after January 
1, 2016, maintained by the payer are required to be made available to 
the provider who requests them (assuming all other applicable 
requirements specified in this final rule are met). Whether or not a 
scheduled appointment data element is included in USCDI has no bearing 
on how API developers use the Scheduling

[[Page 8796]]

and Appointment FHIR Resources for other purposes.
    Comment: Multiple commenters disagreed with the proposal to require 
payers to include clinical documentation and forms related to a prior 
authorization, with one noting that this information will be 
duplicative of the clinical information in a person's medical record. 
Another commenter stated that clinical documentation is often submitted 
to payers in the form of lengthy PDF documents, and sometimes by fax, 
making manually translating these data into FHIR challenging and 
infeasible to do within the proposed 1 business day timeframe. A 
commenter recommended that CMS explain whether payers have to convert 
clinical documentation submitted by providers by fax or in PDF or JPEG 
file formats into FHIR. A commenter recommended that CMS require the 
same discrete data element standards that the agency applied to the 
original Patient Access API to the Provider Access API, since 
distributing patient clinical attachments to all requesting clinicians 
raises concerns under the HIPAA minimum necessary standard. The 
commenter stated that an alternative is that providers could share 
clinical attachments as needed through clinician data sharing 
consultation and collaboration. However, a commenter recommended that 
CMS should include the administrative and clinical documentation 
requirements and require specific information for prior authorization 
data.
    Response: After reviewing the comments, we agree that the burden of 
requiring payers to make unstructured documentation (as explained in 
section II.A.2.a.ii. of this final rule) available via the Provider 
Access API outweighs the benefits such documentation would provide. 
Thus, like for the Patient Access API, we are finalizing a requirement 
that the Provider Access API include only structured administrative and 
clinical documentation related to the prior authorization requests.
    As with the Patient Access API, documentation received in an 
unstructured format does not need to be parsed and converted to 
structured data for the purposes of inclusion in the Provider Access 
API. However, if a payer does parse the unstructured documentation to 
store the contained data in a structured format, that structured data 
would then be ``maintained'' by the payer, as defined in the CMS 
Interoperability and Patient Access final rule (85 FR 25538). For 
example, a payer may receive and maintain an unstructured PDF that 
contains lab results. If a payer maintains those lab results in a 
structured format, they would be required to share them under this 
final rule. If they are maintained in an unstructured format, they 
would not.
    We recognize that unstructured administrative and clinical 
documentation could be important to help providers understand certain 
prior authorization requirements, so we encourage payers to make that 
information available when possible. Furthermore, the policy we are 
finalizing would require payers to make available any documentation or 
materials that the provider sends to the payer to support a decision 
that are received in a structured format. Since we are finalizing that 
only structured documentation be made available, and structured 
documentation are formatted in a way that makes them easily 
transmissible between systems, our final policy should place 
significantly less burden on payers than our proposal, while still 
giving providers access to information about their prior authorization 
processes.
    It is important for payers to make available the specific clinical 
data at which they are looking to make a determination on the prior 
authorization request, even if that information may be elsewhere in the 
patient's record. As to the commenter concerned about clinical 
attachments and the HIPAA Privacy Rule's minimum necessary standard, we 
refer them and all readers to section II.B.3.b.ii. of this rule for 
more discussion about the HIPAA Rules.
    Comment: A commenter sought clarification on whether the data 
sharing requirement applies to only claims and encounter data that are 
available at the time of the request, reasoning that if so, it could 
avoid any inappropriate pressure on providers to submit claims 
immediately after the provision of an item or service.
    Response: Per the CMS Interoperability and Patient Access final 
rule (85 FR 25536), payers are only required to share data that they 
maintain as part of their normal operations. Nothing in this final rule 
would change that existing policy that payers are not required to reach 
out to providers or other entities to gather data that they do not 
maintain, if it is not part of their normal operations, in order to 
share via the Provider Access API.
f. Provider Remittances and Cost-Sharing Information
    Comment: Multiple commenters agreed with CMS's proposal to not 
require payers to make available provider remittances and patient cost-
sharing information, as it would likely only have a limited beneficial 
impact on care. A commenter stated the cost-related data currently 
available via from the Patient Access API are not very clear, which 
could lead to different implementations and increased ambiguity when 
implementing the Provider Access API. A commenter warned that 
implementers are inconsistent, with some sending Explanation of 
Benefits (EOB) scrubbed of the item level detail, whereas others 
exclude EOBs altogether and only provide clinical data.
    Response: Regardless of whether provider remittance information or 
cost-sharing information are truly confidential or proprietary 
information protected from disclosure under Federal law (which we do 
not address here), excluding such data from the Provider Access API is 
appropriate. Thus, if commenters believe that cost-sharing information 
would largely not be helpful information for providers to have access 
to, then we emphasize that sharing this information is not a 
requirement for the Provider Access API. We further agree with 
commenters that including this information in the Provider Access API 
will have limited benefit for treatment or care coordination. This rule 
does not prohibit payers from sending that information. Therefore, if a 
payer believes that implementing their Provider Access API in such a 
way that includes provider remittances and patient cost-sharing 
information would provide benefit or reduce burden, they are not 
prohibited from doing so under this rule, and may do so consistent with 
other applicable laws.
    Comment: Multiple commenters urged CMS to reconsider excluding 
cost-sharing information from the Provider Access API because providers 
with access to this information can make more informed decisions 
regarding patient care by incorporating cost into treatment plans, and 
in turn, maintain a good provider-patient relationship. A commenter 
encouraged CMS to examine standards-based, patient-facing, and real-
time benefit check capabilities that can be facilitated by patient 
cost-sharing information. A commenter also cautioned that excluding 
provider remittances and cost information conflicts with the cost-
sharing information needed to enable Good Faith Estimates (GFE) under 
the No Surprises Act (NSA), which was enacted as part of the 
Consolidated Appropriations Act, 2021 (CAA).\42\ They suggested that 
the rule be revised to

[[Page 8797]]

allow necessary cost-sharing information required under the NSA. 
Another commenter highlighted that providers must be able to calculate 
sustainable total cost of care for patients attributed to them as part 
of value-based payment models.
---------------------------------------------------------------------------

    \42\ Public Law 116-260 (December 27, 2020).
---------------------------------------------------------------------------

    Multiple commenters proposed potential solutions to facilitate the 
sharing of cost-sharing information. A commenter suggested that CMS 
consider a bi-directional exchange mandate (as opposed to one-way 
provider access to payer data) to cover payment and operations, in 
addition to treatment. A commenter suggested that it does not make 
sense to restrict patient cost-sharing information since it is 
available in the X12 270/271 transaction standard. The commenter stated 
the Provider Access API can potentially replace the need for a separate 
270/271 transaction and instead incorporate the information in 270/271 
transactions. Another commenter expressed that modifications could be 
made to the CARIN IG for Blue Button to align with the proposed 
requirement to remove remittances and cost-sharing data from the FHIR 
transaction.
    Response: While we appreciate the various suggestions we received; 
we did not propose any related policies because the primary purpose of 
our Provider Access API policies is to improve the exchange of data for 
health care treatment. We acknowledge that some providers may find cost 
information helpful for gaining a clearer picture of a patient's 
financial situation. However, there is nothing prohibiting a provider 
from discussing the costs of various items or services and comparing 
the costs when furnished in-network and out-of-network to help a 
patient understand how to limit their out-of-pocket costs. Further, in-
network or enrolled providers should be generally aware of the costs of 
various treatments, as their contracts would address payment amounts 
and conditions of payment for services furnished by that provider to a 
covered individual. We finally note that the GFE provision of the NSA 
relates to prospective costs, rather than cost information from past 
claims; that provision is beyond the scope of this final rule.
    Comment: A commenter stated that the CARIN IG for Blue Button will 
require updates to support CMS's proposal to remove remittances and 
cost-sharing data from the FHIR transaction for the Provider Access 
API.
    Response: Further development is currently underway on the CARIN IG 
for Blue Button, which is one IG that we are recommending to support 
the Patient Access, Provider Access, and Payer-to-Payer APIs (see Table 
H3 in section II.G.4. of this final rule). These developments will 
support exchanging information without provider remittances and patient 
cost-sharing information.
    Comment: A commenter supported CMS's effort to establish the 
infrastructure needed to support payment reform and value-based care 
initiatives via the Provider Access API, stating that these initiatives 
are critical to reducing the costs of health care delivery while 
maximizing quality for Medicare enrollees. Multiple commenters stated, 
however, that the Provider Access API does not facilitate sharing the 
complete set of information needed by providers for participation in 
value-based care programs and recommended that CMS prioritize 
additional information, such as financial targets, spending, 
coordination of care payments, payer-generated attributed 
beneficiaries, and cost performance reporting. They believe these would 
allow a better exchange of value-based care payment models' summary-
level data. A commenter recommended that ONC and CMS encourage industry 
to prioritize APIs to exchange information that would reduce 
administrative burden and lead to value-based care scalability.
    Response: We did not propose to include cost information for value-
based care, as the primary goal of the Provider Access API is to give 
providers both immediate and direct access to patient data in order to 
improve patient care. However, we remind impacted payers that they can 
use the API to exchange additional data, should they so choose. We 
agree that FHIR APIs have the potential to support participation in 
value-based care programs, as these initiatives are critical to 
reducing the costs of health care delivery while maximizing quality for 
patients. We will continue to explore ways to leverage FHIR APIs to 
achieve CMS and broader HHS priorities. The requirements in this final 
rule are a critical foundation for this future work.
g. Prior Authorization Data
    Comment: Multiple commenters supported including prior 
authorization information in the data made available through the 
Provider Access API, noting that it would help future providers 
understand the patient's current health status more quickly and better 
meet their care needs, increase transparency, and reduce burden on 
patients and providers. A commenter stated that adding prior 
authorization information to the Provider Access API will enhance 
functionality and incentivize use of the API.
    Response: We thank commenters for their support and agree that 
giving providers access to the same prior authorization data as 
patients will have a positive impact on patient care.
    Comment: Multiple commenters recommended not including ``the 
quantity of services used'' due to delays in claims processing. A 
commenter recommended that CMS include just the approved number of 
units.
    Response: In response to commenter feedback to both the Provider 
and Patient Access API proposals, we are finalizing our proposal with 
the modification that ``quantity of approved items or services used to 
date'' will not be a required field. We refer readers to section 
II.A.2.a.ii. of this final rule for a full discussion of our reasoning.
    Comment: A commenter recommended including a standardized comment 
code(s) and comment description(s) for each status update sent to the 
provider to help with future data analysis of prior authorization 
improvements and tracking quality metrics.
    Response: While we consider five basic statuses (pending, active, 
denied, expired, authorization not required) to cover the general scope 
of a prior authorization requests and decisions, we do not intend to 
prescribe or delineate the exact statuses that payers must use. The 
requirement for the Provider Access API (and the other APIs in this 
rule) to include the status of the prior authorization is intended to 
provide information to the provider, patient, or other payer that is 
using the API to access this information. Therefore, compliance with 
the requirement is not based on using specific terms, but on providing 
clear information. We refer readers to section II.A.2.a.ii. of this 
final rule for a full discussion on prior authorization status 
definitions.
    Comment: A commenter recommended that CMS crosswalk the required 
types of data for the Provider Access API with the other proposed APIs 
to avoid duplication, such as having to include supporting 
documentation through the Provider Access API, even if it is available 
via the Prior Authorization API.
    Response: If the commenter is recommending that the Provider Access 
API make available a mutually exclusive set of data from the Prior 
Authorization API to avoid confusion, then we note that Prior 
Authorization API will not have prior authorization data from other 
providers. We refer readers to section II.D. of this final rule for our 
full

[[Page 8798]]

discussion of the Prior Authorization API requirements. We further 
intend to provide educational resources related to all the APIs in this 
final rule. We are not finalizing our proposal that related 
unstructured administrative and clinical documentation be included in 
the prior authorization data that impacted payers would have to make 
available to providers via the Provider Access API.
    Comment: A commenter recommended including the following additional 
data elements related to prior authorization: timestamps of any change 
in the status of the prior authorization; date/time received, reviewed, 
denied/approved; how the decision was made; software tools/artificial 
intelligence (AI) tools used; and persons involved in making the prior 
authorization decision. Another commenter stated that prior 
authorization metrics should be available via the Provider Access API 
to give providers an aggregated view of their attributed patients' 
prior authorizations. A commenter also recommended that CMS should 
require payers to make available through the Provider Access API 
contact information for the entity responsible for managing the payer's 
prior authorization program.
    Response: While these specific additional data and functionalities 
may provide value to some providers at this time, we do not believe 
that the value outweighs the additional effort impacted payers would 
need to expend to add these data and functionalities to the Provider 
Access API. The PDex IG STU 2.0.0, which has been published since the 
publication of the CMS Interoperability and Prior Authorization 
proposed rule, states that payers using this IG shall make available 
pending and active prior authorization decisions and related clinical 
documentation and forms for items and services (not including 
prescription drugs), including the date the prior authorization was 
approved, the date the authorization ends, as well as the units and 
services approved and those used to date. It also requires a creation 
date, issued date, and specific codes relevant to the approval 
status.\43\ However, as discussed in section II.G., we are not yet 
ready to require this IG. We are thus prioritizing the data that are 
most important and useful at this time for clinical decision-making in 
proximity to a patient visit. To use one commenter's example, requiring 
payers to provide contact information for the entity responsible for 
managing the payer's prior authorization program would be duplicative, 
as providers who have a contractual relationship with the payer should 
already be aware of whom to contact regarding their prior authorization 
submissions. Providers can also use the Prior Authorization API to 
obtain this information. We remind impacted payers, however, that they 
may choose to include additional information if they believe it adds 
value to patients, providers, or themselves and their own processes. 
FHIR inherently provides flexibility to include additional information 
without reducing interoperability and the associated IGs are designed 
to both require and constrain specific elements identified as core to 
the IG's use case. We encourage the public to engage in the HL7 
balloting process \44\ to provide feedback on data elements they 
believe would be most widely useful and applicable.
---------------------------------------------------------------------------

    \43\ Health Level Seven International (2020). Da Vinci payer 
data exchange STU 2.0.0. Retrieved from https://build.fhir.org/ig/HL7/davinci-epdx/.
    \44\ Health Level Seven International. HL7 Balloting (n.d.). 
Retrieved from https://confluence.hl7.org/display/HL7/HL7+Balloting.
---------------------------------------------------------------------------

    Comment: A commenter recommended that sharing prior authorization 
information through the Provider Access API be required, even if the 
patient opts out.
    Response: We certainly agree with the benefits of providers having 
access to prior authorization information via an API and note that 
providers will have access to the Prior Authorization API. Providers 
will thus have access to these data for prior authorization requests 
that they make, regardless of whether the patient has opted out of the 
Provider Access API. We refer readers to section II.D.2.c. of this 
final rule for our discussion on patient opt out and the Prior 
Authorization API.
    Comment: A commenter urged CMS to require impacted payers to 
provide a statement through the Provider Access API when they are not 
requiring a prior authorization for an item or service. The commenter 
stated that this will ensure a level of transparency and paper trail 
between payer and provider.
    Response: This information will be available through the Prior 
Authorization API, so does not need to be included in the Provider 
Access API. We refer readers to section II.D. of this final rule for 
our full discussion of the Prior Authorization API requirements and 
section II.A.2.a.ii. for that of prior authorization statuses.
    Comment: A commenter encouraged CMS to work with impacted payers to 
ensure the supporting data fields of laboratory test results, clinical 
data, and a specific reason for a denial are standardized to ensure 
information is consistent across sources. They urged CMS to work with 
payers, providers, and patients to determine the balance of data 
included in the requirements and provide the needed clarification and 
guidance to all parties.
    Response: As explained in section II.B.2.e. of this final rule and 
in more detail in section II.A.2.a.ii. of this final rule, we are 
finalizing a requirement for payers to share only data that are already 
structured, which include laboratory test results, clinical data, and a 
specific reason for a prior authorization denial. We also remind 
readers that payers are not obligated under this rule to parse or 
convert documentation received in an unstructured format for the 
purposes of inclusion in the Provider Access API. However, they may 
choose to do so. We will continue to work with interested parties to 
ensure that all parties benefit from the data sharing requirements we 
are finalizing and explore possible enhancements to our policies that 
require API development or enhancement in future rulemaking.
h. Data Availability
    Comment: A commenter stated that prior authorization information 
should be available from the entire duration of the patient's history 
and not just for 1 year after the last status change because it would 
improve transparency in decision-making for providers.
    Response: Like with the Patient Access API, we believe that 1 year 
after the last status change is the appropriate amount of time to 
require payers to make historical prior authorization information 
available to providers. While historical information can certainly 
affect and be useful in improving patient care, we believe that 
historical claims and clinical data are more important to providers 
than information about prior authorizations that have expired or been 
denied more than a year in the past. Furthermore, our policy allows 
payers to make these prior authorization data available for longer than 
1 year, if they believe it adds value to patients, providers, or 
themselves and their own processes. To inform ongoing long-term care, 
any active prior authorizations must be included, even if they have 
been in that status for more than a year.
    Comment: A commenter supported the payer maintaining patient health 
data and making available any data to the provider with a date of 
service on or after January 1, 2016. A commenter recommended that CMS 
explain whether all data included in this rule will be subject first to 
corporate data retention standards, then retained from January 1, 2016, 
to present. Another

[[Page 8799]]

commenter sought clarification as to whether CMS's intention is to 
include all data since 2016 and not only the last 5 years.
    Response: We remind impacted payers that the policy we are 
finalizing aligns with the similar one finalized in the CMS 
Interoperability and Patient Access final rule: \45\ the data available 
through the Provider Access API are data with a date of service on or 
after January 1, 2016 maintained by the payer. By ``maintained,'' we 
mean data that are maintained as part of normal operations, as is 
currently the policy for the Patient Access API under the CMS 
Interoperability and Patient Access final rule.
---------------------------------------------------------------------------

    \45\ See 42 CFR 422.119(h)(1)(i) for MA organizations, 
431.60(g)(1)(i) for Medicaid FFS, and 457.730(g)(1)(i) for CHIP FFS, 
cross reference to 42 CFR 431.60 at 42 CFR 438.242(b)(5) for 
Medicaid Managed Care, cross reference to 42 CFR 438.242 at 42 CFR 
457.1233(d) for CHIP Managed Care, and 45 CFR 156.221(i)(1) for QHP 
issuers on the FFEs.
---------------------------------------------------------------------------

    We did not propose a policy for impacted payers to make data 
available only from the previous 5 years in either the proposed rule or 
the CMS Interoperability and Patient Access final rule, nor did we 
receive comments specifically in favor of shortening the timeframe to 5 
years. However, we also recognize that the data a payer maintains 
dating back to January 1, 2016, could be a substantial amount and, 
depending on the capabilities of the provider's EHR or practice 
management system, potentially more than some providers will need. We 
remind providers that this final rule does not obligate them to 
incorporate data they access via the Provider Access API into their 
patient's record. While we are finalizing our proposal to require 
impacted payers to make available via Provider Access API any of the 
applicable patient data with a date of service on or after January 1, 
2016, that the payer maintains, we will closely monitor whether this 
timeframe is appropriate, to inform possible future rulemaking.
i. Response Timeframe for Requested Data
    Comment: Multiple commenters expressed their support for the 
proposal to require payers to share the requested patient data no later 
than 1 business day after the payer receives the request. A commenter 
stated this will enable the provision of historical health care data 
and may affect current care recommendations. Multiple other commenters 
sought clarification on whether the proposed 1 business day turnaround 
time for a payer to respond to a provider's request for patient data 
included time for payers to complete an authentication of the 
provider's identity and the provider-patient treatment relationship.
    Multiple commenters recommended that CMS increase the amount of 
time payers have to respond to providers' data requests. 
Recommendations included suggestions to establish a two-day response 
time to balance timely access to information and reduce the operational 
burden and cost of the requirement. Commenters also noted that not all 
provider systems are FHIR-enabled and that could lead to longer data 
exchange times. A commenter stated that because of CMS's technical 
standards, specifications, and IG requirements, payers will likely need 
more time than one day to comply with CMS's proposed requirements. They 
believe that payers may need additional time to establish technical 
connections and contractual terms for a first-time request from a 
provider.
    However, other commenters believed the time for payers to respond 
to the data request should be decreased from 1 day and that the 
response should come as soon as possible, to be real-time or near real-
time. A commenter sought clarification from CMS as to why 1 business 
day is allowed for the payer to respond to a request, particularly if 
the initial request is being transmitted during a patient visit. The 
commenter continued that real-time responses should be expected from 
new technology. Another commenter stated having real-time data would 
help providers see a more complete view of a patient's complete care 
history. A commenter warned that, often, providers and patients review 
data during a visit and that delayed access to the data could undermine 
efforts to promote care coordination and provider-patient engagement. A 
commenter also recommended that CMS consider requiring that the 
requested data be provided within 1 calendar day to accommodate 
facilities that have 24/7 operations, like SNFs.
    Response: We foresee providers needing access to the specified data 
in order to review them in proximity to a patient visit. Thus, we do 
not believe that the turnaround time should be greater than 1 business 
day. We specify in the regulation that a payer must make the data 
available through the Provider Access API no later than 1 business day 
after receiving a request from the provider, if all the following 
conditions are met:
     The payer authenticates the identity of the provider that 
requests access and attributes the patient to the provider under the 
required attribution process;
     The patient does not opt out of the Provider Access API; 
and
     Disclosure of the data is not prohibited by law.
    Authenticating the identity of the provider will include confirming 
that the requesting provider is in-network or enrolled with the payer 
and the attribution process will include confirming that a verified 
treatment relationship exists. The technical standards at 45 CFR 
170.215 set requirements for identity proofing and authentication 
processes that must be met in order for a provider's EHR or practice 
management system to connect to the Provider Access API and access a 
patient's data (see section II.B.2.k. for more discussion on 
authorization and authentication). Those standards allow authentication 
to be completed within 1 business day, if not immediately, when the 
provider accesses their system via login. Impacted payers can also 
verify the patient-provider treatment relationship before the provider 
request. In fact, payers are permitted and highly encouraged to design 
their attribution processes to verify treatment relationships 
prospectively. We believe that the patient relationship can be verified 
for the vast majority of providers who will be requesting data via the 
Provider Access API either ahead of time or relatively quickly. 
However, we recognize that this may be difficult, if not impossible, 
for a new patient's first visit because there will be no claims history 
between that patient and the provider. Thus, there might be instances 
where the conditions previously mention may take longer to be met for 
some data requests. We strongly encourage impacted payers to ensure 
completion of these steps in a reasonable amount of time, so the 
provider can make use of the data they are requesting.
    While we appreciate the commenters who pointed out that some 
providers might need the patient information as soon as possible or in 
real time, we also believe that requiring that standard would cause 
undue burden on impacted payers. We nonetheless encourage payers to 
make data available to requesting providers as soon as they are able.
    We are therefore finalizing our proposal that impacted payers 
respond to a provider's request for patient data no later than 1 
business day after the payer receives the request if all conditions are 
met. This timeframe adequately balances a provider's need for timely 
data with impacted payers' capability to make data available. Further, 
as discussed in detail in section II.A.2.a.ii. of this final rule, we 
are not

[[Page 8800]]

finalizing our proposal for impacted payers to share unstructured 
documentation related to prior authorizations, as sharing such 
documentation would currently be difficult to accomplish in 1 business 
day.
    Comment: A commenter stated that the required response time for the 
Provider Access API could be administratively time consuming because 
the process to determine whether a disclosure is permitted under 
applicable law is a manual process that involves research, review, and 
analysis to determine which laws are applicable to the requester of the 
information, the type of data requested, and the intended recipient. 
Another commenter recommended that CMS consider the extent to which 
payers will be burdened by connecting and testing EHRs to facilitate 
the Provider Access API implementation.
    Response: We are only requiring impacted payers to share data 
elements that are already structured, and are requiring certain mature 
IGs and standards (see Table H3 in section II.G. of this final rule) 
that will enable the Provider Access API to connect to third-party apps 
and/or providers' EHRs or practice management systems. Because of this 
foundation, along with the 2027 compliance dates that we are 
finalizing, payers should have sufficient time to not only test their 
API connections, but also to develop internal processes and train staff 
to make the necessary determinations of which of the known and 
structured data are permitted to be shared via the Provider Access API. 
For instance, impacted payers may use this time to develop processes 
that flag certain data elements--as the payer receives them--as those 
that may require special permissions or are prohibited to disclose 
under other law. Such processes can ease any manual review and 
decision-making that might be necessary when a provider requests 
patient data.
    Comment: A commenter recommended that CMS make it clear that the 
provider must request access to patient data and attest to their 
treatment relationship with the patient at the time of connection.
    Response: While payers might utilize a process for providers to 
attest to a treatment relationship at the time of the data request, we 
did not propose, nor are we finalizing such a requirement. This is not 
the only way to attribute patients, but impacted payers are certainly 
permitted to utilize a provider attestation as part of their 
attribution process (discussed in section II.B.3.a. of this final 
rule). Our regulations do not prohibit using an attestation where 
another law that permits disclosure requires an attestation.
    Comment: Multiple commenters sought clarification on whether CMS's 
1 business day proposed requirement complies with the 21st Century 
Cures Act (Pub. L. 114-255, Dec. 13, 2016) (Cures Act) around 
information sharing ``without delay.''
    Response: We refer readers to section II.A.2.a.iii. of this final 
rule for a discussion of how our timeline requirements relate to ONC 
information blocking regulations.
    Comment: A commenter recommended that CMS require payers to notify 
providers once they have received a request and the specific date a 
provider should expect to receive information in response.
    Response: While we did not propose such a requirement, it would be 
good practice for the payer to verify that they have received the 
request for patient data from the provider. We expect payers to have a 
process for providers to track their requests. Additionally, it would 
benefit providers for them to receive a notification if the patient 
cannot be attributed to them. In the DPC pilot, participating providers 
have the ability to request data for a patient with whom they have no 
prior treatment relationship, however they will receive a response with 
no data if they do so.
j. Interaction With HIPAA Privacy, Security, and Administrative 
Transaction Rules
    Under our policies, all data shared and received via the Provider 
Access API must be handled in a way that is consistent with all 
applicable laws and regulations. Payers and health care providers that 
are covered entities under the HIPAA Rules \46\ are subject to the 
HIPAA Privacy and Security Rules.\47\ Adherence to both the HIPAA 
Privacy and Security Rules helps to ensure that the covered entity 
disclosing patient data through the Provider Access API has appropriate 
security protocols in place. These include, but are not limited to, 
administrative and technical safeguards, such as security management 
processes; \48\ access controls; \49\ and audit controls.\50\ 
Regardless of whether a provider meets the definition of a covered 
entity under the HIPAA Rules at 45 CFR 160.103, there may be state laws 
that require certain privacy and security protections for an HIE. 
Additionally, other laws, such as the regulations that focus on 
confidentiality of substance use disorder patient records at 42 CFR 
part 2 or state privacy laws, may require the payer to obtain the 
enrolled individual's permission to disclose certain health 
information. We requested comment on any other considerations regarding 
state privacy or other laws that may be implicated by our proposals.
---------------------------------------------------------------------------

    \46\ Under the HIPAA Rules at 45 CFR 160.103, a ``covered 
entity'' includes a health care provider who transmits any health 
information in electronic form in connection with a transaction 
covered by the subchapter. See also definitions of health care 
provider and transaction at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103.
    \47\ 45 CFR parts 160 and 164, subparts A, C, and E. Department 
of Health and Human Services (2022). Security Rule Guidance 
Material. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es.
    \48\ See 45 CFR 164.308(a)(1).
    \49\ See 45 CFR 164.312(a).
    \50\ Under the HIPAA Rules at 45 CFR 160.103, a ``covered 
entity'' includes a health care provider who transmits any health 
information in electronic form in connection with a transaction 
covered by the subchapter. See also definitions of health care 
provider and transaction at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103.
---------------------------------------------------------------------------

    Commenters provided many thoughts and recommendations related to 
the Provider Access API's intersection with existing privacy laws, 
including the HIPAA Privacy Rule. We thank the commenters for their 
perspectives and will use the feedback to inform future guidance, 
educational resources, and/or rulemaking. We remain committed to 
safeguarding patient information across the health care industry. Our 
policies provide an opportunity to engage patients in their data 
sharing and privacy rights while offering them the opportunity to more 
meaningfully engage with their care.
    Our policies will not alter any obligation for providers or payers 
to comply with applicable law, including obligations for HIPAA covered 
entities to follow the HIPAA Rules. Such other applicable law includes, 
but is not limited to, standards regarding the use and disclosure of 
PHI, administrative, physical, and technical safeguards and other 
security provisions, and breach notification. The minimum required 
security framework of the Provider Access API is specified in the 
technical standards at 45 CFR 170.215 and will allow payers to verify 
the requesting provider's identity by using the required authorization 
and authentication protocols. Authorization refers to the process by 
which the payer gives the provider permission to access data. The 
authentication protocols are those that allow the payer to verify the 
identity of the requesting provider. In addition to using these 
required protocols, the payer will be required to share the specified 
data only if it can also attribute the patient to the provider

[[Page 8801]]

using an attribution process, as discussed in section II.B.3.a. of this 
final rule. While FHIR itself does not define security-related 
functions, used in combination with appropriate security controls (such 
as authentication and access control), a FHIR API can and should be 
implemented in compliance with the HIPAA Security Rule for secure data 
exchange.\51\
---------------------------------------------------------------------------

    \51\ Health Level Seven International (2022). FHIR Security. 
Retrieved from http://www.hl7.org/Fhir/security.html.
---------------------------------------------------------------------------

    Under section 1173(a) of HIPAA, the Secretary is required to adopt 
standards for specific financial and administrative transactions and 
may adopt standards for other financial and administrative 
transactions. Although our policies will facilitate sharing claims data 
from payers to providers for the purpose of helping to improve patient 
care, the FHIR API data transmission will not be subject to HIPAA 
transaction standards because the purpose of the exchange would not be 
to request or issue a payment.\52\ We also did not propose a mechanism 
to report health care encounters in connection with a reimbursement 
contract that is based on a mechanism other than charges or 
reimbursement rates for specific services.\53\ The Secretary has not 
adopted a HIPAA transaction standard applicable to transmitting claims 
or encounter information for a purpose other than requesting or issuing 
payment, thus HIPAA administrative simplification standards do not 
apply to the Provider Access API.\54\
---------------------------------------------------------------------------

    \52\ See 45 CFR 162.1101(a).
    \53\ See 45 CFR 162.1101(b).
    \54\ See 45 CFR 162.923(a).
---------------------------------------------------------------------------

k. Technical and Standards Considerations
    Comment: Multiple commenters recommended that CMS detail the 
requirements for the Provider Access API, with many offering that the 
rule should describe the workflow, authorization, provider 
authentication, and attribution processes in more detail. They 
cautioned that without a standardized governance framework and legal 
terms, it will be unreasonable to expect payers and providers to 
establish connections and respond to requests within a set timeframe 
since they will need to negotiate bespoke agreements.
    Multiple commenters stated that CMS's proposed standards and 
recommended IGs are insufficient for the Provider Access API. One payer 
cautioned that this would result in payers struggling to comply with 
the requirements and limited improvements to information exchange. 
Another commenter warned that the lack of endpoint standardization 
between payer and provider systems will likely create technical 
difficulties. A commenter stated that without requiring an IG for the 
Provider Access API, the data will not be standardized and might not be 
able to be directly incorporated into a provider's EHR or practice 
management system. A commenter also noted that the IGs that CMS 
recommends do not include direction for how sensitive data such as 
behavioral health data will be shared and with what privacy guidelines. 
A commenter was additionally concerned that the recommended IGs are not 
enough to support the attribution process.
    Response: We refer readers to section II.G. of this final rule for 
further discussion regarding the required technical standards for the 
Provider Access API and IG maturity. Further, the IGs we are 
recommending, listed in Table H3, are primarily meant to help implement 
the APIs themselves, not to facilitate related payer processes, like 
segmenting sensitive data or the attribution process. We recommend that 
industry look to existing trust community agreements for guidance on a 
standardized governance framework and legal terms. These agreements 
include, but are not limited to TEFCA or others used by state and 
regional HIEs.\55\ We anticipate that affected entities will need to 
adopt new practices and methods to enable data sharing with new trading 
partners, including payers supporting new types of interoperability 
with providers. This final rule affords flexibility to define those 
approaches. We will continue to evaluate and consider specifications 
that are well-adapted to meet the legal and regulatory needs for 
possible future guidance or rulemaking.
---------------------------------------------------------------------------

    \55\ Office of the National Coordinator for Health Information 
Technology (2023). Common Agreement for Nationwide Health 
Information Interoperability. Retrieved from https://www.healthit.gov/sites/default/files/page/2023-11/Common_Agreement_v1.1_FINAL_508_1.pdf.
---------------------------------------------------------------------------

    Comment: A commenter recommended that CMS exercise caution when 
selecting authentication mechanism requirements for the Provider Access 
API and stated that allowing simpler authentication mechanisms may make 
it easier to incorporate into workflows. Another commenter stated that 
it is unclear the extent to which payers would be expected to support 
trust and authentication processes for individual clinicians via the 
OpenID Connect Core standard, versus SMART integration that could rely 
on organization-level authentication. They noted that without 
specificity on workflows for exchange and authentication, 
authorization, and consent processes, payers and developers will need 
to support the numerous permutations that could be adopted by providers 
to address those needs, increasing complexity and burden. The commenter 
acknowledged the specifications developed by the HL7[supreg] Da Vinci 
Project and others have begun to address technical aspects of those 
needs, however, they are not yet mature and, because they are technical 
standards, do not address needed governance agreements.
    Another commenter stated that while the FHIR resources in the 
current Patient Access APIs are mostly reusable, the mechanism for 
providers to access information is entirely different. The commenter 
discussed system authentication and access protocols (OAuth and OpenID 
Connect Core) that are used to enable members to use portal credentials 
to pull data into a third-party app. The commenter mentions that while 
OAuth can and should be used for server-to-server connections to enable 
access to a wider set of data while maintaining security practices, 
current APIs do not have this capability. Therefore, they believe that 
this modification to enable a health care provider to access data on 
multiple patients is a significant change and will require rebuilding 
the FHIR APIs available for provider access.
    Response: Impacted payers are required to use authorization and 
authentication protocols to verify the requesting provider's identity. 
However, there is no single security protocol approach that will 
address all use cases. Additionally, within a single API, implementers 
may need to utilize more than one protocol to address specific 
population and trading partner needs. We are finalizing a modification 
to our proposal to not require the OpenID Connect Core for the Provider 
Access API. However, we are requiring impacted payers to use the SMART 
App Launch IG, which includes the capability to perform authentication 
via OAuth. However, we recognize that other methods such as Backend 
Services Authorization (which is included in both the SMART App Launch 
IG Release 2.0.0 and the Bulk Data Access IG v1.0.0), Mutual Transport 
Layer Security (mTLS), Unified Data Access Profiles (UDAP), or other 
trust community specified means may be appropriate depending on the 
needs.

[[Page 8802]]

    The PDex IG,\56\ which we are recommending payers use to support 
the Patient Access, Provider Access, and Payer-to-Payer APIs (see Table 
H3 in section II.G.4. of this final rule), includes using mTLS for the 
purposes of authentication. We are also supporting efforts to further 
refine the specifications for security (that is, authentication) at 
scale through UDAP via the FAST Security IG and will consider 
recommending this specification in the future. We recognize the 
importance of scalable technologies needed to support secure, 
protected, and authorized connectivity and communication across a wide 
range of interested parties throughout the industry. There are several 
approaches available, including the ones cited by commenters, and 
others implemented by various trust networks operating throughout the 
United States today.
---------------------------------------------------------------------------

    \56\ Health Level Seven International (2020). Da Vinci Payer 
Data Exchange. Retrieved from http://hl7.org/fhir/us/davinci-pdex/STU1/.
---------------------------------------------------------------------------

    Comment: Multiple commenters supported CMS's proposed requirement 
to leverage the Bulk Data Access IG for the Provider Access API, so 
that if a provider has a panel of patients associated with a single 
payer, the payer can share those data asynchronously in one 
transaction.
    Response: We thank commenters for their support of our policies. As 
discussed in section II.G. of this final rule, we are finalizing our 
proposal for impacted payers to use the Bulk Data Access IG at 45 CFR 
170.215(d)(1) to support implementation of the Provider Access API.
    Comment: Multiple commenters recommended that CMS limit the API to 
only individual data requests and that CMS not require the FHIR Bulk 
Data Access specification at this time, but instead consider it at a 
later date after it has been more thoroughly tested by HL7. Multiple 
commenters also stated that more work is needed on the Bulk Data Access 
IG before it is mandated, as it has not been adequately implemented; 
this makes it difficult to assess if it will be able to meet the 
proposed need and timelines.
    Multiple commenters also highlighted concerns with the technical 
functions of the Bulk Data Access IG and noted that large bulk 
downloads could pull time away from more urgent requests. The 
commenters recommended that payers be able to put reasonable limits on 
bulk data requests or that CMS should remove the bulk data transfer 
from the initial requirements. A commenter stated that CMS should only 
require impacted payers to respond to requests for certain patient's 
data quarterly. The commenter stated this would ensure that vendors do 
not set a default of daily retrievals of data that risk sharing more 
patient information than necessary.
    Multiple commenters additionally flagged that payers, especially 
smaller health plans, could struggle to respond to bulk requests within 
the 1 business day response period and that they could be faced with 
significant costs to implement this requirement correctly. A commenter 
stated concern about bulk patient attribution and requested CMS 
clarification and/or limitations on bulk data sharing requirements.
    Response: Bulk data exchange can allow payers to prioritize more 
urgent requests and defer bulk data requests until a later time when 
sufficient system resources can be allocated to create bulk data 
export. However, we remind payers that they are still required to 
comply with the 1 business day timeframe discussed in section II.B.2.i. 
of this final rule. We emphasize that although we are requiring 
impacted payers to support FHIR Bulk Data Access at 45 CFR 
170.215(d)(1) under this final rule, this requirement does not obligate 
them to use it for every data exchange if it is not feasible. However, 
we agree with commenters that impacted payers have leeway to place 
reasonable limits on bulk data requests. At the same time, we also 
believe that the benefits of access to these data outweigh any 
potential concern that vendors will set daily retrievals of data. This 
is because a provider would first need to request the data for 
individual patients, as well as the fact that the Provider Access API 
is better suited to enable discrete provider use when seeing a patient, 
rather than ongoing patient monitoring.
    Comment: A commenter stated that the PDex IG could support the opt 
out process by adding a flag to indicate an attributed member has opted 
out of provider data sharing.
    Response: We appreciate the commenter's suggestion and urge 
impacted payers to explore ways to leverage FHIR IGs for the other 
processes that we are requiring in this rule.
l. Interaction With ONC Policies
    Comment: Multiple commenters made recommendations regarding how CMS 
can work with ONC. They recommended that CMS work with ONC to implement 
additional requirements as part of the ONC Health IT Certification 
Program for developers to implement API interfaces into CEHRT in such a 
way that fits with provider workflow.
    Multiple commenters also recommended that CMS partner with ONC to 
create guidance regarding implementation of the Provider Access API and 
the technical capabilities of payers, EHR vendors, and providers. A 
commenter further suggested that CMS work with ONC to ensure that both 
payers and CEHRT vendors are aligned in the technical capabilities to 
implement Provider Access APIs in a way that does not hamper provider 
workflow and negate efforts to reduce prior authorization burdens.
    Multiple commenters strongly encouraged CMS to work with ONC to 
consider how the Provider Access API could be expanded in future 
rulemaking to support bi-directional, real-time data exchange between 
payers and providers to support patient care and to automate prior 
authorization requests, rather than a one-way data exchange from payer 
to provider. A commenter stated that including such criteria could 
ensure compliance with the ONC Cures Act final rule information 
blocking policies.
    Response: We appreciate commenters' support for leveraging of the 
ONC Health IT Certification Program to ensure APIs are implemented in a 
standardized fashion. We will continue to work with ONC to explore the 
adoption of standards and health IT certification criteria where 
appropriate to streamline data exchange, support interoperability, and 
increase efficiencies associated with the policies in this final rule, 
as well as to align and mutually reinforce all of our respective 
policies.
m. Interaction With Trusted Exchange Framework and Common Agreement
    Comment: Multiple commenters suggested that promoting payer to 
provider information exchange through the TEFCA may be a better path to 
achieve improved data exchange, including that of large-scale data 
sets, between payers and providers, rather than a requirement to 
implement FHIR APIs. A commenter recommended that CMS should 
collaborate with ONC and the Recognized Coordinating Entity (RCE) \57\ 
to determine an approach for payers to fulfill the payer to provider 
exchange requirement by joining the TEFCA network once responses are 
required for requests made as payment and operations exchange purposes, 
as described in the Qualified Health Information Network (QHIN)) 
Technical Framework (QTF).\58\
---------------------------------------------------------------------------

    \57\ The Sequoia Project (2023). What is the RCE? Retrieved from 
https://rce.sequoiaproject.org/rce/.
    \58\ The Sequoia Project (2022). Trusted Exchange Framework and 
Common Agreement QHIN Technical Framework (QTF). Retrieved from 
https://rce.sequoiaproject.org/wp-content/uploads/2022/01/QTF_0122.pdf.

---------------------------------------------------------------------------

[[Page 8803]]

    Response: We will continue to work closely with our ONC colleagues 
on our policies as they relate to TEFCA, including how it can support 
the exchange of large-scale datasets. As we wrote in the proposed rule 
(87 FR 76328), we agree that connections between QHINs can support 
exchange of patient information between payers and providers and could 
eventually provide the similar functionality to the Provider Access 
API. As requirements for using FHIR are incorporated into the QTF in 
the future,\59\ Participants and Subparticipants \60\ will be 
positioned to not only exchange the same data using the same standards 
that we are requiring in this final rule, but to do so under the TEFCA 
framework. Participants under TEFCA may include those, such as payers, 
who have entered into a contract to participate in a QHIN. As we expect 
payer participation in TEFCA to become more widespread in the future, 
we will continue to explore how we can align policies that require API 
development or enhancement for payers with TEFCA to ensure Participants 
and Subparticipants can utilize this network infrastructure to meet 
these API requirements.
---------------------------------------------------------------------------

    \59\ The Sequoia Project (2023). FHIR Roadmap for TEFCA Exchange 
Version 2.0. Retrieved from https://rce.sequoiaproject.org/wp-content/uploads/2023/12/FHIR-Roadmap-for-TEFCA-Exchange.pdf.
    \60\ The Sequoia Project (2023). How Can I Participate in TEFCA? 
Retrieved from https://rce.sequoiaproject.org/participate/.
---------------------------------------------------------------------------

    We remind commenters that though we are finalizing our proposals 
for APIs to use and comply with certain standards and technical 
specifications, this would not preclude payers from also leveraging 
QHIN-to-QHIN exchange or HIEs/HINs to exchange patient data.
    Comment: A commenter recommended that CMS establish a consistent 
set of technical standards between TEFCA and the proposed APIs that are 
required so that the industry does not have to implement different 
standards depending upon the exchange partner or mechanism for 
exchange.
    Response: ONC and CMS will continue to work closely together to 
identify ways that TEFCA can support the payer API requirements. We 
further agree that use of TEFCA could help to reduce burden associated 
with implementation variation that may arise in developing direct 
connections with exchange partners. ONC and the RCE are implementing 
the FHIR Roadmap for TEFCA Exchange to align and accelerate adoption of 
FHIR across the industry.\61\
---------------------------------------------------------------------------

    \61\ The Sequoia Project (2023). FHIR Roadmap for TEFCA Exchange 
Version 2.0. Retrieved from https://rce.sequoiaproject.org/wp-content/uploads/2023/12/FHIR-Roadmap-for-TEFCA-Exchange.pdf.
---------------------------------------------------------------------------

n. Federal Matching Funds for State Medicaid and CHIP FFS Expenditures 
on Implementation of the Provider Access API
    In section II.E. of this final rule, we discuss Federal matching 
funds for certain state Medicaid and CHIP FFS programs' expenditures 
related to implementation of the Provider Access API (this was also 
addressed in the proposed rule at 87 FR 76264).
o. Medicaid Expansion CHIP
    In section II.E. of this final rule, we discuss implementation for 
states with Medicaid Expansion CHIP programs (this was also addressed 
in the proposed rule at 87 FR 76264).
3. Additional Requirements for the Provider Access API
    Additional requirements for the Provider Access API regarding 
attribution, patient opt out process, patient resources, and provider 
resources are discussed in the sections that follow.
a. Attribution
    Patient attribution is a method of identifying a patient-provider 
treatment relationship. Attribution is a critical component to ensure 
that patient health data are shared only with appropriate providers. 
For purposes of our policies, we use the term ``attribution'' as 
shorthand for the determination that a treatment relationship exists 
between the patient and provider. For the Provider Access API, we 
proposed to require impacted payers to maintain an attribution process 
to associate patients with their in-network or enrolled (as applicable) 
providers to ensure that a payer only sends a patient's data to 
providers who have a treatment relationship with that patient.
    We are aware that the process of attribution can relate to many 
payer functions, including managing contracts, payments, financial 
reconciliation, reporting, and continuity of care. We thus encourage 
payers to use processes that they already have in place to attribute 
patients to their providers for these other purposes.
    We expect that many payers will rely primarily on claims data to 
establish a treatment relationship between a patient and a provider. 
Other payers might use existing patient rosters for individual 
providers or organizations, such as ACOs. For new patients, we 
explained that payers could accept proof of an upcoming appointment to 
verify the provider-patient treatment relationship. We know that many 
providers already verify coverage with a payer before a new patient's 
first appointment. A payer could establish a process that aligns with 
that query, using some evidence of a scheduled appointment. Once 
confirmed, the provider would be able to request the patient's data in 
preparation for the visit. Payers may have other existing processes 
that they prefer to use. We did not propose a prescriptive attribution 
process in order to provide payers the flexibility to use systems and 
processes they already have in place, where appropriate, or to develop 
new policies and procedures to ensure that access to a patient's data 
through the Provider Access API is limited to providers who have a 
treatment relationship with the patient.
    CMS has implemented an attribution process in the DPC pilot for 
Medicare beneficiaries (the Medicare FFS version of the Provider Access 
API), which can serve as an example for impacted payers. The pilot 
requires HIPAA covered entities or their business associates to agree 
to certain terms of service before data can be sent to them.\62\ The 
current Medicare FFS terms of service require each organization to 
maintain a list of patients that represents the patient population 
currently being treated at their facilities.\63\ CMS requires providers 
to attest that they have a treatment-related purpose to add a patient 
to their group. This is accomplished by submitting an attestation with 
every request to add a patient to their roster. This pilot will 
continue to test methods to accurately attribute patients to their 
providers. The information gained from this pilot may assist the 
industry to develop procedures to identify providers under this 
requirement.
---------------------------------------------------------------------------

    \62\ Centers for Medicare and Medicaid Services (n.d.). Terms of 
Service. Data at the Point of Care. Retrieved from https://dpc.cms.gov/terms-of-service.html.
    \63\ Centers for Medicare and Medicaid Services (n.d.). 
Attestation & Attribution. Data at the Point of Care. Retrieved from 
https://dpc.cms.gov/docsV1.html#attestation--attribution.
---------------------------------------------------------------------------

    In addition, HL7 has developed a HL7 Da Vinci Risk-Based Contracts 
Member Attribution (ATR) List IG. The ATR List IG does not specify how 
the payer and provider identify these patients, but defines the 
protocols, data structure, and value sets to be used for exchanging a 
Member Attribution List. The Member Attribution List typically 
contains: (1) plan/contract information which is the basis for the 
Member Attribution List, (2) patient information, (3) attributed 
individual provider information, (4) attributed organization 
information, and (5) member and subscriber coverage

[[Page 8804]]

information. The DPC pilot program has been working with the Da Vinci 
Member Attribution List workgroup towards compatibility with that 
IG.\64\ The ATR List IG is also informing updates to the PDex IG. We 
encourage payers to review the information from the workgroup. We 
further note that the HL7 Argonaut Project, a private sector initiative 
that advances using FHIR, has developed an IG specifying how to use the 
Scheduling and Appointment FHIR Resources to communicate this 
information.\65\
---------------------------------------------------------------------------

    \64\ Centers for Medicare and Medicaid Services (n.d.). Groups. 
Data at the Point of Care. Retrieved from https://dpc.cms.gov/docsV2.html#groups.
    \65\ Health Level Seven International (2022). Argonaut 
Scheduling IG (Release 1.0.0). Retrieved from https://fhir.org/guides/argonaut/scheduling/.
---------------------------------------------------------------------------

    We solicited comments on our proposal to require payers to maintain 
an attribution process to associate patients with their enrolled or in-
network (as applicable) providers to ensure that a payer only sends a 
patient's data to providers who have a treatment relationship with that 
patient. We requested comments on other examples of how patients can be 
attributed to the enrolled or in-network providers from whom they are 
receiving care, especially for a new patient-provider treatment 
relationship. We also requested comments on whether and how payers 
could attribute the patient to the provider at the time a provider 
makes a request for patient data through the Patient Access API.
    As discussed in more detail elsewhere, we are finalizing our 
proposal without changes.
i. General Comments on Attribution
    Comment: Multiple commenters expressed their support for CMS's 
proposed requirement that impacted payers maintain a process to verify 
a provider-patient relationship. Multiple commenters also underscored 
the importance of developing a patient attribution system to ensure 
those data are shared appropriately. A commenter further stated that 
payers should only develop an attribution process for in-network 
providers.
    Response: We thank commenters for their support for this proposal. 
We emphasize that the requirement we are finalizing--that impacted 
payers be required to make the specified patient data available to 
providers--only applies to those that are in-network or enrolled with 
the payer. However, we encourage payers to consider making the Provider 
Access API available to out-of-network providers. This rule requires 
that impacted payers maintain an attribution process to associate 
patients with their providers. Thus, if payers choose to make the API 
available to out-of-network providers, they would still need to 
establish an attribution process to ensure that a treatment 
relationship exists before making patient data available.
    Comment: A commenter recommended that CMS align patient attribution 
requirements and processes across payer types and leverage the CMS 
Innovation Center to identify where the process can be streamlined. A 
commenter also recommended that CMS permit payers to set reasonable 
requirements for providers to demonstrate that the provider is treating 
an individual, which could reduce the risk of providers making 
unauthorized inquiries in the system.
    Response: We recognize that there are multiple ways for impacted 
payers to verify a treatment relationship. Payers may already have a 
process that they want to use, so requiring a different process that 
deviates from an established and effective workflow may add burden. We 
encourage payers to work together to establish industry-wide principles 
and standards for patient attribution. As previously stated, payers are 
permitted to set requirements for providers as part of their processes, 
such as requiring an attestation of a treatment relationship and/or a 
need for the data. We agree with the commenter that such requirements 
should be reasonable and not overly burden providers.
    Comment: A commenter stated that some specialties are referred 
patients at a higher rate and requested that CMS take into account the 
additional burdens of the attribution process for providers who may 
only see a patient once. Another commenter suggested that the final 
rule should ensure that any attribution process will not negatively 
impact those patients who have a high number of providers. A commenter 
further noted the significant technological challenges of attribution 
and expressed concern that patients that most need their data to follow 
them through clinicians, systems, and payers are those that are most 
likely to have data discontinuity due to clinicians receiving erroneous 
patient data.
    Response: We emphasize that payers should consider all types of 
patients and providers when designing their attribution processes to 
prevent creating disparities. Making the specified data available via 
API may be particularly beneficial for patients experiencing data 
fragmentation. Establishing and maintaining an attribution process will 
benefit patients who may see multiple providers, so that all such a 
patient's providers (assuming they are in-network or enrolled) can have 
access to necessary information. We remind readers that we are not 
being prescriptive on when attribution needs to take place, as long as 
it occurs before patient data are made available through the Provider 
Access API. We encourage payers to perform the attribution prior to the 
first visit and/or in a reasonable amount of time to determine whether 
there are legal restrictions on the data that may be shared and so that 
providers can have the opportunity to review any relevant data in 
proximity to the patient encounter.
    Comment: A commenter expressed concern regarding the attribution 
process for Medicaid patients, noting that developing a proactive 
process for providers who will see a patient would be challenging for 
Medicaid agencies. Another commenter stated that there should be 
special consideration for patients with mental health and substance use 
disorder issues. For example, proof of upcoming appointments can be an 
inadequate test of a patient-provider relationship due to high ``no-
show'' or cancellation rates. A commenter also stated that verifying a 
provider-patient relationship will be difficult to accomplish in a 
single business day.
    Response: We understand the concerns of Medicaid agencies, 
including challenges in attributing new patients, and believe that 
proof of an upcoming appointment could sufficiently indicate the 
patient-provider relationship. However, impacted payers have latitude 
to determine when proof of an upcoming appointment can be used. For 
example, payers may implement a policy where providers can only 
successfully receive requested data if they have an upcoming 
appointment with the given patient within a specific number of days. 
Such a process can also mitigate potential ``no show'' or cancellation 
situations which one commenter cited. Many providers confirm 
appointments in the days prior to their appointment. A patient who 
confirms their appointment in proximity to the visit is less likely to 
cancel or not show. As stated previously, impacted payers must send the 
requested data no later than 1 business day after the payer receives a 
request and the following conditions are met: (1) the payer 
authenticates the identity of the provider and attributes the patient 
to that provider; (2) the patient has not opted out; and (3) disclosure 
of the requested information is not prohibited by law. Nothing in the 
rule requires payers to establish that these conditions are met in one 
business day; rather, data must be made available

[[Page 8805]]

through the Provider Access API no later than one business day after 
these conditions are met. We encourage payers to verify these 
conditions are met in advance as often as possible. If this is 
difficult or not possible, such as in the case of new patient visits, 
we strongly encourage payers to complete the attribution process in a 
reasonable amount of time with minimal involvement from the provider, 
so as not to increase burden.
ii. Providers' Role in Attribution
    Comment: A commenter sought clarification from CMS regarding 
whether the provider or the payer must maintain records of the 
attribution. They also asked how to account for ACO or value-based care 
coverage models that permit patients to choose a provider. Another 
commenter agreed, pointing out that most attribution processes in these 
coverage models are currently geared toward identifying a singular 
accountable primary care physician within value-based arrangements and 
that often, a patient's identification of ``their doctor'' may not 
match results generated through automated attribution approaches.
    Response: This final rule imposes on impacted payers the 
requirement to maintain a process to attribute a patient to in-network 
or enrolled providers. Payers are responsible for maintaining 
attribution records and ensuring that only in-network or enrolled 
providers who have a treatment relationship with the patient (or should 
they choose, out-of-network or unenrolled providers to whom the 
impacted payer has attributed a patient) have access to patient data. 
However, the process of attribution inherently requires provider 
participation in some instances. For example, when a patient has their 
first visit with a particular provider, we cannot expect the payer to 
have that information without some provider input. In other instances, 
payers may involve patients in their attribution processes, especially 
if they wish to account for providers who might not be identified via 
existing automated approaches. Should they do so, any such involvement 
should not be onerous for the patient.
    Comment: A commenter stated that CMS should allow payers and 
providers to adopt an approach that assures payers that any provider 
request for patient data meets the requirements of this rule, while 
also allowing providers to delegate the ability to request information 
to support staff. Another commenter sought clarification on whether 
physicians and their staff would be expected to operate outside of 
their normal workflows to demonstrate a care relationship with a 
patient. A commenter sought clarification on whether multiple providers 
could be attributed to the same patient at a time. A commenter further 
sought clarification on whether the rendering provider is the provider 
who has a treatment relationship with the patient, or if the billing 
provider could also be attributed to the patient to request data using 
the Provider Access API. A commenter stated that CMS should require 
payers to make an attribution prior to the first visit.
    Response: While we are not being prescriptive in how payers should 
design their attribution processes; we caution that payers should not 
set overly onerous criteria for providers to prove their treatment 
relationship with a patient. Both patients and providers will benefit 
from the provider having access to the specified information; the 
attribution process should not impede this benefit. Furthermore, it is 
appropriate for providers to be able to delegate administrative tasks 
to their staff. Similar to other processes, such as submitting claims, 
payers should set reasonable requirements that allow staff to provide 
information or perform tasks on a provider's behalf.
    We do not intend to overburden providers or their staff with the 
attribution process. As stated, we believe that payers can attribute 
most patients to providers via claims, which should not require 
providers to operate significantly outside their normal workflows to 
demonstrate a care relationship with a patient. Furthermore, we 
acknowledge that patients can (and in many cases should) be attributed 
to multiple providers who would be able to request access to the 
patient's data. This may apply, for example, to a multi-provider 
practice or an ACO.
    Comment: Multiple commenters recommended that CMS reevaluate the 
attribution process as outlined in the proposed rule. Multiple 
commenters also stated that payers have significantly different 
attribution processes, and this adds burden to hospitals and SNFs. A 
commenter agreed that varying attribution processes across payers would 
increase administrative burden for providers and clinics under the 
proposed rule. A commenter recommended that CMS permit providers not 
only to attribute patients through individual requests, but also to be 
able to submit information in a bulk format by submitting a list of all 
a payers' enrollees currently in their care. Another commenter 
cautioned CMS to not adopt any standard for attribution more rigorous 
than the HIPAA Privacy Rule and avoid imposing burdensome requirements.
    Response: We emphasize that the requirement to implement an 
attribution process applies to impacted payers, not providers. As 
discussed, a payer may verify the patient treatment relationship in a 
variety of ways. While verification may necessitate some action by the 
providers, we strongly encourage payers to implement a process that is 
least burdensome to providers as possible. When information from 
providers is required, payers should allow bulk submission in order to 
impose the least possible burden on providers. Finally, because we did 
not propose to adopt any attribution standard or method at all, we are 
not adopting one that is more rigorous than what is required under the 
HIPAA Privacy Rule.
iii. Attribution Process Design and Suggestions
    Comment: A commenter recommended that CMS establish minimum 
attribution criteria and a uniform claims attribution process. Multiple 
commenters suggested that CMS create guidance on best practices and 
specific ways that payers can accurately attribute patients to specific 
providers and when a payer can determine that a treatment relationship 
between a patient and provider has ended to allow flexibility in the 
attribution process rather. Multiple commenters also stated that payers 
should be able to ``un-attribute'' a patient from a provider when a 
treatment relationship is inactive to protect patient data. A commenter 
stated that it is crucial for CMS to define the timeline for which the 
patient attribution roster on both the payer and provider side must be 
updated to ensure that it is never shorter than the 30 days mandated by 
some states. A commenter also stated that the attribution process will 
be difficult because it will require two separate processes, one for 
new and one for established patients. A commenter further stated that 
payers will need to prioritize implementation of the Provider Access 
API, which will make developing an attribution process difficult.
    Response: In order to permit impacted payers the flexibility to 
leverage their existing processes or utilize another method that may be 
the least burdensome for them, we did not propose, and are not 
finalizing, a standardized attribution method. In the DPC pilot, for a 
provider to establish a treatment-related purpose for viewing patient 
data, they must have an existing ``treatment relationship,'' defined as 
a

[[Page 8806]]

processed claim with the provider's NPI number for that patient within 
the past 18 months. The DPC pilot currently does not have the ability 
for providers to access data for patients before their first claim. As 
noted in the proposed rule and previously mentioned, with each roster 
addition or renewal, a provider must also attest that there is an 
active treatment relationship. We have had significant interest in our 
DPC pilot from providers and provider organizations that participate in 
the Medicare program and continue to gather information from interested 
parties. However, we do not have information beyond what is currently 
publicly available to share at this time.
    This DPC process is just one attribution method and we encourage 
payers to leverage their existing processes and develop methods that 
work best for them and that place the least amount of burden on 
providers. Nothing in this final rule would require a specific 
timeframe after which a treatment relationship expires. Payers are 
permitted to establish a period after which the treatment relationship 
is considered inactive and a patient could be un-attributed from a 
provider. However, many patients may only see a particular provider 
annually, which would clearly signify a continuing treatment 
relationship. We did not propose a requirement for providers to 
maintain a patient roster, though it may be required under other 
Federal or state regulations or under the provider's contract with the 
payer.
    Finally, we understand that some payers may have challenges 
implementing an attribution process. One of the reasons we are 
finalizing a 2027 compliance dates rather than the proposed 2026 dates 
(see section I.D. of this final rule) is to give impacted payers 
additional time to prepare and test any new or modified process. We 
intend to provide more information and education on potential 
authentication processes prior to the compliance dates.
    Comment: Multiple commenters expressed concern with how difficult 
it is to verify the patient-provider relationship. A commenter sought 
clarification on the intended level of attribution for access to a 
member's data. Another commenter stated their belief that the proposed 
attribution requirement, specifically how a ``treatment relationship'' 
is defined, requires further development and feedback from consumers 
before implementation so that they can feel in control of their data. 
They noted that it is not uncommon to have dozens of providers involved 
in a single patient's care, nor is it uncommon to have a single 
interaction with a specialty provider, or to have a provider consult 
another provider on a course of care without the patient's knowledge.
    Response: Payers should be able to meet the requirement to have an 
attribution process by verifying the patient-provider treatment 
relationship in a variety of ways, as discussed in this section. Payers 
should consider Federal and state law, internal risk policies, and 
their own processes to determine what level of assurance they require 
to attribute a patient to a provider for the Provider Access API. 
Establishing specific requirements or procedures would add burden to 
payers who may establish different, but equally acceptable and 
effective, processes.
    We do not believe it is necessary to define a ``treatment 
relationship'' only for the purposes of this rule. Payers may have 
different definitions that may be based on Federal or state law, 
internal policies, or provider contracts. Therefore, an additional 
definition would be unnecessary, duplicative, and possibly confusing. 
We do note that if there is doubt about whether a patient and provider 
are in a treatment relationship, information from the patient could be 
one method of making that determination. However, we emphasize that 
placing burden on a patient should only be used a last resort, and only 
if the benefits of making data available outweigh that burden.
    In some cases, verifying a treatment relationship could result in 
providers having access to data about patients they have treated only 
once and whom they may not treat again. However, we believe that these 
providers would have little reason to request this information because 
they would be creating unnecessary work for themselves without 
benefitting patient care. Further, data from the Provider Access API is 
only required to be made available to in-network or enrolled providers. 
Such providers have already been vetted to participate in the impacted 
payer's network, so it is unlikely these participating providers would 
seek out patient data they do not need for patient care. Finally, some 
impacted payers might utilize an attestation process, as suggested by 
some commenters, where providers must attest that they have a clinical 
need for any data they request. A provider requesting data that they do 
not need could endanger their payer network or contract status if they 
fraudulently attest that they are only requesting data for patient 
care, should the impacted payer implement such a policy. We thus 
believe that the benefits of the Provider Access API outweigh concerns 
that already-attributed providers will inappropriately request patient 
data. We look forward to working with interested parties to develop 
best practices for attribution processes.
    Comment: A commenter stated that a claims-based approach to 
verifying a treatment relationship is the most reliable. Conversely, 
another commenter stated that it was not necessary to verify a 
treatment relationship through claims data. They recommended using 
processes that show the onset or evidence of treatment like Admission, 
Discharge, Transfer (ADT) or Scheduling Information Unsolicited (SIU) 
transaction. Another commenter stated that a hospital admission letter 
should be enough for payers to grant the provider access to the 
Provider Access API for the specified patient. A commenter also 
encouraged payers to consider whether a provider's signed order for 
treatment (on behalf of a patient) is enough to establish this 
relationship. A commenter highlighted that the CMS companion guide on 
the HIPAA-mandated eligibility transaction supporting Medicare 
Beneficiary Matching could serve as a model for data elements that 
could facilitate attribution.\66\ These data and the associated 
eligibility and benefit request essentially serve as proof of a 
scheduled appointment. A commenter also recommended leveraging TEFCA 
for the attribution process.
---------------------------------------------------------------------------

    \66\ Centers for Medicare and Medicaid Services (n.d.). HIPAA 
Eligibility Transaction System (HETS). Retrieved from https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/hetshelp.
---------------------------------------------------------------------------

    Response: Because different approaches and standards for an 
attribution process continue to evolve, we did not propose to specify 
how payers should identify whether a specific patient can be attributed 
to the requesting provider. Instead, we encouraged the community to 
continue to collaborate on viable approaches. We agree that a claims-
based approach is both reliable and puts little, if any, burden on 
providers. We expect that payers will also find this to be the simplest 
way to verify the treatment relationship because they will have a 
record of a treatment relationship as of the most recent date of 
service on a claim. We also agree that the other methods suggested 
could be leveraged by payers to attribute patients to providers for the 
Provider Access API.
    Comment: Multiple commenters highlighted existing resources or 
models that CMS could leverage to establish an attribution process. 
Another commenter recommended that payers be allowed to

[[Page 8807]]

use the existing processes to verify treatment relationships, including 
the ATR List IG. Multiple commenters also stated that this IG could be 
updated to provide the necessary tools to support implementation of the 
attribution process and some recommended that CMS adopt that standard 
when it is mature enough for large scale implementation.
    Multiple commenters expressed support for HIEs and HINs as unique 
entities that have the capability to create and manage patient-provider 
attribution for the Provider Access API. The commenters provided an 
example from the Active Care Relationship Service (ACRS), which enables 
organizations to send data files that record the relationships between 
their providers and patients. Another commenter stated that CMS should 
work with HIEs to expand capabilities and create IGs and processes for 
patient matching, attribution, and opt out to support the Provider 
Access API.
    Response: We thank readers for their comments and will consider 
them for future guidance or rulemaking. As we did not propose a 
specific attribution method, we encourage impacted payers to consider 
these existing resources and models. As members of the HL7[supreg] Da 
Vinci Project, we will continue to monitor development of the ATR List 
IG.
    Impacted payers may already have multiple arrangements in place 
with providers to support data exchange, and may even participate in 
community, local, state, or private HIEs. These HIEs may already have a 
process to attribute patients to providers. To the extent it would 
benefit payers, we encourage them to work with HIEs and HINs to 
facilitate the Provider Access API. Nothing in our policies prohibits a 
payer from using an intermediary to aid with patient matching, data 
exchange, or data hygiene. Once again, our goal is to allow payers to 
develop the least burdensome approach to attribution, and we encourage 
collaboration on potential solutions.
    Comment: Multiple commenters requested that CMS consider 
implementing a national, digital patient identification standard. A 
commenter recommended that CMS implement a standardized patient 
identification framework to ensure that patient data are not 
inadvertently co-mingled and does not pose a threat to patient privacy 
and safety within the Provider Access API. Another commenter stated 
that an electronic standard should be developed to verify a patient 
relationship and appointment status.
    Multiple commenters stated the importance of making sure the CEHRT 
programs require that record requests can only be made when a treatment 
relationship is present. A commenter recommended that CMS and ONC work 
together to establish standards for ONC's Health IT Certification 
Program.
    Response: A standard unique health identifier for each individual, 
which is in accord with numerous commenters' recommendations, would be 
associated with a HIPAA standard arising at section 1173(b)(1) of the 
Act. We will continue to work with our Federal partners as we consider 
future guidance or additional rulemaking within the ambit of our 
authority.
    Comment: A commenter recommended that CMS establish a workgroup or 
advisory committee to establish an appropriate attribution process. 
Another commenter recommended that CMS monitor the state of evolving 
technology and maintain flexibility in its requirements as technology 
continues to develop.
    A commenter recommended CMS utilize public feedback to establish 
minimum criteria as proof of an authentic patient-provider 
relationship, because a lack of clear guidance in this area may cause 
disputes between payers and providers regarding the appropriate 
criteria for establishing proof of a relationship.
    Response: We intend to continue our work with industry as they 
develop attribution processes that do not overly burden payers, 
providers, or patients. Additionally, based on feedback from the 
public, we believe that the public would benefit from further 
educational resources, and we will explore avenues by which we may 
offer those in the future.
    Comment: A commenter asked whether payers can integrate an 
attestation of a treatment relationship with a FHIR transaction.
    Response: While we are not prohibiting use of a FHIR transaction as 
part of the attribution process, the IGs we are recommending are 
primarily meant to help implement the APIs themselves, not to 
facilitate related payer processes, like the attribution process.
b. Opt Out
    We proposed that all impacted payers would be required to establish 
and maintain a process to allow patients or their personal 
representatives to opt out of (or if they have already opted out, to 
opt back in to) having the patients' data available for providers via 
the Provider Access API. We noted that this differed from our Payer-to-
Payer API, which was structured as an opt in process. Similar to the 
attribution process, as previously discussed, we did not intend to be 
prescriptive regarding how this opt out process should be implemented, 
but payers would be required to give all patients or their personal 
representatives the opportunity to opt out, including those currently 
enrolled on the compliance dates, before making patient information 
available via the Provider Access API, and at any time while the 
patient is enrolled with the payer.
    We did not propose to require specific methods for patients to opt 
out, but anticipated that payers would make that process available by 
mobile app or on their website. We also anticipated that mail, fax, or 
telephonic methods may be necessary alternatives for some patients, 
which payers would have to accommodate. We invited comments on whether 
we should establish more explicit requirements regarding the patient 
opt out processes.
    Our proposal would require impacted payers to allow patients to opt 
out of the Provider Access API data exchange for all providers in that 
payer's network. However, we also encouraged payers to implement 
processes that allow more granular controls over the opt out process, 
so patients can opt out of making data available to individual 
providers or groups of providers. We did not propose to require those 
more granular controls, as we were concerned about the potential 
administrative and technical burden this would place on some payers. 
However, we requested comments about the technical feasibility of 
implementing an opt out process that would allow patients to make 
provider-specific opt out decisions, and whether we should consider 
proposing such a requirement in future rulemaking.
    We appreciate commenters' feedback to our requests, and understand 
concerns about the potential for administrative burden associated with 
providing patients with more granular controls over data sharing, as 
well as which specific providers can receive their data. We used the 
term ``granular'' broadly because we wanted to know which data elements 
commenters thought were most important to be able to segment out. We 
are committed to minimizing the burden on patients and providers as 
much as possible and continue to weigh the benefits of providing 
patients with more control over their data against the potential 
administrative burden on impacted payers. We appreciate the suggestions 
we received for how to implement a more granular opt out approach and 
will

[[Page 8808]]

consider these suggestions for future rulemaking.
    We proposed an opt out approach because, as we discussed in the 
proposed rule, opt in models of data sharing have been shown to inhibit 
the utilization and usefulness of data sharing efforts between patients 
and health care providers. We acknowledged that there are positives and 
negatives to both opt in and opt out policies, and that some patients 
may prefer to control or direct their health information via an opt in 
process, which requires affirmative permission from a patient before 
their data can be shared. However, patients who are less 
technologically savvy or have lower health literacy may be less likely 
to use the Patient Access API, so having an opt out policy for the 
Provider Access API would facilitate sharing data directly with the 
provider, without requiring action by the patient. We stated our belief 
that opt out would promote the positive impacts of data sharing between 
and among payers, providers, and patients to support care coordination 
and improved health outcomes, which could lead to greater health 
equity. In formulating our proposal, we carefully weighed the issues 
related to both opt in and opt out policies, especially as they relate 
to making data available to providers. We wrote that a policy 
defaulting to sharing data with providers, unless a patient opts out, 
appropriately balances the benefits of data sharing with the right of 
patients to control their health information. As we also detailed in 
the proposed rule, payers would be responsible for providing patient 
resources to ensure that patients understand the implications of opting 
out. We noted that, should patients not opt out of data sharing, then 
the data that would be made available via the Provider Access API would 
be available to in-network providers whose identity has been 
authenticated and to whom the patients have been attributed, meaning 
that the payer has verified a treatment relationship between the 
provider and the patient. However, we stated that our proposals, taken 
together, gave patients ample opportunities to change their data 
sharing permission as they see fit.
    As we explained in detail in our proposed rule (87 FR 76260), opt 
in models can create greater administrative burden for smaller health 
care organizations, depending on where the responsibility for obtaining 
and updating the patient's data sharing permission is held. We also 
pointed to the fact that a larger health care organization that 
employed an opt in model, the Veterans Health Administration within the 
VA, saw the vast majority of provider requests for patient information 
rejected for lack of patient permission.
    We additionally stated our belief that an opt out model could 
address equity issues by ensuring that patients from lower 
socioeconomic and minority groups, who are more likely to have limited 
health literacy, can benefit from the improved care that the Provider 
Access API can facilitate. We believe that data sharing as the default 
option for all patients enhances both personal and organizational 
health literacy, as these terms are defined by the Healthy People 2030 
report,\67\ while protecting patients' choice to limit data sharing.
---------------------------------------------------------------------------

    \67\ Health Literacy in Healthy People 2030 (2020). History of 
Health Literacy Definitions. Retrieved from https://health.gov/healthypeople/priority-areas/health-literacy-healthy-people-2030/history-health-literacy-definitions.
---------------------------------------------------------------------------

    The ability for patients to opt out was specific to the data we 
proposed requiring payers to share via the Provider Access API. As 
discussed previously, nothing in the proposed rule would alter any 
other requirements under applicable privacy and security laws and 
regulations. If there is other authority to share patient information 
with respect to which a patient may not opt out, such as disclosures 
required by law, nothing in this proposal would change the payer's 
obligation to disclose that information. However, we encouraged payers 
and providers to use the proposed Provider Access API as a technical 
solution to transmit data between payers and providers beyond the scope 
of these policies, provided such disclosure is consistent with all 
other applicable requirements, such as the requirements set out in the 
HIPAA Privacy Rule and the HIPAA Security Rule.
    We value the importance of safeguarding the quality and integrity 
of patient health information. We acknowledged that there may be 
potential program integrity risks associated with sharing patient data 
under both an opt in and opt out models. We expect that if payers 
identify any vulnerabilities, they will work to make changes to their 
operations to address risks that could lead to potential fraud and to 
limit the impact on patient information.
    We requested comments on our proposal for a patient opt out 
framework for the Provider Access API. As discussed in more detail 
elsewhere, we are finalizing this proposal without changes.
i. General Comments on Opt Out
    Comment: Multiple commenters expressed support for the proposed 
policy to require an opt out framework for the Provider Access API. 
Commenters provided various rationales for their support, including 
that the opt out framework would enable patients to protect and control 
their health information while still making patient data available to 
providers, encourage increased data transmission, and allow patients to 
terminate a provider's access to their data when the patient no longer 
has a treatment relationship with the provider.
    Multiple commenters specifically expressed their support for an opt 
out approach instead of an opt in approach. These commenters noted that 
it is less burdensome for payers and that an opt in approach would 
require patients to have a higher level of education or better 
technology and health literacy to utilize than an opt out process, 
which may result in fewer patients having their data exchanged via the 
Provider Access API under an opt in approach.
    Response: We appreciate the comments we received in support of our 
proposal to allow patients or their personal representatives to opt out 
of the Provider Access API if they do not wish for their data to be 
made available via the API requirement. We agree with the commenters 
that an opt out approach will enable patients or their personal 
representatives to better protect and control their health information 
while still making patient data available to providers. We remind 
commenters that the opt out would not necessarily allow patients or 
their personal representatives to terminate a provider's access to 
their data when the patient no longer has a treatment relationship with 
the provider, because we did not propose to require a granular opt out 
policy (though some payers might choose to implement such a policy). 
However, we did note in section II.B.3.a. of this final rule that 
payers have latitude to determine when a patient-provider treatment 
relationship ends via their attribution process. Thus, regardless of 
the opt out granularity, payers should also use their attribution 
process to determine whether and when an individual provider should 
have access to a patient's data via the Provider Access API.
    Comment: Other commenters voiced their concerns with an opt out 
approach but did not specifically recommend that CMS take a different 
approach. Multiple commenters noted that offering patients an 
opportunity to opt out would limit information sharing and that

[[Page 8809]]

information sharing is important to facilitate the prior authorization 
process. Multiple commenters also stated their belief that an opt out 
approach would reduce, or even remove patient control over their health 
information. Those commenters stated that because CMS expects most 
patients not to opt out, the confidentiality of this patient data will 
effectively not be the default.
    Response: For reasons we discussed in both the proposed rule and 
previously, the opt out approach appropriately balances the benefits of 
data sharing with the ability of patients to control their health 
information. All patients will be given the opportunity to opt out of 
our Provider Access API policy. We agree that this information sharing 
is important to improve the efficiency of the prior authorization 
process and to ensure that patients have timely access to the care they 
need. While patients may opt out of data flowing from their payer to 
their provider via the Provider Access API, they cannot opt out of the 
prior authorization process established by their payer or the 
communications between their provider and payer that enable that 
process.
    Comment: Multiple commenters recommended that CMS adopt an opt in 
approach instead of an opt out approach for the Provider Access API. 
Commenters provided various rationales for recommending an opt in 
approach, including that an opt in would give patients more control 
over their data and is more understandable than an opt out process. A 
commenter explained that while they support an opt in approach, they do 
not agree that it would benefit disadvantaged people (such as people 
with low health literacy or limited English proficiency) because 
patients may not understand what it means to give permission for data 
sharing. Multiple commenters also supported an opt in approach due to 
patient privacy concerns with opt out. Specifically, a commenter with 
concerns about sharing patients' mental health and substance use 
information recommended that CMS adopt an opt in process, including a 
requirement for patients to provide written authorization before such 
information is accessible through the Provider Access API. The 
commenter explained that there are laws in place requiring a written 
authorization from a patient to disclose mental health and substance 
use information. Another commenter also recommended that CMS align 
requirements for the Provider Access API opt out approach with consent 
requirements under 42 CFR part 2. A commenter further stated their 
belief that most patients would choose to opt into the Provider Access 
API if they are adequately informed of their rights and the potential 
for API data exchange.
    Response: We refer readers to our proposed rule for a full 
discussion of why we proposed an opt out patient permission framework 
(87 FR 76259). As discussed elsewhere, we are finalizing a requirement 
that impacted payers must provide patients with plain language 
information about the Provider Access API, including how to opt out of 
data sharing, in order to help maximize patient control. This 
requirement should ensure that patients, including those with low 
health literacy or limited English proficiency, are aware of their 
rights and have the opportunity to make an informed decision about 
whether or not to allow payers to share their data with their providers 
through the Provider Access API. We further remind readers that all 
data sent and received via the Provider Access API must still be 
handled consistent with all other applicable laws and regulations 
regarding disclosure of these data. For instance, rules of 
confidentiality for patient records associated with mental health or 
substance use disorder, such as 42 CFR part 2, which may require 
patient consent to share with providers, will still apply.
ii. Interaction With HIPAA
    Comment: Multiple commenters stated that a process requiring 
patient permission for data sharing via the Provider Access API is not 
necessary because the HIPAA Privacy Rule permits PHI disclosure without 
patient permission under certain circumstances. Specifically, they 
reasoned that patient permission is not necessary if the PHI disclosed 
via the Provider Access API falls within the scope of HIPAA treatment, 
payment, and operations (TPO) disclosures, and recommended that CMS 
limit the data shared via the Provider Access API to the scope of 
permitted TPO disclosures. In support of their recommendation, these 
commenters noted that requiring an opt out process could be confusing 
and cumbersome to patients, negatively affect patient care, and would 
conflict with Federal and state laws (including the HIPAA statute). In 
a similar vein, commenters stated that CMS should rely on the HIPAA 
Privacy Rule requirements instead of requiring an opt out process, and 
a commenter suggested that CMS require impacted payers to include the 
Provider Access API exchange in their HIPAA Notices of Privacy 
Practices (NPP). Another commenter recommended that CMS make it clear 
that payers may still share certain patient health information with 
providers if it falls under the scope of a TPO disclosure, even when a 
patient elects to opt out of data sharing. Multiple commenters 
recommended that CMS provide additional guidance as to whether the 
Provider Access API is to be used for purposes beyond treatment, and 
indicated that providers should be able to access payer data for other 
purposes permitted under the HIPAA Privacy Rule, such as payment.
    Response: We understand that there are those who believe that an 
opt out patient permission process is not necessary, given existing 
HIPAA Privacy Rule provisions that permit PHI disclosure without an 
individual's authorization under certain circumstances. However, we 
emphasize that by virtue of this final rule, impacted payers would be 
required to disclose any PHI specified within the content standards for 
the Provider Access API, if the applicable requirements of this rule 
were met. That disclosure would be permitted under the HIPAA Privacy 
Rule as ``uses or disclosures that are required by law,'' \68\ rather 
than as a permitted TPO disclosure. Required by law disclosures are 
limited to the relevant requirements of such law, not to the HIPAA 
minimum necessary standard,\69\ thereby ensuring that all content 
required by our Provider Access API policy may be disclosed. Because 
our policies would potentially give providers access to more than what 
would have been considered to be the minimum necessary PHI under the 
HIPAA Privacy Rule for certain purposes (for example, administrative 
data in the USCDI that would not be used for treatment purposes), we 
are requiring impacted payers to give patients or their personal 
representatives an opportunity to opt out so that they have some 
control over whether or not to share this additional data with their 
provider(s). We believe that patients should control their own data to 
the extent possible and with an opt out approach to data sharing, we 
are giving patients this opportunity. Where the requirements of this 
rule change how covered entities or their business associates may use 
or disclose PHI, covered entities should consider their obligations 
under the HIPAA Privacy Rule.
---------------------------------------------------------------------------

    \68\ See 45 CFR 164.512(a).
    \69\ See 45 CFR 164.502(b)(2)(v).
---------------------------------------------------------------------------

    We emphasize that the opt out process described here only applies 
to the Provider Access API policies in this final rule. That is, the 
requirement for impacted payers to share individual

[[Page 8810]]

claims and encounter data, all data classes and data elements included 
in a content standard at 45 CFR 170.213 (USCDI), and certain 
information about prior authorizations maintained by the payer with a 
date of service on or after January 1, 2016, with in-network providers 
who have a treatment relationship with the patient. If a patient or 
their personal representative opts out under our policy, then the 
impacted payer should not share these data with a provider who requests 
it under this policy. However, there may be other permissible bases for 
payers and providers to share data, such as under the HIPAA Privacy 
Rule's permitted uses and disclosures to carry out TPO. Patients or 
their personal representatives do not have the ability to opt out of a 
payer or provider using the API itself as a mechanism for sharing data 
under such bases for disclosure.
    We also note that the data that may be shared under other 
permissible bases, such as the TPO exception, may overlap with the data 
required to be shared by our Provider Access API policy. For instance, 
a payer may be permitted to disclose clinical data included in a 
content standard at 45 CFR 170.213 with a health care provider for 
treatment purposes under 45 CFR 164.506(c)(2). If that disclosure is 
permissible, a patient opting out of the Provider Access API policy in 
this final rule would not prohibit a payer from using the Provider 
Access API to make that disclosure. In addition, there may be 
permissible bases for sharing data outside the scope of our Provider 
Access API policy. As an example, payers may be permitted to disclose 
clinical data that is not included in a content standard at 45 CFR 
170.213, such as information related to SDOH, under the TPO exception. 
Similarly, a patient or personal representative opting out of the 
Provider Access API policy in this final rule would not prohibit a 
payer from using the Provider Access API as the mechanism to make that 
permissible disclosure.
    Per 45 CFR 164.506(b), covered entities may create a process to 
obtain consent from an individual to use or disclose PHI to carry out 
TPO. Per 45 CFR 164.522(a), individuals also have the right to request 
restrictions on how a covered entity will use and disclose PHI about 
them for TPO. Except in limited circumstances, a covered entity is not 
required to agree to an individual's request for a restriction. Where a 
covered entity agrees to a restriction, it is bound to it unless the 
restriction is subsequently terminated. We emphasize that the opt out 
process described in this final rule is specific to the Provider Access 
API policy and therefore is not, on its own, a consent mechanism per 45 
CFR 164.506(b) or an agreed-upon restriction per 45 CFR 164.522(a).
    Payers should make these nuances clear to patients in their 
required educational resources, so that patients understand that their 
PHI may still be shared in some instances, even if they or their 
personal representative opts out of the Provider Access API policy.
iii. Interaction With Health Information Exchanges
    Comment: Multiple commenters noted that HIEs would be great 
partners for payers when implementing the Provider Access API, with one 
noting that they could be used to reduce the number of endpoints 
providers would need to query for patient information. Commenters 
suggested that because many providers already have connections to HIEs 
set up within their EHRs, HIEs could act as a conduit for the 
information impacted payers are required to make available. 
Furthermore, commenters stated that HIEs could make available patient 
clinical data beyond what is maintained by the payer.
    Response: We agree that HIEs could be helpful partners for payers 
when implementing the Provider Access API and nothing in this rule 
would prohibit an impacted payer from partnering with an HIE to meet 
its requirements. As a commenter noted, HIEs have extensive experience 
and expertise with patient matching and attribution, as well as with 
various consent models. We additionally agree that provider 
participation in an HIE can reduce the number of endpoints they would 
need to query for care coordination and treatment. We further encourage 
payers to look to HIEs or HINs as models for implementing a legal 
framework for data exchange.
    Comment: Multiple other commenters recommended that CMS both 
explain and reexamine its interpretation of 42 CFR 431.306(d) and 
457.1110(b) to prohibit Medicaid and CHIP programs from releasing 
beneficiary information to outside sources without first obtaining 
permission from the beneficiary or their personal representative. The 
commenters stated that CMS's current interpretation would effectively 
prohibit Medicaid agencies from participating in HIEs for Provider 
Access API and TPO purposes. The commenters stated that CMS should 
consider expanding this to include out-of-network providers.
    Response: We do not agree that 42 CFR 431.306(d) and 457.1110(b) 
prohibit Medicaid or CHIP agencies from contracting with an entity that 
offers the technology to allow for digital access and transfer of a 
patient's medical records, often referred to as an HIE. Section 
1902(a)(7) of the Act, which our regulations at 42 CFR part 431, 
subpart F, implement, requires that a state's Medicaid plan provide 
safeguards which restrict the use or disclosure of information 
concerning Medicaid applicants and beneficiaries to purposes directly 
connected with administration of the state plan. Our regulations at 42 
CFR part 431, subpart F, set forth requirements for states to safeguard 
Medicaid applicants' and beneficiaries' information in accordance with 
section 1902(a)(7) of the Act, including requirements for safeguarding 
the information, what types of information must be safeguarded, and 
when and how to release otherwise safeguarded information. The same 
requirements also apply to separate CHIP programs through a cross 
reference at 42 CFR 457.1110(b). The disclosures of beneficiary data to 
an HIE contracted to develop and maintain the required Provider Access 
API would be directly related to the administration of the state plan, 
because sharing beneficiary data through the Provider Access API 
supports the provision of services for beneficiaries, as described at 
42 CFR 431.302(c). Access to beneficiary data could help a provider 
better manage a beneficiary's total care because the data would provide 
a more in-depth medical history, enable more informed decision making, 
and potentially prevent orders for, or the provision of, duplicative 
services. Further, under section 1902(a)(4) of the Act, Medicaid 
agencies may contract with organizations to enhance the agency's 
capability for effective administration of the program.
    The regulation at 42 CFR 431.306(d) generally requires states to 
obtain permission from an individual Medicaid or CHIP applicant or 
beneficiary, or their personal representative, before responding to a 
request for information from an outside source, or disclosing that 
applicant's or beneficiary's data safeguarded under 42 CFR 431.305. 
There is no requirement for a state Medicaid or CHIP agency to obtain 
permission from an individual or family member prior to providing 
information about a Medicaid or CHIP beneficiary to an enrolled 
Medicaid or CHIP provider because enrolled providers are not outside 
sources as described at 42 CFR 431.306(d). Enrolled Medicaid and CHIP

[[Page 8811]]

providers are part of a state's Medicaid and/or CHIP FFS programs 
because they are contracted to support the agency's administration of 
its Medicaid or CHIP state plan. Specifically, an enrolled Medicaid or 
CHIP provider has a provider agreement with the Medicaid or CHIP agency 
to provide Medicaid or CHIP benefits and services under the state plan. 
Thus, the state Medicaid agency could share Medicaid or CHIP 
beneficiary information with enrolled providers for purposes directly 
connected to administration of the state plan, without prior permission 
from the Medicaid or CHIP beneficiary required by 42 CFR 431.306(d) and 
457.1110(b) respectively.
    Similarly, state Medicaid and CHIP agencies may share Medicaid and 
CHIP beneficiary information with entities with which the state 
Medicaid or CHIP agency has contracted to support the agency's 
administration of its Medicaid or CHIP state plan. Such contractors 
would not be considered ``outside sources'' because they are contracted 
to carry out functions directly related to administration of the state 
Medicaid or CHIP plan, such as case management and long-term services 
and supports for Medicaid or CHIP beneficiaries. Thus, if a state 
Medicaid or CHIP agency contracts with an HIE to carry out 
administrative functions of the state's Medicaid or CHIP program, such 
as developing and maintaining the required Provider Access API, the HIE 
would not be considered an ``outside source'' and the state Medicaid or 
CHIP agency could share Medicaid or CHIP beneficiary information with 
the HIE for the purposes directly connected to administration of the 
state plan, without prior permission from the Medicaid or CHIP 
beneficiary required by 42 CFR 431.306(d) and 457.1110(b) respectively.
    In addition, to receive beneficiaries' information from the 
Medicaid or CHIP agency, Medicaid or CHIP providers, plans, or 
contractors must be subject to standards of confidentiality comparable 
to those of the state Medicaid or CHIP agency in accordance with 42 CFR 
431.306(b) and 457.1110(b) respectively. Furthermore, the Medicaid 
regulation at 42 CFR 434.6(a)(8) requires that each of the state 
Medicaid agency's contracts must provide that the contractor safeguards 
information about beneficiaries as required by 42 CFR part 431, subpart 
F. Under these requirements, if a state Medicaid or CHIP agency 
contracted with an HIE or other entity, the contractor would be 
required to meet the same standards of confidentiality as the state 
Medicaid or CHIP agency (as set forth in section 1902(a)(7) of the Act 
and our implementing regulations at 42 CFR part 431, subpart F), 
including but not limited to--
     Providing safeguards that restrict the use or disclosure 
of information concerning applicants and beneficiaries to purposes 
directly connected with the administration of the plan in accordance 
with section 1902(a)(7) of the Act and 42 CFR 431.300 and 431.302; and
     Not disclosing data to an outside source, such as 
providers that are not enrolled with the state Medicaid or CHIP agency, 
and that might be participating in an HIE, without prior permission 
from the individual in accordance with 42 CFR 431.306(d).
iv. Opt Out Process Design
    Comment: Commenters provided thoughts about the implementation of 
the proposed opt out requirement. Multiple commenters suggested that 
CMS require a standardized opt out process to improve the patient and 
provider experience. A commenter expressed concern that the proposed 
implementation flexibility could be difficult for patients to navigate, 
while another commenter requested clarification on what opting out and 
opting back in means.
    Response: We agree that it is important to make it easy for 
patients or their personal representatives to opt out of data sharing. 
However, it is also important to give payers flexibility in how they 
implement the opt out process required by this rule. We recognize that 
payers' approaches may vary depending on their systems, capabilities, 
and specific enrollee population. Requiring a specific process could 
impose unnecessary burden on payers. We remind readers that regardless 
of what process payers choose, a patient or their personal 
representative must have the ability to change their data sharing 
permission at any time. For example, if a patient or their personal 
representative previously opted out of having their data shared under 
the Provider Access API policy, they should be able to reverse this 
decision, effectively choosing to opt back into having their data 
shared under the Provider Access API policy. We additionally note that 
each of our policies in this final rule is targeted toward individual 
patients, not any family members that may be covered through the same 
benefits. In some cases, applicable law may allow one individual (such 
as a parent or guardian) to act as a personal representative for 
another individual covered under the same benefits (such as a minor) 
and could therefore opt out of data sharing under the Provider Access 
API for that person. No data should be shared about any patient that 
has opted out (or whose personal representative has opted out), 
regardless of whether another patient covered under the same benefits 
has chosen to not opt out. We will continue to monitor implementation 
of the Provider Access API opt out requirement to ensure payers' opt 
out processes for the Provider Access API are easy and intuitive for 
patients or their personal representatives to use.
    Comment: Commenters recommended that CMS include several 
additional, explicit requirements related to the Provider Access API 
opt out process. Multiple commenters also recommended requiring or 
permitting payers to incorporate the opt out process into their 
existing platforms and communications, including patient portals, 
payers' websites, and within payers' regular communications with 
patients. A commenter encouraged CMS to collaborate with interested 
parties to develop a single platform for patients to give permission 
for data sharing.
    Response: While we are not requiring impacted payers to incorporate 
their opt out processes into their existing platforms and 
communications, we generally expect that that would result in the least 
amount of burden on payers and patients. There are solutions available 
that could be leveraged to manage permissions across payers, such as 
HIEs. We encourage impacted payers to investigate a variety of options 
to determine the solution that is best for them and their patients.
    Comment: Multiple commenters made recommendations related to the 
accessibility of the opt out process. They recommended that CMS require 
impacted payers to provide options to patients for opting out of data 
sharing that are accessible to patients with varied technological 
literacy (that is, via mail, fax, and phone). A commenter recommended 
that opt out information be available for the Provider Access API in 
multiple languages to reduce disparities and barriers to patients' 
understanding of the opt out process. Another commenter recommended 
that CMS establish clear expectations for how payers should accommodate 
patients who may have difficulty accessing the opt out process or that 
CMS should track the extent to which patients encounter difficulties 
with opting out of data sharing. A commenter further recommended that 
payers collect patients' opt out elections at the point of treatment, 
so that it is clear which provider(s) have access to the patient's data 
via the Provider Access API policy.
    Response: We agree with commenters that payers should make efforts 
to

[[Page 8812]]

ensure their patients or their personal representatives have the 
opportunity to opt out of data sharing under the Provider Access API 
policy and should be accommodated accordingly. These accommodations 
certainly include accounting for varied technology literacy and 
language barriers (see section II.B.3.c.ii. of this final rule for a 
discussion on plain language and existing requirements to make 
information accessible in other languages or formats). However, we do 
not want to be overly prescriptive to payers, as we believe they would 
know best how to accommodate their particular patient population. We 
disagree that payers should collect patient opt out elections at the 
point of treatment because we intend for these data to be available to 
the provider before patient appointments, and such practices are also 
outside the scope of a provider's role. We therefore intend to monitor 
patient experience and payer compliance with the opt out process and 
will consider our observations through this monitoring for future 
rulemaking.
    Comment: Multiple commenters recommended implementing processes for 
payers to notify providers of patients' election to opt out of the 
Provider Access API data exchange. A commenter identified some 
potential implementation challenges for providers, including that 
tracking patient permission would be challenging and that the opt out 
approach could create segmented data captures and multiple workflows. 
Another commenter flagged that CMS should not rely on physicians to 
educate patients on the intricacies of APIs, instead encouraging CMS to 
provide standardized language and guidelines to payers around how the 
process to opt out will be communicated to patients and the process for 
collecting and communicating opt outs to physicians.
    Response: While we are not requiring impacted payers to notify 
providers of their patients' election to opt out of the Provider Access 
API data exchange, we agree that notification can increase the utility 
of the Provider Access API for providers. We remind readers that we are 
not requiring providers to track patient data sharing permission, 
educate patients about their data sharing options, or utilize the 
Provider Access API at all. However, we believe that giving providers 
access to more patient data will benefit the care that they provide, 
and we encourage them to adjust their workflows and work with their EHR 
developers to take advantage of the data availability through this new 
mechanism.
    Comment: A commenter noted that it will take time for payers to 
process opt out requests from patients or their personal 
representatives who choose to opt out of having their data shared after 
enrollment. Another commenter suggested that patients should be able to 
record their permission through multiple channels (for example, OAuth 
2.0, portal access, and the FHIR consent profile). A commenter also 
stated that payers may have to design related processes to allow 
patients to opt in to sharing of sensitive information that adhere to 
state or local privacy laws. A commenter further sought guidance on 
whether specific consent language would be required for patients or 
their personal representatives to opt in and whether an opt in election 
may be included in the HIPAA authorization form or other enrollment 
materials.
    Response: Payers will have flexibility in how they process patient 
data sharing permission and the channels that patients may use to make 
their election. We caution, however, that any such opt out channels 
should be both optimally accessible to patients or their personal 
representatives and not onerous for them to navigate. Part of managing 
an opt out process will include cognizance of other laws that may 
restrict data sharing, such as state privacy laws. In fact, if other 
applicable law requires an opt in permission for data sharing, payers 
may integrate both the Provider Access API opt out and other permission 
gathering processes to simplify patients' ability to control their 
data, to the extent permitted by law. Finally, regarding the commenter 
seeking specific consent language for opt in and clarification related 
to leveraging the HIPAA authorization form for this purpose, we 
emphasize that this final rule finalizes an opt out framework for the 
Provider Access API, not an opt in. We further note that compound HIPAA 
authorizations are generally prohibited, per 45 CFR 164.508(b)(3).
v. Opt Out Timeframes
    Comment: Multiple commenters stated that patients or their personal 
representatives should be allowed to opt out at any time. Other 
commenters supported payers providing an option to opt out at a certain 
time, such as at the time of enrollment. A commenter recommended that 
CMS allow payers 30 days to process a patient's request to opt out and 
stop sharing the patient's data via the Provider Access API.
    Response: We agree that patients or their personal representatives 
should be able to opt out of data sharing under the Provider Access API 
policy at any time and we are requiring impacted payers to give their 
patients the opportunity to do so. As discussed in section II.B.3.c. of 
this final rule, no later than one week after the start of coverage and 
annually, patients will need to be given information about their opt 
out rights and instructions both for opting out. We remind readers that 
``start of coverage'' is defined differently, as applicable, for each 
type of impacted payer. We refer readers to section II.C.3.c.i. of this 
final rule for discussion of these differences. We do not agree that 
the opt out option should be time-limited, as that reduces patient 
control over their health data.
c. Patient Educational Resources Regarding the Provider Access API
    To help patients understand the implications of the opt out 
provision for the Provider Access API, we proposed to require impacted 
payers to disseminate certain educational resources to their patients. 
We proposed that those resources would include information about the 
benefits to the patient of API data exchange, their opt out rights, and 
instructions both for opting out of the data exchange and for opting in 
after previously opting out. We proposed that payers would have to 
provide this information, in non-technical, simple, and easy-to-
understand language, before the first date on which the payer makes 
patient information available through the Provider Access API, at the 
time of enrollment and annually thereafter. We also proposed that 
payers would be required to make this information available at all 
times, in an easily accessible location on payers' public websites. We 
did not propose to require this information to also be distributed to 
patients' personal representatives. However, we highly encourage 
impacted payers to do so, especially if distributing other materials to 
personal representatives is typical. We also did not propose specific 
text or format for this information, but requested suggestions and 
comments on whether required content or format would be beneficial or 
burdensome. In particular, we sought comments on language explaining 
how patient data that is shared through the Provider Access API could 
be used. We anticipated that payers would want to include this 
information in their regular communications, such as annual enrollment 
information, privacy notices, member handbooks, or newsletters. 
However, we requested comment on the most appropriate and effective 
communication channel(s) for conveying this information to patients. We 
also requested comment on whether

[[Page 8813]]

a requirement to provide this information at the time of enrollment and 
annually is appropriate, or whether we should require payers to share 
this information more frequently.
    We believe it is important to honor patient privacy preferences. 
Offering patients educational resources about their right to opt out of 
the Provider Access API data sharing is thus fundamental to empowering 
patients with respect to their data.
    As discussed in more detail, we are finalizing a modification to 
these proposals, that impacted payers must provide this information to 
patients no later than one week after the start of coverage. ``Start of 
coverage'' is defined differently, as applicable, for each type of 
impacted payer and we refer readers to section II.C.3.c.i. of this 
final rule for discussion of these differences.
i. Dissemination
    Comment: Multiple commenters supported the proposed requirement for 
payers to disseminate patient educational resources and made 
recommendations for communicating with, or sending information to 
patients. These recommendations include disseminating educational 
resources through existing patient portals, letters, text messages, and 
information posted on websites, in handbooks, and by mail.
    Conversely, a commenter recommended that CMS not require physical 
materials be sent annually to patients. The commenter recommended that 
payers should only send hard copies to patients who have opted out of 
data sharing. However, another commenter stated that separate patient 
resources for the Provider Access API are not necessary at all. A 
commenter additionally stated that many plan renewals do not actually 
generate patient-visible paperwork, forms, or formal documents of any 
sort and provided examples for how frequently sharing patient resources 
currently occurs. A commenter further stated that payers should have 
the flexibility to communicate with their members in a manner 
consistent with a set format and content for consistency and clarity.
    Response: We emphasize that impacted payers can indeed use their 
existing processes for producing patient-facing resources and will be 
permitted to send their patient education resources through the 
communication channels they think are most effective for reaching their 
patients, including emails, messages through a payer portal, or 
physical mail. It is not our intention to overburden payers, and thus 
we do want to be overly prescriptive in a way that that will unduly 
disrupt how they currently communicate with their patients. We disagree 
that only patients who have opted out of data sharing should receive 
these resources. Under our policies, patients may choose to change 
their data sharing permission at any time and we thus believe that they 
should remain maximally informed of their choices.
    We are also finalizing a modification to the proposed rule 
regarding payer deadlines, to give payers more clarity and an 
appropriate amount of time to meet these requirements, as well as to 
align with policies we are finalizing for the Payer-to-Payer API (see 
section II.C.3.c.i. of this final rule). Specifically, payers will be 
required to provide patients, no later than one week after the start of 
coverage, information about the benefits of API data exchange with 
their providers, their opt out rights, and instructions for both for 
opting out of data exchange and for opting in after previously opting 
out. This timeframe is intended to provide a reasonable amount of time 
after a payer receives confirmation that a patient will be enrolled in 
coverage with them. As further discussed in section II.C.3.c.i., to 
ensure feasible timeframes, we are finalizing deadlines to account for 
situations when coverage starts prospectively or retroactively for MA 
plans and QHPs issuers on the FFEs and retroactively for Medicaid and 
CHIP.
    Comment: Multiple commenters supported our proposal to require 
impacted payers to provide patient education resources at enrollment 
and annually thereafter. A commenter stated that educational resources 
could also come from providers at patient interactions. Other 
commenters expressed that CMS's requirements should not add burden to 
providers or interfere with their clinical workflow. A commenter 
recommended that CMS not require Medicaid agencies to provide 
information on the Provider Access API opt out policy more frequently 
than at member enrollment and annually. The commenter stated that it 
would be resource intensive and would require new workstreams and 
member outreach processes.
    Response: We thank commenters for their support of our proposal to 
require impacted payers to provide patient education resources at 
enrollment and annually thereafter (though we are finalizing a 
modification to this proposal, as explained above). We did not propose 
to require any role for providers, as we agree this would increase 
their administrative burden. We also agree with commenters that 
providing these resources more frequently would indeed increase burden, 
which is why we did not propose for impacted payers to do so.
ii. Content
    Comment: Multiple commenters suggested that CMS require payers to 
use clear and plain language and ensure the opt out policy is 
prominent.
    Response: We agree with commenters' sentiments and thus proposed 
that patients should be able to easily understand the patient education 
resources. In response to both these comments and comments on our opt 
out proposals, as well as for consistency with other policies, we are 
finalizing this rule slightly differently from how it was proposed. We 
had proposed that impacted payers provide patient education resources 
in ``non-technical, simple, and in easy-to-understand language,'' but 
our finalized requirement is that they use ``plain language.'' This 
change is not intended to alter that the educational information be 
non-technical, simple, and easy-to-use, but to make clear that we 
encourage impacted payers to follow the Federal Government's plain 
language guidelines. Those guidelines were informed by the Plain 
Writing Act of 2010, which requires Federal agencies to use clear 
government communication that the public can understand and use. That 
statute only applies to Federal Government agencies, but the plain 
writing guidance \70\ that has been developed for the Federal 
Government will be useful for impacted payers when developing 
educational resources for patients. We note that providing these 
patient educational resources is a separate requirement from the 
requirement to create an NPP under the HIPAA Privacy Rule.\71\
---------------------------------------------------------------------------

    \70\ General Services Administration (n.d.). Federal plain 
language guidelines. Retrieved from https://www.plainlanguage.gov/guidelines/.
    \71\ Department of Health and Human Services (n.d.). Notice of 
Privacy Practices for Protected Health Information. Retrieved from 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html.
---------------------------------------------------------------------------

    Comment: A commenter expressed concern about language access, while 
another recommended CMS set inclusivity requirements, based on a 
payer's patient population, for translating into languages other than 
English. Multiple commenters recommended that notices about the 
Provider Access API be focus group tested, written in accurate but 
positive language (so as not to unduly discourage participation), and 
translated into the required threshold languages for the coverage area.

[[Page 8814]]

    Response: Impacted payers may already be required to provide plain 
language resources in languages other than English, per 45 CFR part 92, 
which requires impacted payers (as health programs or activities under 
that section) to provide meaningful access to individuals with limited 
English proficiency and accessibility requirements for individuals with 
disabilities. The requirements of that part apply to impacted payers, 
as described at 45 CFR 92.3.
    Additionally, this rule does not affect standards already in place 
for specific payers on state or Federal levels. For example, 45 CFR 
156.250 requires QHP issuers on the FFEs to provide information in 
accordance with the accessibility standards for individuals with 
disabilities and individuals with limited English language proficiency 
at 45 CFR 155.205(c). Other impacted payers might have their own 
standards for accessible patient-facing resources, as well, that would 
not be affected by this final rule.
    Comment: Multiple commenters recommended, for ease of readability, 
that resources or notices be written at a certain grade level. Multiple 
commenters recommended that CMS amend the patient resources proposal to 
require impacted payers to write resources at a fourth-to-sixth grade 
reading level.
    Response: While we agree that these resources need to be 
understandable, we do not believe that it is prudent to establish a 
specific ``grade level'' requirement. A grade level score is based on 
the average length of the words and sentences. Readability formulae 
vary and the grade level scores for the same text can differ depending 
on how it is used. Furthermore, edits that are made to make text score 
at a lower grade level can produce choppy text that lacks cohesion.
    Comment: A commenter did not support the development of patient 
education resources that may be duplicative or confusing to patients, 
while another did not support the proposal for separate patient 
outreach and education if the data sharing under the Provider Access 
API is permitted under the HIPAA Privacy Rule's TPO exception.
    Response: We refer readers to section II.B.3.b.ii. of this final 
rule for a full discussion of the HIPAA Privacy Rule's applicability 
and why we are requiring an opt out policy for the Provider Access API. 
We believe that plain language educational resources will inform rather 
than confuse patients. We encourage payers to explain to patients that 
not opting out of data sharing would not limit or negatively affect 
their rights under the HIPAA Privacy Rule. Rather, it is an opportunity 
for them to control where their data are shared under the policies of 
this final rule. Where the requirements of this rule change how covered 
entities or their business associates may use or disclose PHI, covered 
entities should also consider their obligations under the HIPAA Privacy 
Rule.
    Comment: Commenters recommended that CMS require additional details 
from payers about their opt out process for the Provider Access API. A 
commenter stated patients should receive detailed communications that 
include the potential benefits and harms of sharing versus not sharing 
this information, including the potential impact on quality and 
timeliness of care. Commenters further recommended that resources 
include information on privacy and security, moving data to a third-
party app, and guidelines for patient-provider dialogue on consent.
    Response: As explained, we did not want to be overly prescriptive 
for the specific language used for the patient resources, but we did 
propose that they include patient instructions for opting out of data 
sharing and controlling their permission. We specifically proposed that 
the patient education resources include information about the benefits 
of API data exchange. In addition, impacted payers may, if they choose, 
include reasonable and objective information about any risks to data 
sharing. However, the purpose of the information in the educational 
resources, regardless of the particular content, should be to inform 
patients. We believe that patients educated with accurate information 
will realize the benefits of data sharing via the Provider Access API 
and most will not opt out.
    We agree that plain language resources should include information 
about privacy and security, in order to give patients an informed view 
of how the Provider Access API works. It is also reasonable and 
acceptable for payers to bundle or combine the educational resources 
about the Provider Access API with the educational resources about the 
Patient Access and Payer-to-Payer APIs, discussed in sections II.A. and 
II.C. of this final rule, to give patients a holistic view of how our 
interoperability policies work together to improve data exchange.
    Comment: Commenters recommended that CMS partner with ONC to 
develop templates and content for these educational resources, which 
impacted payers could use to meet this requirement. Many commenters 
recommended that CMS work with the health care community and patient 
advocates to develop language on the benefits and risks of data 
exchange. Commenters also recommended that CMS work with industry to 
develop and disseminate educational resources by creating a web page 
dedicated to interested party-specific newsletter inserts, holding CMS 
open door virtual forums, and using other methods to communicate 
regulatory and implementation updates.
    Response: We intend to continue working with Federal and industry 
partners to increase patient engagement in a way that both protects 
their autonomy and enables the sharing of the data to improve their 
health care. Based on feedback, we intend to develop additional 
outlines or templates for patient education resources.
d. Provider Resources Regarding the Provider Access API
    We proposed to require impacted payers to develop non-technical and 
easy-to-understand resources for providers about the Provider Access 
API. We proposed that those resources would have to include information 
about the process for requesting patient data from payers via the 
Provider Access API and how to use the payer's attribution process to 
associate patients with the provider. We proposed that impacted payers 
provide these resources to providers through the payer's website and 
other appropriate provider communications, such as annual contract 
updates or handbooks. Non-technical resources will help providers 
understand how they can use the API to access patient data, thus 
realizing the expected benefit of the proposed API. We requested 
comment on this proposal, including whether CMS should develop guidance 
regarding, or address in future rulemaking, the specific content of 
these educational resources about the Provider Access API.
    As discussed in more detail, we are finalizing this proposal, with 
a modification that provider resources be in plain language.
i. Dissemination
    Comment: Multiple commenters expressed support for requiring 
impacted payers to make these resources easily available on a payers' 
website, in contracts, and in provider handbooks. However, other 
commenters sought clarification on what ``other appropriate provider 
communications'' are and whether existing provider communication 
channels can be used to provide these resources. A commenter stated 
that it is unreasonable to expect

[[Page 8815]]

providers and their staff to access each payers' website to obtain the 
payers' specific resources and they do not believe this will happen in 
a reliable manner. Other commenters stated that the resources should be 
incorporated into a clinical workflow or EHRs.
    Response: While the provider resources must be available on the 
payer's website, we are also requiring impacted payers to send those 
resources directly to providers through other appropriate channels. We 
encourage payers to use existing methods of communication by which 
providers expect to receive information from payers. We use the term 
``other appropriate provider communications'' to provide payers with 
flexibility, but that term includes existing communication channels. 
For example, 42 CFR 422.202 requires MA organizations to provide to 
participating physicians written notice of rules of participation, 
including terms of payment, credentialing, and other rules directly 
related to participation decisions. The Provider Access API resources 
can be disseminated along with such resources.\72\ While payers are 
welcome to use the Provider Access API to make those resources 
available, they would have to develop an operable solution. 
Furthermore, if a provider needs guidance to access the Provider Access 
API, requiring a connection and query would not be useful.
---------------------------------------------------------------------------

    \72\ See 42 CFR 422.202(a)(1).
---------------------------------------------------------------------------

ii. Content
    Comment: Multiple commenters supported the proposal for impacted 
payers to disseminate provider-facing resources, particularly with 
instructions for attributing patients to a provider.
    Response: We appreciate commenters support for this requirement. As 
finalized, payers will be required to include information about the 
payer's process to attribute patients to a particular provider. We also 
highly recommend that payers include contact information for provider 
assistance. To be consistent with our revision to the patient education 
resources policy, but also being clear that we have not altered the 
intent, we are finalizing regulatory text slightly different than what 
we had proposed, to require provider education resources in ``plain 
language,'' as opposed to our proposed ``non-technical, simple, and in 
easy-to-understand language.''
    Comment: Multiple commenters recommended more technical education 
resources than we proposed because of the technical nature of API data 
exchange. A commenter suggested that the resources include information 
about the IGs, links to the payer's technical documentation and contact 
information for assistance with the Provider Access API. Another 
commenter warned that the educational resources need to be better 
defined, because they believe that the information we describe will be 
more appropriate for EHR vendors than providers. In fact, another 
commenter stated that it may be more appropriate for EHR and practice 
management system vendors to provide education resources that offer 
greater specificity about how data are integrated into provider data 
systems and workflows.
    Response: While payers will have to include instructions for 
accessing patient data, we disagree with the recommendation that payers 
include more technical documentation. We do not believe that most 
providers will be interested in the specific implementation details of 
the API, but will rely on their technology vendor. We remind payers 
that, per the final requirements in the CMS Interoperability and 
Patient Access final rule, they are required to make technical 
information about their Patient Access APIs available by posting 
directly on their website.\73\ We are finalizing this requirement by 
reference for the Provider Access, Payer-to-Payer, and Prior 
Authorization APIs, as well. References or links to that material would 
be entirely appropriate to include in the required provider resources. 
EHR and practice management vendors also have a role to play in 
educating providers about the functionality of their particular system. 
However, only payers will be able to offer provider specific details 
about their Provider Access API and the process for attributing 
patients.
---------------------------------------------------------------------------

    \73\ See 42 CFR 422.119(d), 431.60(d), and 457.730(d) and 45 CFR 
156.221(d).
---------------------------------------------------------------------------

    Comment: Commenters suggested that CMS require using language 
regarding limitations related to disclosures of sensitive conditions 
that are subject to 42 CFR part 2 and disclosures to minors.
    Response: Though we are not requiring it to be included in the 
provider resources, payers should adequately inform providers of what 
data are and are not available through the Provider Access API. 
Providers should be aware of what they can expect to receive in 
response to a request, whether that is because of the data content 
requirements, payer maintenance policies, or privacy limitations.
    Comment: Multiple commenters requested that CMS develop educational 
resources that impacted payers could disseminate to their providers to 
ensure consistency and that providers are aware of any reporting 
protocols for payer non-compliance. A commenter added that these 
requirements and related guidance should be posted on CMS provider web 
pages and print publications. Multiple commenters recommended that CMS 
consult with Federal partners at ONC, the Health Resources and Services 
Administration (HRSA) and the Agency for Healthcare Research and 
Quality (AHRQ), and the provider community in order to understand their 
educational needs and how best to promote the resources. A commenter 
recommended that CMS provide additional guidance on the education and 
training efforts to provider specialties who are lagging the industry 
in interoperable technology adoption.
    Response: Based on comments we received, we intend to provide 
general guidelines to impacted payers about what this final rule 
requires to be disseminated to providers, which may include information 
on potential best practices. However, unlike the patient-facing 
educational resources described previously, we expect that provider 
resources could vary significantly between payers. Payers will have 
different processes to allow providers to request data via the Provider 
Access API and policies for patient attribution to explain to their 
providers. Therefore, there is less benefit to standardized templates 
or content for these resources. We provided links to resources for APIs 
to support payers implementing provisions of the CMS Interoperability 
and Patient Access final rule (85 FR 25510) \74\ and we intend to 
identify similar resources for health care providers for this final 
rule. We will continue to work with our partners to ensure providers 
can access patient data, regardless of the technology they use. 
Requiring an API that can be accessed with systems other than CEHRT is 
a step toward that goal, and payer-developed resources should address 
all the ways providers could interact with the Provider Access API.
---------------------------------------------------------------------------

    \74\ Centers for Medicare and Medicaid Services (n.d.). Best 
Practices for Payers and App Developers. Retrieved from https://www.cms.gov/files/document/best-practices-payers-and-app-developersupdated21023.pdf.
---------------------------------------------------------------------------

4. Extensions, Exemptions, and Exceptions
    See section II.E. of this final rule for a discussion of extensions 
and exemptions and the final policies for the Provider Access API for 
state Medicaid and CHIP FFS programs and exceptions for the Provider 
Access API for QHP

[[Page 8816]]

issuers on the FFEs (this was also addressed in the proposed rule at 86 
FR 76279).
BILLING CODE 4150-28-P
[GRAPHIC] [TIFF OMITTED] TR08FE24.001


[[Page 8817]]


[GRAPHIC] [TIFF OMITTED] TR08FE24.002

BILLING CODE 4150-28-C
5. Final Action
    After considering the comments received, and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule and our response to those comments (as summarized previously), we 
are finalizing our proposal with the following modifications:
---------------------------------------------------------------------------

    \75\ See Table H1 for which standards are required for the 
Provider Access API.
---------------------------------------------------------------------------

     Impacted payers must implement and maintain a Provider 
Access API beginning 2027 (by January 1, 2027, for MA organizations and 
state Medicaid and CHIP FFS programs; by the rating period beginning on 
or after January 1, 2027, for Medicaid managed care plans and CHIP 
managed care entities; and for plan years beginning on or after January 
1, 2027, for QHP issuers on the FFEs) rather than in 2026.
     Impacted payers are not required to use OpenID Connect 
Core at 45 CFR 170.215(e)(1) for the Provider Access API.
     Impacted payers are not required to share the quantity of 
items or services used under a prior authorization via the Provider 
Access API.
     Impacted payers are not required to share unstructured 
documentation related to prior authorizations via the Provider Access 
API.
     Impacted payers are required to provide educational 
resources to patients no later than one week after the start of 
coverage, as that term is defined for each type of impacted payer, 
rather than at enrollment.
     The educational resources that impacted payers are 
required to provide to patients and providers are described as ``plain 
language'' rather than in ``non-technical, simple, and in easy-to-
understand language.''
    See further discussion later for exact details of the final 
requirements for impacted payers.
    We are finalizing that beginning 2027 (by January 1, 2027, for MA 
organizations and state Medicaid and CHIP FFS Programs; by the rating 
period beginning on or after January 1, 2027, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2027, for QHP issuers on the FFEs), impacted payers 
must implement and maintain a Provider Access API that is conformant 
with certain technical standards, documentation requirements, and 
denial or discontinuation policies. Specifically, those technical 
standards are HL7 FHIR at 45 CFR 170.215(a)(1), US Core IG at 45 CFR 
170.215(b)(1)(i), SMART App Launch IG at 45 CFR 170.215(c)(1), and Bulk 
Data Access IG at 45 CFR 170.215(d)(1).
    We are finalizing that, by the deadlines, impacted payers must make 
available upon request from an in-network provider, via the Provider 
Access API, claims and encounter data (excluding provider remittances 
and patient cost-sharing information), all data classes and data 
elements included in a content standard at 45 CFR 170.213 (USCDI), and 
certain information about prior authorizations (excluding those for 
drugs) that the payer maintains no later than 1 business day after 
receiving a request from such a provider, if all the following 
conditions are met:
     The payer authenticates the identity of the provider that 
requests access and attributes the patient to the provider under the 
required attribution process;
     The patient does not opt out of the Provider Access API; 
and
     Disclosure of the data is not prohibited by law.
    The required prior authorization information is:
     The prior authorization status;
     The date the prior authorization was approved or denied;
     The date or circumstance under which the prior 
authorization ends;
     The items and services approved;
     If denied, a specific reason why the request was denied; 
and
     Related structured administrative and clinical 
documentation submitted by a provider.
    We are finalizing that impacted payers are required to make this 
information about prior authorizations available no later than 1 
business day after the payer receives a prior authorization request and 
must update that information no later than 1 business day after any 
status change. This information must be available for the duration that 
the authorization is active and at least 1 year after the prior 
authorization's last status change.
    We are finalizing that impacted payers must establish and maintain 
an attribution process to associate patients with their in-network or 
enrolled providers to enable payer to provider data exchange via the 
Provider Access API.
    We are finalizing that, by the deadlines, impacted payers must 
establish and maintain a process for patients to opt out of data 
exchange via the Provider Access API and to change their permission at 
any time. We are finalizing that this process must be made available 
before the first date on which the payer makes patient information 
available via the Provider Access API, and at any time while the 
patient is enrolled with the payer.
    We are finalizing that, by the deadlines, impacted payers provide 
educational resources in plain language to their patients about the 
Provider Access API. Those resources must include information about the 
benefits of API data exchange with providers, patients' opt out rights, 
and instructions for both opting out of data exchange and for 
subsequently opting in. Impacted payers must make this information 
available to patients before the first date on which the payer makes 
their

[[Page 8818]]

information available via the Provider Access API, no later than one 
week after the start of coverage, and at least annually. These 
resources must also be available in an easily accessible location on 
payers' public websites. We remind readers that ``start of coverage'' 
is defined differently, as applicable, for each type of impacted payer. 
We refer readers to section II.C.3.c.i. for discussion of these 
differences.
    We are finalizing that, by the deadlines, impacted payers must 
provide on their website and through other appropriate provider 
communications, information in plain language explaining the process 
for requesting patient data using the Provider Access API. The 
resources must include information about how to use the payers' 
attribution process to associate patients with their providers.
    These policies apply to MA organizations, state Medicaid and CHIP 
FFS programs, Medicaid managed care plans and CHIP managed care 
entities (excluding NEMT PAHPs), and QHP issuers on the FFEs at the CFR 
sections listed in Table C1.
6. Statutory Authorities for Provider Access API
    We received no public comments on the statutory authorities for our 
Provider Access API policies.
a. Medicare Advantage Organizations
    For MA organizations, we are finalizing these Provider Access API 
requirements under our authority at sections 1856(b)(1) of the Act to 
promulgate regulations that adopt standards to implement provisions in 
Part C of Title XVIII of the Act (such as section 1852(d)(1)(A)) of the 
Act to adopt new terms and conditions for MA organizations that the 
Secretary finds ``necessary and appropriate.'' Section 1852(d)(1)(A) of 
the Act requires MA organizations to, as a condition of using a network 
of providers, make covered benefits available and accessible to 
enrollees in a manner that assures continuity in the provision of 
benefits. As noted in this section of this final rule, these 
regulations implement this requirement by requiring implementation of 
an API that will make available data to improve the provision of 
benefits. The Secretary also has authority under section 1857(e)(1) of 
the Act to add new contract terms, including additional standards and 
requirements, for MA organizations the Secretary finds necessary and 
appropriate and that are not inconsistent with Part C of the Medicare 
statute.
    In implementing section 1852(d)(1)(A) of the Act, we previously 
adopted a regulation, at 42 CFR 422.112(b), that requires MA 
organizations to ensure the continuity of care and integration of 
services through arrangements with providers that include procedures to 
ensure that the MA organization and the contracted providers have 
access to the information necessary for effective and continuous 
patient care. Our policy for MA organizations to implement and maintain 
a Provider Access API will facilitate exchanges of information about 
enrollees that are necessary for effective and continuous patient care, 
which is consistent with the requirement at section 1852(d)(1)(A) of 
the Act for continuing the provision of benefits. The Provider Access 
API policy, which will support sharing claims, all data classes and 
data elements included in a content standard at 45 CFR 170.213 (USCDI), 
as well as certain information about prior authorizations (sections 
II.B.2. and II.B.3. of this final rule) and a requirement for MA 
organizations to offer provider educational resources (section 
II.B.3.d. of this final rule), will give providers tools to support 
continuity of care and care coordination for enrollees. Were a provider 
able, through a Provider Access API established by an MA organization, 
to gather information for their patient, the provider potentially could 
make more informed decisions and coordinate care more effectively. In 
addition, if a patient moves from one provider to another, the new 
provider will be able to ensure continuity of care if they are able to 
access relevant health information for the patient from the MA 
organization in an efficient and timely way. A Provider Access API 
could support this; thus, the policy will carry out and be consistent 
with the Part C statute.
    This policy will complement and align with MA organization 
obligations at 42 CFR 422.112(b)(4) by providing a means, through a 
Provider Access API, for the exchange of information that supports 
effective and continuous patient care. A Provider Access API may 
increase the efficiency and simplicity of administration. It will give 
providers access to a significant amount of their patients' information 
with limited effort, and it could reduce the amount of time needed 
during provider visits to establish a patient's prior history, which 
could introduce efficiencies and improve care. These policies are also 
expected to allow for better access to other providers' prior 
authorization decisions, which could give a provider a more holistic 
view of a patient's care and reduce the likelihood of ordering 
duplicate or misaligned services. Ultimately, we anticipate that 
sharing patient information will ensure that providers receive patient 
information in a timely manner and could lead to more appropriate 
service utilization and higher patient satisfaction. In addition, the 
policy that MA organizations make available educational resources and 
information will increase access to and understanding of this Provider 
Access API, leading to more efficient use and integration of the API as 
a means for providers to access patient information. Thus, the Provider 
Access API will be necessary and appropriate for the MA program and 
consistent with existing requirements.
b. Medicaid and CHIP
    Our finalized requirements in this section for Medicaid FFS and 
Medicaid managed care plans fall generally under the authority in the 
following provisions of the statute:
     Section 1902(a)(4) of the Act, which requires that a state 
Medicaid plan provide such methods of administration as are found by 
the Secretary to be necessary for the proper and efficient operation of 
the state Medicaid plan;
     Section 1902(a)(8) of the Act, which requires states to 
ensure that Medicaid services are furnished with reasonable promptness 
to all eligible individuals; and
     Section 1902(a)(19) of the Act, which requires states to 
ensure that care and services are provided in a manner consistent with 
simplicity of administration and the best interests of the recipients.
    The final Provider Access API policies are authorized under these 
provisions of the Act because they will ensure that states are able to 
ensure that Medicaid providers can access data that could improve their 
ability to render Medicaid services effectively, efficiently, and 
appropriately. The policies are expected to help states fulfill their 
obligations to operate their state plans efficiently and to ensure that 
Medicaid services are furnished with reasonable promptness and in a 
manner consistent with the best interest of the recipients.
    In addition, section 1902(a)(7) of the Act requires that states 
must provide safeguards that restrict the use or disclosure of 
information concerning Medicaid applicants and beneficiaries to 
purposes that are directly connected with the administration of the 
Medicaid state plan. The implementing regulations at 42 CFR part 431, 
subpart F, for section 1902(a)(7) of the Act list purposes that CMS has 
determined are

[[Page 8819]]

directly connected with administration of Medicaid state plans (42 CFR 
431.302) and require states to provide safeguards meeting certain 
requirements to restrict uses and disclosures of Medicaid beneficiary 
data, including requirements for sharing applicant and beneficiary data 
at 42 CFR 431.306.
    Our finalized policy, that the data described in this section of 
the final rule be shared via the Provider Access API, is consistent 
with the requirement at section 1902(a)(7) of the Act, providing that 
states may share these data only for purposes directly connected with 
the administration of the Medicaid state plan. The Provider Access API 
data sharing policy is related to providing services for Medicaid 
beneficiaries, a purpose listed at 42 CFR 431.302(c). As mentioned 
previously, a provider can better manage a patient's total care when 
they have access to more of that patient's data because the data will 
provide a more in-depth medical history, enable more informed decision 
making, and potentially prevent the provision or ordering of 
duplicative services. More details about how the policies will be 
implemented in a manner consistent with state Medicaid requirements 
under 42 CFR part 431, subpart F, are discussed in section II.B.2. of 
this final rule.
    Requiring states to implement a Provider Access API to share data 
with enrolled Medicaid providers about certain claims, encounter, and 
clinical data, including data about prior authorization decisions, for 
a specific individual beneficiary, may improve states' ability to 
ensure that care and services are provided in a manner consistent with 
simplicity of administration, and to cover services more efficiently. 
We remind states that ``enrolled Medicaid providers'' includes managed 
care plan providers, per 42 CFR 438.602(b). This Provider Access API 
will enable Medicaid providers to access beneficiary utilization and 
authorization information from the state or managed care plan(s) prior 
to an appointment or at the time of care, and that, in turn, should 
enable the provider to spend more time on direct care. The policy will 
support efficient and prompt delivery of care as well, which will be in 
beneficiaries' best interests. These policies are also expected to give 
providers better access to prior authorization decisions for care 
provided by other enrolled Medicaid providers, which will give a 
provider a more holistic view of a patient's care and reduce the 
likelihood of ordering duplicate or misaligned services. This may also 
facilitate easier and more informed decision-making by the provider and 
should therefore support efficient coverage decisions in the best 
interest of patients. The Provider Access API is expected to make 
available a more complete picture of the patient to the provider at the 
point of care, which could improve the quality and efficiency of a 
patient visit. These outcome and process efficiencies may help states 
fulfill their obligations to ensure prompt access to services in a 
manner consistent with the best interest of beneficiaries, consistent 
with sections 1902(a)(8) and (19) of the Act, and the efficiencies 
created for providers might help the state administer its Medicaid 
program more efficiently, consistent with section 1902(a)(4) of the 
Act. These analyses apply similarly to FFS and managed care programs 
and delivery systems, so we are exercising our authority to adopt 
virtually identical regulatory requirements for a Provider Access API 
for both Medicaid FFS programs and Medicaid managed care plans.
    For CHIP, we finalized these requirements under the authority in 
section 2101(a) of the Act, which states that the purpose of Title XXI 
of the Act is to provide funds to states to provide child health 
assistance to uninsured, low-income children in an effective and 
efficient manner that is coordinated with other sources of health 
benefits coverage. We believe this policy will strengthen states' 
abilities to fulfill these statutory obligations in a way that will 
recognize and accommodate using electronic information exchange in the 
health care industry today and will facilitate a significant 
improvement in the delivery of quality health care to CHIP 
beneficiaries.
    When providers have access to patient utilization and authorization 
information from payers or other health IT systems, they may be able to 
provide higher quality care. Improving the quality of care aligns with 
section 2101(a) of the Act, which requires states to provide CHIP 
services in an effective and efficient manner. The more information a 
provider has to make informed decisions about a patient's care, the 
more likely it is that patients will receive care that best meets their 
needs. Additionally, providers can be more effective and efficient in 
their delivery of CHIP services by having direct access to patient 
utilization and authorization information. If a provider has 
information about a patient prior to or at the point of care, the 
provider will be able to spend more time focused on the patient, rather 
than on their need to collect information. In addition, the information 
providers do collect will not be based solely on patient recall. This 
will save time, improve the quality of care, and increase the total 
amount of direct care provided to CHIP beneficiaries. When data are 
standardized, and able to be incorporated directly into the provider's 
EHR or practice management system, they can be leveraged as needed at 
the point of care by the provider and also can be used to support 
coordination across providers and payers. This is inherently more 
efficient, and, ultimately, more cost-effective, as the information 
does not have to be regularly repackaged and reformatted to be shared 
or used in a valuable way. As such, the Provider Access API policies 
also align with section 2101(a) of the Act in that these proposals will 
improve coordination between CHIP and other health coverage. For these 
reasons, we believe this policy is in the best interest of the 
beneficiaries and within our long-established statutory authorities.
    Finally, the safeguards for applicant and beneficiary information 
at 42 CFR part 431, subpart F, are also applicable to CHIP through a 
cross-reference at 42 CFR 457.1110(b). More details about how the 
policies could be implemented in a manner consistent with these CHIP 
agencies' requirements are also discussed in section II.B.2. of this 
final rule. As discussed previously for Medicaid, giving CHIP providers 
access to attributed beneficiary data through the Provider Access API 
is related to providing services to beneficiaries, which is described 
at 42 CFR 431.302(c) as a purpose directly related to state plan 
administration. We remind states that when they share beneficiary 
information through the Provider Access API, they must comply with the 
privacy protections at 42 CFR 457.1110 and the release of information 
provisions at 42 CFR 431.306.
c. Qualified Health Plan Issuers on the Federally-Facilitated Exchanges
    For QHP issuers on the FFEs, we are finalizing these new 
requirements under our authority in section 1311(e)(1)(B) of the 
Affordable Care Act, which affords the Exchanges the discretion to 
certify QHPs if an Exchange determines that making available such 
health plans through that Exchange is in the interests of qualified 
individuals in the state in which the Exchange operates. We believe the 
benefits will outweigh any additional burdens this might impose on 
issuers. By using the finalized technologies, patients could experience 
improved health, payers could see reduced costs of care, and providers 
could see better compliance with care regimens. We also do not believe 
that premiums will significantly increase

[[Page 8820]]

because some of the infrastructure necessary to implement the 
technology has been completed to comply with the CMS Interoperability 
and Patient Access final rule. Furthermore, QHP issuers on the FFEs 
might combine investments and staff resources from other programs for 
implementation efforts, avoiding the need to increase premiums.
    We believe that certifying only health plans that make enrollees' 
health information available to their providers via the Provider Access 
API is generally in the interests of enrollees. Giving providers access 
to their patients' information supplied by QHP issuers on the FFEs will 
ensure that providers are better positioned to provide enrollees with 
seamless and coordinated care and ensure that QHP enrollees on the FFEs 
are not subject to duplicate testing and procedures, and delays in care 
and diagnosis. Access to the patient's more complete medical 
information could also maximize the efficiency of an enrollee's office 
visits. We encourage SBEs, including SBE-FPs, to consider whether a 
similar requirement should be applicable to QHP issuers participating 
in their Exchanges.

C. Payer-to-Payer API

1. Background
    Having a patient's data follow them when they change payers can 
have a multitude of benefits for patient care. A payer receiving data 
when a new patient enrolls can better coordinate care and make more 
informed decisions. For instance, a payer can use the patient's data to 
determine whether they have a chronic condition or is undergoing 
current care that needs to be maintained. If necessary, patient data 
can give payers the information they need to assign a case manager or 
help the patient find providers in their new network. Maintaining a 
corpus of data ensures that the patient and their providers do not lose 
access to recent information that may be relevant to ongoing or future 
care.
    Furthermore, because payers usually maintain a relationship with 
individual patients over time, they are uniquely positioned to collect 
and aggregate a patient's record. Whereas patients may have several 
providers who manage their care, they generally maintain a relationship 
with only one or two concurrent payers for a full year or multiple 
years. However, when a patient moves from one payer to another, both 
parties may lose access to that valuable data. Data exchange among 
payers, specifically, sending patient data from a patient's previous 
payer to their new one, is a powerful way to ensure that data follow 
patients through the health care system and improve care continuity. 
Electronic data exchange between payers will support payer operations 
and a patient's coverage transition to a new payer efficiently and 
accurately. Sharing health care data between payers also helps care 
coordination, care continuity, and allows patients to maintain access 
to their record over time.
    In the CMS Interoperability and Patient Access final rule (85 FR 
25565), we highlighted numerous benefits of payers maintaining a 
longitudinal (meaning, long-term) record of their current patients' 
health information. If payers are at the center of the exchange, they 
can make information available to patients and their providers and can 
help a patient's information follow them as they move from provider to 
provider and payer to payer.
    In the CMS Interoperability and Prior Authorization proposed rule, 
we proposed and, in this rule are now finalizing regulations that 
require impacted payers (MA organizations, state Medicaid and CHIP FFS 
programs, Medicaid managed care plans, CHIP managed care entities, and 
QHP issuers on the FFEs) to implement and maintain a FHIR API to 
facilitate payer to payer data exchange. We are finalizing that 
proposal to require impacted payers to build a Payer-to-Payer API, with 
certain standards (as further described in section II.F.), that will 
facilitate patient data exchange at the start of coverage and with 
concurrent payers. We proposed, and are finalizing, a patient opt in 
policy for this data exchange. We proposed compliance dates in 2026 for 
the Payer-to-Payer API (by January 1, 2026, for MA organizations and 
state Medicaid and CHIP FFS programs; by the rating period beginning on 
or after January 1, 2026, for Medicaid managed care plans and CHIP 
managed care entities; and for plan years beginning on or after January 
1, 2026, for QHP issuers on the FFEs). However, in response to comments 
we are finalizing a modification to that proposal for the Payer-to-
Payer API to establish compliance dates in 2027 (by January 1, 2027, 
for MA organizations and state Medicaid and CHIP FFS programs; by the 
rating period beginning on or after January 1, 2027, for Medicaid 
managed care plans and CHIP managed care entities; and for plan years 
beginning on or after January 1, 2027, for QHP issuers on the FFEs). 
Throughout this rule, we generally refer to these compliance dates as 
``in 2027'' for the various payers. In addition, and also in response 
to comments, we are finalizing a modification to our proposal to only 
require impacted payers to exchange data with a date of service within 
5 years of the exchange request.
    To support the implementation and maintenance of the Payer-to-Payer 
API, we are requiring certain standards and recommending certain IGs, 
as further discussed and in section II.G. With the publication of the 
HTI-1 final rule, our cross references to 45 CFR 170.215 have been 
updated to reflect the updated citations as needed. Changes to the 
structure of 45 CFR 170.215 and versions of the API standards codified 
there are discussed further in section II.G. and reflected throughout 
this final rule. For the Payer-to-Payer API, impacted payers must use 
the following standards: HL7 FHIR Release 4.0.1 at 45 CFR 
170.215(a)(1), US Core IG STU 3.1.1 at 45 CFR 170.215(b)(1)(i), and 
Bulk Data Access IG v1.0.0: STU 1 at 45 CFR 170.215(d)(1). Impacted 
payers are permitted to use updated standards, specifications, or IGs 
that are not yet adopted in regulation for the APIs required in this 
final rule, should certain conditions be met. For the standards at 45 
CFR 170.215, updated versions available for use under our policy 
include, but are not limited to, US Core IG STU 6.1.0 and the Bulk Data 
Access IG v2.0.0: STU 2, which have been approved for the ONC Health IT 
Certification Program.\76\ We refer readers to policies finalized for 
the Patient Access API in the Interoperability and Patient Access final 
rule, as well as section II.G.2.c. of this final rule for a full 
discussion on using updated standards. We also recommend payers use the 
CARIN IG for Blue Button STU 2.0.0, PDex IG STU 2.0.0, and SMART App 
Launch IG Release 2.0.0 to support Backend Services Authorization. We 
refer readers to Table H3 for a full list of the required standards and 
recommended IGs to support API implementation.
---------------------------------------------------------------------------

    \76\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

    In this section, we talk about data exchange between payers. When 
we refer to a patient's new payer, we mean the payer that a patient is 
newly enrolled with and the party responsible for requesting and 
receiving the patient's data. When we refer to the patient's concurrent 
payers, we signify the parties (two or more) that are providing 
coverage at the same time and are responsible for exchanging data with 
each other as discussed further in section II.C.3.c. When we refer to 
the patient's previous payer, we denote the payer that a patient has 
previously had

[[Page 8821]]

coverage with and thus the payer responsible for sending the data to 
the new payer.
    Our payer to payer data exchange requirements discussed in this 
section involve transactions and cooperation between payers, which may 
include payers that are not subject to the requirements in this rule. 
We emphasize that each impacted payer is responsible only for its own 
side of the transaction. For instance, when an impacted payer is 
required to request patient data from another payer, it will have to do 
so regardless of whether the other payer is an impacted payer (a status 
that may or may not be evident to the requesting payer). Similarly, if 
an impacted payer receives a request for patient data that meets all 
the requirements, the impacted payer must share those data, regardless 
of whether the requesting payer is an impacted payer (which, again, may 
or may not be evident to the payer sharing the data). In this way, 
payers not subject to this regulation that implement a Payer-to-Payer 
API (or other IT functionality to request or receive information 
through the impacted payer's API) and their patients can also benefit 
from the data exchange.
    We are exploring steps for Medicare FFS to participate in payer to 
payer data exchange and we encourage other payers that are not subject 
to these requirements to do the same. We intend to implement the Payer-
to-Payer API capabilities for Medicare FFS in conformance with the 
requirements for impacted payers, as feasible. In the proposed rule, we 
sought comment on whether our proposals could be implemented as 
proposed for the Medicare FFS program, how we could apply each of the 
proposals, and whether there would be any differences for implementing 
the Payer-to-Payer API in the Medicare FFS program as a Federal payer. 
We summarize the comments received and our responses in section I.D. of 
this final rule. We strongly encourage all payers that are not subject 
to the requirements of this rule to consider the value of implementing 
a Payer-to-Payer API, so that all patients, providers, and payers in 
the U.S. health care system may experience the benefits of such data 
exchange.
    Comment: Many commenters supported our proposal to require data 
exchange via a Payer-to-Payer API. Commenters stressed the benefits to 
patients of maintaining an ongoing record when they change payers, 
which could result in better patient outcomes, especially for patients 
with chronic conditions. Commenters agreed that this API would improve 
interoperability, data exchange, and reduce administrative burden. 
Multiple commenters stated that the Payer-to-Payer API would be 
especially helpful to patients with concurrent coverage. A commenter 
stated that the assignment of primary care physicians could also be 
facilitated by the Payer-to-Payer API and that this could reduce care 
disruptions when changing payers. Another commenter acknowledged that 
investments made in payer to payer data exchange would benefit broader 
multi-payer alignment efforts, which are a key priority for improving 
quality, access, and value in health care. Another commenter stated 
that exchanging patient data from previous and concurrent payers would 
eliminate duplicative medical record requests from payers requiring 
providers to reapprove medical necessity, retry step therapy 
requirements, and reauthorize treatments.
    Response: We appreciate commenters validating our statements in the 
proposed rule regarding the benefits of payer to payer data exchange. 
We agree that the benefits of payer to payer data exchange include both 
ensuring care continuity and that patients, providers, and future 
payers do not lose access to important health information. We are 
finalizing, with modification, the Payer-to-Payer API proposals as 
discussed in this section.
    Comment: Multiple commenters opposed finalizing our Payer-to-Payer 
API proposals. They disagreed with our justification that payers should 
be the maintainers of a patient's longitudinal data. Another commenter 
cautioned that, as proposed, the Payer-to-Payer API would require 
payers to share a large amount of unnecessary data, which would make it 
difficult to effectively coordinate care. Instead, they suggested that 
by leveraging the Patient Access API, patients should have the 
responsibility to maintain their patient data using an app, or other 
solution of their choice. A commenter recommended that CMS separate the 
goal of creating longitudinal consumer health records from the goal of 
supporting consumer transitions between payers.
    Response: After reviewing comments, we agree that patients are in 
the best position to manage their health information, especially with 
the growing ecosystem of health apps and the availability of 
standardized Patient Access APIs. Some HIEs and health apps (which may 
also be TEFCA Participants and Subparticipants) may be able to gather 
data from payers, providers, and other sources to create a more 
comprehensive patient record than could be maintained by a payer. 
However, payers are uniquely positioned to collect and aggregate 
patient data, especially during coverage transitions. As we noted, 
patients may have several providers who manage their care, but they 
generally maintain a relationship with only one or two concurrent 
payers for a full year or multiple years. A payer to payer data 
exchange can facilitate care continuity by providing access to 
information about past treatments when a patient is moving from one 
payer to another. For example, that information could show payers that 
a patient has already demonstrated medical necessity or engaged in step 
therapy, which could ease the approval of a prior authorization 
request. Ensuring that payers have timely access to newly enrolled 
patients' data upon a patient transitioning payers can have a multitude 
of benefits for patient care leading to better-coordinated care, more 
informed decision-making, and minimize disruption in ongoing care. 
Therefore, to mitigate potential burden on impacted payers, while still 
establishing the Payer-to-Payer API as a means to support the creation 
and availability of a longitudinal record, as discussed, we are 
finalizing a modification to our proposal to only require payers to 
exchange data with a date of service within 5 years of the request. 
That modification means that payers will not be responsible for 
exchanging and maintaining a patient's entire health history dating to 
January 1, 2016.
    Comment: Multiple commenters did not support the proposed Payer-to-
Payer API and suggested alternatives to gain the intended benefits. A 
commenter noted that there are many industry solutions already being 
developed to facilitate the coordination of benefits between payers and 
recommended CMS continue to monitor and enable technical innovation in 
this area. Another commenter cautioned CMS to not view FHIR as the sole 
solution to interoperability and patient data exchange challenges. The 
commenter noted that as proposed, payers would experience challenges if 
FHIR failed to reach widespread adoption and maturity. Another 
commenter stated that requiring the FHIR standard eliminates choice and 
leads to bias and further stated that other options may be better 
suited for a payer.
    Response: We thank the commenters for their suggestions, but FHIR 
APIs are the standard that the industry indicated has the greatest 
maturity and hence has been adopted by ONC. A variety of solutions will 
not lead to

[[Page 8822]]

interoperability across the healthcare system. While payers already 
have processes in place for coordinating benefits, that coordination 
does not extend to transitions of care between payers, such as 
maintaining prior authorizations. Data exchange between payers can 
ensure that valuable patient information is not lost, such as prior 
authorization requests and approvals, which could make that transition 
more seamless. Requiring FHIR will get the healthcare industry to a 
more interoperable state, as that standard supports health data 
exchange in a standard, structured, but flexible format that can 
continue to advance and mature. Impacted payers are already required to 
use the FHIR standard for the Patient Access and Provider Directory 
APIs, and this final rule is meant to build on this existing policy. 
Also, we are extending the compliance dates for the Payer-to-Payer API 
to 2027. This delay to the compliance dates versus our proposal allows 
for additional time for implementation and IGs to be refined and 
matured to support the policies in this final rule.
    Comment: Multiple commenters expressed concern regarding payer 
access to patient data. They worried that this could lead to patient 
risk profiling, increased prior authorization requirements, increased 
premiums and limits on coverage and access to care. They recommended 
that CMS prohibit impacted payers from using information sent from a 
previous payer to discriminate against a patient. A commenter stated 
that CMS should implement safeguards to ensure that the payer to payer 
data exchange does not encourage payers to make care decisions based on 
the patient's record. The commenter recommended that CMS explain that 
the provider is the director of medical care, and payers support the 
patient's care through payment and coverage of services. They suggested 
that large-scale consumer data exchange should be consumer-mediated and 
result in meaningful access to comprehensive data for care coordination 
among payers.
    Response: We agree with the commenters that patient information 
should not be used in an inappropriate manner. We remind payers that 
section 1852(b) of the Act states that an MA plan may not deny, limit, 
or condition the coverage or provision of benefits based on any health 
status-related factor described in section 2702(a)(1) of the Public 
Health Service Act.\77\ Section 2705(a)(1) of the Public Health Service 
Act, which applies to QHP issuers on the FFEs, prohibits discrimination 
against individuals based on their health status-related factors. 
Similarly, section 2102(b)(1)(B)(ii) of the Act prohibits CHIP programs 
from denying eligibility for children with preexisting conditions. 
Finally, the overarching regulations at 45 CFR part 92 implementing 
section 1557 of the Affordable Care Act prohibit discrimination under 
any health program or activity receiving Federal financial assistance 
on the basis of race, color, national origin, sex, age, or disability.
---------------------------------------------------------------------------

    \77\ Section 2702 of the Public Health Service Act referenced in 
section 1852(b) of the Act refers to what is now codified as section 
2705 of the Public Health Service Act.
---------------------------------------------------------------------------

    Comment: Multiple commenters suggested that implementation of a 
Payer-to-Payer API may increase provider burden with unintended 
downstream effects. A commenter discussed how the Payer-to-Payer API 
could lead to a negative impact on providers who may be required to 
ingest large amounts of data if payers maintain a longitudinal record 
back to January 1, 2016, that is also shared via the Provider Access 
API.
    Response: Our modification to require impacted payers to exchange 
only 5 years of data via the Payer-to-Payer API will mitigate this 
possible issue for providers. By circumscribing the data to be 
exchanged by payers to only more recent data, providers are less likely 
to receive distant and irrelevant historical data via the Provider 
Access API. We acknowledge that not all of a patient's health 
information is going to be equally relevant to a particular provider. 
Therefore, providers should look for clinically relevant information 
and work with their EHR vendors on solutions to easily display the 
information most relevant to their practice. We discuss this issue is 
greater depth in section II.B.2.c.
    Comment: A commenter questioned the utility of the Payer-to-Payer 
API if payers other than impacted payers do not voluntarily adopt the 
technology and processes to share data.
    Response: We appreciate commenters supporting Payer to Payer 
adoption by payers other than impacted payers. We strongly encourage 
all payers not subject to these provisions to consider the value of 
implementing a Payer-to-Payer API, so that all patients, providers, and 
payers in the U.S. health care system may ultimately experience the 
benefits of such data exchange. Even though not every payer may 
participate in it, our Payer-to-Payer API policy can benefit the 
millions of Americans covered by impacted payers. We specifically 
encourage impacted payers that have other lines of business to adopt 
the policies in this final rule for their commercial plans that are not 
subject to the requirements of this rule.
    Comment: A commenter recommended that CMS work with ONC and 
industry stakeholders to develop a longer-term FHIR roadmap, including 
patient-centric data homes that efficiently and effectively collect, 
storage, and integrate information from across the health system on 
behalf of a patient. Another commenter recommended that CMS work with 
the DoD and the VA to implement Payer-to-Payer APIs.
    Response: We appreciate the support for our Payer-to-Payer API 
policies and will continue to work with other Federal agencies to 
improve interoperability across the health care system.
    Comment: Many commenters recommended delaying the Payer-to-Payer 
API compliance dates to give payers more time to design, develop, test 
and implement their systems. Some commenters recommended a January 1, 
2027, compliance date, and another commenter recommended 4 years after 
the publication of the final rule, to give industry time to align on a 
standardized implementation approach. A few commenters suggested CMS 
delay compliance dates until IGs are mature enough to adopt as required 
standards, or to allow payers to adopt Payer-to-Payer API on a 
voluntary or pilot basis. Some commenters suggested CMS set rolling 
compliance dates and the Payer-to-Payer API should be prioritized after 
the Prior Authorization API. Several commenters specifically 
recommended that CMS to delay the compliance dates for state Medicaid 
agencies to implement a consistent solution at enrollment. A commenter 
requested that CMS accelerate the compliance dates to 2024. Another 
commenter urged CMS to consider the added cost and burden for payers to 
meet the proposed compliance dates.
    Response: Because we understand that the payer implementation 
process is significant, after reviewing the comments, we are finalizing 
a modification to our proposal for the Payer-to-Payer API, to establish 
compliance dates in 2027 (by January 1, 2027, for MA organizations and 
state Medicaid and CHIP FFS programs; by the rating period beginning on 
or after January 1, 2027, for Medicaid managed care plans and CHIP 
managed care entities; and for plan years beginning on or after January 
1, 2027, for QHP issuers on the FFEs). However, as discussed in

[[Page 8823]]

section I.D.2., we decline to delay beyond that because of the 
importance of payer to payer data exchange. Establishing regulatory 
compliance dates will provide greater urgency to test and mature the 
evolving technical standards and IGs. When we proposed to require the 
relevant IGs in our December 2020 CMS Interoperability proposed rule, 
we received many comments that those standards were not mature enough 
to feasibly implement at that time. In response, we proposed in this 
rulemaking to only recommend (rather than require) the IGs for 
standardized implementation. After consideration of the comments we 
received in response to the CMS Interoperability and Prior 
Authorization proposed rule, we are finalizing those IGs as 
recommendations because it is prudent to move forward to attain the 
policy goals of the Payer-to-Payer API, even while those standards are 
being developed to achieve true interoperability. Moving to a 2027 
compliance dates will give the industry an extra year to refine those 
IGs and for payers to implement their technical solutions.
    With regard to the requests for additional time for Medicaid 
programs specifically, we refer readers to section II.E.2.a. of this 
final rule where we finalize our proposals to create a process for 
Medicaid and CHIP FFS programs to request and be granted an extension 
to the compliance dates for the Payer-to-Payer API.
2. Proposal To Rescind the CMS Interoperability and Patient Access 
Final Rule Payer to Payer Data Exchange Policy
    We strongly believe that data exchange among payers is a powerful 
way to improve information sharing that would allow patients and 
providers to have more complete access to health information, which can 
help to promote better patient care. Patients may wish for their health 
information to follow with them when they change payers, in part so 
that they can track the services they have received, and to ensure that 
a new payer has information to better assist with continuity of that 
care. However, given the concerns raised by stakeholders regarding the 
lack of technical specification in our previously finalized policy, we 
proposed to rescind the payer to payer data exchange policy finalized 
in the CMS Interoperability and Patient Access rule (85 FR 25568) at 42 
CFR 422.119(f)(1) and 438.62(b)(1)(vi) and (vii) and 45 CFR 
156.221(f)(1). We did so to prevent industry from developing multiple 
systems, and to help payers avoid the costs of developing non-
standardized, non-API systems, and the challenges associated with those 
systems. We proposed a new policy that would, instead, require impacted 
payers to implement and maintain a Payer-to-Payer API using the FHIR 
standard. We stated that using FHIR APIs would ensure greater 
uniformity and ultimately lead to payers having more complete 
information available to share with patients and providers.
    Comment: Commenters supported CMS's proposal to rescind and replace 
the Payer-to-Payer API requirements finalized in the CMS 
Interoperability and Patient Access rule (85 FR 25568). They agreed 
that the proposals would help standardize data exchange and avoid 
developing duplicative systems. Multiple commenters strongly supported 
the newly proposed FHIR API approach and noted that this API would 
leverage the same standards as the Patient Access and Provider Access 
APIs. A commenter highlighted how CMS's proposal to replace the payer 
to payer data exchange addressed a key concern held by the industry 
about the lack of specificity in the previous policy. Another commenter 
stated that they welcomed the elimination of provider remittances and 
cost-sharing information from the required data content.
    Response: We appreciate commenters support and are finalizing our 
rescission of the previous policy.
    We note that we are correcting a technical error in this final rule 
for the Payer-to-Payer API requirements in Medicaid managed care. When 
we proposed to remove the requirement at 42 CFR 438.62(b)(1)(vi) and 
(vii) and instead use a cross reference to 42 CFR 431.61(b)(1) at Sec.  
438.242(b)(7), we inadvertently neglected to properly revise 42 CFR 
438.9 to continue excluding NEMT PAHPs from the Payer-to-Payer API 
requirements. When the payer to payer data exchange requirements were 
finalized in the CMS Interoperability and Patient Access rule (85 FR 
25568) at Sec.  438.62(b)(1)(vi) and (vii), NEMT PAHPs were 
automatically excluded as 42 CFR 438.62 is not applicable to NEMT 
PAHPs. However, by moving the Payer-to-Payer API requirements to Sec.  
438.242(b)(7), the requirements would apply to NEMT PAHPs (at 42 CFR 
438.9(b)(7)). As we explained when we proposed to exclude NEMT PAHPs 
from the Provider Access API (87 FR 76258), we believed that the unique 
nature and limited scope of the services provided by NEMT PAHPs, in 
that they only cover transportation and not medical care itself, 
justified their exclusion from the requirements of the Provider Access 
API. Similarly, we do not believe that other payers have a routine need 
for NEMT data; therefore, requiring NEMT PAHPs to implement and 
maintain a Payer-to-Payer API would be an undue burden on them. It 
would also be a burden on other Medicaid payers concurrently covering a 
patient to receive NEMT data quarterly as required at 42 CFR 
431.61(b)(5). To correct this oversight, we are finalizing 42 CFR 
438.9(b)(7) to exclude the requirement at Sec.  438.242(b)(7), which is 
to comply with Sec.  431.61(a) and (b).
    Comment: A commenter supported our proposal to rescind the previous 
requirements but urged us not to finalize our new Payer-to-Payer API 
proposals, because many of the technical standards are still undergoing 
development and refinement and operational processes have not been 
established by payers. The commenter suggested that CMS should consider 
establishing a voluntary payer to payer data exchange policy.
    Response: We acknowledge that any new requirement is going to have 
operational challenges that need to be resolved. Technical standards 
have substantially developed over the past 3 years since we issued the 
December 2020 CMS Interoperability proposed rule (85 FR 82586). We 
refer readers to sections II.G.3.a. and II.G.3.b. of this rule for 
additional discussion on enhancements to both the required and 
recommended IGs published since the publication of the CMS 
Interoperability and Prior Authorization proposed rule. For example, 
the recently published PDex IG STU 2.0.0 specification now includes a 
Prior Authorization profile that enables payers to communicate prior 
authorization requests and decisions. We are extending our compliance 
dates for the Payer-to-Payer API from our proposed 2026 to 2027 in 
order to provide additional time for stakeholders, and specifically 
payers, to address those barriers to implementation.
3. Payer to Payer Data Exchange on FHIR
a. Payer-to-Payer API Technical Standards
    In the CMS Interoperability and Patient Access final rule we 
finalized a requirement that impacted payers must implement, maintain, 
and use a Patient Access API conformant with 45 CFR 170.215. However, 
we did not require payers to use an API or specific standards for payer 
to payer data exchange in that final rule.
    In the CMS Interoperability and Prior Authorization proposed rule, 
we

[[Page 8824]]

proposed an API-based payer to payer data exchange utilizing standards 
and technology similar to that of the Patient Access API. The degree of 
overlap between the requirements for the Patient Access API (discussed 
in section II.A.2. of the proposed rule) and the Provider Access API 
(discussed in section II.B.2. of the proposed rule) should ease the 
development and implementation of the Payer-to-Payer API for payers.
    The Patient Access API will provide the foundation to share 
adjudicated claims and encounter data, all data classes and data 
elements included in a standard adopted at 45 CFR 170.213 (USCDI), as 
well as certain information about prior authorizations. Because, as of 
January 1, 2021, the same adjudicated claims and encounter data, and 
all data classes and data elements included in the standard at 45 CFR 
170.213 are already required for the Patient Access API, payers should 
have already formatted these categories of data and prepared their 
systems to share these standardized data via a FHIR API. As a result, 
payers have already devoted the development resources to stand up a 
FHIR API infrastructure when they implemented the Patient Access API, 
which could be adapted for additional interoperability use cases.
    We proposed that, beginning January 1, 2026 (for Medicaid managed 
care plans and CHIP managed care entities, by the rating period 
beginning on or after January 1, 2026, and for QHP issuers on the FFEs, 
for plan years beginning on or after January 1, 2026), impacted payers 
must implement and maintain a Payer-to-Payer API that is conformant 
with the same technical standards, documentation requirements, and 
denial or discontinuation policies as the Patient Access API.
    We proposed to require certain standards adopted under 45 CFR 
170.215 that are applicable to the Payer-to-Payer API. We are 
finalizing our proposals for the Payer-to-Payer API with modifications, 
requiring impacted payers to use the following standards: HL7 FHIR 
Release 4.0.1 at 45 CFR 170.215(a)(1), US Core IG at 45 CFR 
170.215(b)(1)(i), and Bulk Data Access IG at 45 CFR 170.215(d)(1). We 
also recommend payers use the CARIN IG for Blue Button STU 2.0.0, PDex 
IG STU 2.0.0, and SMART App Launch IG Release 2.0.0 to support Backend 
Services Authorization. We proposed but are not finalizing to require 
impacted payers to use SMART App Launch IG and OpenID Connect Core for 
reasons discussed later in this section. We refer readers to Table H3 
for a full list of the required standards and recommended IGs to 
support API implementation. We refer readers to section II.G. of this 
final rule for further discussion of the required and recommended 
technical standards for the Payer-to-Payer API.
    One operational difference between the Patient Access and Payer-to-
Payer APIs is that payers may find it more efficient to share data for 
multiple patients at a time. It is likely that impacted payers with a 
fixed enrollment period will have many patients' data to share at one 
time, especially if other payers share that enrollment period (such as 
QHPs offered on an FFE). In such a situation, it could require 
significant time and resources for payers to send each patient's data 
individually through an API. The Bulk Data Access IG for exchanging 
multiple patients' data at once has been adopted by ONC at 45 CFR 
170.215(d)(1), which is discussed further in section II.F. of this 
final rule and is a standard we proposed to require for the Payer-to-
Payer API.
    We requested comments on these proposals. We received multiple 
comments regarding technical implementation challenges and the maturity 
of the recommended IGs, which are addressed in section II.G. of this 
final rule. Here we respond to the comments specific to the standards 
and IGs for implementing the Payer-to-Payer API.
    Comment: Multiple commenters stated their support for the proposed 
FHIR standard and recommended IGs for the Payer-to-Payer API. Multiple 
commenters stated that the FHIR standard will ultimately prevent issues 
with data sharing across payers and allow information to be shared 
accurately and timely. Many commenters gave their support for our 
proposal that the Payer-to-Payer API must be conformant with the 
standards at 45 CFR 170.215, including support for the Bulk Data Access 
IG and OpenID Connect Core. Some commenters agreed with not requiring 
payers to use the CARIN IG for Blue Button or HL7 Da Vinci IGs. 
Additionally, other commenters explained that universally implementing 
FHIR would define how health care information is shared, but will have 
no impact on how data are collected or stored. Multiple commenters 
stated their support for requiring Payer-to-Payer APIs to use the same 
standards as the other interoperability APIs. A commenter stated that 
leveraging the same standards and IGs will support efficient 
implementation. Another commenter stated that the lack of standards has 
been one of the barriers to achieving data fluidity between payers.
    Response: We thank commenters for their support of the proposed 
standards and recommended IGs for the Payer-to-Payer API and agree that 
the using standards will support more efficient data sharing. Requiring 
impacted payers to use the same standards and IGs will support 
consistent implementation and improve interoperability across health 
care. We note that for the Payer-to-Payer API, we are finalizing a 
modification to our proposal by not requiring the SMART App Launch IG 
at 45 CFR 170.215(c) and OpenID Connect Core at 45 CFR 170.215(e)(1), 
as discussed further in section II.C.3.d.iii. of this final rule. 
Protocols requiring user level credentials managed by the payer, such 
as those used with OpenID Connect Core, are generally not appropriate 
for business-to-business data exchanges like the Payer-to-Payer API 
where a particular individual may not be directly initiating the 
exchange.
    Comment: Some commenters who supported the proposal that the Payer-
to-Payer API must be conformant with FHIR at 45 CFR 170.215(a)(1) 
identified concerns with implementation. Multiple commenters agreed 
with the approach to require the FHIR standard for Payer-to-Payer APIs, 
but some commenters noted that the standard has not been widely 
demonstrated in production by industry stakeholders. A commenter stated 
that payers will need to create workflows to process exchanges, 
incorporate received data into local records, and troubleshoot any 
issues. A commenter recommended that CMS allow 1 to 2 years to 
implement new standards depending on complexity. The commenter 
encouraged data transfer standards be backward compatible.
    Response: We agree that implementing new standards takes time and 
appreciate the commenter recommending we allow 1 to 2 years. However, 
technology and standards are ever evolving and will never remain static 
for the period it would take the entire industry to implement. To 
address comments about the time necessary for implementation, we are 
delaying the compliance dates for the Payer-to-Payer API to 2027, which 
will give implementers approximately 3 years from the publication of 
this final rule. Public comment has broadly indicated that the proposed 
standards will be sufficiently mature for implementation by that 
deadline. We will continue working with HL7, the FHIR accelerators, and 
industry stakeholders to define, to participate in and convene testing 
events, and to develop and maintain the specifications, which moves 
them towards greater

[[Page 8825]]

maturity. Specifically, the PDex IG has been tested, implemented, and 
based on industry standard consensus, is ready for use. We acknowledge 
that the standards discussed in this rule will continue to mature to 
enhance functionality and meet additional use cases. We expect that 
future rulemaking by CMS and ONC will be necessary to keep pace with 
the latest technical innovations. While the technology may never be 
``done,'' commenters indicated that the standards available today are 
sufficiently mature to facilitate 2027 compliance dates for the 
policies in this final rule that require API development or 
enhancement.
    We acknowledge that, as with any standard, potential compatibility 
issues could arise through the further development of those 
specifications. We discuss IG maturity further in section II.G.3.b. of 
this final rule. These standards are subject to a standards development 
process where changes are reviewed and compatibility is an important 
consideration, increasingly so with the level of adoption and use. As 
the IGs mature, the number of potential compatibility issues between 
versions is expected to decrease.
    Comment: Multiple commenters recommended that CMS name specific IG 
versions and standards as a baseline for the Payer-to-Payer API and 
create a formal standard version advancement process similar to the ONC 
Standards Version Advancement Process (SVAP). A commenter noted that an 
established SVAP would give the industry and HL7 the opportunity to 
continue refining and testing standards and IGs to ensure consistent 
implementation. A commenter recommended that CMS ensure that the 
applicable Payer-to-Payer API technical standards remain current as new 
versions become available. Multiple commenters specifically stated 
their concern for endpoint compatibility and recommended that CMS 
create required standards so that payers do not need to make one-off 
modifications to accommodate slightly different APIs.
    Response: In the proposed rule, we stated that we believed the 
approach of recommending, but not requiring, specific versions of the 
IGs would provide directional guidance without locking implementers 
into the versions of the recommended IGs available at the time of the 
proposed rule. To not recommend any specific IGs would have meant a 
more diverse set of proprietary solutions with little to no 
interoperability. Our recommendations have allowed the IG authors and 
community to receive feedback from real-world use and to further mature 
and refine the IGs. Certification and testing of these APIs could help 
avoid implementation variation and will consider ways for CMS to 
support such testing in the future. In addition, by using the 
recommended IGs, implementers can ensure that their APIs are compatible 
and conformant to the requirements. As the standards continue to 
mature, we will consider whether to propose requiring additional IGs 
through rulemaking.
    Comment: A commenter stated that the proposed IGs are dependent on 
an outdated network authentication protocol and recommended using the 
HL7[supreg] FHIR[supreg] Da Vinci Health Record Exchange (HRex) IG, 
which leverages UDAP for authentication. Another commenter simply 
recommended utilizing UDAP for authentication. Another commenter 
recommended CMS modify the standards and IGs to adequately capture the 
Payer-to-Payer API requirements. The commenter stated that CMS should 
support the development of content and technical standards for prior 
authorization decisions that can be incorporated into the appropriate 
IGs for testing.
    Response: We acknowledge that there is no single security protocol 
approach that will address all use cases. Additionally, within a single 
API, implementers may need to utilize more than one protocol to address 
specific population and trading partner needs. As discussed in section 
II.C.3.d.iii. of this final rule, we are finalizing a modification to 
our proposal to not require the OpenID Connect Core and SMART App 
Launch IG standards for the Payer-to-Payer API. We recognize that 
methods such as SMART Backend Services (which is included in the SMART 
App Launch IG v2), mTLS, UDAP, or other trust community specified means 
may be appropriate depending on the needs. We refer readers to Table H3 
in this final rule for an updated finalized list of all required and 
recommended IGs for the Payer-to-Payer API. We will continue to work 
with ONC to advance the versions of the standards that ONC adopts at 45 
CFR 170.215. We will continue to monitor the development UDAP and other 
trust community specified solutions that could support the Payer-to-
Payer API authentication process. We also note that ONC has adopted 
SMART Release 2.0.0 at 45 CFR 170.215(c)(2) and while we are not 
requiring the SMART App Launch IG for the Payer-to-Payer API, we do 
recommend using SMART Backend Services.
    Comment: A commenter expressed support for maturing the PDex IG and 
noted that the IG still needs more testing for specific use cases. 
Another commenter suggested that CMS not finalize the Payer-to-Payer 
API until it works with HL7 to diminish the costs with the PDex IG. The 
commenter noted that in the PDex IG, the patient would be responsible 
for manually executing the data exchange using a third-party app and 
then transmitting that information to a new payer. Another commenter 
stated that the IGs identified for the payer to payer data exchange 
include the capability for two methods (member-mediated and member-
directed), which would cause confusion and redundancy. The commenter 
stated that the member-directed solution would potentially give the new 
payer access to financial information meant to be available only to the 
patient.
    Response: The PDex IG provides multiple data exchange methods. One 
method allows a member to directly authorize data being sent to a third 
party. While this method could be utilized for payer to payer 
interactions, it is not the primary method defined by the PDex IG for 
that use case. For the Payer-to-Payer API use case, the PDex IG 
provides guidance for supporting exchanges that do not require direct 
member engagement. The PDex IG STU 2.0.0, which is being recommended 
for the Payer-to-Payer API in this rule, can facilitate on the payer to 
payer exchange by defining a means for the requesting payer to send a 
record of the patient's opt in to retrieve data from the other payer. 
This method does not require patient action through OAuth and is the 
method we recommend for payer to payer data exchanges. While we 
recognize that the PDex IG utilizes mTLS for payer authentication, we 
are not requiring that protocol and recognize that other methods, such 
as SMART Backend Services, UDAP, or other trust community specified 
means, may be appropriate and easier to implement at scale. Payers will 
be able to choose the protocols or combination of protocols they deem 
appropriate as long as they meet the applicable security and privacy 
requirements.
    Comment: Multiple commenters had concerns regarding FHIR due to the 
lack of mature HL7 FHIR IGs and recommended that CMS instead advance 
payer to payer data exchange by leveraging the TEFCA QHINs. A few 
commenters recommended that CMS address the need for a legal governance 
framework for payer to payer data exchange. A commenter recommended 
that CMS work with ONC and the TEFCA RCE to incorporate the payer to 
payer data exchange use case into TEFCA's planned support for payment 
and operations exchange. The

[[Page 8826]]

commenter also recommended that CMS allow payers to comply with the 
Payer-to-Payer API requirements by participating in TEFCA.
    Response: We agree with the commenter that TEFCA can provide an 
efficient vehicle to query, send, and receive standardized electronic 
health information (EHI) from a broad array of participants enabling 
payer to payer data exchange. While standards and IGs for using FHIR 
within a network like TEFCA are still maturing, the FHIR Roadmap for 
TEFCA Exchange outlines the path for implementation. In addition, ONC 
and the RCE are currently developing the requirements in Common 
Agreement Version 2.0 for FHIR-based exchange under TEFCA across 
Exchange Purposes, including for Payment and Operations. ONC is aiming 
to publish Common Agreement Version 2.0 in the first quarter of 2024. 
To the extent that the requirements of this rule can be met through 
TEFCA exchange by the compliance dates, payers are permitted to do so. 
However, as there are methods for exchanging data under TEFCA that do 
not comply with the standards requirements we are finalizing (such as 
exchanging information using a method other than a FHIR API), 
participation in TEFCA, including exchanging the required data, does 
not necessarily mean that the payer is meeting the requirements of this 
rule.
    We note that payer to payer data exchange is legally required under 
this final rule and as such, legal agreements are not required. 
However, we understand that some payers may still request legal 
agreements. CMS is also working closely with ONC to explore how TEFCA 
could potentially be leveraged to support scalable governance for payer 
to payer exchange.
    Comment: Multiple commenters expressed support for CMS requiring 
the Bulk Data Access IG. A commenter stated that this IG was designed 
to exchange population level data to allow payers and providers to 
analyze care using the tools of ``big data'' analytics and for bulk 
information exchange between payers and providers for populations 
covered under value-based arrangements. A commenter stated it is 
critical to pace mandates with the development and adoption of 
standards and that the Bulk Data Access IG is not finalized or adopted 
by HHS. Another commenter stated that while the Bulk Data Access IG is 
the correct specification for transferring large amounts of data 
between two payers, the IG is still evolving. A commenter highlighted 
that the Bulk Data Access IG will require additional development 
efforts for their organizations since it is new. Another commenter 
stated that the Bulk Data Access IG does not include aspects that are 
relevant to the Payer-to-Payer API.
    Response: In the ONC Cures Act final rule HHS adopted the Bulk Data 
Access IG at 45 CFR 170.215(d)(1). In the CMS Interoperability and 
Patient Access final rule (85 FR 25510), we finalized a requirement to 
implement, maintain, and use API technology conformant with the 
standards at 45 CFR 170.215, which includes the Bulk Data Access IG. In 
this final rule, we are finalizing standards applicable for each API. 
Bulk data exchanges are usually used for system-to-system use cases and 
allow large volumes of information on a group of individuals to be 
shared in one exchange, which could be useful for sharing data between 
payers. Therefore, we feel that the Bulk Data Access IG is relevant for 
the Payer-to-Payer API and is being finalized as proposed.
    Comment: Multiple commenters recommended blockchain based 
technologies be used for the payer to payer data exchange. A commenter 
recommended that CMS support and evaluate blockchain-based technologies 
for the payer to payer data exchange and recommended that there needs 
to be confidence in the ability of blockchain-based technologies to 
leverage APIs for associated data movement. Another commenter 
recommended that CMS retain regulatory flexibility to enable future 
data exchange opportunities, including the potential for permissioned 
on-chain PHI access rather than an API call and response model.
    Response: We acknowledge that there are a range of technologies 
that may facilitate interoperability. In conjunction with ONC, we are 
working to establish standards that result from the work of SDOs and 
have been generally agreed upon by the industry through consensus-based 
processes. Blockchain technologies do not meet those criteria at this 
time, but we will continue to monitor evolving technologies and their 
possible benefits for interoperability. In the meantime, we are not 
prohibiting payers from using blockchain technology if they are doing 
so in a way that meets their legal requirements.
    Comment: Some commenters stated that payers, especially state 
Medicaid and CHIP agencies, would need technical assistance with 
implementing the Payer-to-Payer API. Multiple commenters stated that 
payers could use HIEs to implement the Payer-to-Payer API requirements, 
including the opt in process, which would reduce the burden on payers.
    Response: CMS has hosted, and intends to host in the future, CMS 
and HL7 FHIR Connectathons, which are free for stakeholders to attend, 
as well as provide educational webinars providing overviews of the 
technical requirements set forth in the interoperability rules. 
Additional public resources also exist through HL7, such as HL7 FHIR 
Connectathons, HL7 website resources and HL7 FHIR workgroup meetings. 
We understand that some payers may have implementation challenges and 
one of the reasons we are finalizing 2027 compliance dates is to give 
impacted payers additional time to prepare and test any new processes 
they may need to implement.
    To the extent that it reduces burden, we encourage payers to 
partner with HIEs or HINs, especially those operating under TEFCA, to 
facilitate payer to payer data exchange, subject any other applicable 
laws governing privacy and disclosure of these data. Some HIEs may 
already have the technical framework to manage patient consent or 
engage in standardized data exchange via FHIR APIs in ways that 
existing payer systems do not. Nothing in this rule would prohibit an 
impacted payer from partnering with an HIE to meet its requirements. 
For instance, as HIEs may have access to clinical data from providers 
that payers do not, some impacted payers may want to contract with an 
HIE to host their required API, either as their repository for clinical 
data, or as an intermediary with the payer's own systems. The HIE could 
then augment payer data with other clinical data they have access to in 
order to enhance the data available to via the Patient Access, Provider 
Access, and Payer-to-Payer APIs, subject to other applicable law.
    Comment: A commenter cautioned that CMS's proposals could result in 
each payer building their own API, and each payer pulling data from 
every other payer within a state. A commenter stated that it is not 
feasible for every clearinghouse to maintain so many non-standard 
connections, and to do so would be costly and risky. The commenter 
stressed the urgency to implement a National Data Warehouse Exchange 
Hub/Clearinghouse.
    Response: Impacted payers will not have to maintain non-standard 
connections for this payer to payer data exchange, as we are requiring 
impacted payers to use a FHIR API to support interoperable 
implementations. We are requiring impacted payers to use the same 
standards specifically so that connections between payers do not need 
to be ``hard coded'' but can rely on the

[[Page 8827]]

same technical standards to connect to any other payer's endpoint. 
There is no requirement to use a clearinghouse, but to the extent it 
could benefit payers, we encourage them to leverage HIEs or HINs.
    Comment: A commenter recommended that CMS resolve the technological 
infrastructure dependencies by further investing in the HL7 FAST 
Accelerator and ONC's work to facilitate patient matching and support 
implementation of the HL7 FAST Accelerator solutions to enable scaled 
exchange through FHIR APIs. Another commenter recommended that CMS 
collaborate with ONC to encourage industry adoption of the solutions 
outlined by the HL7 FAST Accelerator, at minimum, identity resolution, 
security, and directory for the Payer-to-Payer API.
    Response: We will continue to work closely with ONC on the FAST 
Accelerator and will seek to leverage any appropriate solutions being 
developed as part of this work. We are also committed to continuing to 
work with HL7, the Accelerators, and interested parties within the 
industry in defining, participating in, and convening testing events, 
as well as developing and maintaining the specifications, thereby 
moving them toward greater maturity and will adopt solutions as 
appropriate to our use cases as they mature.
b. Payer-to-Payer API Data Content Requirements
i. Data Content
    We proposed to require impacted payers to implement and maintain a 
Payer-to-Payer API to exchange claims and encounter data (excluding 
provider remittances and patient cost-sharing information), all data 
classes and data elements included in a content standard at 45 CFR 
170.213 (USCDI), and certain information about prior authorizations 
that the payer maintains with a date of service on or after January 1, 
2016. As stated in the proposed rule (87 FR 76255), this set of data is 
consistent with requirements for the Patient Access API finalized in 
the CMS Interoperability and Patient Access final rule (85 FR 2555) and 
our proposals for the Patient Access and Provider Access APIs. Using 
the same data content standards across the APIs in this final rule adds 
efficiencies for payers and maximizes the value of the work that has 
already been done, reducing the overall burden for impacted payers.
    In response to comments, we are finalizing our proposal, with 
modifications. We are modifying the data content by excluding data 
related to denied prior authorizations. In addition, we are also 
finalizing a modification by only requiring impacted payers to exchange 
data with a date of service within 5 years of the request.
    Comment: Many commenters expressed that using the same January 1, 
2016, start date for the set of data that must be exchanged via the 
Payer-to-Payer API would include significant historical data that are 
unlikely to be relevant to a patient's current health status and 
ongoing care. Those commenters urged us to establish a rolling period 
of time to the date of the exchange for the data content that must be 
shared. Some commenters pointed out that the technical and operational 
level of effort to integrate a patient's full history would impose 
significant data storage and archival costs on payers. Some commenters 
disagreed with CMS's justification for the proposal that payers were 
the appropriate maintainer of a patient's complete health history and 
suggested that while payers had a role to play, patient apps could be a 
more efficient, effective and reliable method to meet that objective.
    Response: While we continue to support and emphasize the benefits 
of payer to payer data exchange, we also recognize the burden of 
exchanging and storing large amounts of complex patient data. There are 
two main benefits for Payer-to-Payer API data exchange: to facilitate 
care continuity when a patient changes payers and to maintain the 
patient's record so that relevant information is not lost. After 
consideration of the comments, we agree that requiring impacted payers 
to exchange a patient's entire history back to the proposed January 1, 
2016, date would impose a significant burden on payers to integrate and 
maintain those data. In effort to balance the benefits we described in 
the proposed rule, which were supported by commenters, and the burden 
that some commenters raised, we are finalizing a modification to our 
proposal to limit the payer to payer data exchange to only the previous 
5 years of data.
    As described previously, solutions are emerging in the marketplace 
for Personal Health Records (PHR) that are better suited to keeping 
patient records for an indefinite period than payers, which might 
themselves maintain limited clinical data. ONC defines a PHR as an 
electronic application through which patients can maintain and manage 
their health information (and that of others for whom they are 
authorized) in a private, secure, and confidential environment.\78\ For 
instance, health apps can create a longitudinal record by gathering 
data both from payers via the Patient Access API, and providers' CEHRT. 
Even so, it is still important for patient care and continuity for a 
patient's new payer to receive and maintain some recent historical 
record of the patient's care. When a patient changes payers, only the 
information that the current payer maintains would be available via the 
Patient Access, Provider Access and Payer-to-Payer APIs.
---------------------------------------------------------------------------

    \78\ Office of the National Coordinator for Health Information 
Technology (2016, May 2). Frequently Asked Questions. Retrieved from 
https://www.healthit.gov/faq/what-personal-health-record.
---------------------------------------------------------------------------

    As payers and providers will have a more robust infrastructure for 
data exchange (including via the FHIR APIs required in this final 
rule), they are better suited to enable data exchange to providers and 
between payers than a patient would be with their PHR. A patient could 
supplement information that their payer maintains with information from 
their PHR, but should not have the primary responsibility for ensuring 
the technical capability to send their records.
    For continuity of ongoing care, we expect that the more recent data 
are, the more relevant they generally would be. Therefore, it is 
important to establish a period of time that is reasonably likely to 
include information relevant to foreseeable care after a patient 
changes payers. While many commenters suggested shortening the 
timeframe for data to be exchanged, we did not receive comments 
suggesting a specific period. Five years balances the needs to manage 
care continuity and establish a patient record with their new payer 
while not being overly burdensome on payers to exchange and maintain a 
large amount of data that may not be relevant. Being able to keep the 
most recent 5 years of data when transitioning between payers will 
cover the vast majority of a patient's ongoing and future healthcare 
needs. Even for patients with chronic conditions, data older than 5 
years are unlikely to have significant relevance or value when more 
recent information is available. This amount of data sharing strikes 
the right balance of limiting the burden to payers, while still reaping 
the benefits of care coordination and continuity and allowing patients 
to maintain a significant amount of data with their current payer.
    However, we disagree with commenters who suggested limiting the 
data exchange to a shorter period to focus only on current health 
conditions and ongoing care. We do not want to

[[Page 8828]]

narrow the scope of data to be exchanged to focus simply on care 
continuity. Health information that is not relevant at the time a 
patient changes payers may later be important for the patient or their 
providers to have access to. Beyond the care continuity justification 
for payer to payer data exchange, making a reasonable amount of patient 
data available, even if it is not the patient's full record, is still 
an important goal of this policy. For these reasons, and to better 
balance the burden on payers and benefit to patients, we are finalizing 
a modification to our proposal to only require the most recent 5 years 
of data be exchanged between impacted payers. We will monitor the 
Payer-to-Payer API implementation and usage to determine whether to 
extend this timeframe in the future.
    For some patients, those 5 years of data may still comprise a 
significant quantity. However, the data content requirements for the 
Payer-to-Payer API are built on structured data standards, such as the 
data classes and data elements included in a content standard at 45 CFR 
170.213 (USCDI), which should be easily ingested using the recommended 
IGs. The exception to that structured data is administrative and 
clinical documentation submitted by providers related to prior 
authorization requests and decisions, as discussed later in this 
section of this final rule. We encourage impacted payers to review the 
PDex IG for guidance on ingesting patient data in a structured manner 
that creates a useable patient record.\79\ We also note that CMS will 
continue to work closely with ONC and other Federal agencies to improve 
data interoperability through initiatives such as the USCDI+.
---------------------------------------------------------------------------

    \79\ Health Level Seven International (2023, October 28). Da 
Vinci Payer Data Exchange. Retrieved from https://build.fhir.org/ig/HL7/davinci-epdx/.
---------------------------------------------------------------------------

    Comment: Multiple commenters recommended narrowing the scope of 
data that would be exchanged via the Payer-to-Payer API. Some 
commenters suggested that CMS narrow the scope of information required 
to be exchanged to specific data that would facilitate a change in 
coverage. Other commenters recommended that CMS only require a minimum 
set of information necessary to facilitate a patient's transition and 
improve care coordination. Some commenters recommended that CMS work 
with industry stakeholders to determine a subset of key coverage, 
clinical, demographic, claims, and encounter information to share via 
the payer to payer data exchange to support coverage transitions. 
Another commenter expressed that the data exchange should be limited to 
claims data and prior authorization decisions.
    Response: We disagree with the view that the information sent via a 
Payer-to-Payer API should be limited to a minimum set of data that 
would facilitate transition between payers and continuity of ongoing 
care. While care continuity is one purpose of the Payer-to-Payer API, 
there are use cases that benefit from additional information being 
sent. Specifically, we proposed to include claims, encounter data and 
clinical data to maintain the availability of those data for the 
Patient Access and Provider Access APIs after a patient changes payers. 
We acknowledge that a patient's historical data may not be directly 
relevant to a patient's care at the time of transition. However, that 
does not mean that a patient or provider would never have a reason to 
access those data. While the payer to payer data exchange has its use 
cases, the Patient Access and Provider Access APIs have additional use 
cases. Therefore, it is important to consider not just how a payer 
would use data received from a previous payer, but how patients and 
providers may use it as well. A patient should not lose access to their 
recent claims, encounter, or clinical data from their payer because 
they are not strictly necessary to facilitate the transition to a new 
payer. As discussed, we are finalizing a modification to our proposal 
to limit the data to be sent to that with a date of service within 5 
years of the request.
    Comment: Multiple commenters provided recommendations regarding 
clinical data to be exchanged. Some commenters stated that clinical 
information is not stored in a sharable format for the Payer-to-Payer 
API. Specifically, a commenter discussed how current technology cannot 
adequately parse through large, non-standardized files. The commenter 
noted that clinical information sent by providers to payers is not 
received, structured, or stored in a way to be shared, as the X12 275 
transaction standard for healthcare claims attachments has not been 
finalized (though a standard has been proposed in the HIPAA Standards 
for Healthcare Attachments proposed rule (87 FR 78438)). In addition, a 
commenter recommended that CMS work with ONC to implement a requirement 
that providers share comprehensive clinical data in a FHIR enabled 
format with patients and payers. Another commenter recommended that CMS 
remove the requirement that impacted payers share all clinical 
information in USCDI and focus on the clinical information that has 
been received in standard, electronic structured format related to 
prior authorization. A commenter asked CMS to explain whether impacted 
payers only need to make available via the API the USCDI data classes 
and data elements that they currently maintain.
    Response: We acknowledge that not all information that we are 
requiring to be made available through the Payer-to-Payer API will be 
stored and maintained in a structured data format within the payers' 
systems. However, the benefits of ensuring that a patient's data follow 
them to a subsequent payer outweigh the burden of exchanging that 
information. In many circumstances, clinical information can be 
significantly more informative than claims or encounter information. 
For example, claims for laboratory tests will not provide the actual 
results of those laboratory tests, which is more important than simply 
knowing that laboratory tests were done without knowing what the 
results were. However, we know that many payers do not maintain 
clinical data, or only maintain specific sets of clinical data and 
therefore claims and encounter information can fill gaps that would 
otherwise be missing.
    Our data content requirements for the Payer-to-Payer API are built 
on the existing requirements for the Patient Access API. The set of 
clinical information that we have required to be available via the 
Patient Access API since January 1, 2021, is defined by the USCDI 
standard at 45 CFR 170.213. As discussed in section II.A.2.d. of this 
final rule, for clarity we are changing the regulatory text to point 
directly to the USCDI standard at 45 CFR 170.213 for the Patient Access 
API, as well as the new Provider Access and Payer-to-Payer APIs. 
Therefore, to the extent a payer maintains those data, the data classes 
and data elements in USCDI should already be in payers' systems in a 
form that makes them available via a FHIR API. Because payers should 
already have experience making that set of information available, there 
should not be a significant burden to make the same underlying data 
available through multiple APIs. Henceforth, with our revisions to 
directly reference the content standard at 45 CFR 170.213, the Patient 
Access, Provider Access, and Payer-to-Payer APIs will all be required 
to include all data classes and data elements within that content 
standard that are maintained by the payer.
    We are not adding any requirements in this final rule that would 
require payers to parse and convert

[[Page 8829]]

unstructured files into structured data, either for their own records 
or to share via the APIs. We also expect that as standards are adopted 
across the industry, an increasing percentage of clinical data will be 
stored and transmitted in structured formats, which is a result we 
encourage. We note, however, that unstructured administrative and 
clinical documentation submitted by a provider to support a prior 
authorization request (excluding those for drugs and those that were 
denied) are required to be sent through the Payer-to-Payer API.
    Comment: A commenter recommended that the patient's choice whether 
to opt into the Payer-to-Payer API be part of the data exchanged.
    Response: That piece of information is required as part of the 
attestation of patient opt in and is discussed in more detail in 
section II.C.3.d.iv. of this final rule. If a patient does not opt in, 
there would be no payer to payer data exchange under these 
requirements.
    Comment: A commenter recommended that CMS reduce the quantity of 
data that needs to be exchanged by not requiring that denied claims be 
exchanged between payers.
    Response: While some denied claims may be extraneous (such as a 
claim denied because it is a duplicate), they may contain important 
information about a patient that would be beneficial to their record. A 
claim, even if it is denied, can indicate that a patient received items 
or services, even if the claim was not paid. Denied claims are also 
included in the information that is currently required to be available 
via the Patient Access API (85 FR 25532). We did not propose, nor are 
we finalizing, to exclude denied claims from the Payer-to-Payer API (or 
the Provider Access API). However, as discussed in section 
II.C.3.b.iii., we are excluding denied prior authorization requests 
from the set of information that must be exchanged between payers. 
Unlike claims, a denied prior authorization request does not indicate 
that the patient actually received items or services and therefore an 
exclusion is justified, as discussed.
    Comment: Multiple commenters stated that payers have already 
formatted the necessary data elements and prepared their systems to 
share the standardized data through other FHIR APIs. A commenter noted 
that this infrastructure can be adapted for expanded interoperability 
use cases, such as the Payer-to-Payer API. However, another commenter 
believed that barriers to implementing FHIR APIs exist in the way of 
process siloes in payer organizations.
    Response: We appreciate the confirmation that payers have already 
formatted the necessary data elements to be shared through other FHIR 
APIs, particularly the Patient Access API. We agree that infrastructure 
can be adapted for this Payer-to-Payer API and are requiring the same 
data classes and data elements already required for the Patient Access 
API. Payers have already formatted these data elements and prepared 
their systems to share these standardized data via a FHIR API. We note 
that the Payer-to-Payer API data content requirement also includes both 
structured and unstructured administrative and clinical documentation 
submitted by providers related to prior authorizations, of which the 
unstructured documentation is not required to be shared through the 
Patient Access and Provider Access APIs. We also agree that payers have 
already devoted the development resources to standing up a FHIR API 
infrastructure when they implemented the Patient Access API, which 
could be adapted for expanded interoperability use cases. Using the 
recommended IGs will reduce implementation barriers and we encourage 
payers to get involved in the HL7 FHIR workgroups and to collaborate 
with other payer organizations on these API implementations. In 
addition, we are delaying the compliance dates to 2027 rather than the 
proposed 2026 not just to give payers time to implement the technical 
requirements, but also to address any internal business process changes 
that may be necessary.
ii. Provider Remittances and Patient Cost-Sharing
    We proposed to exclude provider remittances and patient cost-
sharing information from the Payer-to-Payer API because that 
information is often considered proprietary by payers. While there 
could be value to patients having provider remittances and patient 
cost-sharing information available via the Patient Access API, 
exchanging those data between payers would have only a limited 
beneficial impact on care. We believed that information about provider 
remittances and patient cost-sharing under another payer would have no 
impact on a payer's ability to ensure care continuity when a patient 
changes payers. Furthermore, there are existing processes for 
coordinating payment when a patient has concurrent payers that we did 
not wish to affect. Sharing claims and encounter information, even 
without these cost details, would complement the data classes and data 
elements included in a content standard at 45 CFR 170.213 (USCDI), by 
providing more information about the patient's care history to support 
care coordination and efficient operation.
    Comment: Multiple commenters supported the exclusion of provider 
remittances and patient cost-sharing information from the data shared 
through the payer to payer data exchange. However, a few commenters 
noted that this policy could create additional development work if 
payers need to segment data elements to make provider remittances and 
patient cost-sharing information available via the Patient Access API, 
but not the Payer-to-Payer API (or Provider Access API).
    Response: We acknowledge that segmenting data could create 
additional burden for payers. However, as discussed in the proposed 
rule, we proposed to not require provider remittances and patient cost-
sharing information be included in the data shared via the Payer-to-
Payer API because payers may consider that information proprietary. We 
agree that cost information would have limited benefits to care 
continuity when a patient changes payers. However, as our policy to 
exclude that information is intended to protect the payer's proprietary 
information, we are not prohibiting payers from sending it. Therefore, 
if a payer believes that implementing their Payer-to-Payer API in such 
a way that includes provider remittances and patient cost-sharing 
information would reduce burden, they are not prohibited from doing so.
iii. Prior Authorization Data
    We refer readers to section II.A.2.a. of this final rule where we 
discuss in more detail how prior authorization data must be available 
through the Patient Access API--and therefore through the other APIs as 
well. Our proposals to include prior authorization data in the Payer-
to-Payer API mirrored our proposals to include prior authorization data 
in the Patient Access and Provider Access APIs. We stated that it would 
be valuable for payers to make certain information about prior 
authorizations available via the Payer-to-Payer API, particularly when 
a patient enrolls with a new payer. Prior authorization data can inform 
a payer about ongoing treatments. Payers can use that information to 
determine whether a new patient needs a new prior authorization, and, 
if so, whether the information from the previous payer is sufficient 
for them to issue a decision without additional work by the patient or 
provider. Prior authorization is a significant focus of this final rule 
as a whole, and information about these requests and decisions could be 
beneficial to

[[Page 8830]]

patients, providers, and payers. As discussed in more detail in section 
I.D., this final rule does not apply to any prior authorization 
processes or standards related to any drugs.
    We discuss prior authorization and prior authorization processes in 
more depth in section II.D. of this final rule. We proposed to add 
certain information about prior authorizations to the set of data that 
impacted payers must make available via the Payer-to-Payer API upon 
request from another payer. We proposed that the information must 
include:
     The status of the prior authorization;
     The date the prior authorization was approved;
     The date or circumstance under which the authorization 
ends;
     The items and services approved;
     The quantity used to date; and
     Related administrative and clinical documentation.
    Comment: Many commenters generally supported including prior 
authorization information in the Payer-to-Payer API and stated that 
this would increase transparency, improve care coordination, and reduce 
burden on providers, patients, and payers. Commenters stated that 
including prior authorization data in the Payer-to-Payer API would 
protect beneficiaries' access to necessary items and services since 
information on prior authorization is not always transferred when 
beneficiaries switch coverage today. A commenter stated that prior 
authorization information would enable the new payer to provide 
continuous coverage for existing treatments and highlighted that this 
is especially important for patients receiving cancer treatment and 
specific medications after progressing through step therapies. Multiple 
commenters expressed support for sharing historical data to increase 
payer knowledge of previous patient prior authorization decisions and 
health care data, and to encourage continuity of care.
    Response: We appreciate commenters concurring on the importance of 
previous payers sharing authorization data. The prior authorization 
process is a priority area for us to reduce patient and provider 
burden.
    Comment: Multiple commenters recommended that some types of prior 
authorization data should be excluded from the Payer-to-Payer API. A 
few commenters suggested that CMS not require impacted payers to 
include information about prior authorizations without fully 
understanding how payers could use that information. Commenters 
specifically recommended that CMS exclude information about previously 
denied prior authorizations. A commenter noted that this might be used 
to limit care for patients, even if they meet the new payer's criteria 
for the same service. Conversely, another commenter noted that there is 
some benefit to patients and providers having a basic history of denied 
prior authorization requests.
    Response: After considering the comments we received, we are 
removing the requirement to include denied prior authorization 
decisions in the Payer-to-Payer API. However, we note that supporting 
clinical information associated with such decision may be available 
under the requirement to share all data classes and data elements 
included in the data content standard at 45 CFR 170.213 (USCDI) that 
are maintained by the payer. As discussed previously, we are focusing 
on the aspects of payer to payer data exchange that relate to care 
continuity when a patient changes payers. Because a previously denied 
prior authorization decision generally would not reflect ongoing 
treatment, and thus the information may not support care continuity, 
the value of including such information would likely be outweighed by 
the drawbacks of doing so. A denied prior authorization decision does 
not provide information about the patient's ongoing care because it 
does not show that patients received any items or services. If a 
patient did receive those items or services despite the denial of 
coverage, that information would have to be gathered from elsewhere 
(such as clinical data), regardless of whether the payer receives 
information about the denied prior authorization decision. However, we 
emphasize that denied prior authorization decisions are required to be 
shared via the Patient Access and Provider Access APIs because the 
benefits to those parties of accessing that information can be 
significant, especially for resubmitting requests or appealing 
decisions.
    However, this information could be used in ways that would 
negatively impact a patient's care or coverage. For example, 
information about a denied prior authorization decision could 
potentially create bias in future prior authorization decisions with 
the new payer, and patients could experience challenges to obtain 
coverage for a given service. Even if a previously denied prior 
authorization does not in fact create bias with the new payer, some 
patients may fear that result, which could lead to fewer patients 
opting in to payer to payer data exchange.
    Comment: Several commenters recommended not including the quantity 
of services used to date due to the concern that health plan claims 
data updates are often delayed and, therefore, may not be a reliable 
source to track the number of authorized services used to date. A 
commenter recommended that CMS require only the authorized units of 
items and services for a specific prior authorization, rather than the 
items and services used under the authorization.
    Response: Upon reviewing comments, we agree with the many 
commenters who pointed out that the authorized services used to date 
under a prior authorization may be more confusing than useful for 
patients and providers. We heard that the quantity used to date would 
only be available based on claims that have been submitted and 
adjudicated for those items or services. Because there can be a 
significant lag between the items or services being provided and the 
claim being adjudicated, the information available through the APIs 
could be out-of-date and inaccurate. Therefore, we are finalizing a 
modification to our proposal that will not require payers to share the 
number of items or services used under the authorization. We are also 
finalizing a modification to our proposals that this information does 
not need to be included in the Patient Access API (discussed in section 
II.A.2.a.ii. of this final rule) or the Provider Access API (discussed 
in section II.B.2.g. of this final rule).
    Comment: Several commenters encouraged CMS to include unstructured 
documentation and forms that were submitted as part of a prior 
authorization request. Some payers commented that making that 
documentation available via the Payer-to-Payer API will facilitate 
their ability to make prior authorization decisions for a new patients 
without requesting duplicative information be submitted. Commenters 
stated that unlike in the Patient Access and Provider Access APIs, 
sharing supporting documentation through the Payer-to-Payer API could 
allow the new payer to use that information to make decisions about 
subsequent prior authorizations, if required. A few commenters held the 
opposing view that CMS should not finalize requirements to include 
clinical documentation and forms with prior authorization information 
via the Payer-to-Payer API.
    Response: We are finalizing a modification to our proposal for the 
Patient Access and Provider Access APIs to remove the proposed 
requirement to make available unstructured administrative and clinical 
documentation. We have concluded that

[[Page 8831]]

for these APIs, the burden outweighs the benefit. However, that is not 
the case for the Payer-to-Payer API. One of the goals of this 
regulation and the Payer-to-Payer API requirement is to promote greater 
continuity of care when patients change payers, especially regarding 
prior authorization. In order for payers to ease that transition, they 
need as much relevant data related to recent and ongoing care as 
possible. For instance, current data can allow a payer to authorize 
coverage for ongoing treatment, without requiring repeat testing or 
needing a provider to resubmit clinical information that the provider 
has already submitted to a previous payer.
    In addition, the concerns regarding payers' ability to quickly make 
the unstructured administrative and clinical documentation available, 
via the Patient Access and Provider Access APIs, do not apply to the 
Payer-to-Payer API. Under our Patient Access and Provider Access API 
policies, payers have 1 business day from the time they receive the 
prior authorization request or there is another status update to make 
prior authorization information available. For the Payer-to-Payer API, 
absent a specific patient request, typically payers only have to 
exchange data at the time a patient changes payers, or quarterly for 
concurrent payers. Therefore, unless a prior authorization request is 
submitted within the last days of coverage, payers will have a longer 
timeframe to ensure that unstructured documentation is included in the 
patient's record and can be transferred to another payer when the need 
or requirement to transfer data through the Payer-to-Payer API arises. 
Furthermore, the concern about a patient app or provider's EHR not 
being able to read and display unstructured documentation does not 
apply to payers, which regularly receive unstructured administrative 
and clinical documentation with prior authorization requests.
    Comment: A commenter suggested that given the complexity and 
variation across prior authorizations, any pertinent data from peer-to-
peer reviews should be included in Payer-to-Payer API exchange.
    Response: Based on comments and conversations with payers, we 
understand that many payers consider the specific criteria they use to 
make prior authorization decisions to be proprietary information. In 
addition, because payers have different criteria, information about 
internal peer reviews of prior authorization requests from another 
payer has only limited usefulness. Therefore, we are not requiring 
payers to exchange any documentation that the payer itself generates 
regarding a peer-to-peer review of a prior authorization request. But 
we are requiring impacted payers exchange structured and unstructured 
administrative and clinical documentation submitted by providers 
related to prior authorizations to assist care continuity and allow 
payers to make their own decisions based on the patient's specific 
needs without requiring duplicative submissions from a provider.
iv. Duration of Prior Authorization Data to be Exchanged
    We proposed that impacted payers would be required to make certain 
information about prior authorizations available via the Payer-to-Payer 
API for the duration that the authorization is active and for at least 
1 year after the prior authorization's last status change. We proposed 
to require the availability of prior authorization information for at 
least 1 year after any status change across the Patient Access, 
Provider Access and Payer-to-Payer APIs, so that information from 
denied and expired prior authorizations would not be lost when they 
were not approved or no longer active.
    Comment: Many commenters supported CMS's proposal that certain 
information about prior authorizations be available for the duration of 
an active authorization and for at least 1 year after the last status 
change. Some commenters were in favor of retaining a patient's 
historical prior authorization data indefinitely. Another commenter 
requested clarification on how the proposal to make prior authorization 
data available for at least 1 year would align with the requirement 
that impacted payers make available patient data with a date of service 
on or after January 1, 2016.
    Response: As discussed previously, we are finalizing a modification 
to our proposal that will not require denied prior authorization 
requests to be shared via the Payer-to-Payer API at all. Such 
information must be shared through the Patient Access and Provider 
Access APIs beginning in 2027 (see sections II.A.2.ii. and II.B.2.g. of 
this final rule for more information). We note that the requirement to 
share patient data with a data of service on or after January 1, 2016, 
comes from the CMS Interoperability and Patient Access final rule, 
which required claims, encounter information and certain clinical data 
to be made available via the Patient Access API. Prior authorization 
information was not included in that rule, and therefore, we do not 
have reason to believe that payers are generally maintaining prior 
authorization data back to that date. In addition, the obligation to 
share encounter, claims, or other information from within 5 years of 
the request is contingent on the payer maintaining those data; for 
payers that are not required to maintain records past a certain point 
or that do not have internal policies for retaining records past a 
certain time period, the data may not be available to be shared through 
the Patient Access API. As discussed in the proposed rule, the 
availability of claims and clinical data are more important to patient 
care than information about prior authorizations that have expired. 
Claims and encounter data indicate items and services that the patient 
actually received in the course of their care. Information from a prior 
authorization indicates whether certain items and services were 
approved for coverage, and often the basis for that decision. While 
active or recent prior authorization information is important because 
it can indicate current or recent medical necessity, such information 
cannot be inferred from prior authorizations that have been expired for 
more than 1 year as they would not indicate any sort of ongoing care. 
Claims and clinical data maintained by the previous payer that are 
related to the treatment that occurred under an expired prior 
authorization would replace the need for the expired prior 
authorization decision itself. While claims and clinical data 
associated with an expired prior authorization can indicate the type of 
care received, as discussed earlier in this section, the value to a new 
payer of prior authorizations that were not acted upon, meaning they do 
not have a claim or any clinical data associated with them and are not 
associated with any past treatment or active care for the patient, is 
outweighed by the potential drawbacks of including such information. We 
also considered comments summarized previously and also discussed in 
sections II.A. and II.B. of this final rule regarding the inclusion of 
these data in the Patient Access and Provider Access APIs. While some 
API content differences may be beneficial or practical (such as the 
exclusion of provider remittances and patient cost-sharing 
information), we are keeping the API requirements as similar as 
possible to reduce burden by standardizing data content. We emphasize 
that for ongoing long-term care, any active prior authorizations must 
be included, even if they have been in that status for more than 1 
year. Furthermore, our policy allows payers to make these prior 
authorization data available for longer

[[Page 8832]]

than 1 year, if they believe it adds value to patients, providers, 
themselves or future payers.
v. Considering Prior Authorizations From Another Payer
    While we did not propose to require payers to review, consider, or 
honor the active prior authorization decision of a patient's former 
payer, payers may gain efficiencies by doing so. We sought comment on 
the benefits, burdens and considerations of imposing such a 
requirement. However, we did not make any proposals and therefore are 
not finalizing any policies in this area. We do note that since we 
published the proposed rule, the Medicare Program; Contract Year 2024 
Policy and Technical Changes to the Medicare Advantage Program, 
Medicare Prescription Drug Benefit Program, Medicare Cost Plan Program, 
and Programs of All-Inclusive Care for the Elderly final rule (CY 2024 
MA and Part D final rule) was issued, which requires MA coordinated 
care plans to provide a minimum 90-day transition period when an 
enrollee switches to a new MA organization, during which the new MA 
organization may not require prior authorization for an active course 
of treatment.
    Comment: A commenter requested clarification about the relationship 
between this final rule and the provision for MA plans at 42 CFR 
422.112(b)(8)(i)(B) added by the CY 2024 MA and Part D final rule. That 
rule requires MA coordinated care plans to provide a minimum 90-day 
transition period when an enrollee switches to a new MA organization 
during which the new MA organization may not require prior 
authorization for an active course of treatment.
    Response: The requirements at 42 CFR 422.112(b)(8) adopted in that 
recent final rule apply to Part A and B benefits covered by an MA plan. 
An ``active course of treatment'' is defined at 42 CFR 
422.112(b)(8)(ii) as a course of treatment in which a patient is 
actively seeing a provider and following a ``course of treatment,'' 
which is defined as a prescribed order or ordered course of treatment 
for a specific individual with a specific condition, outlined and 
decided upon ahead of time with the patient and provider. A patient can 
have an active course of treatment to which 42 CFR 422.112(b)(8) will 
apply that did not require prior authorization by their previous payer.
    Per 42 CFR 422.112(b)(8)(i)(B), MA organizations offering 
coordinated care plans must have, as part of their arrangements with 
contracted providers, policies for using prior authorization that 
provide for a minimum 90-day transition period for any active course(s) 
of treatment when an enrollee has enrolled in an MA coordinated care 
plan, even if the course of treatment was for a service that commenced 
with an out-of-network provider. Further, the MA plan cannot deny 
coverage of such active courses of treatment on the basis that the 
active course of treatment did not receive prior authorization (or was 
furnished by an out-of-network provider) but may review the services 
furnished against the MA plan's coverage criteria when determining 
payment. This includes enrollees who are new to an MA plan, an enrollee 
switching from Traditional Medicare to MA, or enrollees new to Medicare 
and enrolling in an MA plan for the first time.
    In that final rule, we explained how we expect any active course of 
treatment to be documented in the enrollee's medical records so that 
the enrollee, provider, and MA plan can track an active course of 
treatment to avoid disputes over the scope of the new requirement. 
Therefore, an active course of treatment should be included in the data 
exchanged between impacted payers, regardless of whether a previous 
payer required a prior authorization. Under this final rule, the data 
content that must be shared via the Payer-to-Payer API includes the 
claims and encounter data (excluding provider remittances and cost-
sharing data), all data classes and data elements included in a content 
standard at 45 CFR 170.213 and certain information about prior 
authorizations maintained by the payer with a date of service within 5 
years of the request. Almost any active course would be represented 
within that dataset. Any active course of treatment covered by 42 CFR 
422.112(b)(8)(i)(B) will thereby become part of the patient's record 
with their new payer. It is important, especially in light of 42 CFR 
422.112(b)(8), that MA enrollees are aware that their active course of 
treatment is being honored and for how long. That will allow MA 
enrollees in plans subject to this new requirement, and their 
providers, to plan for a new prior authorization request, if necessary.
    Although this particular need for access to information about 
active courses of treatment is unique to MA enrollees in MA coordinated 
care plans, the data exchange and Payer-to-Payer API requirements 
outlined here are applicable to any impacted payer. While we encourage 
other payers to honor an active course of treatment similar to the 
requirements of 42 CFR 422.112(b)(8) for MA coordinated care plans, we 
have not proposed to require that of any payers not covered by that 
rule.

c. Identifying Previous and Concurrent Payers and Opt In

i. Process Timing
    We proposed that all impacted payers develop and maintain processes 
to identify a patient's previous/concurrent payer(s) and to allow 
patients or their personal representatives to opt into the payer to 
payer data exchange (both with previous and concurrent payers) prior to 
the start of coverage. Additionally, we proposed that impacted payers 
would be required to establish similar processes for current patients 
prior to the compliance dates, to ensure those patients have the 
ability to opt in and have their data shared through the API. We are 
finalizing a modification to this proposal, as discussed, to establish 
a deadline for these processes at 1 week after the start of coverage 
(as that term is defined for each program).
    We emphasized in the proposed rule that obtaining a patient's opt 
in permission and identifying the previous/concurrent payer(s) could 
not delay an applicant's eligibility determination or start of coverage 
with any impacted payer. We noted that the proposed requirement to 
identify a patient's previous/concurrent payer(s) and obtain a 
patient's opt in may not always be feasible before the start of 
coverage, for instance, if a patient does not provide enough 
information to identify their previous payer. We emphasized that payers 
must begin this process before the start of coverage, but realize that 
it may take longer than enrollment. In that case, the impacted payer 
would be required to continue to engage with the patient to gather 
their permission and identify any previous/concurrent payer(s). Only 
once the impacted payer has received permission and identified those 
other payers would they be required to request patient data, as 
outlined in sections II.C.3.c.ii. and II.C.3.c.iv. of this final rule. 
Using Medicaid as an example, if a state has all the information 
necessary to determine an individual's eligibility before it has 
identified the previous payer, the state must determine the 
individual's eligibility and enroll the individual in Medicaid 
coverage, if determined eligible, while continuing to follow the Payer-
to-Payer API requirements as expeditiously as possible post-enrollment.
    For new patients enrolling on or after the compliance dates, we 
proposed to require impacted payers to maintain a process for patients 
to opt into the Payer-to-Payer API data exchange and to

[[Page 8833]]

identify their previous/concurrent payer(s) prior to the start of their 
coverage. In section II.C.4.b. of this final rule, we discuss the 
possible incorporation of these requirements into state applications 
for Medicaid or CHIP eligibility. In the proposed rule, we stated that 
making this process available to patients during the enrollment 
process, or immediately thereafter, would allow the proposed data 
exchange to take place as quickly as possible once the patient is 
enrolled with the new payer. For example, where there may not be 
communication during the enrollment process such as during the QHP 
enrollment on the FFEs, this process should be done immediately 
following enrollment. We solicited comment on incorporating the 
proposed requirements into the FFE QHP enrollment process as described 
at 45 CFR 156.265.
    Concurrent coverage means that an individual has coverage provided 
by two or more payers at the same time. This could include, for 
example, individuals dually eligible for Medicare and Medicaid who are 
enrolled in both an MA plan and a Medicaid managed care plan. Another 
example of concurrent coverage is when different services are covered 
by different Medicaid managed care plans for the same Medicaid 
beneficiary.
    Several payer deadlines in this rule are based on a patient's 
``start of coverage.'' For example, we proposed (and are finalizing) a 
requirement for impacted payers to request previous and concurrent 
payer information and a patient's opt in for Payer-to-Payer API data 
exchange (discussed in section II.C.3.c.iv. of this final rule) no 
later than 1 week after the start of coverage. Throughout the preamble, 
we are using the term ``start of coverage'' to mean when coverage 
begins or, if coverage begins retroactively, to refer to a later 
milestone, depending on the payer type. However, to ensure feasible 
timeframes for new patients after the compliance dates, we are 
finalizing deadlines based on whether coverage starts prospectively or 
retroactively. Where coverage starts prospectively, the deadline will 
be based on the coverage start date (also known as the coverage 
effective date). In the case of retroactive coverage, to avoid a 
deadline in the past, the deadline for the payer to provide the 
required information about the Payer-to-Payer API, request identifying 
information about previous/concurrent payer(s), and an opt in will be 
based on the date that the payer gets patient information and makes the 
patient's coverage effective.
    Because the enrollment and coverage initiation processes for each 
program differ in their specifics, in regulation text, the concept of 
``start of coverage'' is described differently for each type of 
impacted payer. That is, the regulatory text uses different, program-
appropriate terminology for each impacted payer.
    For MA organizations, the ``start of coverage'' generally means the 
effective date of coverage, as used at 42 CFR 422.68. In some 
instances, an individual's enrollment may be accepted by CMS with a 
retroactive effective date of coverage, as discussed in the Medicare 
Managed Care Manual, Chapter 2, section 60.4.\80\ In those cases, the 
``start of coverage'' would be the date that the individual's 
enrollment is accepted by CMS.\81\ Effectively, this means that the 
``start of coverage'' is whichever is the later of those two dates--the 
effective date of coverage or the date that the individual's enrollment 
is accepted by CMS.
---------------------------------------------------------------------------

    \80\ Centers for Medicare and Medicaid Services (2011, August 
19). Medicare Managed Care Manual. Retrieved from https://www.cms.gov/files/document/cy-2024-ma-enrollment-and-disenrollment-guidance.pdf.
    \81\ See also Medicare Managed Care Manual, Chapter 2, section 
40.4.2. for similar enrollee notification requirements tied to the 
date that the individual's enrollment is accepted by CMS.
---------------------------------------------------------------------------

    For example, an MA organization that receives an enrollment request 
from an individual that is accepted by CMS in January for a February 1 
effective date of coverage, would have 1 week from February 1 to 
complete the applicable requirements. An MA organization that receives 
an enrollment request from an individual in January that is accepted by 
CMS on February 7 for a retroactive February 1 effective date of 
coverage, would have 1 week from February 7 (not February 1) to 
complete the applicable requirements as finalized in this rule.
    For Medicaid, a beneficiary's coverage is generally retroactive 3 
months from the date that they are enrolled in Medicaid. For CHIP, 
retroactive coverage varies among states. Therefore, for Medicaid and 
CHIP FFS and managed care, the ``start of coverage'' is simply the date 
the beneficiary is enrolled in the state's MMIS (or equivalent 
process), not the date coverage takes retroactive effect.
    For QHP issuers on the FFEs, the start of coverage is generally the 
enrollee's QHP coverage start date. In some cases, a payer may provide 
coverage retroactively, that is, a payer provides coverage starting on 
a date prior to enrollment, for instance due to the birth, adoption, or 
foster care placement of a new child. In that case, the ``start of 
coverage'' would be the effectuation of coverage, as described at 45 
CFR 155.400(e)(1)(iii). Effectively, this means the ``start of 
coverage'' is whichever is the later of those two dates--either the 
coverage start date or the effectuation of coverage. We refer to the 
coverage start date as the first date for which the enrollee has 
coverage and the term ``effectuation of coverage'' to refer to the date 
that the payer takes the steps to implement coverage, even if that 
coverage starts retroactively.
    For example, an FFE QHP issuer that receives enrollee information 
during an annual open enrollment period for a consumer whose coverage 
will start on January 1 of the following year would have 1 week from 
the enrollee's coverage start date of January 1 to complete applicable 
requirements. An issuer that receives information and effectuates 
coverage on March 6 for an enrollee whose coverage starts retroactively 
on February 1 would have a week from the enrollee's effectuation date, 
March 6 (not February 1), to complete the applicable requirements.
    Comment: Multiple commenters expressed concern regarding processes 
for opting in and collecting previous/concurrent payer data occurring 
at the start of coverage, noting logistical challenges to collecting 
data at the time of a patient's enrollment, including document format 
and regulatory challenges to updating existing enrollment forms. 
Multiple commenters provided recommendations regarding actions for 
payers to take at the time of enrollment to facilitate collecting this 
information, such as defining specific data and updating enrollment 
forms.
    In addition, multiple commenters stated that payers should be 
permitted to collect a patient's opt in after enrollment. A commenter 
specifically recommended that collection should be allowed during the 
first month of active enrollment. Some commenters urged CMS to not 
require payers to collect data at enrollment to support the Payer-to-
Payer API, and instead to allow outreach to patients after enrollment 
through existing tools, such as payer portals. Another commenter stated 
that requesting that information at the time of the patient's 
application would allow them to incorporate the process into their 
existing data collection processes. A commenter noted that the 
inability to opt in after the enrollment start date could result in low 
participation rates. Another commenter supported allowing patients to 
opt into data sharing during the open enrollment period. A commenter 
supported allowing a payer to collect a patient's opt in prior to the 
compliance dates for state Medicaid and CHIP agencies and prior to 
enrollment

[[Page 8834]]

of new beneficiaries after the compliance dates.
    Response: We note that the terms used in the preamble and 
regulation text of our proposed rule were different. Our discussions in 
the proposed rule referred to ``prior to the start of coverage,'' which 
we explained in preamble and fully discussed throughout the proposed 
rule, but the proposed regulation text used the phrase ``at 
enrollment'' (except for QHP issuers on the FFEs where we used ``no 
later than the effectuation of enrollment''). We did not propose that 
new payers collect previous payer information at the time of 
enrollment. We stated that payers must begin the process of collecting 
the previous payer information and opt in prior to the start of 
coverage, but that it may take longer than the enrollment process. We 
are modifying the regulatory text to identify the start of coverage 
(rather than enrollment) as the milestone that tolls these 
requirements, consistent with the preamble discussion in the proposed 
rule.
    However, in response to public comments, we are finalizing a 
modification to our proposal by extending the deadline for both 
requesting identifying information about a patient's previous/
concurrent payer(s) and seeking opt in from the patient to 1 week after 
the start of coverage, with certain differences among payers. For MA 
organizations, we are modifying the deadline to no later than 1 week 
after the coverage start date or no later than 1 week after receiving 
acceptance of enrollment from CMS, whichever is later. In the case of 
Medicaid and CHIP FFS, we are modifying both deadlines to refer to 1 
week after enrollment, to avoid confusion related to the retroactive 
eligibility rules in Medicaid. For QHP issuers on the FFEs, we are 
modifying the requirement to no later than 1 week after the after the 
coverage start date or no later than 1 week after the effectuation of 
coverage, whichever is later. Commenters were clear that establishing 
the start of coverage as the deadline for these actions would result in 
logistical challenges and compliance would be difficult for impacted 
payers. We understand that while some types of impacted payers, such as 
MA organizations, may have contact with patients before the start of 
coverage, in other cases, payers do not. Furthermore, while we are 
recommending that state Medicaid and CHIP agencies incorporate these 
requirements into their applications for coverage, states would have 
few other options for communicating with patients before enrollment 
(which is how ``start of coverage'' is captured in the regulation text 
for Medicaid and CHIP).
    We emphasize that payers must begin the process of collecting the 
previous/concurrent payer information and opt in no later than 1 week 
after the start of coverage but understand that it may not be completed 
within that timeframe. We believe it is important to gather this 
information from patients as soon as possible when a patient enrolls 
with a new payer in order to facilitate the timely exchange of patient 
data. Patients may take additional time to respond or follow-up may be 
required. Impacted payers are encouraged to make a reasonable effort to 
engage with patients to gather their permission and identify any 
previous/concurrent payer(s). We rely on payers to develop reasonable 
processes to follow up with patients, and recommend payers follow-up 
one time before determining that the patient is choosing not to opt in. 
Though not required, we encourage payers to build into their request 
process a method for patients to indicate that they do not want to 
provide the requested information, so that payers need not follow up 
with them. We note that the patient education requirements, discussed 
in section II.C.3.g. of this final rule, will provide patients annual 
reminders of the payer to payer exchange functionality. Under this 
final rule, patients must be able to opt in or withdraw permission at 
any time.
    The opt in and identifying previous/concurrent payers processes 
could include using existing portals to gather this information from 
patients, as we are not being prescriptive on how each payer implements 
this process. We also encourage stakeholders to participate in HL7 FHIR 
workgroups to collaborate with other industry stakeholders on 
identifying best practices and identifying possible processes.
ii. Gathering Previous and Concurrent Payer Information
    We proposed that impacted payers would be required to gather 
information about patients' previous/concurrent payer(s) that would 
allow them to identify and request data from those payers. That could 
include the payer's name and a patient ID number or similar identifier. 
Under our proposal, an impacted payer would be required to allow a 
patient to report multiple previous/concurrent payers if they had (or 
continue to have) concurrent coverage. In this circumstance, we 
proposed that impacted payers would be required to request the 
patient's data from all previous/concurrent payers.
    Comment: Multiple commenters expressed concern with the lack of a 
standardized process to identify a patient's previous/concurrent 
payer(s) and recommended that CMS either establish a policy to identify 
the payers, provide technical assistance on how to crosswalk unique 
identifiers, or standardize elements of the process. A commenter 
highlighted that the lack of clarity on how payers are to identify a 
patient's previous/concurrent payer makes the Payer-to-Payer API 
difficult to operationalize and would likely introduce errors. Multiple 
commenters recommended additional changes to the enrollment process to 
support data exchange via the Payer-to-Payer API. A few commenters 
recommended that CMS work with stakeholders to develop a specific 
process to collect this information. A commenter urged CMS to reinforce 
to payers that they should make the processes as easy as possible for 
patients by leveraging touchpoints that the patient would already be 
engaged in to enroll and initiate new coverage.
    Response: Because the requirements for a Payer-to-Payer API and the 
need to collect information about previous or concurrent coverage for 
patients crosses many payer programs with variation between enrollment 
processes, we determined that being prescriptive on a specific process 
would cause more implementation burden than necessary. In response to 
comments, we are finalizing a modification to our proposal to require 
payers to request previous and concurrent payer information no later 
than 1 week after the start of coverage. As discussed previously, 
payers might not have contact with patients before enrollment. 
Therefore, this modification will allow additional time for payers and 
broaden the range of options for payers to align with their current 
processes. Initial implementation may be challenging; however, it is 
important that patients' data are shared as they transition care to a 
new payer, because the benefits for patients outweigh the upfront 
implementation burden. Leaving the process open for payers to implement 
in the least burdensome, most practical way to gather the information 
from patients makes the most sense. Gathering previous payer 
information and an opportunity for the patient to opt in ideally should 
take place through an already established point of contact with the 
patient. Leveraging established points of contact will reduce patient 
burden and help impacted payers meet the deadline of no later than 1 
week after the start of coverage. In particular, payers often have 
existing processes to identify concurrent payers to facilitate

[[Page 8835]]

coordination of coverage and Medicare Secondary Payer/Third Party 
Liability administration. For instance, per 42 CFR 422.108, MA 
organizations are required to identify payers that are primary to 
Medicare and coordinate its benefits to Medicare enrollees with those 
primary payers. State Medicaid programs are required to collect 
sufficient information to enable the state to pursue claims against 
such third parties when making an eligibility determination or 
redetermination per section 1902(a)(25) of the Act (for beneficiaries 
enrolled in managed care, states generally make this the responsibility 
of the MCO with state oversight). That requirement also applies to 
state CHIP programs by cross reference at section 2107(e)(1)(B) of the 
Act. Nothing in this rule would prevent payers from using that 
information for both that purpose and to identify concurrent payers for 
Payer-to-Payer API data exchange. However, patients would still need to 
opt in for payers to proceed with requesting patient data via the 
Payer-to-Payer API.
    Comment: A few commenters requested clarification on whether the 
definition of ``previous payer'' is limited to the immediately previous 
payer or to previous payers within a specific time period, such as 
within the last 5 years.
    Response: The minimum requirement is only to request information 
from the immediately previous payer, however if a patient does report 
multiple previous payers, impacted payers are required to request that 
patient's data from any previous/concurrent payers (identified to or 
known by the impacted payer) within the required 5-year period. We are 
finalizing that policy because patients may have been enrolled with 
payers that are not subject to the requirements of this rule. 
Therefore, allowing patients to have their impacted payers request data 
from payers other than their immediately previous payer within the 5-
year timeframe could maintain as much of their record as possible.
    Comment: A commenter suggested that CMS include a process for new 
payers to inquire whether the previous payer supported the Payer-to-
Payer API described in this regulation, such as a monitored email 
address, and that some type of consequence for non-compliance should be 
levied.
    Response: In section I.D. of this final rule we discuss an NDH that 
could serve as a centralized place for payers to find other payers' 
digital endpoints and identify payers that support the Payer-to-Payer 
API. Without an NDH or similar source of information, payers would 
likely be required to contact the previous payer directly to determine 
if they support the Payer-to-Payer API. We are also exploring other 
solutions, such as using TEFCA, that could be leveraged to determine if 
the previous payer supports the Payer-to-Payer API. We have addressed 
program enforcement and compliance mechanisms in section I.D.2. of this 
final rule, as well, and appreciate public interest in mechanisms for 
provider and patient appeals and complaints, oversight, and assurance 
of compliance.
    Comment: A commenter noted that a payer's ability to request data 
from a previous payer would be dependent on the patient providing 
accurate information about the previous payer. The commenter expressed 
concern regarding the accuracy of this information and the effort 
required for necessary follow-up.
    Response: As discussed previously, we acknowledge that the 
obligation to exchange data is contingent on patients supplying the 
necessary information about previous/concurrent payers. An impacted 
payer cannot comply with these requirements if the patient has not 
provided timely or accurate information about their previous/concurrent 
payer. We emphasize that payers must request this information no later 
than 1 week after the start of coverage, but that it may take longer 
than that to obtain information from the patient. If the patient does 
not respond or additional information is necessary, the impacted payer 
must make reasonable efforts to obtain their response to the opt in 
request and to identify any previous/concurrent payer(s).
    Comment: Several commenters suggested data elements that would be 
necessary or extraneous to make that Payer-to-Payer API request. 
Multiple commenters encouraged including the patient's name, patient's 
previous/concurrent payer name, member ID, date of birth, physical 
address, and phone number in a payer's data request to a previous 
payer. Multiple commenters urged payers not to require patients to 
provide the specific plan name, which may be long and unintuitive and 
because patients may have switched plans over time with that payer. A 
commenter expressed security concerns with exchanging Social Security 
numbers (SSNs) and suggested that their use be as limited as possible. 
Another commenter suggested that patients should be encouraged to 
provide the dates coverage started and ended or information about up to 
three recent services covered by the previous plan and those dates of 
service.
    Response: We agree with commenters that demographic information 
such as patient's name, member ID, date of birth, physical address and 
phone number are appropriate pieces of information to identify 
patients. We also agree that SSNs should be used to identify patients 
only when necessary (and permissible by law) due to that identifier's 
sensitivity. While start and end dates of coverage may be useful in 
some instances, patients are unlikely to know or remember those exact 
dates, nor are they likely easy to find. Therefore, we discourage their 
use for identifying patients. Asking a patient to provide information 
about recent services covered by the previous payer could be burdensome 
to a patient. Patients are unlikely to have that information without 
gathering it from their previous payer. Therefore, there are less 
burdensome ways to effectuate this process, such as by using the data 
elements mentioned previously. Payers should implement these 
requirements in such a way that accomplishes the goal of identifying 
patients' previous/concurrent payer(s) with the least burden on 
patients.
    The data elements that a payer may need to identify a patient and 
match that patient to their record are included in the required and 
recommended standards for the Payer-to-Payer API. Specifically, the 
required US Core IG and the recommended PDex IG have ``Must Support'' 
fields (meaning that the system must be able to support those data 
elements) that could be used for identifying a patient, such as patient 
name, addresses, birth sex, gender, birth date, member and subscriber 
identifiers, and group number. Requesting payers should use those 
fields to identify the patient whose data they are requesting. If the 
information provided is insufficient to make a match, or it matches 
with more than one member, an error should be returned. Payers will 
need to use a combination of data elements to support patient matching, 
as they do today with any data exchange. We also will continue to work 
with ONC and share information on their patient matching research/
initiatives here: https://www.healthit.gov/topic/interoperability/standards-and-technology/patient-identity-and-patient-record-matching. 
We encourage payers to leverage the appropriate patient matching data 
elements of the IGs and we will continue to work on ONC on their 
patient matching research and initiatives.\82\
---------------------------------------------------------------------------

    \82\ Office of the National Coordinator for Health Information 
Technology (2022, September 8). Patient Identity and Patient Record 
Matching. Retrieved from https://www.healthit.gov/topic/interoperability/standards-and-technology/patient-identity-and-patient-record-matching.

---------------------------------------------------------------------------

[[Page 8836]]

    Comment: A commenter suggested the need for a national Health Plan 
ID (HPID) to identify a patient's previous/concurrent payers. The 
commenter requested that CMS re-work and re-issue required standards 
for a national HPID. A commenter also stated that the process would 
benefit from establishing technical standards to ensure that all payers 
are using the same data elements to verify a patient's payer(s).
    Response: We acknowledge industry's interest in a national standard 
for a payer identifier. We are aware that there are a few alternative 
standards used in transactions today, which are located on member ID 
cards and maintained in payer systems. For example, the Payer ID, used 
in Electronic Data Interchange (EDI) transactions, is a unique ID 
assigned to insurance companies to enable them to communicate with each 
other to verify eligibility, coverage, benefits and submit claims. CMS 
also maintains a Plan ID for all QHPs on the FFEs, which are 14 
alphanumeric characters. Until and unless a national standard is 
adopted, industry may wish to collaborate with the SDOs on an 
appropriate payer identifier for the APIs.
    Comment: Several commenters raised the concern that for QHPs, the 
X12 834 transaction standard for health plan enrollment and 
disenrollment from the FFEs does not currently carry previous payer 
information, complete information on concurrent payers, member IDs, or 
opt in needed to support the payer to payer data exchange during QHP 
enrollment. A commenter also raised concerns about situations where a 
patient begins the QHP enrollment process but does make the binder 
payment, and therefore ultimately does not effectuate their coverage.
    Response: Requiring payers to gather this information could result 
in a more streamlined approach than incorporating it into the X12 834 
transaction standard enrollment process, given that FFEs are not 
otherwise required to use or retain the information. However, as 
discussed previously, we are finalizing a modification to our proposal 
to account for the timing of QHP coverage effectuation relative to plan 
selection, which impacts when a QHP can reasonably obtain information 
from an enrollee. Specifically, QHP issuers on the FFEs will be 
required to provide enrollees or their personal representatives with an 
opportunity to opt into the QHP issuer's Payer-to-Payer API data 
exchange no later than 1 week after the coverage start date or the 
effectuation of coverage, whichever is later. This timeframe accounts 
for the date on which an issuer has confirmation that an individual 
will be enrolled in QHP coverage with the issuer, by receiving the 
binder payment that is required to effectuate coverage per 45 CFR 
155.400(e), as well as instances in which coverage takes effect 
retroactively.
iii. Currently Enrolled Patients
    We proposed that no later than the compliance dates for the Payer-
to-Payer API, impacted payers must establish and maintain a process to 
gather permission and identify previous/concurrent payer(s) from all 
patients who are currently enrolled.
    Some payers may want to have a soft launch, rolling implementation, 
or pilot for their Payer-to-Payer API before the compliance dates. We 
therefore tied our proposal to require impacted payers to gather 
permission from currently enrolled patients to the proposed 2026 
compliance dates, rather than when a payer implements its API. We 
stated that this would allow payers to sequentially target specific 
plans, populations, or enrollee categories for operational rollout, as 
long as all currently enrolled patients are given the opportunity to 
opt into the payer to payer data exchange by the compliance dates.
    We received no comments on this proposal. In alignment with the 
modified compliance dates discussed throughout this final rule, the 
requirements to request currently enrolled patients' opt in permission 
and previous/concurrent payer information will be tied to the 2027 
compliance dates we are finalizing for the Payer-to-Payer API.
iv. Opt In
    We proposed an opt in approach for the data exchange through the 
Payer-to-Payer API. We stated that an opt in framework means that the 
patient or their personal representative would need to affirmatively 
permit a payer to share data, and without that permission, the payer 
could not engage in the proposed payer to payer data exchange for that 
patient. We noted that this permission (or lack thereof) would apply 
only to the data exchange we proposed and would not satisfy any other 
obligations required under the HIPAA Privacy Rule or other law. 
Additionally, we stated that we believed patients themselves are the 
best source for sufficient and accurate information necessary for the 
payer to make the request. Should a patient choose to provide this 
information, it would require an affirmative act from the patient, so 
we stated that the burden of asking a patient to opt in would not 
create a significant additional barrier to patient participation. We 
also proposed to require impacted payers to have a process for patients 
to opt into this data exchange at any time after the start of coverage, 
or if they have already opted in, to withdraw that permission at any 
time.
    As discussed in section II.C.4.c. of this final rule, this opt in 
requirement does not apply to data exchanges between a state Medicaid 
or CHIP program and its contracted managed care plans or entities. We 
also proposed that states, through their Medicaid and CHIP programs, 
would be responsible for collecting a patient's choice to opt into the 
payer to payer data exchange, rather than their contracted managed care 
plans. We explained that a Medicaid or CHIP beneficiary may switch 
between FFS and managed care delivery systems within the same state's 
Medicaid or CHIP program, but despite these shifts, an eligible 
beneficiary remains a beneficiary of the state program. States may also 
change the managed care plans that they contract with. Thus, we 
proposed that the patient permission for this data exchange, as a 
Medicaid or CHIP beneficiary, would be obtained by the state and would 
apply regardless of the delivery system in which the beneficiary is 
enrolled.
    In contrast, our policy for the Provider Access API will allow 
payers to exchange patient data with providers unless a patient has 
opted out. We proposed an opt out policy for the Provider Access API, 
in part, based on the existence of a treatment relationship between the 
patient and provider, a contractual relationship between the payer and 
the provider, and a coverage relationship between the payer and 
patient. Specifically, our policy to only require the Provider Access 
API data exchange with providers in the payer's network and require a 
process to attribute a patient to that provider before data can be 
exchanged creates a level of assurance for the payer that it is sending 
patient data to an appropriate party. Two payers exchanging information 
may not have a direct relationship, but would be exchanging data based 
on a patient's separate relationship with each payer. Therefore, in the 
proposed rule, we stated that it would make sense for the patient to 
have a larger gatekeeping role for the Payer-to-Payer API.
    Comment: Many commenters expressed support for the proposed policy 
to require patients to opt into the Payer-to-Payer API. Commenters 
provided various rationales for their

[[Page 8837]]

support. Multiple commenters stated that the opt in approach would give 
patients greater access to and control over their information. Other 
commenters appreciated that the opt in approach protects patient 
privacy. Some commenters noted that the opt in approach would be easy 
for a payer to implement when a patient is a new beneficiary or 
enrollee because the payer's relationship with the patient is new and 
active and the payer can request a patient's opt in at the same time as 
the payer requests the patient's previous/concurrent payer information. 
A commenter noted that the Payer-to-Payer API is particularly well 
suited for an opt in approach because it is usually a one-time or time 
limited exchange (unless concurrent payers are involved).
    Response: We appreciate commenters feedback in support of an opt in 
policy and are finalizing this policy as proposed.
    Comment: Some commenters voiced concerns about an opt in approach. 
Multiple commenters expressed concern that an opt in approach will 
result in lower rates of patient participation in the payer to payer 
data exchange. Multiple commenters recommended that CMS adopt an opt 
out approach for the Payer-to-Payer API instead of an opt in approach. 
Primarily, commenters agreed that an opt out framework would lead to 
more patient participation and more data available for the new payer, 
any new network providers, and patients themselves. A commenter was 
concerned that patients may be confused by the opt in process and 
recommended providing clear directions to patients detailing how and 
when patients can opt into data sharing.
    Response: We agree that an opt in approach often results in fewer 
data exchanges than an opt out policy. However, increased data exchange 
is not necessarily the goal of our policy unto itself, but a process to 
facilitate improved care. We believe that patients, as they are the 
owners of their data, should have control over who has access to their 
data, especially when the two parties exchanging patient data do not 
have a direct relationship with each other, as in the case with payer 
to payer exchange versus the Provider Access API where the payer and 
provider have a network contract. However, we know that the more data 
available, the more informed decisions about care can be. Patients 
should see value in having their data exchanged between their previous/
current payer(s) and their new payer. As discussed in section II.C.3.g. 
of this final rule, impacted payers will be required to provide plain 
language information to patients informing them of the benefits of 
payer to payer data exchange and directions for opting in.
    Comment: A commenter recommended that CMS better explain the length 
of time that an opt in election is valid.
    Response: The patient's opt in election is valid indefinitely with 
that payer unless the patient decides to withdraw their permission at a 
later time.
    Comment: Multiple commenters requested clarification on the 
implications of a patient choosing not to opt into the data exchange 
via the Payer-to-Payer API. Specifically, a commenter agreed that the 
information proposed for the Payer-to-Payer API can be shared only if 
the patient opts in, however, requested clarification on how payers 
could meet obligations to exchange these patients' data for other 
purposes.
    Response: Patients have a choice about whether they want their data 
shared under this policy as they transition between payers. If a 
patient chooses not to opt into the data sharing, data will not be 
exchanged between payers under the requirements in this final rule. 
However, payers may exchange information without a patient's 
authorization for other purposes, such as benefit coordination in the 
case of concurrent payers, or for other permissible reasons under the 
HIPAA Privacy Rule. There is nothing in this rule that would prohibit 
payers from using the Payer-to-Payer API as the mechanism for data 
exchange permissible under other authority, even if the patient has not 
opted into the payer to payer data exchange policy in this final rule.
    Comment: Multiple commenters submitted responses relating the 
Payer-to-Payer API data exchange to the HIPAA Privacy Rule exception 
for TPO disclosures, which do not require patient authorization. Some 
commenters stated that the information CMS proposed to require be made 
available falls under the scope of that exception and therefore opt in 
should not be required. Other commenters believe that some of the data 
(such as prior authorization information) would fall under that 
exception, but other data (such as claims information) would not. A few 
commenters suggested that CMS should reduce the scope of the data 
exchange to allow disclosure under the TPO exception. Furthermore, 
commenters stated that it may confuse and upset patients who have opted 
out of sharing their data via the Payer-to-Payer API, but whose PHI may 
otherwise be disclosed under the HIPAA Privacy Rule.
    Response: We emphasize that our final requirements are not intended 
to change any existing obligations under the HIPAA Privacy, Security, 
and Breach Notification regulations, the regulations under 42 CFR part 
2, or state privacy or other laws, but can and should be implemented in 
accordance with those rules. To make a blanket determination that the 
Payer-to-Payer API exchange that we are requiring always constitutes a 
TPO disclosure would go beyond the scope of this rule and could 
overstate and conflict with existing HIPAA Privacy Rule requirements 
and guidance. Making such a determination could have unintended effects 
on covered entities' ability to disclose PHI. Instead, for the reasons 
explained previously, it is appropriate to require patients to opt in 
for payer to payer data exchange. Our payer to payer data exchange 
requirements are disclosures permitted under the HIPAA Privacy Rule as 
``uses or disclosures that are required by law,'' as defined at 45 CFR 
164.103, rather than as a permitted TPO disclosure. ``Required by law'' 
disclosures are limited to the relevant requirements of such law, not 
to the HIPAA minimum necessary standard, thereby ensuring that all 
content required by our Payer-to-Payer API policy may be disclosed. In 
addition, the data exchange must not be prohibited by other law, such 
as restrictions on patient records related to substance use disorder at 
42 CFR part 2 or state privacy laws.
    We emphasize that the opt in process described here applies only to 
the payer to payer data exchange in this final rule. That is, it 
applies only to the requirement for impacted payers to share individual 
claims and encounter data (excluding provider remittances and cost-
sharing data), all data classes and data elements included in a content 
standard at 45 CFR 170.213 and certain information about prior 
authorizations maintained by the payer with a date of service within 5 
years of the request by a patient's new or concurrent payer. Similar to 
the discussion in section II.B.3.b.ii. regarding Provider Access API, a 
patient's choice not to opt into the payer to payer data exchange does 
not prohibit the payer from using the Payer-to-Payer API to exchange 
patient data under another permissible authority. For instance, there 
may be other permissible bases for payers to share data, without a 
patient's authorization, such as under the HIPAA Privacy Rule's 
permitted uses and disclosures to carry out treatment, payment, or 
health care operations. Patients do not have the ability to opt

[[Page 8838]]

out of a payer using the API itself as a mechanism for sharing data 
under such bases for disclosure. We urge payers to inform their 
patients of this possibility in the educational resources discussed in 
section II.C.3.g. However, we also note that the HIPAA Privacy Rule, at 
45 CFR 164.520, has specific notice requirements for covered entities 
to send to individuals. Payers should make clear the differences 
between the payer to payer data exchange, which requires patients to 
opt in, and other permissible disclosures, which may not require 
authorization.
    We also note that the data that may be shared under other 
permissible bases, such as the TPO exception, may overlap with the data 
required to be shared by our Payer-to-Payer API policy. For instance, a 
payer may be permitted to disclose PHI to another covered entity to 
coordinate benefits or determine cost-sharing amounts for the covered 
entity's payment purposes under 45 CFR 164.506(c)(3). If that 
disclosure is permissible, a patient declining to opt into the payer to 
payer exchange policy in this final rule would not prohibit a payer 
from using the Payer-to-Payer API to make that disclosure. In fact, we 
encourage payers to leverage the Payer-to-Payer API as a standardized 
mode of transmitting this information. Payers may leverage a variety of 
solutions for exchanging coverage data today and moving to a standard-
based API across the industry could benefit payers by reducing the 
types of connections they must maintain to communicate with other 
payers.
    Per 45 CFR 164.506(b), covered entities may create a process to 
obtain consent from an individual to use or disclose PHI to carry out 
treatment, payment, or health care operations. Per 45 CFR 164.522(a), 
individuals also have the right to request restrictions on how a 
covered entity will use and disclose PHI about them for TPO. Except in 
limited circumstances, a covered entity is not required to agree to an 
individual's request for a restriction. Where covered entities agree to 
a restriction, it is bound to the restriction to which it agrees unless 
the restriction is subsequently terminated. We emphasize that the opt 
in process described in this final rule is specific to the Payer-to-
Payer API policy and is therefore not, on its own, a consent mechanism 
per 45 CFR 164.506(b) or an agreed-upon restriction per 45 CFR 
164.522(a).
    These nuances are necessary for patients to understand that their 
personal health information may still be shared in some instances, even 
if they do not opt into the payer to payer data exchange. Where the 
requirements of this rule change how covered entities or their business 
associates may use or disclose PHI, covered entities should consider 
their obligations under the HIPAA Privacy Rule.
    Comment: A commenter recommended that CMS assist states with 
implementing opt in processes. Another commenter explained that the 
feasibility of an opt in approach depends on how it would be 
implemented. A different commenter recommended that CMS to work with 
stakeholders to develop a standard approach for how an opt in 
requirement will work when the patient is not the primary insurance 
holder, noting that a standard approach is necessary to reduce 
confusion and ensure that patient information is protected.
    Response: We agree that the feasibility of an opt in approach 
depends on how it is implemented, which is why we are leaving the 
actual implementation process up to the payers. We expect that payers 
will implement the most viable processes for themselves. Each of our 
policies in this final rule is targeted toward individual patients, not 
any family members that may be covered through the same benefits. We 
note that in some cases, applicable law may allow one individual (such 
as a parent or guardian) to act as a personal representative for 
another individual covered under the same benefits (such as a minor) 
and could therefore opt into the payer to payer data exchange for that 
individual. Regardless, the opt in is patient-specific and a payer must 
make the data request based on the individual's permission and the 
previous/concurrent payer should respond in kind with the individual 
patient's record. No data should be shared about any patient that has 
not opted in (or whose personal representative has not opted in), 
regardless of whether another patient covered under the same benefits 
has opted in.
    Comment: Multiple commenters weighed in on whether patients' opt in 
should be collected electronically and specifically recommended that 
payers collect the opt in via a patient portal or mobile device. A 
commenter explained that payers do not have the means to collect 
patients' opt in via multiple methods. A different commenter noted that 
payers should collect opt in data electronically. Another commenter 
stated that patients should not be required to use a patient portal or 
mobile device app to opt into data sharing. A commenter also requested 
guidance on how to collect permission from patients who require 
assistance enrolling or registering for the patient portal. Another 
commenter noted the importance of equitable access to patient data and 
highlighted the current usage of patient portals as a method to 
authenticate patients' identities and obtain their opt in permission. 
They recommended a centralized identity service for patient 
authentication, verification, or consent for patients who cannot, or 
prefer not to, access the patient portals. A commenter recommended that 
CMS provide a centralized security verification through CMS. The 
commenter noted that a centralized security certification validation 
would relieve burden on payers to manage connectivity with other payers 
and provide assurances around self-signed certificates.
    Response: We are finalizing that all impacted payers must develop 
and maintain processes to identify a patient's previous/concurrent 
payer(s) and to allow patients or their personal representatives to opt 
into the payer to payer data exchange (both with previous and 
concurrent payers) no later than 1 week after the start of coverage. As 
finalized in this rule, each new payer will be responsible for 
gathering permission through an opt in process before requesting data 
from any previous or concurrent payer. If payers believe that a patient 
portal or mobile smart device with appropriate security protections is 
the best way to gather opt in, it is permissible to use those methods. 
We are not being prescriptive about the process or procedures used by 
impacted payers for the required opt in process. However, we strongly 
recommend that there be a way for patients to record their permission 
telephonically or otherwise if they do not have internet access or do 
not want to sign up for an electronic portal. We agree that equitable 
access to patient data is of the utmost importance and emphasize that 
the Payer-to-Payer API requirements are intended to allow for other 
solutions besides patient portals for authentication, verification, or 
consent. For those patients who require assistance, a personal 
representative would be allowed to assist. However, we do note that 45 
CFR part 92 requires impacted payers (as health programs or activities 
under that section) to provide meaningful access to individuals with 
limited English proficiency and accessibility requirements for 
individuals with disabilities. The requirements of that part apply to 
impacted payers, as described at 45 CFR 92.3.
    We also are working closely with ONC on how the Individual Access 
Services exchange under TEFCA could

[[Page 8839]]

support patient access to their data on the network, which could 
include via payer APIs. We appreciate the suggestion of a centralized 
security process and will consider our authority in this area.
    Comment: Multiple commenters generally supported the proposed 
requirement for payers to implement procedures to allow patients to 
withdraw permission for the payer to payer data exchange after 
initially opting in. Several commenters requested clarification from 
CMS on what action payers must take in such instances. Specifically, 
multiple commenters recommended that CMS explain whether payers are 
expected to delete data that have already been received through the 
Payer-to-Payer API if a patient withdraws their opt in permission after 
the data exchange has occurred. Another commenter recommended that CMS 
explain whether patients with concurrent payers will be able to 
withdraw their opt in permission to stop the quarterly concurrent payer 
data exchange.
    Response: Our opt in policy is only prospective. If a patient opts 
in, their impacted payers would be required to exchange data via the 
Payer-to-Payer API, if all other requirements are met. If that patient 
subsequently withdraws permission, payers will not need to take any 
additional steps with regard to patient data that have already been 
received from another payer. Specifically, there is no requirement in 
our regulations to delete those data from their records. We acknowledge 
that it may not be possible in all cases to clearly delineate which 
entity created each part of the patient record and trying to do so 
would put a burden on payers without benefit to patients. Payers are 
permitted to identify the previous or concurrent payer as the source of 
data, but are not required to do so. If a patient withdraws their 
permission for the payer to payer data exchange after first opting in, 
the payer will not be permitted to request that patient's data from 
another payer, including a concurrent payer, unless the patient 
subsequently opts in again. As discussed previously, payers may 
exchange information for other purposes not related to the policies 
described herein, such as for benefit coordination in the case of 
concurrent payers or other permissible purposes under the HIPAA Privacy 
Rule, and may still use the Payer-to-Payer API as the mechanism to 
exchange data for those purposes, even if a patient has not opted in.
    Comment: Multiple commenters made recommendations related to CMS 
monitoring and oversight of the opt in approach. A commenter suggested 
that CMS conduct oversight to ensure that payers implement the opt in 
process and provide appropriate messaging to patients. A commenter 
recommended that CMS require payers to submit data on the number of 
patients who opted into the data exchange and how they were educated to 
do so. The commenter stated that this would help CMS understand if the 
API is meeting its intended goals. Another commenter recommended that 
CMS consider including Payer-to-Payer API claims in the Healthcare 
Effectiveness Data and Information Set (HEDIS) measure. Another 
commenter recommended that CMS monitor the percentage of patients that 
do not opt into these data exchanges via the Payer-to-Payer API and 
assess whether those patients are concentrated in certain populations 
and whether there are equity issues that CMS should address in the 
future.
    Response: We did not propose to require impacted payers to report 
any metrics regarding the number of patients who opt into data sharing, 
but we appreciate the recommendation and will consider it for future 
rulemaking. We note that the specifications of HEDIS measures are out 
of scope for this rule. We received comments on many of our proposals 
about the need for specific compliance and enforcement efforts 
pertaining to each API and we address these comments in section I.D. of 
this final rule. Oversight and compliance procedures and processes vary 
among these CMS programs and may have different implications based on a 
payer's status in the program, previous compliance actions, and 
corrective action plans.
    Comment: Multiple commenters supported our proposal to require 
state Medicaid and CHIP programs to collect patients' permission for 
payer to payer data exchange in lieu of their contracted managed care 
plans and managed care entities. Commenters stated that Medicaid and 
CHIP agencies are in the best position to collect information from all 
beneficiaries during eligibility and enrollment. However, commenters 
warned that if sister agencies within the state perform eligibility and 
enrollment processes, there would be additional coordination required 
to collect patients' permission.
    Response: We agree with commenters that state Medicaid and CHIP 
agencies are the logical entity to hold Medicaid and CHIP 
beneficiaries' permission for payer to payer data exchange. We note 
that MCOs, PIHPs, and PAHPs are still responsible for collecting 
previous/concurrent payer information and requesting the data exchange. 
However, nothing in this rule would prevent a Medicaid or CHIP agency 
from collecting that information and passing it along to their MCOs. We 
also acknowledge the specific difficulties that states may face to 
implement the requirements of this rule and refer readers to section 
II.E. of this final rule for discussion about available extensions and 
Federal funding for IT expenditures related to these requirements.
d. Requesting Data Exchange From a Patient's Previous/Concurrent 
Payer(s) and Responding to Such a Request
i. Timeframe for Requesting Data
    We proposed to require impacted payers to request a patient's data 
from their previous/concurrent payer(s) no later than 1 week after the 
start of coverage, as defined previously. We stated that 1 week should 
be sufficient time for payers to complete their process for identifying 
patients' previous/concurrent coverage and to request data from the 
other payer(s). We proposed that if, after the start of coverage, a 
patient opts into the data exchange or provides previous/concurrent 
payer information or requests a payer to payer data exchange for 
another reason, then the current payer would be required to request 
data from the previous/concurrent payer(s) no later than 1 week after 
the payer received the previous/concurrent payer information and the 
patient has opted in, or the patient makes the request. We acknowledge 
that the obligation to request data is contingent on the patient 
supplying the necessary information about a previous/concurrent payer 
to enable the new payer to conduct the required exchange. An impacted 
payer cannot comply with these requirements if the patient has not 
provided timely or accurate information about their previous/concurrent 
payer. In that case, payers are required to make reasonable efforts to 
gather this information from patients. For example, we recommend payers 
follow-up one time before determining that the patient has not opted 
in. We are finalizing a modification to the proposed regulatory text to 
clearly establish that the 1-week timeframe for requesting patient data 
begins when the impacted payer has sufficient identifying information 
about previous/concurrent payers and the patient has opted in.
    Comment: Many commenters supported our proposal to require impacted 
payers to request data from a patient's previous payer no later than 1 
week after the start of coverage or obtaining previous/concurrent payer

[[Page 8840]]

information and opt in permission from the patient. Other commenters 
suggested a variety of alternative timeframes for payers to request 
patient data from previous/concurrent payers. A few commenters 
recommended that CMS allow 2 weeks after the start of coverage to 
request the data. Other commenters recommended that CMS extend the 
timeframe for a data exchange to be within 30 or 90 days after 
enrollment to allow payers time to confirm the patient's information, 
especially during peak volumes such as open enrollment. A commenter 
highlighted that a 90-day timeframe would allow time for the previous 
payer to process outstanding claims. Conversely, other commenters 
recommended a 3-day timeframe for a new payer to request the patient's 
data from their previous payer to expediate the data exchange.
    Response: We continue to believe that 1 week is the appropriate 
period to require payers to make a request for patient data after they 
have sufficient identifying information about the previous/concurrent 
payer and the patient has opted in. The longer the period between the 
time a patient enrolls with a new payer and that payer receives patient 
data, the less relevant those data could be. This is particularly true 
for patients who have chronic conditions or ongoing treatment for life-
threatening conditions. For these patients, it is more important that 
their new payer get information as soon as possible. If necessary, 
additional information can be exchanged as it becomes available. See 
our discussion in section II.C.3.d.i. of this final rule regarding 
optional additional data exchanges between previous and new payers. For 
instance, the CY 2024 MA and Part D final rule requires MA coordinated 
care plans to provide a minimum 90-day transition period when an 
enrollee switches to a new MA plan. During that time, the new MA 
organization may not require prior authorization for an active course 
of treatment. Establishing a 90-day timeline for payer to payer 
exchange could largely negate the utility of the data to comply with 
that requirement. Even a shorter period, such as 2 weeks or 30 days, 
could require patients to provide separate information about active 
courses of treatment, which would add burden to patients rather than 
reducing it. Regardless of whether impacted payers are subject to that 
rule, it is important to exchange data quickly so that patients can 
maintain a continuity of care.
    However, we also determined that our proposed data request deadline 
was no longer feasible with the modified deadline for requesting 
previous/concurrent payer information and the patient's opt in to be no 
later than 1 week after the start of coverage. Therefore, we are also 
finalizing a modification to our proposal to require impacted payers to 
request data from a patient's previous/concurrent payer(s) no later 
than 1 week after the payer has sufficient identifying information and 
the patient has opted in, or within 1 week of a patient's request. We 
encourage payers to request these data as expeditiously as possible. 
Specifically in regard to periods of peak volume for payers, we 
encourage payers to use the Bulk Data Access IG to send bulk requests 
and responses for multiple patients at once. As discussed in section 
II.G. of this final rule, we are finalizing our proposal to require 
payers to implement the Bulk Data Access IG for the Payer-to-Payer API 
for this very purpose.
    Comment: Multiple commenters suggested that CMS explain the meaning 
of within 1 week of the start of coverage. A commenter highlighted how 
Medicaid policy requires that they grant eligibility retroactively up 
to 3 months and recommended that the data request within 1 week of the 
start of coverage be based on the date that the eligibility update is 
received into their MMIS, not the effective date of coverage, which 
could be 3 months prior. Another commenter recommended that only QHP 
policies that have been effectuated with a binder payment be subject to 
the payer to payer data transfer requirement, which should leave 1 week 
after the date that benefits begin for the new payer to request the 
data transfer.
    Response: As noted previously, we are changing the deadlines for 
payers to request information from other payers by tying them more 
closely to the date when the payer has sufficient information about a 
patient's previous and concurrent payers and the patient has opted in. 
As such, the data request deadline is no longer linked to the start of 
coverage or enrollment. Further, as explained previously, the term 
``start of coverage,'' as used in the preamble to this rule, means when 
coverage begins or when the patient enrolls, as applicable. For cases 
when there may be retroactive coverage, such as in Medicaid, the payer 
will be required to seek a patient's opt in for Payer-to-Payer API data 
exchange and to request information about a new patient's previous/
concurrent payer(s) no later than 1 week after the patient's 
enrollment. In Medicaid, the patient's ``enrollment'' is the date the 
beneficiary is enrolled in the state's MMIS (or equivalent process), 
not the date that coverage takes retroactive effect. For that reason, 
the regulation text in Medicaid FFS reflects this by referring to 
``enrollment'' instead of ``start of coverage.''
    Comment: Multiple commenters requested clarification that timing 
requirements are flexible to the extent reasonable and necessary to 
verify that privacy and security requirements are met. A commenter 
emphasized that this timeframe could only be followed if it begins 
after the member has provided sufficient information as determined by 
the impacted payer to identify a concurrent payer (for example, payer 
name, member enrollment number, group number).
    Response: We agree that the timeframe for sending a request only 
begins when a payer has sufficient information to send a request to 
another payer and the patient whose data are being requested has opted 
in. We are finalizing that the request must be made no later than 1 
week after the payer has sufficient identifying information and the 
patient has opted in. We note that, as discussed previously, payers 
have an obligation to request that information from their patients no 
later than 1 week after the start of coverage, as that term is defined 
previously specific to each impacted payer type.
    Comment: A commenter suggested that if payer endpoints are not 
publicly available or accurate information on a previous payer is not 
available, payers should only be required to make reasonable efforts to 
complete the data exchange.
    Response: Existing requirements require payers to make technical 
documentation about their API, including digital endpoint information, 
on a publicly accessible section of their website.\83\ In section I.D. 
of this rule we discuss an NDH that could serve as a centralized place 
for impacted payers to find other payers' digital endpoints. Commenters 
indicated that such a directory would significantly improve the process 
for requesting patient data.
---------------------------------------------------------------------------

    \83\ See 42 CFR 422.119(d) for MA organizations, 42 CFR 
431.60(d) for Medicaid FFS, 42 CFR 438.242(b)(5) for Medicaid 
managed care, 42 CFR 457.730(d) for CHIP FFS, 42 CFR 457.1233(d) for 
CHIP managed care, and 45 CFR 156.221(d) for QHP issuers on the 
FFEs. These requirements are cross referenced in the regulations 
requiring impacted payers to apply the same technical specifications 
to all the APIs required under this final rule.
---------------------------------------------------------------------------

    Payers are required to request patient information from previous 
and concurrent payers if the conditions in the rule are met, and we 
encourage payers to make a reasonable effort to locate information 
about a patient's

[[Page 8841]]

previous payer. If a payer is unable to obtain a valid endpoint or 
accurate information for a previous or concurrent payer, we recommend 
they document the efforts they took to gather the information from the 
other payer. Doing so could establish a record for future oversight, or 
in case of a dispute, that the payer made a reasonable effort to comply 
with the requirements of this rule and the patient's desire for their 
data to be exchanged. As discussed, payers are not responsible for 
determining whether the patient's previous payer is an impacted payer, 
but are required to request previous/concurrent payer information from 
the patient and to make the data request to the other payer. We 
encourage payers that are not subject to the requirements in this rule 
to participate in the Payer-to-Payer API exchange in order to allow 
their patients to benefit from this policy. However, a payer not 
subject to this regulation may not have a FHIR API or want to exchange 
the required information, which would be outside of the impacted 
payer's control.
    Comment: Multiple commenters flagged that impacted payers will need 
time to establish the necessary technology linkages, data use 
agreements, and security protocols to exchange information with another 
payer in a manner compliant with the HIPAA standard transaction and 
code set requirements. A commenter noted that the data exchange would 
take longer than 1 week if a payer needs to set up a new connection, as 
feeds may differ.
    Response: We understand that a functional technological connection 
with other payers to meet the requirements for the Payer-to-Payer API 
policy can and sometimes will take more than a week to complete. 
However, there is no applicable HIPAA standard transaction or code set 
for the payer to payer data exchange we are finalizing in this final 
rule. The required standards are those being established in this final 
rule. Giving impacted payers sufficient time to coordinate with other 
payers to establish the capability to exchange data is one rationale 
for delaying the compliance dates from the proposed 2026 to 2027. We 
expect that payers will use that additional time not only to build the 
requisite API technology, but to coordinate with other payers to 
establish those linkages. We encourage payers to establish connections 
and perform testing with other payers before the compliance dates for 
the Payer-to-Payer API to ensure that the data exchange will work as 
expected. Payers should also set up a testing or sandbox instance of 
their Payer-to-Payer API as early as possible for other payers to test 
against. We also encourage payers to establish data use agreements and 
register with each other's APIs prior to the compliance dates in order 
to facilitate exchange as quickly as possible after the compliance 
dates. We expect that those technological and legal requirements will 
be most burdensome when one payer connects with another for the first 
time. Subsequent exchanges should rely on that same foundation, and it 
should not be necessary to repeat those steps. Finally, we suggest 
payers prioritize other payers that they are most likely to exchange 
with, such as those that overlap with their geographical coverage area.
ii. Additional Data Exchange
    In the proposed rule, we solicited comments on whether additional 
data exchanges would be warranted to account for data received or 
processed by the previous payer after the patient's coverage ends and, 
if so, what the appropriate parameters would be. Outside the context of 
concurrent payers, we generally expect our policy to require a one-time 
data exchange between a previous and new payer. Once the new payer has 
received the patient's data from the previous payer, we do not 
generally expect there to be additional exchanges with the previous 
payer. However, we want to allow patients to request subsequent data 
exchanges to account for any outlier situations. We are also aware that 
claims take time to process and may be processed after patients have 
enrolled with a new payer, thus creating additional data within the 
patient's record for some time period after the patient has changed 
payers. We considered proposing a policy where, if the patient opts in, 
a previous payers would be required to send any additional data within 
the required dataset to the new payer no later than 1 week of receiving 
the additional data. However, keeping in mind the burden this could 
impose on payers, we sought comment on such a policy. We sought comment 
on whether additional data could be helpful for the new payer in the 
weeks or months after enrollment, and which specific data could be most 
pertinent, or whether additional data exchange would be overly 
burdensome and not provide value to the new payer. We asked whether it 
would be appropriate to limit such a requirement to send updated data 
to a certain period after the initial data exchange, for instance 
within 30 or 90 days. Additionally, we asked whether impacted payers 
should be required to make an additional data exchange within a week of 
receiving any new data or on a set cadence, such as monthly or 
quarterly, to allow payers to streamline transactions for multiple 
patients.
    Comment: We received varying comments around additional data 
exchanges with multiple commenters supporting a one-time additional 
data exchange to promote continuity of care. Some commenters thought it 
would not be feasible to share additional data within 1 week of each 
update but supported a single exchange at 30-, 60- or 90-days after the 
patient has moved to a new payer. A commenter stated it would be 
difficult to track when additional data need to be sent after the 
initial exchange.
    Response: We agree that it could be helpful for payers to 
supplement the data exchange required under this rule, to account for 
any claims or data that are received after the initial data are sent to 
the new payer. While we are not requiring it, we encourage payers to do 
so in order to pass along a complete patient record. Likewise, we 
encourage the new payer to send an additional request for data within 
90 days of receiving the initial data response. The previous impacted 
payer would be required to respond to such a request.
iii. Authorization and Authentication Protocols
    We proposed that impacted payers would be required to use the 
OpenID Connect Core authorization and authentication protocols at 45 
CFR 170.215(e)(1) to authenticate the identity of the requesting payer. 
We wanted to ensure payers would not have to send data unless they are 
confident that the requesting payer is identified. The ONC Cures Act 
final rule adopted content and vocabulary standards to provide the 
foundation needed and were finalized for use in the CMS 
Interoperability and Prior Authorization final rule to support 
implementation of the policies (85 FR 25521-25522). Thus, we proposed 
OpenID Connect Core in effort to align standards across API 
implementations.
    Comment: Multiple commenters sought clarification on the general 
authentication and authorization process and flagged that requiring 
OpenID Connect Core will not be sufficient for the Payer-to-Payer API. 
A commenter recommended that CMS consider UDAP or the PDex IG, which 
uses a SMART framework instead. Another commenter flagged that the 
OpenID Connect Core standard requires a log-in, whereas the proposal 
suggested that payers are required to provide these APIs without a user 
login or credential.

[[Page 8842]]

A commenter highlighted that the Bulk Data Access IG requirement relies 
on portal credentials and user logins created by the individuals to be 
linked to their identity in the payer system.
    Response: Upon consideration, we agree that it would not be 
appropriate to require OpenID Connect Core for the Payer-to-Payer API. 
OpenID Connect Core is a means to identify individuals and because the 
Payer-to-Payer API is a business-to-business interaction, OpenID 
Connect Core is not adequate to meet this use case. Although OpenID 
Connect Core can be utilized for the Payer-to-Payer API, it is not a 
scalable approach because it requires user credentials. For similar 
reasons, we are finalizing a modification to our proposal to not 
require OpenID Connect Core for the Provider Access, Payer-to-Payer and 
Prior Authorization APIs.\84\ The SMART App Launch IG can also provide 
a method for authentication within the Payer-to-Payer API; though we 
note that we are not finalizing our proposal to require that IG, it 
remains available to payers as an option. However, as part of the 
Payer-to-Payer API, payers still need to authenticate bi-directionally 
using industry best practices to ensure that patient data are only 
shared appropriately. We refer readers to Table H3 in section II.G. for 
an updated listed of required and recommended standards and IGs. We 
also advise that the Bulk Data Access IG, which is a required IG for 
the Payer-to-Payer API, contains a ``SHOULD'' (that is, strongly 
recommended) conformance statement to use SMART Backend Services. We 
also note that SMART Release 2.0.0, which has since been adopted in the 
HTI-1 final rule at 45 CFR 170.215(c)(2) includes SMART backend 
services. Though in this final rule we are requiring impacted payers to 
support the Bulk Data Access IG in their Provider Access and Payer-to-
Payer APIs, this requirement does not obligate them to use it for every 
data exchange if it is not necessary.
---------------------------------------------------------------------------

    \84\ In the proposed rule, that requirement was included for MA 
organizations at 42 CFR 422.121(b)(1)(i), for Medicaid FFS at 42 CFR 
431.61(b)(1)(i), for CHIP FFS at 42 CFR 457.731(b)(1)(i), for 
Medicaid managed care plans through cross reference at 42 CFR 
438.242(b)(7), for CHIP managed care entities through cross 
reference at 42 CFR 457.1233(d), and for QHP issuers on the FFEs at 
45 CFR 156.222(b)(1)(i).
---------------------------------------------------------------------------

    Comment: A commenter recommended that CMS collaborate with industry 
stakeholders to identify best practices for user authentication and 
authorization with the Payer-to-Payer API. Another commenter 
highlighted that guidance on how to trust and verify inbound data 
requests via the Payer-to-Payer API will be essential.
    Response: We will continue to collaborate with industry 
stakeholders through HL7 FHIR workgroups and through HL7 FHIR 
Connectathons as the standards to support the Payer-to-Payer API 
continue to be refined to support these final policies. We also will 
continue to work closely with ONC on the required authentication and 
authorization standards under 45 CFR 170.215. While we are not 
specifically requiring an IG or method be used for authentication and 
authorization, as part of the Payer-to-Payer API payers still need to 
authenticate the other payer they are exchanging data with.
iv. Attestation
    We proposed to require the requesting impacted payer to include an 
attestation with the request for data affirming that the patient (1) is 
enrolled with the requesting payer and (2) has opted into the data 
exchange in a manner that meets the applicable legal requirements. As 
explained in section II.G. of this final rule, we recommended certain 
HL7 FHIR IGs to support the data exchange between payers. The 
recommended PDex IG has been developed to include both the technical 
and business processes of capturing and sharing a patient's permission 
for data exchange with the payer to payer data request. Because that IG 
is recommended and not required, impacted payers could also exchange an 
attestation regarding patient permission with other implementations, 
which could meet or exceed the requirements of the PDex IG.
    Comment: Multiple commenters supported the attestation proposals 
for the Payer-to-Payer API. Multiple commenters provided 
recommendations for processes to share patients' data sharing 
permission. Multiple commenters suggested processes for payers to 
verify that a patient opted into data sharing with another payer before 
giving that payer access to patient data. A commenter requested 
clarification on whether patients must opt in for each subsequent 
payer. A commenter recommended that patients' data sharing permission 
be shared with secondary and tertiary payers. Commenters requested 
clarification on which payer (the requestor or requestee) is 
responsible for obtaining patients' permission. A commenter highlighted 
that an attestation process will not resolve the risks of incorrectly 
matching data to the patient. Another commenter asked whether FHIR can 
be used to send the attestation. Another commenter requested 
clarification on using standards and IGs to facilitate the opt in 
process. A commenter sought guidance on where a patient's opt in would 
be indicated on the electronic transmission and how they could verify 
that the payer provided educational information to the patient.
    Response: We appreciate the recommendations for sharing a patient's 
opt in but leave that exact process up to payers. The impacted payer 
requesting the data from the previous/concurrent payer is responsible 
for obtaining the patient's opt in and must include an attestation with 
that request for data affirming that the patient (1) is enrolled with 
the requesting payer and (2) has opted into the data exchange in a 
manner that meets the necessary legal requirements. Patients would have 
to opt in for each subsequent payer to request their data from a 
previous/concurrent payer. The purpose of the attestation is not to 
match the data to the patient, but to affirm that the patient has 
enrolled with the requesting payer and has opted into the data exchange 
in a manner that meets the necessary legal requirements. We highly 
recommend using the IGs discussed in further detail in section II.G. of 
this final rule to support the Payer-to-Payer API. The latest published 
version of the PDex IG (STU 2.0.0) includes a means for a payer to 
communicate that the member has opted in--through a FHIR Consent 
resource--when requesting data from another payer. An attestation or 
verification that the requesting payer provided educational information 
to the patient is not required to be sent with the request.
    Comment: A commenter recommended that CMS more clearly explain the 
Payer-to-Payer API process to ensure that prospective or potential 
payers are not requesting a patient's data. Another commenter suggested 
that an attestation from another payer is not sufficient proof to 
demonstrate a patient's decision to opt in and suggested that some 
assignment of legal liability be considered for the requesting payer, 
as it might assuage these concerns.
    Response: A prospective or potential payer should not request a 
patient's data under this rule. Under this rule, a payer must attest 
that the patient is enrolled with that payer as part of its request for 
the patient's data from a previous/concurrent payer. We emphasize that 
the impacted payers must implement an authentication process (discussed 
previously) that verifies the requesting payer's identity as a 
legitimate health care coverage entity. If an entity includes a 
fraudulent attestation that the patient is enrolled with the payer and 
has opted in to payer to payer data

[[Page 8843]]

exchange in its request for patient data, that entity could be subject 
to criminal or civil penalties.
v. Timeframe for Responding to a Request
    We proposed that impacted payers that are previous/concurrent 
payers would be required to respond to a current payer's request, if 
specified conditions are met, within 1 business day of receiving the 
request. We explained that 1 business day would be the appropriate 
timeframe to complete this process to send the data, as new payers need 
timely access to previous/concurrent payer data to facilitate care 
coordination and make the information available to providers within 
their new network. We noted that this timeframe also would align with 
the 1 business day response time for the Patient Access and Provider 
Access APIs.
    We sought comment on whether the proposed timeframes for the 
previous/concurrent payer to send these data, are appropriate or 
whether other timeframes would better balance the benefits and burdens. 
We sought comment on whether payers need more than 1 business day to 
respond to a request and sought comments on what might be a more 
appropriate timeframe if commenters thought a different timeframe was 
warranted. We explained that it is important for patient data to move 
to the new payer as soon as possible to send their patient record and 
to ensure care continuity.
    Comment: Multiple commenters expressed support for the 1 business 
day response time for the Payer-to-Payer API. A commenter recommended a 
modification that data should be available within 1 calendar day. 
Another commenter stated that the purpose of standardized API data 
exchange is to have real-time data availability. A commenter requested 
that CMS provide at least 24 hours for data from the Prior 
Authorization API to be available via the Payer-to-Payer API. Some 
commenters expressed general concern with our proposed response 
timeframe and suggested that payers may become overwhelmed, especially 
during open enrollment periods. A commenter expressed concern that the 
proposed timeframe does not consider the degree of manual effort 
required to ensure compliance with applicable state laws and 
regulations regarding health privacy and confidentiality. Multiple 
commenters recommended that CMS require a response time of 2 business 
days for the Payer-to-Payer API and another suggested 3 business days.
    Response: After reviewing the comments, we believe that keeping the 
response timeframe at 1 business day is appropriate. This expedient 
data exchange will support care continuity and still allow time for the 
processes for payers to appropriately send patient data. We note that 
this timeframe also aligns with the finalized 1 business day response 
time for the Patient Access and Provider Access APIs. We acknowledge 
that some periods may have increased data exchange requests, such as 
during open enrollment period, and note that the purpose of the 
required Bulk Data Access IG is to efficiently exchange large volumes 
of data for multiple individuals and can be utilized for both 
requesting and sending data.
    The data content we are finalizing that must be included in the 
payer to payer data exchange is generally the same as the current 
requirements for the Patient Access API, notwithstanding the addition 
of prior authorization information. Claims and encounter data and all 
data classes and data elements included in a content standard at 45 CFR 
170.213 (USCDI) are structured data, which will help payers identify 
particular items that are subject to additional privacy requirements. 
We are also finalizing 2027 compliance dates, in part, to give payers 
additional time to develop internal processes and train staff. That 
includes processes make the necessary determinations as to which data 
are permitted to be shared via the Payer-to-Payer API. For instance, 
payers may use this time to develop processes that flag certain data 
elements with metadata--as the payer receives them--if they require 
special permissions or are prohibited to disclose under other law. We 
highly encourage payers to engage in this process as they receive data 
to ease any manual review and decision-making that might be necessary 
when a payer requests patient data.
    Comment: A commenter recommended that CMS address the need for a 
legal governance framework for the payer to payer data exchange because 
the technical standards proposed would not enable the requesting payer 
to substantiate the patient's authorization. The commenter stated the 
need to provide legal assurances that the payer requesting a patient's 
records has obtained appropriate authorization to request the records 
and without a standardized governance framework, payers would struggle 
to fulfill the requirement to respond within 1 business day of 
receiving a request.
    Response: We understand the importance of legal assurance between 
payers to ensure the patient has provided appropriate authorization 
before sharing data across payers. The recommended PDex IG STU 2.0.0, 
which has since been published since the publication of the CMS 
Interoperability and Prior Authorization proposed rule, includes both 
the technical and business processes to capture and share a patient's 
permission as part of the payer to payer data request. We believe 1 
business day is sufficient to fulfill the request for data exchange 
because the IG is a means for payers to electronically send a record of 
the patient's permission to receive data from the other payer. We are 
also working closely with ONC as to how TEFCA could support scalable 
governance for payer to payer data exchange. We reiterate that we are 
requiring that the new payer provide an attestation with the request 
for data affirming that the patient has enrolled with that requesting 
payer and has opted into the data exchange.
vi. Payers Not Subject to This Regulation
    If a previous/concurrent payer is not an impacted payer, they are 
not subject to our final requirements and, therefore, are not required 
to send or request data through the Payer-to-Payer API. For example, an 
employer-based commercial plan would not be subject to this rulemaking. 
If the previous/concurrent payer is not an impacted payer, they are not 
subject to our requirements to respond to the request. A new or 
concurrent impacted payer is not obligated to determine whether the 
previous/concurrent payer is an impacted payer under this final rule or 
to limit its requests for a patient's data (or its responses to 
requests for a patient's data) to only impacted payers. Therefore, we 
proposed that an impacted new payer would be required to request the 
data from the patient's previous/concurrent payer, regardless of 
whether the other payer is an impacted payer. Conversely, we proposed 
that if an impacted payer receives a request for patient data that 
meets the requirements of this rule, they would be required to respond 
by making available the required data through their Payer-to-Payer API, 
regardless of whether the requesting payer is an impacted payer (which 
the payer may or may not know).
    If a payer not subject to this regulation does not have the 
capability or refuses to exchange the required data with an impacted 
payer or is willing to exchange the data but is unable or unwilling to 
do so through a FHIR API, the impacted payer will not be required to 
exchange data with that payer. Payers that have not implemented the 
Payer-to-Payer API would not have accessible digital endpoints to make 
the required request.

[[Page 8844]]

We emphasized in the proposed rule that impacted payers would not need 
to spend resources determining whether other payers are subject to this 
rulemaking, but would be required to request patient data, if possible, 
and respond to all requests that are made within the requirements. 
However, we encourage all payers to implement a Payer-to-Payer API to 
support data exchange with other payers, even if they are not subject 
to our final requirements to support care coordination and more 
efficient operations.
    Comment: Multiple commenters flagged concerns regarding 
interoperability with payers not subject to this regulation. A 
commenter stated that it is unclear what value would be derived from 
the investment if there is no response or reciprocation from payers not 
subject to this regulation. Another commenter noted that payers need to 
build a connectivity system with other payers, including payers not 
subject to this regulation.
    Response: We disagree that the burden of connecting with a payer 
not subject to this regulation that has implemented a Payer-to-Payer 
API in conformance with our requirements is any different than 
connecting with an impacted payer. Regardless of whether they are 
covered by an impacted payer, there is value in maintaining a patient's 
data and exchanging those data when a patient transitions to a new 
payer or between concurrent payers. Furthermore, requiring impacted 
payers to exchange data only with other impacted payers would require 
impacted payers to expend effort to determine whether the other payer 
is an impacted payer. That effort can be eliminated by simply treating 
any payer as a possible exchange partner. Furthermore, not requiring 
impacted payers to exchange data with payers not subject to this 
regulation would mean that there would be no incentive for those payers 
to adopt the requirements of payer to payer data exchange. In addition, 
impacted payers are not required to exchange data outside of the 
process finalized in this final rule, including using a standards-based 
API. If a payer not subject to this regulation requests data in a 
format that is not compatible with the Payer-to-Payer API and specific 
data formatting, content and vocabulary standards established in 
regulation, impacted payers will not be required to send data via a 
different method, unless other law requires them to do so.
    We understand that impacted payers may have additional difficulty 
ascertaining that another payer is not subject to this regulation (or 
not compliant), as that payer would not have digital endpoints to 
discover. Payers are required to take reasonable steps to determine 
whether they can exchange data with the other payer. We encourage 
payers to contact the previous payer directly to determine whether they 
support the Payer-to-Payer API. Other solutions could also be explored 
to help payers determine whether the previous payer supports the Payer-
to-Payer API, such as using TEFCA. In section I.D. of this final rule 
we discuss an NDH that could serve as a centralized place for payers to 
find other payers' digital endpoints and identify payers that support 
the Payer-to-Payer API. Once a payer knows that another payer is not 
capable of payer to payer data exchange, they would not be required to 
inquire every time they receive a new patient who identifies that 
previous payer. However, it would be prudent to occasionally (such as 
annually) check whether the other payer has implemented a Payer-to-
Payer API and is now capable of data exchange.
e. Ongoing Data Exchange Requirements for Concurrent Coverage
i. Concurrent Coverage Data Exchange
    For individuals who have concurrent coverage with multiple payers, 
we proposed to require impacted payers to collect identifying 
information about any concurrent payer(s) from patients before the 
start of coverage with the impacted payer (consistent with how ``start 
of coverage'' is explained previously). Because we believed it would be 
beneficial for all of a patient's current payers to maintain a complete 
record of the care that the patient has received, we proposed to 
require impacted payers to request the same patient data described in 
section II.C.3.b. of this final rule from all of a patient's concurrent 
payers, and to send those data in response to a request that meets all 
the requirements of this final rule. We stated that this would ensure 
that the patient's concurrent impacted payers maintain a complete 
patient record and can provide all the information proposed to be 
required under the Patient Access and Provider Access APIs.
    Specifically, we proposed to require impacted payers, no later than 
1 week after the start of a patient's coverage,\85\ to request data 
from any concurrent payers that the patient reports. Because all payers 
will update patient records while a patient is enrolled with those 
payers, we proposed that when a patient has concurrent coverage with 
two or more payers, the impacted payers would be required to exchange 
with every other concurrent payer, at least quarterly. We proposed that 
should an impacted payer receive a request for a current patient's data 
from a concurrent payer for that patient, the receiving payer would 
have to respond with the appropriate data within 1 business day of 
receiving the request. Operationally, this proposed exchange would 
function the same as the data exchange with a patient's previous payer.
---------------------------------------------------------------------------

    \85\ For QHP issuers on the FFEs, no later than 1 week after the 
effectuation of enrollment.
---------------------------------------------------------------------------

    We also proposed that any impacted payer that receives patient data 
from another payer under these regulations must incorporate those data 
into the recipient payer's records about the patient. The required data 
content we proposed are the same claims and encounter data (excluding 
provider remittances and cost-sharing information), all data classes 
and data elements included in a content standard at 45 CFR 170.213 
(USCDI), and certain information about prior authorizations that the 
payer maintains with a date of service on or after January 1, 2016. We 
stated that that proposal would require impacted payers to both request 
patients' data from other concurrent payers and to respond to requests 
from other payers to share patients' data.
    Comment: A commenter recommended that we only require concurrent 
payers making quarterly data transmissions to send data that have been 
updated since the last data exchange. The commenter stated that this 
would reduce burden by allowing them to exchange a smaller set of data 
that can more easily be integrated into their patient records.
    Response: We agree that this is a reasonable solution to reduce 
burden. We are finalizing a modification to our proposal to allow 
concurrent payers to agree to exclude from ongoing quarterly data 
exchange any data that were previously transferred to or originally 
received from the other concurrent payer. We leave it to payers to 
determine the best process to effectuate this option, as it is intended 
to reduce payer burden. If exchanging only new data would increase 
burden on payers versus exchanging all patient data, they are not 
required to do so. Ultimately, the exchange should result in both 
concurrent payers having a complete set of patient data to support 
patient care and care coordination.
    Comment: A commenter suggested that CMS require payers to clearly 
document, in the payer systems, which payer is primary, and which is 
secondary to ensure providers receive accurate and timely coordination 
of benefit information.

[[Page 8845]]

    Response: Coordination of benefits is an established process 
(though the exact process may vary by payer and jurisdiction) that we 
specifically did not propose to affect. As discussed previously, if 
payers find it beneficial to use the Payer-to-Payer API for purposes 
other than the data exchange finalized in this rule, such as 
coordinating coverage, they are welcome to do so. To the extent that 
such coordination information would benefit patients or providers by 
being available via the Patient Access and Provider Access APIs, we 
encourage payers to do so.
    Comment: Several commenters expressed opinions on the appropriate 
timeframe for payers to request data from another concurrent payer and 
for payers to respond to such a request. Multiple commenters stated 
their general support for timely information exchange between 
concurrent payers to help minimize unnecessary administrative paperwork 
and other inefficiencies. Several commenters supported our proposed 
timeframes. Other commenters suggested that payers have up to 30 days 
to request patient information. A commenter stated that the data should 
be available within 1 calendar day instead of 1 business day. A 
commenter recommended CMS allow at least 3-5 business days for a 
response.
    Response: There should be no procedural or technical difference 
between requesting data from a previous payer or a concurrent payer, 
other than the requirement that concurrent payers engage in ongoing 
quarterly exchange. Similarly, responding to such a request should be 
the same process, using the same FHIR standards. Therefore, we believe 
it is prudent to establish the same timeframes for the initial requests 
to and all responses from concurrent payers as for previous payers. 
Therefore, we are finalizing that for concurrent payers, the initial 
request for data must be made no later than 1 week after the payer has 
sufficient identifying information about concurrent payers and the 
patient has opted in and quarterly thereafter. We are finalizing our 
proposal that impacted payers must respond within 1 business day to a 
request for patient data from a concurrent payer that meets all the 
requirements of this final rule.
ii. Concurrent Payer Exchange Timeframe
    We also considered whether to propose more frequent exchanges 
(weekly or monthly), or less frequent exchanges (semi-annually or 
annually) for the required data exchanges between concurrent payers; 
however, we explained in the proposed rule that we believed a quarterly 
data exchange would strike the right balance between providing 
accurate, timely data and payer burden. We believed that sharing data 
quarterly would be frequent enough to allow new health data to 
accumulate and still be timely, but not so frequent that it causes 
unnecessary burden on the payers. We requested comment on this 
proposal, including on the appropriate frequency for this payer to 
payer exchange for patients with concurrent coverage.
    Comment: A significant majority of commenters supported our 
proposal to require quarterly data exchange between concurrent payers 
because it would facilitate care coordination. Some commenters 
suggested that a more frequent data exchange could benefit patients. 
Some commenters noted that even quarterly data exchange may miss key 
clinical events that would be useful for care coordination and 
recommended that the data exchange should take place monthly. On the 
other hand, a few commenters stated that impacted payers should only 
request additional data from concurrent payers when initiated by a 
member.
    Response: We agree with the majority of commenters that a quarterly 
cadence appropriately balances the benefits and burdens on payers. 
Payers may make arrangements with each other to exchange information 
more frequently, if they believe it would benefit their mutual 
patients. The burden of initiating the exchange should not fall on the 
patient, especially at times when they are dealing with specific health 
issues that would most benefit from care coordination. As some 
commenters recommended more frequent data exchange, we will consider 
whether to propose amendments to this policy in future rulemaking after 
the industry has experience meeting the requirements of this final 
rule.
    We note that when a patient has concurrent coverage, the payers 
must communicate regularly to ensure that the proper payer is 
responsible for that patient's claims. Nothing in this final rule, 
including a patient not opting into the Payer-to-Payer API data 
exchange, is intended to alter payers' ability to exchange data as they 
do today for that purpose, in accordance with applicable law.
f. Data Incorporation and Maintenance
i. Data Incorporation
    We proposed that data received by an impacted payer through this 
data exchange must be incorporated into the patient's record with the 
new payer. We stated that those data could then be part of the 
patient's record maintained by the new payer and should be included as 
appropriate in the data available through the Patient Access, Provider 
Access, and Payer-to-Payer APIs. In this way, a patient's data could 
follow them between payers and be available to them and their 
providers. We stated that this proposal would not obligate payers to 
review, utilize, update, validate, or correct data received from 
another payer, but we encouraged impacted payers to do so, at least to 
the extent it might benefit the patient's ongoing care. We explained 
that payers could choose to indicate which data were received from a 
previous payer so a payer, provider, or the patient looking at the 
record, would know where to direct questions (such as how to address 
contradictory or inaccurate information), but would not be required to 
do. Regardless, all data received, maintained, used, or shared via the 
proposed Payer-to-Payer API would be required to be received, 
maintained, used, or shared in a way that is consistent with all 
applicable laws and regulations.
    Comment: Multiple commenters supported our proposal to require 
payers to incorporate data they receive from other payers via the 
Payer-to-Payer API into their own patient records in order to ensure 
that a patient's record is not lost. Other commenters stated that they 
do not believe that payers are the appropriate holders of a patient's 
full medical record and that providers or patients themselves should be 
the maintainers of those data.
    Response: We agree that in some cases a payer is not the best 
entity to hold a patient's longitudinal record and that there is other 
technology available for patients to download their data, for example, 
using the Patient Access API, and to store it independently of their 
payer. As discussed previously, we are finalizing a policy that limits 
the payer to payer data exchange to data with a date of service within 
5 years of the request. After considering public comments, we 
determined that a 5-year period balances the benefits of new payers 
having access to recent patient data and the patient not losing recent 
information against the burden of integrating and maintaining 
historical data that may or may not be useful to care.
    For patients who want to maintain their own information in a PHR, 
they have that option through the Patient Access API. While in some 
cases, a patient may have a provider that can and will aggregate their 
records from each other provider that the patient

[[Page 8846]]

sees, we do not believe this is a common scenario, as it would require 
a significant amount of work by the provider. As discussed, because 
payers receive claims or encounter data from each provider that sees a 
patient, they typically possess the most complete historical patient 
record. Requiring a payer to send a patient's data to their new payer 
will ensure that recent information that could be important for care 
continuity is not lost.
    Comment: A commenter cautioned that CMS should not assume that the 
information received from a previous payer is whole and/or correct. The 
commenter noted that the difference in health plans' level of diligence 
could cause some discrepancies in patient coverage. Another commenter 
suggested that payers would be incentivized to send incorrect 
information to another payer rather than correcting the patient's 
record.
    Response: We acknowledge that any set of patient data may have 
errors or omissions. However, we do not believe that the appropriate 
response to this issue is to discard data when a patient moves between 
payers. As stated, we do not wish to burden payers to proactively 
verify patient records when they receive them from another payer. 
However, under the HIPAA Privacy Rule, at 45 CFR 164.526, individuals 
generally have the right to have a covered entity amend PHI or a record 
about the individual in a designated record set for as long as the PHI 
is maintained in the designated record set, with certain exceptions. 
That right exists regardless of whether the covered entity created the 
PHI itself or received it from elsewhere. That requirement is 
consistent with our policy, as it does not require proactive 
verification, but must be addressed upon request by an individual.
    We also do not believe that there is any risk of payers 
intentionally proliferating inaccurate information. There is no reason 
for a payer to maintain inaccurate records with the ultimate goal of 
passing that information to another payer when the patient leaves their 
coverage. Finally, payers are only responsible for maintaining their 
own records, including that which has been received from another payer. 
If there is an error to be corrected in data received from a previous 
payer, neither the patient nor their payer will need to contact the 
previous payer to correct it and have the patient's record resent. A 
patient's current payer is required, by the HIPAA right to amend and 
correct data in its records, even if that incorrect information was 
initially received from a previous payer.
    Comment: A few commenters recommended that all the APIs should 
support optional provenance resources that could be added by either the 
sender or the receiver to indicate the source of data. A commenter 
recommended that instead of CMS recommending payers to note where the 
data originated, CMS instead propose that specific provenance resources 
be required to indicate which data came from a previous payer, which 
could also be included in subsequent data exchanges.
    Response: When incorporating the data from an old or concurrent 
payer, payers are free to indicate the provenance of that information, 
which would then be included in the data available through the Patient 
Access or Provider Access APIs. As discussed in section II.G., we are 
recommending, but not requiring, the PDex IG for the Payer-to-Payer 
API. The PDex IG requires provenance information be included in 
outbound FHIR transactions and that a payer receiving such a 
transaction must incorporate any included provenance information. There 
is also a ``SHOULD'' recommendation within the IG that payers create 
provenance records when the provenance is not included in a data set 
(for example, when it was received through non-FHIR mechanisms). We 
highly recommend that payers use the IG for several reasons, including 
that it would help address this issue and help payers, providers, and 
patients understand the source of data. We will consider whether to 
propose to require provenance information through future rulemaking.
    Comment: Multiple commenters highlighted that our Payer-to-Payer 
API policy would require extensive data translation and de-duplication. 
They suggested that CMS encourage payers to work with HIEs to determine 
the best solutions to avoid data duplications and associated errors. A 
commenter expressed concern regarding the potential for duplicate data 
to be transmitted throughout the health care system.
    Response: We appreciate commenters' suggestions that there are 
existing marketplace solutions to address some of the concerns about 
data duplication. We understand the concern over duplicative 
information. There are IT solutions, such as EHR vendors and HIEs, 
available that can make the data actionable and help payers avoid 
receiving duplicative information via the Payer-to-Payer API. To the 
extent it would benefit payers, we encourage them to work with HIEs and 
HINs to facilitate payer to payer data exchange. We note that nothing 
in our policies prohibits a payer from using an intermediary to aid 
with various functions, such as patient matching, data exchange, or 
data hygiene.
    Comment: A commenter stated that they believe data acquired via 
Payer-to-Payer APIs should be dated with the original date of service 
to prevent duplication in future Patient Access or Provider Access API 
requests, if a patient or provider already had that information from 
the previous payer.
    Response: We agree that it is important to maintain the fidelity of 
data received via the Payer-to-Payer API. While creating additional 
metadata is recommended to be able to track where the data came from 
and when it was acquired, payers should not be changing the underlying 
data itself. For example, the ``date of service'' or ``date claim 
processed'' should not be updated to the date that the new payer 
receives the record of the claim from a previous payer.
    Comment: A commenter stated claims are not typically considered 
``patient records'' and suggested CMS define the ``patient record'' 
into which information from a previous/concurrent payer must be 
incorporated.
    Response: We do not need to define ``patient record'' as we are 
defining the set of data that must be shared between payers, that is, 
claims and encounter data (excluding provider remittances and patient 
cost-sharing information), all data classes and data elements included 
in a content standard at 45 CFR 170.213 (USCDI), and certain 
information about prior authorizations maintained by the payer with a 
date of service within 5 years of the request by a patient's new or 
concurrent payer. Furthermore, we have defined maintain in the 
Interoperability and Patient Access final rule ``to mean the payer has 
access to the data, control over the data, and authority to make the 
data available through the API'' (85 FR 255380). Payers must 
incorporate patient data into the appropriate place where they maintain 
that type of information that they generate while covering a patient. 
We understand that payers will store that information in a variety of 
ways, depending on their own data infrastructure.
    Comment: A commenter requested clarification as to how payers 
should integrate data into a patient's records if the data from their 
previous payer includes information from other individuals who were on 
the same coverage plan (for example, a family health plan).
    Response: Each of our policies in this final rule are tailored 
toward individual patients, not any family members that may be covered 
through the same

[[Page 8847]]

benefits. In some cases, applicable law may allow one individual (such 
as a parent or guardian) to act as a personal representative for 
another individual covered under the same benefits (such as a minor) 
and could therefore opt into the Payer-to-Payer API data exchange for 
that individual. Regardless, the opt in is patient-specific and a payer 
must make the data request based on the individual permission and the 
previous/concurrent payer should respond in kind with the individual 
patient's record. No data should be shared about any patient that has 
not opted in, regardless of whether another patient covered under the 
same benefits has opted in.
    Comment: A commenter cautioned that when a new payer takes on 
another payer's information, this may cause a significant amount of 
risk for patients as they may get billed for services that are not 
approved under their new payer.
    Response: We are not requiring impacted payers to honor another 
payer's prior authorization decision, nor do our final rules require 
reprocessing claims submitted to previous payers. If payers believe 
that sending these data will be confusing for patients, they should 
include information in their educational resources that makes clear 
what the data exchange is and is not used for.
ii. Data Retention
    In the proposed rule, we noted that our proposals would not impact 
any payer's data retention requirements. Specifically, we did not 
propose to require impacted payers to maintain data for unenrolled 
patients any longer or differently than they do today under current 
law, regulation, or policy. We understand that if a patient is 
uninsured or moves to a payer not subject to this regulation that does 
not request information from the previous payer, after a period of 
time, the previous payer may discard information, which would make it 
unavailable to the patient or other payers in the future.
    We acknowledged that imposing requirements that would require 
payers to alter their data retention policies based on the actions of 
other payers would be a significant burden that would outweigh the 
benefits of such a policy. We considered proposing a minimum period 
during which a payer must maintain patient records after disenrollment, 
such as 1 or 2 years. However, we stated that most payers have policies 
in place that would maintain patient data for at least that long, and 
thus, such a requirement would be unnecessary and duplicative. We 
requested comment on whether our understanding is correct and whether 
there is a benefit to considering a data retention requirement in the 
future.
    Comment: Multiple commenters supported our decision not to propose 
or establish a data retention requirement for patient records that 
would be different or longer than that required by current laws, 
regulations, and policies. Other commenters recommended that CMS set a 
minimum data retention timeframe. A commenter suggested that a payer 
should have to retain data until they are requested by a subsequent 
payer or after a minimum period of years, whichever occurs first. Other 
commenters recommended data be maintained for 5 or 10 years after a 
patient is unenrolled. Some commenters requested further guidance 
regarding the time for which impacted payers should maintain the data 
received from previous/concurrent payers.
    Response: We do not believe that additional data retention 
requirements are necessary at this time, as we do not wish to change or 
create conflict with existing rules. For example, under 42 CFR 
422.504(d), 438.3(u), and 457.1201(q), MA organizations, Medicaid 
managed care plans, and CHIP managed care entities, respectively, must 
retain records for at least 10 years. Similarly, most states require 5-
10 years of data retention. Nothing in this final rule would extend 
existing data retention requirements or create an obligation for 
perpetual maintenance. We emphasize that once a payer receives patient 
data from another payer, it becomes part of the patient's record and 
should be treated the same as data in the patient record created by the 
current payer. There should be no difference for data retention or data 
availability, as well as the same obligation to update or correct the 
data. The only difference is that payers may attach provenance 
information designating where the data originated.
    Comment: A commenter noted that a patient's previous payer should 
not be required to respond to requests from the patient's current payer 
more than 90 days after the patient has disenrolled from the previous 
payer.
    Response: We disagree with setting a 90-day limit on the initiation 
of a payer to payer data exchange by a patient's new payer. Patients 
should have access to their data for a significantly longer period than 
that. Some patients may not learn about payer to payer exchange for 
more than 90 days after the start of coverage. Others may move to 
payers that are not subject to this rule and do not have a Payer-to-
Payer API or become uninsured for a period before moving back to an 
impacted payer. However, we do expect that a significant majority of 
the payer to payer data exchanges will be near the beginning of a 
patients' new coverage, particularly if the required patient 
educational resources clearly present the option at or shortly after 
enrollment. Impacted payers are required to exchange the data they 
maintain on a patient, with a date of service within 5 years of the 
request. We note that we discuss the timeframe for data retention in 
this section, for which we are not changing any regulation or 
requirement. We may consider, in future rulemaking, establishing a time 
period for the data to be available via Payer-to-Payer API, but such a 
timeframe would likely be a matter of years, not days or months.
g. Patient Education Resources
    Consistent with our proposals for the Provider Access API, we 
proposed that impacted payers (excluding including Medicaid managed 
care plans and CHIP managed care entities) would be required to provide 
patients with educational resources in non-technical, simple, and easy-
to-understand language, explaining at a minimum: the benefits of the 
Payer-to-Payer API data exchange, patients' ability to opt in or 
withdraw their permission, and instructions for doing so. We proposed 
that state Medicaid and CHIP programs would provide this information to 
beneficiaries to be consistent with our proposal that states would be 
responsible for collecting beneficiaries' permission for payer to payer 
exchange. We proposed that those impacted payers would be required to 
provide these educational resources to patients at or before requesting 
permission for the Payer-to-Payer API data exchange. As discussed 
previously, currently enrolled patients must be given the opportunity 
to opt into the payer to payer data exchange and to provide previous/
concurrent payer information before the API compliance dates. We 
proposed that impacted payers would be required to provide these 
educational resources to those currently enrolled patients at or before 
requesting their opt in as well. In addition, we proposed that similar 
resources would have to be provided annually to all covered patients in 
mechanisms that the payer regularly uses to communicate with patients. 
Impacted payers would also be required to post these resources in an 
easily accessible location on the payer's public website. We requested 
comment on whether it would reduce payers' burden to only be required 
to provide these resources annually to any patients who have not opted 
in and those with known concurrent payers.

[[Page 8848]]

    Because we are finalizing a modification to our proposal and 
establishing Payer-to-Payer API compliance dates in 2027 this 
requirement to provide educational resources is also being moved from 
the proposed 2026.
    Comment: Multiple commenters expressed support for CMS's proposed 
requirements related to resources to educate patients about the 
benefits of data exchange between payers, the patient's right to opt in 
and to withdraw their permission, and instructions for doing so. 
Multiple commenters supported CMS's proposals to require that patient 
educational resources be in non-technical, simple, and easy to 
understand language. A commenter noted health literacy is the single 
largest barrier to health care access for those with coverage. A 
commenter recommended that CMS amend the patient resources requirements 
to require impacted payers to write resources at the fourth to sixth 
grade reading level.
    Response: We are slightly modifying the final regulation text to 
require that this information be provided in ``plain language'' instead 
of using the longer, more cumbersome phrase ``non-technical, simple, 
and easy-to-understand language.'' This modification does not change 
the meaning of the requirement that the educational information be non-
technical and easy-to-use, but is intended to be more straightforward 
and to encourage impacted payers to follow the Federal Government's 
plain language guidelines. Those guidelines were informed by the Plain 
Writing Act of 2010, which requires Federal agencies use clear 
government communication that the public can understand and use. That 
statute applies only to Federal Government agencies, but we believe 
that the plain writing guidance developed for the Federal Government 
will be useful for impacted payers when developing educational 
resources for patients. We also encourage payers to review and utilize 
the health literacy resources that the AHRQ makes available on their 
website.\86\
---------------------------------------------------------------------------

    \86\ Agency for Healthcare Research and Quality (2023, May). 
Patient Education and Engagement. Retrieved from https://www.ahrq.gov/health-literacy/patient-education/index.html.
---------------------------------------------------------------------------

    We do not believe that it is prudent to establish a specific 
``grade level'' requirement. A grade level score is based on the 
average length of the words and sentences. Readability formulae vary 
and the grade level scores for the same text can differ depending on 
how it is used. Furthermore, edits that are done to make text score at 
a lower grade level can produce choppy text that lacks cohesion.
    However, we do note that 45 CFR part 92 requires impacted payers 
(such as health programs or activities under that section) to provide 
meaningful access to individuals with limited English proficiency and 
accessibility requirements for individuals with disabilities. The 
requirements of that part apply to impacted payers, as described at 45 
CFR 92.3.
    Comment: Multiple commenters recommended that CMS develop 
resources, such as standardized language, tools, and delivery models, 
that payers could customize to ensure a consistent message to patients 
on what will be a confusing and complicated topic. A commenter noted 
that if CMS led the development, then the educational resources and 
programs for the Payer-to-Payer API could be standardized across 
carriers, FFS program administrators, and enrollment administrators to 
support consistent messaging and improve engagement with the API.
    Response: In an effort to assist payers in meeting these 
requirements, we intend to provide templates or outlines for 
educational resources after this final rule is published and in time 
for payers to review and use prior to the compliance dates. However, we 
do not expect those resources to be fully sufficient to meet the 
requirements of this rule without additional content and customization 
by payers to include their specific processes for patients to opt in or 
withdraw their permission. To the extent possible, we encourage payers 
to collaborate on standardized resources to ensure consistent messaging 
to patients, regardless of the payer with whom they are enrolled. 
However, we also expect each payer to have to customize their resources 
with their own information and opt in process.
    Comment: A commenter suggested that it would benefit both patients 
and providers for us to allow third parties, such as an HIE or HIN, to 
provide educational resources to patients on the payer's behalf. The 
commenter stated that if multiple payers use the same third-party 
resources, it could simplify the solution across the industry.
    Response: Nothing in this rule will prevent a payer from working 
with a third party to develop the educational resources discussed here 
or from using subcontractors or downstream entities to the extent that 
program-specific laws permit that. As discussed in this section, payers 
may use an HIE or HIN to facilitate the Payer-to-Payer API exchange. 
However, we encourage payers to make it clear that any resources 
disseminated to patients under this requirement are from the payer. 
Patients are unlikely to devote attention to resources they receive 
from entities with which they are not familiar. While we expect that 
patients would recognize the name, logo, and other markings of official 
correspondence from their payer, they are unlikely to recognize their 
payer's partners. Therefore, while a third party may develop (and send 
on the payer's behalf) the required educational resources, we strongly 
recommend that these resources be clearly branded as communications 
from the patient's payer.
    Comment: Multiple commenters highlighted the need to educate 
patients specifically on the opt in framework. Specifically, these 
commenters encouraged CMS to ensure that those educational resources 
are easy for patients to find. Some commenters recommended including 
that information in the patient's enrollment resources, while others 
disagreed and believe that that information may be easily missed within 
the larger quantity of information. A commenter recommended that in 
addition to payers, Federal agencies should play a role in patient 
education regarding data sharing. Another commenter recommended that 
CMS engage in testing patient education and opt in notifications before 
the compliance dates.
    Response: We agree that it is particularly important for patients 
to understand what they are opting in to. The educational information 
should highlight the benefits of API-based data exchange and explain 
patients' permission rights. Additionally, we emphasize that that 
information should be communicated in a way that is conspicuous and 
makes clear to patients that this policy provides them rights as 
consumers. However, each payer has different processes and modalities 
for communicating with patients and we do not want to be prescriptive 
in a way that may add unintended and unnecessary burden to payers.
    As stated previously, we are committed to providing outlines or 
templates for these educational resources. In developing those 
resources, we will prioritize using plain language for patients. In 
addition, we have stated that Medicare FFS intends to conform to the 
requirements of this rule, which includes patient educational 
resources. Beyond that, we will consider what role CMS may play in 
patient education. However, we know that

[[Page 8849]]

patients have a relationship with their payers and expect to receive 
various communications from their payer relating to their coverage. 
Therefore, patients are more likely to consider educational resources 
that come directly from their payer. Further, these educational 
resources will need to include instructions for how patients can opt 
into Payer-to-Payer API data exchange and withdraw their permission; 
such instructions will need to be tailored to the specific procedures 
for each payer. While additional education from Federal agencies may 
supplement information from payers, it is not a substitute.
    Comment: Multiple commenters recommended that CMS limit the 
dissemination of annual Payer-to-Payer API educational resources to 
only those patients who have not opted in and those with known 
concurrent payers. A commenter recommended that making patient 
educational resources available on a payer's website should be 
sufficient and CMS should not require payers to send that information 
on an annual basis.
    Response: While we understand that there may be additional burden 
to send all patients educational resources annually, we believe that 
such a requirement is necessary. As discussed previously, in section 
II.C.3.c.iv. of this final rule, patients must have the opportunity to 
withdraw their permission for payer to payer exchange at any time. 
While we generally expect exchange between a previous and new payer to 
be a one-time transaction, we do allow for the possibility of 
additional data exchanges, as discussed in section II.C.3.d.ii. of this 
final rule. Therefore, the opportunity to withdraw permission needs to 
be offered to all patients at any time. In order to be aware of this 
right, patients need to be informed of it. Payers are already required 
to send information to patients annually and including information 
about payer to payer data exchange should not be a significant burden 
to include with those resources. We do not believe that it would serve 
patients to have resources and information about the Payer-to-Payer API 
data exchanges and the patients' rights to opt into and out of those 
data exchanges available only on a payer's website. That would require 
patients to affirmatively seek out that information on their own, or to 
stumble across it by chance.
    Comment: Multiple commenters encouraged CMS to use community 
outreach and education campaigns to encourage patients to opt into 
sharing their data via the Payer-to-Payer API.
    Response: We will look into opportunities to educate patients on 
opting into data sharing. As mentioned previously, we are committed to 
providing outlines or templates for these educational resources. In 
developing those resources, we will prioritize patient comprehension. 
Beyond that, we will consider what role CMS may play in patient 
education.
4. Payer to Payer Data Exchange in Medicaid and CHIP
a. Inclusion of Medicaid and CHIP Fee-for-Service
    As discussed in the CMS Interoperability and Prior Authorization 
proposed rule (87 FR 76267), we did not require state Medicaid and CHIP 
FFS programs to comply with the payer to payer data exchange policies 
in the CMS Interoperability and Patient Access final rule (85 FR 
25568).
    We proposed to make the payer to payer data exchange policies in 
this rule applicable to state Medicaid and CHIP FFS programs. We stated 
that requiring state Medicaid and CHIP FFS programs to implement the 
Payer-to-Payer API data exchange in this rule would not be as 
burdensome as the non-API-based payer to payer data exchange that was 
finalized in the CMS Interoperability and Patient Access final rule (85 
FR 25524), which we are now rescinding. That is because this new API 
would be leveraging the same data and technical standards as the 
Patient Access API. State programs should have already implemented 
Patient Access APIs and should thus be able to leverage the work done 
for that API to make implementing this new API more manageable. 
Additionally, in the proposed rule we discussed the various benefits 
that the Payer-to-Payer API could produce for state Medicaid and CHIP 
programs, including creating efficiencies, reducing burden, and 
improving health outcomes (87 FR 76276).
    Comment: Commenters supported applying the proposed requirements to 
Medicaid and CHIP FFS and agreed that such a policy would benefit 
Medicaid and CHIP beneficiaries who are covered by FFS by improving 
care coordination and continuity of care. Other commenters stated that 
the Payer-to-Payer API would reduce burden on patients and providers 
and allow state Medicaid agencies to operate more efficiently.
    Response: We appreciate the support for including state Medicaid 
and CHIP FFS as impacted payers and are finalizing that proposal.
    Comment: A commenter questioned the expected value of the Payer-to-
Payer API to state Medicaid agencies and the return on investment for 
the time and effort to implement systems.
    Response: Data exchange from one payer to another as patients 
transition between payers is a powerful way to support care 
coordination and continuity of care during coverage transitions, 
particularly in the Medicaid program where patients often churn in and 
out of the program and between payers. Electronic data exchange between 
payers would support payer operations and a patient's coverage 
transition to a new payer efficiently and accurately.
b. Medicaid and CHIP--Seeking Permission Using an Opt In Approach in 
the Payer-to-Payer API
    We proposed that state Medicaid and CHIP agencies, like other 
impacted payers, establish a process to allow beneficiaries to opt into 
the payer to payer data exchange. We stated that an opt in framework 
means that the beneficiary or their personal representative would need 
to affirmatively permit state Medicaid and CHIP agencies to share their 
data, and without first obtaining that permission, the agency could not 
engage in the payer to payer data exchange for that beneficiary. In 
contrast, we proposed an opt out policy for the Provider Access API, in 
part, based on the existence of a treatment relationship between the 
beneficiary and provider. Specifically, our policy to only require the 
Provider Access API data exchange with enrolled Medicaid and CHIP 
providers and require a process to attribute a patient to that provider 
before data can be exchanged creates a level of assurance for the 
Medicaid or CHIP agency that it is sending patient data to an 
appropriate party. Two payers exchanging information may not have a 
direct relationship but would be exchanging data based on a patient's 
separate relationship with each payer. Therefore, in the proposed rule, 
we stated that it would make sense for the patient to have a larger 
gatekeeping role and be required to provide affirmative permission for 
the Payer-to-Payer API data exchange.
    We proposed that state Medicaid and CHIP agencies, rather than 
their managed care plans or managed care entities, would be responsible 
for obtaining the required permission. We also proposed that the 
requirement to identify patients' previous/concurrent payers would 
apply to state Medicaid and CHIP agencies rather than managed care 
plans or managed care entities. For clarity and consistency with 
existing Medicaid and CHIP rules, we also

[[Page 8850]]

proposed that a patient's permission would not be necessary to exchange 
data between a state Medicaid or CHIP agency and its contracted managed 
care plans or entities.
    We explained in the proposed rule that the opportunity for newly 
enrolling patients to opt in could take place through a single 
streamlined application, or at some later point of contact with the 
beneficiary prior to enrollment, but in no instance would our proposals 
permit a delay in the enrollment process or a beneficiary's coverage.
    We sought comments, specifically from states and contracted managed 
care plans and entities, how we could establish standards for patient 
data exchange for state Medicaid and CHIP agencies and their contracted 
managed care plans and entities without creating additional barriers or 
burden. We requested comment on the workflow and data exchanges that 
occur when a Medicaid or CHIP beneficiary is enrolled into a managed 
care plan or entity and the feasibility of sending patient permission 
during the enrollment process.
    We considered proposing that the Payer-to-Payer API requirements 
would not apply for beneficiaries moving between or with concurrent 
coverage with a state Medicaid or CHIP agency and its contracted 
Medicaid or CHIP (as applicable) managed care plan or entity for the 
reasons outlined previously. However, we are concerned that many states 
today do not exchange data between their Medicaid or CHIP FFS programs 
and managed care programs. We requested comments on whether there are 
other ways we can ensure patient data are exchanged in this case in a 
manner that would reduce burden on states.
    Comment: Multiple commenters recommended that CMS reexamine whether 
its interpretation of 42 CFR 431.306(d) and 457.1110(b) would prohibit 
Medicaid agencies from participating in HIEs. A commenter encouraged 
CMS to explain whether requirements at 42 CFR 431.306(d) and 
457.1110(b) prohibits Medicaid and CHIP programs from sharing 
beneficiary information with HIEs for the purposes of the Payer-to-
Payer API. The commenters advocated for CMS to make a change to privacy 
regulations to support an opt out model consistent with industry 
standards. Multiple commenters that agreed with the proposal 
specifically recommended that state Medicaid and CHIP agencies leverage 
current solutions by HIEs and HINs to implement the proposed opt in 
requirement.
    Response: We do not agree that 42 CFR 431.306(d) and 457.1110(b) 
prohibit Medicaid or CHIP agencies from contracting with an entity that 
offers the technology to allow for digital access and transfer of a 
patient's medical records, often referred to as an HIE. Section 
1902(a)(7) of the Social Security Act (the Act), which our regulations 
at 42 CFR part 431, subpart F, implement, requires that a state's 
Medicaid plan provide safeguards that restrict the use or disclosure of 
information concerning Medicaid applicants and beneficiaries to 
purposes directly connected with administration of the state plan. Our 
regulations at 42 CFR part 431, subpart F, set forth requirements for 
states to safeguard Medicaid applicants' and beneficiaries' information 
in accordance with section 1902(a)(7) of the Act, including 
requirements for safeguarding the information, what types of 
information must be safeguarded, and when and how to release otherwise 
safeguarded information. The same requirements also apply to separate 
CHIPs through a cross reference at 42 CFR 457.1110(b). The disclosures 
of beneficiary data to an HIE contracted to implement and maintain the 
required Payer-to-Payer API would be directly related to the 
administration of the state plan because sharing beneficiary data 
through the Payer-to-Payer API supports the provision of services for 
beneficiaries, as described at 42 CFR 431.302(c). States that share 
information about Medicaid beneficiaries or former beneficiaries with 
their concurrent and new payers support opportunities for improved care 
coordination, reduce time needed to evaluate beneficiaries' current 
care plans, their health risks, and their health conditions at the time 
they enroll with the Medicaid program, or another payer. Further, under 
section 1902(a)(4) of the Act, Medicaid agencies may contract with 
organizations to enhance the agency's capability for effective 
administration of the program.
    The regulation at 42 CFR 431.306(d) generally requires states to 
obtain permission from an individual Medicaid applicant or beneficiary, 
or their personal representative, before responding to a request for 
information from an outside source to disclose that applicant's or 
beneficiary's data safeguarded under 42 CFR 431.305. State Medicaid and 
CHIP agencies may share Medicaid and CHIP beneficiary information with 
entities with which the agency has contracted to support the 
administration of its Medicaid or CHIP state plan. Such contractors 
would not be considered ``outside sources'' because they are contracted 
to carry out functions directly related to administration of the state 
Medicaid or CHIP plan. Thus, if a Medicaid or CHIP agency contracts 
with an HIE to carry out administrative functions of the state's 
Medicaid or CHIP program, including implementing and maintaining the 
required Payer-to-Payer API, the HIE would not be considered an 
``outside source'' and the state Medicaid or CHIP agency could share 
Medicaid or CHIP beneficiary information with the HIE for purposes 
directly connected to administration of the state plan without prior 
permission from the Medicaid or CHIP beneficiary required by 42 CFR 
431.306(d) and 457.1110(b), respectively. Regardless, whether a 
Medicaid or CHIP agency contracts with an HIE to develop and maintain 
the required Payer-to-Payer API, the Medicaid or CHIP agency is 
responsible for ensuring the contracted entity implements a Payer-to-
Payer API that meets all regulatory requirements, which includes that 
an individual or their representative has provided permission (opted 
in) prior to their information being shared with other payers via the 
Payer-to-Payer API.
    In addition, to receive beneficiaries' information from the 
Medicaid or CHIP agency, Medicaid or CHIP providers, plans, or 
contractors must be subject to standards of confidentiality comparable 
to those of the state Medicaid and CHIP agency in accordance with 42 
CFR 431.306(b) and 457.1110(b) respectively. Furthermore, Medicaid 
regulation at 42 CFR 434.6(a)(8) requires that each of the state 
Medicaid agency's contracts must provide that the contractor safeguards 
information about beneficiaries as required by 42 CFR part 431, subpart 
F. Under these requirements, if a state Medicaid or CHIP agency 
contracted with an HIE or other entity, the contractor would be 
required to meet the same standards of confidentiality as the state 
Medicaid agency (as set forth in section 1902(a)(7) of the Act and our 
implementing regulations at 42 CFR part 431, subpart F), including but 
not limited to:
     Providing safeguards that restrict the use or disclosure 
of information concerning applicants and beneficiaries to purposes 
directly connected with the administration of the plan in accordance 
with section 1902(a)(7) of the Act and 42 CFR 431.300 and 431.302; and
     Not disclosing data to an outside source, such as non-
Medicaid or non-CHIP payers with whom the HIE might exchange data, 
without prior permission from the individual in accordance with 42 CFR 
431.306(d).

[[Page 8851]]

    We did not propose any changes to Medicaid or CHIP confidentiality 
regulations at 42 CFR part 431, subpart F, and 42 CFR 457.1110(b), but 
we appreciate the comment and will consider it for any future 
rulemaking.
    Comment: A commenter stated that an opt in process implemented 
within its system would not authorize another payer (particularly 
payers not subject to this regulation) to release patient information 
to the commenter or for the commenter to release a patient's data to a 
patient's subsequent payer.
    Response: All data received, maintained, used, or shared via this 
proposed Payer-to-Payer API must be received, maintained, used, or 
shared in a way that is consistent with all applicable laws and 
regulations. As discussed previously, our regulation for Medicaid at 42 
CFR 431.306 (incorporated via cross reference for CHIP at 42 CFR 
457.1110(b)) sets forth certain requirements for release of Medicaid 
and CHIP applicant and beneficiary data. Consistent with our proposal, 
we are finalizing that when another payer (including a payer not 
subject to this final rule) is requesting a former Medicaid or CHIP 
beneficiary's information from the state Medicaid or CHIP agency, an 
attestation from a requesting payer that the patient or their 
representative has opted into data exchange with the requesting payer 
(that is, given permission for the Medicaid or CHIP agency to share the 
beneficiary's data) is sufficient to meet the requirements at 42 CFR 
431.306 and 457.111(b) to allow the state Medicaid or CHIP agency to 
respond to the data request, though such permission must be received 
prior to the state Medicaid or CHIP agency sharing any beneficiary 
data. For more information about how the HIPAA Privacy Rule interacts 
with Payer-to-Payer API, see section II.C.3.c.iv.
    Comment: Multiple commenters agreed with the proposal for state 
Medicaid and CHIP agencies to collect and manage patient decisions to 
opt into the payer to payer data exchange when beneficiaries are 
enrolled in Medicaid or CHIP managed care. Multiple commenters agreed 
that collecting a beneficiary's choice to opt into the payer to payer 
data exchanges as part of existing Medicaid and CHIP eligibility and 
enrollment processes would be the most effective and technically 
feasible approach for most states operating managed care programs in 
Medicaid and CHIP and would streamline the process for beneficiaries.
    Response: For many reasons, we agree that the state Medicaid or 
CHIP program is the appropriate custodian of the patient's permission 
record, rather than the particular managed care plan or managed care 
entity through which a patient receives Medicaid or CHIP covered 
services. A Medicaid or CHIP beneficiary may switch between FFS and 
managed care delivery systems within the same state's Medicaid or CHIP 
program. Despite these shifts, an eligible beneficiary remains a 
beneficiary of the state program. States may also change the Medicaid 
or CHIP managed care plans or entities with which they contract. Thus, 
a Medicaid or CHIP beneficiary's opt into the payer to payer data 
exchange, should be obtained by the state and will apply regardless of 
the delivery system in which the beneficiary is enrolled. Furthermore, 
we understand that in many states, managed care plans may not have any 
contact with beneficiaries prior to their enrollment in the Medicaid 
managed care plan or CHIP managed care entity.
    We believe the ideal time to allow patients to opt into the payer 
to payer data exchange is during their application for Medicaid or 
CHIP. As stated previously, obtaining a patient's opt in permission and 
identifying the previous/concurrent payer(s) cannot delay an 
applicant's eligibility determination or start of coverage. If a state 
has all the information necessary to determine an individual's 
eligibility before it obtains the individual's permission for the payer 
to payer data exchange, the state must determine the individual's 
eligibility and enroll the individual in Medicaid or CHIP coverage, if 
determined eligible, while continuing to follow the Payer-to-Payer API 
requirements as expeditiously as possible post-enrollment.
    Because we expect higher rates of patients to opt in when they are 
presented with the option at a point when they are already providing 
information (such as at application or plan selection), we highly 
encourage states to leverage any touchpoints before patients are 
enrolled in Medicaid or CHIP rather than expecting patients to opt in 
through a separate process.
    We are finalizing our proposal to require the state to establish a 
process for obtaining opt into the payer to payer data exchange prior 
to the state Medicaid or CHIP agency's Payer-to-Payer API compliance 
dates, and prior to the enrollment of new beneficiaries after that 
date, and that the state Medicaid and CHIP agencies will be responsible 
for obtaining the required permission.
    To the extent that doing so is consistent with Federal Medicaid and 
CHIP requirements, including those at section 1902(a)(7) of the Act and 
implementing regulations at 42 CFR part 431, subpart F, and applied to 
separate CHIPs through a cross reference at 42 CFR 457.1110(b), 
Medicaid and CHIP agencies are welcome to contract with HIEs or HINs, 
especially those operating under TEFCA, to facilitate payer to payer 
data exchange. Some HIEs may already have the technical framework to 
manage patient consent or engage in standardized data exchange via FHIR 
APIs in ways that Medicaid or CHIP agencies' systems do not. Nothing in 
this rule would prohibit a Medicaid or CHIP agency from partnering with 
an HIE to meet its requirements, but Medicaid and CHIP agencies must 
continue to comply with all other Federal requirements applicable to 
the operation of Medicaid and CHIP.
    Comment: Multiple commenters expressed concerns about state 
Medicaid and CHIP agencies' resources to collect and manage patient 
decisions to opt into the exchange of their data via the Payer-to-Payer 
API. A commenter stated that it may need to build separate 
functionality to support implementation of the opt in requirement if it 
is unable to support the requirement within the state's existing 
eligibility system. A commenter noted that it will require significant 
work to implement an opt in process in states and territories where the 
Medicaid agency does not complete eligibility and enrollment processes 
and recommended that CMS ensure an appropriate implementation timeline 
in these instances. A commenter suggested that CMS work with states to 
implement a consistent solution to avoid inconsistencies in what data 
are collected and how to address the concern about resources. Another 
commenter specifically expressed that the process to identify a 
previous/concurrent payer would be challenging for Medicaid.
    Response: We understand and appreciate that state Medicaid and CHIP 
agencies will need to create new processes to request a patient's 
permission to exchange data and identifying information about their 
previous/concurrent payer(s), and then to share that information with 
their managed care plans and managed care entities. States have 
different eligibility and enrollment processes, and a one-size-fits all 
approach may not be optimal. We are not being prescriptive on this 
process, as we want each program to implement the requirements in the 
least burdensome, most efficient way for them.
    We also understand that making changes to applications can be a 
significant administrative process, and

[[Page 8852]]

for states where Medicaid or CHIP eligibility is determined by a state 
or regional agency other than the Medicaid or CHIP agency, there will 
be additional administrative steps to implementation. We are extending 
our compliance dates for the Payer-to-Payer API from our proposed 2026 
to 2027 in order to provide adequate time for payers to implement these 
requirements. Further, there may be other places where a state could 
obtain a patient's data exchange permission for the Payer-to-Payer API 
data exchange. For instance, a state could leverage an online portal or 
app, if beneficiaries frequently use those pathways for other purposes, 
such as reporting a change in circumstance or providing information for 
eligibility renewal. However, the option should be equally available 
for all beneficiaries and if only a small portion of the Medicaid or 
CHIP population uses these tools to communicate with the Medicaid or 
CHIP agency, that subset would be self-selected for greater technology 
literacy and taking this approach could exacerbate inequality.
    We note that the single streamlined application, which for Medicaid 
and CHIP purposes is described at 42 CFR 435.907(b)(1) and 457.330, 
respectively, and is also used for applications through the FFEs, 
includes questions about concurrent coverage information. We also 
expect that some states that do not use the single streamlined 
application already ask for this information for Coordination of 
Benefits and Third-Party Liability purposes. We believe that it would 
generally make sense to gather permission for payer to payer data 
exchange at the point the state collects concurrent payer information. 
We note that the patient permission provisions in this rule will apply 
only to the payer to payer data exchange discussed here and would not 
affect states' ability to perform Coordination of Benefits or Third-
Party Liability activities as they do today.
    Comment: Multiple commenters stated that CMS should ensure that 
regulatory language clearly makes the opt in requirement applicable to 
Medicaid managed care plans.
    Response: We intentionally did not include regulatory text 
requiring Medicaid managed care plans and CHIP managed care entities to 
meet the requirement to collect patient permission for payer to payer 
data exchange. As discussed in section II.C.4.b. of this final rule, we 
are finalizing that requirement for state Medicaid and CHIP agencies 
because we believe that they are the proper entity to hold a patient's 
opt in decision. State Medicaid and CHIP agencies may work with their 
managed care plans and entities to gather that information, but 
ultimately the requirement to gather and maintain that information is 
the responsibility of the state Medicaid or CHIP agency. As proposed 
and discussed in section II.E.2.a. of this final rule, we are 
finalizing that the responsibility to collect patient permission for 
the Payer-to-Payer API data exchange is not eligible for exemption from 
the API requirements. Therefore, even if a state receives an exemption 
from the Payer-to-Payer API, it is still responsible for collecting and 
maintaining a record of patient opt in permission for this data 
exchange. We note that we are also finalizing that state Medicaid and 
CHIP programs, rather than their managed care organizations, are 
responsible for providing educational resources at the time of 
requesting permission for payer to payer data exchange and for 
collecting identifying information about patients' previous/concurrent 
payer(s).
    Comment: A commenter requested clarification on whether a patient's 
opt in permission is required to share data between impacted payers 
within the same state Medicaid program. Another commenter asked us to 
explain what types of managed care plans are included in this statement 
(for example, MCOs, PIHPs, PAHPs, Primary Care Case Managers (PCCMs), 
integrated plans for patients dually eligible for Medicare and 
Medicaid).
    Response: As we explained in the preamble to the proposed rule (87 
FR 76238), we know that state Medicaid or CHIP agencies regularly 
exchange data with their managed care plans and entities. We do not 
intend the opt in requirements for the Payer-to-Payer API to interfere 
with or affect this permissible exchange. Medicaid managed care plans, 
and CHIP managed care entities are not outside sources as described at 
42 CFR 431.306(d), but are part of a state's Medicaid and/or CHIP 
programs as a whole, because these entities are contracted to support 
the agency's administration of its Medicaid or CHIP state plan. 
Specifically, Medicaid managed care plans and CHIP managed care 
entities are contracted with the Medicaid state agency to deliver 
Medicaid program health care services to beneficiaries under the state 
plan.
    Hence, we are finalizing our proposal that if a Medicaid or CHIP 
agency is exchanging information per our Payer-to-Payer API proposals 
with a managed care plan or managed care entity with which they have a 
contract, the requirement to obtain patient opt in would not apply. We 
consider any plan and entity that has a contract with the state 
Medicaid or CHIP agency to deliver Medicaid program health care 
services to beneficiaries under the state plan, including state 
Medicaid agency contracts with D-SNPs under 42 CFR 422.107, to be part 
of the state's Medicaid or CHIP programs, regardless of the coverage 
model. We note that this policy and opt in requirement to share data 
between impacted payers would not replace regulatory requirements as 
described at 42 CFR part 422, including as they relate to integrated D-
SNPs.
    We note that permissible data exchange only covers data that 
facilitate that plan's contracted services. For instance, it would be 
inappropriate to share patient data with a managed care plan or entity 
other than the one with which the patient is enrolled. The other Payer-
to-Payer API requirements, such as the requirement to use a FHIR API 
and the authorization and authentication protocols would apply to data 
exchange required in this final rule between state Medicaid and CHIP 
agencies and their managed care plans or managed care entities. The 
exchange must also not be prohibited by other law.
c. Federal Matching Funds for State Medicaid and CHIP Expenditures on 
Implementation of Payer to Payer Data Exchange
    In section II.E. of this final rule, we discuss Federal matching 
funds for certain state Medicaid and CHIP FFS programs' expenditures 
related to implementation of the payer to payer data exchange (this was 
also addressed in the proposed rule at 87 FR 76278).
d. Medicaid Expansion CHIP
    In section II.E. of this final rule, we discuss implementation for 
states with Medicaid Expansion CHIP programs (this was also addressed 
in the proposed rule at 86 FR 76279).
5. Extensions, Exemptions, and Exceptions
    See section II.E. of this final rule for a discussion of extensions 
and exemptions and the final policies for the Payer-to-Payer API for 
state Medicaid and CHIP FFS programs and exceptions for the Payer-to-
Payer API for QHP issuers on the FFEs (this was also addressed in the 
proposed rule at 86 FR 76279).
BILLING CODE 4150-28-P

[[Page 8853]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.003


[[Page 8854]]


[GRAPHIC] [TIFF OMITTED] TR08FE24.004

BILLING CODE 4150-28-C

[[Page 8855]]

6. Final Action
    After considering the comments received, and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule and our response to those comments (as summarized previously), we 
are finalizing our proposal with the following modifications:
     Impacted payers must implement and maintain a Payer-to-
Payer API beginning in 2027 (by January 1, 2027, for MA organizations 
and state Medicaid and CHIP FFS programs; by the rating period 
beginning on or after January 1, 2027, for Medicaid managed care plans 
and CHIP managed care entities; and for plan years beginning on or 
after January 1, 2027, for QHP issuers on the FFEs) rather than in 
2026.
     Impacted payers are not required to share the quantity of 
items or services used under a prior authorization via the Payer-to-
Payer API.
     The data exchange between a previous payer and a new payer 
is limited to data with a date of service within the previous 5 years.
     Impacted payers are required to request patients' 
permission for payer to payer data exchange and identifying information 
about patients' previous/concurrent payers no later than 1 week after 
the start of coverage, as that term is defined for each type of 
impacted payer, rather than at enrollment.
    See further discussion for the exact details of the final 
requirements for impacted payers.
    We are finalizing the rescission of the payer to payer data 
exchange policy previously finalized in the CMS Interoperability and 
Patient Access rule (85 FR 25568) at 42 CFR 422.119(f)(1) and 
438.62(b)(1)(vi) and (vii) and 45 CFR 156.221(f)(1).
    We are finalizing a requirement that, beginning in 2027 (by January 
1, 2027, for MA organizations and state Medicaid and CHIP FFS programs; 
by the rating period beginning on or after January 1, 2027, for 
Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2027, for QHP issuers on 
the FFEs), impacted payers must implement and maintain a Payer-to-Payer 
API that is conformant with certain technical standards, documentation 
requirements, and denial or discontinuation policies. Specifically, 
those technical standards are HL7 FHIR R4 at 45 CFR 170.215(a)(1), US 
Core IG at 45 CFR 170.215(b)(1)(i), and Bulk Data Access IG at 45 CFR 
170.215(d)(1).
    We are also finalizing a requirement that, by the deadlines, 
impacted payers (except Medicaid managed care plans and CHIP managed 
care entities) must establish and maintain a process to gather patient 
permission for payer to payer data exchange no later than 1 week after 
the start of coverage. We are finalizing an opt in framework whereby a 
patient or personal representative must affirmatively agree to allow 
that data exchange. Impacted payers must also have a process for 
patients to change their permission at any time.
    We are finalizing a requirement that, by the deadlines, impacted 
payers must establish and maintain a process to identify a patient's 
previous/concurrent payer(s) no later than 1 week after the start of 
coverage. As part of this process, impacted payers are required to 
allow a patient to report multiple previous/concurrent payers if they 
had (or continue to have) concurrent coverage. If a patient does report 
multiple previous payers, impacted payers are required to request that 
patient's data from all previous/concurrent payers. If a patient does 
not respond or additional information is necessary, the impacted payer 
must make reasonable efforts to engage with the enrollee to collect 
this information.
    We are also finalizing a requirement that, no later than the 
compliance dates, impacted payers must establish and maintain a process 
to gather permission and previous/concurrent payer(s) information from 
patients who are already enrolled.
    We are finalizing a requirement that, by the deadlines, impacted 
payers must request a patient's data from a patient's previous/
concurrent payer(s) no later than 1 week after the payer has sufficient 
identifying information and the patient has opted in. Impacted payers 
must also request data from a patient's previous/concurrent payers(s) 
within 1 week of that patient's request to do so. Impacted payers must 
include an attestation with this request for data affirming that the 
patient is enrolled with the requesting payer and has opted into the 
data exchange in a manner that meets the legal requirements.
    Additionally, we are finalizing a requirement that, by the 
deadlines, when an impacted payer has sufficient identifying 
information and the patient has opted in, they must request data from 
any concurrent payers at least quarterly. Impacted payers who receive a 
request for a patient's data from a known concurrent payer must respond 
with the required data within 1 business day of receiving the request.
    We are finalizing a requirement that, by the deadlines, upon 
receiving a request that meets the legal requirements, impacted payers 
must make any of the required information that they maintain available 
to new payers no later than 1 business day after receiving the request.
    We are finalizing a requirement that, by the deadlines, impacted 
payers must make available via the Payer-to-Payer API, by request from 
payer that meets certain requirements, claims and encounter data 
(excluding provider remittances and patient cost-sharing information), 
all data classes and data elements included in a content standard at 45 
CFR 170.213, and certain information about prior authorization requests 
and decisions (excluding those for drugs and those that were denied) 
that the payer maintains with a date of service within 5 years of the 
request. The required information is--
     The prior authorization status;
     The date the prior authorization was approved;
     The date or circumstance under which the prior 
authorization ends;
     The items and services approved; and
     Structured and unstructured administrative and clinical 
documentation submitted by a provider.
    We are finalizing a requirement that impacted payers are required 
to make this information about prior authorizations available for the 
duration that the authorization is active and for at least 1 year after 
the prior authorization's last status change.
    We are finalizing a requirement that, by the deadlines, information 
received by an impacted payer through the payer to payer data exchange 
must be incorporated into the payer's patient record.
    We are finalizing a requirement that, by the deadlines, impacted 
payers (except Medicaid managed care plans and CHIP managed care 
entities) must provide educational resources to their patients about 
the Payer-to-Payer API in plain language. These resources must include 
information about the benefits of Payer-to-Payer API data exchange, the 
patient's ability to opt in or withdraw that permission, and 
instructions for doing so. Impacted payers must make this information 
available to patients when requesting the opt in decision. Thereafter, 
impacted payers must provide this information to patients annually, in 
mechanisms the payer ordinarily uses to communicate with patients. 
These resources must also be available in an easily accessible location 
on payers' public websites.
    These final policies apply to MA organizations, state Medicaid and 
CHIP FFS programs, Medicaid managed care plans, CHIP managed care 
entities (excluding NEMT PAHPs), and QHP

[[Page 8856]]

issuers on the FFEs at the CFR sections listed in Table D1.
7. Statutory Authorities for Payer to Payer Data Exchange Proposals
    We note that we received no public comments on the statutory 
authorities for our Payer-to-Payer API policies.
a. MA Organizations
    For MA organizations, we are finalizing these Payer-to-Payer API 
requirements under our authority at section 1856(b) of the Act to adopt 
by regulation standards consistent with and to carry out Part C of 
Title XVIII of the Act (such as section 1852(d)(1)(A) of the Act). In 
addition, section 1857(e)(1) of the Act authorizes the Secretary to 
adopt contract terms and conditions for MA organizations that are 
necessary, appropriate, and not inconsistent with the statute. In 
total, the regulations we are adopting in this final rule for MA 
organizations and MA plans are necessary and appropriate because they 
address and facilitate continued access to enrollees' medical records 
and health information when they change payers, which will support 
consistent and appropriate coordination of coverage when enrollees have 
concurrent payers and will support coordination of care and 
continuation of active courses of treatment when enrollees change 
payers.
    In regulations establishing the MA program,\87\ CMS described it as 
a program designed to: provide for private plan options available to 
Medicare beneficiaries, especially those in rural areas, enrich the 
range of benefit choices, provide incentives to plans and add 
specialized plans to coordinate and manage care in ways that 
comprehensively serve those with complex and disabling diseases and 
conditions, use competition to improve service and benefits, invest in 
preventive care, hold costs down in ways that attract enrollees, and 
advance the goal of improving quality and increasing efficiency in the 
overall health care system. This final rule supports these goals and 
enables the MA program to advance services for its enrollees by 
providing greater access to information in a way that will improve care 
management for payers, providers, and the patient.
---------------------------------------------------------------------------

    \87\ Medicare Program: Establishment of the Medicare Advantage 
Program, 70 FR 4588 (January 28, 2005) (to be codified at 42 CFR 
part 417).
---------------------------------------------------------------------------

    Section 1856(b) of the Act requires the Secretary to establish 
regulatory standards for MA organizations and plans that are consistent 
with, and carry out, Part C of the Medicare statute, Title XVIII of the 
Act. The Payer-to-Payer API proposals support MA organizations sharing 
certain claims, encounter, and clinical data, as well as prior 
authorization requests and decisions, with another payer that, as 
identified by the enrollee, has or does cover the enrollee. Such 
exchanges of data about patients could facilitate continuity of care 
and enhance care coordination. As discussed for the Provider Access API 
in section II.B. of this final rule, allowing payers to share health 
information for one or more patients at once could increase efficiency 
and simplicity of administration. Though we are not requiring payers to 
share data for more than one patient at a time, there are efficiencies 
to doing so, both for communicating information and for leveraging 
available technology.
    Further, providing MA organizations with additional data about 
their enrollees through these data exchanges will increase the scope of 
data that the MA organizations must make available to enrollees through 
the Patient Access API. It will give payers access to all their 
enrollees' information with limited effort and enable the payer to then 
make that information available to providers and to enrollees through 
the Provider Access and Patient Access APIs. It may reduce the amount 
of time needed to evaluate a patient's current care plan and possible 
implications for care continuity, which may introduce efficiencies and 
improve care. As discussed earlier, if a new payer receives information 
and documentation about prior authorization requests from a previous 
payer, the new payer can review this information and determine that a 
new prior authorization may not be necessary for an item or service 
that was previously approved. Instead, the same care may be continued, 
reducing burden on both payers and providers, and improving patient 
care. While the statutory provisions governing the MA program do not 
explicitly address sharing data with other payers that cover or have 
covered an enrollee, the benefits to be gained by sharing data make 
adoption of Payer-to-Payer API policies necessary and appropriate for 
the MA program. Further, requiring use of the API and the 
specifications for the data to be shared provides a step toward greater 
interoperability among payers. Ultimately, using the Payer-to-Payer API 
is anticipated to ensure that payers receive patient information in a 
timely manner, which could lead to more appropriate service utilization 
and higher patient satisfaction. Such goals are consistent with the MA 
statute.
    Section 1852(h) of the Act requires MA organizations to provide 
their enrollees with timely access to medical records and health 
information as far as MA organizations maintain such information. As 
technology evolves to allow for faster, more efficient methods of 
information transfer, so do expectations as to what is generally 
considered ``timely.'' Currently, consumers across public and private 
sectors have become increasingly accustomed to accessing a broad range 
of personal records, such as bank statements, credit scores, and voter 
registrations, immediately through electronic means and with updates 
received in near real-time. Thus, we to align our standards with 
current demands, we must take steps for MA enrollees to have immediate, 
electronic access to their health information and plan information. The 
information exchanged via the Payer-to-Payer API will ultimately be 
accessible to enrollees via the Patient Access API and will therefore 
improve timeliness to medical records and health information as 
enrollees will no longer have to spend time contacting previous payers 
to access their information. These data will be accessible as needed by 
the enrollee's current payer and would therefore support timely access.
    Section 1852(d)(1)(A) of the Act requires MA organizations to, as a 
condition of using a network of providers, make covered benefits 
available and accessible to enrollees in a manner which assures 
continuity in the provision of benefits. In implementing section 
1852(d)(1)(A) of the Act, we adopted a regulation, at 42 CFR 
422.112(b), that requires MA organizations to ensure the continuity of 
care and integration of services through arrangements with providers 
that include procedures to ensure that the MA organization and the 
contracted providers have access to the information necessary for 
effective and continuous patient care. Consistent with section 
1852(d)(1)(A) of the Act, the final requirement here for MA 
organizations to implement and maintain a Payer-to-Payer API will 
facilitate exchanges of information about enrollees that are necessary 
for effective and continuous patient care. Under this final rule, the 
data received from other impacted payers will become part of the data 
the MA organization maintains and will therefore be available (subject 
to other law authorizing the disclosure) to providers via the Provider 
Access API discussed in section II.B. of this final rule; the data 
could then be used for treatment and coordination of care purposes.
    The finalized policies in this rule are necessary, appropriate, and 
consistent

[[Page 8857]]

with Part C of Title XVIII of the Act. Overall, establishing these 
regulatory requirements for MA organizations will improve enrollee's 
quality of care by ensuring that they do not lose their patient records 
when they change payers.
b. Medicaid and Children's Health Insurance Program
    Our provisions in this section fall generally under our authority 
in the following provisions of the Act.
     Section 1902(a)(4) of the Act, which requires that a state 
Medicaid plan provide such methods of administration as are found by 
the Secretary to be necessary for the proper and efficient operation of 
the state Medicaid plan.
     Section 1902(a)(8) of the Act, which requires states to 
ensure that Medicaid services are furnished with reasonable promptness 
to all eligible individuals.
     Section 1902(a)(19) of the Act, which requires states to 
ensure that care and services are provided in a manner consistent with 
simplicity of administration and the best interests of the recipients.
    The final requirements related to the Payer-to-Payer API are 
authorized by sections 1902(a)(4), (a)(8), and (a)(19) of the Act for 
the following reasons. First, because the Payer-to-Payer API is 
designed to enable efficient exchange of data between payers, we 
anticipate that it will help state Medicaid programs improve the 
efficiencies and simplicity of their own operations under a Medicaid 
state plan, consistent with sections 1902(a)(4) and (a)(19) of the Act. 
It will give Medicaid agencies and their managed care plans access to 
their beneficiaries' information in a standardized manner and enable 
states to then make that information available to providers and 
patients through the Patient Access and Provider Access APIs. It may 
also reduce the amount of time needed to evaluate a patient's current 
care plan and have possible implications for care continuity, which may 
introduce efficiencies and improve care. Receiving patient information 
at the start of coverage will lead to more appropriate service 
utilization and higher beneficiary satisfaction by Medicaid agencies 
and those managed care plans considered impacted payers under this 
final rule by supporting efficient care coordination and continuity of 
care, which could lead to better health outcomes.
    As discussed in section II.C.3.b. of this final rule, when a state 
Medicaid program has access to a previous payer's prior authorization 
decisions, the Medicaid program may choose to accept the existing 
decision and support continued patient care without requiring a new 
prior authorization or duplicate tests. This information exchange might 
also improve care continuity for beneficiaries who have concurrent 
coverage in addition to Medicaid by improving the coordination of 
health coverage they receive, reducing gaps, or duplication of 
coverage.
    Our final rule is expected to help states and managed care plans 
furnish Medicaid services with reasonable promptness and in a manner 
consistent with beneficiaries' best interests, consistent with sections 
1902(a)(8) and (a)(19) of the Act. A significant portion of Medicaid 
beneficiaries experience coverage changes and churn in a given 
year.\88\ Therefore, exchanging this information with a beneficiary's 
next payer may also better support care continuity for Medicaid 
beneficiaries. When states share information about Medicaid 
beneficiaries or former beneficiaries with their concurrent and next 
payers, they can support opportunities for improved care coordination 
for Medicaid beneficiaries and former beneficiaries. Exchanging 
information about Medicaid beneficiaries and former beneficiaries 
between payers might also reduce the amount of time needed to evaluate 
beneficiaries' current care plans, their health risks, and their health 
conditions at the time they enroll with the Medicaid program, as well 
as with another payer. This information exchange might be of particular 
value to improve care continuity for beneficiaries who might churn into 
and out of Medicaid coverage. The final rule may also improve the 
provision of Medicaid services, by potentially helping to ensure that 
Medicaid beneficiaries who may require coordinated services with 
concurrent payers can be identified and provided case management 
services, reduce duplication of services, and improve the coordination 
of care, as appropriate.
---------------------------------------------------------------------------

    \88\ Churning occurs when people lose Medicaid coverage and then 
re-enroll within a short period of time. Medicaid beneficiaries 
frequently experience churning. See U.S. Department of Health and 
Human Services, Assistant Secretary for Planning and Evaluation 
(2021, April 12). Medicaid churning and continuity of care: Evidence 
and policy considerations before and after the COVID-19 pandemic 
(issued April 12, 2021). Available at: https://aspe.hhs.gov/reports/medicaid-churning-continuity-care.
---------------------------------------------------------------------------

    In addition, section 1902(a)(7) of the Act requires that states 
must provide safeguards that restrict the use or disclosure of 
information concerning Medicaid applicants and beneficiaries to 
purposes that are directly connected with the administration of the 
Medicaid state plan. The implementing regulations at 42 CFR part 431, 
subpart F, for section 1902(a)(7) of the Act list purposes that CMS has 
determined are directly connected with administration of Medicaid state 
plans (42 CFR 431.302) and require states to provide safeguards meeting 
certain requirements to restrict uses and disclosures of Medicaid 
beneficiary data, including requirements about releasing applicant and 
beneficiary information at 42 CFR 431.306.
    Requiring the data described in this section to be shared via the 
Payer-to-Payer API is consistent with states' requirements to provide 
safeguards meeting certain requirements to share these data since it is 
related to providing services for beneficiaries, a purpose listed at 42 
CFR 431.302(c). As described previously in sections II.A.5.b. and 
II.B.6.b. of this final rule related to authority under sections 
1902(a)(8) and 1902(a)(19) of the Act, states that share information 
about Medicaid beneficiaries or former beneficiaries with their 
concurrent and next payers, may support opportunities for improved care 
coordination, reduction in the amount of time needed to evaluate 
beneficiaries' current care plans, their health risks, and their health 
conditions at the time they enroll with the Medicaid program, as well 
as with another payer. This information exchange might be of particular 
value to improve care continuity for beneficiaries who churn into and 
out of Medicaid coverage, described in more detail previously. When 
state Medicaid agencies share medical records or any other health or 
enrollment information pertaining to individual beneficiaries, they 
must comply with the requirements of 42 CFR part 431, subpart F, 
including 42 CFR 431.306.
    For Medicaid managed care, and in addition to the general 
authorities cited previously regarding Medicaid programs, the finalized 
exchange of adjudicated claims and encounter data, all data classes and 
data elements included in a content standard at 45 CFR 170.213 (USCDI), 
and certain information about prior authorizations maintained by the 
payer with a date of service within 5 years of the request by a 
patient's new or concurrent payer will greatly enhance an MCO's, 
PIHP's, or PAHP's ability to fulfill its obligations under 42 CFR 
438.208(b), which require them to: implement procedures to deliver care 
to and coordinate services including ensuring that each enrollee has an 
ongoing source of appropriate care; coordinate services between 
settings of care, among Medicaid programs, and with community and

[[Page 8858]]

social support providers; make a best effort to conduct an initial 
screening of each enrollee's needs; and share with the state or other 
MCOs, PIHPs, and PAHPs serving the enrollee the results of any 
identification and assessment of that enrollee's needs to prevent 
duplication of those activities. The data provided via the Payer-to-
Payer API in this final rule will give managed care plans the 
information needed to perform these required functions much more 
easily, thus enhancing the effectiveness of the care coordination, and 
helping enrollees receive the most appropriate care in an effective and 
timely manner.
    For CHIP, we finalized these requirements under our authority in 
section 2101(a) of the Act, which states that the purpose of Title XXI 
of the Act is to provide funds to states to provide child health 
assistance to uninsured, low-income children in an effective and 
efficient manner that is coordinated with other sources of health 
benefits coverage. The provisions in this final rule can strengthen our 
ability to fulfill these statutory obligations in a way that recognizes 
and accommodates using electronic information exchange in the health 
care industry today and will facilitate a significant improvement in 
the delivery of quality health care to our beneficiaries.
    As with the Medicaid FFS and Medicaid managed care programs, the 
provisions in this section of the final rule for CHIP FFS and CHIP 
managed care entities require using a Payer-to-Payer API to exchange 
claims, encounter, clinical and prior authorization data at a 
beneficiary's request, or any time a beneficiary changes payers, using 
a FHIR API. The current payer can use data from the previous payer to 
respond to a request for a prior authorization more effectively or 
accurately, because under this final rule, a new payer will have 
historical claims or clinical data upon which they may review a request 
with more background data. Access to information about new patients 
will enable appropriate staff within the CHIP program to coordinate 
care and conduct care management more effectively because they will 
have better data available to make decisions for planning. In many 
cases, patients do not remember what services they have had, or other 
possibly relevant encounters that could help payers manage their care. 
This final rule is consistent with the goal of providing more informed 
and effective care coordination, which will help to ensure that CHIP 
services are provided in a way that supports quality care, which aligns 
with section 2101(a) of the Act.
    Finally, the safeguards for applicant and beneficiary information 
at 42 CFR part 431, subpart F, are also applicable to CHIP through a 
cross reference at 42 CFR 457.1110(b). As discussed previously for 
Medicaid, CHIP agencies' data exchange through the Payer-to-Payer API 
is related to providing services to beneficiaries, which is described 
at 42 CFR 431.302(c) as a purpose directly related to state plan 
administration. We remind states that when they share medical records 
or any other health or enrollment information pertaining to individual 
beneficiaries, they must comply with the privacy protections at 42 CFR 
457.1110 and the release of information provisions at 42 CFR 431.306.
c. Qualified Health Plan Issuers on the Federally-Facilitated Exchanges
    For QHP issuers on the FFEs, we finalized these new requirements 
under our authority in section 1311(e)(1)(B) of the Affordable Care 
Act, which affords the Exchanges the discretion to certify QHPs if the 
Exchange determines that making available such health plans through the 
Exchange is in the interests of qualified individuals in the state in 
which the Exchange operates.
    Requiring QHP issuers on the FFEs to implement and maintain a 
Payer-to-Payer API will allow the seamless flow from payer to payer of 
adjudicated claims, and encounter data, all data classes and data 
elements included in a standard at 45 CFR 170.213 (USCDI), and certain 
information about prior authorizations, that are maintained by the 
payer with a date of service within 5 years of the request by a 
patient's new or concurrent payer. Ensuring a means for an enrollee's 
new issuer to electronically obtain the enrollee's claims, encounter, 
and other data, as well as prior authorization information with 
corresponding medical records, from the previous issuer will reduce 
administrative burden and result in more timely and efficient care 
coordination and responses to prior authorization requests.
    We believe that it is in the interest of qualified individuals that 
QHP issuers on the FFEs have systems in place to send information 
important to care coordination to a departing enrollee's new payer, and 
that QHP issuers on FFEs also have systems in place to receive such 
information from other payers on behalf of new and concurrent 
enrollees, as appropriate and consistent with the provisions in this 
section. Having patient information at the beginning of a new plan may 
assist the new payer in identifying patients who need care management 
services, which could reduce the cost of care. We encourage SBEs to 
consider whether a similar requirement should be applicable to QHP 
issuers participating in their Exchange.
    Though we are not requiring the exchange of all enrollees' data at 
one time between impacted payers, we encourage QHP issuers on the FFEs 
to use the Bulk Data Access IG for the Payer-to-Payer API once it is 
available, as it will improve the efficiency and simplicity of data 
transfers between issuers by enabling the exchange of all data for all 
patients at once. The opportunity to support the exchange of data from 
multiple patient records at once, rather than data for one patient at a 
time, may be cost effective for the issuers.

D. Prior Authorization API and Improving Prior Authorization Processes

1. Background
    This section of the final rule addresses the topic of prior 
authorization and includes both technical and operational requirements 
intended to improve the prior authorization process for payers, 
providers, and patients. Here, we finalize our proposals for payers to 
implement and maintain an API to support and streamline prior 
authorization processes; respond to prior authorization requests within 
certain timeframes; provide a specific reason for prior authorization 
denials; and publicly report on prior authorization approvals, denials, 
and appeals.
    In the CMS Interoperability and Prior Authorization proposed rule 
(87 FR 76286) we provided a comprehensive review of the work HHS 
conducted regarding prior authorization processes and their associated 
burden to identify the primary issues that needed to be addressed to 
alleviate the burdens of these processes on patients, providers, and 
payers. We cited studies from ONC \89\ which highlighted the burdens 
associated with prior authorization including difficulty determining 
payer-specific requirements for items and services that require prior 
authorization; inefficient use of provider and staff time processing 
prior authorization requests and information (sending and receiving) 
through fax, telephone, and web portals;

[[Page 8859]]

and unpredictable wait times to receive payer decisions.
---------------------------------------------------------------------------

    \89\ Office of the National Coordinator for Health Information 
Technology (2020). Strategy on Reducing Burden Relating to the Use 
of Health IT and EHRs. Retrieved from https://www.healthit.gov/topic/usability-and-provider-burden/strategy-reducing-burden-relating-use-health-it-and-ehrs.
---------------------------------------------------------------------------

    We referenced American Medical Association (AMA) physician surveys 
from 2018, 2020, and 2022 \90\ which noted issues with prior 
authorization, and we used these studies to estimate the costs and 
savings for this final rule. Please see the CMS Interoperability and 
Prior Authorization proposed rule (87 FR 76286-76287) for the detailed 
context of these industry surveys as well as the reports from the 2019 
meetings of the two Federal advisory committees, the Health Information 
Technology Advisory Committee (HITAC) \91\ and the National Committee 
on Vital and Health Statistics (NCVHS),\92\ which conducted joint 
hearings to discuss persistent challenges with prior authorization 
workflows and standards; and the follow up 2020 task force on the 
Intersection of Clinical and Administrative Data (ICAD) Task Force at 
87 FR 76287.
---------------------------------------------------------------------------

    \90\ American Medical Association (2022). AMA prior 
authorization (PA) physician survey. Retrieved from https://www.ama-assn.org/system/files/prior-authorization-survey.pdf.
    \91\ Office of the National Coordinator for Health Information 
Technology (2023). Health Information Technology Advisory Committee 
(HITAC). Retrieved from https://www.healthit.gov/topic/federal-advisory-committees/health-information-technology-advisory-committee-hitac-history.
    \92\ National Committee on Vital and Health Statistics (2022). 
Charter. Retrieved from https://ncvhs.hhs.gov/about/charter/.
---------------------------------------------------------------------------

    We use the term prior authorization to refer to the process by 
which a provider must obtain approval from a payer before providing 
certain covered items and services to receive payment for delivering 
those items or services to a covered individual. As we stated in the 
CMS Interoperability and Prior Authorization proposed rule, prior 
authorization has an important place in the health care system, but the 
process of obtaining prior authorization can be challenging for 
patients, providers, and payers. Interested parties, including payers 
and providers, say that dissimilar payer policies, inconsistent use of 
electronic standards, and other technical barriers have created 
provider workflow challenges and an environment in which the prior 
authorization process is a primary source of burden for both providers 
and payers, a major source of burnout for providers, and can create a 
health risk for patients if inefficiencies in the process cause delays 
in medically necessary care. The prior authorization policies in this 
final rule apply to any formal decision-making process through which 
impacted payers render an approval or denial determination in response 
to prior authorization requests based on the payer's coverage 
guidelines and policies before services or items are rendered or 
provided.
    As discussed in section I.D. of this final rule, we exclude drugs 
from the provisions in this section, meaning any drugs that could be 
covered by the impacted payers affected by these provisions. Thus, the 
policies herein do not apply to prescription drugs that may be self-
administered, administered by a provider, or that may be dispensed or 
administered in a pharmacy or hospital, or OTC drugs that may be 
covered by an impacted payer. We include a definition of drugs for 
purposes of this exclusion for each impacted payer in the CFR where 
applicable to provisions for implementation of the Prior Authorization 
API. For MA organizations, the definition of drugs also includes any 
products that constitute a Part D drug, as defined by 42 CFR 423.100, 
and are covered under the Medicare Part D benefit by MA-PDs; this part 
of the definition specific to MA organizations provides a clear 
dividing line for MA-PD plans that must comply with this new rule. 
However, payers may voluntarily incorporate their business rules for 
prior authorizations for drugs using the Prior Authorization API now 
being finalized in this rule.
    As noted in section I.D., although Medicare FFS is not directly 
affected by this final rule, we will evaluate opportunities to improve 
automation of prior authorization processes in the Medicare FFS program 
as feasible.
    We received nearly 900 letters in response to the CMS 
Interoperability and Prior Authorization proposed rule, with hundreds 
of individual comments specific to the importance of the topic of prior 
authorization and the critical timing of addressing this issue. Most of 
the comments were relevant to the proposals and others were out of 
scope. The majority of commenters supported our proposals which are 
intended to mitigate longstanding issues with prior authorization 
processes and many commenters stressed the importance of finalizing the 
policies in this final rule as soon as practicable to resolve patient 
access to care issues. Some commenters identified concerns with the 
timing of compliance for the policies (too soon or too late), with 
prior authorization decision timeframes (too short or too long), and 
with reporting of metrics (too little or too much). We carefully 
reviewed each comment and considered the input to inform the policies 
now being described in this final rule. To be fully responsive to the 
public comment process, yet avoid creating an overwhelming final rule, 
we have consolidated input from all of the comments and summarized the 
contents with our responses for each provision. We value the diverse 
commentary provided by all interested parties as the volume and scope 
helped shape our approach to these final policies which advance our 
commitment to interoperability, burden reduction, process improvement 
for prior authorization, and transparent rulemaking. Comments that were 
out of scope for this final rule are not addressed here.
    Comment: Multiple commenters stated that, while prior 
authorizations may improve the safety or efficiency of care in some 
circumstances, they can lead to negative effects for patients and 
providers. A commenter suggested that CMS implement a broader set of 
changes to prior authorization processes to correct current abuses, 
specifically noting that improving the speed of prior authorizations 
without addressing the content of prior authorization requests will not 
improve outcomes of inappropriate use of prior authorizations. Another 
commenter recommended that CMS further evaluate prior authorization 
burdens and make additional proposals.
    Response: We appreciate that there are still concerns about the 
general use of prior authorization in the health care system. However, 
prior authorization continues to have a place in the health care system 
and can support functions such as utilization management, cost-
effective care delivery, patient safety, and preventing unnecessary 
treatment. The policies we are finalizing in this rule are intended to 
improve the transparency and efficiency of the process.
    Regarding suggestions for us to implement broader policy changes 
for prior authorization, we acknowledge that Federal policies alone 
cannot control all payer specific processes or patient health outcomes. 
Policies must be applied with good medical judgment and review, and we 
reiterate that we, in the administration of its programs \93\ and 
implementation of programmatic authority, continue to evaluate 
opportunities for future rulemaking to alleviate burdens, mitigate 
harm, and improve patient care. For example, in the CY 2024 MA and Part 
D final rule (88 FR 22120), we finalized several provisions to ensure 
that utilization management tools, including prior authorization 
requirements, are used in ways that ensure timely and appropriate 
access to medically necessary care for

[[Page 8860]]

beneficiaries enrolled in MA plans.\94\ Specifically, we explained 
current rules related to acceptable coverage criteria for basic 
benefits that require MA organizations to comply with national coverage 
determinations (NCDs), local coverage determinations (LCDs), and 
general coverage and benefit conditions included in Traditional 
Medicare regulations. In addition, under new regulations adopted in 
that final rule, when coverage criteria are not fully established, MA 
organizations may create internal coverage criteria based on current 
evidence in widely used treatment guidelines or clinical literature 
made publicly available to us, enrollees, and providers. The CY 2024 MA 
and Part D final rule also streamlines prior authorization 
requirements, including adding continuity of care requirements and 
reducing disruptions for beneficiaries. First, we finalized that prior 
authorization policies for coordinated care plans may only be used to 
confirm the presence of diagnoses or other medical criteria that are 
the basis for coverage determinations and/or ensure that an item or 
service is medically necessary based on standards specified in that 
final rule (see 42 CFR 422.138(b)). Second, we finalized that for MA 
coordinated care plans,\95\ an approval granted through prior 
authorization processes must be valid for as long as medically 
necessary to avoid disruptions in care in accordance with applicable 
coverage criteria, the patient's medical history, and the treating 
provider's recommendation, and that plans provide a minimum 90-day 
transition period when an enrollee who is currently undergoing an 
active course of treatment switches to a new MA plan or is new to MA 
(see 42 CFR 422.112(b)(8)). Finally, to ensure prior authorization and 
other utilization management policies are consistent with CMS rules, we 
finalized a requirement that all MA plans that use utilization 
management policies must establish a Utilization Management Committee 
to review all utilization management policies, including prior 
authorization, annually and ensure they are consistent with regulatory 
standards for MA plan coverage, including compliance with current, 
Traditional Medicare's NCDs and LCDs (see 42 CFR 422.137).
---------------------------------------------------------------------------

    \93\ CMS's oversight and administration authority and roles for 
MA, Medicaid, CHIP, and the FFEs vary with each program.
    \94\ National Archives (2022, December 27). Federal Register. 
Retrieved from https://www.federalregister.gov/documents/2022/12/27/2022-26956/medicare-program-contract-year-2024-policy-and-technical-changes-to-the-medicare-advantage-program.
    \95\ An MA coordinated care plan is a plan that includes a 
network of providers that are under contract or arrangement with the 
organization to deliver the benefit package approved by CMS; this 
includes MA plans that are HMOs, PPOs, and MA plans for special 
needs individuals.
---------------------------------------------------------------------------

a. Compliance Dates
    We proposed compliance dates for most impacted payers in 2026 (by 
January 1, 2026, for MA organizations and state Medicaid and CHIP FFS 
programs; by the rating period beginning on or after January 1, 2026, 
for Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2026, for QHP issuers on 
the FFEs). There was one exception for some of the Medicaid FFS fair 
hearing and notice requirements, as discussed in the CMS 
Interoperability and Prior Authorization proposed rule (87 FR 76299 and 
76300), which would take effect upon the effective date of this final 
rule.
    Based on commenter feedback, we are extending the compliance dates 
for the Prior Authorization API for all impacted payers consistent with 
the compliance dates for the Provider Access and Payer-to-Payer APIs to 
2027 (by January 1, 2027, for MA organizations and state Medicaid and 
CHIP FFS programs; by the rating period beginning on or after January 
1, 2027, for Medicaid managed care plans and CHIP managed care 
entities; and for plan years beginning on or after January 1, 2027, for 
QHP issuers on the FFEs). Throughout this rule, we generally refer to 
these compliance dates as ``in 2027'' for the various payers. The prior 
authorization business process improvements, or those provisions that 
do not require API development or enhancement, including the 
requirement to communicate a specific reason for a denial, reduced 
decision timeframes for standard and expedited prior authorization 
decisions, and public reporting of certain prior authorization metrics 
are being finalized as proposed with a compliance dates in 2026 (by 
January 1, 2026, for MA organizations and state Medicaid and CHIP FFS 
programs; by the rating period beginning on or after January 1, 2026, 
for Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2026, for QHP issuers on 
the FFEs). Throughout this rule, we generally refer to these compliance 
dates as ``in 2026'' for the various payers.
    We received comments on the compliance dates for both the Prior 
Authorization API and process improvement proposals that do not require 
API development or enhancement. Overall compliance timeline comments 
are addressed in greater detail in section I.B. of this final rule. In 
this section, we discuss comments more specifically related to the 
Prior Authorization API and process improvement policies.
    Comment: Multiple commenters recommended that CMS require the 
shortened prior authorization decision timeframes earlier than 2026, 
with some noting that payers, specifically MA organizations, already 
have the technological capability to implement these new decision 
timeframes in 2024. These commenters did not provide additional context 
for the reference to technological capabilities. Other commenters 
recommended that CMS should require compliance with all requirements 
that are not contingent on implementation of the Prior Authorization 
API by January 2025 (for example, decision timeframes, providing 
specific denial reasons, and reporting of metrics). Commenters said 
payers should not have trouble adapting their processes to meet the 
requirements related to decision timeframes and communication with 
patients and providers by that date, and that patients and providers 
should not have to wait any longer to benefit from the proposals in 
this rule. Other commenters cited reasons for implementing the Prior 
Authorization API proposal as soon as possible or in 2024 or 2025, such 
as to ensure that bidirectional flow of electronic prior authorization 
information is fully operational by January 1, 2026 and to protect 
patients from delays in, and restricted access to, cancer care.
    Other commenters indicated that transitioning to use the API-
facilitated process for prior authorization will require significant 
development and implementation efforts. A commenter explained that 
developers would need 12 to 18 months following publication of the 
final rule to design, develop, test, and release updated software. The 
commenter went on to state that payers would likely need this same 
amount of time following publication of the final rule to build their 
specific coverage and prior authorization criteria and rules into the 
system for each of their impacted health plans for the Prior 
Authorization API. This commenter explained that providers and payers 
will also need time to work together to reconcile variances in the FHIR 
implementations to ensure that they can engage in accurate exchange of 
prior authorization information.
    Response: We appreciate the comments in support of the proposed 
compliance dates in 2026 for the business process improvement 
provisions of the CMS Interoperability and Prior Authorization proposed 
rule that do not require API development or

[[Page 8861]]

enhancement, specifically the requirement to communicate a specific 
reason for a denial, reduced decision timeframes for standard and 
expedited prior authorization decisions, and public reporting of 
certain prior authorization metrics. We are finalizing those compliance 
dates for those new requirements in this final rule. We agree that 
those prior authorization process improvements will initiate burden 
reductions and support both payers and providers.
    Although there are several early implementations and pilots of the 
Prior Authorization API in place today, it is important to take into 
account the capabilities of all payer types and sizes to implement the 
requirements of the Prior Authorization API, including internal 
resource allocation for implementation and testing. All payers must 
identify relevant prior authorization coverage criteria and rules and 
program these criteria and rules into the appropriate format for the 
API in accordance with the IG. Subsequent programming and testing for 
the questionnaires within the API must take place to ensure 
functionality. To accommodate these development efforts, CMS is 
finalizing 2027 compliance dates for the Prior Authorization API. The 
compliance timeframe should enable the industry to establish a strong 
technical framework to support the development and scalability of the 
API-based solution. We anticipate that this timeframe will provide more 
time for development and testing to enable the integration of the Prior 
Authorization API between payers, providers, and EHR developers. 
Additional time for the API implementation also supports state efforts 
to process the extraordinarily high volume of renewals and other 
eligibility and enrollment actions that need to be conducted following 
the end of the Medicaid continuous enrollment condition at section 
6008(b)(3) of the Families First Coronavirus Response Act (FFCRA),\96\ 
which has consumed both staff and technical resources.
---------------------------------------------------------------------------

    \96\ As described in prior CMS guidance, states have up to 12 
months to initiate, and 14 months to complete, a renewal for all 
individuals enrolled in Medicaid, CHIP, and the Basic Health Program 
(BHP) following the end of the Medicaid continuous enrollment 
condition that ended on March 31, 2023--this process has commonly 
been referred to as the ``unwinding period.'' For more details see 
CMS (2023, January 27). State Health Official letter #23-002. 
Retrieved from https://www.medicaid.gov/sites/default/files/2023-08/sho23002.pdf.
---------------------------------------------------------------------------

2. Requirement Tto Implement an API for Prior Authorization
a. Prior Authorization API
    To help address prior authorization process challenges and continue 
our roadmap to interoperability, we proposed that certain payers 
implement and maintain a PARDD API to be used by providers to 
facilitate the prior authorization process. As we explained in section 
I.B. of this final rule, for consistency with the naming conventions of 
the other APIs, we have elected to finalize the name of this API to the 
Prior Authorization API rather than the PARDD API. The purpose of the 
API is to support the full prior authorization process, as described in 
the CMS Interoperability and Prior Authorization proposed rule. We 
believe this revised name best reflects that purpose in this final 
rule.
    In this section, we are finalizing policies to improve the prior 
authorization process between payers and providers using a Prior 
Authorization API. The purpose of the API is to streamline the process 
and ensure that payers use technology to provide more useful 
information about when and how to obtain a prior authorization and the 
status of an approved or denied prior authorization.
    In the CMS Interoperability and Prior Authorization proposed rule, 
we discussed the anticipated benefits of the Prior Authorization API 
and explained how this API would automate certain tasks, thereby 
mitigating some of the obstacles of the existing process. We stated 
that the API would allow a provider to query the payer's system to 
determine whether prior authorization was required for certain items 
and services and identify documentation requirements. The Prior 
Authorization API would send the prior authorization request from the 
provider's EHR or practice management system to the payer. In this 
final rule, we are finalizing the requirement to use certain standards 
and making recommendations to use certain IGs to support development of 
the FHIR API. Use of the Prior Authorization API will enable automation 
for the prior authorization request and response within the clinical 
workflow of the provider. The IGs and relevant standards, which are 
discussed in section II.G. of this final rule, serve as the 
instructional manuals for the functional capability of the API. When 
operational, the API enables a provider to submit a request about a 
medical item or service, determine if additional information is 
required, submit that information, and additionally assemble the 
necessary information to submit a prior authorization request. The 
response from the payer must indicate whether the payer approves (and 
for how long) or denies the prior authorization request or requests 
more information from the provider to support the request.
    To support the implementation and maintenance of the Prior 
Authorization API, we are requiring certain standards and recommending 
certain IGs, as discussed elsewhere and in section II.G. of this final 
rule. With the publication of the HTI-1 final rule (89 FR 1192), our 
cross references to 45 CFR 170.215 have been updated to reflect the 
updated citations as needed. Changes to the structure of 45 CFR 170.215 
and versions of the API standards codified there are discussed further 
in section II.G. of this final rule and reflected throughout this final 
rule. For the Prior Authorization API, impacted payers must use the 
following standards: HL7 FHIR Release 4.0.1 at 45 CFR 170.215(a)(1), US 
Core IG STU 3.1.1 at 45 CFR 170.215(b)(1)(i), and SMART App Launch IG 
Release 1.0.0 at 45 CFR 170.215(c)(1). Impacted payers are permitted to 
voluntarily use updated standards, specifications, or IGs that are not 
yet adopted in regulation for the APIs discussed in this final rule, 
should certain conditions be met. For the standards at 45 CFR 170.215 
required for the Prior Authorization API, updated versions available 
for use under our policy include, but are not limited to, US Core IG 
STU 6.1.0 and the SMART App Launch IG Release 2.0.0, which have been 
approved for use in the ONC Health IT Certification Program.\97\ We 
refer readers to section II.G.2.c. of this final rule for a full 
discussion on using updated standards. We are also recommending payers 
use the CRD IG STU 2.0.1, HL7[supreg] FHIR[supreg] Da Vinci 
Documentation Templates and Rules (DTR) IG STU 2.0.0, and PAS IG STU 
2.0.1. We refer readers to Table H3 for a full list of the required 
standards and recommended IGs to support API implementation.
---------------------------------------------------------------------------

    \97\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

    Comment: Many commenters supported the proposal to require impacted 
payers to implement and maintain a Prior Authorization API to improve 
automation of the prior authorization process. Many commenters stated 
that the API has the potential to support the needed transition to 
electronic prior authorization. Commenters also stated that the Prior 
Authorization API would

[[Page 8862]]

reduce the burden for providers and speed up the prior authorization 
process for patients to improve care and access treatment options. A 
commenter stated that the API would offer much-needed transparency for 
rural providers around the prior authorization process. Other 
commenters stated that the API would potentially replace old ways of 
conducting the prior authorization process and give way to new ways of 
conducting prior authorization and explained that the prior 
authorization provisions laid out in the CMS Interoperability and Prior 
Authorization proposed rule could provide a good return on investment 
for payers. Multiple commenters supported CMS's efforts to implement a 
standardized API that makes payers' prior authorization and other 
documentation requirements electronically accessible to providers and 
that supports a more streamlined prior authorization request and 
response process. Multiple commenters believe this change will offer 
many benefits for patients and providers, including increasing access 
to care for patients and increasing providers' understanding of prior 
authorization requirements by providing upfront information about which 
services require prior authorization and what type of documentation is 
required to support approval of a prior authorization request; and 
increasing automation in the submission, receipt, and processing of 
requests, which could support more timely responses. Commenters also 
stated that this automation will help decrease administrative costs and 
that the Prior Authorization API would improve the efficiency of 
providing services to patients due to the request and response being 
automated and in real-time, as well as the quality of patient care. A 
large group of commenters expressed their support for the proposed 
requirement for payers to implement the Prior Authorization API because 
it will make their physical therapy businesses more efficient and allow 
them to focus on treating patients.
    Response: We agree that these policies will serve to mitigate some 
of the burdens that exist in the prior authorization process today. 
This is the reason we are finalizing a modification to the compliance 
dates. Our proposal did not include a requirement for the Prior 
Authorization API to provide real-time processing of the prior 
authorization request, but we agree that incorporating a level of 
automation and facilitating electronic prior authorization processing 
could improve processing timelines in the future. Though we anticipate 
that some of the responses or decisions potentially may be made in 
real-time, other decisions will continue to necessitate review and 
evaluation by clinical staff. The complete automation of a complex 
process such as prior authorization is an ongoing process of continuous 
improvement.
    Comment: Multiple commenters stated that the Prior Authorization 
API would not do enough to resolve existing issues surrounding prior 
authorization burden and turnaround times. A commenter stated that the 
amount of data to be transmitted and used by payers and providers 
through the API is burdensome and impractical. This commenter wrote 
that the continued transmission of medical information from non-FHIR 
systems (for example, administrative transactions) will require payers 
to translate such information into a format that is useable for the 
Prior Authorization API, which would only shift the manual prior 
authorization burden, not alleviate it. The commenter stated it is 
important to maintain industry flexibility around prior authorization 
to continue industry innovation in interactive decision-making 
processes with providers to ensure the best care experience possible 
for patients. Multiple commenters expressed concern that the required 
implementation of the Prior Authorization API might increase the burden 
for both providers and payers. A commenter expressed concerns that what 
time may be saved through the API may end up being redirected to 
maintain the API, field questions from patients and providers, and 
support external development when requests are incomplete, which may 
even require a dedicated team to answer provider questions throughout 
the electronic prior authorization lifecycle. This commenter provided 
insight into their experience with their current online portal and 
provider submissions of prior authorizations, and continued reliance on 
electronic faxes. A commenter expressed concerns that the maintenance 
of the API will also place significant burdens on payers to translate 
all coverage criteria to questions suitable for the electronic prior 
authorization process and to keep such information up to date. Another 
commenter also stated that the work involved in identifying all 
policies and authorization processes that would be included in the 
Prior Authorization API will be a significant effort as it will require 
significant resources, staff, and time.
    Response: We acknowledge concerns about the new technology and 
processes associated with the Prior Authorization API, including 
implementation challenges, potential conflicts with existing workflows, 
and increased workload for initially implementing the Prior 
Authorization API. Payers will need to identify the policies, conduct 
the analysis, and do the necessary programming for the next few years. 
Providers will also experience an initial implementation and data 
collection burden associated with translating records into FHIR-
compatible formats. It is in part based on these considerations that we 
decided to modify our proposed compliance dates so that the impacted 
payers and providers alike will have sufficient time to conduct testing 
on the newly structured prior authorization process. We disagree with 
commenters who indicated that the Prior Authorization API would not do 
enough to resolve existing issues surrounding prior authorization 
burden and turnaround times, and with those who were concerned that the 
transmission of medical information from systems would shift the prior 
authorization burden to manual processes rather than alleviate it. The 
benefits of using an electronic prior authorization process improve the 
manual and burdensome process used today. Making the prior 
authorization process electronic will reduce the time and burden 
associated with the current process, allowing providers to put time 
back into direct patient care, and ultimately will reduce provider 
burnout. Once the Prior Authorization API is in place and a provider 
can connect to a payer's system using that API, the manual effort for 
both payers and providers should decrease because clinical and 
administrative staff will be able to leverage the technology to conduct 
a more streamlined process for submitting prior authorization requests. 
Payers should be able to shift resources to review the requests more 
efficiently. While payers may have their policies documented, these are 
not in any standard formats, nor are they readable in any structured 
way. Providers must often download documents from different portals and 
then interpret them individually. The API will centralize and automate 
this process for both payers and providers. Further, we have included 
several significant policies that do not require API development or 
enhancement in this final rule, one of which relates to shortening the 
deadline by which impacted payers must respond to prior authorization 
requests from providers. The policies being finalized in this rule have 
been developed over time with input from providers, payers, and 
patients to address the technical

[[Page 8863]]

and operational issues described to us as the most significant issues 
in the prior authorization process.
b. FHIR Implementation Guides
    In the CMS Interoperability and Prior Authorization proposed rule, 
we proposed to require the use of certain technical specifications 
(that is, IGs adopted as implementation standards) adopted at 45 CFR 
170.215 (87 FR 76239). We also proposed that the same documentation 
requirements and discontinuation and denial of access standards as we 
proposed for the Patient Access API (discussed in section II.A.2. of 
this rule), the Provider Access API (discussed in section II.B.2. of 
this rule), and the Payer-to-Payer API (discussed in section II.C.3. of 
this rule) would apply to the Prior Authorization API. Additionally, 
for the Prior Authorization API, we specifically recommended using 
certain FHIR IGs that have been developed to support the functionality 
of the Prior Authorization API. These IGs are as follows:

 The CRD IG
 The DTR IG
 The PAS IG

    These three IGs are designed to be used by the payer, or 
implementer, to develop and implement the Prior Authorization API. The 
IGs undergo regular development and testing to support implementation 
and use of the Prior Authorization API and to improve the API's 
functionality in support of an improved prior authorization process. 
Technical information and website access are provided in section II.G. 
of this final rule.
    The first IG recommended for use to develop the Prior Authorization 
API is the CRD IG. As described on the HL7 web page, the CRD IG defines 
a workflow to allow payers to provide information about coverage 
requirements to providers through their clinical systems.\98\ Use of 
this IG improves the transparency of specific coverage rules specific 
to the patient and the provider based on the payer's prior 
authorization policies, and, when implemented, provides decision 
support to providers when they are ordering services. This is the first 
stage of the process for determining whether authorization is required 
for certain items or services. The CRD IG provides the functionality to 
enable the API to inform the provider if a prior authorization is 
required, and information about the payers' prior authorization 
coverage rules, so the provider knows what information is necessary to 
support a request. The functionality of the CRD may return a decision 
to the provider if there is sufficient information and the payer 
supports early determinations.
---------------------------------------------------------------------------

    \98\ Health Level Seven International (2024, January 8). Da 
Vinci--Coverage Requirements Discovery. Retrieved from https://www.hl7.org/fhir/us/davinci-crd/.
---------------------------------------------------------------------------

    The second IG recommended for use by payers to develop the Prior 
Authorization API is the DTR IG. On the HL7 IG web page, the 
description explains how this IG specifies how payer rules can be 
executed in a provider context to ensure that documentation 
requirements are met.\99\ This IG is a companion to the CRD IG. Its 
purpose is to automate the process of assembling documentation to 
support a prior authorization request for a specific payer. The 
instructions will allow the provider to download questionnaires and 
populate them automatically with information from the EHR or other 
systems for the completion of documentation requirements needed to 
demonstrate medical necessity for a proposed item or service, based on 
payer rules. The DTR IG enables the return of completed templates with 
specific FHIR resources identified as required to support the medical 
necessity of the service or item that is being requested for a prior 
authorization. This process replaces the need to manually request, 
gather, and submit documentation.
---------------------------------------------------------------------------

    \99\ Health Level Seven International (2023, November 7). Da 
Vinci--Documentation Templates and Rules. Retrieved from https://www.hl7.org/fhir/us/davinci-dtr/.
---------------------------------------------------------------------------

    The third IG recommended for the Prior Authorization API is the PAS 
IG. On the HL7 web page, the description explains that the PAS IG 
enables direct transmission of prior authorization requests (and can 
request/receive immediate authorization) from within EHR systems using 
the FHIR standard and that it can create the mapping between FHIR and 
HIPAA compliant X12 transactions.\100\ The PAS IG ensures that the API 
takes the information from the CRD and DTR and allows provider systems 
to send (and payer systems to receive) requests using FHIR. Providers 
and payers can still meet separate regulatory requirements, where 
required, to use the X12 278 transaction standard for prior 
authorization(s) to transport the prior authorization request and 
response. The PAS IG is the basis for: (1) assembling the information 
necessary to substantiate the clinical need for a particular treatment; 
and (2) submitting the assembled information and prior authorization 
request to an intermediary before it is sent to the intended recipient. 
As these IGs have been expanded and improved, the workgroup has 
enhanced the graphic display depicting the workflow and made it 
available on the HL7 website.\101\
---------------------------------------------------------------------------

    \100\ Health Level Seven International (2023, December 1). Da 
Vinci--Documentation Templates and Rules. Retrieved from https://www.hl7.org/fhir/us/davinci-pas/.
    \101\ Health Level Seven International (2023, November 20). Da 
Vinci Coverage Requirements: Technical Background. Retrieved from 
https://build.fhir.org/ig/HL7/davinci-crd/background.html.
---------------------------------------------------------------------------

    Most importantly, use of the instructions from the IG and the API 
provides the necessary information about the status of the prior 
authorization request--the response indicates whether the payer 
approves (and for how long) or denies (and the reason) the prior 
authorization request, or requests more information from the provider 
to support the prior authorization request. The PAS IG also defines 
capabilities around the management of prior authorization requests, 
including checking on the status of a previously submitted request, 
revising a previously submitted request, and canceling a request. 
Section II.G. of this final rule provides additional discussion of both 
the required and recommended standards and IGs to support the Prior 
Authorization API.
    Comments regarding requiring versus recommending the IGs, maturity 
of the IGs, and technical implementation challenges are addressed in 
section II.G. of this final rule. For example, commenters recommended 
that the FHIR IGs should be required rather than recommended, as merely 
recommending the IGs would lead to an additional burden for both payers 
and providers as they may use varied implementations of the required 
APIs that would ultimately reduce interoperability. We also received 
multiple comments about technical implementation challenges and the 
maturity of the recommended IGs. Technical comments such as these are 
addressed in section II.G. Here we respond to the comments specific to 
the standards and IGs for implementation of the Prior Authorization 
API.
    Comment: Multiple commenters recommended that CMS and HL7 ensure 
the recommended CRD, DTR, and PAS IGs are fully tested before the 
effective date of the final rule, as the IGs have not been adequately 
or widely tested in real-time clinical settings. The commenter noted 
that these IGs have data elements and processes that are listed as 
optional despite their utility for automation. Another commenter 
cautioned that the IGs have several data elements and processes that 
are optional, which means payers could meet decision requirements with 
vague responses,

[[Page 8864]]

hence jeopardizing CMS's prior authorization reform goal. Multiple 
commenters supported using the PAS IG and stated that the IG is well-
positioned to support the development of the proposed Prior 
Authorization API. A commenter noted that many of the proposed 
requirements are covered in the PAS IG STU 2.0.0, which is targeted for 
publication in calendar year 2023. The commenter continued by stating 
that based on functional requirements, additional updates can be made 
to the IG to ensure it fully supports the proposed Prior Authorization 
API once finalized in preparation for compliance in 2026. However, 
other commenters expressed some concerns about recommending these IGs. 
Multiple commenters noted that hospitals and insurers may need to use 
more than one technology solution to participate and track activity 
using the Prior Authorization API. A commenter expressed concern with 
the proposed IGs, which seem to require fast responses, within 5 
seconds, and encouraged CMS to monitor technical standards as they are 
developed to avoid excessive burdens that the agency did not intend to 
create.
    Response: CMS is recommending the three IGs to implement the Prior 
Authorization API. These IGs, the CRD, DTR, and PAS IGs, were created 
to be used together to provide implementation flexibility. Several 
optional or ``situational'' elements were included in these guides as a 
means to connect them in a single workflow while allowing for the 
decoupling of these processes where necessary. For example, the CRD IG 
might be used to develop an API specific to prior authorization 
coverage requirements, and a separate API, linked to that one, built 
using the DTR IG. Some hospitals and providers will need more than one 
technology solution to connect to the payer's Prior Authorization API 
endpoint based on the architectures and systems of the provider 
organization. Impacted payers and providers may have separate and 
unconnected systems that address coverage and eligibility, 
documentation, and prior authorization. Since publication of the CMS 
Interoperability and Prior Authorization proposed rule, updated 
versions of the CRD, DTR, and PAS IGs have all been published. We refer 
readers to Table H3 for the required standards and recommended IGs to 
support API implementation.
    In response to the specific comment about implementation 
strategies, we refer implementers to the HL7 Da Vinci workgroups for 
technical guidance; however, we understand that payers may need to pull 
multiple technology solutions together to meet the overall Prior 
Authorization API requirements. Concerning the response time of 5 
seconds, which is near real-time, we anticipate that most systems can 
accommodate this communication exchange when the information is 
available. The PAS IG has a recommended synchronous response time of 15 
seconds. Instructions are available in the IG for how systems should 
respond in a timeframe with the best possible information. For further 
technical details, we encourage interested parties to reach out to the 
appropriate HL7 workgroups.
    Comment: Multiple commenters stated that there are potential 
technological challenges for the implementation of the Prior 
Authorization API. A commenter noted that the proposed rule does not 
specify what technology hospitals need to support or implement the API, 
nor what technology is needed to track participation or be required to 
participate in the API once finalized. This commenter noted that 
providers will be using the Prior Authorization API without any 
meaningful testing. Another commenter noted that they currently offer 
providers an option to submit electronic prior authorizations through 
an online portal, but utilization is low as most providers still favor 
fax as their preferred method to send prior authorizations, and portal 
prior authorizations often require corrections to incorrect data 
entries.
    Multiple commenters said CMS should do more to support the 
implementation of the Prior Authorization API. A commenter supported 
regulatory efforts to require payers to build APIs to automate prior 
authorization, but questioned whether the CMS Interoperability and 
Prior Authorization proposed rule goes far enough to accomplish that 
goal. Another commenter noted that the Prior Authorization API will 
require payers, providers, and vendors to connect but noted that 
multiple infrastructure challenges will have to be resolved to ensure 
API implementation success and cited the work of the HL7 FAST 
Accelerator to identify and address scalability issues to avoid 
duplication of efforts, including security and authentication.
    Response: The regulations we are finalizing in this rule require 
impacted payers to implement a Prior Authorization API, and providers 
are encouraged to use the technology in their CEHRT to take advantage 
of the improvements in prior authorization processes that will be 
available through use of the Prior Authorization API. As we noted in 
the proposed rule, HL7 launched an implementation division in 2021, 
specifically to provide support for implementers, including education 
and technical support. This division will provide payers, providers, 
and vendors with access to information about the types of technology 
and software that will address implementation, education, and testing 
of the standards, IGs, and APIs. Furthermore, the HL7 workgroups, which 
are open to the public, continue to be the best resources to learn 
about implementation. We will continue to work with associations, 
developers, and HL7 on identifying or supporting the development of 
appropriate resources for education.
    The HL7 FAST Accelerator is addressing the scalability issues of 
the FHIR standard through its work on security and the directory IGs. 
We and ONC participate in the HL7 FAST Accelerator and will monitor 
progress on the IGs being developed by that project.
    The policies in this final rule are an important component of the 
overall CMS strategic plan to reduce burden, advance interoperability, 
and improve patient care. This rule finalizes significant changes to 
improve the patient experience and alleviate some of the administrative 
burden by applying policies which address both technical and process 
barriers. These policies represent foundational regulatory steps toward 
addressing the longstanding challenges of prior authorization.
    Comment: A commenter, writing from the provider perspective, stated 
that the Prior Authorization API would complicate clinical and 
administrative workflows by requiring some combination of staff time 
and additional technological advances and recommended the FHIR API be 
combined with the HIPAA transaction standard.
    Response: We do not agree that using the Prior Authorization API 
will complicate clinical work. Rather, time will be saved across all 
personnel tasks, including researching the requirements for prior 
authorization across multiple payers, entering information into 
systems, submitting requests, processing approvals, or determining next 
steps if a denial is received. The Prior Authorization API is capable 
of conducting the prior authorization request as a FHIR only data 
exchange, or in combination with the HIPAA transaction standard.
    Comment: Multiple commenters urged CMS to name the CDex IG as one 
of the recommended IGs to use in support of the Prior Authorization API

[[Page 8865]]

and stated that it is a critical part of burden reduction and plays an 
important role in supporting FHIR prior authorization transactions as 
proposed. To support the attachments for the Patient Access, Provider 
Access, and Payer-to-Payer APIs, as well as the supporting 
documentation requirements for the Prior Authorization API, this IG 
provides the instructions to enable the exchange of structured 
documents \102\--meaning those which could be read and interpreted by a 
computer. This functionality to attach documents to support a prior 
authorization is currently missing from the other FHIR IGs and 
standards. A commenter stated that the PAS IG could support existing 
Federal and state requirements to exchange attachments if implementers 
also added the functionality of using the CDex IG. Use of this IG would 
further support efficiencies in the prior authorization process.
---------------------------------------------------------------------------

    \102\ General comparison of structured versus unstructured 
documents: Structured documents are organized and fit into 
spreadsheets and relational databases. Structured documents often 
contain numbers and fit into columns and rows and are easily 
searchable. Examples are ICD-codes, Star Ratings, and other discrete 
data elements. Unstructured documents include traditional business 
files, word processing documents, presentations, notes, and PDFs.
---------------------------------------------------------------------------

    Response: We are aware that early adopters have begun testing with 
the CDex IG for attachments to advance additional use cases for the 
Prior Authorization API. This final rule does not address standards for 
attachments and does not prohibit using the CDex IG or other attachment 
standards.
c. Implementation, Automation, and Other General Considerations for the 
Prior Authorization API and Processes
    We proposed and are finalizing requirements for impacted payers to 
implement a Prior Authorization API to improve the prior authorization 
process. The policy would require use of new standards for some 
impacted payers and some changes in procedures. We received comments on 
the use of new standards, technology, and automation with 
considerations for implementation and have grouped them here.
    Comment: A commenter stated that they support the proposed 
requirements for the Prior Authorization API; however, they believe 
much more needs to be done to achieve the CMS objectives for this 
policy. Multiple commenters shared potential concerns and challenges 
with the implementation of a Prior Authorization API. A commenter wrote 
that the Prior Authorization API use case will not work without 
provider participation, as the API requires bidirectional exchange 
between impacted payers and providers. A commenter expressed concern 
regarding the resource development needed for providers and noted this 
needs to be more widely understood before the implementation of the 
Prior Authorization API. The commenter recommended CMS work with 
interested parties to ensure practices can utilize and leverage this 
API. The commenter encouraged CMS to work with ONC to extend the 
applicability of the Prior Authorization API requirements to providers 
and EHR vendors to ensure technical readiness and enable greater 
adoption of the Prior Authorization API and electronic prior 
authorization. A commenter suggested that CMS require plans to provide 
to each contracted physician, upon request and regardless of their use 
of the API, the references to the clinical research evidence that 
underlie medical policy determinations when they approve or deny a 
service. The commenter noted that some physicians may not be able to 
adopt these systems by the compliance dates.
    Response: We are finalizing compliance dates in 2027 for payers to 
implement the Prior Authorization API which should provide sufficient 
time for payers to implement the APIs, collaborate with EHR vendors to 
support appropriate connections for their providers, and develop 
outreach materials. Ongoing pilots demonstrate that payers and 
providers can implement the necessary infrastructure by those 
compliance dates. While providers are not required by this final rule 
to use the Prior Authorization API, in section II.F. of this final rule 
we are incentivizing providers to use this API by finalizing new 
electronic prior authorization measures for MIPS eligible clinicians 
under the MIPS Promoting Interoperability performance category and for 
eligible hospitals and CAHs under the Medicare Promoting 
Interoperability Program. To promote Prior Authorization API adoption, 
implementation, and use among MIPS eligible clinicians, eligible 
hospitals, and CAHs, we are adding a new measure titled ``Electronic 
Prior Authorization'' under the HIE objective in the MIPS Promoting 
Interoperability performance category and the Medicare Promoting 
Interoperability Program, beginning with the calendar year (CY) 2027 
performance period/2029 MIPS payment year and CY 2027 EHR reporting 
period. There could be many benefits for providers for improvements in 
the prior authorization process, and we encourage all providers to 
evaluate whether use of the Prior Authorization API could benefit their 
practices. Payers should also encourage providers in their network to 
use the Prior Authorization API, given that it could be timesaving for 
both parties, and we anticipate that many payers will begin education 
and awareness campaigns as more pilots are launched and/or payer APIs 
are readied for testing. We are monitoring the activities of existing 
pilots and receiving positive reports from participants. ONC may 
consider developing and making available additional criteria for EHR 
certification for electronic prior authorization in future rulemaking.
    We did not propose to specifically require payers to make available 
the references to the clinical research evidence that underlie medical 
policy determinations when they approve or deny a service, but we did 
propose that when an impacted payer denies a prior authorization 
request, the payer must include a specific reason for that denial in a 
notice to the provider who requested the prior authorization. See 
section II.D.3. regarding that proposal and the final policy. While we 
do not oversee contract provisions between payers and providers, the CY 
2024 MA and Part D final rule (88 FR 22120) \103\ finalized a new 
requirement at 42 CFR 422.101(b)(6) for MA plans to make certain 
information about their internal coverage policies publicly accessible, 
including a list of the evidence considered in developing the internal 
coverage criteria; that final rule also limits using internal coverage 
criteria for Part A and Part B benefits to when coverage criteria are 
not fully established in Medicare statute, regulation, NCD, or LCD. We 
anticipate this information, along with the requirement that MA plans 
provide a reason for denying a request for prior authorization (at 42 
CFR 422.122 as adopted here and currently in existing 42 CFR 
422.568(e)) will address the commenter's concern about access to 
clinical research and evidence supporting denials of coverage in the MA 
program. In addition, the CY 2024 MA and Part D final rule adopted a 
new regulation, at 42 CFR 422.137, that requires a Utilization 
Management Committee to annually review the policies and procedures for 
all utilization management, including prior

[[Page 8866]]

authorization, used by the MA plan, and a new regulation at 42 CFR 
422.138 that limits how prior authorization may be used by certain MA 
plans. Per 42 CFR 422.138, coordinated care MA plans (for example, 
Health Maintenance Organization [HMO], Preferred Provider Organization 
[PPO], and point-of-service [POS] plans) may only use prior 
authorization to confirm the presence of diagnoses or other medical 
criteria that are the basis for coverage determinations for the 
specific item or service and to ensure that the requested item or 
service is medically necessary (for Part A and B benefits) or 
clinically appropriate (for supplemental benefits). Finally, we remind 
readers that MA regulations at 42 CFR 422.202(b) and 422.136(a) require 
MA organizations to provide education and outreach about utilization 
management policies and engage in consultation with contracted 
providers.
---------------------------------------------------------------------------

    \103\ See 88 FR 22120 through 22345 (April 12, 2023). Medicare 
Program; Contract Year 2024 Policy and Technical Changes to the 
Medicare Advantage Program, Medicare Prescription Drug Benefit 
Program, Medicare Cost Plan Program, and Programs of All-Inclusive 
Care for the Elderly. Retrieved from https://www.federalregister.gov/documents/2023/04/12/2023-07115/medicare-program-contract-year-2024-policy-and-technical-changes-to-the-medicare-advantage-program.
---------------------------------------------------------------------------

    Comment: Multiple commenters discussed automating prior 
authorizations, and many were in support of automation, providing 
technological suggestions for automation of the prior authorization 
process. A commenter stated that, for prior authorization forms, 
specific clinical questions require answer formats that are easily 
understood and automated by a computer. Another commenter described how 
payers might automate the prior authorization process by utilizing 
existing matrices to create algorithms that would be able to review a 
large proportion of their prior authorization requests. A commenter 
noted that deep learning AI methods for submitted clinical data could 
be used to inform the review and electronic prior authorization 
approval process to expedite a decision that simulates a consensus of 
expert human judgment.
    Multiple commenters recommended that CMS explore automating service 
``bundle'' prior authorizations for instances where one episode of care 
needs multiple prior authorizations (for example, a knee replacement 
surgery), as this would help ease administrative burden and reduce 
delays in patient care.
    Response: We are closely following the level of interest in the 
types of automation that might be brought to bear on the prior 
authorization process, particularly around the infrastructure for 
communications, and the innovative thinking shared in the public 
comments. While CMS did not directly address using AI for purposes of 
implementing the prior authorization policies, or any provisions of 
this final rule, we encourage innovation that is secure; includes 
medical professional judgment for coverage decisions being considered; 
reduces unnecessary administrative burden for patients, providers, and 
payers; and involves oversight by an overarching governance structure 
for responsible use, including transparency, evaluation, and ongoing 
monitoring. We also reiterate that impacted payers must comply with 
Federal and state policies and the requirements of the standards and 
recommended IGs in implementing these APIs. We encourage these and 
other individuals to participate in the HL7 IG development groups to 
share these ideas with the drafters of the IGs to further refine their 
functionality.
    Comment: Multiple commenters recommended that CMS include 
additional requirements for payers. A commenter recommended that CMS 
require payers to offer their electronic prior authorization system at 
no cost to providers. Multiple commenters stated that health plans 
should be required to provide a web-based interface for providers and 
patients with a standardized, easy-to-use web page with an up-to-date 
database that quickly indicates whether prior authorization is 
required. The commenter stated that this web page should include prior 
authorization rules and medical policies. A commenter requested that 
the required response to the query on the online database include the 
following data points: transaction ID, group or member ID, date of 
service, prior authorization required, instructions, and a medical 
policy link. A commenter recommended that, in the case of a technical 
glitch with the prior authorization process, insurance plans should 
develop a backup system.
    Response: We did not specifically address whether payers could 
charge providers for use of or access to the Prior Authorization API. 
We would encourage payers not to charge additional costs beyond those 
that may exist to conduct prior authorization business functions today, 
including the costs of conducting transactions. We do not anticipate 
that fees would be charged for use of the API or other services 
required by this final rule, but are aware that payers will be funding 
their own development and vendor related costs.
    Concerning the specific functionalities commenters requested be 
available through portals, online systems, or the API, such as easy-to-
use web pages with an up-to-date database that quickly indicates 
whether prior authorization is required or what the medical policies 
are, we reiterate that payers are required to implement a Prior 
Authorization API that allows a provider to query a payer's system to 
determine whether a prior authorization is required, to identify 
documentation requirements, and to receive information about whether a 
specific prior authorization request has been approved or denied. As 
part of fulfilling these required functions, information about the 
policies and how they have been developed may be available, but we 
understand that the level of additional information and detail about 
the development of prior authorization and coverage policies could vary 
by payer. There may be other connected systems and resources available 
with information about the medical policies that are associated with 
the Prior Authorization API to which the provider will be able to refer 
to understand how decisions are being made for certain items and 
services. Furthermore, under existing Federal and state laws, such as 
the HIPAA Privacy and Security Rules, administrative, technical, and 
physical safeguards policies and procedures must be in place to ensure 
that systems have effective backup controls to protect access to 
patient data during planned and unplanned downtime. We would expect 
impacted payers to already have such procedures in place for reliable 
backup systems.
    Comment: Multiple commenters noted that payers will have to 
digitize their prior authorization policies to meet the Prior 
Authorization API requirements, which will be difficult and time-
consuming. Multiple commenters noted that payers may be concerned that 
if a significant amount of their providers do not adopt the new prior 
authorization API process, the payer will not receive the full benefit 
of their investment.
    Response: We acknowledge that payers will have to digitize their 
prior authorization policies to meet the API requirements. Several 
organizations have implemented the Prior Authorization API as pilot 
projects or as part of the Da Vinci Exception Project, and we are aware 
that implementation of the API requires a significant investment of 
resources. We also recognize that the full benefit of the API will be 
achieved when providers use the API to request information about prior 
authorization requirements and change existing workflow patterns. The 
changes for both payers and providers will maximize the return on 
investment from the new electronic exchange. We encourage other 
impacted payers to engage with these early implementers to learn from 
their experience and to begin evaluating their policies to understand 
the level of effort that will be required within their organizations. 
To support

[[Page 8867]]

the analysis, implementation, and testing, we are also finalizing 
compliance dates that are a year later than we proposed to provide 
additional time for the necessary work to implement the Prior 
Authorization API and to conduct outreach and education to the provider 
community.
    Comment: A commenter recommended that CMS include a Prior 
Authorization API opt out policy and another commenter recommended that 
CMS explain providers' responsibilities related to communicating 
patients' right to opt out of the Prior Authorization API and their 
responsibility to notify the payer of that decision.
    Response: Prior authorization is an administrative process between 
a payer and provider that is conducted almost completely electronically 
today with no direct burden on the patient. We would anticipate that an 
individual who wishes to obtain medical services expediently might wish 
for their provider to use the most efficient resource available to 
them. The opt out/opt in rules that we are finalizing in this rule are 
for the Provider Access and Payer-to-Payer APIs' data exchange 
requirements, discussed in sections II.B. and II.C., and do not apply 
to the Prior Authorization API. While this final rule does require 
impacted payers to develop and implement the Prior Authorization API, 
this rule does not require providers to use the API. As discussed in 
section II.F., this final rule does include policies regarding using 
the Prior Authorization API for the Promoting Interoperability 
performance category of MIPS and the Medicare Promoting 
Interoperability Program. As many providers are currently conducting 
these processes through EHRs in the office, with the patient present, 
we would encourage providers to explain any activity to the patient, as 
is being done for any electronic transaction, including electronic 
prescribing, lab orders, and scheduling. We also anticipate that 
providers would want to use a process in which their EHR or other 
medical record systems are capable of connecting with the APIs and 
exchanging certain data and documents using FHIR standards. At a 
minimum, the Prior Authorization API will provide a means for providers 
to identify the prior authorization requirements for the impacted 
payers, which will save time and burden associated with having to 
research those requirements manually. We do not believe it is necessary 
to add a new opt out process for patients regarding prior 
authorization. These are administrative tasks already in place in 
provider offices. We reiterate that providers are not required by this 
rule to use the Prior Authorization API.
    Comment: Multiple commenters discussed prior authorization criteria 
and specifically referenced the CY 2024 MA and Part D final rule for 
the enhancements it provides for prior authorization requirements. A 
commenter requested that CMS require payers to make their prior 
authorization criteria public in advance of the publication of this 
final rule and to ensure that physicians with expertise in the services 
are involved in their development. Other commenters requested that CMS 
ensure that prior authorization criteria be peer-reviewed. A commenter 
wrote that the Prior Authorization API will increase transparency into 
payer prior authorization criteria, and another noted that using an 
electronic data exchange could improve the accuracy of prior 
authorization determinations. A few commenters wrote that the solution 
to prior authorizations must include both an expedited prior 
authorization process as well as appropriate clinical decision-making, 
particularly with treatment guidelines supported by clinical evidence. 
Another commenter stated that the Prior Authorization API could 
specifically speed up the process of prior authorization for key 
treatments of gynecologic cancers. Commenters noted that the increased 
transparency will include better timing for responses and accuracy for 
treatment protocols subject to prior authorization.
    Response: We agree that if the API can enhance provider 
understanding of the requirements for requesting a prior authorization, 
a provider's ability to submit a complete and accurate request 
electronically will be improved and the manual intervention needed to 
collect additional information reduced. This transparency in 
requirements and criteria should improve communication between payers 
and providers during the prior authorization process, which is a core 
element of the functionality of the Prior Authorization API. We also 
appreciate comments suggesting that prior authorization criteria should 
be peer-reviewed and include appropriate clinical decision-making 
information with treatment guidelines that are supported by clinical 
evidence. Use of such clinical evidence is helpful to reviewers when 
creating care treatment plans and evaluating prior authorization 
requests. We have also heard from many payer organizations that 
aligning with clinical guidelines is part of their process when 
establishing prior authorization criteria and we encourage this 
practice for all payers. We did not make specific proposals related to 
developing prior authorization criteria, but acknowledge the value of 
such clinical involvement.
    We also note that the provisions in this final rule on prior 
authorization will work with several of the utilization management and 
prior authorization policies in the CY 2024 MA and Part D final rule to 
further CMS's overall goals of improving prior authorization processes 
to serve the needs of payers, providers, and patients. We encourage 
readers to review that rule as well (88 FR 22120) to have a greater 
understanding of the limits on how MA organizations may use and 
implement prior authorization.
    Comment: Multiple commenters discussed the need for APIs to be 
integrated with EHR systems. A commenter expressed concern that current 
EHR systems will not be set up to accommodate the requirements of this 
rule. Another commenter noted that an obstacle to the effective 
implementation of the Prior Authorization API is the lack of 
standardized coding and structured data in provider EHRs to support 
adjudication of a prior authorization request. The commenter stated 
that it will be important for EHR clinical data to be standardized to 
successfully adjudicate prior authorization requests through API 
interfaces.
    Response: We appreciate comments about standardization and the need 
for providers and EHR system vendors to address consistency in the 
coding of medical records for interoperable data exchange. Such 
comments do not reflect a technical readiness issue for the Prior 
Authorization API or the standards but rather an industry readiness to 
meet the requirements to enable and automate prior authorization 
processes. Over the next few years, both provider management systems, 
as well as certified EHRs, will advance in their use of standards, data 
exchange, and connectivity. Implementation of a content standard at 42 
CFR 170.213 (USCDI) for all data classes and data elements will support 
communication about medical records will reduce the variation in 
medical record coding, increase structured data, and support the 
ability for interoperable data exchange. The IGs that support the Prior 
Authorization API provide the framework for exchanging standard 
information between the payer and provider systems.
    We note that ONC previously sought comment on how updates to the 
ONC Health IT Certification Program could support electronic prior 
authorization through an RFI titled ``Electronic Prior Authorization 
Standards,

[[Page 8868]]

Implementation Specifications, and Certification Criteria'' (87 FR 
3475), which appeared in the January 24, 2022, issue of the Federal 
Register. The Unified Agenda, current at the time of this final rule's 
publication, includes an entry for a proposed rule from ONC entitled 
``Health Data, Technology, and Interoperability: Patient Engagement, 
Information Sharing, and Public Health Interoperability'' (RIN 0955-
AA06). The description indicates that this proposed rule aims to 
advance interoperability, including proposals to expand the use of 
certified APIs for electronic prior authorization.\104\
---------------------------------------------------------------------------

    \104\ Office of Information and Regulatory Affairs, Office of 
Management and Budget, Executive Office of the President. 
Reginfo.gov. Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    Comment: A few commenters recommended that CMS work with states to 
resolve conflicts between this rule and existing state regulations. A 
commenter noted that Arizona has recently enacted legislation and 
published guidance establishing a uniform prior authorization request 
form. The commenter expressed concern that potentially conflicting 
policies would create confusion and operational process challenges for 
QHP issuers on the FFEs and providers.
    Response: We are aware that many states are also attempting to 
improve prior authorization processes and have read the Arizona 
legislation HB 2621 from 2022 \105\ regarding using standard paper 
forms and electronic portals. We do not believe there is a conflict 
between those requirements and this final rule as the Prior 
Authorization API required by this final rule can support the various 
state required standardized forms for electronic submission of the 
prior authorization request. The AMA also provides a list of other 
state legislation designed to improve prior authorization processes, 
many of which support or enhance the provisions in this final rule, for 
example, by supporting the establishment of an electronic prior 
authorization process.\106\ Should a conflict present between state and 
Federal requirements, the general rule is that the regulated entity 
must comply with both requirements unless compliance with one makes 
compliance with the other impossible; in such a situation, Federal law 
generally preempts state law in the absence of statutory direction 
otherwise.
---------------------------------------------------------------------------

    \105\ Office of the Director Arizona Department of Insurance and 
Financial Institutions (2022, January 3). Regulatory Bulletin 2022-
01(INS). Retrieved from https://difi.az.gov/sites/default/files/Prior%20Authorization%20Bulletin%20with%20forms%202022-01.pdf.
    \106\ American Medical Association (2022). 2022 Prior 
Authorization (PA) State Law Chart. Retrieved from https://fixpriorauth.org/sites/default/files/2022-12/2022%20Prior%20Authorization%20State%20Law%20Chart.pdf.
---------------------------------------------------------------------------

d. Implementation Timing Considerations
    In the proposed rule (87 FR 76290), we stated that we had 
considered proposing that the Prior Authorization API be implemented in 
a phased approach. However, we explained that we did not think a phased 
implementation strategy would reduce the burden on impacted payers or 
providers, but rather could increase burden during the initial 
implementation. We also explained that a phased approach could delay 
the availability of electronic prior authorization for certain items 
and services, which could in turn reduce the overall adoption of the 
Prior Authorization API by providers who do not see their specialties 
and services represented in the initial rollout of the available Prior 
Authorization API. We sought comment on whether to require payers to 
make prior authorization rules and documentation requirements available 
through the API incrementally, beginning in 2026. Additional comments 
and responses regarding the timing and deadlines for compliance with 
the Prior Authorization API and those policies that do not require API 
development or enhancement are discussed in sections I.B. and II.D.1.
    Comment: Some commenters supported a phased implementation of the 
Prior Authorization API to allow impacted payers sufficient time to 
build the API and recommended processes that would use the IGs in a 
staggered fashion rather than implementing the entire process for prior 
authorizations. Other commenters recommended a phased implementation 
based on the following order for the IGs: CRD IG first, DTR IG second, 
and PAS IG third. A commenter stated there are already states making 
plans to implement an electronic prior authorization process and 
suggested that a staggered approach could help to avoid unnecessary 
variation in implementations. A commenter stated that if CMS does not 
provide an explanation of terminology (such as ``documentation'') and 
specify IGs and common standards on time for the Prior Authorization 
API there may need to be a staggered approach for implementing the API. 
A commenter agreed with CMS's observation that a phased implementation 
approach would still result in having to request and process prior 
authorization requests in at least two different manners for a provider 
working with the same impacted payer, which makes little sense given 
the difficulties in the current state to even get the HIPAA Referral 
Certification and Prior Authorization transaction adopted under HIPAA 
Administrative Simplification. Multiple commenters recommended a 3-year 
timeframe for phased implementation based on the specific/common 
services approach. A commenter recommended that instead of using a 
percentage criterion, CMS should use a 3-year timeframe with year 1 
requiring authorization rules, year 2 adding rules to different 
specialty facilities, and year 3 adding the Prior Authorization API to 
specific services and care sectors.
    Response: As stated at the beginning of this section, we are 
finalizing a modification to our proposed compliance dates for the 
Prior Authorization API in 2027. We continue to believe, for the 
reasons outlined in the CMS Interoperability and Prior Authorization 
proposed rule and in our responses to comments on this issue, that 
mandating a phased approach is not necessary. Payers may choose to 
implement the IGs in a phased approach within their operations, as long 
as the API is fully functional by the compliance date. Each payer will 
evaluate the scope of work required to program their prior 
authorization requirements, build the rules and questionnaires, and 
develop appropriate testing. For those payers with extensive prior 
authorization requirements and less structured documentation policies 
for different benefit packages, the scope will be more significant. 
However, a phased approach will not change the scope of this work; the 
IGs provide the road map or instructions for implementation. Use of 
these guides will help payers determine the scope and level of effort 
required for the work that must be completed for system changes, as 
well as operational changes for their organizations.
    Comment: Multiple commenters stated the phased approach may result 
in inconsistent implementation and/or fragmentation when it comes to 
leveraging the Prior Authorization API, as different payers and 
providers may be at different stages of implementation. Multiple 
commenters stated that a phased approach could reduce adoption of Prior 
Authorization API by providers, particularly if certain items or 
services are listed in the initial rollout and others are not. A 
commenter noted that the slow and delayed rollout of the Prior 
Authorization API is unlikely to result in standardized, streamlined, 
electronic prior authorization experiences for physicians, clinicians, 
providers, and

[[Page 8869]]

health IT vendors. Therefore, multiple commenters supported the full 
implementation of Prior Authorization API on January 1, 2026.
    Response: We thank commenters for affirming that a phased approach 
could result in inconsistent and fragmented implementation of the Prior 
Authorization API and reiterate that the decision to provide an 
additional year for implementation for all impacted payers was made to 
ensure that the organizations would have sufficient time for training, 
development, testing, and outreach to providers.
e. Existing Prior Authorization Standards: HIPAA Exceptions for Testing 
New Standards
    In the CMS Interoperability and Prior Authorization proposed rule, 
we explained that the X12 278 transaction standard (Version 5010) and 
NCPDP D.0 are the current standards for electronic prior authorization 
transactions, adopted by HHS under provisions of HIPAA. Many payers and 
providers do not use the HIPAA transaction standards, and instead use 
proprietary payer interfaces and web portals through which providers 
submit their requests, as well as phone calls or faxes to complete the 
process for a response. The prior authorization process remains 
inefficient and burdensome and creates service issues for patients. We 
provided findings from industry surveys and HHS reports about gaps in 
the current processes and standards for prior authorization.
    The Council for Affordable and Quality Health Care (CAQH) Committee 
on Operating Rules for Information Exchange (CORE) annual report, the 
CAQH CORE Index, includes data on health plan and provider use of HIPAA 
standard transactions, and as noted in the proposed rule (at 87 FR 
76288), shows that prior authorization using the X12 278 transaction 
standard was the least likely to be supported by payers, practice 
management systems, vendors, and clearinghouse services.\107\ The 2021 
report \108\ showed an incremental increase in using the X12 278 
transaction standard for prior authorization of 26 percent. CAQH CORE 
published its 2022 report \109\ in November 2022 with data showing that 
while medical plans' adoption of the X12 278 transaction standard 
increased by two percentage points (to 28 percent), it was still low as 
compared to the other HIPAA transactions.
---------------------------------------------------------------------------

    \107\ Council for Affordable and Quality Health Care (2019). 
2019 CAQH Index: Conducting Electronic Business Transactions: Why 
Greater Harmonization Across the Industry is Needed. Retrieved from 
https://www.caqh.org/sites/default/files/explorations/index/report/2019-caqh-index.pdf?token=SP6YxT4u.
    \108\ Council for Affordable and Quality Health Care (2021). 
2021 CAQH Index: Working Together: Advances in Automation During 
Unprecedented Times. Retrieved from https://www.caqh.org/sites/default/files/explorations/index/2021-caqh-index.pdf.
    \109\ Council for Affordable and Quality Health Care (2022). 
2022 CAQH Index: A Decade of Progress. Retrieved from https://www.caqh.org/sites/default/files/2022-caqh-index-report%20FINAL%20SPREAD%20VERSION.pdf.
---------------------------------------------------------------------------

    We received many comments about the adopted HIPAA transaction 
standard and its intersection with the proposed rule and address 
applicable comments here.
    The provisions of this final rule will provide enhancements to the 
electronic prior authorization process overall. We are finalizing our 
proposal to require impacted payers to implement a Prior Authorization 
API that can provide the necessary data to support a payer's use of 
electronic prior authorization processes.
    In the proposed rule, we referenced section 1104 of the Affordable 
Care Act, which amended HIPAA to require that HHS adopt operating rules 
for HIPAA standard transactions. ``Operating rules'' are defined at 45 
CFR 162.103 as the ``necessary business rules and guidelines for the 
electronic exchange of information that are not defined by a standard, 
or its implementation specifications as adopted for purposes of HIPAA 
Administrative Simplification.'' Operating rules have not been adopted 
for the X12 278 transaction standard.
    The NCVHS reviews operating rules and advises the Secretary as to 
whether HHS should adopt them (section 1173(g) of the Act). The 
Secretary adopts operating rules through regulation in accordance with 
section 1173(g)(4) of the Act. In June 2022, CAQH CORE submitted 
revised and new operating rules to NCVHS for consideration. In June 
2023, NCVHS sent a letter to HHS recommending adoption of revised 
operating rules for Eligibility & Benefits, Claim Status, and Payment & 
Remittance Advice transaction standards, as well as a Connectivity 
operating rule. In that letter, NCVHS recommended that HHS not adopt 
the proposed CAQH CORE Attachments Prior Authorization Infrastructure 
operating rule or the CAQH CORE Attachments Health Care Claims 
Infrastructure operating rule. NCVHS wrote that ``[t]he need for these 
operating rules should be considered only after publication of a final 
rule adopting a health care attachments transaction standard under 
HIPAA.'' \110\ Should a future proposal or recommendation for adoption 
be submitted to HHS, we would evaluate the effect, if any, on the 
policies included in this final rule. After the publication of this 
final rule, CMS will continue to evaluate the impact of any NCVHS 
recommendation and any separate actions by HHS in that regard.
---------------------------------------------------------------------------

    \110\ National Committee on Vital and Health Statistics (2023, 
June 30). NCVHS Recommendations on Updated and New CAQH CORE 
Operating Rules to Support Adopted HIPAA Standards. Retrieved from 
https://ncvhs.hhs.gov/wp-content/uploads/2023/07/Recommendation-Letter-Updated-and-New-CAQH-CORE-Operating-Rules-June-30-2023_Redacted-508.pdf.
---------------------------------------------------------------------------

    We also noted in the CMS Interoperability and Prior Authorization 
proposed rule (87 FR 76289), that in March 2021, HHS approved an 
application \111\ from an industry group of payers, providers, and 
vendors for an exception under 45 CFR 162.940 from the HIPAA 
transaction standards to allow testing of an alternative to the adopted 
HIPAA standard for prior authorization.\112\ The purpose of this 
exception is to test an automated exchange of a prior authorization 
request and response using only the FHIR standard and the FHIR IGs 
recommended in the proposed rule and included in this final rule. Under 
this exception, participants are testing the prior authorization 
exchange using a FHIR-to-FHIR exchange using the FHIR standard without 
using the X12 278 transaction standard. Preliminary findings suggest 
that this alternative standard can be used successfully to conduct the 
prior authorization request and response as end-to-end FHIR in a cost-
effective, efficient way. Payer and provider groups have presented 
these preliminary findings in public forums.
---------------------------------------------------------------------------

    \111\ Da Vinci Project (2021, May 26). Da Vinci HIPAA Exception. 
Retrieved from https://confluence.hl7.org/display/DVP/Da+Vinci+HIPAA+Exception.
    \112\ HHS provides information about requests for exceptions 
from standards to permit testing of proposed modifications on the 
HIPAA administrative simplification website. Centers for Medicare 
and Medicaid Services (2023, September 6). Go-to-Guidance, Guidance 
Letters. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Subregulatory-Guidance/Go-to-Guidance-Guidance-Letters.
---------------------------------------------------------------------------

    HHS provides information about requests for exceptions from 
standards to permit testing of proposed modifications on the HIPAA 
administrative simplification website.\113\
---------------------------------------------------------------------------

    \113\ HHS website with information about Sec.  164.940 
(Exceptions Process and Guidance Letters): HHS provides information 
about requests for exceptions from standards to permit testing of 
proposed modifications on the HIPAA administrative simplification 
website. Centers for Medicare and Medicaid Services (2023, September 
6). Go-to-Guidance, Guidance Letters. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Subregulatory-Guidance/Go-to-Guidance-Guidance-Letters.

---------------------------------------------------------------------------

[[Page 8870]]

    Comment: Multiple commenters made statements about the HIPAA 
exceptions process (45 CFR 162.940) and described various burdens 
associated with it, including the application process, lack of clarity 
for the evaluation criteria, and the time for approval. Commenters 
noted the current exceptions process may serve as a barrier for the 
industry to take advantage of the opportunity to move interoperability 
forward and urged CMS to make it less burdensome to accelerate 
opportunities for entities to beta test new standards and approaches to 
more efficient data exchange. A commenter recommended that CMS work 
with HHS or other agencies to improve the HIPAA exceptions process such 
that it is less onerous and more flexible to facilitate innovation. 
Another commenter strongly urged CMS to eliminate the requirement for 
payers to request an exception to any of the HIPAA transaction and code 
standards. This commenter stated that Da Vinci member exceptions should 
be discontinued, and CMS should work with other government entities as 
needed to eliminate the requirement to obtain an exception from the 
HIPAA standard for organizations seeking to directly exchange data 
using the FHIR standard without X12 translation. A commenter requested 
that HHS develop an administrative process or ``onramp'' for states to 
request a HIPAA exception for this specific transaction that individual 
states could utilize at their discretion.
    Response: The opportunity to apply for an exception to test an 
alternative to an adopted standard is established in the HIPAA statute 
and implemented in regulation at 45 CFR 162.940. Although we appreciate 
these comments regarding the HIPAA exceptions process, they are out of 
scope of this rule.
    Comment: Many commenters stated that the CMS Interoperability and 
Prior Authorization proposed rule failed to address the limitations of 
the X12 278 transaction standard. Many others noted that current 
industry use of the X12 278 transaction standard is very low, noting it 
is complex and outdated, and thus mandating the conversion of FHIR to 
the X12 278 transaction standard serves no real value beyond 
compliance. A commenter discussed how the CAQH CORE Index report 
consistently reports that full automation for X12 standards for prior 
authorization lags far behind payment-related use cases. A commenter 
noted that because of the low use of the X12 278 transaction standard, 
entities would have to develop an implementation process to complete a 
FHIR exchange just to convert it to an X12 278 transaction standard. 
Another commenter noted the industry will continue to have 
interoperability challenges around the Prior Authorization API 
capability due to a lack of uniformity if existing issues with the X12 
278 transaction standard are not addressed. Multiple commenters 
requested that CMS consider certain flexibilities in implementation. A 
commenter recommended that CMS consider a floor versus ceiling approach 
in which the X12 standard is seen as the floor and a standard FHIR 
approach using the PAS IG is the ceiling. Multiple commenters 
recommended that CMS provide a waiver for the X12 278 transaction 
standard for payers that can implement end-to-end FHIR data exchange. A 
commenter requested that CMS grant such payers a safe harbor that 
provides an automatic waiver of the X12 278 transaction standard 
requirement. A commenter noted these waivers would preferably be 
automatic or minimally burdensome to obtain. Another commenter 
recommended CMS allow for exceptions to the requirement of converting 
Prior Authorization API messages to the X12 278 transaction standard in 
scenarios where there is no need for the receiving entity to pass along 
the prior authorization transaction to another system. A commenter 
sought guidance on whether CMS will consider payers that are not 
currently covered under the HIPAA administrative simplification 
exception of having prior authorizations sent through the PAS phase of 
the Prior Authorization API, translated into and out of the X12 278 
transaction standard for an exception. A commenter requested 
clarification on whether CMS proposed that the Prior Authorization API 
can be used to transform the provision of a health care attachment into 
a valid X12 278 transaction standard for meeting HIPAA requirements or 
is suggesting that the Prior Authorization API provides an alternative 
basis to the proposed X12 278 transaction standard.
    Response: We appreciate stakeholder interest in using the FHIR 
standard to implement the Prior Authorization API. Unless an impacted 
payer is included in the current Da Vinci pilot to test an exception to 
the HIPAA transaction, that payer may be required to use the adopted 
HIPAA standard when implementing the API. Information on the Da Vinci 
pilot is available on the HL7 Da Vinci website.\114\ The participants 
in the pilot are testing the prior authorization API over 3 years and 
will report to HHS at the end of that time on such metrics as response 
time, ability to exchange supporting clinical information, integration 
into the provider's workflow, reducing total provider/staff time to 
obtain prior authorization, flexibility of the standard, ability to 
provide a timely response, and more. The Prior Authorization API can 
support the submission of a prior authorization request itself, or 
provide data that can support the HIPAA-compliant X12 278 transaction 
standard, if used, for prior authorizations, which is then sent as a 
separate transmission between the providers and payers, either through 
a clearinghouse or through the provider's practice management system. 
HL7 provides detailed workflows and graphical depictions of the API and 
the HIPAA transaction process.\115\ Finally, this final rule does not 
address health care attachments.
---------------------------------------------------------------------------

    \114\ Da Vinci Project (2021, May 26). Da Vinci HIPAA Exception. 
Retrieved from https://confluence.hl7.org/display/DVP/Da+Vinci+HIPAA+Exception.
    \115\ Health Level Seven International (2023, December 1). Da 
Vinci Prior Authorization Support (PAS) FHIR: Use Cases and 
Overview. Retrieved from https://build.fhir.org/ig/HL7/davinci-pas/usecases.html.
---------------------------------------------------------------------------

    Comment: A commenter noted that the lack of requirements for 
specific data elements with the X12 278 transaction standard for prior 
authorizations limits the value of that transaction standard and would 
affect the adoption of the API because providers would lack an 
efficient way to identify what critical information to include in a 
prior authorization request. Multiple commenters expressed concern 
regarding the functionality of the proposal to use the X12 278 
transaction standard with the API, and another commenter noted that the 
X12 275 transaction standard for health care claims attachments does 
not allow for using FHIR, which creates concerns about the 
implementation of the Prior Authorization API. Another commenter stated 
that certain CAQH CORE operating rules to support HIPAA transactions 
were submitted to NCVHS for review and recommendation to HHS in 2023. 
These operating rules were specific to certain HIPAA transactions and 
included required documentation requirements. The commenter noted that 
the operating rules do not name an API documentation requirement, which 
is key to locating data in various formats. Finally, another commenter 
noted that the X12 and FHIR standards

[[Page 8871]]

do not currently share compatible coding for all the information that 
would need to be translated.
    Response: We appreciate the concerns commenters expressed regarding 
the ability to use the adopted X12 prior authorization transaction with 
the Prior Authorization API. Code mapping between the X12 standard and 
the FHIR IGs contains X12 standard proprietary information and will 
require a license for its use to support the X12 transaction. This 
mapping is available on the X12 website through the Glass online viewer 
\116\ as HL7 does not publish an X12 mapping artifact.
---------------------------------------------------------------------------

    \116\ X12. X12 (2023). Retrieved from www.X12.org.
---------------------------------------------------------------------------

    We also note that we did not propose in this rulemaking that the 
X12 275 transaction standard be required for use with the Prior 
Authorization API. That transaction was proposed for use in the HIPAA 
Standards for Health Care Attachments proposed rule (87 FR 78438),\117\ 
which has not yet been finalized. We reiterate that there are no 
operating rule requirements in the HIPAA Administrative Simplification 
rules (45 CFR part 162) applicable to the API required for use in this 
final rule, or, at this time, to the required HIPAA-compliant X12 278 
transaction standard.
---------------------------------------------------------------------------

    \117\ National Archives (2022, December 21). Administrative 
Simplification: Adoption of Standards for Health Care Attachments 
Transactions and Electronic Signatures, and Modification to Referral 
Certification and Authorization Transaction Standard. Retrieved from 
https://www.federalregister.gov/documents/2022/12/21/2022-27437/administrative-simplification-adoption-of-standards-for-health-care-attachments-transactions-and.
---------------------------------------------------------------------------

    Comment: Multiple commenters expressed support to CMS for proposing 
an electronic Prior Authorization API that uses the FHIR standard and 
IGs in addition to the adopted X12 278 transaction standard to conduct 
electronic prior authorization.
    Response: We appreciate commenter support for the policy that 
utilizes both FHIR and X12 transaction standards. The FHIR standard and 
IGs will be used to implement the Prior Authorization API while 
supporting compliance with the HIPAA administrative transaction 
standard.
    Comment: Multiple commenters requested support for their 
organizations that are ready and willing to exchange data using FHIR 
data and process standards instead of X12 standards. Other commenters 
recommended that CMS recognize FHIR data and process standards as a 
permitted option for standard transactions (that is, adopted in place 
of the X12 standards). These commenters noted that FHIR has 
increasingly become the de facto standard in health care since it was 
mandated as a standard in the implementation of the Cures Act. To 
further accelerate the FHIR standard and exchange of data via FHIR, 
commenters recommended that CMS work with other government entities to 
eliminate the need for the HIPAA exception requirement for 
organizations seeking to exchange data via FHIR directly without X12 
transaction standard translation. Some commenters stressed the costs 
involved in having to comply with both a new set of standards and 
maintain a system for an outdated standard they were not using and for 
which they had already developed workarounds. Others suggested that CMS 
support both X12 and FHIR to meet market needs and innovation. The SDOs 
supported this approach, noting that the FHIR IG is written in such a 
way that if the requirement to use the HIPAA standard is removed, the 
structure is in place for a FHIR-only transaction.
    Response: We appreciate industry interest in moving towards using 
the FHIR standard and reiterate that the HIPAA standards are adopted by 
HHS. HIPAA covered entities may consider submitting comments regarding 
updates to those standards to the Secretary of HHS for consideration.
    Comment: Multiple commenters emphasized the importance of exploring 
the integration of real-time electronic prior authorization 
transactions into workflows as these could reduce payer costs. A 
commenter noted that this was also recommended in the 2020 ONC report: 
``Strategy on Reducing Regulatory and Administrative Burden Relating to 
the Use of Health IT and EHRs.'' A commenter noted these could be used 
for medical services and medications that do not typically require 
large amounts of supporting documentation. Another commenter 
recommended that CMS adopt policies that support integration of 
electronic prior authorization into physicians' practice workflows such 
as direct financial support for investments in compliant IT platforms, 
allowing physicians to access insurer APIs as they work towards full 
capability, and supporting flexible sources of documentation for prior 
authorization requests within the established framework. A commenter 
recommended the electronic prior authorization system be universal 
across all payers with information displayed in real-time, with no cost 
to clinicians or health systems. The commenter stated that research 
showed that switching to real-time electronic prior authorization could 
save more money and reduce the time a provider takes to complete a 
transaction by 15 minutes on average. The commenter stated that 
improving prior authorization processes would benefit every actor in 
this transaction. Another commenter expressed the importance for CMS to 
acknowledge that real-time prior authorization should be the goal and 
that the standards and technology currently exist to implement real-
time prior authorization for certain use cases. A commenter recommended 
that payers implement real-time determination by January 1, 2026, for 
Medicaid managed care plans, CHIP managed care entities, and QHP 
issuers on the FFEs.
    Response: Many commenters discussed the potential the Prior 
Authorization API and policies in this final rule have for payers to 
make real-time decisions, particularly when integrated into both the 
payer and provider workflows; however, we did not propose a real-time 
decision requirement and are not finalizing such a requirement in this 
final rule. Though we anticipate that some of the responses or 
decisions may be made in real-time, we anticipate others will continue 
to necessitate review and evaluation by clinical staff. We agree that 
the automation of a complex process such as prior authorization will 
require continuous improvement. Furthermore, some cases will require 
manual review because of their complexity. Nonetheless, the overarching 
improvements in automation will be an improvement in what exists today.
f. Federal Matching Funds for State Medicaid and CHIP Fee-for-Service 
Programs' Expenditures on Implementation of the Prior Authorization API
    In section II.E. of this final rule, we discuss Federal matching 
funds for certain state Medicaid and CHIP FFS programs' expenditures 
related to implementation of the Prior Authorization API (this was also 
addressed in the proposed rule at 87 FR 76291 and 76292).
g. Medicaid Expansion CHIP
    In section II.E. of this final rule, we discuss implementation for 
states with Medicaid Expansion CHIP programs (this was also addressed 
in the proposed rule at 87 FR 76292).
3. Requirement for Payers To Provide Reason for Denial of Prior 
Authorizations and Notifications
    Throughout the Interoperability and Prior Authorization proposed 
rule at 87 FR 76292, we described opportunities for improvement with 
the prior authorization process, specifically

[[Page 8872]]

where better communication between payers and providers could mitigate 
confusion about the status of a prior authorization, particularly if it 
was not approved. This section addresses issues about the proposed and 
final policy for communication about prior authorization denials and 
existing requirements for notifications from impacted payers.
a. Background on Providing a Reason for Denial of Prior Authorization
    Payers deny prior authorizations for different reasons, including 
because the payer does not consider the items or services to be 
medically necessary, the patient exceeded limits on allowable covered 
care for a given type of item or service, or documentation to support 
the request was missing or inadequate. When a payer provides a specific 
reason for a denial, a provider can take appropriate actions such as 
re-submitting the request with updated information, identifying 
alternatives for the patient, appealing the decision, or communicating 
the decision to the patient to enable the patient to consider other 
options or to appeal as well. Today, impacted payers send denials 
either electronically or through the mail, and the information provided 
varies substantially between payers. For denials sent using the X12 278 
transaction standard, payers must use the codes from the external code 
set maintained by X12. For responses sent through portals, fax, or 
other means, payers may use proprietary codes or text to communicate 
denial reasons. The process is inefficient and unsatisfactory; and in 
general, providers do not have consistent direction on the next steps 
for a denied authorization. Our proposal for impacted payers to send a 
specific denial reason was one approach to address current 
inefficiencies.
    We proposed, and are finalizing in this final rule, that, beginning 
in 2026, impacted payers must provide a specific reason for denied 
prior authorization decisions, regardless of the method used to send 
the prior authorization request. As with all policies in this final 
rule, this provision does not apply to prior authorization decisions 
for drugs. This final policy is an effort to improve the communication 
about denials from an impacted payer in response to a request for a 
prior authorization through existing mechanisms, such as electronic 
portals, telephone calls, email, standard transactions, or other means.
b. Denial Reason and Denial/Decision Codes
    Some payers subject to this requirement to provide a specific 
reason for denied prior authorization decisions will also remain 
subject to existing requirements to provide notice to patients, 
providers, or both, with the specific reasons for the denial. In 
addition, for certain payers impacted by this final rule, existing 
communication requirements related to coverage decisions, notices of 
coverage decisions, and appeal processes, remain in effect for coverage 
decisions that are made as part of a prior authorization denial or 
approval. These requirements are not changed under this final rule. For 
example, before an MA plan may issue a prior authorization denial (or 
any other organization determination that is a denial) based on medical 
necessity, the decision must be reviewed by a physician or other 
appropriate health care professional with expertise in the field of 
medicine or health care that is appropriate for the services being 
requested, including knowledge of Medicare coverage criteria, per 42 
CFR 422.566(d); this will apply to any denial of a prior authorization 
request, regardless of whether the Prior Authorization API has been 
used to request, check the status of, or communicate the decision on 
the prior authorization. Nothing in this final rule limits the scope of 
the MA regulation at 42 CFR 422.566(d) and it continues to apply to any 
prior authorization request and decision that is also subject to the 
policies being finalized in this final rule.
    Comment: Some commenters recommended that CMS define and provide 
examples for terms such as ``approval,'' ``denial,'' and ``specific 
reason'' concerning prior authorization denials in the final rule.
    Response: We are not adding regulatory definitions for these terms 
in this rule, as these terms are clear, frequently used in many 
contexts, and commonly used. For this final rule, these terms mean the 
following:
     Approvals are when the payer authorizes coverage of items 
or services for which prior authorization has been requested.
     Denials are the refusal by a payer to approve the prior 
authorization for a health care item or service. Denials, or rejection 
of a prior authorization, may result because the service was not 
considered medically necessary under the payer's medical guidelines or 
the provider did not provide complete or accurate documentation to 
support the request.
     A specific reason for denial could include reference to 
the specific plan provisions on which the denial is based; information 
about or a citation to coverage criteria; how documentation did not 
support a plan of care for the therapy or service; a narrative 
explanation of why the request was denied, and specifically, why the 
service is not deemed necessary or that claim history demonstrated that 
the patient had already received a similar service or item.
    Comment: Multiple commenters expressed their support for CMS's 
proposal to require impacted payers to provide specific reasons for 
prior authorization denials, regardless of the mechanism used to submit 
the prior authorization request. Multiple commenters also specifically 
expressed support for requiring impacted payers to provide the reasons 
for denial as part of the information included in the Prior 
Authorization and Patient Access APIs. Similarly, commenters expressed 
support for CMS's proposal to require impacted payers, particularly MA 
organizations, to give providers specific reasons for their prior 
authorization denials. Many commenters supported the proposal to 
require payers to include in the Prior Authorization API specific 
information about prior authorization requests, including the 
determination of approval (and for how long), determination of denial 
(with a specific reason), and a request for more information from a 
provider.
    Response: We appreciate the general support for the proposal to 
improve this aspect of the prior authorization process, specifically 
communication about prior authorization decisions and information about 
denials.
    Comment: Multiple commenters noted that requiring a reason for 
denials and public reporting of prior authorization metrics could help 
providers, patients, policymakers, and other interested parties 
understand the prior authorization process better. These commenters 
asserted that this increased transparency could improve providers' 
submissions of prior authorization requests, ensure prior 
authorizations are based on the best medical evidence and guidelines, 
and allow patients to be better informed regarding their health care 
purchasing decisions.
    Response: We appreciate the many other comments we received in 
support of the proposals to require a reason for denials and public 
reporting and discuss other comments specific to those provisions later 
in this section. Specifically, we concur that the transparency of 
information will support communication between payers, providers, and 
patients.
    Comment: Multiple commenters recommended that CMS be more specific 
about which prior authorization decision information payers should

[[Page 8873]]

include as well as how they should provide this information. 
Specifically, multiple commenters recommended that CMS further specify 
the level of detail that impacted payers must provide about their 
reasons for denial. Other commenters recommended that the information 
payers provide regarding reasons for prior authorization denials 
include the policy on which the decision was based and the requirements 
for coverage assessed, including the standards used to determine 
medical necessity. The commenters recommended that CMS require that the 
reason for denial provided by payers include the clinical rationale and 
patient-specific evidence supporting the denial decision (that is, 
which specific criteria the patient did not meet). A commenter 
recommended that CMS require payers to provide the following with each 
prior authorization decision: whether the prior authorization 
adjudication was automatically adjudicated; whether statistical methods 
such as AI, machine learning, or other algorithms were used; and 
whether a human decision-maker was involved and the name and 
credentials of the employee. This commenter noted algorithms should be 
publicly accessible so that they can be examined for implicit bias. 
Another commenter recommended that CMS require impacted payers to 
provide a clinical rationale for prior authorization denials according 
to the national medical specialty society guidelines for peer-reviewed 
clinical literature. Multiple commenters recommended that CMS specify 
that impacted health plans must provide all the prior authorization 
decision and denial information in a form that is understandable and 
outlines specific steps for the provider, including any additional 
information the provider needs to provide to further support the 
request, a list of covered alternative treatments, and details 
regarding their right to appeal and the process for appeals.
    Response: In this final rule, we are requiring impacted payers to 
provide a specific reason to the provider when denying a prior 
authorization. The volume of comments in this area, as in other areas 
of these proposals, was indicative of the challenges providers face in 
obtaining specific information about prior authorization decisions and 
denials, and that payers face in providing adequate detail for the 
decisions they give back to a provider about a prior authorization 
denial, such that the provider can take appropriate action. The CMS 
Interoperability and Prior Authorization proposed rule and this final 
rule do not directly address how prior authorization decisions are 
made, such as using AI, statistical methods, requirements for clinical 
decisions, or other algorithms, which are out of scope of this specific 
rulemaking. However, prior authorization decisions involving AI or 
other algorithmic systems must still comply with applicable 
requirements, including requirements around clinical decision-making 
and the finalized policy requiring communication of the specific reason 
for denial. This rule intends to ensure that payers provide better 
communication about denials than has been available to date.
    There are existing programmatic rules for some of the impacted 
payers that also address the content of a denial decision. MA 
organizations \118\ are required to provide the specific reasons for 
the denial to their enrollees when an item or service is denied, along 
with certain other information (such as the ability to appeal the 
decision and how). CMS provides a standard form for MA organization 
use, which captures a specific and detailed explanation of why the 
medical services were denied, including a description of the applicable 
coverage rule or applicable plan policy (for example, Evidence of 
Coverage provision) upon which the action was based, and a specific 
explanation about what information is needed to approve coverage if 
applicable. For Medicaid managed care prior authorization decisions, 42 
CFR 438.210(b) requires the MCO, PIHP, or PAHP contract with the state 
to include provisions requiring the Medicaid managed care plan to 
consult with the requesting provider when appropriate and that any 
decision to deny a service authorization request or to authorize a 
service in an amount, duration, or scope that is less than requested, 
be made by an individual who has appropriate expertise in addressing 
the enrollee's medical, behavioral health, or long-term services and 
supports needs. The regulation at 42 CFR 438.210(c) requires notice 
(albeit not necessarily written notice) to the provider of the Medicaid 
managed care plan's denial of a service authorization request, or 
decision to authorize a service in an amount, duration, or scope that 
is less than requested. For Medicaid FFS, 42 CFR 435.917(a) requires 
state Medicaid agencies to provide the beneficiary with timely and 
adequate written notice of any decision regarding the beneficiary's 
prior authorization request, as any such decision would cause a 
``denial or change in benefits and services.'' \119\ When a state 
denies the prior authorization request in whole or in part, the 
beneficiary notice must include, in addition to the content described 
at 42 CFR 435.917, the notice content described at 42 CFR part 431, 
subpart E, including the requirement at 42 CFR 431.210 that notices 
contain a clear statement of the specific reasons supporting the 
intended action. Notices must be written in plain language and be 
accessible to individuals who have limited English proficiency and 
individuals with disabilities consistent with 42 CFR 435.905(b). These 
existing provisions, which include a requirement for enrollees to be 
provided written notice about an adverse decision, could be useful 
examples for the level of specificity that could be given to a 
provider, including the applicable medical necessity criteria. 
Likewise, for CHIP managed care entities' prior authorization 
decisions, 42 CFR 457.1230(d) cross references to 42 CFR 438.210 to 
apply Medicaid managed care plans' prior authorization decision 
requirements to CHIP managed care entities. Additionally, for QHP 
issuers on the FFEs, 45 CFR 147.136(b)(2)(ii)(E) and 29 CFR 2560.503-
1(g) and (j) require group health plans and issuers of group and 
individual health insurance coverage to provide notice to individuals, 
in a culturally and linguistically appropriate manner, of adverse 
benefit determination or final internal adverse benefit determination 
and specifies information that this notice must include, such as a 
description of the plan's or issuer's standard, if any, that was used 
in denying the claim.
---------------------------------------------------------------------------

    \118\ See 42 CFR 422.568(e).
    \119\ See 42 CFR 435.917(a).
---------------------------------------------------------------------------

    When denial information is sent to a provider by any communication 
method, including existing notices, the content of a denial should be 
sufficiently specific to enable a provider to understand why a prior 
authorization has been denied and what actions must be taken to re-
submit or appeal. This requirement would improve the current processes 
and reduce manual effort and costs. When implemented, the Prior 
Authorization API could mitigate some denials by providing information 
about the documentation and information or data necessary to support a 
prior authorization request for the service or item.
    Comment: Multiple commenters recommended that CMS work with X12 and 
other appropriate industry organizations to update the X12 278 Service 
Decision Reason Code Set with additional codes for scenarios not yet 
covered by the existing code set or for

[[Page 8874]]

use of the X12 Service Decision Reason Codes as the code set for 
communicating reasons for the denial. The X12 Service Decision Reason 
Code List is a code set maintained by X12 used by HIPAA covered 
entities with the HIPAA standard transaction for electronic prior 
authorization decisions. A commenter supported using denial codes under 
the condition that CMS continue to work with SDOs, NCVHS, and other 
relevant organizations to expand the denial reasons and add support for 
more specific options. Another commenter requested clarification on 
whether the specific reason for the denial requirement must be met by 
using the X12 code list of denial reasons. The commenter added that 
this code list allows varying interpretations which would result in 
ambiguity. Other commenters recommended that CMS establish a clearly 
defined standardized set of specific reasons for the denial and require 
payers to use them for communicating prior authorization decisions for 
all items and services. A commenter recommended that CMS align the FHIR 
Certification Action Codes and the X12 Service Decision Reason Codes. 
Another commenter stated that the HCR 03 Decision Reason Code is an 
optional field in the X12 278 transaction standard and recommended that 
CMS refer to ``denial reasons'' as ``decision reason codes.''
    Response: We confirm that the X12 Service Decision Reason Code List 
is a code set maintained by X12 for electronic prior authorization 
decisions. Updates to this code set must be requested through the X12 
code maintenance workgroup. We strongly encourage both impacted payers 
and providers to evaluate the X12 Decision Reason Code List and make 
recommendations to X12 for necessary updated or new codes as 
appropriate. We encourage interested organizations and SDOs to continue 
their collaboration efforts on crosswalks needed for the IGs supporting 
the Prior Authorization API and maintenance of code sets that could be 
used with the API. We decline to change the terminology in this final 
rule from ``reason for the denial'' to ``decision reasons'' or 
``decision reason codes.'' The obligation under this final rule for 
impacted payers to provide a specific reason for the denial of a prior 
authorization request goes beyond using a single code set and means 
that payers must provide sufficient detail in the denial response to 
enable the provider to know what action to take as the follow-up to the 
denial to obtain coverage--that is whether to appeal, submit additional 
documentation, or identify alternative treatment options. Impacted 
payers may send additional information through the API which could 
provide additional clarity. Finally, though the Medicare FFS program 
has a list of decision reason codes in use for its program, and these 
could be considered for inclusion in the X12 code set, we did not 
propose these for use by all payers as part of this policy. However, 
the industry could submit similar text to X12 as additions to that 
external code set. We affirm that all denial reasons must be specific.
    Comment: Multiple commenters shared concerns about and made 
recommendations related to MA organizations' utilization management 
policies as these pertain to the denial of prior authorizations.
    Response: This rulemaking does not address requirements or 
limitations for all utilization management guidelines or policies used 
by MA organizations. This rulemaking adopts certain procedural and 
timing requirements for prior authorizations and several API 
requirements for MA organizations and other impacted payers, including 
implementation of a Prior Authorization API, new reporting to CMS, and 
new requirements to provide to the applicable provider a specific 
reason for the denial of a request for prior authorization. However, in 
separate rulemaking for MA organizations, we addressed standards and 
requirements for how MA organizations develop and use clinical criteria 
and prior authorization policies to help ensure MA beneficiaries 
receive the same medically necessary care they would receive under 
Traditional Medicare in the CY 2024 MA and Part D final rule (88 FR 
22120).\120\ We recommend interested readers review the CY 2024 MA and 
Part D final rule for more information on these other requirements for 
MA organizations.
---------------------------------------------------------------------------

    \120\ See also 42 CFR 422.101(b)(6), 422.112(b)(8), 422.137, and 
422.138.
---------------------------------------------------------------------------

    Comment: Many commenters described challenges with denials, 
including the burdens they faced when attempting to appeal those 
denials on behalf of their patients and delays created in access to 
care when they did not have information about the reason for the 
denial, and therefore little information to include in the response 
back to the payer. Multiple commenters wrote that requiring impacted 
payers to provide reasons for prior authorization denials would have 
positive impacts on the health care system. Multiple commenters stated 
that this requirement would facilitate better transparency and 
communication between providers and payers. Commenters noted that this 
requirement would: (1) allow providers to better communicate the reason 
for denial and reasons for potential treatment plan changes to their 
patients; (2) provide patients with more insight into how decisions are 
made relating to access to care; (3) decrease the number of arbitrary 
prior authorization denials and minimize the number of denials that are 
overturned on appeal; and 4) reduce unnecessary delays in patient care.
    Response: We appreciate the many letters from commenters indicating 
support for the provisions of this rule and including in those letters 
descriptions of the process challenges that they believe could be 
mitigated by the policies being finalized. We concur with the 
information in many of the letters that the requirement to provide the 
specific reason for the denial in a response to the provider has the 
potential to improve communication between payers and providers for the 
prior authorization process.
c. Existing Notice Requirements To Communicate Prior Authorization 
Denial Information--By Program
    Some of the impacted payers are required by existing Federal and 
state laws and regulations to notify providers or patients when the 
payer makes an adverse decision on a prior authorization request. Our 
proposals to impose requirements on payers to communicate certain 
information to providers about prior authorization denials were 
intended to reinforce and supplement existing Federal and state 
requirements and do not alter or replace existing requirements to 
provide notice to patients, providers, or both. Further, the 
requirements include implementation of a Prior Authorization API that 
can provide responses about whether an authorization request has been 
approved (and for how long) or denied, a specific reason for the 
denial, or request more information from the provider to support the 
prior authorization. Communicating denial reasons with specific 
information, in addition to the existing program notification 
requirements, will increase transparency, reduce burden, and improve 
efficiencies for both payers and providers. The API requirements have 
compliance dates in 2027.
i. Denial Notice Requirements
    This section of the final rule addresses denial notice requirements 
which will remain in place for MA organizations, CHIP FFS, Medicaid

[[Page 8875]]

managed care plans, and CHIP managed care entities.
    Under the MA program, the actions that constitute an ``organization 
determination'' include a prior authorization decision (as well as a 
decision in response to a voluntary pre-service request for a decision 
on coverage), as it is defined as including an MA organization's 
refusal to provide or pay for services, in whole or in part, including 
the type or level of services that the enrollee believes should be 
furnished or arranged by the MA organization as well as other types of 
decisions about coverage and payment.\121\ Existing MA program 
regulations impose requirements as to the form and content of the 
written notice to enrollees in the event of a partial or full denial. 
For example, existing regulations regarding written notices for 
enrollees for standard organization determinations require that notice 
for any denial by the plan of coverage of an otherwise covered service 
or item must--
---------------------------------------------------------------------------

    \121\ See 42 CFR 422.566(b).
---------------------------------------------------------------------------

     Use approved notice language in a readable and 
understandable form;
     State the specific reasons for the denial;
     Inform the enrollee of their right to a reconsideration;
     Describe both the standard and expedited reconsideration 
processes, including the enrollee's right to, and conditions for, 
obtaining an expedited reconsideration and the rest of the appeal 
process; and
     Comply with any other notice requirements specified by 
CMS.\122\
---------------------------------------------------------------------------

    \122\ See 42 CFR 422.568(e).
---------------------------------------------------------------------------

    Under existing requirements,\123\ if the MA organization expedites 
an organization determination, the MA organization must notify the 
enrollee (or the enrollee's representative) and the physician involved, 
as appropriate, of its decision, whether adverse or favorable, as 
expeditiously as the enrollee's health condition requires, but no later 
than 72 hours after receiving the request. Either an enrollee or a 
physician, regardless of whether the physician is affiliated with the 
MA organization, may request that an MA organization expedite an 
organization determination.\124\ The notice of expedited determination 
must state the specific reasons for the determination in understandable 
language and if the determination is not completely favorable to the 
enrollee, the notice must also--
---------------------------------------------------------------------------

    \123\ See 42 CFR 422.572.
    \124\ See 42 CFR 422.570.
---------------------------------------------------------------------------

     Inform the enrollee of their right to a reconsideration;
     Describe both the standard and expedited reconsideration 
processes, including the enrollee's right to request, and conditions 
for obtaining an expedited reconsideration, and the rest of the appeal 
process; and
     Comply with any other requirements specified by CMS as to 
the content of the notice.\125\
---------------------------------------------------------------------------

    \125\ See 42 CFR 422.572.
---------------------------------------------------------------------------

    Because applicable integrated plans (D-SNPs that have exclusively 
aligned enrollment with an affiliated Medicaid MCO) are a type of MA 
plan, the regulations regarding prior authorization processes that we 
are finalizing apply to them. The final rule revises the specific 
timeframes for prior authorization decisions by applicable integrated 
plans. Applicable integrated plans cover both Medicaid long term 
services and supports and MA benefits in ten states. Existing 
requirements already govern denial notices issued by applicable 
integrated plans to their enrollees and are similar to the Medicaid 
managed care and MA rules described in the prior paragraphs.\126\ 
Integrated organization determination notices must be written in plain 
language, available in a language and format that is accessible to the 
enrollee, and explain--
---------------------------------------------------------------------------

    \126\ See 42 CFR 422.631.
---------------------------------------------------------------------------

     The applicable integrated plan's determination;
     The date the determination was made;
     The date the determination will take effect;
     The reasons for the determination;
     The enrollee's right to file an integrated reconsideration 
and the ability for someone else to file an appeal on the enrollee's 
behalf;
     Procedures for exercising an enrollee's rights to an 
integrated reconsideration;
     The circumstances under which expedited resolution is 
available and how to request it; and
     If applicable, the enrollee's rights to have benefits 
continue pending the resolution of the integrated appeal process.
    As with the notices required from MA plans, our finalized policies 
do not change the content requirements for these written denial notices 
to enrollees but will supplement these notices by requiring applicable 
integrated plans to notify the provider of the reason for a denial of a 
prior authorization request.
    For Medicaid managed care plans and CHIP managed care entities, 
existing regulations at 42 CFR 438.210(c) require notice to the 
provider without specifying the format or method, while 42 CFR 
438.210(c) and 438.404(a) require written notice to the enrollee of an 
adverse benefit determination. In addition, 42 CFR 438.210(c) requires 
notice (albeit not necessarily written notice) to the provider as well 
of the Medicaid managed care plan's denial of a service authorization 
request or decision to authorize a service in an amount, duration, or 
scope that is less than requested. CHIP managed care entities are 
required to comply with similar standards at 42 CFR 457.1230(d) 
(referencing 42 CFR 438.210) and 457.1260(c) (referencing 42 CFR 
438.404). Nothing in this final rule will limit the existing enrollee 
notification requirements at 42 CFR part 438 for Medicaid managed care 
plans and at 42 CFR part 457 for CHIP managed care entities as these 
requirements will remain in full effect. This final rule fills a 
potential gap concerning the information communicated to providers 
regarding a denial of a prior authorization request. We proposed and 
are finalizing that the response--whether the authorization request has 
been approved (and for how long), denied (with the reason for the 
denial), or a request for more information to support the prior 
authorization--if transmitted to providers via the Prior Authorization 
API workflow process or other means, will be sufficient to satisfy the 
current requirement for notice to providers at 42 CFR 438.210(c) and 
457.1230(d). We are finalizing a slight modification to the regulatory 
language to use ``the date or circumstance under which the 
authorization ends'' instead of ``how long'' as the scope of 
information that must be provided by the payer. The payer will not be 
required to send the response to the provider via both the Prior 
Authorization API (which is required to furnish certain information, 
including denial reason) and a separate, additional manner (for 
example, separate written notice or phone call) with duplicate 
information. However, given that providers are not required to use the 
Prior Authorization API, the payer must ensure that the response to the 
provider with the reason for the denial must be furnished to the 
provider through some means.
    We also remind all Medicaid managed care plans and CHIP managed 
care entities subject to this final rule that their existing 
obligations to provide these required notices to patients are not 
changed by the final policies in this rule. These payers will still 
have to

[[Page 8876]]

provide a separate written notice to the enrollee.
    QHP issuers on the FFEs that offer individual health insurance must 
provide the specific reason for an adverse benefit determination, which 
includes denial of prior authorization.\127\ Furthermore, plans and 
issuers must ensure that notice is made to individuals in a culturally 
and linguistically appropriate manner that complies with existing 
requirements.\128\
---------------------------------------------------------------------------

    \127\ See 45 CFR 147.136(b)(3)(ii)(E).
    \128\ See CFR 147.136(b)(2)(ii)(E) and 29 CFR 2560.503-1(g) and 
(j).
---------------------------------------------------------------------------

    Finally, impacted payers may be required to provide this 
information in languages other than English, which requires impacted 
payers (as health programs or activities under that section) to provide 
meaningful access to individuals with limited English proficiency and 
accessibility requirements for individuals with disabilities.\129\
---------------------------------------------------------------------------

    \129\ See 45 CFR 92.3 and 92.101.
---------------------------------------------------------------------------

ii. Notice and Payer Communications
    We received comments on the current processes for notice and payer 
communications and summarize those and our responses here. Generally, 
such processes exist for MA organizations, Medicaid managed care plans, 
CHIP managed care entities, and QHP issuers on the FFEs.
    Comment: Multiple commenters expressed frustration with the 
variation of prior authorization requirements across MA plans, 
inconsistencies in access to care and coverage, and painful 
interactions during lengthy peer-to-peer review of medical necessity 
assessments with MA organizations. A commenter expressed support for 
the proposal in the CY 2024 MA and Part D proposed rule (87 FR 79452) 
to prohibit MA plans from diverting a patient to a different level of 
care than recommended by the patient's physician when the patient 
otherwise meets all the clinical criteria appropriate for the setting 
requested by the physician. Commenters noted these factors have 
contributed to a more complicated prior authorization process, extended 
wait times, duplicate or inaccurate prior authorization denials and 
post-claim denials, and a shifting focus from patient care. Multiple 
commenters recommended CMS implement increased oversight policies to 
address MA's challenging prior authorization landscape. Multiple 
commenters recommended that CMS continue to oversee MA plans' use of 
prior authorization and advance policies that ensure that MA enrollees 
have the same access to covered services as those enrolled in 
Traditional Medicare and that MA organizations cannot use more 
stringent criteria than Traditional Medicare.
    Response: As finalized in the CY 2024 MA and Part D final rule, 42 
CFR 422.138 provides that coordinated care plan prior authorization 
policies may only be used to confirm the presence of diagnoses or other 
medical criteria and/or ensure that an item or service is medically 
necessary. Second, the CY 2024 MA and Part D final rule requires 
coordinated care plans to provide a minimum 90-day transition period 
when an enrollee currently undergoing treatment switches to a new MA 
plan, during which the new MA plan may not require prior authorization 
for the active course of treatment (42 CFR 422.112(b)(8)(ii)(B)). 
Third, to ensure prior authorization is being used appropriately, we 
are requiring all MA plans that use utilization management policies 
(like prior authorization) to establish a Utilization Management 
Committee to review policies annually and ensure consistency with 
Traditional Medicare's NCDs, LCDs, and guidelines; compliance with 
limits on how prior authorization can be used; compliance with other MA 
regulations on determining medical necessity (42 CFR 422.101(c)); and 
consultation with network providers (42 CFR 422.202(b) and 422.137). 
Finally, to address concerns that the CY 2024 MA and Part D proposed 
rule did not sufficiently define the expected duration of ``course of 
treatment,'' a newly adopted regulation at 42 CFR 422.112(b)(8) 
requires that a coordinated care MA plan's approval of a prior 
authorization request for a course of treatment must be valid for as 
long as medically necessary to avoid disruptions in care in accordance 
with applicable coverage criteria, the patient's medical history, and 
the treating provider's recommendation. The CY 2024 MA and Part D final 
rule and this final rule taken together provide significant guardrails 
for prior authorization in the MA program and support a more 
streamlined process, which will ultimately lead to reduced burden in 
health care.
    Comment: A commenter was concerned that without specific guidance 
for MA plans regarding certain benefits, the proposed rule will 
negatively impact the already existing barriers to electronic exchange 
of information between MA organizations and religious nonmedical health 
care institution (RNHCI) providers. This commenter supported the 
concept of the Prior Authorization API because it makes possible the 
electronic exchange of certain prior authorization information between 
payers and providers, which RNHCIs have long desired. However, the 
organization was concerned about the requirement at 42 CFR 422.122(b) 
because of concerns about its applicability to nonmedical benefits. 
This commenter proposed amendments to the regulatory text regarding the 
obligation to accept and exchange information.
    Response: The requirements proposed at 42 CFR 422.122(b) apply to 
all covered Medicare services, including covered items and services 
furnished by a RNHCI, and all MA supplemental benefits covered by an MA 
plan, excluding all drugs, as defined at 42 CFR 422.119(b)(1)(v). See 
section I.D. for more information about the exclusion of drugs from the 
scope of the prior authorization policies in this rule.
    We are finalizing that the prior authorization requirements adopted 
in this final rule supplement and do not replace requirements in other 
applicable laws, including existing requirements for MA plans, Medicaid 
managed care plans, CHIP managed care entities, and QHP issuers on the 
FFEs regarding decisions made on requests for prior authorization of 
covered benefits. For additional explanation on the continued 
applicability of existing standards in this final rule, we are adding 
paragraph (b)(5) to 42 CFR 422.122 to explain that prior authorization 
decisions made under 42 CFR 422.122 must meet all other applicable MA 
requirements in subpart M of part 422, such as the adjudication 
timeframes and notice requirements. Under existing standards for 
Medicaid managed care plans, all prior authorization decisions by 
Medicaid managed care plans must comply with 42 CFR 438.210 as well as 
notice requirements at 42 CFR 438.404.
4. Requirements for Prior Authorization Decision Timeframes and 
Communications
a. Impact of Delays in Prior Authorization Decisions: Background of 
Decision Timeframes
    As discussed in the CMS Interoperability and Prior Authorization 
proposed rule (87 FR 76294), CMS learned through listening sessions and 
other public meetings that excessive wait time for prior authorization 
decisions could cause delays to patient care and create medical risks 
in some cases. Providers face delays for the approval of the initial 
request, or, secondarily, for the resolution of a request ``in 
process,'' often meaning the payer is reviewing requested 
documentation. In 2019, CMS

[[Page 8877]]

conducted outreach to external entities (87 FR 76294) and received many 
comments about timeframes for processing prior authorizations, where 
commenters explained that the process of securing approvals for prior 
authorization directly affects patient care by delaying access to 
services, including transfers between hospitals and post-acute care 
facilities, treatment, medication, and supplies. Commenters believed 
that these delays occur partly because payers have different policies 
and review processes, do not use available technologies consistently, 
and continue to rely on manual systems such as phone, fax, and mail, 
which are more labor-intensive.
b. Standard and Expedited Prior Authorization Requests and Decision 
Timeframes
    In the CMS Interoperability and Prior Authorization proposed rule 
we used the terms standard and expedited prior authorizations to refer 
to two types of prior authorizations for which we are now finalizing 
our policies--in this final rule, we affirm that the term ``standard'' 
prior authorization refers to non-expedited, non-urgent requests and 
the term ``expedited'' prior authorization indicates an urgent request. 
These terms continue to be used in CMS regulations.\130\ We received a 
few comments on these terms and respond to those here.
---------------------------------------------------------------------------

    \130\ See 42 CFR 422.568, 422.570, 422.572, and 422.631 for MA 
organizations and applicable integrated plans and 42 CFR 438.210(d) 
and 438.404 for Medicaid managed care plans.
---------------------------------------------------------------------------

    Comment: Multiple commenters stated that there was a lack of 
clarity and guidance on the definition of a standard versus an 
expedited prior authorization. A commenter recommended that CMS create 
additional specificity around what ``expedited'' means, especially for 
mental health and substance use disorder conditions. Another commenter 
stated that what one provider may deem an expedited request may not be 
considered one by the payer. A commenter noted that the lack of a 
standard definition leads to discrepancies on what a payer considers 
``urgent'' and sometimes leaves some discretion up to the provider. 
This lack of standardization can adversely affect a patient. If a payer 
has a stricter definition of what constitutes an expedited prior 
authorization, this could lead to the patient waiting up to 7 days for 
a decision and delay access to care further if prior authorization is 
denied. Commenters stated that CMS should release guidance on 
definitions of these terms to facilitate more alignment for payers and 
strengthen patient access by minimizing variation between network 
standards on what is considered ``urgent'' versus ``normal.'' Another 
commenter requested that CMS provide clarification on timeframes in 
emergencies and if emergency care would override prior authorization 
rules.
    Response: We decline to create a new definition for standard and 
expedited, as the definitions for standard and expedited requests 
provide a foundation upon which both payers and providers can rely for 
making professional judgments. These terms are used in the provisions 
at 42 CFR 422.568, 422.570, 422.572, and 422.631 for MA organizations 
and applicable integrated plans. Similar terms are used at 42 CFR 
438.210(d) for Medicaid managed care plans, at 42 CFR 457.1230(d) for 
CHIP managed care entities (87 FR 76294), and we are adding 
requirements at 42 CR 440.230 for Medicaid FFS and at 42 CFR 457.495 
for CHIP FFS to meet these timelines--specifically, as expeditiously as 
a beneficiary's health condition requires, that may not exceed either 7 
calendar days or 72 hours after receiving the request for standard or 
expedited requests respectively.
    A standard for when expedited determinations are required currently 
exists for MA organizations at 42 CFR 422.566(a), which requires MA 
organizations to have an expedited procedure for situations in which 
applying the standard procedure could seriously jeopardize the 
enrollee's life, health, or ability to regain maximum function.\131\ 
This long-standing medical exigency standard is familiar to MA plans 
and providers and affords sufficient guidance on when an expedited 
decision is necessary. There is adequate guidance on these standards 
for the MA appeals and organization determination deadlines already. 
For Medicaid managed care and (by cross reference) CHIP managed care, 
42 CFR 438.210(d)(2)(i) specifies an expedited authorization is 
required when ``following the standard timeframe could seriously 
jeopardize the enrollee's life or health or ability to attain, 
maintain, or regain maximum function.'' Standard prior authorization 
requests are used when the enrollee's life or health or ability to 
attain, maintain, or regain maximum function are not seriously 
jeopardized by the managed care plan using the longer, standard 
authorization timeframes. These policies are intended to ensure that 
impacted payers, including Medicaid FFS, Medicaid managed care plans, 
and CHIP managed care entities will evaluate expedited prior 
authorization review procedures that will minimize patient risk. We 
confirm that MA plans, Medicaid managed care plans, and CHIP managed 
care entities are prohibited from applying prior authorization 
requirements to evaluation and stabilization services for emergency 
medical conditions.\132\
---------------------------------------------------------------------------

    \131\ See 42 CFR 422.570 and 422.572.
    \132\ See sections 1852(d), 1932(b)(2), and 2103(f)(3) of the 
Act and 42 CFR 422.113, 438.114, and 457.1228.
---------------------------------------------------------------------------

    Comment: A commenter asserted that eliminating the need for a 
provider to reach out to a payer and notify them of a request that 
requires an expedited response would reduce a provider's administrative 
burden and further the efficiency of the prior authorization process. 
The commenter recommended CMS request that payers be required to have 
systems that enable providers to electronically differentiate between 
standard and expedited prior authorization requests.
    Response: While this final rule addresses several important prior 
authorization processes, it does not specifically dictate all payer 
operational procedures. Existing regulations in the applicable programs 
covered by this final rule may address the circumstances under which a 
payer must make a coverage decision, such as a prior authorization 
request on an expedited basis. For example, under the MA rules at 42 
CFR 422.570, an enrollee or a physician (regardless of whether the 
physician is affiliated with the MA organization) may request that an 
MA organization expedite an organization determination involving a 
request for an item or service. The MA organization must promptly 
decide whether to expedite an organization determination. Under the 
rules at 42 CFR 422.570(c)(2), if a request is made by an enrollee, the 
MA organization must provide an expedited determination if it 
determines that applying the standard timeframe for making a 
determination could seriously jeopardize the life or health of the 
enrollee or the enrollee's ability to regain maximum function. If a 
request for an expedited decision is made or supported by a physician, 
the MA organization must provide an expedited determination if the 
physician indicates that applying the standard timeframe for making a 
determination could seriously jeopardize the life or health of the 
enrollee or the enrollee's ability to regain maximum function. The 
existing medical exigency standard related to expedited requests will 
continue to

[[Page 8878]]

apply to organization determinations that involve prior authorization.
    The recommended PAS IG may not currently have the instructions to 
provide the capability to differentiate between standard and expedited 
prior authorization requests. However, this data element could be a 
helpful addition for the next version, and interested parties are 
encouraged to discuss this at an HL7 workgroup meeting. There may be 
other means through the payer's Prior Authorization API to determine 
how an indicator for the type of prior authorization request might be 
incorporated. The current version of FHIR includes a required data 
element to indicate the urgency of a request. In FHIR technical 
terminology, this required data element is named ``claim.priority.'' 
However, there is no equivalent value in the HIPAA X12 278 transaction 
standard or the X12 external code lists because that data element is 
not required in that standard. The PAS IG does not provide any mapping 
to X12. For those entities conducting the end-to-end FHIR exchange, the 
information about expedited and standard prior authorization requests 
is available to them through the FHIR claim.priority data element. As 
noted, the X12 278 transaction standard does not include this 
information because the current version of the X12 278 transaction 
standard for prior authorizations does not support this concept. An 
alternative to using the claim.priority data element when using the X12 
278 transaction standard for expedited requests would be to include a 
service date, to indicate urgency.
c. Decision Timeframes for Standard and Expedited Prior Authorization 
Requests
    To improve patient care outcomes and ensure that patients have more 
timely access to services, we are finalizing our proposals to create, 
improve, or shorten prior authorization timeframes for certain payers 
to respond to prior authorization requests for covered items and 
services, excluding drugs. Specifically, we are finalizing that these 
timeframes would be 72 hours for expedited requests, unless a shorter 
minimum timeframe is established under applicable state law,\133\ and 7 
calendar days for standard requests with the possibility of an 
extension to up to 14 days in certain circumstances. We acknowledged 
that some of the payers affected by this final rule had different 
requirements for prior authorization decision notice and appeal 
timeframes, and we are aligning the prior authorization decision 
timeframes across those payers except for QHPs on the FFEs, as further 
discussed. For some payers, the existing regulation already uses the 
timeframe we are adopting in this final rule for standard or expedited 
requests for prior authorization; those regulations will continue to 
apply while amendments to adopt the new timeframes for other payers 
will apply to their prior authorization decisions, beginning in 2026.
---------------------------------------------------------------------------

    \133\ The final policies adopted here for state Medicaid and 
CHIP FFS programs and Medicaid managed care plans and CHIP managed 
care entities at 42 CFR 438.210 and 457.495(d)(2), respectively, 
include that a state may set a shorter timeframe for these 
decisions. However, such state authority does not apply to MA plans 
operating in these states.
---------------------------------------------------------------------------

    In the CMS Interoperability and Prior Authorization proposed rule 
(87 FR 76295), we provided a chart identifying which regulations we 
proposed to modify the decision timeframes for standard prior 
authorization decisions made by MA organizations and applicable 
integrated plans, CHIP FFS programs, Medicaid managed care plans, and 
CHIP managed care entities.\134\ Table E1 at the end of this section 
provides the final Federal requirements for prior authorization 
decision timeframes that will apply to each payer beginning in 2026.
---------------------------------------------------------------------------

    \134\ See 42 CFR 422.570, 422.572, 422.631(c) and (d)(2)(iv)(A), 
438.210(d)(2), and 457.1230(d).
---------------------------------------------------------------------------

    We did not propose to change any existing timeframes that might 
apply to expedited authorization decisions made by any of the impacted 
payers, especially given that many of these payers already apply a 72-
hour maximum timeframe for such requests. To ensure consistency and 
correctly describe the new timeframes being finalized for these payers 
to provide notice of standard determinations, we proposed and are 
finalizing certain conforming amendments to the CFR sections listed in 
Table E2.
    QHPs are not included in the policy on timeframes for the reasons 
described at the end of this section. Note that these timeframes do not 
apply to any drugs, as discussed in section I.D. of this final rule.
    We proposed that beginning January 1, 2026, MA organizations and 
applicable integrated plans must provide notice of prior authorization 
decisions as expeditiously as a patient's health condition requires, 
but no later than 7 calendar days for standard requests. For MA 
organizations, on or after January 1, 2026, prior authorization 
requests for items and services covered by the finalized requirements 
at 42 CFR 422.122 will be affected by this final rule; for all other 
items and services, existing timeframes under the MA regulations for 
other pre-service requests for an organization determination would 
remain applicable. These deadlines are reflected in amendments to 42 
CFR 422.568(b)(1) (for MA plans) and 422.631(d)(2)(i) (for applicable 
integrated plans).
    We proposed and are finalizing conforming amendments to certain 
regulations that reference or describe the timeframes that are being 
amended in this final rule. Specifically, we proposed and are 
finalizing an amendment to the MA program regulation at 42 CFR 422.570; 
the revision replaces references to the specific length of the 
timeframe for standard decisions with a general reference to 42 CFR 
422.568 which we are also amending to include the new timeframe(s) for 
prior authorization decisions for items and services.
    In addition, this final rule does not change existing Federal 
timeframes for expedited and standard determinations on requests for 
Part B drugs for MA organizations and applicable integrated plans; 
current regulations require notice to the enrollee as expeditiously as 
the enrollee's health condition requires, but no later than 72 hours 
after receiving the request for a standard determination and as 
expeditiously as the enrollee's health condition requires, but no later 
than 24 hours after receiving an expedited request.\135\ Due to the 
finalized revisions to 42 CFR 422.568(b), we are redesignating existing 
42 CFR 422.568(b)(2) related to requests for Part B drugs for MA 
organizations to 42 CFR 422.568(b)(3).
---------------------------------------------------------------------------

    \135\ See 42 CFR 422.568(b)(3), 422.572(a)(2), and 422.631(a).
---------------------------------------------------------------------------

    Furthermore, an MA plan must automatically transfer a request to 
the standard timeframe if the MA plan denies a request for an expedited 
organization determination or an applicable integrated plan denies a 
request for an expedited integrated organization determination.\136\ 
This step to automatically transfer expedited requests to the standard 
timeframe is consistent with Medicaid and CHIP managed care provisions 
listed in Tables E2, E3, and E4.
---------------------------------------------------------------------------

    \136\ See 42 CFR 422.570(d)(1) and 422.631(d)(2)(iv).
---------------------------------------------------------------------------

    As there are no existing CMS regulations imposing timeframes for 
state Medicaid FFS programs to provide notice of prior authorization 
decisions, in the proposed rule we specified that these programs must 
provide notice of such decisions as expeditiously as a patient's health 
condition requires, but no later than 72 hours for expedited requests 
and 7 calendar days for

[[Page 8879]]

standard requests unless a shorter minimum timeframe is established 
under state law. For CHIP FFS, existing regulations require states to 
provide prior authorizations within 14 days or according to existing 
state law, in accordance with the medical needs of the beneficiary. 
Also, a possible extension of up to 14 days may be permitted if the 
beneficiary requests the extension or if the physician or health plan 
determines that additional information is needed.\137\ To align with 
Medicaid, we are finalizing for CHIP FFS that beginning in 2026, states 
must provide notice of prior authorization decisions in accordance with 
the medical needs of the beneficiary, but no later than 7 calendar days 
after receiving the request for a standard determination and by no 
later than 72 hours after receiving the request for an expedited 
determination.
---------------------------------------------------------------------------

    \137\ See 42 CFR 457.495(d).
---------------------------------------------------------------------------

    For Medicaid managed care plans and CHIP managed care entities, we 
proposed, and are now finalizing, to change the maximum permitted 
timeframe for the payer to send notices of prior authorization 
decisions as expeditiously as a patient's health condition requires, 
but no later than 7 calendar days for standard requests beginning with 
the first rating period that starts on or after January 1, 2026. We are 
also finalizing requirements for Medicaid managed care plans and CHIP 
managed care entities concerning the timeframes for prior authorization 
of services (under 42 CFR 438.210 and 457.1230) but not the timeframes 
for issuing notices of other adverse benefit determinations and appeals 
under 42 CFR 438.404(c)(1) and (2) and 457.1260.
    The provisions at 42 CFR 438.210(d)(2)(i) and 457.1230(d) require 
Medicaid managed care plans and CHIP managed care entities to make an 
expedited authorization decision no later than 72 hours after receipt 
of the request if the provider requesting the authorization indicates 
that following the standard timeframe could seriously jeopardize the 
beneficiary's life or health or ability to attain, maintain, or regain 
maximum function. If Medicaid managed care plans or CHIP managed care 
entities deny an expedited request, that request becomes standard and 
must be reviewed within 7 days.
    State law or managed care plan contracts may impose a shorter 
timeframe for these decisions in Medicaid and CHIP; the shorter 
timeframe would govern for state Medicaid and CHIP FFS programs, 
Medicaid managed care plans, and CHIP managed care entities, as 
applicable.\138\ If state law imposes a longer timeframe, payers must 
comply with Federal regulations within the shorter Federal timeframe--
which will automatically make them compliant with their state 
regulations. For this reason, we are adding to the Medicaid managed 
care regulations at 42 CFR 438.210(d)(2)(i) and (d)(1), respectively, 
and CHIP managed care regulations at 42 CFR 457.1230(d), respectively, 
that the decision must be made as expeditiously as the enrollee's 
condition requires but no later than 72 hours in the case of expedited 
requests or 7 calendar days in the case of standard requests unless a 
shorter minimum timeframe is established under state law.
---------------------------------------------------------------------------

    \138\ In addition, States may, by contract, require applicable 
integrated plans to use shorter decision timeframes. See 42 CFR 
422.629(c).
---------------------------------------------------------------------------

    State laws do not apply to MA plans, based on the preemption 
provision in section 1856(b) of the Act and at 42 CFR 422.402, which 
provides that the Federal standards established for MA plans supersede 
any state law or regulation, other than state licensing laws or state 
laws relating to plan solvency, with respect to the MA plans that are 
offered by MA organizations.
    This final rule does not change the 72-hour timeframe required by 
current Federal regulations, or the authority for an extension of that 
timeframe, for expedited decisions made by MA organizations and 
applicable integrated plans, Medicaid managed care plans, and CHIP 
managed care entities.
    For the reasons discussed in the CMS Interoperability and Prior 
Authorization proposed rule, we are not requiring that impacted payers 
approve a request for prior authorization if that payer did not meet 
the required standard or expedited decision timeframe (87 FR 76297). If 
a payer fails to meet the timeline for approval or other decision, 
providers should contact the payer to obtain the status of the request 
and determine if supporting documentation is needed to complete the 
processing of the authorization or if there are other reasons for the 
delay in a decision. Some programs, such as the MA program (and 
including applicable integrated plans) and the Medicaid and CHIP 
managed care programs, have regulations that include provisions for the 
failure to provide timely notice of an organization determination; 
generally, such a failure to meet the timeframe constitutes an adverse 
decision that may be appealed.\139\
---------------------------------------------------------------------------

    \139\ See 42 CFR 422.568(f), 422.631(d)(1)(ii), 438.404(c)(5), 
and 457.1260(b)(3).
---------------------------------------------------------------------------

    The final rule does not change timeframes for prior authorization 
processes for QHP issuers on the FFEs, in part because existing 
regulations at 45 CFR 147.136 establish internal claims and appeals 
processes, external review processes, and pre-service claims 
requirements for all non-grandfathered group and individual market 
plans or coverage. Specifically, individual health insurance issuers 
are required to meet minimum internal claims and appeals 
standards.\140\ The current regulations for group health plans and 
group and individual market health insurance issuers adequately protect 
patient interests. QHP issuers on the FFEs are required to provide 
notification of a plan's benefit determination within 15 days for 
standard authorization decisions and within 72 hours for expedited 
requests, which is consistent with the other CMS payers affected by 
this provision.
---------------------------------------------------------------------------

    \140\ See 45 CFR 147.136(b)(3).
---------------------------------------------------------------------------

    We requested comments on the timeframe proposals and provide the 
summarized comments and responses here.
    Comment: Multiple commenters disagreed with the proposal to exclude 
QHP issuers on the FFEs from prior authorization shortened decision 
timeframe requirements and recommended that CMS reconsider the 
exclusion of these payers. Some commenters expressed concern that 
excluding QHP issuers on the FFEs from shorter prior authorization 
decision timeframe requirements would result in a negative effect on 
patient care. Commenters asserted that patients under these plans 
should be entitled to the same protections as others under this 
regulation. A commenter stated that they did not believe that 
shortening a QHP issuer on the FFEs' decision timeframe from the 
current 15-day response time for standard requests to 7 days would pose 
an undue burden. Another commenter encouraged CMS to work to align 
prior authorization notification requirements across all impacted 
payers as this could avoid confusion amongst patients and providers 
regarding whether a patient is covered by a QHP. Multiple commenters 
wrote that CMS should include QHP issuers on the FFEs in regulations 
requiring even shorter prior authorization decision timeframes: 24 
hours for urgent or expedited requests and 72 hours for standard 
requests. A commenter recommended CMS impose a standard of 24 hours for 
expedited requests and 48 hours for standard requests and specified 
that this standard should apply to all payers, including those on the 
Exchanges. However, multiple commenters supported the

[[Page 8880]]

proposal to leave in place the current prior authorization decision 
timeframes applicable to QHP issuers on the FFEs. These commenters 
raised general concerns about payer burden due to expedited timeframes 
and agreed specifically that applying expedited timeframes to QHP 
issuers on the FFEs could harm consumers by reducing participation by 
QHP issuers on the FFEs. A commenter recommended that timeframes be 
measured with business days as opposed to calendar days.
    Response: We discussed in the CMS Interoperability and Prior 
Authorization proposed rule the reasons why we did not propose to 
change timeframes for prior authorization processes for QHP issuers on 
the FFEs. We did not propose and are not finalizing, any changes to 
prior authorization timeframes for QHP issuers on the FFEs, in part 
because existing regulations at 45 CFR 147.136 establish internal 
claims and appeals processes, external review processes, and pre-
service claims requirements for all non-grandfathered group and 
individual market plans or coverage. Specifically, individual health 
insurance issuers are required to meet minimum internal claims and 
appeals standards.\141\ We believe the current standard adequately 
protects patient interests. QHP issuers on the FFEs are required to 
provide notification of a plan's benefit determination within 15 days 
for standard authorization decisions and within 72 hours for expedited 
requests; thus, QHP issuers on the FFEs have the same timeframe for 
expedited authorization decisions as other impacted payers in this 
final rule. For reasons discussed in this section, we are not 
finalizing any timeframes shorter than 72 hours for expedited requests 
for any impacted payers at this time. Additionally, the benefits for 
the patient of a shorter timeframe for standard prior authorization 
decisions should outweigh the additional burden that QHP issuers on the 
FFEs might experience, as compared to off-Exchange plans. Aligning 
timeframe requirements for prior authorization decisions across 
individual and group market plans would reduce the burden of compliance 
for QHP issuers on the FFEs for the proposed prior authorization 
requirements while continuing to protect consumer interests. Finally, 
making changes to regulations applicable to all non-grandfathered group 
and individual market plans or coverage for consistency with the 
proposed approach was outside the scope of the proposed rulemaking. 
While we are finalizing this rule as proposed, the prior authorization 
information that this final rule requires QHP issuers on the FFEs to 
publicly report per 45 CFR 156.223(c) will help provide insight into 
prior authorization timelines and practices that may support further 
improvements in the future.
---------------------------------------------------------------------------

    \141\ See CFR 147.136(b)(3).
---------------------------------------------------------------------------

    Comment: Multiple commenters supported the revised standard prior 
authorization decision timeframe of 7 calendar days, and many 
commenters supported the 72-hour decision timeframe for expedited prior 
authorization requests. Additionally, a commenter requested 
clarification on whether the 7-day standard decision timeframe would be 
calendar days or business days. A commenter recommended counting the 
turnaround time in business days rather than calendar days because 
processing prior authorization requests requires careful evaluation by 
payers and a review process that is dependent on working days as 
opposed to calendar days. Defining the turnaround timeframe by calendar 
days limits the time needed by payers to accurately reach a decision 
and is further reduced during holidays. This commenter suggested 
providing a timeframe that aligns with the number of working hours a 
payer has to evaluate a request and suggested CMS provide 7 business 
days. The commenter indicated that such an approach aligns with 
turnaround times for HIPAA transactions and would therefore prevent 
confusion over using both calendar days and business days. Another 
commenter recommended that the proposed standard be reduced from 7 days 
to 72 hours, stating that tracking timelines using hours instead of 
days will preclude any confusion or ambiguity regarding calendar days 
or business days.
    Response: We reiterate that current regulations are specific to 
using hours for expedited requests and we are not modifying the 
terminology for that requirement of 72 hours for expedited requests. 
For example, if a prior authorization request is submitted at 1:00 a.m. 
on Sunday, a response within 72 hours would mean by 1:00 a.m. on 
Wednesday. The regulations do not contemplate delays based on business 
hours or business days. For standard prior authorization requests, the 
current regulations (that is, before the amendments made by this final 
rule) for MA plans and Medicaid and CHIP managed care programs use the 
term ``calendar days,'' in recognition of health care services being 
agnostic of business days. The amendment we proposed and are finalizing 
for standard prior authorization decisions is ``7 calendar days.'' This 
final rule applies to the business process of the prior authorization 
request and decision, and not the transmission of the HIPAA standards 
when used for the request.
    Comment: Multiple commenters recommended having shorter decision 
timeframes that are less than 7 calendar days for standard prior 
authorization requests, ranging from 5 days, 72 hours, 48 hours, and 24 
hours. Some commenters also suggested that decisions be made in real-
time. In general, commenters recommended that CMS create faster prior 
authorization response timelines to improve the patient experience and 
access to care.
    Response: We are finalizing a requirement that prior authorization 
decisions be rendered as expeditiously as the patient's condition 
requires, but no later than 7 calendar days requires impacted payers to 
render their decision based on patient-specific information within 7 
calendar days (or shorter if otherwise required via contract or state 
law) being the maximum. Further, as discussed in the proposed rule, we 
did not propose to change timeframes for prior authorization processes 
for QHP issuers on the FFEs, in part because existing regulations at 45 
CFR 147.136 establish internal claims and appeals processes, external 
review processes, and we believe the current standard adequately 
protects patient interests.\142\ We will continue to review these 
comments and the supporting information to determine how we might 
incorporate such policies in future rulemaking as part of our ongoing 
mission to improve the patient and provider experience.
---------------------------------------------------------------------------

    \142\ See 87 FR 76297.
---------------------------------------------------------------------------

    Comment: Another commenter indicated that timely approvals for 
discharge to an appropriate setting of care are paramount to delivering 
high-quality care. The commenter explained that inappropriate and 
lengthy delays in payer responses to requests for transfers to post-
acute care settings put patient care at risk. Specifically, the 
commenter explained that in nine percent of cases, the delay is caused 
by an untimely response from a payer. The commenter stated that while 
that percentage may seem low, it accounted for over 20,500 patient 
encounters across the commenter's system in 2022.
    Response: We agree that timely response to such requests can impact 
patient care, and thus we are finalizing policies to reduce prior 
authorization decision timeframes. We also encourage payers to review 
their procedures for this and other similar cases to determine where 
process improvements would be

[[Page 8881]]

appropriate to prevent such delays within their own organizations and 
provider relationships.
    Comment: A commenter stated that ensuring appropriate review 
timeframes to make decisions for patients is critical to avoiding 
mistakes in care and that accelerated review timeframes increase the 
risk of failed or non-optimal therapies. A commenter wanted CMS to 
maintain the current 14-day decision timeframes for standard requests 
in Medicaid managed care. Another commenter suggested that CMS remove 
the proposal to shorten prior authorization turnaround timeframes until 
the Prior Authorization API is implemented and the agency can re-
evaluate whether the policy is necessary and then re-issue a proposal. 
Multiple commenters had concerns about shortening the prior 
authorization timeframes. Several state commenters expressed concern 
that they will neither have the staffing capacity nor the operational 
efficiencies to implement the prior authorization timeframes by the 
compliance date. Some commenters noted that state legislative approval 
will be needed to increase state staffing or adjust vendor contracts, 
requiring additional time to implement. Some commenters also noted that 
states will need to evaluate and overhaul their entire prior 
authorization processes to attain the operational efficiencies needed 
to achieve the shortened decision timeframes.
    Response: We thank the commenters for their concerns about accuracy 
in making decisions about prior authorizations, but that utilization 
management techniques and other professional safeguards are in place to 
mitigate such concerns. As we stated in the CMS Interoperability and 
Prior Authorization proposed rule, shorter prior authorization 
timeframes will improve patient care, reduce burden, and improve equity 
(87 FR 76297). The volume and substance of other comments support our 
proposals to shorten certain existing timeframes, and thus we are 
finalizing our proposal as described in this final rule. When the Prior 
Authorization API is implemented in 2027, this resource should further 
improve efficiencies in the process. We recognize the unique challenges 
some state commenters shared concerning the practical ability to 
implement the new prior authorization timeframes in state Medicaid and 
CHIP FFS by January 1, 2026. We understand that states often require 
longer timeframes to create new positions, adjust procurement 
arrangements, and rework system processes. We are willing to work with 
state Medicaid and CHIP FFS programs that may be unable to meet the new 
compliance date for the prior authorization timeframes. States should 
contact their Medicaid state lead or CHIP project officer before April 
1, 2025, to discuss their extenuating circumstances. Any flexibility 
granted to a state Medicaid or CHIP FFS program for the implementation 
of the new prior authorization decision timeframe requirements will be 
temporary and limited to the unique circumstances of the program.
    Comment: A commenter stated that providers and health plans have 
multiple exchanges of information back and forth, including additional 
medical documentation and patient-specific information before a final 
determination. The commenter noted that the currently proposed decision 
timeframes do not account for these situations as most requests often 
require additional information from providers. The commenter also 
stated that these requirements, in combination with a lack of required 
information about the data content, could unintentionally increase the 
number of denials. Multiple commenters stated that shorter timeframes 
would mean an increase in staff and administrative resources and that 
without enough time there could be an increase in denials.
    Response: We also acknowledge that additional staff resources may 
be necessary. Firstly, the Prior Authorization API could mitigate 
communication and staffing issues, once it is fully implemented, but 
acknowledge that additional staff may be necessary during the 
implementation process. Also, the focus on process improvement overall 
may lead to improved efficiencies as payers address opportunities to 
reduce inefficiencies and meet the requirements of the final rule. 
Furthermore, the requirement to provide a specific reason for denials, 
regardless of the method of the prior authorization, should also 
support improvements in communication between health plans and 
providers. By making the documentation requirements clearer through the 
API, providers should submit more complete and appropriate 
documentation in the first submission, thus enabling quicker processing 
and fewer denials. Additionally, for Medicaid managed care plans at 42 
CFR 438.210(d)(1) and for CHIP managed care entities through an 
existing cross reference at 42 CFR 457.1230(d), we are finalizing (with 
slight redesignations from current regulations) a provision that 
permits standard authorization decisions to have an extension of up to 
14 additional calendar days (to the 7-calendar day timeframe) if the 
enrollee or the provider requests the extension or if the managed care 
plan justifies a need for additional information and how the extension 
is in the enrollee's interest. Medicaid managed care plans have been 
able to utilize a 14-calendar day extension since 42 CFR 438.210(d)(1) 
was first promulgated in 2001 (66 FR 43670). We believe this provides 
sufficient time for managed care plans and providers to complete the 
needed information exchange and enable the managed care plan to render 
its decision. Similarly for CHIP FFS, we are finalizing our policy at 
42 CFR 457.495 to allow for a possible extension of up to 14 days if 
the enrollee requests the extension or if the physician or health plan 
determines that additional information is needed to furnish a prior 
authorization decision.
    Comment: A commenter suggested that CMS convene a multi-stakeholder 
panel of health professionals and payer representatives to determine an 
appropriate timeframe for prior authorizations.
    Response: We do not agree that a multi-stakeholder panel of health 
professionals and payer representatives is necessary to determine an 
appropriate timeframe for prior authorizations. CMS has conducted 
surveys and listening sessions for nearly a decade, as have 
professional associations. Results are consistent for challenges of 
timeframes, with the consensus that this issue must be addressed. While 
some states have additional requirements for decision timeframes, they 
are not the same across the country. This final rule establishes 
policies for most of the programs over which CMS has authority to 
provide consistent and aligned structure for providers and payer 
communications on this important matter. To continue the conversation 
with another panel would further delay implementing these important 
changes that provide the opportunity for improving access to care and 
ensure that the industry collaborates on a solution to a critical 
problem that has widespread consensus. CMS will evaluate these reduced 
timeframes over time to see if future changes are needed, and may at 
that time conduct additional stakeholder meetings, but at this time we 
do not believe this is a necessary step to finalizing this policy, 
which will reduce timeframes and improve prior authorization processes 
across impacted payers.
    Comment: Multiple commenters requested clarification regarding the 
consequences and the available appeals process if payers do not meet 
decision timeframes. For example, a commenter

[[Page 8882]]

stated that for cancer treatments, there should be no extensions unless 
a peer-to-peer review is needed, and if so, it should only be for 48 
hours from the original request. Another commenter stated that policies 
should be implemented for payer oversight and dispute resolutions like 
targeted audits and penalties for violations. Multiple commenters 
highlighted that if decision timeframes are not met there should be a 
presumption of coverage for standard and pre-service determinations for 
providers and expedited appeal rights. A commenter noted that payers 
should be required to provide more information for denials when they do 
not meet decision timeframes and there should be civil monetary 
penalties on entities that demonstrate a statistical pattern of 
unnecessary documentation requests.
    Response: We agree that data will be useful for oversight 
activities. The impacted payers are subject to the oversight and 
enforcement of the respective programs, in accordance with annual 
reporting, certification, and/or auditing. We have addressed program 
enforcement and compliance mechanisms in response to other similar 
comments in section I.D.2. of this final rule. For Medicaid managed 
care, 42 CFR 438.66(a) through (c) requires states to have a monitoring 
system for all of their managed care programs that addresses all 
aspects of the program and requires that data collected from these 
monitoring activities are used to improve program performance. Further, 
42 CFR 438.66(e) requires states to complete an annual report on the 
performance of each of its managed care programs, submit that report to 
CMS, and post it on the state's website. CMS reviews these reports and 
can take enforcement action when needed. Along with the metrics 
published under 42 CFR 438.210(f), we will have broad visibility into 
the timeliness of Medicaid managed care plans' prior authorization 
decisions. For QHP issuers on the FFEs, penalties associated with 
failure to comply with deadlines or other provisions of 45 CFR 147.136 
are generally within the purview of state regulators.\143\ The AMA 
published a summary of some state initiatives regarding prior 
authorization practices.\144\
---------------------------------------------------------------------------

    \143\ Except to the extent that a state has deferred to CMS as 
the primary enforcer of these provisions or a state has entered into 
a Collaborative Enforcement Agreement (CEA) with CMS whereby the 
state attempts to obtain voluntary compliance but if unsuccessful, 
defers to CMS to handle enforcement.
    \144\ American Medical Association (2023, May 10). Bills in 30 
states show momentum to fix prior authorization. Retrieved from 
https://www.ama-assn.org/practice-management/prior-authorization/bills-30-states-show-momentum-fix-prior-authorization.
---------------------------------------------------------------------------

    For the reasons discussed in the CMS Interoperability and Prior 
Authorization proposed rule at 87 FR 76297, we are not requiring that 
impacted payers approve a request for prior authorization if that payer 
did not meet the required standard or expedited decision timeframe. If 
a payer fails to meet the timeline for approval or other decision, 
providers should contact the payer to obtain the status of the request 
and determine if supporting documentation is needed to complete the 
processing of the authorization or if there are other reasons for the 
delay in a decision. We do not believe it is practical to require 
payers to default to approval for prior authorization requests for 
which a timely response has not been provided. Therefore, impacted 
payers may choose to evaluate process improvements to meet the proposed 
timeframes and API in this final rule, and consider how to efficiently 
support provider inquiries on status should responses or timeframes be 
missed. Some programs, such as the MA program (and including applicable 
integrated plans) and the Medicaid and CHIP managed care programs, have 
regulations that include provisions for the failure to provide timely 
notice of an organization determination; generally, such a failure to 
meet the deadline constitutes an adverse decision on the prior 
authorization request that may be appealed.\145\
---------------------------------------------------------------------------

    \145\ See 42 CFR 422.568(f), 422.631(d)(1)(ii), 438.404(c)(5), 
and 457.1260(b)(3).
---------------------------------------------------------------------------

d. Operational Topics
    We solicited comments on what administrative, regulatory, 
technical, governance, operational, and workflow solutions would need 
to be addressed, for and by payers, to comply with the proposed 
timeframes for handling prior authorization review and approval 
activities. We also solicited comments on what operational or 
procedural changes payers or providers would need to make in their 
workflows or systems to reduce decision timeframes from 14 calendar 
days to 7 calendar days (for standard prior authorization requests) and 
from 72 hours to 1 day or 24 hours (for expedited prior authorization 
requests). We indicated that we wished to learn more about barriers 
that prevent payers from meeting shorter timeframes than those we 
proposed and requested input on whether MA organizations and applicable 
integrated plans, state Medicaid and CHIP FFS programs, Medicaid 
managed care plans, and CHIP managed care entities could provide notice 
of standard and expedited prior authorization decisions within shorter 
timeframes (for example, 5 calendar days and 48 hours, respectively), 
and if not, what issues and obstacles prevent that. We solicited 
comments on whether implementation of the Prior Authorization API could 
yield process improvements to support shorter decision timeframe 
requirements for prior authorization requests and on anticipated 
operational challenges of implementing the API that might affect a 
payer's ability to meet the proposed timeframes. Finally, we requested 
comments regarding the costs, benefits, and operational impact on 
providers and payers, as well as the impact on patients, of making and 
communicating prior authorization decisions on a shorter timeframe than 
those in the proposed rule. We received a substantial number of 
comments on these topics which will be useful as we consider future 
policies and guidance on these issues.
    These policies for the impacted payers are being finalized in this 
final rule in the CFR sections listed in Table E4.
BILLING CODE 4150-28-P

[[Page 8883]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.005

BILLING CODE 4150-28-C

[[Page 8884]]

    The timeframe for standard prior authorization requests and 
expedited organization determinations for certain programs may be 
extended for either 14 or 15 \146\ days for reasons specified and 
permitted under existing or new policies. The specific citations are 
provided here for reference.
---------------------------------------------------------------------------

    \146\ QHP issuers on the FFEs follow 29 CFR 2560.503-
1(f)(2)(iii)(A) for certain extensions. See 29 CFR 2560.503-
1(f)(2)(iii)(A).
---------------------------------------------------------------------------

     Medicaid FFS at 42 CFR 440.230(e)(1)(i). Timeframes for 
prior authorization decisions under the Medicaid FFS program have been 
newly established with this final rule. The timeframe for standard 
authorization decisions can be extended by up to 14 calendar days if 
the beneficiary or provider requests an extension or if the state 
agency determines that additional information from the provider is 
needed to make a decision.
     MA expedited organization determinations at 42 CFR 
422.572(b) and MA standard organization determinations at 42 CFR 
422.568(b)(1)(i). Extensions are permitted for expedited and standard 
integrated organization determinations by applicable integrated plans 
(see 42 CFR 422.631(d)(2)(ii)).
     Medicaid managed care plan expedited authorization 
decisions at 42 CFR 438.210(d)(2)(ii) and Medicaid managed care plan 
standard authorization decisions at 42 CFR 438.210(d)(1)(ii). 
Extensions are permitted for expedited and standard prior authorization 
requests by up to 14 calendar days under certain circumstances.
     QHP issuers on the FFEs are permitted additional time on 
expedited requests under certain circumstances when a claimant does not 
provide sufficient information. See 29 CFR 2560.503-1(f)(2)(i). Limited 
extensions of the timeframe for standard requests are also allowed 
under certain circumstances. See 29 CFR 2560.503-1(f)(2)(iii)(A).
5. Requirements for Timing of Notifications Related to Prior 
Authorization Decisions
    This section outlines the regulatory amendments adopted in this 
rule as applicable based on other laws for the timing of notifications 
sent by certain payers to patients regarding prior authorization 
decisions. These requirements also apply to most impacted payers. 
However, we did not address notifications from the QHP issuers on the 
FFEs for the same reasons we explained in section II.D.4. of this final 
rule.
a. Medicare Advantage Organizations
    MA organizations are currently required to provide notifications to 
enrollees of decisions regarding coverage, called organization 
determinations, which include decisions regarding prior authorizations. 
To support more timely decisions and communication of those decisions, 
we proposed to amend 42 CFR 422.568(b)(1) to require MA organizations 
to notify the enrollee of its prior authorization determination as 
expeditiously as the enrollee's health condition requires, but no later 
than 7 calendar days after the organization receives the request for a 
standard organization determination for a medical item or service 
subject to the prior authorization rules at 42 CFR 422.122. We also 
proposed to move the existing language at 42 CFR 422.568(b)(1)(i) and 
(ii) (regarding extensions of the adjudication timeframe for standard 
organization determinations) to 42 CFR 422.568(b)(2). We proposed to 
move the language previously at 42 CFR 422.568(b)(2) to a new paragraph 
(b)(3). We emphasized that this change to the regulation text structure 
would not change current requirements and that the proposed new 7-
calendar day timeframe would remain subject to the existing standards 
and limits (currently at 42 CFR 422.568(b)(1)(i), proposed to be at 42 
CFR 422.568(b)(2)) related to when an MA organization may extend the 
adjudication timeframe by up to 14 additional calendar days. For 
additional explanation on the continued applicability of existing 
standards, in this final rule, we are adding paragraph (a)(3) to 42 CFR 
422.122 to explain that prior authorization decisions made under 42 CFR 
422.122 must meet all other applicable requirements in subpart M of 
part 422, such as the adjudication timeframes and notice requirements. 
In this final rule we are also adding explanatory language to the 
beginning of paragraph (b)(1)(i) of 42 CFR 422.568; specifically, we 
are adding the phrase ``For a service or item not subject to the prior 
authorization rules at Sec.  422.122'' to the beginning of the sentence 
to be clear that those requests not subject to the prior authorization 
rules at 42 CFR 422.122 will be adjudicated under the existing 14-
calendar day timeframe, such as a request for a supplemental benefit 
that involves an OTC drug or a pre-service request made by an enrollee 
who is seeking an advance determination on an item or service that is 
not subject to prior authorization under the rules at 42 CFR 422.122. 
In contrast, 42 CFR 422.568(b)(1)(ii) sets forth the 7-calendar day 
timeframe for those requests for a service or item that are subject to 
the prior authorization rules at 42 CFR 422.122.
    We proposed similar amendments to the integrated organization 
determination requirements at 42 CFR 422.631 for applicable integrated 
plans. We are making in this final rule explanatory revisions to the 
regulation text at 42 CFR 422.631 consistent with the revisions made at 
42 CFR 422.568 and amended 42 CFR 422.631(d)(2)(i)(B) to state that 
when a provider makes a request for an item or service, the applicable 
integrated plan must notify the enrollee of its determination as 
expeditiously as the enrollee's health condition requires, but no later 
than 7 calendar days after the organization receives the request for a 
standard pre-service organization determination that is subject to 42 
CFR 422.122. We also proposed an amendment to 42 CFR 
422.631(d)(2)(iv)(B) to state that when an applicable integrated plan 
denies a request for an expedited determination and automatically 
transfers the request to the standard timeframe, it must make its 
determination within the applicable timeframe established at 42 CFR 
422.631(d)(2)(i)(B). This means that for prior authorization requests 
within the scope of 42 CFR 422.122, the 7-calendar day timeframe 
applies, rather than the current 14-calendar day timeframe for an 
integrated organization determination. These changes also apply to 
applicable integrated plans that are MCOs as defined at 42 CFR 438.2, 
because per 42 CFR 438.210(d)(4), 42 CFR 422.631 also applies to these 
Medicaid plans. These amendments are consistent with changes for other 
Medicaid managed care plans being finalized at 42 CFR 438.210(d)(1) and 
(2). Concerning MA organizations (including applicable integrated 
plans), our proposal was limited to the timeframes for standard 
determinations involving prior authorization, and there are no changes 
to the timeline for expedited integrated organization determinations, 
extensions, or the requirements for notice to enrollees.
    Comment: A commenter urged CMS to require that any failure by an MA 
plan or applicable integrated plan to provide notice of an organization 
determination within the same timeframes (and without having requested 
an extension) constitute a deemed denial for which the provider may 
request a reconsideration by an independent reviewer.
    Response: We acknowledge this commenter's concern about the failure 
of MA plans to provide notice within

[[Page 8885]]

the required timeframes. Under the existing MA rules, a failure to meet 
the deadline by which an organization determination, including a 
request for prior authorization, constitutes a denial that can be 
appealed to the next level (reconsideration by the MA organization). 
See 42 CFR 422.568(f) and 422.631(d)(1)(ii). The MA program regulations 
(42 CFR 422.592 through 422.596 and 422.634) provide for review by an 
Independent Review Entity (IRE) after an MA organization's adverse 
reconsidered organization determination, including where the MA 
organization fails to issue a reconsidered organization determination 
in a timely fashion. We did not propose, and are therefore not 
finalizing here, an amendment to those rules to escalate prior 
authorization denials to the IRE. However, the existing regulations at 
42 CFR 422.590(h)(1) and 422.629(k)(4) provide that for 
reconsiderations by MA plans and applicable integrated plans, the 
individuals who make the reconsideration determination must not have 
been involved in the organization determination. We also reiterate that 
providers should follow up on the status of a request with the payer. 
Failure to respond to a request for the status of the pending prior 
authorization request does not constitute a denial (unless the lack of 
response continues beyond the deadline for response) but may indicate 
other issues in the process such that an appeal may not be necessary. 
We acknowledge that issues in communication between payers and 
providers may continue to exist, and encourage providers to notify 
payers or CMS of any patterns for poor communication and untimely 
issuance of prior authorization decisions.
b. Medicaid Fee-for-Service, Including Beneficiary Notice and Fair 
Hearings
    For the Medicaid FFS program, we proposed, in the CFR sections 
listed in Table E2, regulatory timeframes to provide notice of 
decisions on both expedited and standard prior authorization requests. 
We stated that the new requirements would apply to prior authorization 
decisions beginning January 1, 2026. We are finalizing that policy in 
this final rule.
    Under the new requirement for Medicaid FFS, which appears at 42 CFR 
440.230(e)(1), notice of the state Medicaid program's decision 
regarding an expedited request for prior authorization will have to be 
communicated as expeditiously as a beneficiary's health condition 
requires, but no later than 72 hours after receiving a provider's 
request for an expedited determination, unless a shorter minimum 
timeframe is established under state law. Notice of a decision on a 
standard request for prior authorization will have to be communicated 
to the requesting provider as expeditiously as a beneficiary's health 
condition requires, but no later than 7 calendar days after receiving 
the request, unless a shorter minimum timeframe is established under 
state law. If the state determines that it needs additional information 
from a provider to make a decision, or if the beneficiary or provider 
requests an extension, the proposed decision-making and communication 
timeframe for a standard request may be extended by up to 14 calendar 
days if the beneficiary or provider requests an extension, or if the 
state agency determines that additional information from the provider 
is needed to make a decision. Such extensions may be justified and in 
the beneficiary's interest if medical evidence from outside providers 
is needed to support the request, or if there are other circumstances 
identified by either the provider or the beneficiary.
    Independent of this final rule's API proposals and their 
application to Medicaid prior authorization requests, Medicaid has 
longstanding beneficiary notice and fair hearing regulations. CMS has 
interpreted these existing regulations to apply to prior authorization 
requests for Medicaid FFS and will continue to do so in the future. 
These existing Medicaid beneficiary notice and fair hearing 
requirements will remain in full effect without change, in concert with 
other provisions of this final rule, including the Prior Authorization 
API.
    As discussed in detail in the proposed rule (87 FR 76299 and 
76300), the current Medicaid notice and fair hearing regulations at 42 
CFR 435.917 and 42 CFR part 431, subpart E, apply to all prior 
authorization decisions. Therefore, states are required to--
     Provide the beneficiary with timely and adequate written 
notice of any decision regarding the beneficiary's prior authorization 
request;
     Include the content described at 42 CFR 435.917 and at 42 
CFR part 431, subpart E, including information about the beneficiary's 
right to request a fair hearing to appeal the partial or total denial, 
in the beneficiary notice when a state denies the prior authorization 
request in whole or in part;
     Provide beneficiaries the opportunity to request a fair 
hearing if the state fails to act on a claim, which includes prior 
authorization requests, with reasonable promptness; and
     Provide at least 10-day advance notice to beneficiaries of 
any termination, suspension of, or reduction in benefits or services 
for which there is a current approved prior authorization, including 
information regarding the beneficiary's right to request a fair 
hearing.
    These notice and fair hearing requirements are not affected by any 
of the changes made elsewhere in this final rule. As noted in the CMS 
Interoperability and Prior Authorization proposed rule, the Medicaid 
notice requirements are separate from and independent of, the new 
timeline for provider notice that is finalized at 42 CFR 440.230(e)(1).
    To make it explicit that existing Medicaid beneficiary notice and 
fair hearing rights apply to Medicaid FFS prior authorization 
decisions, we proposed several updates to the existing regulations at 
42 CFR 431.201, 431.220, and 435.917, and a new 42 CFR 440.230(e)(2). 
The proposed changes are intended to further explain, but not change, 
Medicaid notice or fair hearing policy or operational requirements for 
states. We proposed and are finalizing, with one exception discussed 
below, that the changes referenced in this paragraph take effect on the 
effective date of the final rule. Please see 87 FR 76300 for the 
detailed text. The regulations and amendments are listed in Table E3.
    The proposed changes for 42 CFR 431.201 included replacing the term 
``beneficiary'' with ``enrollee'' in the revised definition of 
``Action.'' This change was proposed in error, and the preamble to the 
CMS Interoperability and Prior Authorization proposed rule did not 
discuss the potential impact of changing ``beneficiary'' to 
``enrollee'' on the definition of ``Action.'' In this final rule, we 
are reverting to the term ``beneficiary'' in the definition of 
``Action'' at 42 CFR 431.201, consistent with the current definition 
and with our stated intent in the proposed rule that the changes would 
not change Medicaid notice or fair hearing policy or operational 
requirements for states.
    We received comments on fair hearings and provide those and our 
responses here.
    Comment: Multiple commenters expressed support for our proposal to 
further explain the application of Medicaid notice and fair hearing 
requirements to Medicaid FFS prior authorization decisions and 
recommended that the proposed changes be codified. A few commenters 
noted that states already apply notice and fair hearing requirements to 
Medicaid FFS prior authorizations.

[[Page 8886]]

Multiple commenters noted that Medicaid agencies already have provider 
hearing rights for prior authorization decisions in place.
    Response: We appreciate commenters' support for the proposed 
updates to the Medicaid notice and fair hearing regulations, which we 
are finalizing as proposed.
    Comment: A few commenters noted that patients should receive 
equitable fair hearing rights for their prior authorizations, 
regardless of whether they are enrolled in a Medicaid FFS or a managed 
care plan. A few commenters expressed support for the proposed changes 
which would explain that Medicaid FFS notice and fair hearing 
requirements are consistent with current regulations for notice and 
appeal rights for managed care prior authorization decisions.
    Response: We agree that comparable and aligned notice and fair 
hearing rights should apply across delivery systems. As discussed in 
the CMS Interoperability and Prior Authorization proposed rule, we have 
historically interpreted the existing Medicaid notice and fair hearing 
regulations to apply to prior authorization requests for Medicaid FFS. 
Given the alignment between these state-level requirements and the 
managed care plan-level requirements, equitable notice and appeal 
rights have been and will continue to be available to Medicaid FFS and 
managed care beneficiaries and that the updates, which we are 
finalizing as proposed, will further strengthen the existing alignment 
between delivery systems regarding notices and fair hearings/appeals.
    Comment: A commenter stated that there needs to be more 
clarification in the rule that existing Medicaid beneficiary notice and 
fair hearing rights apply to prior authorization decisions for Medicaid 
FFS beneficiaries. Another commenter recommended CMS mandate more 
details on the hearing process to ensure that a hearing can be 
conducted expeditiously and objectively. A commenter recommended that 
the language in the regulation be strengthened to explicitly state that 
failure to act on a request for prior authorization will give rise to 
notice and hearing rights.
    Response: The updates we are making to these regulations, which we 
are finalizing as proposed, provide additional details regarding how 
Medicaid beneficiary notice and fair hearing rights apply to prior 
authorization decisions for Medicaid FFS beneficiaries. These changes 
provide further detail about, but do not change, the current 
application of these regulations to Medicaid FFS prior authorization 
decisions. Therefore, the existing requirements for the fair hearing 
process at 42 CFR part 431, subpart E, apply to Medicaid FFS prior 
authorization fair hearings. These include a requirement that fair 
hearings must be conducted by an impartial person who was not directly 
involved in the initial decision (42 CFR 431.240(a)(3)) and 
requirements for when the state must take final administrative action 
on a fair hearing request (42 CFR 431.244(f)). These regulations also 
require the state to provide notice to a beneficiary (42 CFR 
431.206(c)(2)) whenever a hearing is required in accordance with 42 CFR 
431.220(a), which includes when the state fails to act upon a claim, 
including a prior authorization decision, with reasonable promptness.
    Comment: A commenter recommended that CMS expand on proposed 42 CFR 
440.230(e)(2) to require written notice of a prior authorization 
decision be provided to the provider as well as the beneficiary.
    Response: The Medicaid notice and fair hearing provisions at 42 CFR 
435.917 and 42 CFR part 431, subpart E, which are cross referenced at 
42 CFR 440.230(e)(2), apply to applicants and beneficiaries, not 
providers. Therefore, we decline this recommendation and will finalize 
42 CFR 440.230(e)(2) as proposed. There are separate requirements 
regarding provider notification of prior authorization decisions. As 
stated in this final rule, we are finalizing requirements for payers to 
provide a specific reason for denials, as well as the status of a prior 
authorization, either through the Prior Authorization API as specified, 
or through existing processes. When providing a status for a prior 
authorization, the response must indicate whether the payer approves 
(and for how long) or denies (and the reason) the prior authorization 
request, or the payer may request more information from the provider to 
support the prior authorization request.
    Comment: A commenter raised concerns about whether and how notice 
and appeal rights can be provided electronically and noted that lower-
income consumers may have inconsistent access to electronic 
communications. This commenter recommended that HHS continue to require 
a redundant written notice for all important Medicaid notices, 
including those related to prior authorization.
    Response: The provision of electronic notices to Medicaid 
applicants and beneficiaries is addressed at 42 CFR 435.918. 
Individuals must be provided a choice to receive notices in electronic 
format or by regular mail and have the option to request that all 
electronic notices also be provided by regular mail. Changes to 42 CFR 
435.918 are outside the scope of this rule. The Medicaid notice 
requirements, which include the provision of fair hearing rights, will 
continue to apply unchanged when API-based notifications begin. 
Therefore, low-income beneficiaries enrolled in Medicaid will continue 
to receive notices by mail, electronically, or both, even after the 
API-based notifications begin.
    Comment: A commenter expressed that CMS's proposal to make explicit 
the requirement for a fair hearing to appeal prior authorization non-
compliance is inadequate to address prevalent and profitable wrongful 
denials of prior authorization. This commenter stated that very few 
patients can appeal wrongful denials and rarely do appeal and noted 
that medical practices aren't compensated for prior authorizations or 
appeals, which harms patients as well.
    Response: Fair hearings are an important part of a beneficiary's 
due process rights. While fair hearings cannot directly prevent 
inappropriate denials of prior authorization requests, they do provide 
a pathway for a beneficiary to remedy an inappropriate prior 
authorization denial, termination, or reduction and provide data to 
states to help them identify problems with the prior authorization 
process. We believe that improvements in the process overall will occur 
by using the API once that is in place, as providers will have 
additional information on which to base the submission of an initial 
prior authorization request.
c. Medicaid Managed Care
    For Medicaid managed care, we proposed new timeframes for notice of 
decisions on standard (non-expedited) prior authorization requests 
which would apply beginning with the rating period that starts on or 
after January 1, 2026, and proposed to revise 42 CFR 438.210(d)(1) and 
(2) to accomplish this. Specifically, we proposed to revise 42 CFR 
438.210(d)(1) to reflect that, beginning with the rating period that 
starts on or after January 1, 2026, managed care plans must provide 
notice of standard authorization decisions as expeditiously as the 
enrollee's health condition requires and within state-established 
timeframes that may not exceed 7 calendar days following the plan's 
receipt of the request for service. Our proposed amendment provided 
that for rating periods that begin before January 1, 2026, the current 
rule would

[[Page 8887]]

remain in effect. We proposed to specify the standard authorization 
requirements by the compliance dates by leaving the section header 
``Standard authorization decisions'' as 42 CFR 438.210(d)(1) and 
redesignating standard authorization timeframes as 42 CFR 
438.210(d)(1)(i)(A) and (B). We also proposed to move the current 
regulation text on extending the prior authorization decision timeframe 
from 42 CFR 438.210(d)(1)(i) and (ii) to 42 CFR 438.210(d)(1)(ii)(A) 
and (B) and proposed to make slight revisions to the text for 
readability. We explained that our proposal would not change the 
current provisions for how failure to issue a decision within the 
required timeframe constitutes an adverse benefit determination that 
can be appealed under 42 CFR 438.404(c)(5). The regulations at 42 CFR 
438.404 and other regulations governing appeal rights at 42 CFR part 
438, subpart F, would continue to apply and we did not propose to amend 
those regulations. We note that 42 CFR 438.404(c)(3) through (6) 
provide that certain adverse benefit determinations must be issued on 
the timing specified at 42 CFR 422.210(d); the new timeframes proposed 
(and finalized) in this rulemaking will apply to those specific adverse 
benefit determinations. In addition, under current regulations at 42 
CFR 438.3(s)(1) and (6) and 438.210(d)(3), Medicaid managed care plans 
must also comply with the requirements in section 1927 of the Act 
regarding coverage and prior authorization of covered outpatient drugs; 
nothing in this rulemaking would change these requirements. Finally, 
because some Medicaid MCOs are applicable integrated plans as defined 
at 42 CFR 438.2, our proposal related to 42 CFR 422.631(d) applied to 
those plans.
    We received a few comments on this subject and provide our 
responses to those here.
    Comment: A commenter agreed with the proposal to provide notice of 
decisions for standard prior authorization requests within state 
established timeframes not exceeding 7 calendar days, and another 
commenter disagreed with the proposal to shorten the maximum amount of 
time for Medicaid managed care plans to respond with a decision from 14 
to 7 days. Another commenter proposed that the standard should be 24 
hours or less for standard requests. A commenter stated that Medicaid 
and CHIP managed care programs already have requirements to issue prior 
authorization decisions within a certain timeframe established by the 
state and that those standards provide adequate protection for 
enrollees and providers.
    Response: As we stated in the proposed rule, and based on CMS and 
other industry studies on the impact of delays to patient health or 
access to care from extended authorizations, reducing standard prior 
authorization decision timeframes from 14 calendar days to 7 calendar 
days should improve patient care outcomes and ensure that patients have 
more timely access to services (87 FR 76296).
d. CHIP Fee-for-Service and Managed Care
    To implement the proposed prior authorization timeframes for CHIP, 
we proposed to revise certain policies affecting the timing for making 
decisions on prior authorization requests under the CHIP FFS and 
managed care programs. These changes are listed in Table E2. We 
proposed that beginning on January 1, 2026, decisions related to prior 
authorization of health services would be required to be completed in 
accordance with the medical needs of the patient, but no later than 7 
calendar days after receiving the request for a standard determination 
and 72 hours after receiving the request for an expedited 
determination, unless an alternative option is preferred by industry 
based on public comments. Further, we stated that if a beneficiary 
requests an extension of a prior authorization review, or if the 
provider or health plan determines that additional information is 
needed for such review, an extension of up to 14 calendar days may be 
granted. We proposed to remove the option for states to follow existing 
state law regarding prior authorization of health services, requiring 
states to instead follow these updated timeframes. However, if state 
laws are more stringent than our proposal, states would be allowed to 
apply and enforce those shorter timeframes for prior authorization 
responses. Timely prior authorization decisions are important patient 
protections, and CHIP patients should be afforded the same decision 
timeframes as Medicaid and Medicare patients.
    Existing CHIP regulations at 42 CFR 457.1130(b) require a state to 
ensure that a beneficiary has an opportunity for external review of 
health services matters, including a delay, denial, reduction, 
suspension, or termination of health services, in whole or in part, 
including a determination about the type or level of service. Under 
this regulation, CHIP beneficiaries must have an opportunity for 
external review of prior authorization decisions. We did not propose 
any changes to this requirement, as it already applies to decisions 
related to the prior authorization of services.
    In the CMS Interoperability and Prior Authorization proposed rule 
we explained that overall, we believed that the decision and 
notification timeframes proposed for certain impacted payers would help 
ensure that prior authorization processes do not inappropriately delay 
patient access to necessary services. Introducing prior authorization 
decision timeframes that are the same across these impacted payers for 
items and services that require prior authorization would also help 
providers better organize and manage administrative resources and thus 
may make more time available for providers to render patient-centered 
care.
    Currently, CHIP managed care program regulations reference the 
Medicaid managed care regulations for the timelines and requirements 
for CHIP managed care entities as to prior authorization decisions and 
notices as well as appeal processes. We explained in the proposed rule 
that the proposal to amend 42 CFR 438.210(d) for timeframes would also 
apply to standard and expedited decisions made by CHIP managed care 
entities because of the cross reference to 42 CFR 438.210 in current 42 
CFR 457.1230(d). We did not propose to change the required timeframes 
for expedited decisions at 42 CFR 438.210(d)(2), but we proposed to 
amend 42 CFR 438.210(d)(2)(i) to explain that the MCO, PIHP, or PAHP 
must make these decisions on shorter timeframes if the state requires 
shorter timeframes. We did not propose any changes to the authority for 
a 14-calendar day decision timeframe provided at 42 CFR 
438.210(d)(2)(ii).
    We received the following comments related to CHIP FFS and managed 
care and include our responses to those comments here.
    Comment: A commenter disagreed with CMS's proposal to shorten the 
maximum amount of time for CHIP FFS and managed care to respond with a 
decision from 14 to 7 days. The commenter proposed that the standard 
should be 24 hours or less. Another commenter recommended CMS provide 
equal protection for children enrolled in CHIP FFS against unnecessary 
delays in accessing necessary services due to prior authorization 
procedures. The commenter also recommended that state CHIP agencies 
follow the same rules as state Medicaid agencies, including specific 
timelines for prior authorization responses for outpatient prescription 
drugs. Another commenter expressed their support for aligning the 
beneficiary protections in CHIP and Medicaid

[[Page 8888]]

managed care and recommended CMS maintain 42 CFR 457.1230(d) as 
proposed, applying 42 CFR 438.210 to CHIP managed care entities with 
the proposed shorter timelines for responses to standard requests for 
prior authorization, characterizing these as stronger beneficiary 
protections.
    Response: Though we anticipate the Prior Authorization API will 
introduce additional efficiencies into the prior authorization process, 
we are uncertain that such a truncated standard decision timeframe 
would be possible until we have completed further data collection and 
analysis after the implementation of the API. The recommendation 
concerning CHIP prior authorization decision timeframes for outpatient 
prescription drugs is outside the scope of the final rule. We agree 
with comments that recommend CHIP prior authorization decision 
timeframes be in alignment with Medicaid.
    We are finalizing the proposals to adopt the timeframes we proposed 
for responses by MA organizations, state Medicaid and CHIP FFS 
programs, Medicaid managed care plans, and CHIP managed care entities 
to prior authorization requests. We are not requiring that impacted 
payers approve a request for prior authorization if that payer fails to 
meet the required standard or expedited decision timeframe. If a payer 
fails to meet the timeline for approval or other decision, providers 
should contact the payer to obtain the status of the request and 
determine if supporting documentation is needed to complete the 
processing of the authorization or if there are other reasons for the 
delay in a decision. The 72-hour requirement for expedited requests is 
measured in hours, whereas the 7-day requirement for standard requests 
is measured in calendar days. In the case of expedited and standard 
requests, the timeframes are 72 hours and 7 days, respectively, unless 
a shorter minimum timeframe is established under state law.
    Tables E2 and E3 provide a list of some, but not all of the final 
policies for decision notification timelines for the impacted payers. 
The full list of final policies and citations is included in Table E4 
at the end of this section. We included these tables for ease of 
reference for the narrative on the discussion of notifications and 
timeframes.
    Table E3 is specific to the Medicaid FFS notice and fair hearings 
provisions, which provide an important service to beneficiaries and 
providers alike. This rule finalizes modifications to those provisions, 
and this table and accompanying narrative provide the reader with 
citations to new and existing provisions.
[GRAPHIC] [TIFF OMITTED] TR08FE24.006


[[Page 8889]]


[GRAPHIC] [TIFF OMITTED] TR08FE24.007

6. Extensions, Exemptions, and Exceptions
    See section II.E. of this final rule for a discussion of extensions 
and exemptions and the final policies for the Prior Authorization API 
for state Medicaid and CHIP FFS programs and exceptions for the Prior 
Authorization API for QHP issuers on the FFEs (this was also addressed 
in the proposed rule at 87 FR 76279).
7. Public Reporting Requirements for Prior Authorization Metrics
    In the CMS Interoperability and Prior Authorization proposed rule 
we discussed the importance of accountability for payer prior 
authorization practices and proposed that certain data be made publicly 
available for patients and providers to better understand the types of 
items and services which required prior authorization and how each 
payer performed over time for approvals and denials. We are finalizing 
our proposal to require impacted payers to report certain aggregated 
metrics about prior authorization by posting them on the payer's 
website. This requirement underscores the importance of transparency 
and accountability in the health care system. Public disclosure of the 
items and services which are subject to prior authorization, as well as 
organizational performance, offers useful information to providers, 
patients, and other interested parties. Performance data could allow 
for objective evaluation of the efficiency of prior authorization 
practices of each organization, and it enables payers to assess trends, 
identify areas for improvement, and work towards continuous process 
improvement while maintaining necessary quality checks for quality and 
appropriateness of care.
    We are finalizing as proposed that state Medicaid and CHIP FFS 
programs will report at the state level, Medicaid managed care plans 
and CHIP managed care entities will report at the plan level, and QHP 
issuers on the FFEs will report at the issuer level. We are finalizing 
a modification to our proposal for reporting to be at the organization 
level to require that reporting be at the contract level for MA 
organizations as discussed in this section (section II.D.7. of this 
final rule). Additionally, we explain that integrated plans will report 
items and services covered by MA organizations at the MA contract level 
and items and services covered by Medicaid managed care plans at the 
plan level as the separate requirements for MA organizations and 
Medicaid managed care plans will apply under the respective contracts.
    We described how payers might use the information for process 
improvements and performance analysis in the proposed rule (87 FR 
76304). For example, an impacted payer could use these data to examine 
its performance trends. In addition, we explained how providing this 
information publicly would benefit patients (who could use the 
information when selecting among plan or organization options) and 
providers (in when and whether to contract with an impacted payer). The 
legal authority for requiring such public reporting is discussed in 
section II.D.10. of this final rule.
    We are finalizing our proposal that for each metric listed, data 
would be reported in aggregate for all items and services. We received 
many comments on the proposed public reporting of metrics, the timing, 
and the level of reporting. The suggestions were detailed and 
represented diverse issues and concerns from interested parties about 
prior authorization challenges and potential uses for the data. CMS 
will use the comments received as CMS considers future policy 
development. We intend to support transparency and accountability and 
enable patients to access data that are meaningful and easy to use for 
decision-making and understanding the prior authorization processes. 
The metrics we are finalizing represent the most significant issues for 
both patients and providers identified over the past decade on a 
national level, including the CMS listening sessions referenced at the 
beginning of this section. Furthermore, payers can supplement the 
information they report with additional metrics on prior authorization. 
We may consider additional reporting options in the future. We 
reiterate that the prior authorization reporting metrics are on medical 
items and services, excluding drugs covered by the impacted payers.
    We are finalizing the requirement for impacted payers to make 
reports available annually on all of the following:
     A list of all items and services that require prior 
authorization.
     The percentage of standard prior authorization requests 
that were approved, aggregated for all items and services.
     The percentage of standard prior authorization requests 
that were denied, aggregated for all items and services.
     The percentage of standard prior authorization requests 
that were approved after appeal, aggregated for all items and services.
     The percentage of prior authorization requests for which 
the timeframe for review was extended, and the request was approved, 
aggregated for all items and services.
     The percentage of expedited prior authorization requests 
that were approved, aggregated for all items and services.
     The percentage of expedited prior authorization requests 
that were denied, aggregated for all items and services.
     The average and median time that elapsed between the 
submission of a

[[Page 8890]]

request and a determination by the payer, plan, or issuer, for standard 
prior authorizations, aggregated for all items and services.
     The average and median time that elapsed between the 
submission of a request and a decision by the payer, plan, or issuer, 
for expedited prior authorizations, aggregated for all items and 
services.
a. Reporting Prior Authorization Metrics
    As described previously, we proposed to require impacted payers to 
report certain metrics to support a level of accountability for the 
requirements in this final rule. As discussed previously, public 
disclosure of information for each audience--patients, providers, and 
the general public--supports the intent of this final rule to improve 
the prior authorization process, patient care, and burden reduction.
    Comment: Many commenters supported CMS's efforts to promote 
transparency through public reporting of these aggregated metrics. 
These commenters believe such reporting will increase transparency from 
payers related to the volume of prior authorizations. For example, a 
commenter wrote to encourage CMS to propose in future rulemaking to use 
the prior authorization data the agency would collect from impacted 
payers to help develop quality measures to incorporate into quality 
ratings across certain payer programs, specifically for MA 
organizations. This would ensure that such data are incorporated more 
directly into a consumer-friendly comparison tool so that payers' prior 
authorization practices are available to physicians and practitioners, 
including gastroenterologists, to ensure transparency and 
accountability in the prior authorization process. Multiple commenters 
stated that reporting metrics could be informative to providers in the 
context of what they submit to payers for prior authorization requests, 
as the data might provide insights about the types of services that are 
approved or denied. A commenter noted that prior authorization metrics 
could be useful to patients as they decide which health plans to 
select, and another commenter appreciated that CMS's proposal aimed to 
strike a balance between data reporting burden and providing meaningful 
data to consumers and providers. Another commenter supported reporting 
prior authorization metrics on the payer's website by March 31, 2026. 
Some commenters believed that CMS should require public reporting of 
the metrics sooner than proposed, and multiple commenters recommended 
that CMS require the public reporting requirement immediately upon 
finalizing the rule.
    Response: We thank commenters for their support of our proposed 
prior authorization reporting metrics, including those commenters who 
recommended that CMS consider additional future uses for the data for 
other program purposes and require compliance as soon as the rule is 
finalized. We agree that payers have the data available now, as they 
are currently conducting the prior authorization process, and that the 
data would provide a baseline for reporting. As proposed and finalized, 
CMS is not collecting these data, but instead requiring impacted payers 
to post such data on the payer's website. We encourage payers to 
consider developing and posting reports of these metrics at the 
earliest date feasible. We are finalizing the requirements for public 
reporting as well as the compliance dates in 2026, as proposed.
    Comment: Multiple commenters recommended that CMS require payers to 
report prior authorization data at a more granular level. Specifically, 
multiple commenters recommended that CMS require MA organizations to 
report prior authorization metrics at the plan level or state level. 
Commenters stated that the organization level for MA organizations was 
a higher level of aggregation than the plan level for Medicaid managed 
care plans and CHIP managed care entities and therefore would not 
present the same level of detail. Those commenters pointed out that MA 
organization metrics reported at the organization level would not be 
useful to consumers choosing plans in their area. Other commenters 
suggested more discrete reporting levels, including county level, 
specialty/benefit level, or service level.
    Response: Upon further consideration and taking the comments into 
account, we determined that contract level is the more appropriate 
reporting level for MA organizations. MA organizations generally have 
multiple plans under the same contract as it is common throughout the 
industry to offer a variety of plans within a service area. Contract-
level data are aggregated data that are collected from the plan benefit 
packages (PBPs) (that is, the various MA plans) offered under an 
individual contract; these data are specific to the contract to which 
they correspond. CMS already requires MA organizations to report some 
contract-level data about their organization determinations to the 
agency on an annual basis and Star Ratings are assigned at the contract 
level. While this particular provision does not require MA 
organizations to submit data to CMS, a consistent approach of contract-
level reporting in the MA program will give consumers useful 
information while limiting plan burden. By requiring contract-level 
reporting for these data, we ensure that the format of this reported 
data remains consistent with that of other similar data that MA 
organizations are required to report.
    We agree that requiring Medicaid managed care plans and CHIP 
managed care entities to report at the plan level will allow 
beneficiaries and states to compare plans within the state. Requiring 
QHP issuers on the FFEs to report at the issuer level, aggregating 
plans under their purview, is consistent with their reporting on 
quality improvement strategies as described in section 1311(g) of the 
Affordable Care Act (45 CFR 156.1130), which provides consistency with 
other QHP reporting requirements.
    While we understand the desire from some commenters to increase the 
level of granularity for reporting, we have concerns about data 
overload, patient understanding, and usability of the data. For 
example, reporting at the specialty level and service level could be 
overwhelming because of the volume of information presented. A patient 
might not be able to relate to the data and would not refer to the 
reports as intended. There can and should be both transparency and 
accountability in the information that is presented to the public and 
we will continue to explore opportunities to strike the appropriate 
balance with impacted payers. We are finalizing a modification to our 
proposal for MA organizations to report at the contract level. We are 
finalizing, as proposed, that state Medicaid and CHIP FFS programs will 
report at the state level, Medicaid managed care plans and CHIP managed 
care entities will report at the plan level, and QHP issuers on the 
FFEs will report at the issuer level.
    We may assess whether to collect more detailed metrics than we are 
finalizing here in program-specific rulemaking in the future. For 
instance, we may consider requiring in future rulemaking that MA plans 
report at a more discrete level. Similarly, should a state Medicaid or 
CHIP agency believe it would be beneficial to require more detailed 
data, the state may require additional metrics in its managed care 
contracts.
    Comment: A commenter requested clarification on whether integrated 
care plans for dually eligible individuals, such as FIDE SNPs, should 
report these data consistent with MA organizations, at the contract 
level, or consistent with

[[Page 8891]]

Medicaid managed care plans, at the plan level.
    Response: Integrated care plans generally combine D-SNPs, which 
include FIDE SNPs and HIDE SNPs--both as defined at 42 CFR 422.2--and 
Medicaid managed care plans offered by the same parent organization. D-
SNPs are a type of MA plan designed to meet the needs of individuals 
who are dually eligible for Medicare and Medicaid, also known as dually 
eligible individuals. In these arrangements, there is an MA 
organization with a contract with CMS for the MA D-SNP and an 
organization with a contact with the state for the Medicaid managed 
care plan.
    For items and services that require prior authorization under an 
integrated plan's MA benefit package, data must be reported in a manner 
consistent with the requirements for MA organizations, which we are 
finalizing at the contract level. In the case of integrated care, the 
affiliated Medicaid managed care plan will report prior authorizations 
of items and services covered under the plan's Medicaid benefit package 
at the plan level. Where there is not a clear delineation between 
whether items or services are covered under Medicare or Medicaid (for 
example, home health services), we will accept any reasonable 
methodology for attributing the prior authorization reporting to one 
payer versus the other.
    Comment: Multiple commenters recommended a more phased-in approach 
to the reporting of prior authorization metrics. A commenter stated 
that while prior authorization metrics should not be publicly reported 
until after the electronic FHIR APIs have been implemented, the prior 
authorization metrics should still be reported to CMS beginning March 
2026. A commenter recommended that CMS begin to phase in reporting 
requirements before the 2026 implementation period (for example, 
require payers to report some, but not all, metrics soon after the rule 
is finalized) to help identify any issues with the reporting process so 
that they can be addressed timely.
    Response: We disagree that a phased-in approach to reporting 
metrics is necessary given that payers already conduct prior 
authorization processes and likely already track data for many of the 
metrics for their usual business operations. We are finalizing 
compliance dates in 2026, as stated previously. We agree that reporting 
prior authorization metrics conducted using the Prior Authorization API 
will not be reported until after the Prior Authorization API has been 
implemented, and that the technology could be capable of supporting 
automated reporting on its use. The metrics to be included in the 
reports beginning in March 2026 will be based on an impacted payer's 
current prior authorization processes, in advance of implementation of 
the Prior Authorization API. Reporting information about performance 
data in advance of implementation could provide valuable data in the 
years post-implementation.
    Comment: Multiple commenters expressed concerns about how the prior 
authorization metrics could be used by payers in inappropriate or 
harmful ways to providers. A commenter flagged that the publicly 
reported metrics could lead to plans ``self-selecting'' patients by 
implementing other burdensome prior authorization processes to avoid 
approving services, which could lead to patients who need those 
services enrolling in other plans. Another commenter recommended that 
CMS address steps it will take to protect against adverse selection. 
This commenter urged CMS to consider how it will mitigate unintended 
consequences that may occur as competing payers decide to analyze each 
other's data once it becomes public. The commenter wrote that CMS 
should make clear that any such practices would be against the spirit 
and intent of the reporting requirements.
    Response: We acknowledge concerns by a few commenters that prior 
authorization policies and information on the publicly reported metrics 
could technically be used inappropriately for improper decision-making 
purposes or other reasons. Public reporting does not in and of itself 
create such behavior. However, we believe requiring that public 
availability of prior authorization metrics will have the opposite 
effect; that is, payers will use the data to try to improve their 
performance to improve their competitive standing in a program.
    In addition, there are some safeguards in place to help address the 
concerns raised by commenters about inappropriate efforts to discourage 
enrollment by individuals who need certain covered services. Medicaid 
managed care regulations also provide significant patient protections 
for access to covered services at 42 CFR 438.206 through 438.210. For 
example, 42 CFR 438.210(a) requires states' contracts with Medicaid 
managed care plans to identify, define, and specify the amount, 
duration, and scope of each service covered by the plan and such 
amount, duration, and scope must be no less than that furnished to 
Medicaid FFS beneficiaries. Existing regulations at 42 CFR 438.66 
require states to have a monitoring system that addresses all aspects 
of each Medicaid managed care program and to use the data collected 
from their monitoring activities to improve the performance of their 
managed care program, including at a minimum enrollment and 
disenrollment trends in each managed care plan. Additionally, 42 CFR 
438.66(e) requires states to submit to CMS a report on each of their 
Medicaid managed care programs that provides information on and an 
assessment of the operation of the managed care program.
    Further, section 1852(b)(1) of the Act prohibits discrimination by 
MA organizations on the basis of health status-related factors and 
directs that CMS may not approve an MA plan if CMS determines that the 
design of the plan and its benefits are likely to substantially 
discourage enrollment by certain MA eligible individuals. In addition, 
MA organizations must comply with applicable Federal civil rights laws 
that prohibit discrimination on the basis of race, color, national 
origin, sex, age, or disability, including section 1557 of the 
Affordable Care Act, Title VI of the Civil Rights Act of 1964, section 
504 of the Rehabilitation Act of 1973, and the Age Discrimination Act 
of 1975. The regulation at 42 CFR 422.110 provides that an MA 
organization may not deny, limit, or condition the coverage or 
furnishing of benefits to individuals eligible to enroll in an MA plan 
offered by the organization on the basis of any factor that is related 
to health status. MA organizations discouraging or preventing 
enrollment in an MA plan by beneficiaries by implementing burdensome 
prior authorization processes to avoid approving services would be 
prohibited by 42 CFR 422.110. CMS relies on the MA anti-discrimination 
provision; the agency's authority under section 1856(b) of the Act to 
adopt standards for MA organizations; and the agency's authority under 
section 1857(e) of the Act to add terms and conditions that are 
necessary, appropriate, and not inconsistent with the Medicare statute. 
CMS does not collect detailed information on prior authorization 
policies as part of the bid. However, CMS will continue to monitor for 
potential discrimination by plans through prior authorization and other 
utilization management programs in our review of complaints received 
from beneficiaries and providers and will take action, as necessary. 
CMS may also consider future sub-regulatory guidance based on a review 
of complaints.
    We also believe that MA and other managed care plans will use the 
published data to drive performance

[[Page 8892]]

improvement to facilitate provider network development and that 
providers will use the prior authorization metrics to evaluate managed 
care plans and make decisions on whether to join or remain part of a 
plan's network.
    Comment: A commenter recommended that if CMS intends to require 
public reporting in the final rule, CMS should explain how the data 
would benefit interested parties and conduct education and outreach to 
prevent confusion or misinterpretation of data. Multiple commenters 
stated their hesitation to require public reporting of prior 
authorization data without understanding the purpose of the reporting, 
and another recommended that CMS reevaluate the need and value of 
payers reporting the prior authorization metrics versus its costs and 
resource burden. Multiple commenters highlighted the significant new 
administrative burden that reporting prior authorization metrics would 
cause. Other commenters recommended that CMS remove the proposed 
requirement for payers to publicly report prior authorization metrics.
    Response: We are aware that payers have many reporting requirements 
for state and Federal programs and that preparing these public 
disclosures may require additional effort. Payers also provide 
educational resources to patients and providers for enrollment, 
directories, and other health care reminders--all to explain benefits 
and services and improve the health care experience. We are finalizing 
policies in this final rule to address longstanding, important process 
challenges related to prior authorization. Reporting on these metrics, 
including, for example, the services that require prior authorizations, 
the number of denials, those approved, and those overturned after 
appeal, will give the patients and providers a better understanding of 
payer performance in those categories--and over time--of the changes in 
performance in those categories. These data will demonstrate the 
intended impact of these policies. Public reporting is one of the most 
universal, effective means to demonstrate improvement or change. This 
public reporting has value because it can provide a benchmark for 
patients or providers to understand, at a high level, the volume of 
services a payer approves or denies, the types of services it 
authorizes, or changes in those decisions over time. Not all patients 
will use or necessarily understand all of the data, but it may help 
support the beginning of a conversation between either the patient and 
the payer, or the patient and the provider. We anticipate payers will 
identify the most appropriate locations on their website for the 
information to be public. We additionally note that the Medicare FFS 
program currently publicly reports prior authorization metrics on its 
website and invites payers to reference the presentation of those 
metrics as they develop their public reporting strategy.\147\
---------------------------------------------------------------------------

    \147\ Centers for Medicare and Medicaid Services (2023, 
September 15). Prior Authorization and Pre-Claim Review Initiatives. 
Retrieved from https://www.cms.gov/data-research/monitoring-programs/medicare-fee-service-compliance-programs/prior-authorization-and-pre-claim-review-initiatives.
---------------------------------------------------------------------------

    Comment: A commenter recommended that a voluntary consensus SDO 
should develop standardized codes that could be used to document prior 
authorization denial reasons. Then, CMS could revise the metrics to 
include information on the reason for denial to provide a more complete 
picture of a plan's prior authorization process.
    Response: As discussed previously in the section on providing a 
reason for denial, the standard codes for denial reasons are an 
external code set maintained by X12, which is a voluntary SDO. Any 
organization or individual interested in providing updates to this code 
set may do so by submitting a request to X12. At this time, we are not 
requiring payers to publicly report the reason for denial in these 
reporting metrics; that information is only provided to the requesting 
provider and the patient.
    Comment: Another commenter recommended that state Medicaid agency 
reporting requirements be changed to begin 1 year following the 
implementation of the APIs (by March 31 of each year). Another 
commenter stated that the proposed metrics do not align with the data 
elements required to be reported for appeal for the Managed Care Annual 
Care Program Report (MCPAR) that states are required to report. The 
commenter stated that alignment is necessary to assess the impact of an 
MCO, PHIP, or PAHP's prior authorization determinations on beneficiary 
access to requested services.
    Response: We disagree that any payer should begin their reporting 
period substantially after any other payer, as all payers already have 
data to support their prior authorization activities. Even if a state 
Medicaid agency were granted an exception or extension, their prior 
authorization processes are already in effect and they have data 
regarding their current prior authorization activities. The final 
action statement in this section of the final rule includes the 
compliance dates and reporting requirements for impacted payers, which 
remains March 31, 2026, for reporting data for the prior year. 
Concerning the MCPAR, alignment is neither necessary nor feasible. The 
MCPAR collects information specifically on appeals, and we are 
requiring information specifically on prior authorization. While it is 
true that a denied prior authorization could generate an appeal, that 
is not relevant to these two reporting vehicles. We may revise the data 
collected in the MCPAR in the future and will use the existing data 
from the MCPAR and this reporting to inform any such revisions.
    Comment: Multiple commenters recommended that CMS develop standard 
guidance or IGs for payers to have a set format and consistent 
calculation of the metrics. A commenter flagged that the lack of 
guidance on report formatting could lead to a wide variation across 
impacted payers. Another commenter stated that CMS should issue the 
guidance and allow adequate time for impacted payers and vendors to 
make the appropriate modification to their system before public 
reporting begins. A commenter sought clarification as to whether the 
public reporting of prior authorization metrics would only apply to 
prior authorization requests that are received on or after the 
compliance dates. Another commenter recommended that rule language 
specify the data required, ensure the data are placed prominently on 
the payers' websites, and indicate the cadence at which payers must 
refresh the publicly reported data. Many other commenters suggested 
various dissemination mechanisms for the prior authorization metrics. A 
commenter stated that they support an active distribution method for 
the prior authorization metrics, like a newsletter. Another commenter 
recommended that prior authorization metrics be available to be 
downloaded in Excel and PDF.
    Response: The Medicare FFS program currently publicly reports prior 
authorization metrics on its website and invites payers to reference 
the presentation of those metrics as they develop their public 
reporting strategy. We will consider what additional support we can 
provide to impacted payers before the compliance date of the final rule 
regarding recommended content and format for use in their public 
reports. The requirement for data in the first report for prior 
authorization metrics to include information about prior authorization 
activity for the prior year will provide a baseline for impacted payers 
as well as the public.

[[Page 8893]]

The reporting requirement applies to prior authorization requests that 
were received the year before the compliance date.
    Comment: Multiple commenters recommended that CMS report the 
required prior authorization information on the CMS website. A 
commenter stated that this will enable easy retrieval of data by 
physicians and patients, especially for plan comparison. Another 
commenter stated that CMS should also make sure it publishes this 
information on pages of its website that correlate to a particular 
payer. A commenter stated that CMS should report on the impact prior 
authorization has on the quality of care patients receive, potential 
delays in care, and associated cost savings due to the prior 
authorization process. The commenter suggested that reporting these 
data can help policymakers, researchers, providers, and patients make 
more informed decisions about the prior authorization process, ensuring 
that patient care remains central. Multiple commenters recommended that 
instead of payers publicly reporting metrics, there should be 
confidential reporting to CMS so it can track outliers and avoid 
misleading patients on data that are not comparable across plans. 
Another commenter recommended that CMS consider confidential payer 
reporting to CMS until the Prior Authorization API experiences 
significant uptake by providers.
    Response: We considered requiring that payers submit their reports 
to a central website for publication. However, as we explained in the 
CMS Interoperability and Prior Authorization proposed rule (87 FR 
76347), we did not select this alternative because we believe patients 
likely would view their health plan and payer as the resource for 
information about their plan. While CMS does provide comparative data 
for plans in certain programs (for example, the MA program) and may use 
such information in future public reports, we are not finalizing such 
an approach in this rule. Patients should be able to find information 
about their plan or payer from those websites to minimize burden and 
confusion. For Medicaid and CHIP, patients generally associate their 
coverage with their state or managed care plan, not CMS. While having 
the prior authorization data posted on each payer's website is the most 
appropriate place, we also encourage state Medicaid agencies to include 
the data on their websites (which are required by 42 CFR 438.10(c)(3)) 
to improve the value of information available to their patients. 
Similarly, MA patients look to their MA organization websites for 
information and resources about those plans and their performance. 
Payers must already include significant patient resource information on 
their websites, and CMS will conduct outreach to payers, patients, and 
providers to help provide guidance on best practices about the website 
locations for such public reporting of prior authorization information. 
In our oversight role, we may begin to look at data after the 
compliance date to evaluate compliance with these new reporting 
requirements. CMS may consider additional reporting requirements as 
well as publication of comparative information in the future.
    Comment: Multiple commenters stated it would be helpful for 
additional context to explain metrics in the event of an outlier, such 
as explaining denial or approval rates for services-related data. 
Multiple commenters suggested including the total number of requests 
approved/denied, rather than only aggregate percentages. A commenter 
stated that they also would like to see specific data for common 
services to show a direct comparison across different payers and plans 
as certain prior authorization requests are more complex than others.
    Multiple commenters stated that service-specific reporting will aid 
in identifying services for which there is a high rate of approval and 
for which prior authorization requirements may no longer be necessary, 
or for identifying critical services or items being routinely denied. A 
commenter recommended CMS require payers to provide more detailed 
information by item or service including Healthcare Common Procedure 
Coding System (HCPCS) code, Current Procedural Terminology (CPT) code, 
and International Classification of Diseases, Tenth Revision (ICD-10) 
code. Other suggestions included requiring payers to report 
disaggregated data by diagnosis, race and ethnicity, gender, and age. A 
commenter warned that without item- and service-level reporting, it 
will be impossible for CMS and the public to understand some data and 
to hold impacted payers accountable for excessive denials and delays in 
responding to prior authorization requests. Other commenters 
recommended CMS require payers to report data with setting-specific 
data or by type of provider (for example, physician, short-term care, 
long-term care, rehabilitation, psychiatric, and skilled nursing 
services). A commenter stated that only with this setting level of 
specificity will patients and providers be able to assess which 
services are routinely denied, appealed, and overturned in favor of 
patients and providers. Another commenter warned that segmentation by 
the provider should encompass short-term acute care, long-term care, 
rehabilitation, psychiatric, and skilled nursing services to allow 
consumers, providers, and regulators to gain a better understanding of 
prior authorization processes and where there is a need for 
improvement. A commenter recommended that CMS should require metrics be 
broken down at the Health Care Provider Taxonomy code set Level II, 
Classification, which is a code set used in HIPAA standard 
transactions. Another commenter recommended that the metrics be 
reported by the payer based on service type, site of care, and whether 
the service is inpatient or outpatient. Another commenter wanted CMS to 
compare the metrics for MA organization plans to Medicare FFS and 
commercial health plans.
    Response: Service-specific and demographic reporting may be very 
useful to the impacted payers in evaluating their programs and expect 
that they use such data today and will continue to do so as they 
implement the policies of this final rule. While we agree that there 
could be many more reporting requirements, and at more granular levels, 
and data are an important tool for different evaluation purposes, 
reporting should serve its intended purposes and not become a burden to 
the users. Too much data can also become overwhelming. We anticipate 
patient and provider feedback following implementation and will review 
opportunities after that time.
    We agree that it would be appropriate to compare the metrics for 
all payers several years after the policies of this final rule have 
been implemented to determine its impact on the prior authorization 
barriers and burdens. However, commercial plans other than QHPs on the 
FFEs are not subject to the provisions of this rule, and CMS does not 
have access to performance data for those organizations. If states are 
collecting such data, they might be able to analyze the data at the 
state level.
b. Publication of Prior Authorization Metrics
    We requested comments on how the information might be displayed on 
payer websites in a useful and meaningful manner for patients and 
providers, including which data would be most useful. The summarized 
comments and our responses follow.
    Comment: Multiple commenters recommended that the prior 
authorization metrics be presented in a readable and accessible format, 
particularly for individuals with

[[Page 8894]]

disabilities, individuals with limited or low health and data literacy, 
and individuals with limited English proficiency. Other commenters 
recommended that CMS require plans to write publicly reported data at a 
sixth grade reading level, conduct consumer-focused testing on data 
readability, and provide translations in multiple languages. Multiple 
commenters recommended that CMS should require payers to provide access 
to prior authorization data in multiple languages (based on the most 
common languages in a community) and in a format that is comprehensible 
to the average consumer. A commenter recommended CMS should make the 
reported payer data patient-friendly and public to enable comparison of 
metrics.
    Response: We appreciate commenter suggestions that payer data be 
``patient-friendly,'' easy to understand, and in an accessible format. 
We may consider how best to provide guidance to encourage impacted 
payers to develop their reports with these factors in mind, as the 
intent of these public reports is to ensure that individuals can use 
and interpret the information.
c. Types of Prior Authorization Metrics
    Impacted payers are required to post a general set of prior 
authorization metrics on their public websites to support process 
improvement, as well as patient and provider insight into trends for 
different payers. While the data will not be submitted to CMS at this 
time, it will be available for public review and evaluation and may be 
informative as experience with the new policies evolves.
    Comment: Some commenters wrote that CMS should include more data on 
use of the Prior Authorization API. A commenter suggested certain 
metrics be considered for adoption: the number of requests initiated 
using the Prior Authorization API, average response time for requests 
not requiring a prior authorization, the number of requests initiated 
using the Prior Authorization API requiring a prior authorization, the 
number of requests initiated using the Prior Authorization API 
requiring a prior authorization that had all of the required 
documentation available automatically, the percentage of Prior 
Authorization API requests requiring a prior authorization with all 
required documentation available processed automatically, the number of 
requests initiated using the Prior Authorization API requiring a prior 
authorization that were unable to automatically supply required 
documentation, and a list of all SMART on FHIR app/EHR combinations or 
equivalent technology used for Prior Authorization API requests at 
provider organizations. A commenter encouraged CMS to consider breaking 
reporting out by prior authorization transactions supported by a FHIR 
API transaction and those otherwise conducted.
    Response: The intended goal of publicly reporting these metrics is 
to help providers and patients gain insights into the payers' prior 
authorization practices and performance, and to assist payers in 
evaluating their prior authorization practices. While the performance 
and utilization of the Prior Authorization API is valuable information 
for assessing the adoption and use of the API itself, it may not 
adequately represent the full scope of a payer's prior authorization 
practices. As noted in a prior response, we may consider issuing 
guidance before the compliance date with more specifics on the 
recommended format and content; however, the lack of regulations or 
guidance on the format and content does not prevent payers from 
including additional information that could be of value to patients and 
providers.
8. ``Gold-Carding'' Programs for Prior Authorization
    We solicited comments on the potential for gold-carding or prior 
authorization exemption programs and how they might reduce provider and 
payer burden and improve services to patients. We also solicited 
comments on the incorporation of such a measure into Star Ratings for 
these organizations. We received several comments on this topic and 
appreciate the input. Since no policies were proposed, we are not 
finalizing policies in this area at this time. We thank commenters for 
their feedback and will consider all comments for possible future 
rulemaking.
BILLING CODE 4150-28-P

[[Page 8895]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.008


[[Page 8896]]


[GRAPHIC] [TIFF OMITTED] TR08FE24.009

BILLING CODE 4150-28-C

[[Page 8897]]

9. Final Action
    After considering the comments received, and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule and our response to those comments (as summarized previously), we 
are finalizing our proposals with the following modifications:
     Impacted payers must implement and maintain a Prior 
Authorization API beginning 2027 (by January 1, 2027, for MA 
organizations and state Medicaid and CHIP FFS programs; by the rating 
period beginning on or after January 1, 2027, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2027, for QHP issuers on the FFEs) rather than in 
2026.
     MA organizations must report prior authorization metrics 
at the contract level rather than at the proposed organization level.
    See further discussion for exact details of the final requirements 
for impacted payers.
    We are finalizing that, beginning 2027 (by January 1, 2027, for MA 
organizations and state Medicaid and CHIP FFS programs; by the rating 
period beginning on or after January 1, 2027, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2027, for QHP issuers on the FFEs), impacted payers 
must implement and maintain a Prior Authorization API that is compliant 
with certain technical standards, documentation requirements, and 
denial or discontinuation policies. Specifically, those technical 
standards are HL7 FHIR at 45 CFR 170.215(a)(1), US Core IG at 45 CFR 
170.215(b)(1)(i), and SMART App Launch IG at 45 CFR 170.215(c)(1).
    We are finalizing that, by the compliance dates, impacted payers 
must implement a Prior Authorization API that:
     Is populated with the payer's list of covered items and 
services (excluding drugs) that require prior authorization;
     Can identify all documentation required for approval of 
any items or services that require prior authorization;
     Supports a HIPAA-compliant prior authorization request and 
response; and
     Communicates whether the payer approves the prior 
authorization request (and the date or circumstance under which the 
authorization ends), denies the prior authorization request (with a 
specific reason), or requests more information.
    We are finalizing that, beginning 2026 (by January 1, 2026, for MA 
organizations and state Medicaid and CHIP FFS programs; by the rating 
period beginning on or after January 1, 2026, for Medicaid managed care 
plans and CHIP managed care entities; and for plan years beginning on 
or after January 1, 2026, for QHP issuers on the FFEs), impacted 
payers' must provide a specific reason for a denial within their 
decision timeframe regardless of the method that was used to send the 
prior authorization request or decision.
    We are finalizing that, beginning in 2026, MA organizations, 
including applicable integrated plans, state Medicaid and CHIP FFS 
programs, and Medicaid managed care plans and CHIP managed care 
entities must provide notice to providers and patients of prior 
authorization decisions as expeditiously as a patient's health 
condition requires, but no later than 7 calendar days for standard 
requests, unless a shorter minimum timeframe is established under 
applicable state law.
    We are finalizing that, beginning in 2026, MA organizations, 
including applicable integrated plans, and state Medicaid and CHIP FFS 
programs, must provide notice to providers and patients of prior 
authorization decisions as expeditiously as a patient's health 
condition requires, but no later than 72 hours for expedited requests, 
unless a shorter minimum timeframe is established under applicable 
state law. That requirement already exists for Medicaid managed care 
plans and CHIP managed care entities, but for consistency with Medicaid 
FFS, we are finalizing that those payers must also send notices to 
patients and comply with a shorter timeframe, if established by state.
    In response to public comments, CMS will work with state Medicaid 
and CHIP FFS programs that may be unable to meet the new prior 
authorization decision timeframes compliance date in 2026. States 
should contact their Medicaid state lead or CHIP project officer before 
April 1, 2025, to discuss their extenuating circumstances. Any 
flexibility granted to a state Medicaid or CHIP FFS program for the 
implementation of the new prior authorization decision timeframes 
requirements will be temporary and limited to the unique circumstances 
of the program.
    We are finalizing that, as of the effective date of this final 
rule, existing Medicaid beneficiary notice and fair hearing regulations 
apply to Medicaid FFS prior authorization decisions.
    We are finalizing that, beginning in 2026, impacted payers must 
annually report certain aggregated prior authorization metrics. 
Specifically, by March 31, MA organizations at the contract level, 
state Medicaid and CHIP FFS programs at the state level, Medicaid 
managed care plans and CHIP managed care entities at the plan level, 
and QHP issuers on the FFEs at the issuer level must post the required 
metrics on their websites. Impacted payers must publicly report the 
previous calendar year's metrics by March 31 following any year that 
they offered that type of plan.
    These policies apply to MA organizations, state Medicaid and CHIP 
FFS programs, Medicaid managed care plans, CHIP managed care entities, 
and QHP issuers on the FFEs at the CFR sections listed in Table E4.
10. Statutory Authorities To Require Improvements in Prior 
Authorization Processes, Decision and Notification Timeframe Policies
    We did not receive any public comments on the statutory authorities 
for the Prior Authorization API and prior authorization process 
policies discussed in this section.
a. Medicare Advantage
    Section 1856(b) of the Act directs the Secretary to establish 
regulatory standards for MA organizations that are consistent with, and 
carry out, Part C of the Medicare statute, including the provisions in 
section 1852 of the Act. Section 1852(a) and (d) of the Act provide for 
MA plans to cover medically necessary Part A and Part B benefits, 
including by making benefits available and accessible with reasonable 
promptness. Section 1852(c)(1)(G) of the Act requires that MA 
organizations disclose to their enrollees any rules regarding prior 
authorization or other review requirements that could result in 
nonpayment. Section 1852(g)(1)(A) of the Act requires an MA plan to 
have a procedure for making determinations about whether an enrollee is 
entitled to receive a health service, how much the enrollee is required 
to pay for such service, and to provide an enrollee with a written 
notice if the plan denies coverage. Section 1852(g)(1)(A) of the Act 
also requires that coverage determinations be made on a timely basis. 
Section 1852(g)(3)(B)(iii) of the Act requires that the organization 
notify the enrollee (and physician involved, as appropriate) of an 
expedited determination (and reconsideration) under time limitations 
established by the Secretary, but not later than 72 hours after the 
time of receipt of the request. The prior authorization requirements in 
this final rule ensure that MA organizations carry out their 
responsibilities under section 1852 of the Act in a consistent and 
standardized

[[Page 8898]]

fashion and in compliance with standards that carry out and serve the 
purposes of the MA program.
    Under the authorities referenced previously, we are finalizing 
certain requirements for MA organizations. These requirements are to 
ensure that MA organizations provide enrollees with appropriate access 
to care and information by using certain standards, technologies, and 
business processes. The requirements include implementing certain APIs 
that provide information about the coverage and documentation 
requirements for prior authorization, responding to prior authorization 
requests with the status of that request, and meeting certain 
timeframes for making decisions on prior authorization requests.
    We are requiring that MA organizations implement the Prior 
Authorization API using certain implementation specifications as 
discussed in section II.G. of this final rule. These implementation 
specifications are expected to improve the overall prior authorization 
process by addressing deficiencies that exist in the process today 
concerning providers' access to information about the prior 
authorization rules and documentation requirements. The Prior 
Authorization API will communicate the coverage and documentation 
requirements for prior authorization, indicating if authorization is 
required for a specific item or service and what documentation is 
required to support an authorization request. Use of the Prior 
Authorization API is consistent with the disclosure obligation on MA 
organizations in section 1852(c)(1)(G) of the Act by disclosing to 
providers the same information that generally must be provided to 
enrollees about which covered benefits are subject to prior 
authorization and serves the same larger purpose of ensuring access to 
coverage by communicating the limits and rules for covered services.
    Additionally, the Prior Authorization API is a mechanism for 
receiving and responding to requests for coverage determinations before 
the services are rendered or items furnished; therefore, the 
requirement to adopt and use the Prior Authorization API is an 
additional standard for implementing and complying with section 1852(g) 
of the Act regarding an MA organization's obligation to make coverage 
determinations. The Prior Authorization API will enable the provider to 
submit a HIPAA-compliant prior authorization request through their 
existing workflow and receive a timely response to that request. In 
concert with these APIs, we are requiring the payer to provide the 
status of the request, such as whether it was approved or denied, along 
with a specific denial reason, so that the provider knows what steps to 
take next--whether to request a different service for the patient, to 
submit additional information, or to appeal the decision. These final 
requirements will improve patient care and reduce redundancies in 
administrative processes between providers and payers because they give 
providers clearer instructions, both for submitting the original 
request and, if necessary, providing additional information. The 
required API has the potential to improve the efficiency of the prior 
authorization process because it enables providers to submit accurate 
information with the request, which could reduce the number of appeals 
or denials, and possibly eliminate requests for additional 
documentation.
    We expect the prior authorization policies in this final rule to 
improve timely access to care for beneficiaries by mitigating delays 
that sometimes occur when a provider is trying to determine coverage 
requirements or does not know what documents to submit to obtain 
approval for a service. Improvements in the timeliness of payer 
operations and provider services will contribute to program efficiency, 
and effective operations and will be in the best interest of the 
enrollees. The requirement for MA organizations to make certain changes 
to the timeframes in which they provide notice for prior authorization 
has the potential to improve patient access to care in program 
operations as discussed in section II.D.5. of this final rule. This 
could prevent some patients from abandoning care while waiting for 
authorization, and it could improve efficiencies by avoiding repeat 
phone calls from providers who must check on the status of 
authorization over several days, or sometimes weeks. We finalized 
requirements to improve some timeframes for expedited and standard 
decisions under the premise that these changes are overdue, feasible, 
and would benefit patients and providers. Furthermore, by establishing 
more certainty in the process for providers, there may be a reduction 
in unnecessary repeat requests for services. More responsive timeframes 
will also enhance enrollee access to timely and appropriate care. A 
shorter timeframe for both standard and expedited decisions may reduce 
administrative time and expense for providers and payers, as they would 
spend fewer resources on follow-up inquiries. As such, these 
requirements are consistent with our authorities to adopt standards to 
carry out and implement the requirements in section 1852 of the Act for 
MA organizations to have a procedure for making timely determinations 
and to make benefits available and accessible with reasonable 
promptness.
    Finally, section 1857(e)(1) of the Act explicitly authorizes the 
adoption of additional reporting requirements by MA organizations where 
necessary and appropriate. The requirement for MA plans to publicly 
report prior authorization metrics will enable CMS to assess the 
implementation of the policies and attempt to determine the impact of 
these new requirements on payers and providers. A review of these 
metrics may help CMS and the plans understand the impact of the 
requirements, including the impact of using the APIs and improved 
decision timeframes. The data may also help plans evaluate operations, 
implement new policies and the API, and determine what changes may be 
appropriate.
b. Medicaid
    For Medicaid, most of the requirements finalized in this section 
are authorized by sections 1902(a)(4), (8), and (19) of the Act. 
Section 1902(a)(4) of the Act requires that a state Medicaid plan 
provide such methods of administration as are found by the Secretary to 
be necessary for the proper and efficient operation of the state 
Medicaid plan, section 1902(a)(8) of the Act requires states to ensure 
that Medicaid services are furnished with reasonable promptness to all 
eligible individuals, and section 1902(a)(19) of the Act requires 
states to ensure that care and services under a Medicaid state plan are 
provided in a manner consistent with the simplicity of administration 
and the best interests of the recipients. Some requirements finalized 
in this section are also authorized by additional sections of the Act 
as discussed in this section of the final rule.
    Additionally, section 1902(a)(7) of the Act requires that states 
must provide safeguards that restrict the use or disclosure of 
information concerning Medicaid applicants and beneficiaries to 
purposes that are directly connected with the administration of the 
program or plan. The implementing regulations at 42 CFR part 431, 
subpart F, for this section 1902(a)(7) of the Act list purposes that 
CMS has determined are directly connected with the administration of 
Medicaid state plans (42 CFR 431.302) and require states to provide 
safeguards meeting certain

[[Page 8899]]

requirements to restrict uses and disclosures of Medicaid beneficiary 
data. CHIP programs are subject to the same requirements through a 
cross reference at 42 CFR 457.1110(b).
    Our finalized policy that the data described in this section be 
shared via the Prior Authorization API is consistent with the 
requirement at section 1902(a)(7) of the Act, providing that states may 
share these data only for purposes directly connected with the 
administration of the Medicaid state plan. This data sharing policy for 
the Prior Authorization API is related to providing services for 
beneficiaries, a purpose listed at 42 CFR 431.302(c). The services 
include those for which the state requires that a provider submit a 
prior authorization request, and thus needs to communicate about that 
prior authorization with other providers enrolled with or authorized by 
the state to provide care to its beneficiaries. Prior authorization can 
be an integral part of the Medicaid program and facilitates access to 
care as well as provider payment processes.
    We remind states that to meet the requirements of the regulations 
at 42 CFR part 431, subpart F, states must have consistent criteria for 
the release and use of information (which should comply with the 
proposed Prior Authorization API requirements), in accordance with 42 
CFR 431.306(a). Access to information concerning beneficiaries must be 
restricted to persons who are subject to standards of confidentiality 
that are comparable to that of the state Medicaid agency, in accordance 
with 42 CFR 431.306(b). Similar to the Provider Access API discussed 
previously, the permission requirement at 42 CFR 431.306(d), which 
requires that the state agency obtain permission from a family or 
individual, whenever possible, before responding to a request for 
information from an outside source, is not relevant to the Prior 
Authorization API, because any request for beneficiary information 
would be from an enrolled Medicaid or CHIP provider and thus would not 
be from an outside source. While the beneficiary's permission is not 
required under 42 CFR 431.306(d) for the Prior Authorization API, state 
or other laws may require such permission. When requesting approval to 
provide certain services from the state using the state's Prior 
Authorization API as described in section II.D.2.a. of this final rule, 
the provider will be able to determine if prior authorization is 
required and what supporting documentation is necessary to obtain 
approval for that care.
i. Prior Authorization API
    The requirement for state Medicaid FFS programs and Medicaid 
managed care plans to implement the Prior Authorization API is expected 
to improve the efficiency and timeliness of the prior authorization 
process for Medicaid beneficiaries, providers, state Medicaid agencies, 
and Medicaid managed care plans by addressing inefficiencies that might 
exist in the process today. As discussed in section II.D.2.a. of this 
final rule, the Prior Authorization API will allow a provider to 
determine whether a prior authorization is required and the 
documentation requirements for that prior authorization request. The 
Prior Authorization API will:
     Enable providers to submit a complete prior authorization 
request faster and easier;
     Support more timely notice to the provider and beneficiary 
of the disposition of the prior authorization request; and
     Permit improved scheduling of services or filing appeals, 
depending on the decision. The Prior Authorization API has the 
potential to improve the prior authorization process by making it more 
efficient, including by reducing the number of denials and appeals, or 
even by eliminating requests for additional documentation, as noted 
elsewhere in this final rule.
ii. Requirement for Payers To Provide Specific Reason for Denial of 
Prior Authorizations
    Based on the provisions of this final rule, states and Medicaid 
managed care plans must provide specific information to providers about 
the status of prior authorization requests to enable providers to plan 
care for their patients after submitting a prior authorization request. 
As discussed in section II.D.3. of this final rule, when providers 
receive a response to a prior authorization request, the payer will 
typically indicate whether the request is approved, or denied, or if 
additional information is needed. If prior authorization has been 
denied, the payer must give the provider the specific reason for the 
denial; that information may be used by the provider to decide next 
steps, such as re-submitting the request with updated information, 
identifying alternative treatments for the patient, or appealing the 
decision. These requirements will improve the timeliness, clarity, and 
consistency of information for providers regarding prior authorization 
requests; help providers determine the next steps for timely patient 
care; and reduce payer, provider, and patient burden by eliminating the 
need for repeated inquiries.
iii. Requirements for Prior Authorization Decision Timeframes, 
Notifications Related to Prior Authorization Decision Timeframes, and 
Amendments to Existing Medicaid Fair Hearings and Appeals Regulations
    As discussed in section II.D.5. of this final rule, delayed prior 
authorization decisions may directly affect patient care by delaying 
access to treatment, services, and supplies, as well as transfers 
between hospitals and post-acute care facilities. The required 
timeframes for making prior authorization decisions about items and 
services that require prior authorization in Medicaid FFS and managed 
care programs will help providers better manage administrative 
resources, make more time available for providers to render patient 
care, and facilitate faster access to services. These requirements 
should make substantive improvements to the care experience for 
Medicaid beneficiaries and lead to better health outcomes. In turn, 
better health outcomes will contribute to more efficient use of 
Medicaid program resources.
    The requirement to shorten the maximum amount of time for a 
Medicaid managed care plan to make a prior authorization decision from 
14 calendar days to 7 calendar days will improve the efficient 
operation of the Medicaid program by facilitating faster receipt of 
services or filing of appeals.
    Our amendment to explicitly state in the regulation text that 
current notice and fair hearing requirements apply to Medicaid FFS 
prior authorization decisions is authorized under section 1902(a)(3) of 
the Act. Section 1902(a)(3) of the Act requires that a Medicaid state 
plan provide an opportunity for a fair hearing to any individual whose 
claim for medical assistance under the plan is denied or is not acted 
upon with reasonable promptness. This is also supported by the 14th 
Amendment to the United States Constitution and case law on due 
process, specifically, Goldberg v. Kelly, 397 U.S. 254 (1970). States 
must establish timely notice and fair hearing processes meeting due 
process standards under Goldberg v. Kelly, as incorporated into 
existing Medicaid fair hearing regulations at 42 CFR part 431, subpart 
E, see 42 CFR 431.205(d).
    Additionally, section 1902(a)(17) of the Act requires state 
Medicaid plans to include reasonable standards for determining the 
extent of medical assistance under the plan that are

[[Page 8900]]

consistent with the objectives of Title XIX of the Act. As set forth at 
42 CFR 440.230, the standards that states establish under section 
1902(a)(17) of the Act could include appropriate limits on a service 
based on such criteria as medical necessity or on utilization control 
procedures, as long as each service is sufficient in amount, duration, 
and scope to reasonably achieve its purpose. Items and services covered 
under Title XIX benefit authorities are subject to 42 CFR 440.230, 
unless statute or regulation expressly provides for an exception or 
waiver. This would include covered items and services described in 
sections 1905(a), 1915(c), 1915(i), 1915(j), 1915(k), 1915(l), 1937, 
and 1945 of the Act, and any other authorities as established by 
Congress. The standards that states establish under section 1902(a)(17) 
of the Act and 42 CFR 440.230 could include prior authorization 
requirements. The requirements to establish timeframes for prior 
authorization decisions are authorized under section 1902(a)(17) of the 
Act because they would be expected to help ensure that states make 
prior authorization decisions in a manner that is consistent with the 
requirements in section 1902(a)(4), (a)(8), and (a)(19) of the Act, 
thus helping to ensure that states' standards for determining the 
extent of medical assistance under the plan are consistent with the 
objectives of Title XIX.
    Section 1932(b)(4) of the Act provides that each Medicaid MCO must 
establish an internal grievance procedure whereby a beneficiary who is 
eligible for medical assistance may challenge the denial of coverage or 
payment for such assistance. CMS has implemented requirements for those 
procedures at 42 CFR 438.210, which applies the same appeal and 
grievance requirements for PIHPs and PAHPs as for Medicaid MCOs. We 
rely on our authority in section 1902(a)(4) of the Act to adopt 
standards for PIHPs and PAHPs that mirror requirements for MCOs. This 
is consistent with our prior practice for adopting standards for 
Medicaid managed care plans (81 FR 27507). We rely on the same 
authority here to revise the procedures under which Medicaid managed 
care plans may make prior authorization decisions about coverage and 
provide those decisions to providers and enrollees. Reducing plan 
response time for prior authorization decisions may enable 
beneficiaries to file appeals if necessary and receive a resolution to 
those appeals sooner. The earlier an appeal is filed, and the 
disposition known, the sooner the provider and beneficiary can 
determine whether to request a state fair hearing or to identify 
treatment alternatives, if necessary. The prior authorization 
requirements in this rule are also consistent with how section 
1932(c)(2)(A)(i) of the Act requires MCO contracts to contain a 
provision for an annual external quality review of quality outcomes and 
access to and timeliness of covered services. If the shorter prior 
authorization response requirements successfully improve workflow and 
processes that facilitate timely access to services, improvements to 
the care experience for patients, and better health outcomes, the 
results should be visible in external reviews. This requirement 
reflects the importance and potential advantages of timely access for 
beneficiaries to covered services through more efficient processing of 
prior authorization requests as proposed in this rule.
iv. Public Reporting of Prior Authorization Metrics
    We are also requiring Medicaid FFS programs and Medicaid managed 
care plans to publicly report certain prior authorization metrics by 
posting them on the payer's website. As discussed in section II.D.7. of 
this final rule, publicly reporting these metrics may support more 
timely access to services by identifying prior authorization process 
weaknesses or deficiencies and enabling the implementation of 
corrective action, and for managed care programs, helping beneficiaries 
select Medicaid managed care plans that best meet their needs and 
helping some Medicaid providers make informed decisions on which 
Medicaid managed care plan networks to join.
    Section 1902(a)(4) of the Act authorizes this requirement because 
enabling more timely access to services by identifying prior 
authorization deficiencies and facilitating the implementation of 
corrective action to improve the prior authorization process will 
support the proper and efficient operation of the state Medicaid plan. 
Requiring Medicaid managed care plans to publicly report their prior 
authorization metrics will hold them accountable and enable them to 
monitor their performance and identify process improvement 
opportunities, which may be an integral part of implementing a quality 
assessment and improvement strategy more easily. This is consistent 
with the requirements for quality strategies for managed care programs 
at section 1932(c)(1)(A)(i) of the Act.
    Section 1902(a)(8) of the Act authorizes this requirement because 
identifying prior authorization process weaknesses or deficiencies and 
enabling the implementation of corrective action as well as helping 
beneficiaries select a Medicaid managed care plan that best meets their 
needs may improve the promptness with which services are provided to 
beneficiaries. Section 1902(a)(19) of the Act authorizes this 
requirement because identifying prior authorization process weaknesses 
or deficiencies and enabling the implementation of corrective action 
will help ensure that care and services are provided in a manner 
consistent with the simplicity of administration. Additionally, 
implementation of corrective action to improve prior authorization 
processes, helping beneficiaries select a managed care plan that best 
meets their needs, and helping providers make informed decisions on 
which Medicaid managed care plan networks to join is in the best 
interest of beneficiaries.
c. CHIP
    For CHIP, we finalized these requirements under the authority of 
section 2101(a) of the Act, which sets forth that the purpose of Title 
XXI is to provide funds to states to provide child health assistance to 
uninsured, low-income children effectively and efficiently that is 
coordinated with other sources of health benefits coverage. This 
provision authorizes us to adopt these requirements for CHIP to obtain 
access to program data for analysis. Such analysis supports 
improvements in the efficacy of CHIP programs and more efficient 
administration of services.
    As discussed previously, we are requiring the implementation of the 
Prior Authorization API in section II.D.2.a. of this final rule to 
improve the prior authorization process for patients, providers, and 
payers by addressing deficiencies and inefficiencies that exist 
currently. Today, a payer's rules about when prior authorization is 
required and what documentation requirements must be fulfilled to 
submit the request are not necessarily easily accessible for providers. 
The Prior Authorization API will enable a provider to determine if a 
prior authorization is required electronically, in real-time and what 
the documentation requirements are regarding such requests. While we 
expect providers to be the primary beneficiaries of this API, making 
this information available in a standardized way and permitting access 
through an API will also serve the requirements in section 2101(a) of 
the Act that CHIP ensures access to coverage and coordinated care.
    The Prior Authorization API is a mechanism for receiving and 
responding to requests for coverage

[[Page 8901]]

determinations before the services are furnished; this API will 
streamline the initial authorization process for the payer by sharing 
this information in an easily accessible way. The API will also allow 
the provider to know what to do if prior authorization is required for 
a certain service, which will improve the provider's ability to treat 
the patient timely. The Prior Authorization API enables the payer to 
send a real-time response back to a provider, based on the request for 
authorization. This, too, will improve the efficiency of providing 
services to the patient because the request and response are automated 
and in real-time. We expect payers' use of this API to ensure that a 
provider can submit a request for prior authorization with the correct 
and complete documentation to avoid an incorrect submission which might 
result in an unnecessary denial. The Prior Authorization API will: (1) 
enable providers to submit a prior authorization request faster and 
easier; (2) support more timely notice to the provider and beneficiary 
of the disposition of the prior authorization request; and (3) permit 
faster scheduling of services or filing appeals, depending on the 
decision. The Prior Authorization API has the potential to improve the 
prior authorization process by making it more efficient, including 
limiting the number of denials and appeals, or even eliminating 
requests for additional documentation, as noted elsewhere.
    The safeguards for beneficiary information at 42 CFR part 431, 
subpart F, are also applicable to CHIP through a cross reference at 42 
CFR 457.1110(b). As discussed previously for Medicaid, CHIP payers' and 
providers' data exchange through the Prior Authorization API is related 
to providing services to beneficiaries, which is described at 42 CFR 
431.302(c) as a purpose directly related to state plan administration. 
We remind states that when they share medical records or any other 
health or enrollment information about individual beneficiaries, they 
must comply with the privacy protections at 42 CFR 457.1110 and the 
release of information provisions at 42 CFR 431.306.
    The requirement in section II.D.5. of this final rule that CHIP FFS 
and CHIP managed care entities meet certain timeframes to provide 
decisions for prior authorizations for expedited and standard decisions 
is an improvement from the current state, where there is uncertainty 
about expectations for when a prior authorization might be approved. 
This requirement is intended to establish more certainty in the prior 
authorization process for providers and improve access to appropriate 
care for all patients, particularly those with chronic conditions or 
complicated health risks. Health parity may be increased as barriers 
due to process and timeframes will be removed. Similarly, improved 
process improvements may reduce administrative costs for providers and 
payers as redundancies will be removed from the system. We expect the 
requirement to improve timeliness in responding to providers and 
patients to support process improvements for the state and managed care 
programs and is consistent with our authorities under section 2101(a) 
of the Act in that it improves the efficiency of the CHIP programs.
    The policy to require CHIP FFS and CHIP managed care entities to 
publicly report prior authorization metrics will also support the 
states' oversight, evaluation, and administration responsibilities. CMS 
may occasionally view some of the CHIP's FFS and managed care websites 
to check for compliance, see how data are being reported, and determine 
if any trends in prior authorization changes could be indicative of the 
benefits of the prior authorization policies as discussed in section 
II.D.7. of this final rule. The data may indicate the use of the APIs, 
improvements in prior authorization numbers, or changes in total 
numbers, denials, and appeals.
d. Qualified Health Plan Issuers on the Federally-Facilitated Exchanges
    For QHP issuers on the FFEs, we finalized the requirements in this 
section under the authority of section 1311(e)(1)(B) of the Affordable 
Care Act, which affords the Exchanges the discretion to certify QHPs if 
the Exchange determines that making available such health plans through 
the Exchange is in the interests of qualified individuals in the state 
in which the Exchange operates.
    The policies finalized here may improve the efficiency of the 
issuers that are certified to offer QHPs on the FFEs and improve the 
quality of services they provide to providers and their patients by 
increasing the efficiency in the prior authorization submission and 
review process. In section II.D.2.a. of this final rule, we are 
requiring that QHP issuers on the FFEs implement an API to support the 
prior authorization process. The Prior Authorization API will allow QHP 
issuers on the FFEs to communicate requirements for prior authorization 
more efficiently and enable providers to similarly operate more 
efficiently to determine when a prior authorization is needed and 
locate the documentation requirements. The Prior Authorization API may 
enable more accurate submission and subsequent processing of prior 
authorization requests, with the potential of improving the delivery of 
services to patients. Qualified individuals enrolled in QHPs on the 
FFEs may receive covered services more quickly using the API. Similar 
to the other APIs, we believe that certifying only health plans that 
implement the Prior Authorization API and adhere to the other 
requirements described in this section of the preamble is in the 
interests of qualified individuals in the state or states in which a 
QHP issuer on the FFEs operates because of the opportunities for 
improvements in patient care, in alignment with the goals of the 
Affordable Care Act. We encourage SBEs to consider whether a similar 
requirement should apply to QHP issuers participating in their 
Exchanges.
    We are also requiring that QHP issuers on the FFEs provide a 
specific reason for denial when sending a response to a prior 
authorization request, to facilitate better communication and 
understanding between the provider and issuer. This may enable 
efficient and successful resubmission of the previously denied prior 
authorization request, which may more promptly facilitate the needed 
patient care.
    Finally, the requirement for QHP issuers on the FFEs to publicly 
report prior authorization metrics in section II.D.7. of this final 
rule will hold issuers accountable to their providers and patients, 
which could help these organizations improve their program 
administration. These data may help QHP issuers on the FFEs evaluate 
their processes and determine if there are better ways to leverage the 
APIs, including the quality and sufficiency of the coverage and 
documentation information included in the APIs.

E. Extensions, Exemptions, and Exceptions and Federal Matching Funds 
for Medicaid and CHIP

1. Background
    The CMS Interoperability and Prior Authorization proposed rule 
discussed extensions, exemptions, and exceptions for state Medicaid and 
CHIP FFS Programs and QHP issuers on the FFEs, Federal funding 
available to states, and applicability to state Medicaid expansion 
programs for CHIP populations. As stated in the Provider Access, Payer-
to-Payer, and Prior Authorization API sections of this final rule we 
are consolidated in one section the requirements for applying for an

[[Page 8902]]

extension, exemption, or exception. Here we discuss those proposals, 
provide responses to the comments received regarding the proposals, and 
include the final policies.
2. Extensions, Exemptions, and Exceptions
a. Extensions and Exemptions for State Medicaid and CHIP Fee-for 
Service
    In the proposed rule we explained that state Medicaid and CHIP FFS 
agencies face certain unique financing and operational circumstances 
that would not apply to other impacted payers. For example, some states 
would need legislative approval to initiate a public procurement 
process to secure contractors, particularly those with the necessary 
skills to support a state's implementation of the policies that require 
API development or enhancement. The timeline for an openly competed 
procurement process, together with the time needed to onboard 
contractors to develop the APIs can be lengthy for states (87 FR 
76302). We described the issues impacting the state Medicaid and CHIP 
FFS programs in the proposed rule for the Provider Access (87 FR 
76261), Payer-to-Payer (87 FR 76279), and Prior Authorization (87 FR 
76302) APIs. However, we also stated that if our proposals regarding 
these APIs were finalized, we would strongly encourage state Medicaid 
and CHIP FFS programs to implement them as soon as possible, because of 
the anticipated benefits for the impacted payers, patients, and 
providers. Therefore, to address implementation concerns for state 
Medicaid and CHIP FFS programs, we proposed a process through which 
states could seek an extension to, and, in specific circumstances, an 
exemption from, the requirements to implement and maintain Provider 
Access, Payer-to-Payer, and Prior Authorization APIs.
    We also proposed that states could request a one-time, 1-year 
extension through their annual Advance Planning Document (APD) for 
Medicaid Management Information System (MMIS) operations expenditures. 
We also proposed to permit state Medicaid FFS programs to request an 
exemption from any or all of these three API requirements when at least 
90 percent of the state's Medicaid beneficiaries are enrolled in 
Medicaid MCOs as defined at 42 CFR 438.2. Similarly, we proposed that 
separate state CHIP FFS programs could request an exemption from the 
API requirements if at least 90 percent of the state's separate CHIP 
beneficiaries are enrolled in CHIP MCOs as defined at 42 CFR 457.10. We 
proposed that states could apply for an exemption by submitting a 
written request for the exemption as part of the annual APD for MMIS 
operations expenditures. CMS approves project plans and enhanced FFP 
for Medicaid Enterprise Systems (MES) using the APD process. CHIP 
waiver requests and expenditures for systems are managed at CMS in the 
operations division responsible for management of APDs. Guidance on the 
application process is available through each state's Regional Office 
contact.
    As discussed in section II.C.4.b. of this final rule, we proposed 
and are finalizing, that for the payer to payer data exchange, state 
Medicaid and CHIP programs, rather than their managed care plans or 
managed care entities, will be responsible for obtaining beneficiaries' 
permission, providing educational resources at the time of requesting 
permission, and identifying patients' previous/concurrent payers, 
including for beneficiaries covered under managed care (87 FR 76280). 
Therefore, we also proposed that an exemption would not apply to those 
requirements, but only the API requirements, because it would prevent 
Medicaid managed care plans and CHIP managed care entities from meeting 
their obligations.
    For Medicaid managed care plans and CHIP managed care entities, we 
did not propose an extension process because we believe that these 
managed care plans are actively working to develop the necessary IT 
infrastructure to be able to comply with the requirements at 42 CFR 
438.272(d)(5) and 42 CFR part 457. Many of these plans might benefit 
from efficiencies based on all of the plan types that they offer. For 
example, many of these managed care plans with Medicaid and CHIP 
beneficiaries are part of a larger organization serving MA and 
Marketplace populations. These larger organizations often provide the 
technical and operational capacity that would enable implementation of 
the APIs across all lines of business. We believe this would be a 
practical and efficient use of resources to service all enrollees. 
Additionally, because the majority of Medicaid beneficiaries receive 
all or some of their benefits in a managed care delivery system, these 
plans should be held to the implementation times finalized in this rule 
to support the intended policy goals. Please see 87 FR 76263 for the 
supporting narrative in the proposed rule.
    Comment: Multiple commenters expressed support for the proposed 
Medicaid and CHIP FFS extension policy and urged CMS to finalize this 
flexibility regarding compliance with the Provider Access, Payer-to-
Payer, and Prior Authorization APIs. Multiple commenters highlighted 
extenuating circumstances that state Medicaid and CHIP agencies may 
face, especially related to the conclusion of the COVID-19 public 
health emergency (PHE), and the resulting impact on IT and personnel 
resources.
    Multiple commenters submitted comments about which APIs should be 
included in the extensions, exemptions, and exceptions proposals and 
some recommended that CMS extend these flexibilities to all APIs 
included in the rule. A commenter recommended that CMS provide clarity 
regarding the exemption and extension provisions for the Patient Access 
API requirements.
    Response: We acknowledge that states will be conducting long-term 
efforts to return to normal Medicaid and CHIP operations after the end 
of the COVID-19 PHE and the continuous enrollment condition under 
section 6008(b)(3) of the FFCRA. These efforts will continue through 
2024, and many of these states have ongoing system development 
initiatives that require integration with MES and modules. Some states 
must work within their state legislative budget request cycle, as well 
as the Federal request cycle for requesting and obtaining funds for 
updates to their systems or new contracts.
    We reiterate that this final rule requires impacted payers to 
implement and maintain Provider Access, Payer-to-Payer, and Prior 
Authorization APIs. Impacted payers should have already implemented or 
begun implementation of the Patient Access and Provider Directory APIs 
as required in the CMS Interoperability and Patient Access final rule, 
except for those organizations that have approved exceptions, as 
applicable.148 149 We did not propose a new Patient Access 
API, but rather additional data requirements for that API, and 
reporting requirements for use metrics. We did not propose any new

[[Page 8903]]

extensions, exemptions, or exceptions for the Patient Access API in the 
proposed rule and are not adding policies of that nature in the final 
rule.
---------------------------------------------------------------------------

    \148\ In the CMS Interoperability and Patient Access final rule, 
we finalized that Patient Access API provisions would be effective 
beginning January 1, 2021. We announced a 6-month enforcement 
discretion exercised as a result of the PHE until July 1, 2021.
    \149\ For example, 45 CFR 156.221(h) permits the FFE to grant an 
exception on an annual basis to the requirements in paragraphs (a) 
through (g) of that section for an FFE QHP if the Exchange 
determines that making their health plan(s) available through the 
Exchange is in the interests of qualified individuals in the State 
or States in which such Exchange operates, and the QHP issuer 
submits a narrative justification describing the reasons why it 
cannot reasonably satisfy the requirements for the applicable plan 
year, the impact of non-compliance upon enrollees, the current or 
proposed means of providing health information to enrollees, and 
solutions and a timeline to achieve compliance with the requirements 
of this section.
---------------------------------------------------------------------------

    Comment: Multiple commenters expressed concern regarding the 
proposed state Medicaid and CHIP FFS extension policies, specifically 
citing the importance of the impact of these policies on Medicaid 
enrollees, and on the need for provider adoption to truly achieve the 
burden reduction goals of the proposed rule for patients, payers, 
hospitals, and providers. A commenter recommended that CMS not allow 
certain payers to have extensions because this could affect provider 
adoption of the necessary technology. Another commenter expressed 
appreciation of CMS for the proposal to allow extensions but stated 
that they believe provider adoption is going to be the most important 
factor in achieving burden reduction. The commenter emphasized the 
importance of having a certain percentage of their prior authorizations 
be electronic so that there is a return on investment from the changes 
necessary (for example, workflow changes, training, IT changes). The 
commenter stated that if payers are not held to the requirements in the 
rule, it could be perceived as a disincentive to providers to invest in 
the necessary technology.
    Response: We thank commenters for confirmation that payers must be 
held accountable for implementation of the APIs, and that provider 
adoption of certain APIs is going to be an important factor in 
achieving burden reduction--particularly the Prior Authorization API. 
Participation by both payers and providers in some of the API 
provisions of this final rule will be important to ensure widespread 
adoption of the APIs. Because we also believe that provider 
participation is important for the Prior Authorization API, we are 
finalizing a modification to our proposal to adopt new Electronic Prior 
Authorization measures to incentivize providers (specifically, MIPS 
eligible clinicians, eligible hospitals, and CAHs) to use the Prior 
Authorization API under MIPS and the Medicare Promoting 
Interoperability Program as discussed in section II.F. of this rule. We 
also reiterate that while these extensions and exemptions apply to the 
new API provisions of this final rule, other policies must still meet 
the compliance dates established in this final rule. These include the 
prior authorization information to be included in the Patient Access 
API; information required under the finalized prior authorization 
process, such as providing a specific reason for denial, and revised 
timeframes for issuing prior authorization decisions. We encourage 
states to communicate their implementation plans about the policies in 
this final rule (including those to which an extension or exemption may 
apply) to network and enrolled providers. Such communication may help 
providers prepare for changes in procedures or notify their vendors to 
make appropriate system changes on a similar schedule.
    Comment: A commenter said that the exemption for the APIs was a 
concern because it creates an unfair, two-tiered system that may leave 
people with disabilities behind; these people already face high 
barriers to care due to administrative burdens and uncertainties caused 
by prior authorization. The commenter wrote that the proposed exemption 
process will leave some FFS Medicaid populations--groups that include a 
disproportionate share of people with disabilities--without comparable 
access to any benefits derived from streamlining the prior 
authorization process with the Patient Access, Provider Access, and 
Payer-to-Payer APIs. The commenter noted the potential challenges of 
developing and maintaining the necessary data infrastructure for a 
relatively small FFS population, but wrote that in many states, people 
receiving Home and Community-Based Services (HCBS) through waivers that 
are carved out of managed care, may be individuals who would fall under 
the proposed API exemption and would fail to benefit from the 
streamlined prior authorization process in this regulation. Another 
commenter requested clarification on whether and how CMS considered 
health equity when proposing exemptions for some state Medicaid and 
CHIP programs. Other commenters expressed disagreement with the 
proposed exemptions and stated that these exemption proposals should be 
withdrawn, to make the APIs available to every Medicaid beneficiary. A 
commenter noted that states with managed care populations close to the 
proposed threshold for exemption may be incentivized to pressure 
beneficiaries into managed care to qualify for the exemption.
    Response: We agree that it is important to consider access and 
equity issues, and the risk of a two-tiered system that may impose 
barriers to care. CMS will only grant a state an exemption from the 
Provider Access, Payer-to-Payer, and Prior Authorization APIs if the 
state establishes an alternative plan to enable the electronic exchange 
and accessibility of the required information that would otherwise be 
shared through the API. For example, CMS will only grant a state an 
exemption from the Provider Access API requirement if the state has 
established an alternative plan to ensure that enrolled providers have 
efficient electronic access to the same required data content about 
their patients through other means while the approved exemption is in 
effect. Similarly, states would be expected to use efficient means for 
electronic prior authorization that would reduce burden for providers 
and improve access to information about the requirements for when prior 
authorization is required for items and services or what documentation 
is required in advance. In light of requirements for the accessibility 
of this information, states implementing an alternative plan will be 
required to provide this information to all patients and providers in 
plain language and to offer auxiliary aids and services to ensure 
effective communications with individuals with disabilities.
    Comment: Multiple commenters recommended that CMS include managed 
care plans in the proposed flexibilities (for extensions and 
exemptions) and some commenters said that each state should be able to 
decide whether to allow an extension to managed care plans. A commenter 
noted that managed care plans have greater resources than state 
Medicaid and CHIP FFS programs and would be able to meet the rule 
requirements on time. On the other hand, a commenter recommended that 
state Medicaid agencies offer managed care plans a 1-year extension.
    Response: We acknowledge commenters who recommended that CMS 
provide the opportunity for an extension or exemption to Medicaid 
managed care plans and CHIP managed care entities to align with our 
approach throughout the rule to apply most policies to both state 
Medicaid and CHIP FFS programs and Medicaid managed care plans and CHIP 
managed care entities. However, we reiterate that the purpose of the 
extension policy for state Medicaid and CHIP FFS programs is to provide 
states that are making a good faith effort with additional time to work 
through lengthy and complex state procurement processes, to secure the 
necessary funding, personnel, and technical resources to successfully 
implement the requirements. The purpose of the exemption policy for 
state Medicaid and CHIP FFS programs is to accommodate the different 
enrollment models that are now in effect for each state and provide 
consideration

[[Page 8904]]

for states with relatively small FFS populations. In response to these 
and many other comments requesting additional time for payers to 
implement the Provider Access, Payer-to-Payer, and Prior Authorization 
APIs, we are extending the compliance dates for the policies in this 
final rule that require API development or enhancement to 2027. This 
allows all impacted payers an additional year to meet these 
requirements, compared to our initial proposal to implement the 
requirements in 2026. We are finalizing the state Medicaid and CHIP FFS 
extension and exemption policies as proposed without extending this 
option to other payers in the Medicaid program, such as Medicaid 
managed care plans. We do not agree with commenters who suggested that 
each state be able to decide separately to allow an extension to 
managed care plans because the purpose of this final rule is to 
encourage adoption of these policies as soon as is practicable. As we 
have noted, Medicaid managed care plans are often owned and operated by 
larger private organizations, also subject to this final rule, and 
likely have the resources and capabilities to implement these policies 
and can efficiently leverage the work they do to build APIs across 
their Medicaid, MA, and Marketplace lines of business. We do not want 
to encourage a system where fewer Medicaid beneficiaries have access to 
the benefits of the policies in this final rule versus those with other 
types of coverage.
    Comment: Multiple commenters provided recommendations regarding 
additional payers and plan types that should be eligible to benefit 
from the extensions, exemptions, and exceptions proposals. Multiple 
commenters recommended that CMS extend these flexibilities to all 
impacted payers. For example, a commenter recommended that HHS consider 
permitting state Medicaid and CHIP agencies that have a direct 
relationship with patients and providers to be eligible for extensions, 
exemptions, or exceptions. Another commenter recommended that CMS 
create an exception process for state Medicaid agencies in states or 
territories with HIEs that would give participating providers the same 
data as the Provider Access API. Some Medicaid agencies report concerns 
about duplication with these HIEs, as this would be an inefficient use 
of resources, could confuse providers, and may inhibit efforts to 
expand HIEs. A commenter wrote that CMS should create an exception 
process for Medicaid agencies in states or territories with robust HIEs 
that provide access to the same data. Another commenter recommended 
that CMS consider exception and extension criteria for plans where the 
proposed timelines and requirements would jeopardize their ability to 
operate.
    Response: We thank all commenters for their input regarding 
extensions, exemptions, and exceptions for all payers. We are 
finalizing the extensions and exemptions policies as proposed for state 
Medicaid and CHIP FFS programs without extending them to additional 
payers because state Medicaid and CHIP FFS programs face certain unique 
challenges. As noted previously, unlike other impacted payers, state 
Medicaid and CHIP FFS programs do not have many discrete health care 
plans, and therefore cannot balance implementation costs across plans 
with low enrollment and those with higher enrollment. As stated at the 
beginning of this section, many states have complex procurement and 
staffing/recruitment challenges which do not apply to non-governmental 
organizations. We acknowledge HIEs could be helpful partners for payers 
when implementing these APIs. Nothing in this rule would prohibit a 
state from partnering with an HIE to meet its requirements. Further 
discussion regarding HIEs can be found in sections II.B.3.b.iii. and 
II.C.3.a. of this final rule.
    Comment: Some commenters recommended that CMS include extensions 
and/or exemptions in the proposal for MA organizations, Special Needs 
Plans (SNPs), D-SNPs, or Institutional Special Needs Plans (I-
SNPs).\150\ A commenter wrote that CMS should also permit extensions 
and exemptions for MA organizations offering integrated D-SNPs, 
especially if CMS does not finalize a phased-in approach to 
implementation. The commenter wrote that some of these payers are 
facing the challenge of unwinding current flexibilities implemented due 
to the PHE and are also facing significant requirements in coming years 
as finalized in the CY 2024 MA and Part D final rule (88 FR 22120). 
Another commenter asked that CMS consider whether there may be 
appropriate circumstances where it would be permissible for very small 
MA organizations, such as SNPs or I-SNPs to seek a one-time extension 
to the compliance dates.
---------------------------------------------------------------------------

    \150\ We note for readers that MA organizations offer MA plans, 
which include SNPs (including the specific types of SNPs mentioned 
by commenters--D-SNPs and I-SNPs), so we address these comments 
together.
---------------------------------------------------------------------------

    Response: We did not propose extensions or exemptions for MA 
organizations or Medicaid managed care plans, including plans that 
integrate managed care Medicare and Medicaid benefits (for example, D-
SNPs or applicable integrated plans). We have provided explanations for 
excluding Medicaid managed care plans in previous responses. We believe 
that most MA organizations are supported by entities with an 
operational and technical infrastructure that can support the API 
requirements because these organizations can leverage existing staff 
and vendor resources from implementation of the Patient Access and 
Provider Directory APIs. Further, MA organizations should have the 
operational infrastructure to analyze and implement the requirements 
for the new APIs based on that expertise. Finally, because we did not 
propose extensions or exemptions for MA organizations in the proposed 
rule, we cannot finalize such a policy for these entities in this rule.
    Comment: Some commenters recommended that CMS grant exemptions for 
states that are already implementing electronic prior authorization 
solutions or state-level policies that conflict with the proposed Prior 
Authorization API requirements.
    Response: The option for states to apply for an exemption exists to 
alleviate burden for states with small FFS populations and that have 
established an alternative plan to ensure that enrolled providers have 
efficient electronic access to the same information through other means 
while the exemption is in effect. We will not grant exemptions for 
situations where state law conflicts with the final rule. The final 
rule pre-empts any conflicting state law.
    Comment: Multiple commenters recommended that CMS consider allowing 
states to obtain two 1-year extensions. A commenter stated that an 
additional, 1-year extension would allow states to better meet the 
proposed requirements. Another commenter noted that states face certain 
challenges that may be out of their control and prolong implementation.
    Response: After consideration of comments received and for the 
reasons outlined in our response to these comments, we are extending 
the compliance dates for all of the polices that require API 
development or enhancement finalized in this rule to begin January 1, 
2027, which will allow for additional time for the FHIR standard and 
IGs to continue to be refined and advanced to support all of the 
policies in this final rule. This applies to the compliance dates for 
the Provider Access, Payer-to-Payer, and Prior Authorization APIs. 
State Medicaid and CHIP FFS programs will

[[Page 8905]]

be eligible to apply for up to a 1-year extension as proposed.
    Comment: Multiple commenters expressed support for CMS's proposal 
regarding exemptions for state Medicaid and CHIP FFS programs and 
recommended that CMS finalize these proposed flexibilities regarding 
implementation of the Provider Access, Payer-to-Payer, and Prior 
Authorization APIs. A commenter indicated that in reviewing exemption 
requests and the compliance dates in the proposed rule, as well as 
other information system projects that are in development, their plans 
to implement a comprehensive systems integration platform that would 
integrate the MES would necessitate the option for an exemption. This 
commenter indicated that the project was particularly urgent due to the 
end of system support for another legacy system. Another commenter 
recommended that CMS use a flexible interpretation for the exemption 
process and noted that it would not be reasonable to require a state to 
build out APIs for a Federal Emergency Services Program (FESP), 
explaining that some agencies report having a high number of FFS 
enrollees in an FESP, such that less than 90 percent of their members 
are technically enrolled in managed care.
    Response: We appreciate the support for the proposed exemption 
process, as well as for the simultaneous encouragement for payers to 
secure the necessary resources to implement the technology for the 
prior authorization and other APIs being finalized in this rule. We 
also confirm that the policy in this final rule does not apply to 
FESPs, and that other payers are not being considered eligible for 
exemptions, extensions, or exceptions at this time.
    Comment: A commenter noted that states with managed care 
populations close to the proposed threshold for exemption may be 
incentivized to pressure beneficiaries into managed care to qualify for 
the exemption. A commenter stated that larger states qualifying for an 
exemption will have a total number of FFS beneficiaries that is greater 
than the total Medicaid population of smaller states that would not 
qualify for the exemption.
    Response: CMS needs to balance the benefits to small populations of 
beneficiaries with the burden of new operations and costs being placed 
on states. CMS will not approve exemptions unless a state has 
established an alternative plan to ensure that enrolled providers have 
efficient electronic access to the same information, including prior 
authorization information, through other means while the exemption is 
in effect, or that states are providing efficient electronic access to 
other payers. Additionally, state agencies with an approved exemption 
will be required to meet the policies that do not require API 
development or enhancement for their FFS populations (that is, the 
reduced prior authorization decision timeframes, providing a specific 
reason for a denial, and reporting prior authorization metrics). These 
policies, to the extent they will mitigate barriers to care or support 
improvements in the transparency of information between the states and 
providers, are part of the overall scope for this final rule to address 
challenges with prior authorization. Concerning the methodology states 
use to apply and be approved for an exemption, we believe we have 
provided a threshold where a state could appropriately claim an 
exemption without taking actions that would inappropriately influence 
the enrollment process or individual enrollee's enrollment decisions. 
States' use of enrollment brokers for choice counseling and enrollment 
processing also protects enrollees from undue pressure during the 
enrollment process. We remind states of the enrollee protections 
specified at 42 CFR 438.54 and 457.1210 for Medicaid and CHIP managed 
care enrollment respectively, as well as disenrollment rights specified 
at 42 CFR 438.56(c) and 457.1212, respectively.
    Comment: A commenter urged CMS to use a flexible interpretation for 
the exemption process for the API requirements for Medicaid agencies 
with at least 90 percent of their members enrolled in managed care, 
noting that some states have a high number of FFS beneficiaries in an 
FESP that are only covered for emergency care. The commenter stated 
that it would not be reasonable to require a state to build out APIs 
for beneficiaries and programs that cover such a narrow scope of 
services.
    Response: We appreciate the commenter highlighting that some states 
may have larger populations in FFS where beneficiaries are not 
receiving comprehensive benefits and thus may experience only limited 
value from the APIs. Our intent with establishing this condition for 
exemption approval is that no FFS population will experience diminished 
health care delivery or information exchange capabilities as a result 
of an approved exemption. The exemption intends to alleviate the cost 
burden of implementing the API provisions on state Medicaid and/or CHIP 
agencies with small FFS populations, regardless of the scope of their 
benefit package. We remind states that CMS will grant an exemption if 
the state establishes to CMS's satisfaction that the state meets the 
criteria for the exemption and has established an alternative plan to 
ensure that enrolled providers have efficient electronic access to the 
same information through other means while the exemption is in effect, 
including patient information and prior authorization information.
b. Exception for Qualified Health Plan Issuers on the Federally-
Facilitated Exchanges
    For QHP issuers on the FFEs, we proposed an exception process to 
the Provider Access, Payer-to-Payer, and Prior Authorization APIs for 
issuers applying for QHP certification that cannot satisfy the proposed 
requirements. To apply for an exception, we proposed that an issuer 
must include as part of its QHP application a narrative justification 
describing the reasons why it cannot reasonably satisfy the 
requirements for the applicable plan year, the effect of non-compliance 
upon providers and enrollees, the current or proposed means of 
providing the required information to providers or other payers, and 
solutions and a timeline to achieve compliance with the requirements 
(87 FR 76304). We reiterate in this final rule that QHP issuers on the 
FFEs submit a new application each year and that this information will 
be part of the annual QHP Certification application submission. Thus, 
should the size, financial condition, or capabilities of the QHP issuer 
change such that it believes it can implement one or more of the APIs, 
that information would be included in the application. We received a 
few comments on the proposals for exceptions for QHPs.
    Comment: Multiple commenters expressed support for the proposed 
exception process for QHP issuers on the FFEs, highlighting the need 
for this policy and recommending that CMS finalize the proposal to 
allow exceptions for QHP issuers on the FFEs regarding compliance with 
all proposed APIs.
    Response: We appreciate the support for the policy that QHPs be 
permitted an exception for the policies that require API development or 
enhancement in cases where the FFE determines that making such QHPs 
available is in the interests of qualified individuals in the state or 
states in which the FFE operates, and an exception would be warranted 
to permit the QHP issuer to offer QHPs through the FFE. This policy and 
the exceptions per 45 CFR 156.222(c) are consistent with the exception 
for QHP issuers on the FFEs

[[Page 8906]]

that we finalized for the Patient Access API in the CMS 
Interoperability and Patient Access final rule (85 FR 25552). We 
believe that having a QHP issuer offer QHPs through an FFE generally is 
in the best interest of patients; we would not want patients to have to 
go without access to QHP coverage because an issuer is unable to 
implement these APIs.
    Comment: Multiple commenters expressed concern regarding the 
proposed exception process for QHP issuers on the FFEs. Commenters 
specifically highlighted the ability for a QHP issuer to be certified, 
even with an exception to these requirements. A commenter recommended 
that CMS limit using exceptions for QHP issuers on the FFEs for the 
Provider Access API, and another commenter recommended that CMS explain 
that QHP issuers on the FFEs must eventually comply with the proposed 
requirements. A commenter expressed concern that if QHP issuers on the 
FFEs can be certified without complying with the regulation, then there 
would not be an incentive for compliance. A commenter stated that the 
proposal does not make sense given the financial position of QHP 
issuers on the FFEs and their ability to afford cost-saving technology. 
The commenter recommended that any exception be conditioned on ``no 
profit taking'' by a health plan and limited executive compensation 
plans until the plan can comply. Additionally, the commenter stated 
that CMS had not offered a reasonable proposal for criteria to qualify 
a QHP issuer to be exempt from the proposed API requirements.
    Response: We understand concerns from commenters about permitting 
delayed implementation of requirements to promote access to information 
and expedited decision-making. However, given the comments in support 
of the proposed exceptions process and our interest in ensuring a 
variety of coverage options for FFE enrollees, we are finalizing this 
exception as proposed. While some issuers are in a position to 
implement the updates that this rule requires, a wide range of issuers 
participate in the FFEs and vary in terms of when they will have 
available resources to adopt these new requirements. Per applicable 
rules at 45 CFR 156.221(h), 156.222(c), and 156.223(d), we have been 
and will continue granting exceptions to QHP issuers on the FFEs on an 
annual basis, and use information that issuers submit as part of the 
QHP certification process to track their progress.
    We will implement the exceptions processes per 45 CFR 156.222(c), 
and 45 CFR 156.223(d), based on our experience to date with 
implementing the existing exception per 45 CFR 156.221(h) that is 
available to QHP issuers on the FFEs that cannot satisfy the 
requirements per 45 CFR 156.221(a) through (g) to implement and 
maintain the Patient Access API for the applicable plan year. When 
determining whether a QHP issuer on an FFE may qualify for an exception 
to the current requirement to provide a Patient Access API, we take 
into consideration the content that the issuer submits per the 
requirement at 45 CFR 156.221(h), including the impact of non-
compliance upon enrollees, the current or proposed means of providing 
health information to enrollees, and solutions and a timeline to 
achieve compliance with the requirements of this section. This 
information allows us to assess whether a QHP issuer has a plan in 
place to mitigate harm or inconvenience to enrollees by ensuring they 
can access necessary information, as well as a plan to fully implement 
the requirements as soon as possible. Information that issuers submit 
during the QHP certification process also allows us to develop a 
knowledge base of API development capacity for issuers based on size 
and other circumstances, which can inform future decisions about 
whether to allow exceptions. We expect to build on this knowledge base 
as we implement the exceptions processes per 45 CFR 156.222(c) and 
156.223(d), and as part of our updates to the QHP certification process 
in the coming years to reflect this rule's new requirements, we will 
continue to work closely with issuers and other stakeholders to ensure 
that our implementation balances the importance of access to 
information with robust QHP issuer participation on the FFEs.
    Finally, QHP issuer applications for plan years 2023 and 2024 
indicated that most issuers were compliant with the requirement to 
provide a Patient Access API. Further, issuers that sought an exception 
under 45 CFR 156.221(h) generally explained in their justifications 
that they planned to become compliant with the API requirements mid-way 
through the upcoming plan year, or shortly after the start of the plan 
year. This high level of compliance suggests that the availability of 
an exception does not discourage or de-incentivize issuers' 
implementation of these standards.
    We agree that the intent of our final policies is for all impacted 
payers to provide patients with the benefits of the Provider Access, 
Payer-to-Payer, and Prior Authorization APIs as soon as they are 
financially and operationally able. For example, for each of the API 
provisions for which an exemption is available, we have indicated that 
if the payer cannot implement the API and is seeking an exemption, it 
must offer alternative options to the providers to support the intent 
of the policies; such programs would generally improve the exchange of 
patient data between payers for care management or access to 
information for patients, and to improve the prior authorization 
process for providers and payers. We believe that by requiring 
alternatives to the APIs during the exemption, payers will investigate 
options to implement the APIs because, in the long term, these will be 
more efficient and financially viable than maintaining current manual 
processes.
    Table F1 shows the impacted payers that are eligible to apply for 
an extension, exemption, or exception for the Provider Access, Payer-
to-Payer, and/or Prior Authorization APIs required in this final rule. 
Tables C1, D1, and E4 found in sections II.B., II.C., and II.D. of this 
final rule include the regulatory citations for the extensions, 
exemptions, and exceptions for each impacted payer.

[[Page 8907]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.010

3. Federal Matching Funds for State Medicaid and CHIP Expenditures on 
Implementation of the Provider Access, Payer-to-Payer, and Prior 
Authorization APIs
    We explained in the proposed rule for each of the APIs, we would 
anticipate that states operating Medicaid and CHIP programs would be 
able to access Federal matching funds to support their implementation 
of the APIs--specifically, the Provider Access, Payer-to-Payer, and 
Prior Authorization APIs. We expect these APIs to lead to more 
efficient administration of Medicaid and CHIP state plans by supporting 
more efficient data exchange and prior authorization processes, 
consistent with sections 1902(a)(4) and 2101(a) of the Act, 
respectively.
    We do not consider state expenditures for implementing the Provider 
Access, Payer-to-Payer, or Prior Authorization APIs to be attributable 
to any covered Medicaid item or service within the definition of 
``medical assistance.'' Thus, in Medicaid, CMS will not match these 
expenditures at the state's regular Federal Medical Assistance 
Percentage (FMAP). However, FFP at a rate of 50 percent could be 
available for state expenditures related to implementing these APIs for 
Medicaid programs under section 1903(a)(7) of the Act (for the proper 
and efficient administration of the Medicaid state plan). The three 
APIs should, over time, help the state more efficiently administer its 
Medicaid program by supporting data exchange with providers and other 
payers and improving efficiencies in the prior authorization process. 
As we stated in the proposed rule, sharing certain data through the 
Provider Access API with participating providers could improve the 
quality of care for patients, using the Payer-to-Payer API may help 
patients manage their information across payers to support patient 
care, and using the Prior Authorization API will enable administrative 
efficiencies by reducing delays in the prior authorization process 
overall, and by helping reduce the number of denied and appealed prior 
authorization decisions.
    States' expenditures to implement the proposed requirements could 
be eligible for 90 percent enhanced FFP under section 1903(a)(3)(A)(i) 
of the Act if the expenditures can be attributed to the design, 
development, and installation (DDI) of mechanized claims processing and 
information retrieval systems. Additionally, 75 percent enhanced FFP, 
under section 1903(a)(3)(B) of the Act, could be available for state 
expenditures to operate Medicaid mechanized claims processing and 
information retrieval systems to comply with the finalized API 
requirements.
    States can request Medicaid enhanced FFP under section 
1903(a)(3)(A)(i) or (B) of the Act through the APD process described at 
45 CFR part 95, subpart F. Additionally, 42 CFR 433.112(b)(12) and 
433.116(c) require that any system for which states are receiving 
enhanced FFP under section 1903(a)(3)(A)(i) or (B) of the Act align 
with and incorporate the ONC Health IT standards adopted at 45 CFR part 
170, subpart B. The APIs complement this requirement because they 
further interoperability by using standards adopted by ONC at 45 CFR 
170.215.\151\ States must comply with 42 CFR 433.112(b)(10) and 
433.116(c) to explicitly support exposed APIs, meaning the API's 
functions are visible to others to enable the creation of a software 
program or application, as a condition of receiving enhanced FFP under 
section 1903(a)(3)(A)(i) or (B) of the Act. We note that FHIR is an 
open-source standard that can meet the requirements at 42 CFR 
433.112(b)(10) and 433.116(c) if implemented by following our 
regulations, particularly the technical, documentation and denial or 
discontinuation requirements at 42 CFR 431.60.
---------------------------------------------------------------------------

    \151\ Centers for Medicare and Medicaid Services (2020). SHO # 
20-003 RE: Implementation of the CMS Interoperability and Patient 
Access Final Rule and Compliance with the ONC 21st Century Cures Act 
Final Rule. Retrieved from https://www.medicaid.gov/federal-policy-guidance/downloads/sho20003.pdf.
---------------------------------------------------------------------------

    Finally, 42 CFR 433.112(b)(13) and 433.116(c) require states to 
promote sharing, leverage, and re-use of Medicaid technologies and 
systems within and among states as a condition of receiving enhanced 
FFP under section 1903(a)(3)(A)(i) or (B) of the Act. CMS interprets 
that requirement to apply to technical documentation associated with a 
technology or system, such as technical documentation for connecting to 
a state's APIs. Making the needed technical documentation publicly 
available so that systems that need to do so can connect to the APIs 
finalized in this rule is required as part of the technical 
requirements at 42 CFR 431.60(d) for all APIs, including the Provider 
Access, Payer-to-Payer, and Prior Authorization APIs.

[[Page 8908]]

    Separately, for CHIP agencies, section 2105(c)(2)(A) of the Act and 
42 CFR 457.618, limiting administrative costs to no more than 10 
percent of a state's total computable expenditures for a fiscal year 
(FY), will apply to administrative claims for developing the APIs 
finalized in this rule.
    Comment: Multiple commenters expressed appreciation for the 
inclusion of language that states may be eligible for enhanced FFP to 
support implementation of the Provider Access, Payer-to-Payer, and 
Prior Authorization APIs in this final rule. While these commenters 
expressed support for this option, others asked CMS to explain whether 
enhanced FFP is also available to implement the Patient Access API 
requirements.
    Response: Many states have already requested enhanced Federal 
matching funds for their expenditures on implementation of the Patient 
Access API required in the CMS Interoperability and Patient Access 
final rule. Additionally, enhanced funding under section 
1903(a)(3)(A)(i) of the Act may be available for certain expenditures 
to design, develop, and install the enhancements to the Patient Access 
API finalized in this rule, in addition to expenditures related to the 
Provider Access, Payer-to-Payer, and Prior Authorization APIs. CMS 
encourages states to seek enhanced FFP where it might be applicable for 
states' expenditures on work needed to meet state Medicaid and CHIP 
agencies' requirements under this rule and looks forward to reviewing 
any APDs submitted by states. Instructions for submitting the APDs are 
available on the Medicaid website \152\ under the topic of ``Medicaid 
State Plan Amendments'' with information about what categories of costs 
may be included in the requests, such as HIE connection/interface 
costs. The information on the categories that are included in these 
requests can be found in the State Medicaid Manual (SMM), Chapter 11, 
sections 265 & 276,\153\ the State Medicaid Director Letter (SMDL) 16-
004, ``Mechanized Claims Processing and Information Retrieval Systems-
Enhanced Funding,'' \154\ and the State Health Official (SHO) #20-003, 
``Implementation of the CMS Interoperability and Patient Access final 
rule.'' \155\
---------------------------------------------------------------------------

    \152\ Code of Federal Regulations (amended 2016, June 2). 
Retrieved from 45 CFR 95.610, Submissions of advance planning 
documents.
    \153\ Centers for Medicare and Medicaid Services. The State 
Medicaid Manual (SMM), Chapter 11, sections 265 & 276. Retrieved 
from https://www.cms.gov/regulations-and-guidance/guidance/manuals/paper-based-manuals-items/cms021927.
    \154\ Centers for Medicare and Medicaid Services (2016, March 
31). State Medicaid Director letter #16-004. Retrieved from https://www.medicaid.gov/sites/default/files/federal-policy-guidance/downloads/SMD16004.pdf.
    \155\ Centers for Medicare and Medicaid Services (2020, August 
14). State Health Official letter #20-003. Retrieved from https://www.medicaid.gov/sites/default/files/2020-08/sho20003_0.pdf.
---------------------------------------------------------------------------

    Comment: A commenter recommended that states receive a 90 percent 
Federal match to support implementation of these requirements. Another 
commenter urged CMS to explain in the final rule, or additional 
guidance, whether all, or likely all, of the required state investment 
to develop these APIs, would qualify for enhanced Federal matching to 
establish and operate API systems.
    Response: States' expenditures to implement the proposed 
requirements for each of the APIs may be eligible for 90 percent 
enhanced FFP if the expenditures can be attributed to the DDI for those 
APIs that benefit the Medicaid program. CMS determines on a case-by-
case basis when states' APDs requesting this 90 percent FFP are 
approvable, consistent with the requirements at 42 CFR part 433, 
subpart C, and 45 CFR part 95, subpart F. States should work with their 
MES State Officers for further guidance specific to their programs.
    Comment: A commenter recommended that CMS clarify that the Federal 
funding resources available for states meeting the Prior Authorization 
API requirement can also include pass-through payments to providers to 
obtain and utilize interoperable EHR technology for these purposes. 
This commenter also expressed concern that the proposed rule did not 
offer any indication of available resources for providers, but they 
appreciate CMS's clarification of available Federal resources available 
to states for implementing the Prior Authorization API requirement. 
Another commenter said that states should be granted flexibility for 
Federal funding sources to expand the number of SNF providers able to 
utilize the new Provider Access API.
    Response: We encourage states to apply for Federal funding to 
support their planning, development, and implementation of state 
systems including the Provider Access, Payer-to-Payer, and Prior 
Authorization APIs, because these APIs will enable more providers to 
engage in data exchange with state systems to improve patient care. As 
previously noted, enhanced Federal Medicaid funding at the 90 percent 
rate may be available for the DDI and at the 75 percent rate for the 
operation of these API initiatives that benefit the Medicaid program. 
These enhanced Federal matching funds, as outlined at 42 CFR 433.112 
(DDI) and 433.116 (operation), are available for state expenditures on 
Medicaid state systems only, and not available for other state or 
provider expenditures on provider-only systems to support providers' or 
other entities' efforts to implement APIs. Similarly, Federal matching 
funds at 50 percent under section 1903(a)(7) of the Act might be 
available to support Medicaid state specific activities for the 
required provisions. However, none of these funds are available for 
funding to providers, as these are designated to support state-specific 
initiatives.
4. Medicaid Expansion CHIP
    Most states have Medicaid expansion CHIP programs, in which a state 
receives Federal funding to expand Medicaid eligibility to optional 
targeted low-income children that meet the requirements of section 2103 
of the Social Security Act. We proposed and are now finalizing our 
policy at 42 CFR 457.700(c), that for states with Medicaid Expansion 
CHIP programs, the final requirements as proposed for Medicaid will 
apply to those programs rather than separate provisions for the CHIP 
program. In this final rule, we make explicit that the Medicaid 
requirements at Sec. Sec.  431.60, 431.61, and 431.80 apply to the 
Medicaid expansion CHIP programs rather than the separate CHIP 
requirements at Sec. Sec.  457.730, 457.731, and 457.732.
    Comment: A commenter stated that most states have operating 
Medicaid expansion CHIP programs and that the provisions outlined in 
the proposed rule would apply to most states.
    Response: We agree with this commenter and as stated, are 
confirming that Medicaid requirements apply equally to Medicaid 
expansion CHIP programs.
5. Final Action
    After consideration of the comments received, and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule and our responses to those comments (as summarized), we are 
finalizing our proposal to allow for state Medicaid and CHIP FFS 
programs and QHP issuers on the FFEs to apply for certain extensions, 
exemptions, or exceptions for the Provider Access, Payer-to-Payer and/
or Prior Authorization APIs. We are also finalizing our proposal 
regarding Medicaid Expansion CHIP programs.
    We are finalizing the policy to allow state Medicaid and CHIP FFS 
programs

[[Page 8909]]

to apply for an extension to the deadline from the requirements to 
implement the Provider Access, Payer-to-Payer, and/or Prior 
Authorization APIs. Specifically, we are finalizing that states may 
request a one-time, 1-year extension as part of their annual APD for 
MMIS operations expenditures before the compliance dates. The written 
extension request must include the following: (1) a narrative 
justification describing the specific reasons why the state cannot 
satisfy the requirement(s) by the compliance dates, and why those 
reasons result from circumstances that are unique to the agency 
operating the Medicaid and/or CHIP FFS program; (2) a report on 
completed and ongoing state activities that evidence a good faith 
effort toward compliance; and (3) a comprehensive plan to meet the 
requirements no later than 1 year after the compliance date. CMS will 
grant an extension if the state establishes, to CMS's satisfaction, 
that the request adequately establishes a need to delay implementation; 
and that the state has a comprehensive plan to meet the requirements no 
later than 1 year after the compliance date.
    We are finalizing a policy to allow state Medicaid and CHIP FFS 
programs to apply for an exemption from the requirements of the 
Provider Access, Payer-to-Payer, and/or Prior Authorization APIs when 
at least 90 percent of the state's Medicaid beneficiaries are enrolled 
in Medicaid MCOs or when at least 90 percent of the state's separate 
CHIP beneficiaries are enrolled in CHIP MCOs. We are finalizing that 
the requirements for the Payer-to-Payer API to obtain beneficiaries' 
permission, provide educational resources at the time of requesting 
permission, and identify patients' previous/concurrent payers, 
including for beneficiaries covered under managed care are not eligible 
for the exemption. Specifically, we are finalizing the policy that a 
state may request an exemption, as part of their annual APD for MMIS 
operations expenditures before the compliance date (which may be 
extended by 1 year if the state receives an extension). The exemption 
request must include documentation showing that the state meets the 
threshold criterion based on enrollment data from the most recent CMS 
``Medicaid Managed Care Enrollment and Program Characteristics'' (for a 
Medicaid FFS exemption) or enrollment data from section 5 of the most 
recently accepted state submission to CHIP Annual Report Template 
System (CARTS). The state must also include an alternative plan to 
ensure that providers have efficient electronic access to the same 
information through other means while the exemption is in effect. CMS 
will grant the exemption if the state establishes, to CMS's 
satisfaction, that the state meets the criteria for the exemption, 
including an alternative plan to ensure efficient electronic access to 
the same information through other means while the exemption is in 
effect.
    We are finalizing that an exemption will expire under two 
scenarios. First, an exemption will expire if, based on the 3 previous 
years of available, finalized Medicaid Transformed Medicaid Statistical 
Information System (T-MSIS) and/or CHIP CARTS enrollment data, the 
State's MCO enrollment for 2 of the previous 3 years is below 90 
percent. Second, an exemption will expire if CMS approves a state plan 
amendment, waiver, or waiver amendment that would significantly reduce 
the percentage of beneficiaries enrolled in managed care and the 
anticipated shift in enrollment is confirmed by the first available, 
finalized Medicaid T-MSIS and/or CHIP CARTS enrollment data.
    We are finalizing that states must provide written notification to 
CMS if they no longer qualify for an approved exemption. Written 
notification must be submitted to CMS within 90 days of the 
finalization of the first annual Medicaid T-MSIS managed care 
enrollment data and/or the CARTS report for CHIP demonstrating the 
enrollment shift to below 90 percent in managed care. States must 
obtain CMS approval of a timeline for compliance with the API 
requirements for Medicaid FFS and/or CHIP FFS within 2 years of the 
expiration of the exemption. For additional context, please refer to 
the proposed rule (87 FR 76263).
    In addition, we are finalizing that for states with Medicaid 
expansion CHIPs, the requirements for Medicaid will apply to those 
programs rather than-the provisions for separate CHIPs.
    We are finalizing that an issuer applying for QHP certification may 
apply for an exception from requirements of the Provider Access, Payer-
to-Payer, and/or Prior Authorization APIs. The issuer must include, as 
part of its QHP application, a narrative justification describing the 
reasons why the issuer cannot reasonably satisfy the requirements for 
the applicable plan year, the impact of non-compliance upon providers 
and enrollees, the current or proposed means of providing health 
information to providers or other payers, and solutions and a timeline 
to achieve compliance with the requirements. An FFE may grant an 
exception to the requirements if it determines that making that 
issuer's QHPs available through the FFE is in the interests of 
qualified individuals in the state or states in which the FFE operates, 
and an exception is warranted to permit the issuer to offer QHPs 
through the FFE.
    These final policies apply to state Medicaid and CHIP FFS programs 
and QHP issuers on the FFEs at the CFR sections listed in Tables C1, 
D1, and E4.

F. Electronic Prior Authorization Measures for the Merit-Based 
Incentive Payment System Promoting Interoperability Performance 
Category and the Medicare Promoting Interoperability Program

1. Background
    As discussed in detail in section II.D. of this final rule, the 
current prior authorization process needs improvement to reduce the 
burden associated with the process itself. To facilitate those needed 
improvements in the prior authorization process, we are requiring 
impacted payers to implement and maintain a Prior Authorization API. 
The Prior Authorization API aims to improve care coordination and 
shared decision-making by enabling enhanced electronic documentation 
discovery and facilitating electronic prior authorization. We believe 
the Prior Authorization API will reduce administrative burden, improve 
efficiency, and ensure patients promptly receive necessary medical 
items and services. We also recognize that efficiencies from payer 
implementation of these APIs will only be realized if they are utilized 
by requesting providers to complete prior authorization requests.
    Therefore, we proposed a new measure for MIPS eligible clinicians 
(as defined at 42 CFR 414.1305) under the MIPS Promoting 
Interoperability performance category, as well as for eligible 
hospitals and CAHs under the Medicare Promoting Interoperability 
Program, related to electronic prior authorization and the Prior 
Authorization API (87 FR 76312-76314). We proposed the new measures, 
titled ``Electronic Prior Authorization,'' to be included in the HIE 
objective for the MIPS Promoting Interoperability performance category 
and in the HIE objective for the Medicare Promoting Interoperability 
Program. The Electronic Prior Authorization measure aims to address 
concerns, specifically from commenters in response to the December 2020 
Interoperability proposed rule (85 FR 82586), that few providers would 
use the Prior

[[Page 8910]]

Authorization API established by impacted payers.
    MIPS is authorized under section 1848(q) of the Act. As described 
in sections 1848(q)(2) and (5) of the Act, we evaluate the performance 
of MIPS eligible clinicians in four performance categories, which we 
refer to as the quality, cost, improvement activities, and Promoting 
Interoperability performance categories. Under 42 CFR 414.1375(b)(2), 
MIPS eligible clinicians must report on objectives and measures as 
specified by CMS for the Promoting Interoperability performance 
category. We refer readers to the CY 2024 Physician Fee Schedule (PFS) 
final rule (88 FR 79357-79362) for a list of the current objectives and 
measures required for the MIPS Promoting Interoperability performance 
category.\156\ We determine a final score for each MIPS eligible 
clinician based on their performance in the MIPS performance categories 
during a MIPS performance period for a year. Based on the MIPS eligible 
clinician's final score, we calculate a MIPS payment adjustment (which 
can be positive, neutral, or negative) that applies for the covered 
professional services they furnish in the MIPS payment year which 
occurs 2 years later.
---------------------------------------------------------------------------

    \156\ In the proposed rule (87 FR 76312), we referred readers to 
the CY 2023 PFS final rule (87 FR 70075-70080) for the then-current 
list of objectives and measures. We have updated this final rule to 
refer to the CY 2024 PFS final rule which includes the most recent 
objectives and measures, including changes effective for the CY 2024 
MIPS performance period.
---------------------------------------------------------------------------

    The Medicare Promoting Interoperability Program for eligible 
hospitals and CAHs is authorized in part under sections 
1886(b)(3)(B)(ix) and 1814(l)(4) of the Act. Under these statutory 
provisions, eligible hospitals and CAHs that are not meaningful EHR 
users are subject to Medicare payment reductions. To be considered a 
meaningful EHR user (as defined under 42 CFR 495.4), the eligible 
hospital or CAH must demonstrate meaningful use of CEHRT by satisfying 
objectives and measures as required under 42 CFR 495.24. We refer 
readers to the FY 2024 Hospital Inpatient Prospective Payment System 
(IPPS) and Long-Term Care Hospital (LTCH) final rule (88 FR 59269-
59277) for a summary of the currently adopted objectives and measures 
for the Medicare Promoting Interoperability Program.
2. Electronic Prior Authorization
    To support the policies in this final rule and maximize the 
potential to improve the prior authorization process for providers and 
patients, we proposed to add new measures, titled ``Electronic Prior 
Authorization,'' under the HIE objective of the MIPS Promoting 
Interoperability performance category and under the HIE objective of 
the Medicare Promoting Interoperability Program. These measures support 
the electronic exchange of health information to improve the quality of 
health care, such as promoting care coordination, as described in 
section 1848(o)(2)(A)(ii) of the Act with respect to MIPS eligible 
clinicians, and section 1886(n)(3)(A)(ii) of the Act with respect to 
eligible hospitals and CAHs.
    We proposed that for purposes of the Electronic Prior Authorization 
measures, a prior authorization request must be made using the Prior 
Authorization API to satisfy the measure, unless the MIPS eligible 
clinician, eligible hospital, or CAH could claim an applicable 
exclusion. As discussed in more detail in the proposed rule (87 FR 
76313) and further in this section II.F., we proposed that MIPS 
eligible clinicians, eligible hospitals, and CAHs would report the 
number of prior authorizations requested electronically via the Prior 
Authorization API using data from their CEHRT as a numerator and 
denominator, unless they could claim an applicable exclusion. We 
proposed that beginning with the CY 2026 performance period/CY 2028 
MIPS payment year for MIPS eligible clinicians and the CY 2026 EHR 
reporting period for eligible hospitals and CAHs, a MIPS eligible 
clinician, eligible hospital, or CAH that fails to report the measure 
or claim an exclusion would not satisfy the MIPS Promoting 
Interoperability performance category or Medicare Promoting 
Interoperability Program reporting requirements. For the CY 2026 
performance period/CY 2028 MIPS payment year for MIPS eligible 
clinicians and the CY 2026 EHR reporting period for eligible hospitals 
and CAHs, we proposed that the Electronic Prior Authorization measure 
would not be scored and would not affect the total score for the MIPS 
Promoting Interoperability performance category or the Medicare 
Promoting Interoperability Program. In other words, for CY 2026, a MIPS 
eligible clinician, eligible hospital, or CAH would be required to 
report a numerator of at least one for the measure or claim an 
exclusion, but the measure would not be scored. We proposed that, if 
the MIPS eligible clinician or eligible hospital or CAH does not report 
a numerator of at least one for the measure or claim an exclusion, they 
would receive a zero score for the MIPS Promoting Interoperability 
performance category or the Medicare Promoting Interoperability 
Program, respectively. We noted that we intend to propose a scoring 
methodology for the measure in future rulemaking.
    First, we are finalizing that MIPS eligible clinicians report the 
Electronic Prior Authorization measure beginning with the CY 2027 
performance period/2029 MIPS payment year (rather than the CY 2026 
performance period/2028 MIPS payment year), and that eligible hospitals 
and CAHs report the Electronic Prior Authorization measure beginning 
with the CY 2027 EHR reporting period (rather than the CY 2026 EHR 
reporting period). We believe that this modification to our proposed 
policy for the Electronic Prior Authorization measures will allow more 
time for MIPS eligible clinicians, eligible hospitals, and CAHs to 
adjust to the new electronic prior authorization workflow using the 
Prior Authorization API.
    Second, we are finalizing the Electronic Prior Authorization 
measure with a modification such that it is structured as an 
attestation (yes/no) measure, instead of a numerator and denominator 
measure as originally proposed, for both MIPS eligible clinicians and 
eligible hospitals and CAHs. As an attestation measure, MIPS eligible 
clinicians, eligible hospitals, and CAHs will report a ``yes'' or 
``no'' response or report an applicable exclusion for the Electronic 
Prior Authorization measure. Instead of reporting how many times the 
MIPS eligible clinician, eligible hospital, or CAH requested prior 
authorization electronically via the Prior Authorization API in a 
numerator and all prior authorizations in a denominator as proposed (87 
FR 76313), the MIPS eligible clinician, eligible hospital, or CAH will 
either submit an attestation (yes/no) regarding whether they used the 
Prior Authorization API to submit at least one prior authorization 
request electronically or claim an applicable exclusion to report the 
modified Electronic Prior Authorization measures. We are modifying the 
proposed reporting methodology to align with the modification to the 
measure specifications we are finalizing, specifically reporting this 
measure as an attestation yes/no response instead of a numerator and 
denominator. We believe that this modification to our proposed policy 
for the Electronic Prior Authorization measures will reduce burden by 
not requiring MIPS eligible clinicians, eligible hospitals, and CAHs to 
calculate and report a numerator and

[[Page 8911]]

denominator for the Electronic Prior Authorization measure.
    Additionally, we are finalizing that the measures will not be 
scored (that is, not assigned points for completion or failure). 
Instead, if a MIPS eligible clinician, eligible hospital, or CAH fails 
to report the measure as specified, they would not meet the minimum 
reporting requirements, not be considered a meaningful EHR user, and 
fail the Medicare Promoting Interoperability Program or the MIPS 
Promoting Interoperability performance category. A failure in the 
Medicare Promoting Interoperability Program would result in a downward 
payment adjustment for eligible hospitals or CAHs (unless the eligible 
hospital or CAH receives a hardship exception). A failure in the 
Promoting Interoperability performance category would result in the 
MIPS eligible clinician receiving a score of zero for the performance 
category, which is currently worth 25 percent of their final score for 
MIPS. This is consistent with our original proposal that failure to 
report a numerator of at least one for the measure, or claim an 
exclusion, warrants a zero score for the MIPS Promoting 
Interoperability performance category and failure to meet Medicare 
Promoting Interoperability Program reporting requirements (87 FR 
76313).
    For the MIPS Promoting Interoperability performance category, 
satisfactory performance on this measure can be demonstrated only by 
reporting a ``yes'' response on the attestation or claiming an 
applicable exclusion. A ``no'' response on the attestation will result 
in the MIPS eligible clinician failing to meet the minimum reporting 
requirements, therefore not being considered a meaningful EHR user for 
MIPS, as set forth in section 1848(o)(2)(A) of the Act and defined at 
42 CFR 414.1305, for the MIPS payment year (42 CFR414.1305). MIPS 
eligible clinicians that do not report a ``yes'' response or claim an 
applicable exclusion for the Electronic Prior Authorization measure as 
specified (that is, they do not submit the measure or claim an 
exclusion or report a ``no'' response) will not earn a score for the 
MIPS Promoting Interoperability performance category (a score of zero 
for the category). A MIPS eligible clinician's score in the Promoting 
Interoperability performance category is generally worth 25 percent of 
their total final score for MIPS.\157\ We note that to report a 
``yes,'' the action of the measure must occur during the selected 
performance period \158\ or EHR reporting period,\159\ as per the 
measure specifications defined below.
---------------------------------------------------------------------------

    \157\ See 42 CFR 414.1375(a); 414.1380(c)(1).
    \158\ See 42 CFR 414.1320.
    \159\ See 42 CFR 495.40(b)(2)(i).
---------------------------------------------------------------------------

    For the Medicare Promoting Interoperability Program, only a ``yes'' 
response on the attestation, or claiming an applicable exclusion, will 
fulfill the minimum requirements of this measure. A ``no'' response 
will result in the eligible hospital or CAH failing to meet the 
measure, and therefore failing to meet minimum program reporting 
requirements, thus not being considered a meaningful EHR user for an 
EHR reporting period, as defined in section 1886(n)(3) of the Act.\160\ 
Eligible hospitals and CAHs that do not meet the minimum program 
reporting requirements are subject to a downward payment adjustment 
(unless the eligible hospital or CAH receives a hardship exception).
---------------------------------------------------------------------------

    \160\ See 42 CFR 495.4; 495.24(f)(1)(i)(A).
---------------------------------------------------------------------------

    The following is a summary of the comments we received on our 
proposals and our responses.
    Comment: Multiple commenters expressed support for our proposal to 
add the Electronic Prior Authorization measure under the MIPS Promoting 
Interoperability performance category for MIPS eligible clinicians and 
the Medicare Promoting Interoperability Program for eligible hospitals 
and CAHs to incentivize use of the Prior Authorization API among 
providers. Multiple commenters agreed that it is appropriate to place 
the proposed Electronic Prior Authorization measure under the HIE 
objective for both the MIPS Promoting Interoperability performance 
category and the Medicare Promoting Interoperability Program. Multiple 
commenters noted that the Electronic Prior Authorization measure would 
incentivize MIPS eligible clinicians, eligible hospitals, and CAHs to 
use the Prior Authorization API capabilities to automate the prior 
authorization process, which could lead to more timely delivery of 
care. A commenter stated that this proposal would help ensure that 
providers utilize the Prior Authorization and Provider Access APIs' 
technology, in addition to promoting interoperability and the 
electronic exchange of health information.
    Response: We thank commenters for their feedback and support of the 
proposed Electronic Prior Authorization measure under the MIPS 
Promoting Interoperability performance category and the Medicare 
Promoting Interoperability Program. We agree that the Electronic Prior 
Authorization measure will help incentivize MIPS eligible clinicians, 
eligible hospitals, and CAHs to use the Prior Authorization API to 
automate the prior authorization process, which could lead to more 
timely delivery of care.
    Comment: Multiple commenters encouraged CMS to continue to explore 
additional and alternative opportunities to foster API adoption and 
utilization of electronic prior authorization tools, as well as 
incentivize the adoption of the Prior Authorization API across the 
industry and include a broader set of providers outside of these 
incentive programs. Commenters suggested expanding the Electronic Prior 
Authorization measure to other programs to reach additional provider 
populations, such as the Medicare Shared Savings Program (MSSP) and 
Alternative Payment Models (APMs). A commenter also recommended 
implementing a pilot program as part of CMS's Primary Care First (PCF) 
model. A commenter recommended that CMS should work in partnership with 
ONC to implement incentives that encourage further adoption of 
electronic prior authorization. Another commenter supported further 
development of performance measures to encourage interoperability 
enhancements and API uptake. A commenter recommended that CMS engage 
with various associations to encourage further adoption. A commenter 
supported industry-wide adoption of electronic prior authorization 
processes but suggested that only requiring impacted payers to build 
APIs would not lead to broad adoption. A commenter stated that CMS 
should use every available option to influence and incentivize adoption 
of these standards within the health care industry if it intends to 
mandate that impacted payers participate. Commenters also acknowledged 
that the provider community is an important, interested group in the 
drive to enable widespread interoperability.
    Response: We thank the commenters for their support and additional 
recommendations on how we can incentivize using the Prior Authorization 
API. We will continue to monitor and assess opportunities we can 
leverage to encourage API implementation uptake. Additionally, we will 
continue to collaboratively work with ONC to identify ways to 
incentivize the adoption of electronic prior authorization. We believe 
that establishing the Electronic Prior Authorization measure is a 
viable method to begin fostering the adoption and utilization of the 
Prior Authorization API by MIPS eligible

[[Page 8912]]

clinicians, eligible hospitals, and CAHs in these initiatives. We note 
that nothing in the Prior Authorization API proposal we are finalizing 
would prohibit providers that are not subject to MIPS or the Medicare 
Promoting Interoperability Program from using the API for electronic 
prior authorization as well. Where permitted under applicable law and 
relevant program requirements, we encourage providers who are not 
included in these programs to leverage the Prior Authorization APIs to 
gain the intended benefits, such as improving efficiency and reducing 
the administrative burden of prior authorization processes. We agree 
that requiring impacted payers to build the APIs would not lead to 
broad adoption. However, we believe that establishing the Electronic 
Prior Authorization measure under both MIPS and the Medicare Promoting 
Interoperability Program will help promote the implementation and use 
of the Prior Authorization API by MIPS eligible clinicians, eligible 
hospitals, and CAHs. In order for the industry to realize the 
efficiencies of the Prior Authorization API and achieve the goals set 
forth in this final rule, it is essential that both impacted payers and 
providers adopt and use a Prior Authorization API.
    Comment: Multiple commenters opposed adoption of the proposed 
Electronic Prior Authorization measure stating that the measure would 
be inefficient and burdensome, citing challenges with additional 
workflow requirements, increased provider burden, and financial burden. 
A commenter stated that it would potentially leave providers unfairly 
penalized. Several commenters noted that the burden of reporting 
outweighs the benefits of use and that hospital IT resources are 
already overloaded and limited. Other commenters noted that mandating 
the Electronic Prior Authorization measure could further increase 
provider burden and detract from patient care, directing MIPS eligible 
clinicians, eligible hospitals, and CAHs' attention away from patients. 
A commenter stated that the Electronic Prior Authorization measure 
proposal is unlikely to provide significant relief to providers (that 
is, MIPS eligible clinicians, eligible hospitals, and CAHs). Another 
commenter stated that payers should compensate providers fairly for the 
cost of each prior authorization for the implementation of costly and 
burdensome electronic prior authorization requirements. This commenter 
stated that each prior authorization is a net financial loss for 
practices. Another commenter recommended that the Electronic Prior 
Authorization measure should remain optional until a time when the 
benefit, both monetarily and in reduced administrative burden, can be 
quantified for a calculated return on investment.
    Response: We appreciate the feedback provided by commenters and 
note that we believe the benefit of the Prior Authorization API will 
outweigh the burden of implementation. We refer readers to the 
Collection of Information (COI) requirements in section III. of this 
final rule regarding burden and the regulatory impact analysis (RIA) we 
conducted in section IV. of this final rule for the additional 
information on the cost calculations of this Electronic Prior 
Authorization measure for MIPS eligible clinicians reporting for the 
MIPS Promoting Interoperability performance category and for eligible 
hospitals and CAHs reporting for the Medicare Promoting 
Interoperability Program. We acknowledge that there is an initial 
implementation and data collection burden associated with the 
Electronic Prior Authorization measure. However, we believe that the 
benefits of using an electronic prior authorization process outweigh 
the burdensome manual process used today. We believe that making the 
prior authorization process electronic will improve the time and burden 
associated with the current process, allowing providers to put time 
back into direct patient care, and ultimately will reduce provider 
burnout. We emphasize that we are implementing requirements for both 
impacted payers and providers (that is, MIPS eligible clinicians, 
eligible hospitals, and CAHs) to help streamline the prior 
authorization process because both payers and providers have a role to 
play in this process and the solution cannot be one-sided. As discussed 
further in this section, in order to address concerns regarding the 
burden of the Electronic Prior Authorization measure on MIPS eligible 
clinicians, eligible hospitals, and CAHs, we are modifying the measure 
to be an attestation (yes/no) measure rather than a numerator and 
denominator measure. Therefore, data collection to report a numerator 
and denominator for the Electronic Prior Authorization measure is no 
longer required.
    Comment: A commenter cautioned that the Electronic Prior 
Authorization measure for the MIPS Promoting Interoperability 
performance category would reflect data regarding a different 
population than other MIPS measures, stating that other measures in 
MIPS are designed to capture information about the Medicare beneficiary 
population specifically. The commenter stated that this would make 
these measures difficult to compare. Another commenter stated that the 
Electronic Prior Authorization measure proposed for the MIPS Promoting 
Interoperability performance category does not apply to Medicare FFS, 
which results in misalignment.
    Response: We thank the commenters for their feedback. First, we 
disagree that the Electronic Prior Authorization measure will reflect 
data regarding a different population than other MIPS measures. We note 
that all of the MIPS Promoting Interoperability performance category 
measures are based on using CEHRT, utilizing data that are captured in 
the CEHRT, and require submission of applicable data, regardless of 
payer. The Electronic Prior Authorization measure is consistent with 
other measures reported under the MIPS Promoting Interoperability 
performance category.
    Second, although Medicare FFS is not an impacted payer, we refer 
readers to section I.D.1. of this final rule where we discuss CMS's 
intent to align Medicare FFS to the requirements of this final rule, as 
applicable. Although, generally, the policies in this final rule do not 
directly pertain to Medicare FFS, we want to ensure that Medicare 
beneficiaries, as well as other individuals, can benefit from these 
policies, regardless of their coverage, delivery system, or payer.
    Comment: A commenter stated that, if CMS does move forward with the 
proposed Electronic Prior Authorization measure for the MIPS Promoting 
Interoperability performance category, CMS should consider exempting 
small, rural, and underserved practices from reporting the Electronic 
Prior Authorization measure, which would redistribute the Promoting 
Interoperability performance category's weight to other performance 
categories. A few commenters suggested that the inclusion of the 
Electronic Prior Authorization measure would have a disproportionately 
adverse effect on small business entities, federally recognized 
American Indian and Alaska Native-Tribal communities, psychiatric 
practices, and other specialties and could contribute to the electronic 
divide.
    Response: We thank commenters for their feedback and would like to 
note that there are a number of situations in which MIPS eligible 
clinicians may qualify for reweighting of the MIPS Promoting 
Interoperability performance category. This includes policies 
implemented in our regulations at 42 CFR part 414, subpart O, including 
42

[[Page 8913]]

CFR 414.1380(c)(2), if they have a special status (defined at 42 CFR 
414.1305), are a qualifying clinician type, or have a CMS-approved 
significant hardship or other exception application. For example, MIPS 
eligible clinicians in small practices (fifteen or fewer MIPS eligible 
clinicians) may have the MIPS Promoting Interoperability performance 
category reassigned a weight of zero percent automatically in the event 
the MIPS eligible clinician in a small practice (as verified by CMS on 
an annual basis) does not submit any data for any of the measures in 
that category as provided at 42 CFR 414.1380(c)(2)(i)(C)(9), and 
therefore would not be required to meet the MIPS Promoting 
Interoperability performance category's requirements including 
reporting on this Electronic Prior Authorization measure (86 FR 65485-
65487). If the MIPS Promoting Interoperability performance category is 
reweighted to zero percent as provided at 42 CFR 414.1380(c)(2)(i), the 
category's 25 percent weight will be redistributed to the remaining 
MIPS performance categories in accordance with 42 CFR 
414.1380(c)(2)(ii).
    Comment: Multiple commenters opposed the proposed addition of the 
Electronic Prior Authorization measure. Commenters believed that the 
finalization of the Electronic Prior Authorization measure would not be 
necessary because MIPS eligible clinicians, eligible hospitals, and 
CAHs would be prompted to voluntarily adopt and use the Prior 
Authorization API if the API achieves the goal of streamlining the 
prior authorization process, which likely would reduce provider burden, 
improve prior authorization processing time, and enable more timely 
access to care. Multiple commenters expressed that they do not believe 
that the proposed Electronic Prior Authorization measure would address 
concerns about low provider utilization of APIs, especially for small, 
rural providers, due to cost, limited bandwidth, and lack of dedicated 
health IT staff. A commenter expressed that they do not believe that 
the inclusion of the Electronic Prior Authorization measure would be a 
sufficient incentive for MIPS eligible clinicians, eligible hospitals, 
and CAHs to overcome the costs associated with the transaction. Some 
commenters stated that, as electronic prior authorization becomes more 
common and affordable, providers would be incentivized to adopt this 
process, which promises to free up resources and allow providers to 
spend more time on patient care. A commenter stated that providers will 
be naturally incentivized to engage in electronic prior authorization 
processes if the processes lower costs, carry a minimal burden, do not 
cause unreasonable delays in care, and lead to care that is in their 
patients' best interests. Another commenter stated that the proposal to 
add a measure on conducting electronic prior authorization for items or 
services using the Prior Authorization API is not sufficient to 
encourage robust use of the Prior Authorization API by providers and 
stated that the proposals will be a one-sided mandate on impacted 
payers.
    Response: We appreciate the commenters' feedback and are glad to 
hear that providers likely would be naturally incentivized and prompted 
to voluntarily adopt and use the Prior Authorization API if the API 
achieves the goal of streamlining the prior authorization process, 
which we believe it will. However, based on experience with adoption of 
other similar new EHR technology, we believe there needs to be an 
initial drive to encourage all parties involved (payers and providers) 
to develop, implement, and use the new Prior Authorization API to 
support widespread adoption, thus reaping the benefits of burden 
reduction through the electronic prior authorization processes. We 
understand and agree that the Electronic Prior Authorization measure 
itself may not be enough to address concerns about low provider 
utilization of APIs, particularly for small and rural providers. 
However, we believe the improvement and benefits in the prior 
authorization processes resulting from using the Prior Authorization 
API, specifically, may encourage such providers to adopt the API to 
help streamline existing paper-based or portal-based processes.
    We acknowledge that small, rural providers may have limited 
bandwidth and fewer dedicated IT staff. We note that implementing an 
electronic prior authorization process could free up resources and 
allow providers to spend more time on patient care, which can be a 
challenge for small, rural providers. We also note that MIPS eligible 
clinicians in small practices (fifteen or fewer MIPS eligible 
clinicians) may have the MIPS Promoting Interoperability performance 
category reassigned a weight of zero percent automatically in the event 
the MIPS eligible clinician in a small practice (as verified by CMS on 
an annual basis) does not submit any data for any of the measures in 
that category as provided at 42 CFR 414.1380(c)(2)(i)(C)(9), and 
therefore would not be required to meet the category's requirements 
including reporting on this Electronic Prior Authorization measure (86 
FR 65485-65487). We believe that using electronic prior authorization 
processes will benefit small, rural providers, and small practices in 
underserved communities who are able to implement and maintain the 
Prior Authorization API in their processes with by saving time, faster 
turnaround on prior authorization requests, and, in turn, improved 
patient satisfaction.
    Comment: A commenter requested that CMS calculate the additional 
cost of compliance with the MIPS requirements generally and consider 
what benefit MIPS reporting offers when practices already have a great 
interest in lowering their expenses related to prior authorization.
    Response: We appreciate the commenter's feedback regarding cost of 
the Electronic Prior Authorization measure and refer readers to the RIA 
we conducted in section IV. of this final rule for the additional 
information on the cost calculations of this Electronic Prior 
Authorization measure for MIPS eligible clinicians reporting for the 
MIPS Promoting Interoperability performance category and for hospitals 
and CAHs reporting for the Medicare Promoting Interoperability Program. 
We note that the cost of compliance and benefits of reporting for MIPS 
as a whole are outside the scope of this rule. We will continue to 
evaluate use of the Prior Authorization API and assess whether the 
Electronic Prior Authorization measure has achieved its goal of 
promoting widespread Prior Authorization API adoption.
    Comment: Multiple commenters acknowledged that the proposed 
Electronic Prior Authorization measure is not directed toward the 
impacted payers. A commenter stated that CMS should collect prior 
authorization data from payers to measure their performance rather than 
from providers. Another commenter noted that the electronic prior 
authorization proposal does not assess any financial costs against 
payers to discourage their overuse of prior authorizations.
    Response: We thank the commenters for their feedback and 
acknowledge that this Electronic Prior Authorization measure is not 
intended to incentivize payers to use the Prior Authorization API. For 
more information about the Prior Authorization API requirements for 
payers, we refer readers to section II.D. of this final rule.
    To reiterate, the success of the Prior Authorization API is 
dependent upon both payers and providers using the Prior Authorization 
API. We want to stress the importance of both payers and providers 
using the Prior Authorization

[[Page 8914]]

API to ensure that all parties can experience the maximum benefits of 
engaging in the electronic prior authorization process. Thus, we 
recognize the importance of not only requiring impacted payers to 
build, implement, and maintain the API, but also to drive MIPS eligible 
clinicians, eligible hospitals, and CAHs to use it.
    We agree that collecting prior authorization data from payers is 
important and provides accountability for using prior authorization 
processes. As such, we are finalizing our proposal to require payers to 
publicly report certain prior authorization metrics. We refer readers 
to section II.D. of this final rule for further information on these 
requirements for impacted payers.
    We note that prior authorization is an established administrative 
process used by payers to help control costs and ensure payment 
accuracy by verifying that an item or service is medically necessary, 
meets coverage criteria, and is consistent with standards of care 
before the item or service is provided. The policies we are finalizing 
are not intended to discourage the use of prior authorization, nor do 
they impose direct financial repercussions for using prior 
authorization by payers. The policies we are finalizing in this final 
rule are intended to streamline the existing prior authorization 
process.
    Comment: Multiple commenters noted that the adoption of the 
Electronic Prior Authorization measure contradicts CMS's goal of 
reducing provider burden and urged CMS not to replace one type of 
administrative burden with another. Another commenter cautioned that 
the proposed Electronic Prior Authorization measure is not suitable for 
a quality improvement program given that the focus is on technological 
capability. A commenter stated that measures related to prior 
authorization conflict with the goal of MIPS to improve quality of 
health care, stating there is no evidence to indicate that prior 
authorization improves outcomes.
    Response: We disagree that the Electronic Prior Authorization 
measure conflicts with our goals and believe the policies we are 
finalizing in this rule are necessary to support a more efficient prior 
authorization process in the future. We believe this measure is 
entirely suitable for MIPS since the goal of MIPS is to provide 
financial incentives to clinicians that provide high-value and high-
quality care to Medicare patients. MIPS supports care improvements by 
focusing on better patient outcomes and decreasing clinician burden. We 
believe that electronic prior authorization aligns with these goals, as 
it streamlines a historically burdensome process to allow providers to 
spend more time focused on improving patient outcomes instead of 
administratively burdensome processes.
    We also believe that the Electronic Prior Authorization measure 
fits within the goals of the Medicare Promoting Interoperability 
Program and the MIPS Promoting Interoperability performance category by 
enhancing the meaningful use of CEHRT. For the MIPS Promoting 
Interoperability performance category, section 1848(q)(2)(B)(iv) of the 
Act requires MIPS eligible clinicians to report on specified measures 
and activities demonstrating that they meet the requirements 
established under section 1848(o)(2) of the Act for determining whether 
the MIPS eligible clinician is a meaningful EHR user. For the Medicare 
Promoting Interoperability Program, section 1886(n) of the Act 
similarly requires eligible hospitals and CAHs to demonstrate that they 
meet requirements established under section 1886(n)(3)(A) (which align 
with section 1848(o)(2)(A) of the Act) for determining whether the 
eligible hospital or CAH is a meaningful EHR user. Electronic exchange 
of information to improve health care and care coordination is a 
central statutory requirement for both the Medicare Promoting 
Interoperability Program and the MIPS Promoting Interoperability 
performance category.
    We proposed this measure under sections 1848(o)(2)(A)(ii) and 
1886(n)(3)(A)(ii) of the Act for MIPS and the Medicare Promoting 
Interoperability Program, respectively, because we believed, and 
continue to believe, this measure will further enable the electronic 
exchange of health information to improve the quality of health care 
(87 FR 76312). More specifically, we believe the proposed Electronic 
Prior Authorization measure, which we are finalizing with 
modifications, is fundamental to determining whether a MIPS eligible 
clinician, eligible hospital, or CAH meets criterion two of being a 
meaningful EHR user: demonstrating that their CEHRT is connected in a 
manner that provides for the electronic exchange of health information 
to improve the quality of health care, such as promoting care 
coordination (sections 1848(o)(2)(A)(ii) and 1886(n)(3)(A)(ii) of the 
Act). We believe the Electronic Prior Authorization measure is another 
means by which MIPS eligible clinicians, eligible hospitals, and CAHs, 
can use their health IT to timely and efficiently share key health 
information with payers to obtain prior authorizations promptly and 
thereby provide necessary health care to their patients expeditiously. 
Therefore, we believe the Electronic Prior Authorization measure does 
meet the intended goal of these programs to promote interoperability 
and electronically exchange health information.
    Comment: Multiple commenters opposed the Electronic Prior 
Authorization measure stating that prior authorizations are a harmful 
practice that result in delays and denials of necessary care which can 
worsen a patient's condition. Several commenters shared concerns about 
payer prior authorization policies themselves. A commenter stated that 
prior authorizations lower the costs for payers but raise the overall 
cost of care by delaying care and shifting costs to providers and 
patients, thus worsening clinical outcomes which necessitates the 
escalation of more expensive care.
    Response: We would like to thank commenters for their feedback 
regarding payers' prior authorization processes and the burden placed 
on patients and providers. We understand that some commenters expressed 
concerns about prior authorization itself, regardless of whether it 
could be completed electronically, and whether or not these existing 
prior authorization requirements support improved outcomes. We note 
that the existence and use of prior authorization processes is outside 
the scope of this rule. Our policies are limited to streamlining this 
already existing process.
    The policies we are finalizing in this rule are not intended to 
encourage or discourage the prior authorization requirements that 
payers already have; these policies are intended to increase the 
efficiency of these existing requirements and processes by encouraging 
use of electronic methods. We understand that the existing prior 
authorization process can be burdensome, and thus believe the policies 
we are finalizing in this rule are necessary to support a more 
efficient prior authorization process in the future.
    We received many comments on the December 2020 CMS Interoperability 
proposed rule, which has since been withdrawn, and in response to the 
CMS Interoperability and Prior Authorization proposed rule that 
indicated that prior authorization processes could be improved by 
electronic, interoperable data exchange. Those comments have informed 
the policies we are finalizing in this rule.
    Comment: Multiple commenters stated that the Electronic Prior 
Authorization measure should not penalize LTCHs and Inpatient 
Rehabilitation Facilities (IRFs) for

[[Page 8915]]

failing to use EHRs. Another commenter expressed that practices have 
many different technical and infrastructure capabilities; therefore, 
they recommended that CMS consider ways to further engage and support 
all provider types--especially safety-net, small/independent, and/or 
rural health providers--to adopt and use the Prior Authorization API. 
The commenter continued by stating that they are concerned that these 
providers are at risk of being left behind. Likewise, the commenter 
stated that CMS should also explore ways to expand provider incentives 
to reach broadly across the health care system to encourage widespread 
adoption of the Prior Authorization API. Another commenter recommended 
that CMS include all health care providers as recipients of the 
benefits of the final rule, whether they are recipients of Meaningful 
Use dollars or are participants in MIPS. The commenter continued by 
providing a possible scenario in which payers further delay decisions 
of excluded providers in favor of meeting the requirements for 
providers included under the provisions of the rule.
    Response: We note that LTCHs and IRFs are not included in the 
definition of an eligible hospital or CAH (42 CFR 495.4 definitions, 75 
FR 44327) and therefore would not be required to report the Electronic 
Prior Authorization measure under the Medicare Promoting 
Interoperability Program.\161\ We also understand that different 
practices have different technical and infrastructure capabilities. To 
the extent that these facilities or any provider type ordering items or 
services requiring prior authorizations have access to appropriate 
health IT and the Prior Authorization API and are otherwise permitted 
to use the Prior Authorization API, we encourage them to use this 
technology for their own benefit. Our proposals for the Prior 
Authorization API technology and functionality do not limit its use to 
participants under the MIPS Promoting Interoperability performance 
category and the Medicare Promoting Interoperability Program. We will 
continue to look for ways to encourage API implementation uptake and 
ways to incentivize the adoption of electronic prior authorization 
across additional programs and provider types, especially safety-net, 
small/independent, and rural health providers.
---------------------------------------------------------------------------

    \161\ Centers for Medicare and Medicaid Services (2023, 
September 6). Medicare Promoting Interoperability Program: 
Eligibility Hospital Information. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Eligibility-#BOOKMARK2.
---------------------------------------------------------------------------

    Additionally, we appreciate the comment regarding possible 
scenarios in which impacted payers further delay decisions on prior 
authorizations from providers not participating in MIPS or the Medicare 
Promoting Interoperability Program or not using the Prior Authorization 
API. However, to mitigate this, we are finalizing certain prior 
authorization decision timeframes for all impacted payers. We refer 
readers to section II.D. of this final rule for more information on the 
prior authorization decision timeframe provisions.
    Comment: A commenter suggested that instead of developing the 
Electronic Prior Authorization measure, CMS should engage in stringent 
oversight to ensure that impacted payers are not only developing and 
implementing a Prior Authorization API but are also implementing all of 
the provisions of this final rule. The commenter also suggested that 
CMS should release additional information on how it will enforce the 
proposed requirements contained in the CMS Interoperability and Prior 
Authorization proposed rule to ensure compliance.
    Response: As explained in the proposed rule, and in the CMS 
Interoperability and Patient Access final rule, each program oversees 
compliance under existing program authorities and responsibilities. 
These compliance processes vary among programs and may have different 
implications based on a payer's status in the program, previous 
compliance actions, and corrective action. Patients and providers 
should submit an inquiry or complaint to the appropriate program, 
depending on their coverage as described in section I.D.2. of this 
final rule. Compliance questions or complaints about compliance may be 
sent to the respective program contact at the website or email address 
provided there. Compliance will be tracked through specific methods 
managed by the programs. While these compliance efforts will help payer 
compliance, as we have stated repeatedly throughout this section, it is 
imperative that both payers and providers come together to use the 
Prior Authorization API to ensure that all parties can experience the 
maximum benefits of engaging in the electronic prior authorization 
process. Thus, we recognize the importance of not only requiring 
impacted payers to build the Prior Authorization API, but also to 
incentivize MIPS eligible clinicians, eligible hospitals, and CAHs to 
use it through the finalization of this Electronic Prior Authorization 
measure.
    Comment: A commenter stated that CMS lacks a legitimate 
justification for imposing the new Electronic Prior Authorization 
measure, as it does not align with the legal requirements under section 
1848(q) of the Act. The commenter sought clarification on how the 
proposed measure complies with the governing regulations.
    Response: We have authority under section 1848(q)(2)(A)(iv) and 
(B)(iv) of the Act, which requires that we assess MIPS eligible 
clinicians' performance with respect to their meaningful use of CEHRT 
in accordance with the requirements established in section 1848(o)(2) 
of the Act. We also have authority under section 1848(q)(2)(B)(iv) of 
the Act to create new measures under the MIPS Promoting 
Interoperability performance category as well as for determining 
whether an eligible professional is a meaningful EHR user in accordance 
with the requirements established in section 1848(o)(2) of the Act. 
Connecting to the API technology identified in the Electronic Prior 
Authorization measure helps to facilitate bi-directional data exchange 
electronically and can significantly reduce the burden associated with 
the prior authorization processes for providers using data from CEHRT 
when accessing the Prior Authorization API. This type of function 
demonstrates meaningful use of CEHRT and is therefore appropriate in 
assessing whether a MIPS eligible clinician is a meaningful EHR user 
under section 1848(o)(2)(A) of the Act.
    Comment: A commenter requested that CMS use its authority to permit 
payers to include quality measures tied to use of the APIs in the 
provider contracts.
    Response: We appreciate the commenter's recommendation. However, we 
leave this decision--whether payers require measures like this for 
their providers and how they work with their providers on using the 
Prior Authorization API--up to the discretion of the payers.
a. Measure Specifications
    In the proposed rule (87 FR 76313), we proposed the following 
specifications for the Electronic Prior Authorization measure: \162\
---------------------------------------------------------------------------

    \162\ In the proposed rule, we used the term ``Prior 
Authorization Requirements, Documentation, and Decision API (PARDD 
API).'' For simplicity, we are finalizing the name of that API as 
simply the ``Prior Authorization API.''

---------------------------------------------------------------------------

[[Page 8916]]

1. For MIPS Eligible Clinicians Under the MIPS Promoting 
Interoperability Performance Category--Electronic Prior Authorization
     Measure Description: For at least one medical item or 
service (excluding drugs) ordered by the MIPS eligible clinician during 
the performance period, the prior authorization is requested 
electronically from a Prior Authorization API using data from CEHRT.
    The MIPS eligible clinician would be required to report a numerator 
and denominator for the measure or (if applicable) report an exclusion:
     Denominator: The number of unique prior authorizations 
requested for medical items and services (excluding drugs) ordered by 
the MIPS eligible clinician during the performance period, excluding 
prior authorizations that cannot be requested using the Prior 
Authorization API because the payer does not offer an API that meets 
the Prior Authorization API requirements outlined in section II.D.3.a. 
of the CMS Interoperability and Prior Authorization proposed rule.
     Numerator: The number of unique prior authorizations in 
the denominator that are requested electronically from a Prior 
Authorization API using data from CEHRT.
     Exclusion: Any MIPS eligible clinician who:
    (1) Does not order any medical items or services (excluding drugs) 
requiring prior authorization during the applicable performance period; 
or
    (2) Only orders medical items or services (excluding drugs) 
requiring prior authorization from a payer that does not offer an API 
that meets the Prior Authorization API requirements outlined in section 
II.D.3.a. of the CMS Interoperability and Prior Authorization proposed 
rule during the applicable performance period.
2. For Eligible Hospitals and Critical Access Hospitals Under the 
Medicare Promoting Interoperability Program--Electronic Prior 
Authorization
     Measure Description: For at least one hospital discharge 
and medical item or service (excluding drugs) ordered during the EHR 
reporting period, the prior authorization is requested electronically 
via a Prior Authorization API using data from CEHRT.
    The eligible hospital or CAH would be required to report a 
numerator and denominator for the measure or (if applicable) report an 
exclusion:
     Denominator: The number of unique prior authorizations 
requested for medical items and services (excluding drugs) ordered for 
patients discharged from the eligible hospital or CAH inpatient or 
emergency department (POS code 21 or 23) during the EHR reporting 
period, excluding prior authorizations that cannot be requested using 
the Prior Authorization API because the payer does not offer an API 
that meets the Prior Authorization API requirements outlined in section 
II.D.3.a. of the proposed rule.
     Numerator: The number of unique prior authorizations in 
the denominator that are requested electronically from a Prior 
Authorization API using data from CEHRT.
     Exclusions: Any eligible hospital or CAH that--
    ++ Does not order any medical items or services (excluding drugs) 
requiring prior authorization during the applicable EHR reporting; or
    ++ Only orders medical items or services (excluding drugs) 
requiring prior authorization from a payer that does not offer an API 
that meets the Prior Authorization API requirements outlined in section 
II.D.3.a. of the proposed rule during the applicable EHR reporting 
period.
    Comment: Multiple commenters expressed support for CMS's proposal 
regarding the proposed Electronic Prior Authorization measure's 
numerator and denominator criteria. Specifically, a commenter agreed 
with the numerator being the number of unique prior authorizations that 
are requested electronically via a Prior Authorization API using data 
from CEHRT if the Electronic Prior Authorization measure includes 
electronic prior authorizations from commercial payers. A commenter 
recommended that CMS ask for the percentage of prior authorization 
requests that are not being completed through the Prior Authorization 
API. Another commenter supported CMS's proposal to include prior 
authorization requests that are made using fax, mail, or portal in the 
denominator of the Electronic Prior Authorization measure unless the 
prior authorization cannot be requested using the Prior Authorization 
API because the payer does not offer an API that meets the Prior 
Authorization API requirements, in which case it would be excluded from 
the denominator. A commenter expressed support for CMS progressing the 
proposed Electronic Prior Authorization measure to a performance-based 
measure in future years.
    Response: We thank the commenters for their feedback and appreciate 
their support for the numerator and denominator criteria for the 
Electronic Prior Authorization measure for the MIPS Promoting 
Interoperability performance category and the Medicare Promoting 
Interoperability Program. We agree that requiring participants to 
report a numerator and denominator for the measure would ultimately 
give us the most insight into the degree of adoption and use of the 
Prior Authorization API. However, after consideration of comments 
received, and as discussed in more detail later in this section, we are 
modifying the specifications of the Electronic Prior Authorization 
measure to require an attestation (yes/no), in lieu of reporting data 
for a numerator and denominator as proposed, for this measure beginning 
with the CY 2027 performance period/2029 MIPS payment year for MIPS and 
the CY 2027 EHR reporting period for the Medicare Promoting 
Interoperability Program.
    Comment: A commenter suggested that CMS explore different 
mechanisms for tracking electronic prior authorization requests. A few 
commenters also noted that tracking these data elements should be the 
responsibility of payers, as they would have this information more 
easily accessible. Another commenter stated that CMS needs to determine 
an approach to measure the usage of electronic prior authorization 
tools that does not require collecting information about the 
availability of corresponding APIs or functionality. Another commenter 
stated that measuring the success of these policies should not be 
punitive for providers and that the metrics of success should exist for 
all stakeholders. Multiple commenters urged CMS to work with the 
provider community, as well as other stakeholders, on various aspects 
of the Electronic Prior Authorization measure as well as other prior 
authorization reforms to identify ways to incentivize provider uptake 
without creating unnecessary provider burden and determine how to 
engage providers in the testing and development of the proposed 
Electronic Prior Authorization measure. Another commenter noted that 
the technology supporting electronic prior authorization must be widely 
available and demonstrated to be effectively integrated into EHR 
workflows through real-world testing prior to requiring MIPS eligible 
clinicians, eligible hospitals, and CAHs to report on use of the Prior 
Authorization API for the Electronic Prior Authorization measure. A 
commenter suggested that CMS should require payers to provide these 
data on electronic prior authorization, rather than place increasing 
demands on providers.

[[Page 8917]]

    Response: We thank the commenters for their recommendations. We 
will consider exploring additional mechanisms for tracking electronic 
prior authorization requests in future rulemaking. We believe that 
tracking the use of electronic prior authorization processes by 
impacted payers and providers (that is, MIPS eligible clinicians, 
eligible hospitals, and CAHs) is important to ensure widespread 
implementation and use of the Prior Authorization API by both user 
groups. In this context, we view the Electronic Prior Authorization 
measure not merely as a way to track performance or success. Instead, 
we view this measure as a way for MIPS eligible clinicians, eligible 
hospitals, and CAHs to adopt and use the electronic Prior Authorization 
APIs implemented by payers. As we have noted previously, payers 
impacted by this rule are required to implement and maintain the Prior 
Authorization API. To fully recognize the benefits and efficiencies of 
payer implementation of this API, we need to encourage providers to use 
said API to complete prior authorization requests. While we are 
encouraged by commenters' statements that the benefits of the Prior 
Authorization API are enough to encourage providers to use it, we also 
believe that accessing this API using data from CEHRT demonstrates 
meaningful use of CEHRT that can improve patient care under sections 
1848(o)(2)(A) and 1886(n)(3)(A) of the Act, and thus believe this 
measure is appropriate to incentivize providers to adopt and use this 
technology. We refer readers to section II.D. of this rule where we 
discuss in further detail the metrics impacted payers will be required 
to report on electronic prior authorizations.
    We note that we do not currently use established workgroups to test 
and develop measures for the Medicare Promoting Interoperability 
Program or the MIPS Promoting Interoperability performance category 
outside of our annual call for measures.\163\ We do work with members 
of the provider community in HL7 workgroups to obtain their feedback 
during the development and testing phases of the IGs that support the 
Prior Authorization API, as well as during discussions around technical 
workflow. We encourage providers to engage in the HL7 FHIR workgroup 
meetings to get involved in the standards development and 
implementation discussions for specific use cases. The IGs are also 
tested during Connectathons and throughout the IG development lifecycle 
and refined based on testing and implementation feedback. We have also 
previously reviewed public comments received on the Reducing Burden and 
Improving Electronic Information Exchange of Prior Authorizations RFI 
(85 FR 82639) and December 2020 CMS Interoperability proposed rule (85 
FR 82586) regarding ways in which we could incentivize and encourage 
provider use of the electronic Prior Authorization API and used that 
feedback to develop our policies outlined in this final rule.
---------------------------------------------------------------------------

    \163\ Centers for Medicare and Medicaid Services. (2023, 
September 6). Annual Call For Measures. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/CallForMeasures.
---------------------------------------------------------------------------

    Comment: Multiple commenters expressed their disapproval of the 
proposed Electronic Prior Authorization measure's numerator and 
denominator criteria. Numerous commenters stated that the Electronic 
Prior Authorization measure as proposed would create significant data 
collection and reporting burden on MIPS eligible clinicians, eligible 
hospitals, CAHs, and support staff. Many commenters specifically 
identified the excessive burden with calculating the denominator. 
Multiple commenters expressed concern regarding identifying which prior 
authorization requests meet the denominator requirements of the 
proposed Electronic Prior Authorization measure (for example, which 
payers offer a Prior Authorization API or how a provider will be able 
to determine the number of prior authorization requests that should be 
counted in the denominator) making this measure particularly 
burdensome, contributing to provider burnout, and causing further 
delays in care. A commenter sought clarification on whether CMS is 
considering alternatives to the proposed numerator and denominator 
measure criteria and requested changes to these specifications that 
would reduce the implementation burden for both providers and health IT 
developers.
    Some commenters expressed concern regarding compliance and 
documentation for the proposed Electronic Prior Authorization measure. 
Commenters stated that providers submit prior authorizations in a 
variety of modalities and noted it will be hard to track all prior 
authorizations submitted. Other commenters expressed similar concerns 
given that data surrounding prior authorizations are captured outside 
of an EHR, which would make the data collection process extremely 
burdensome.
    Several commenters urged CMS not to implement the Electronic Prior 
Authorization measure as proposed due to these concerns or consider 
ways the measure could be implemented without increasing provider 
burden. A commenter recommended that CMS continue to evaluate the 
numerator and denominator proposals and adjust the requirements based 
on real-world testing. Another commenter questioned why CMS would 
create a numerator/denominator measure that is not automatically 
calculated by EHRs. The commenter continued by stating that several EHR 
vendors will likely not have the capability to assist in tracking prior 
authorization requests for reporting purposes. Another commenter 
disagreed with the proposed measure criteria to collect information on 
the total number of prior authorization requests submitted by the Prior 
Authorization API versus other request methods given that collecting 
these data does nothing to improve patient clinical outcomes. 
Therefore, multiple commenters recommended that CMS should use an 
attestation (yes/no) measure and remove the proposed numerator/
denominator criteria.
    Response: We appreciate the commenters sharing their concerns 
regarding the burden associated with calculating a numerator and 
denominator as proposed for the Electronic Prior Authorization measure. 
Generally, we proposed that to report these measures, MIPS eligible 
clinicians, eligible hospitals, and CAHs must use data from their CEHRT 
to request prior authorization from a payer for at least one medical 
item or service (excluding drugs), and, for eligible hospitals and 
CAHs, one hospital discharge and medical item or service that they 
ordered via the Prior Authorization API (87 FR 76313). However, we 
recognize that the challenge of consistently calculating a numerator 
and denominator for these proposed measures across providers increases 
if providers are accessing the Prior Authorization API in different 
ways. We further recognize that it would be challenging for MIPS 
eligible clinicians, eligible hospitals, and CAHs to report a numerator 
and denominator for these measures as we proposed until such time as 
the ONC Health IT Certification Program establishes health IT 
certification criteria to support standardized exchange via the Prior 
Authorization API and adopts updated certification criteria supporting 
numerator and denominator calculation.
    We acknowledge that modifying the Electronic Prior Authorization 
measure to be attestation-based would substantially reduce the 
reporting burden placed on MIPS eligible clinicians, eligible 
hospitals, and CAHs.

[[Page 8918]]

With an attestation-based yes/no measure, those providers would be 
required to report a yes/no response, rather than a numerator and 
denominator, to indicate whether they used a Prior Authorization API to 
submit at least one electronic prior authorization during the 
applicable performance period/MIPS payment year or EHR reporting 
period. After consideration of this feedback, and as discussed in more 
detail later in this section, we are modifying the Electronic Prior 
Authorization measure to be an attestation measure, meaning that MIPS 
eligible clinicians, eligible hospitals, and CAHs will report a yes/no 
response for the measure. We will continue to explore ways to move 
toward numerator and denominator reporting for future years of the 
measure, particularly should ONC Health IT Certification Program 
criteria be made available to support certification of EHRs to the 
capability associated with tracking prior authorizations requested 
electronically via the Prior Authorization API using data from CEHRT.
    Comment: A commenter stated that the Electronic Prior Authorization 
measure should not be restricted only to items and services but should 
also include drugs to provide consistency across prior authorization 
needs.
    Response: As discussed earlier in this final rule, the Prior 
Authorization API requirements we have finalized for impacted payers 
are limited to medical items and services (excluding drugs). Therefore, 
for consistency, we are aligning using the API for the Electronic Prior 
Authorization measure to limit it to evaluating using a Prior 
Authorization API for medical items and services authorization requests 
only. We refer readers to section II.D. for additional information on 
the Prior Authorization API requirements for impacted payers and the 
exclusion of drugs.
    Comment: A commenter stated that industry would need to review and 
endorse the specification criteria prior to requiring the Electronic 
Prior Authorization measure.
    Response: We thank commenters for this suggestion; however, we must 
note that there is no requirement for industry to review or endorse 
measures in either the MIPS Promoting Interoperability performance 
category or the Medicare Promoting Interoperability Program. We welcome 
comments from any interested parties through public comment during 
rulemaking, and also during the annual call for measures for the MIPS 
Promoting Interoperability performance category and the Medicare 
Promoting Interoperability Program, every summer.
    Comment: Multiple commenters expressed concern that MIPS eligible 
clinicians, eligible hospitals, and CAHs will not have the necessary 
health IT to support the Prior Authorization API and therefore will not 
be able to report the proposed Electronic Prior Authorization measure 
by the proposed implementation year of CY 2026. Multiple commenters 
urged CMS to delay mandating the proposed Electronic Prior 
Authorization measure until adequate standards and specifications are 
available to support electronic prior authorization, the Prior 
Authorization API is implemented, and workflow is established. A 
commenter stated that providers should have the flexibility to stage 
their adoption, as recognized in the Electronic Prior Authorization 
measure proposal, to support a smooth transition from the current, 
manual process to a fully electronic workflow. Another commenter 
suggested that CMS needs to provide eligible hospitals with adequate 
time to convert their current processes into an electronic prior 
authorization process prior to implementing the Electronic Prior 
Authorization measure under the Medicare Promoting Interoperability 
Program. The commenter expressed their concern that this transition to 
a new electronic process will allow cases to fall through the cracks.
    Response: We thank the commenters for their feedback. After 
reviewing comments for both the Prior Authorization API and for using 
that API in this Electronic Prior Authorization measure, we 
reconsidered our proposal and agree that provision of additional time 
for implementation would be beneficial. As previously discussed, we 
understand that there may be challenges with the availability of health 
IT to calculate a measure numerator and denominator consistently for 
the Electronic Prior Authorization measures as we originally proposed. 
We also believe the functionality of the Prior Authorization API should 
be in place and used by hospitals and providers prior to requiring a 
numerator and denominator be reported. We will continue to work with 
ONC to explore the adoption of standards and health IT certification 
criteria where appropriate to streamline data exchange, support 
interoperability, and increase efficiencies associated with the 
policies in this final rule. As noted previously, the Unified Agenda, 
current at the time of this final rule's publication, includes an entry 
for a proposed rule from ONC (RIN 0955-AA06). The description indicates 
that that proposed rule aims to advance interoperability, including 
proposals to expand the use of certified APIs for electronic prior 
authorization.\164\
---------------------------------------------------------------------------

    \164\ Office of Information and Regulatory Affairs (2023, 
November). Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability. 
Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    As previously discussed, we are finalizing the Electronic Prior 
Authorization measure with modification, to delay implementation for a 
year later than originally proposed, beginning with CY 2027 performance 
period/2029 MIPS payment year for MIPS eligible clinicians in the MIPS 
Promoting Interoperability performance category, and beginning with the 
CY 2027 EHR reporting period for eligible hospitals and CAHs under the 
Medicare Promoting Interoperability. This modification also aligns with 
the finalized compliance dates in 2027 for the Prior Authorization API. 
Also, as previously discussed, we are finalizing the Electronic Prior 
Authorization measure with modification as an attestation (yes/no) 
measure, instead of requiring reporting of data for a numerator and 
denominator. We believe this modification will minimize data collection 
and reporting burden for this measure.
    Comment: Many commenters recommended that the Electronic Prior 
Authorization measure be an attestation (yes/no) measure to mitigate 
provider burden if CMS moves forward with the proposed measure. Some 
commenters stated that they are not opposed to the Electronic Prior 
Authorization measure and appreciated CMS not scoring it initially. 
However, a commenter noted there may be implementation challenges due 
to eligible hospitals and CAHs still recovering from the PHE and not 
having enough resources to implement. Another commenter suggested that 
the Electronic Prior Authorization measure remain unscored 
indefinitely. The commenter noted that the Prior Authorization API 
still being in the pilot testing phase is an additional challenge. 
Another commenter expressed their appreciation for the implementation 
timeline of the Electronic Prior Authorization measures stating that it 
would allow for technical implementation, provider implementation, and 
education. Multiple commenters were displeased with the proposed 
scoring methodology for the Electronic Prior Authorization measure. 
Multiple commenters recommended that CMS consider making the Electronic 
Prior

[[Page 8919]]

Authorization measure voluntary or award bonus points for the proposed 
Electronic Prior Authorization measure rather than including the 
measure in the composite score. A commenter stated that an attestation 
(yes/no) measure would align the proposed Electronic Prior 
Authorization measure with the other measures within the HIE objective.
    Response: We appreciate the commenters' concerns and 
recommendations on ways to ease burden by making the Electronic Prior 
Authorization measure an attestation (yes/no) measure. We agree and 
acknowledge that it would significantly reduce the reporting burden for 
MIPS eligible clinicians, eligible hospitals, and CAHs if we did not 
require a numerator and denominator to be calculated, and instead 
require only a ``yes'' or ``no'' response be reported to indicate 
whether the Prior Authorization API was used for at least one prior 
authorization during the applicable performance period/MIPS payment 
year or EHR reporting period. After consideration of this feedback, and 
as discussed in more detail elsewhere in this section, we are modifying 
the proposed Electronic Prior Authorization measure to be reported as 
an attestation (yes/no) measure.
    We appreciate the commenters' recommendations for scoring this 
measure, such as not scoring the measure or only assigning bonus 
points. However, we respectfully disagree with these approaches. First, 
we did not propose to score this measure by assigning points (for 
example, between 10 and 30 points for successful completion as provided 
at 42 CFR 414.1380(b)(4)(ii) for MIPS). However, we did propose that a 
MIPS eligible clinician, eligible hospital, or CAH would ``receive a 
zero score for the MIPS Promoting Interoperability performance category 
or the Medicare Promoting Interoperability Program'' if they did not 
``report a numerator of a least one for the measure or claim an 
exclusion'' (87 FR 76313). In other words, we proposed that if a MIPS 
eligible clinician, eligible hospital, or CAH failed to request at 
least one prior authorization electronically via the Prior 
Authorization API using data from their CEHRT, as would be required to 
report a numerator under the originally proposed measure specifications 
(attesting ``no'' to the measure), or claim an applicable exclusion, 
then they would not meet the minimum reporting requirements, not be 
considered a meaningful EHR user, and fail the Medicare Promoting 
Interoperability Program or the Promoting Interoperability performance 
category. A failure in the Medicare Promoting Interoperability Program 
would result in a downward payment adjustment for eligible hospitals or 
CAHs (unless the eligible hospital or CAH receives a hardship 
exception). A failure in the MIPS Promoting Interoperability 
performance category would result in the MIPS eligible clinician 
receiving a score of zero for the performance category, which is 
currently worth 25 percent of their final score for MIPS.
    Second, we clarify our rationale for proposing this scoring policy 
of zero for this measure, which we are finalizing with modification to 
align with the attestation-based measure specifications we are 
finalizing in this section. Fundamentally, a MIPS eligible clinician, 
eligible hospital, or CAH must demonstrate it is a meaningful EHR user 
by meeting three statutory criteria set forth in sections 1848(o)(2)(A) 
and 1886(n)(3)(A) of the Act, to earn a score for the MIPS Promoting 
Interoperability performance category (section 1848(q)(2)(B)(iv) of the 
Act) or avoid a downward payment adjustment for the Medicare Promoting 
Interoperability Program. We proposed this measure under sections 
1848(o)(2)(A)(ii) and 1886(n)(3)(A)(ii) of the Act for MIPS and 
Medicare Promoting Interoperability Program, respectively, because we 
believed, and continue to believe, this measure would further enable 
the electronic exchange of health information to improve the quality of 
health care (87 FR 76312). More specifically, we believe the proposed 
Electronic Prior Authorization measure, which we are finalizing with 
modification, is fundamental to determining whether a MIPS eligible 
clinician, eligible hospital, or CAH meets criterion two of being a 
meaningful EHR user: demonstrating that their CEHRT is connected in a 
manner that provides for the electronic exchange of health information 
to improve the quality of health care, such as promoting care 
coordination (sections 1848(o)(2)(A)(ii) and 1886(n)(3)(A)(ii) of the 
Act). A MIPS eligible clinician, eligible hospital, or CAH using the 
Prior Authorization API to request at least one prior authorization 
electronically for, or claiming an applicable exclusion from, reporting 
this measure, fundamentally demonstrates that they are a meaningful EHR 
user. Therefore, we believe that failure to report the Electronic Prior 
Authorization measure as specified, or to claim an applicable 
exclusion, demonstrates they are not a meaningful EHR user and warrants 
the MIPS eligible clinician, eligible hospital, or CAH receiving a 
score of zero for the MIPS Promoting Interoperability performance 
category or Medicare Promoting Interoperability Program.
    After consideration of public comments we received, we are 
finalizing a modification to our proposal that the Electronic Prior 
Authorization measure will require MIPS eligible clinicians, eligible 
hospitals, and CAHs to report a numerator and denominator, and instead, 
require that MIPS eligible clinicians, eligible hospitals, and CAHs 
attest ``yes'' or ``no'' to having performed at least one electronic 
prior authorization using the Prior Authorization API, or claim an 
applicable exclusion. We are also finalizing that, if a MIPS eligible 
clinician, eligible hospital, or CAH attests ``no'' or fails to claim 
an applicable exclusion for this measure, then they will receive a zero 
score for the MIPS Promoting Interoperability performance category 
(currently worth 25 percent of their final score for MIPS) or fail to 
meet Medicare Promoting Interoperability Program reporting 
requirements. To allow for additional implementation time, we are 
finalizing inclusion of the Electronic Prior Authorization measure in 
the MIPS Promoting Interoperability performance category beginning with 
the CY 2027 performance period/2029 MIPS payment year and in the 
Medicare Promoting Interoperability program beginning with the CY 2027 
EHR reporting period.
    Comment: Some commenters expressed concerns that providers may be 
unfavorably evaluated or unfairly penalized for infrastructure and 
system issues or lack of capabilities and not the providers' 
willingness or desire to conduct electronic prior authorizations. A 
commenter requested clarification on the proposed measure exclusion 
criteria applying only to medical items and services (excluding drugs) 
requiring prior authorization from a payer that does not offer a Prior 
Authorization API, questioning whether this exclusion would lead to 
unintended consequences.
    Response: We recognize that these capabilities may not yet be 
widely adopted in some settings, and that successful implementation of 
these capabilities may vary across providers and systems. We note that 
we are finalizing that the Electronic Prior Authorization measure would 
be reported as an attestation (yes/no) measure, as opposed to the 
proposed numerator and denominator, which should reduce some of the 
initial implementation challenges. We are also finalizing that the 
measure would first be reportable beginning with the CY

[[Page 8920]]

2027 performance period/2029 MIPS payment year and CY 2027 EHR 
reporting period. This delayed implementation will give both providers 
(that is, MIPS eligible clinicians, eligible hospitals, and CAHs) and 
payers time to implement these changes to workflows and establish 
integrations prior to the measure reporting being required.
    We believe electronic prior authorization capabilities represent an 
important investment that will benefit providers, patients, and other 
health care system entities. We note that some payers do not fall under 
the definition of impacted payers in this final rule. Therefore, we are 
finalizing the measure's exclusion criterion (excluding MIPS eligible 
clinicians, eligible hospitals, and CAHs that only order medical items 
or services [excluding drugs] requiring prior authorization from a 
payer that does not offer an API that meets the Prior Authorization API 
requirements finalized in this final rule) because we do not want to 
penalize MIPS eligible clinicians, eligible hospitals, or CAHs for 
ordering medical items or services (excluding drugs) from payers that 
do not have the API functionality for reasons such as not being an 
impacted payer.
    Comment: A commenter stated that they oppose measures that could 
negatively impact a MIPS eligible clinician's score, such as the 
current all-or-nothing scoring methodology used to score the MIPS 
Promoting Interoperability performance category. Another commenter 
stated their belief that the proposed rule lacks detail on how the 
Electronic Prior Authorization measure will be scored and tied into the 
broader scoring of the Medicare Promoting Interoperability Program for 
eligible hospitals and CAHs.
    Response: We note that the overall scoring methodology for MIPS 
Promoting Interoperability performance category is not being changed 
with the addition of the Electronic Prior Authorization measure, nor 
the scoring methodology for the HIE measure itself. As discussed 
previously in this section, we believe that failure to report the 
Electronic Prior Authorization measure as specified, or to claim an 
applicable exclusion, demonstrates that the MIPS eligible clinicians is 
not a meaningful EHR user and warrants the MIPS eligible clinician 
receive a score of zero for the MIPS Promoting Interoperability 
performance category. While we understand that the all-or-nothing 
approach requires MIPS eligible clinicians to report and attest to all 
requirements, we note that requiring the Electronic Prior Authorization 
measure is in alignment with our scoring policies and methodologies. 
Our regulation at 42 CFR 414.1375(b) provides that, to earn a score for 
the MIPS Promoting Interoperability performance category, the MIPS 
eligible clinician must report on objectives and associated measures as 
specified by CMS.
    For additional information on overall MIPS scoring policies and 
MIPS Promoting Interoperability performance category scoring policies, 
we refer readers to our regulations at 42 CFR 414.1375 (governing the 
requirements for the MIPS Promoting Interoperability performance 
category), 42 CFR 414.1380 (governing scoring for MIPS), as well as 
Table 46: Scoring Methodology for the Performance Period in CY 2024 for 
the Promoting Interoperability performance category in the CY 2024 PFS 
final rule (88 FR 52587). For information on the overall scoring 
methodology currently used to calculate MIPS final scores, we refer 
readers to the MIPS Final Score Methodology section in the CY 2024 PFS 
final rule (88 FR 52591).
    To be considered a meaningful EHR user, fulfill the minimum 
reporting requirements, and avoid a downward payment adjustment, the 
Medicare Promoting Interoperability Program requires that eligible 
hospitals and CAHs meet, by reporting on or attesting to, all 
objectives and measures selected by CMS. Failure to meet the minimum 
reporting requirements results in failure of the Medicare Promoting 
Interoperability Program, subjecting the eligible hospital or CAH to a 
downward payment adjustment (unless the eligible hospital or CAH 
receives a hardship exception).
b. Prior Authorization API Functionality
    In the proposed rule (87 FR 76313), we proposed that a prior 
authorization request must be made using the Prior Authorization API to 
satisfy the Electronic Prior Authorization measure. The Prior 
Authorization API functionality is outlined in further detail in 
section II.D.2. of this final rule. We proposed that prior 
authorization requests that are made using fax, mail, or portal would 
be included in the denominator of the measure unless the prior 
authorization cannot be requested using the Prior Authorization API 
because the payer does not offer an API that meets the Prior 
Authorization API requirements, in which case any such prior 
authorization request would be excluded from the denominator. Instances 
where a payer offering the Prior Authorization API specifically 
requests a mailed or faxed prior authorization would be included in the 
denominator. Prior authorization requests that are made using fax, 
mail, or portal would not be included in the numerator of the measure 
because these methods would not incentivize using the standards-based 
API functionality as intended by the measure. Prior authorizations for 
any and all drugs would be excluded from both the numerator and 
denominator of the measure. (For a more detailed discussion of the 
exclusion of drugs, see section I.C. of this final rule.)
    We proposed that only prior authorizations that are requested 
electronically via a Prior Authorization API using data from CEHRT 
would be included in the numerator. Using the API to query 
documentation requirements alone, and not to request the prior 
authorization, would not count in the numerator or denominator.
    To satisfy the Electronic Prior Authorization measure, the health 
care provider uses data from their CEHRT (such as patient demographics 
and medical information) to justify the prior authorization request. 
The Prior Authorization API then automates the HIPAA-compliant prior 
authorization request. Additional information not contained in CEHRT 
may also be required for submission.
    Comment: Multiple commenters urged CMS to delay mandating the 
proposed Electronic Prior Authorization measure until adequate 
standards and specifications are available to support electronic prior 
authorization and until the Prior Authorization API workflow is 
established. A commenter urged CMS to evaluate whether sufficient 
implementation guidance exists to support automating data retrieval 
before moving to require the Electronic Prior Authorization measure in 
future years. Some commenters noted that CMS must ensure that the 
desired standards outlined in the Electronic Prior Authorization 
measure specification are achievable. Another commenter recommended 
that CMS make all IGs required for payers so the burden is not placed 
on providers to figure out something that will be incredibly difficult 
and resource-intensive to do. Another commenter recommended that CMS or 
ONC should issue an IG to ensure there is standardization of 
implementation across payers. The commenter stated that IGs could 
reduce payer variability in the creation of the Prior Authorization 
API. Another commenter sought clarification on how it will be feasible 
for CEHRT to implement an API-based prior authorization functionality 
to support performance measurement if payers are not required to adhere 
to standardized IGs. The commenter stated that for this to occur 
seamlessly CEHRT standards

[[Page 8921]]

would need to be updated appropriately.
    Response: We thank the commenters for sharing their 
recommendations. We are working with HL7, the HL7 FHIR accelerator 
workgroups, and interested parties within the standards development 
industry to move the IGs towards greater maturity by defining technical 
specifications, participating in and convening testing events for them, 
and developing and maintaining the technical specifications. Electronic 
prior authorization using a FHIR API has been implemented and is in 
production, proving sufficient implementation guidance exists. We agree 
that IGs help to ensure standardization of implementation across the 
industry. In section II.G. of this final rule, we outline the required 
standards and technical specifications necessary to build the Prior 
Authorization API and to ensure that implementation is consistent 
across all impacted payers and providers to avoid unnecessary 
duplication of efforts. We have also recommended certain IGs to help 
providers and payers meet that requirement. These IGs are developed 
using a consensus process involving many members of the payer and 
provider communities. They aid in the implementation process of the 
APIs. We anticipate that payers will use the recommended IGs so that 
most, if not all, providers benefit from a standardized approach to 
accessing patient data with all payers with whom they contract. Our 
approach in the proposed rule of recommending, but not requiring, the 
specific IGs for each API implementation was to provide directional 
guidance with flexibility to the industry without locking implementers 
into the versions available at the time of the proposed rule. As 
industry moves forward with implementation of these policies and use of 
these standards, industry can continue to harmonize on common 
approaches that work, eventually culminating in a required set of 
specifications when ready.
    Comment: A commenter recommended that CMS explain that the 
electronic prior authorization workflow does not necessarily need to be 
completed by the provider and that such workflows do not necessarily 
need to be included in CEHRT. The commenter recommended that CMS 
emphasize that only using data from CEHRT as part of the process for 
requesting prior authorization via a payer's Prior Authorization API is 
sufficient to meet the Electronic Prior Authorization measure. Another 
commenter suggested that CMS should consider not limiting the 
Electronic Prior Authorization measure to only data relevant to a prior 
authorization that is obtained from an EHR as relevant prior 
authorization data may not be limited to the provider's EHR alone. A 
commenter stated that certain health insurance data, clinical data, and 
other administrative data subject to follow-up requests or initial 
submissions may exist in non-EHR systems in use. The commenter stated 
that this further underscores the premise that any health IT developer 
wishing its health IT to be certified must support all USCDI in its 
health IT. The commenter stated that USCDI as a driver to enable 
standards-based exchange is increasingly less relevant and, instead, 
the various IGs would indicate what participating systems should 
support. A commenter requested clarification on the expectations for 
incorporating such workflows into the Medicare Promoting 
Interoperability Program. The commenter sought clarification on whether 
eligible hospitals are expected to begin to share prior authorization 
information via the integrations with HINs to meet the bi-directional 
HIE measure. Multiple commenters encouraged the use of HIEs to connect 
impacted payers and providers to facilitate electronic prior 
authorization. A commenter stated that HIEs could provide support for 
continuing to connect providers and payers, including for the purposes 
of prior authorization. Another commenter recommended that CMS should 
include an optional, alternative measure that allows MIPS eligible 
clinicians, eligible hospitals, and CAHs to claim a Promoting 
Interoperability credit by attesting to using a HIE/HIN to request a 
prior authorization. Another commenter recommended that CMS create a 
health IT activity as part of the HIE Objective for mapping to a Prior 
Authorization API that is measured by the transmission of at least one 
prior authorization through the Prior Authorization API.
    Response: We did not propose, and are not finalizing, details of a 
specific workflow, or by whom, that must be completed to report the 
Electronic Prior Authorization measure beyond specifying that data from 
CEHRT must be used for the transaction with a Prior Authorization API. 
CMS recognizes that, under the Electronic Prior Authorization measure 
that we are finalizing in this rule, MIPS eligible clinicians, eligible 
hospitals, and CAHs may utilize different workflows to submit an 
electronic prior authorization request. As noted, the Unified Agenda, 
current at the time of publication of this final rule, includes an 
entry for a proposed rule from ONC entitled ``Health Data, Technology, 
and Interoperability: Patient Engagement, Information Sharing, and 
Public Health Interoperability'' (RIN 0955-AA06). The description for 
this proposed rulemaking notes that this rule aims to advance 
interoperability through proposals for the expanded use of certified 
APIs for electronic prior authorization, among other proposals.\165\ We 
plan to continue to explore how potential future updates to the ONC 
Health IT Certification Program can support our policies and will 
address any updates to our requirements related to these future updates 
to the ONC Health IT Certification Program criteria if finalized, in 
future rulemaking. In reference to the USCDI, we note that health IT 
modules may be certified to only one or a few certification criteria 
that do not reference the USCDI standard, and therefore are not all 
required to support USCDI.
---------------------------------------------------------------------------

    \165\ Office of Information and Regulatory Affairs (2023, 
November). Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability. 
Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    With regard to workflows, there is no requirement under the MIPS 
Promoting Interoperability performance category or the Medicare 
Promoting Interoperability Program that a specific individual person 
must request prior authorization electronically via the Prior 
Authorization API to meet requirements of the Electronic Prior 
Authorization measure. Instead, it can be someone who legally can enter 
information into the medical record in accordance with applicable laws 
and professional guidelines. Regarding the measure's specifications, we 
emphasize that data must come from the CEHRT, as use of CEHRT is a 
required element of both the MIPS Promoting Interoperability 
performance category and the Medicare Promoting Interoperability 
Program. However, additional data outside of CEHRT may also be used in 
addition to support the interaction with a Prior Authorization API.
    Regarding the USCDI, we note that this standard is referenced in 
many of the IGs recommended for these use cases, however, the relative 
utility, in the abstract, of USCDI as a standard adopted for use in 
certified health IT and cross referenced in certain ONC Health IT 
Certification Program criteria is outside the scope of this final rule. 
We also note that we did not propose and are not finalizing a 
requirement under the MIPS Promoting

[[Page 8922]]

Interoperability performance category or the Medicare Promoting 
Interoperability Program to share prior authorization information via 
the integrations with HINs to meet the Bi-Directional HIE measure. 
Additionally, we thank commenters for their recommendations on 
additional measures to promote electronic prior authorization. CMS 
reiterates that to meet the requirements of the Electronic Prior 
Authorization measure, the electronic prior authorization must use a 
Prior Authorization API as finalized in this rule. CMS agrees that 
using HIEs and other HINs could help to facilitate sharing of prior 
authorization information. Nothing in the Electronic Prior 
Authorization measures we are finalizing would restrict using such 
networks as long as the payer's Prior Authorization API is used for the 
electronic prior authorization.
    Comment: A commenter sought clarification on whether a provider 
must implement capabilities to connect to all parts of the Prior 
Authorization API for full automation of the electronic prior 
authorization processing in order to claim numerator credit. Another 
commenter questioned whether a provider meets the numerator criteria if 
they use the Prior Authorization API that does not meet all the 
capabilities outlined in the recommended HL7 Da Vinci CRD, DTR, and PAS 
IGs. Another commenter requested clarification regarding whether a MIPS 
eligible clinician using the Prior Authorization API to submit a prior 
authorization request is not required to use all capabilities (that is, 
CRD, DTR, and PAS) in order to meet the numerator qualification, but 
rather that, at a minimum, the PAS IG request is used.
    Response: We thank the commenters for their feedback and note that 
we are finalizing this measure with modification to no longer require 
MIPS eligible clinicians, eligible hospitals, and CAHs to report a 
numerator and denominator for the measure. Instead, we are finalizing 
this measure to require MIPS eligible clinicians, eligible hospitals, 
and CAHs to attest a ``yes'' or ``no'' response for the measure or 
claim an applicable exclusion. In order to attest ``yes,'' for at least 
one medical item or service (excluding drugs) and, for eligible 
hospitals and CAHs, for one hospital discharge ordered during the 
performance period or EHR reporting period, a prior authorization 
request must be submitted to a payer using a Prior Authorization API. 
We note that to report a ``yes,'' the action of the measure must occur 
during the selected performance period \166\ or EHR reporting 
period,\167\ as per the measure specification. The Prior Authorization 
API is discussed in more detail in section II.D. of this final rule, 
and we note that the submission of the prior authorization request 
itself is described through the recommended PAS IG.
---------------------------------------------------------------------------

    \166\ See 42 CFR 414.1320.
    \167\ See 42 CFR 495.40(b)(2)(i).
---------------------------------------------------------------------------

    Comment: Some commenters stated that certain EHR systems are more 
sophisticated than others and could track Prior Authorization API 
activity, while other hospitals and providers lack this technology. A 
commenter sought clarification on how a provider can use their EHR to 
identify situations where the prior authorization cannot be requested 
via a payer's Prior Authorization API for the purposes of performance 
measurement. A commenter stated that some provider systems do not 
support one or more payer APIs due to slight differences in structure, 
interpretation, or both, which could result in the provider being 
penalized due to an EHR system's lack of capability and not the 
provider's lack of desire to use the Prior Authorization API. A 
commenter noted that the Electronic Prior Authorization measure would 
be counterproductive to ONC's strategy of reducing burden related to 
using health IT and EHRs and that there should be near-zero reporting 
burden. Multiple commenters noted that there will be technical and 
financial challenges with adopting an electronic prior authorization 
process. Some commenters recommended that CMS should provide financial 
and technical assistance/training to providers to adopt and implement 
the technology requirements. The commenter noted that some provider 
types, such as physical therapists, are ineligible to participate in 
the Medicare and Medicaid EHR Incentive Programs and have received 
little guidance on using EHR systems. A commenter stated that CMS 
should acknowledge the significant financial and administrative risk 
providers face when purchasing EHR systems in the context of MIPS. A 
commenter noted that many health IT vendors currently charge separately 
for electronic prior authorization functionality and the cost 
associated with purchasing these functionalities has been a substantial 
barrier to adoption for many small and independent practices, as well 
as rural hospitals. Some commenters noted the financial burden 
associated with using APIs and that practices must first be able to 
affordably adopt this technology before a new requirement is 
established for its use.
    Response: We acknowledge there will be variability in EHR 
technology capabilities to track Prior Authorization API activity. As 
noted previously, for this reason and to reduce reporting burden, we 
are finalizing the Electronic Prior Authorization measure as an 
attestation (yes/no) measure. As noted, ONC has sought comment on how 
updates to the ONC Health IT Certification Program could support 
electronic prior authorization (87 FR 3475). We also note that the 
Unified Agenda, current at the time of publication of this final rule, 
has been updated to include an entry for a proposed rule from ONC (RIN 
0955-AA06) that includes proposals for the expanded use of certified 
APIs for electronic prior authorization.\168\ We will monitor these 
developments in order to inform updates to the Electronic Prior 
Authorization measure in the future, for instance, requiring reporting 
of a numerator and denominator.
---------------------------------------------------------------------------

    \168\ Office of Information and Regulatory Affairs (2023, 
November). Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability. 
Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    While we acknowledge there may be costs associated with 
implementing functionality needed to interact with a payer's Prior 
Authorization API, as well as add-on costs charged by health IT vendors 
for adding these features, we believe that the benefits of the 
technology outweigh the costs. We also remind readers that this 
attestation (yes/no) measure would not be included under the Medicare 
Promoting Interoperability Program and the MIPS Promoting 
Interoperability performance category until the CY 2027 performance 
period/2029 MIPS payment year and CY 2027 EHR reporting period. We 
believe extending the inclusion of the Electronic Prior Authorization 
measure to the CY 2027 performance period/2029 MIPS payment year for 
MIPS eligible clinicians and the CY 2027 EHR reporting period for 
eligible hospitals and CAHs will allow participants in these programs 
to work with health IT vendors to adopt and implement functionality 
that can facilitate the actions needed to satisfy the Electronic Prior 
Authorization measure.
    As far as technical assistance, CMS does host CMS and HL7 FHIR 
Connectathons, which are free for interested parties to attend, as well 
as provides educational webinars with overviews of the technical 
requirements

[[Page 8923]]

in the CMS Interoperability and Patient Access final rule and proposed 
requirements in the CMS Interoperability and Prior Authorization 
proposed rule. Additional public resources also exist through HL7, such 
as HL7 FHIR Connectathons, HL7 website resources, and HL7 FHIR 
workgroup meetings. CMS believes that using the EHR systems, and 
training for staff using them, is up to each practice or hospital 
system to ensure occurs.
    CMS also is aware that the initial incentive programs (that is, the 
Medicare and Medicaid EHR Incentive Programs) supported EHR adoption 
for only certain provider types and the challenges that brings for 
certain provider types that were not originally eligible for this 
funding. CMS continues to evaluate ways to support providers that may 
lag in health IT adoption.
    Comment: A commenter requested that CMS establish requirements for 
impacted payers to publish their API endpoints for the Prior 
Authorization API or provide information on where to find the APIs and 
make information concerning how to connect to them conspicuously 
available for third-party app developers and for providers through 
their public websites similar to what is asked of certified health IT 
developers of API functions as a part of their basis of CEHRT under 45 
CFR 170.315(g)(10).
    Response: We understand that a directory of impacted payers' 
digital endpoints would be highly beneficial to facilitate the Prior 
Authorization API. Without such a directory, payers would need to 
discover other payers' endpoints one by one, and each payer would have 
to maintain a list of payers with whom they have previously connected. 
Therefore, we are committing to exploring an NDH that contains payers' 
digital endpoints before the 2027 compliance dates for the Prior 
Authorization API, which could allow providers to easily access those 
APIs and thereby facilitate electronic prior authorization, as 
discussed in this final rule. Further details about the NDH structure, 
requirements, and timing will be released if and when they become 
available.
    Comment: A commenter discussed the X12 standards and expressed that 
they do not believe that the inclusion of the Electronic Prior 
Authorization measure would be a sufficient incentive for MIPS eligible 
clinicians, eligible hospitals, and CAHs to overcome the costs 
associated with the transaction. Multiple commenters recommended that 
CMS should include the usage of the X12 278 standard in the numerator 
of the proposed measures. A commenter noted organizations that have 
standardized usage of the X12 standard may find this effective and 
efficient. The commenter stated that requiring these groups to 
transition to the Prior Authorization API to meet the measure 
requirements would be disruptive and burdensome. Another commenter 
recommended CMS use a single standard if CMS would like to incorporate 
the Electronic Prior Authorization measure. A commenter also 
recommended that CMS provide guidance on the role of HIPAA 
administrative transaction standards.
    Response: We thank the commenters for their feedback; however, we 
do not agree that the X12 278 standard is appropriate for the numerator 
of the proposed Electronic Prior Authorization measure because of its 
persistent and historically low utilization. While the CAQH efficiency 
index report is more reflective of payer and vendor uptake of the HIPAA 
standards, it does include some provider information.\169\ In the last 
four reporting years, the utilization of the X12 278 transaction has 
not exceeded 21 percent. Comments from reporting submitters (for the 
CAQH Index) indicate that providers do not use the X12 278 because it 
does not include the data elements they need for complete processing, 
and many payers are still not supporting it. Thus, to consider using 
that standard as the numerator, knowing the utilization rates are low, 
would not seem appropriate. We believe the benefit of moving towards a 
standardized electronic prior authorization process that leverages FHIR 
outweighs the initial implementation cost and burden of the transition. 
We will continue coordinating with colleagues across CMS and other 
Federal agencies on all ways that that HIPAA administrative transaction 
standards could impact our policies. We also note that we are 
finalizing a modification to our proposal to no longer require 
reporting of a numerator and denominator for this measure, as discussed 
in more detail throughout this section.
---------------------------------------------------------------------------

    \169\ Coalition for Affordable Quality Healthcare (2022). The 
CAQH Index Report. Retrieved from https://https://www.caqh.org/insights/caqh-index-report.
---------------------------------------------------------------------------

c. Measure Exclusions
    In the proposed rule (87 FR 76314), we proposed that MIPS eligible 
clinicians, eligible hospitals, or CAHs that do not order any medical 
items or services (excluding drugs) requiring prior authorization 
during the applicable performance period or EHR reporting period could 
claim an exclusion for the Electronic Prior Authorization measure. We 
also proposed that MIPS eligible clinicians, eligible hospitals, or 
CAHs that only order medical items or services (excluding drugs) 
requiring prior authorization from a payer that does not offer an API 
that meets the Prior Authorization API requirements outlined in section 
II.D.2. of this final rule (that is, payers not subject to this 
regulation or impacted payers that are non-compliant with the Prior 
Authorization API requirements outlined in section II.D.2. of this 
final rule), during the applicable performance period/MIPS payment year 
or EHR reporting period, could claim an exclusion for the Electronic 
Prior Authorization measure. As an alternative to this proposal, we 
considered whether MIPS eligible clinicians, eligible hospitals, and 
CAHs that request a small number of prior authorizations, such as five 
prior authorizations during the performance period/EHR reporting 
period, should also be able to claim the exclusion. We sought public 
comment on the alternative we considered and whether another minimum 
number of prior authorization requests would be appropriate for the 
exclusion. Given the previously discussed limitations of the current 
prior authorization process, we believe that all MIPS eligible 
clinicians, eligible hospitals, and CAHs (as well as their patients and 
the payers they request prior authorization from) would benefit from 
using the electronic process described here, regardless of how often 
they request prior authorization. Therefore, we believe that no minimum 
number of prior authorization requests, other than zero, would be a 
reasonable threshold for claiming an exclusion for the Electronic Prior 
Authorization measure.
    Comment: A few commenters stated that if a payer insists on faxing 
or other means of communication, CMS should consider treating this 
scenario as the basis for exclusion from the Electronic Prior 
Authorization measure versus still having authorizations impacted by 
such a requirement of a payer included in the denominator. A commenter 
stated that some practitioners do not have enough prior authorization 
requests or the necessary technology to support electronic prior 
authorization, and suggested the exclusion should be based on not only 
quantity but also on technical capability of those who do not submit a 
high volume of prior authorization requests. The commenter encouraged 
CMS to consider alternative exclusion criteria, such as the technical

[[Page 8924]]

capability of those who do not submit a high volume of prior 
authorization requests. The commenter continued by stating that CMS 
should not penalize providers for failing to use EHRs for this purpose 
of electronic prior authorization if they either do not have enough 
requests or if the technology they use does not support this 
capability.
    Response: We appreciate commenters' recommendations and feedback 
that some providers may not have enough prior authorization requests or 
the necessary technology to support electronic prior authorization. We 
believe that all MIPS eligible clinicians, eligible hospitals, and CAHs 
(as well as their patients and the impacted payers they request prior 
authorization from) would benefit from using the electronic prior 
authorization process described in this final rule. We also note that 
the modified version of the Electronic Prior Authorization measure 
being finalized in this rule only requires reporting of ``at least 
one'' medical item or service (excluding drugs) ordered during the 
performance period/MIPS payment year or EHR reporting period. We 
believe this is achievable for all MIPS eligible clinicians, eligible 
hospitals, and CAHs who make any prior authorization requests in a 
given year. For those who do not have any prior authorization requests, 
we are finalizing our exclusion as proposed. MIPS eligible clinicians, 
eligible hospitals, and CAHs who do not order any medical items or 
services (excluding drugs) requiring prior authorization during the 
applicable performance period/MIPS payment year or EHR reporting period 
would be able to report that they qualify for the exclusion for the 
Electronic Prior Authorization measure.
    We acknowledge that EHR technology may not consistently support 
interactions with the Prior Authorization APIs at this time, and as 
discussed in further detail elsewhere in this section, we will continue 
to work with ONC on potential ONC Health IT Certification Program 
criteria that would support the Electronic Prior Authorization measure. 
For this reason, we are finalizing this measure for the MIPS Promoting 
Interoperability performance category beginning with the CY 2027 
performance period/2029 MIPS payment year and for the Medicare 
Promoting Interoperability Program beginning with the CY 2027 EHR 
reporting period.
d. Office of the National Coordinator for Health Information Technology 
Health IT Certification Program
    As described previously, ONC previously sought comment through an 
RFI titled ``Electronic Prior Authorization Standards, Implementation 
Specifications, and Certification Criteria'' (87 FR 3475), which 
appeared in the January 24, 2022, issue of the Federal Register, on how 
updates to the ONC Health IT Certification Program could support 
electronic prior authorization. Since then, the Unified Agenda has been 
updated to include a proposed rule from ONC (RIN 0955-AA06) that aims 
to advance interoperability through proposals for the expanded use of 
certified APIs for electronic prior authorization, among other 
proposals.\170\ We plan to continue to explore how potential updates to 
the ONC Health IT Certification Program could support our policies and 
will address any updates to our requirements related to future updates 
to the ONC Health IT Certification Program, if finalized, in future 
rulemaking.
---------------------------------------------------------------------------

    \170\ Office of Information and Regulatory Affairs (2023, 
November). Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability. 
Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

e. Other Considerations
    We invited public comment on considerations and alternatives 
related to the Electronic Prior Authorization measure. For example, we 
sought comment on the proposed numerator and denominator of the 
Electronic Prior Authorization measure or any changes to the 
specifications that would reduce the implementation burden for both 
impacted providers (MIPS eligible clinicians, eligible hospitals, and 
CAHs) and health IT developers. We also sought comment on challenges 
that MIPS eligible clinicians, eligible hospitals, and CAHs might face 
in identifying those payers that have the Prior Authorization API 
technology to accurately include eligible prior authorization requests 
in the denominator. Additionally, we sought comment on challenges MIPS 
eligible clinicians, eligible hospitals, and CAHs could face in 
performing the actions included in the Electronic Prior Authorization 
measure specifications if certification criteria are not available in 
the ONC Health IT Certification Program at the time MIPS eligible 
clinicians, eligible hospitals, and CAHs are required to report the 
Electronic Prior Authorization measure under the Medicare Promoting 
Interoperability Program or MIPS Promoting Interoperability performance 
category.
    We received many comments in response to our request for comment. 
We thank commenters for their feedback as we consider any future 
rulemaking, including collaboration with ONC as appropriate.
    Comment: Multiple commenters opposed the proposed Electronic Prior 
Authorization measure because of the lack of health IT certification 
criteria to ensure EHRs communicate with payers through Prior 
Authorization API. Multiple commenters expressed concern about the 
inclusion of the Electronic Prior Authorization measure due to possible 
technical challenges and the lack of health IT that has the capacity to 
support electronic prior authorization. Multiple commenters encouraged 
CMS to focus on ensuring that the proposed APIs are implemented and 
supported by CEHRT to make sure they are successfully implemented 
within the provider's workflow rather than developing a measure related 
to electronic prior authorization.
    Several commenters noted that ONC has not established health IT 
certification criteria to support electronic prior authorization in 
such technologies. Multiple commenters suggested various alternative 
timeframes for CMS to consider. A commenter recommended that CMS 
require payers to make the Prior Authorization API available to 
providers no later than 12 months following the publication of this 
final rule. Another commenter suggested a compliance date 12 months 
after the implementation of the Prior Authorization API or 36 months 
following publication of this final rule, whichever is later. Another 
commenter requested that CMS consider reopening the comment period for 
this rule following the publication of the HTI-1 proposed rule (88 FR 
23746). The commenter stated that CMS should give industry 24 months 
from the reopening of the comment period to create specifications, 
perform development, complete certification testing, and execute client 
deployments. Another commenter recommended that CMS suspend the 
proposed Electronic Prior Authorization measure until payers implement 
and maintain the Prior Authorization API as specified in this rule and 
the Prior Authorization API is in effect for at least 3 years. Multiple 
commenters were concerned that providers will not be guaranteed access 
to the Prior Authorization API if health IT developers are not required 
to incorporate the functionality into CEHRT and therefore should not be 
held

[[Page 8925]]

accountable for using the Prior Authorization API nor reporting on the 
proposed Electronic Prior Authorization measure. A commenter 
recommended that CMS and ONC work in collaboration to leverage 
technologies, such as electronic prior authorization tools. Another 
commenter urged CMS to work with ONC to establish ONC Health IT 
Certification Program criteria to require providers and EHR vendors to 
adopt the IGs associated with electronic prior authorization. 
Commenters stated that it is unreasonable to measure utilization by 
MIPS eligible clinicians, eligible hospitals, and CAHs of electronic 
prior authorization processes for incentive payments until the ONC 
Health IT Certification Program requires CEHRT to include the 
functionality necessary for health IT systems to communicate through a 
Prior Authorization API. Another commenter stated that CMS should 
postpone implementation of the Electronic Prior Authorization measure 
until both the ONC Health IT Certification Program and HIPAA attachment 
standards are updated. Another commenter stated that the proposed 
Electronic Prior Authorization measure would subject MIPS eligible 
clinicians, eligible hospitals, and CAHs to be reliant upon untested 
technology and tie their performance to such technology. A commenter 
emphasized the importance of industry adoption and noted that the API 
will have minimal value if EHR vendors do not build the necessary 
connections to allow clinicians to access it and if clinicians are not 
incentivized to adopt. To mitigate this, the commenter recommended that 
CMS require EHR vendors to provide bi-directional patient data access 
via an API so payers can better leverage digital patient information 
and automate prior authorization requests. Another commenter 
recommended that CMS ensure that the proposed Electronic Prior 
Authorization measure is supported by technology used by all of the 
impacted users. Several commenters stated that providers should not be 
subject to punitive action if they do not implement the Prior 
Authorization API requirements and should not be evaluated on 
electronic prior authorization utilization for payment purposes until 
EHRs are required to provide this functionality by the ONC Health IT 
Certification Program.
    Response: We appreciate the comments received on this request for 
comments. As noted, the Unified Agenda, current at the time of 
publication of this final rule, includes an entry for a proposed rule 
from ONC (RIN 0955-AA06) that aims to advance interoperability through 
proposals for the expanded use of certified APIs for electronic prior 
authorization.\171\ We will work with ONC to ensure that any future 
updates to the ONC Health IT Certification Program around electronic 
prior authorization will improve health care providers' capabilities to 
interact with the Prior Authorization APIs established by impacted 
payers, as well as further support health care providers' ability to 
complete the action specified in the Electronic Prior Authorization 
measure we are finalizing. We will provide further guidance in future 
rulemaking about how any updates made by ONC to the ONC Health IT 
Certification program related to electronic prior authorization relate 
to the requirements of the Medicare Promoting Interoperability Program 
and Promoting Interoperability performance category of MIPS. We note 
that CMS does not have authority to regulate EHR vendors directly; 
however, we collaborate with ONC regarding certification criteria for 
health IT that are included in the voluntary ONC Health IT 
Certification Program and referenced in CMS program requirements.
---------------------------------------------------------------------------

    \171\ Office of Information and Regulatory Affairs (2023, 
November). Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability. 
Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    In the interim, we note that MIPS eligible clinicians, eligible 
hospitals, and CAHs are required to use CEHRT for the measure as a 
means to capture clinical information as structured data and to use 
such structured data for the prior authorization. This function of 
gathering structured data from CEHRTs is achievable today without 
additional CEHRT criteria. The request for prior authorization through 
the Prior Authorization API could be accomplished through the use of 
additional technology to complement CEHRT depending on implementation 
preference. We note that MIPS eligible clinicians, eligible hospitals, 
and CAHs can report on the measure, saying ``yes'' they submitted a 
prior authorization request electronically using the Prior 
Authorization API with data from CEHRT, without needing additional 
certification criterion in the ONC Health IT Certification Program.
    We also note that in December 2022, HHS proposed to adopt a 
standard for attachments in the HIPAA Standards for Health Care 
Attachments proposed rule (87 FR 78438). That proposed rule has not yet 
been finalized. At this time there are no operating rule requirements 
applicable to the APIs required for use in this final rule, or to the 
HIPAA X12 278 transaction standard.
    We appreciate commenters' recommendations regarding implementation 
timelines, such as making the Prior Authorization API available to 
providers no later than 12 months or 36 months following the 
publication of this final rule. We note that, after consideration of 
comments received and discussed in more detail elsewhere in the rule, 
we are finalizing our proposal with the modification to have MIPS 
eligible clinicians report the Electronic Prior Authorization measure 
beginning with the CY 2027 performance period/2029 MIPS payment year 
and eligible hospitals and CAHs report the Electronic Prior 
Authorization measure beginning with the CY 2027 EHR reporting period. 
We also acknowledge that a commenter recommended suspending the 
Electronic Prior Authorization measure until payers implement the Prior 
Authorization API as specified in this rule and use it for some time 
period. However, we believe finalization of this Electronic Prior 
Authorization measure encourages all parties involved (payers and 
providers) to develop, implement, and use the new Prior Authorization 
API to drive widespread adoption, thus reaping the benefits of burden 
reduction through electronic prior authorization processes. The Prior 
Authorization API needs parties on both ends of a request to be using 
the API in order for the API to be beneficial to everyone involved.
    Comment: Multiple commenters recommended that ONC conduct oversight 
of CEHRT products to determine if the products do or do not 
successfully support electronic prior authorization, and then publicize 
CEHRT products that fail ONC review on the Certified Health IT Product 
List (CHPL) so providers can avoid products that will not support the 
new electronic prior authorization requirements. The commenter 
recommended that ONC work with professional associations to educate 
providers about their oversight and reporting process.
    Response: There is not a dedicated certification criterion related 
to electronic prior authorization in the ONC Health IT Certification 
Program at this time. However, as noted previously, ONC previously 
sought comment on how updates to the ONC Health IT Certification 
Program could support electronic prior authorization (87 FR 3475). We 
also note that the Unified Agenda, current at the time of publication 
of this final rule, includes an entry for a proposed rule from ONC

[[Page 8926]]

(RIN 0955-AA06), which describes planned proposals for the expanded use 
of certified APIs for electronic prior authorization.\172\ We note that 
the Electronic Prior Authorization measure requires using data from 
CEHRT, and the Prior Authorization API can be implemented without 
regard to any changes ONC may propose for the ONC Health IT 
Certification Program.
---------------------------------------------------------------------------

    \172\ Office of Information and Regulatory Affairs (2023, 
November). Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability. 
Retrieved from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    While ONC oversight and enforcement authority is beyond the scope 
of this final rule, we note that health IT products certified to all 
certification criteria are subject to oversight mechanisms within the 
ONC Health IT Certification Program. For more information about the 
oversight elements within the ONC Health IT Certification Program, 
readers should visit the ONC website at https://www.healthit.gov/topic/certification-ehrs/oversight-and-surveillance. Regarding the CHPL 
(https://chpl.healthit.gov/), we note this resource includes listings 
of those health IT products that have successfully certified to health 
IT certification criteria under the Certification Program.
    Comment: Multiple commenters recommended that CMS and ONC outline a 
roadmap for electronic prior authorization adoption that leverages the 
ONC Health IT Certification Program. A commenter recommended that the 
roadmap should include details from the ONC Cures Act final rule (85 FR 
25642) and these requirements. Another commenter stated that an 
established path to electronic prior authorization will avoid delays 
and confusion.
    Response: We appreciate commenters' feedback. CMS will consider 
developing a roadmap for electronic prior authorization adoption in 
collaboration with ONC. We will collaborate with ONC to incorporate any 
future policies for the ONC Health IT Certification Program as part of 
a comprehensive approach to ensuring electronic prior authorization is 
conducted in a standardized fashion across parties.
3. Final Action
    After consideration of the comments received and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule and our response to those comments (as summarized previously), we 
are finalizing our proposal with the following modifications:
     The ``Electronic Prior Authorization'' measure will be 
reported as an attestation (yes/no) measure, instead of reporting a 
numerator and denominator, regarding whether the MIPS eligible 
clinician, eligible hospital, or CAH submitted at least one prior 
authorization request electronically via a Prior Authorization API 
using data from CEHRT during the performance period/EHR reporting 
period, as further specified below.
     MIPS eligible clinicians will report the ``Electronic 
Prior Authorization'' measure for the MIPS Promoting Interoperability 
performance category beginning with the CY 2027 performance period/2029 
MIPS payment year and eligible hospitals and CAHs participating under 
the Medicare Promoting Interoperability Program will report the measure 
beginning with the CY 2027 EHR reporting period.
    See further discussion below for exact details of the final 
requirements for MIPS eligible clinicians, eligible hospitals, and 
CAHs.
    We are finalizing the following specifications for the Electronic 
Prior Authorization measures:
1. For MIPS Eligible Clinicians Under the MIPS Promoting 
Interoperability Performance Category--Electronic Prior Authorization
     Measure Description: For at least one medical item or 
service (excluding drugs) ordered by the MIPS eligible clinician during 
the performance period, the prior authorization is requested 
electronically via a Prior Authorization API using data from CEHRT.
     Reporting Requirements: Yes/No response.
    To successfully report this measure, MIPS eligible clinicians must 
attest ``yes'' to requesting prior authorization electronically via a 
Prior Authorization API using data from CEHRT for at least one medical 
item or service (excluding drugs) ordered by the MIPS eligible 
clinician during the performance period or (if applicable) report an 
exclusion.
     Exclusion: Any MIPS eligible clinician who--
    ++ Does not order any medical items or services (excluding drugs) 
requiring prior authorization during the applicable performance period; 
or
    ++ Only orders medical items or services (excluding drugs) 
requiring prior authorization from a payer that does not offer an API 
that meets the Prior Authorization API requirements outlined in section 
II.D.2. of this final rule during the applicable performance period.
2. For Eligible Hospitals and Critical Access Hospitals Under the 
Medicare Promoting Interoperability Program--Electronic Prior 
Authorization
     Measure Description: For at least one hospital discharge 
and medical item or service (excluding drugs) ordered during the EHR 
reporting period, the prior authorization is requested electronically 
via a Prior Authorization API using data from CEHRT.
     Reporting Requirements: Yes/No response.
    To meet this measure, the eligible hospital or CAH must attest 
``yes'' to requesting a prior authorization electronically via a Prior 
Authorization API using data from CEHRT for at least one hospital 
discharge and medical item or service (excluding drugs) ordered during 
the EHR reporting period or (if applicable) report an applicable 
exclusion.
     Exclusions: Any eligible hospital or CAH that--
    ++ Does not order any medical items or services (excluding drugs) 
requiring prior authorization during the EHR reporting period.
    ++ Only orders medical items or services (excluding drugs) 
requiring prior authorization from a payer that does not offer an API 
that meets the Prior Authorization API requirements outlined in section 
II.D.2. of this final rule during the applicable EHR reporting period.
    We intend to reevaluate the Electronic Prior Authorization measure 
criteria and reporting structure of this measure in future years as the 
Prior Authorization API becomes more widely adopted and if additional 
certification criteria become available for CEHRT to determine whether 
a numerator/denominator reporting structure would be more appropriate 
at that time. We would address those issues in future rulemaking.
    We are finalizing our proposal that the Electronic Prior 
Authorization measure will not be assigned points for the CY 2027 
performance period/2029 MIPS payment year for MIPS eligible clinicians, 
and the CY 2027 EHR reporting period for eligible hospitals and CAHs. 
Instead, if a MIPS eligible clinician, eligible hospital, or CAH fails 
to report the measure as specified, they would not meet the minimum 
reporting requirements, not be considered a meaningful EHR user, and 
fail the Medicare Promoting Interoperability Program or the MIPS 
Promoting Interoperability performance category. A failure to meet the 
minimum reporting

[[Page 8927]]

requirements of the Medicare Promoting Interoperability Program would 
result in a downward payment adjustment for eligible hospitals or CAHs 
(unless the eligible hospital or CAH receives a hardship exception). A 
failure in the Promoting Interoperability performance category would 
result in the MIPS eligible clinician receiving a score of zero for the 
performance category, which is currently worth 25 percent of their 
final score for MIPS.
    For the MIPS Promoting Interoperability performance category, 
satisfactory performance on this measure can be demonstrated only by 
reporting a ``yes'' response on the attestation or claiming an 
applicable exclusion. A ``no'' response on the attestation will result 
in the MIPS eligible clinician failing to meet the minimum reporting 
requirements, therefore not being considered a meaningful EHR user for 
MIPS, as set forth in section 1848(o)(2)(A) of the Act and defined at 
42 CFR 414.1305, for the MIPS payment year (42 CFR 414.1305). MIPS 
eligible clinicians that do not report a ``yes'' response or claim an 
applicable exclusion for the Electronic Prior Authorization measure as 
specified (that is, they do not submit the measure or claim an 
exclusion or report a ``no'' response) will not earn a score for the 
MIPS Promoting Interoperability performance category (a score of zero 
for the category). A MIPS eligible clinician's score in the Promoting 
Interoperability performance category is generally worth 25 percent of 
their total final score for MIPS (42 CFR 414.1375(a); 414.1380(c)(1)). 
We note that to report a ``yes,'' the action of the measure must occur 
during the selected performance period \173\ or EHR reporting 
period,\174\ as per the measure specification defined below.
---------------------------------------------------------------------------

    \173\ See 42 CFR 414.1320.
    \174\ See 42 CFR 495.40(b)(2)(i).
---------------------------------------------------------------------------

    For the Medicare Promoting Interoperability Program, only a ``yes'' 
response on the attestation, or claiming an applicable exclusion, will 
fulfill the minimum requirements of this measure. A ``no'' response 
will result in the eligible hospital or CAH failing to meet the 
measure, and therefore failing to meet minimum program reporting 
requirements, thus not being considered a meaningful EHR user for an 
EHR reporting period, as defined in section 1886(n)(3) of the Act.\175\ 
Eligible hospitals and CAHs that do not meet the minimum program 
requirements are subject to a downward payment adjustment (unless the 
eligible hospital or CAH receives a hardship exception).
---------------------------------------------------------------------------

    \175\ See 42 CFR 495.4 and 495.24(f)(1)(i)(A).
---------------------------------------------------------------------------

G. Interoperability Standards for APIs

1. Background
    In the CMS Interoperability and Patient Access final rule (85 FR 
25510), we finalized a requirement to implement, maintain, and use API 
technology conformant with the API technical standards at 45 CFR 
170.215, which at the time included (85 FR 25521):
     Health Level Seven (HL7[supreg]) Fast Healthcare 
Interoperability Resources (FHIR[supreg]) Release 4.0.1
     HL7[supreg] FHIR[supreg] US Core Implementation Guide (IG) 
Standard for Trial Use (STU) 3.1.1
     HL7[supreg] SMART Application Launch Framework IG Release 
1.0.0, including mandatory support for the ``SMART Core Capabilities''
     FHIR[supreg] Bulk Data Access (Flat FHIR) IG (v1.0.0: STU 
1), including mandatory support for the ``group-export'' 
``OperationDefinition''
     OpenID Connect Core 1.0, incorporating errata set 1
    When we finalized the requirement for conformance with the 
specifications at 45 CFR 170.215 in the CMS Interoperability and 
Patient Access final rule, we required impacted payers to comply with 
all standards at 45 CFR 170.215 for each of the APIs finalized in that 
rule. However, we understand that the existing requirements for payers 
to ``use API technology conformant with 45 CFR 170.215'' (85 CFR 25632) 
for each API may introduce confusion to the compliance requirements, 
because not all the standards at 45 CFR 170.215 may be applicable for 
each specific API.\176\
---------------------------------------------------------------------------

    \176\ See 42 CFR 422.119 (Access to and exchange of health data 
and plan information), 431.60 (Beneficiary access to and exchange of 
data), and 457.730 (Beneficiary access to exchange of data) and 45 
CFR 156.221 (Access to and exchange of health data and plan 
information).
---------------------------------------------------------------------------

    Accordingly, to provide clarity, in the CMS Interoperability and 
Prior Authorization proposed rule, we outlined modifications to be more 
specific regarding which standards at 45 CFR 170.215 are applicable to 
each API (87 FR 76314-21). Specifically, instead of the existing 
requirements to use ``API technology conformant with 45 CFR 170.215,'' 
we proposed that each standard at 45 CFR 170.215 would apply to a given 
set of APIs. The specific CFR citations were listed in Table 8 of the 
proposed rule (87 FR 76318). We are now finalizing those requirements, 
with modifications to some of the specific API requirements. We are 
finalizing that impacted payers will only be required to use those 
specifications at 45 CFR 170.215 that are listed in Table H3 as 
necessary for the Patient Access, Provider Access, Provider Directory, 
Payer-to-Payer, and Prior Authorization APIs. We are also finalizing 
our proposal to allow impacted payers to use updated standards, 
specifications, or IGs for each of these APIs. Finally, we are 
reiterating our recommendations to use the IGs listed in Table H3. We 
discuss these policies in detail elsewhere in the final rule.
2. Modifications to Required Standards for APIs
    We proposed specific standards at 45 CFR 170.215 that would apply 
to each API. In the proposed rule, we listed the standards applicable 
to each API in Table 10 (87 FR 76320). Since the publication of the CMS 
Interoperability and Prior Authorization proposed rule, ONC has 
published the HTI-1 final rule which reorganized the structure of 45 
CFR 170.215 to delineate the purpose and scope more clearly for each 
type of standard or implementation specification (89 FR 1283). We note 
that the HTI-1 final rule adopted updated versions of several standards 
at 45 CFR 170.215, which now includes:
     Health Level Seven (HL7) Fast Healthcare Interoperability 
Resources (FHIR) Release 4.0.1 at 45 CFR 170.215(a)(1) (HL7 FHIR);
     HL7 FHIR US Core IG Standard for Trial Use (STU) 3.1.1, 
which expires on January 1, 2026, at 45 CFR 170.215(b)(1)(i);
     HL7 FHIR US Core IG STU 6.1.0 at 45 CFR 170.215(b)(1)(ii) 
(US Core IG),
     HL7 SMART Application Launch Framework IG Release 1.0.0, 
which expires on January 1, 2026, at 45 CFR 170.215(c)(1);
     HL7 SMART App Launch IG Release 2.0.0 at 45 CFR 
170.215(c)(2) (SMART App Launch IG);
     FHIR Bulk Data Access (Flat FHIR) IG (v1.0.0: STU 1) at 45 
CFR 170.215(d)(1) (Bulk Data Access IG); and
     OpenID Connect Core 1.0, incorporating errata set 1 at 45 
CFR 170.215(e)(1) (OpenID Connect Core).
    We refer readers to the HTI-1 proposed and final rule for 
additional information (FR 1284 through 1295). The specific standards 
at 45 CFR 170.215 that we identified in our proposed rule were 
restructured by HTI-1 and moved to new locations at 45 CFR 170.215. In 
addition, in several cases ONC adopted new versions of the same 
standards proposed in the CMS Interoperability and Prior Authorization 
proposed rule. Specifically, ONC finalized US Core IG STU 6.1.0 (at 45

[[Page 8928]]

CFR 170.215(b)(1)(ii)) and the SMART App Launch IG Release 2.0.0 (at 45 
CFR 170.215(c)(2)). Additionally, ONC has finalized expiration dates 
for the US Core IG STU 3.1.1 (at 45 CFR 170.215(b)(1)(i)) and the SMART 
App Launch Framework IG Release 1.0.0 (at 45 CFR 170.215(c)(1)) to 
indicate when a version of a standard may no longer be used for the ONC 
Health IT Certification Program. While we did not propose to require 
those updated versions, we emphasize that impacted payers are permitted 
to use them based on our policy to allow updated versions of required 
standards, as discussed. We intend to align with the updated versions 
finalized at 45 CFR 170.215 through future rulemaking prior to our API 
compliance dates.
    We are finalizing our proposals to identify specific required 
standards at 45 CFR 170.215 that are applicable to each of the APIs, 
with modifications. The finalized requirements include any additional 
mandatory support requirements listed, such as for both the SMART App 
Launch IG at 45 CFR 170.215(c) and Bulk Data Access IG at 45 CFR 
170.215(d). We are cross-referencing the new locations for these 
standards at 45 CFR 170.215 finalized by ONC in the HTI-1 final rule. 
Table H3 lists the required versions of each standard and their 
citation. Throughout this preamble we refer to the current structure of 
45 CFR 170.215 as updated by the HTI-1 final rule.
    For the Patient Access API, we are finalizing the required 
standards as proposed with modifications to incorporate the expiration 
dates ONC adopted at 45 CFR 170.215(b)(1)(i) and (c)(1). For the 
Provider Directory API, we are finalizing our proposal with 
modifications to incorporate the expiration date ONC adopted at 45 CFR 
170.215(b)(1)(i), and to remove the SMART App Launch IG at 45 CFR 
170.215(c)(1) and OpenID Connect Core at 45 CFR 170.215(e), which were 
erroneously included in the proposed rule. We refer readers to the 
footnote in Table H3 for additional information. For the Provider 
Access API, we are finalizing our proposal with the modification to not 
require OpenID Connect Core at 45 CFR 170.215(e) and with modifications 
to incorporate the expiration dates ONC adopted at 45 CFR 
170.215(b)(1)(i) and (c)(1). For the Payer-to-Payer API, we are 
finalizing our proposal with modifications to not require the SMART App 
Launch IG at 45 CFR 170.215(c) and OpenID Connect Core at 45 CFR 
170.215(e), and to incorporate the expiration date ONC adopted at 45 
CFR 170.215(b)(1)(i). For the Prior Authorization API, we are 
finalizing our proposal with modifications to not require OpenID 
Connect Core at 45 CFR 170.215(e) and to incorporate expiration dates 
ONC adopted at 45 CFR 170.215(b)(1)(i) and (c)(1). Payers will be 
required to comply with the applicable specifications that we have 
identified for the Patient Access, Provider Access, Provider Directory, 
Payer-to-Payer, and Prior Authorization APIs as listed in Table H3. The 
exact regulation text for each API will vary depending on which 
standards apply to that API. These updates particularize the 
specifications at 45 CFR 170.215 that are required for each API. We 
received comments on these proposals and discuss details of the 
modifications.
a. HL7 FHIR and Technical Readiness
    Comment: Multiple commenters expressed support for CMS's proposal 
to specify technical standards for each API and recommended that CMS 
finalize the proposal. A commenter expressed appreciation for CMS's 
efforts to explain the technical requirements for each API and agreed 
with the proposal to add more specific language regarding which 
standards apply to which API.
    Multiple commenters also supported CMS's proposal to require payers 
to use the FHIR standard to facilitate information exchange and promote 
interoperability. Multiple commenters stated that FHIR APIs help 
connect patients, providers, and payers to the correct information. A 
commenter stated that FHIR-based standards maximize the chance for 
innovation and the proposed revision provides technical clarity to 
payers. Another commenter stated that utilizing the FHIR standard 
continues to advance the use of transparent, widely available standards 
and helps to facilitate electronic information exchange, while another 
stated that the FHIR-based IGs support the provider team's workflow and 
enable them to better understand patient-specific benefits.
    Response: We appreciate commenters support for using the FHIR 
standard and FHIR APIs to improve information exchange and agree with 
the commenters' assessments that these will advance interoperability.
    Comment: Multiple commenters expressed concern about mandating the 
FHIR standard. Multiple commenters expressed concern regarding the 
maturity of the proposed standards, specifications, and recommended 
IGs. Multiple commenters stated that it would be inadvisable to specify 
technical requirements at this time given that the technical standards 
and IGs have not fully matured. Multiple commenters recommended that 
CMS, along with ONC, take steps to adequately and inclusively develop 
technical standards and relevant IGs to full maturity as a baseline of 
industry consistency, ensuring standards are tested and transparently 
evaluated prior to mandated adoption. Another commenter encouraged CMS 
to maintain flexibility in the agency's ongoing data exchange 
activities to ensure the success of interoperability programs. Another 
commenter urged CMS to ensure careful consideration of what technical 
standards to require in the future. Another commenter suggested that 
requiring all entities to use the FHIR standard may be burdensome. The 
commenter stated that CMS has not proposed any alternatives and that 
adoption of the FHIR standard may not be feasible for small entities 
and asked questions such as what will happen if small businesses are 
not able to convert to FHIR.
    A commenter cautioned CMS not to view the FHIR standard as the sole 
solution to interoperability and patient data exchange challenges. The 
commenter noted that as currently proposed, the Patient Access API 
would experience challenges if the FHIR standard failed to reach 
widespread adoption and maturity. A commenter stated that the HL7 Da 
Vinci IGs that support the Patient Access API have not yet reached 
sufficient maturity for widespread adoption. The commenter stated that 
using the FHIR standard, agnostic of a particular IG, will give 
industry stakeholders greater flexibility to pilot different approaches 
and build consensus without the risk of distortions that could result 
from mandatory adoption of immature specifications.
    Response: We thank commenters for providing their thoughts 
regarding the FHIR standard. However, we disagree that FHIR is not 
mature. The primary components of the FHIR standard are mature, as are 
the standards we are requiring in this rule, such as the US Core IG. We 
acknowledge that the FHIR resource profiles included in the IGs we 
recommend are of varying levels of maturity, but we believe they are 
sufficiently mature for industry to start implementing them. We refer 
readers to our discussion on IG maturity in section II.G.3.b. of this 
final rule. The FHIR standard will help move the health care industry 
toward a more interoperable state, and we believe that it supports 
transmission of health data in a standard, structured, but flexible 
format as FHIR specifications continue to advance and mature. HHS has 
already adopted standards for FHIR APIs at 45

[[Page 8929]]

CFR 170.215, as finalized in the ONC Cures Act final rule, and 
therefore we did not propose any alternatives (85 FR 25521). We 
disagree that the HL7 Da Vinci IGs that support the Patient Access API 
have not yet reached sufficient maturity for widespread adoption as 
they have already been successfully implemented and are being used 
today. Since 2021 impacted payers have been required to implement and 
maintain a standards-based Patient Access API that uses FHIR and other 
technical standards at 45 CFR 170.215, as finalized in the CMS 
Interoperability and Patient Access final rule (85 FR 25558). We are 
delaying the compliance date for policies that require API enhancement 
or development to 2027, which will allow additional time for the 
recommended FHIR IGs to be refined to support the policies in this 
final rule. We believe the adoption of the FHIR standard is feasible 
for all the APIs finalized in this rule, especially with the additional 
implementation time.
    Comment: Multiple commenters appreciated CMS's efforts to move 
industry towards interoperability and expressed support for CMS's 
proposals to promote electronic data exchange among patients, 
providers, and payers via APIs leveraging technical standards and IGs. 
Multiple commenters supported using FHIR-based standards to facilitate 
data transport across the industry and that FHIR-based exchange is 
technically feasible for both payers and providers to adopt and 
implement. A commenter stated that the FHIR standard and IGs promote a 
level of consistency in terms of format, structure, and vocabulary, as 
well as allow for a variety of interoperability paradigms that best 
suit the interaction requirements between providers, payers, and 
patients. A commenter supported using USCDI data classes and data 
elements in addition to claims and encounter data when exchanging 
patient information.
    Multiple commenters expressed support for CMS's proposals to use 
standards-based APIs and stated that the industry-wide adoption of 
uniform standards will help enhance interoperability and minimize 
complexity. Multiple commenters stated that having an established 
technical infrastructure to support the development and adoption of the 
new APIs outlined in this rule is crucial to prevent added 
administration burden, complexity, and variability in implementation.
    Response: We agree with the commenters' assessments and thank them 
for their support of our policies.
    Comment: A commenter requested that CMS define a more prescriptive 
designated data set for claims and encounter data akin to USCDI. The 
commenter continued by stating that CMS should explicitly call out the 
Common Payer Consumer Data Set (CPCDS), which would ensure a more 
uniform implementation and ensure that patients, providers, and payers 
can use those capabilities in a way that the rule intended. Another 
commenter suggested a realignment of the purpose and use of USCDI as a 
library of data types, classes, and specifications from which 
interoperability requirements can be drawn.
    Response: While altering the design and structure of the USCDI are 
out of scope for this rule, we will continue to work with ONC to expand 
and build upon the USCDI. For instance, we have worked with ONC on the 
USCDI+ initiative, which aims to harmonize data sets that extend beyond 
the USCDI for additional use cases. While USCDI is one category of data 
required to be exchanged via the APIs, we understand that the USCDI is 
limited in scope and that additional data and standards will be 
necessary to implement these APIs. For instance, the recommended 
HL7[supreg] FHIR[supreg] CARIN Consumer Directed Payer Data Exchange IG 
(CARIN IG for Blue Button) (87 FR 76316), which was itself informed by 
and includes mappings to CPCDS.
    Comment: A commenter noted that the implementation of the APIs is 
contingent on compliant technical solutions being available in the 
marketplace. Another commenter stated that the lack of specificity in 
API requirements gives payers significant latitude to determine what 
data elements they want to include in their APIs and under what 
circumstances, which will not promote widespread interoperability. 
Another commenter stated that technical standardization and payer 
participation are the only ways that these proposals could be 
effective. The commenter stated if the responsibility is not shared 
across stakeholders, CMS will simply shift more burden onto providers. 
Another commenter stated that variance in API implementation could 
require providers to need significant assistance from health IT vendors 
to navigate these systems, which would eliminate any efficiencies CMS 
expected to derive from the new interoperability requirements. Another 
commenter noted a frequent problem with the implementation of technical 
processes is variation from system-to-system and interpretation 
differences since guidance is not universally communicated to 
developers who need the information. Similarly, a commenter noted that 
these technical API standards may require providers to hire additional 
staff to implement them.
    Response: The industry already has significant adoption of the FHIR 
standard for several use cases and there are solutions available today 
to FHIR-enable existing systems. Additionally, many of the IGs 
recommended in this rule have already been implemented by multiple 
implementers at some level. We anticipate more solutions will be 
available in the marketplace ahead of the API compliance dates in 2027. 
We acknowledge that using marketplace technical solutions may ease 
implementation. We understand that there is still a learning curve with 
respect to the FHIR-based standards and IGs and that entities may need 
to hire and train staff.
    We appreciate these perspectives and acknowledge that standards are 
what promote interoperability. The adoption of the FHIR standard and 
the IGs promote interoperability by enabling the secure exchange of 
health information across disparate systems. The FHIR APIs provide the 
framework for this exchange. Regarding concerns for the lack of 
specificity in the API requirements, we acknowledge that we are only 
recommending rather than requiring several IGs because they continue to 
evolve and are not adopted by HHS at 45 CFR 170.215. As these IGs 
continue to mature, we will consider proposing to require them through 
future rulemaking. The IGs provide the exchange of the essential data 
elements, such as patient demographics, clinical information, prior 
authorization requests, and other data to ensure the necessary 
information is shared between payers and providers. We acknowledge that 
implementation and testing will take time and welcome ongoing feedback 
through the programs and standards workgroups.
    Comment: Multiple commenters expressed concern regarding the 
proposed technical standards and IG provisions outlined in the proposed 
rule. Multiple commenters noted that technical challenges around health 
information exchange could persist despite these proposals and that the 
technical standards lack the specificity and flexibility to properly 
support the interoperable exchange of data.
    Response: We received many comments regarding our approach in the 
proposed rule of recommending, rather than requiring, specific IGs. We 
believe that this approach optimally balances the need for us to 
provide directional guidance without locking implementers

[[Page 8930]]

into the versions of the recommended IGs that were available at the 
time of the proposed rule. As these IGs mature, industry can continue 
to harmonize on common approaches that work, eventually culminating in 
a required set of specifications, which, when ready, could be proposed 
through future CMS rulemaking. If we chose not to recommend specific 
IGs, this lack of direction would mean a more diverse set of 
proprietary solutions, resulting in little to no interoperability.
    Comment: A commenter stated that there is transformative effort and 
overall risk in requiring the Patient Access, Provider Access, and 
Payer-to-Payer APIs to be implemented around the same time. A commenter 
noted that the attachments standard is not mature and that could hinder 
non-structured data exchange such as in CMS's proposals to require 
prior authorization documentation in the Patient Access, Provider 
Access, and Payer-to-Payer APIs. The commenter noted there is a risk in 
needing necessary endpoint connections and the functionality to convert 
documents between FHIR exchanges to be established by payers, 
providers, and health IT vendors for the purpose of data exchange. The 
commenter recommended that CMS first require the APIs and then add the 
exchange of attachments a few years later.
    Response: For the Patient Access, Provider Access, and Payer-to-
Payer APIs, we are requiring impacted payers to share claims and 
encounter data, all data classes and data elements included in a 
content standard at 45 CFR 170.213 (USCDI), and certain information 
about prior authorizations. Many of the data classes and data elements 
are already required for the Patient Access API, which means that 
payers have already formatted these data and prepared their systems to 
share via a FHIR API. We thus believe that payers can concurrently 
implement the APIs in this final rule.
    We agree that standards for transmitting documentation and 
attachments via the FHIR APIs are still under development and in 
testing, and thus not yet in widespread use across the industry. 
Further, as elaborated in sections II.A. and II.B. of this final rule, 
we agree that the burden of requiring impacted payers to make 
unstructured documentation available via the Patient Access and 
Provider Access APIs outweighs the benefits such documentation would 
provide. However, as discussed in section II.C., for the Payer-to-Payer 
API we are finalizing a requirement to exchange structured and 
unstructured administrative and clinical documentation submitted by 
providers related to prior authorization requests and decisions.
    Comment: Multiple commenters encouraged CMS to work with ONC to 
ensure relevant technical standards and related IGs are sufficiently 
mature and reflect the proper content and policies to allow seamless 
data transfers between payers and providers. Another commenter urged 
CMS to work in partnership with ONC to establish a clear pathway for 
the required IGs including: (1) the ability to advance IG versions 
outside the regulatory cycle; (2) adequate time for industry to 
understand and adopt new IG versions; and (3) limiting options, so as 
not to disrupt interoperability.
    Response: As previously mentioned in this section, the primary 
components of the FHIR standard are mature, as are the standards we are 
requiring in this rule. We acknowledge that the FHIR resource profiles 
included in the IGs we recommend are of varying levels of maturity, we 
believe they are sufficiently mature for industry to start implementing 
them. We refer readers to our discussion on IG maturity in section 
II.G.3.b. of this final rule. We will continue to closely coordinate 
our policies with ONC to ensure that they are mutually reinforcing. We 
are also finalizing our proposal to allow payers to use updated 
standards, specifications, or IGs for each API, as long as certain 
conditions are met, including that the updated version does not disrupt 
an end user's ability access the data required for that API.
    Comment: A few commenters shared concerns with the lack of a 
mandatory testing system, as well as lack of available test data, 
staging environments, sandboxes, and other mechanisms to help 
developers test their APIs. A commenter suggested CMS conduct usage 
validity testing of the payers' APIs throughout the development and 
deployment process of the APIs to track and mitigate any risks 
associated with missing or incorrect data. The commenter requested that 
CMS delay the enforcement timeline to accommodate these critical 
prerequisites. Likewise, another commenter recommended that CMS 
postpone publication of the final rule until it can require both the 
technical standards and IGs to prevent non-standard implementation 
across the industry. The commenter recommended that CMS work with the 
HL7 Da Vinci workgroup and ONC to ensure the APIs and associated 
standards are tested for complex use cases and to scale. Another 
commenter recommended CMS define or promote conformity to the ONC 
Inferno Framework. Another commenter recommended that CMS should 
establish a mandatory testing system like the ONC Cypress testing tool 
for the proposed APIs and data standards requirements.
    Multiple commenters noted that testing should be conducted in a 
variety of clinical settings, including small, independent, and rural 
practices, and with all end users to ensure that the technical 
standards and IGs are effective, adaptable, and efficient. A commenter 
highlighted that it is critical that any solution be fully developed 
and tested prior to wide-scale industry rollout and required usage to 
ensure the best return on the investment of industry resources. The 
commenter stated that this process should include careful consideration 
of the transactions' scalability, privacy guardrails, and ability to 
complete administrative tasks in a real-world setting. Other commenters 
recommended that CMS establish additional pilot testing programs to 
ensure industry readiness before the compliance dates.
    Response: We agree that testing is an important part of the 
implementation process and will continue to support industry efforts to 
do so, including coordinating with ONC and HL7, including the DaVinci 
Accelerator, on such efforts. We will also continue to engage with ONC 
to determine whether the Inferno Framework \177\ could be utilized in 
the future. HL7's IG testing process includes privacy and security 
testing. Also, FAST,\178\ which is an initiative started by ONC, 
identifies FHIR scalability gaps, defines solutions to address current 
barriers, and identifies needed infrastructure for scalable FHIR 
solutions. Real-world testing can only be accomplished if payers choose 
to pilot an implementation during the testing phase, which CMS cannot 
require participation in. However, we are not delaying publication of 
this final rule, as we understand that industry requires a firm 
commitment from the Federal Government to the adoption and 
recommendation of standards. Based on comments received, and as 
discussed throughout this final rule, we are delaying the compliance 
dates for all the policies that require API development and enhancement 
to 2027, which will

[[Page 8931]]

allow additional time for FHIR specifications to continue to be refined 
and advanced to support the policies in this final rule.
---------------------------------------------------------------------------

    \177\ Office of the National Coordinator for Health Information 
Technology (n.d.). Inferno. Retrieved from https://inferno.healthit.gov/.
    \178\ Health Level Seven International (2023, October 13). FHIR 
at Scale Taskforce (FAST). Retrieved from https://confluence.hl7.org/display/FAST.
---------------------------------------------------------------------------

    We also appreciate the multiple comments received on the importance 
of testing and the provision of examples, such as the ONC Cypress 
testing tool, which is an open-source tool used in the ONC Health IT 
Certification Program to ensure certified health IT accurately 
calculates electronic clinical quality measures (eCQMs). We will 
continue to collaborate with ONC and DaVinci on testing the APIs and 
with HL7 on communication and outreach to payers, developers, and 
providers.
    Comment: Multiple commenters urged CMS to closely track and 
participate in the standards development process to ensure that all 
perspectives are considered, such as providers, payers, and other 
applicable end users. Multiple other commenters urged CMS and ONC to 
provide funding to HL7 FHIR Accelerators and task forces. A commenter 
expressed their desire for CMS to increase opportunities for greater 
stakeholder participation in the standards development process. Another 
commenter recommended that CMS release a formal assessment of the 
status of technology development in support of the new requirements to 
demonstrate that the technology is fully developed and implementable.
    Response: We are an active participant in the standards development 
process through various workgroups and FHIR Accelerators. A few of the 
recommended IGs have been developed by HL7 FHIR Accelerator programs, 
which bring together individuals across the industry to create and 
adopt IGs in alignment with HL7, which allows new and revised 
requirements to become open industry standards. Under HL7 FHIR 
Accelerators, interested parties within the industry have defined, 
designed, and created use-case-specific implementations of FHIR to 
address value-based care initiatives. Some HL7 FHIR Accelerators, such 
as Da Vinci and CARIN, have created IGs that we recommend be used for 
the Patient Access, Provider Directory, Provider Access, Payer-to-
Payer, and Prior Authorization APIs. We also provide contract support 
to supplement existing work led by the SDOs and FHIR Accelerators. 
Further, we cohost an annual FHIR Connectathon testing event with HL7 
and encourage diverse stakeholder participation from payers, providers 
and patient advocates. HL7 has developed a FHIR Maturity Model (FMM) 
\179\ that defines thresholds of standards maturity as part of their 
standards development and publication process. HL7 requires a specific 
maturity level for parts of the standards development and publication 
process. We also note that ONC publishes an Interoperability Standards 
Assessment (ISA).\180\ The latest published 2023 version provides 
information on the HL7 standards that are required or recommended in 
this rule.
---------------------------------------------------------------------------

    \179\ Health Level Seven International (n.d.). Version 
Management Policy. Retrieved from http://hl7.org/fhir/R4/versions.html#maturity.
    \180\ Office of the National Coordinator for Health Information 
Technology (2023). 2023 Interoperability Standards Advisory 
Retrieved from https://www.healthit.gov/sites/isa/files/inline-files/2023%20ReferenceM.A20Edition_ISA_508.pdf.
---------------------------------------------------------------------------

    Comment: A commenter urged CMS to pay close attention to principles 
that focus on assessing provider impact, measuring success in achieving 
stated goals, and monitoring standards development and use. The 
commenter stated that these principles can help guide CMS and 
developers to better respond to provider needs. Another commenter urged 
CMS to ensure that the technical standards meet provider and patient 
needs and accurately embody CMS's goals to improve care and reduce 
provider burden.
    Response: We will continue to assess standards development and use 
as an active participant in the HL7 community and FHIR workgroups. We 
also encourage stakeholders to participate and contribute to the work 
of the SDOs in the standards development and evolution, because broad 
engagement would support the improvement of interoperable standards.
    Comment: A commenter recommended continued Federal support of 
ongoing standards development and data interoperability work, including 
financial and technical support, for SDOs such as the HL7 Da Vinci 
Workgroup, FAST, and other applicable workgroups. Some commenters 
encouraged CMS to advance the FAST initiatives to address the ongoing 
challenges of patient matching, identity management, security and 
authentication, and access to the necessary digital endpoints. Another 
commenter expressed support for incentives and investment in FHIR-based 
pilots and technology, stating that this would move the industry 
towards FHIR APIs for real-time information exchange.
    Response: We agree and intend to continue our support for and 
participation in various standards development activities. As noted 
previously, we provide contract support to supplement existing work led 
by the SDOs and FHIR Accelerators. We believe that the policies that we 
are finalizing are a crucial step in moving the industry towards real-
time information exchange.
    Comment: A commenter stated that to assist providers in making 
informed decisions, CMS should apply the same ``discrete data element 
standards'' the agency applied to the original Patient Access API to 
the new prior authorization data added to the Patient Access, Provider 
Access, and Payer-to-Payer APIs. Another commenter requested that CMS 
consider synchronizing the required technical standards for those three 
APIs given that the APIs are functionally identical. The commenter 
stated that having a single standardized API for the three different 
access types (patient, provider, and payer) would provide three key 
benefits: (1) simplifies the technical approach for initial rollout and 
any future changes; (2) allows Medicaid programs to focus on challenges 
that these APIs pose; and (3) reduces end user confusion since end 
users will see the same data shared through the APIs. A commenter 
requested that CMS continue to standardize and harmonize API 
requirements to reduce potential burden for providers and confusion for 
consumers. Another commenter stated that these requirements should be 
consistent across all stakeholders.
    Response: Each of the APIs in this rule will require sharing only 
structured documentation, except for the Payer-to-Payer API, which 
includes unstructured administrative and clinical documentation 
submitted by a provider to support a prior authorization request. We 
intentionally based the requirements for the Provider Access and Payer-
to-Payer APIs on the content requirements for the Patient Access API, 
to facilitate reuse, since payers have already formatted these data 
elements and prepared their systems to share these standardized data 
via a FHIR API. Payers already devoted the development resources to 
build a FHIR API infrastructure when they implemented the Patient 
Access API, which can be adapted for additional interoperability use 
cases. While the data we are requiring to be shared via these APIs 
would be nearly identical, they have different use cases, thus 
necessitating separate API regulatory requirements. We also encourage 
payers to reuse infrastructure for all the APIs. Payers may implement 
the API functionality by using one or multiple APIs, depending on their 
approach, as long as all

[[Page 8932]]

requirements are met for each of the APIs.
    Comment: Multiple commenters recommended that CMS align the 
technical standards provisions outlined in this rule with the HIPAA 
Standards for Health Care Attachments proposed rule (87 FR 78438). A 
commenter recommended that CMS work with ONC to do so. Another 
commenter stated that they support both rules and urged CMS to ensure 
that there are no duplicative efforts. Another commenter recommended 
removing the prior authorization provisions outlined in the HIPAA 
Standards for Health Care Attachments proposed rule and moving forward 
with finalizing FHIR-based standards and transactions. Another 
commenter encouraged CMS to work with ONC to align any prior 
authorization proposals with HHS's proposal to establish a national 
standard for electronic attachments.
    Response: Requirements to use certain HIPAA transaction standards 
for prior authorization were proposed in the HIPAA Standards for Health 
Care Attachments proposed rule. These are related policies, and we will 
ensure a path toward implementation that will allow payers and 
providers to comply with both. However, because that rule has not been 
finalized, we cannot comment on how the standards would align with the 
policies in this rule. If finalized, in that final rule we would 
discuss the impact of those policies and any opportunities to align 
with our policies in this final rule. We will also continue to work 
with ONC on alignment between standards in this rule, and other 
standards adopted across CMS.
    Comment: Multiple commenters recommended that CMS institute 
financial incentives for market suppliers, providers, and payers to 
participate in the testing and development of technical standards, IGs, 
and applicable processes. The commenter stated that one of the primary 
challenges of standards development and testing is a lack of financial 
and regulatory incentives for stakeholders to participate, which then 
slows down testing. Multiple commenters cautioned CMS to consider the 
cost of establishing the proposed API infrastructure. Another commenter 
noted that implementation will require integration between the newly 
acquired API functionality and the existing data sources, which 
includes exporting data from current systems to be imported and stored 
within a FHIR-compliant repository so that it can be presented via the 
API to the user. Multiple commenters requested that CMS provide 
technical assistance and resources to help the industry implement the 
APIs and meet all the technical standards and requirements outlined in 
this rule. Another commenter requested that CMS engage with 
stakeholders to develop resources and technical assistance to help 
industry operationalize and meet the proposed technical standards and 
API requirements outlined in the rule and any other parallel agency 
efforts.
    Response: At this time, we lack statutory authority to provide 
financial incentives to participate in the testing and development of 
technical standards, IGs, and applicable processes. While we do not 
currently provide funding for IT infrastructure development costs 
(except for Medicaid agencies, as discussed in section II.E. of this 
final rule), we do provide educational webinars providing overviews of 
the technical requirements in the interoperability rules. Additional 
public resources also exist through HL7, such as their Connectathons, 
HL7 website resources, and HL7 FHIR workgroup meetings that are 
generally available. We also cohost an annual Connectathon with HL7, 
which is free for stakeholders to attend. Ultimately, each payer is 
responsible for ensuring that their users are trained on their systems.
    Comment: A commenter stated that a frequent problem is that there 
is not a well-established or monitored mechanism for an implementer to 
contact a payer about implementation issues or implementation 
questions. The commenter stated that this is an important missing piece 
to making widespread implementation viable. The commenter reflected on 
the experience of third-party apps engaging with payers to implement 
the existing Patient Access API. They stated that third-party apps 
struggle with finding someone to fix issues, answer questions, approve 
their registrations, and address other barriers to implementation they 
experienced.
    Multiple commenters stated that to support the proposed APIs, 
provider and payer endpoints must be included in a national directory, 
available to support endpoint discovery, before the compliance dates of 
the Provider Access, Payer-to-Payer, and Prior Authorization APIs. A 
commenter stated that a CMS NDH should be initiated to help find 
provider and payer endpoints. Another commenter stated that the lack of 
an authoritative central directory could create a significant gap in 
the ability for industry to move many critical interoperability 
initiatives forward. Another commenter stated the proposed technical 
standards for APIs is a helpful step to greater interoperability; 
however, CMS failed to properly account for the complexity of this 
implementation. The commenter recommended that CMS should implement a 
national directory so that each plan and provider must maintain only 
one incoming/outgoing connection.
    Response: We acknowledge commenter concerns that there is not a 
monitored mechanism for contacting a payer about implementation issues 
or implementation questions. We thank the commenters for their concern 
that the lack of an authoritative central directory is a gap in the 
ability to move forward with interoperability initiatives. We do 
understand that a directory of payer and provider digital endpoints 
would be highly beneficial to facilitate our Payer-to-Payer, Provider 
Access, and Prior Authorization APIs policies, and as discussed in 
section I.D. of this final rule we are committing to exploring an NDH 
that contains payers' digital endpoints in support of the Payer-to-
Payer API and providers' digital endpoints. We will also explore 
including payer contact information, including whom to contact 
regarding API implementation issues or questions, in any NDH we 
propose.
    Comment: A commenter stated that adding standard data classes and 
data elements around high-priority use cases is an effective strategy 
to make data more accessible to consumers. The commenter noted that the 
Provider Directory and Patient Access APIs can serve as a base for the 
other proposed APIs. The commenter provided recommendations to help CMS 
achieve this goal such as establishing operational standards to help 
developers, requiring payers to register app developers and grant 
authorization to production access without regard to out-of-band 
consent standards payers choose to implement, and establishing stronger 
requirements for payers to make this information available. The 
commenter also recommended that (1) CMS require impacted payers to 
establish sandbox environments; (2) CMS impose a reasonable time 
standard to mitigate implementation delays; (3) CMS require impacted 
payers to perform conformance tests and report results to the public; 
and (4) CMS require that impacted payers' technical documentation for 
the Patient Access API notes what USCDI data are made available. 
Another commenter recommended that CMS should develop a roadmap in 
partnership with the private sector for all the technical use cases 
outlined in the proposed rule.
    Response: We appreciate the additional suggestions, however, many

[[Page 8933]]

of those were not proposed and therefore, we cannot include such 
provisions in the final rule. We also understand the value of a sandbox 
environment and acknowledge the value of payers establishing sandbox 
environments for implementers to test; however, we realize there are 
industry costs to doing so.
    Comment: Multiple commenters encouraged CMS to consider alternative 
approaches to achieving data exchange. A commenter recommended that CMS 
consider other types of interoperability technology beyond APIs and 
request/response data exchange, which can lead to multiple copies of 
data. The commenter suggested CMS consider services that provide 
virtual real-time data updates. Another commenter recommended that CMS 
work with ONC to develop a future-looking approach to allow consumers 
to direct the sharing of claims data with third-party entities via a 
national exchange platform. A commenter recommended that CMS, ONC, and 
HL7 work together to build the infrastructure for a standard for ADT 
data.
    Response: While we appreciate the commenters who asked us to 
consider services that provide virtual real-time data updates and we 
recognize the importance of needing the patient information as soon as 
possible or in real time, we also believe that requiring that at this 
time would cause undue burden on impacted payers. We nonetheless 
encourage payers to make data available to requesting providers as soon 
as they are able. We understand the concern over duplicative 
information, and it is not our intention to increase provider burden 
sharing data through the APIs referenced in this final rule. There are 
IT solutions available for providers' EHRs or practice management 
systems, such as SMART on FHIR apps, which can make the data received 
via the APIs actionable and avoid duplicative information. We also note 
that standards for ADT data are outside the scope of this final rule.
    Comment: A commenter highlighted that health IT challenges can 
sometimes be larger than they appear. The commenter stated that 
regulatory requirements can be tailored to coincide with health IT 
functionalities that are currently available to support organizations 
in accomplishing interoperability in a more affordable way.
    Response: We thank the commenter for their input and will continue 
to closely coordinate with industry to decrease implementation burden 
wherever possible.
    Comment: A commenter urged CMS not to finalize the interoperability 
proposals until stakeholders have had a chance to review and comment on 
ONC's HTI-1 proposed rule, which was still under review at the Office 
of Management and Budget (OMB) at the time of publication of the CMS 
Interoperability and Prior Authorization proposed rule.
    Response: We recognize that commenters are interested in ONC 
policies that relate to the policies in the proposed rule. ONC has 
since published the HTI-1 final rule. While related, these rules 
address separate areas of CMS and ONC authority. We are not finalizing 
any modifications from the proposed rule based on HTI-1 other than 
updating our regulatory citations and incorporating expiration dates 
ONC has finalized for particular standards at 45 CFR 170.215. 
Therefore, we did not offer an additional comment period.
    Comment: Multiple commenters expressed appreciation for CMS not 
requiring health IT certification for the interoperability requirements 
outlined in this proposed rule. A commenter stated that establishing 
certification criteria based on the current HL7 Da Vinci IGs is 
premature. The commenter noted that providers must use data from CEHRT 
for the electronic prior authorization measure, which will serve as a 
spur for adoption of certified health IT. Another commenter noted that 
some of the proposed APIs require multiple health IT systems to 
interact and support a complex workflow and stated that establishing a 
certification approach using functional capabilities would be 
challenging, and encouraged CMS to engage with providers and payers to 
gather information to establish a well-defined and scalable set of 
guidelines and capabilities.
    Opposite to that, a commenter recommended that CMS work with ONC to 
incorporate new standards and requirements for API use by EHR vendors 
as certification criteria in the ONC Health IT Certification Program.
    Response: We did not propose and are not finalizing any other 
requirements related to certification under the ONC Health IT 
Certification Program in this final rule. However, we note that the 
Unified Agenda, at the time of this final rule's publication, includes 
an entry for a proposed rule from ONC (RIN 0955-AA06).\181\ The 
description indicates that that proposed rule aims to advance 
interoperability, including proposals to expand the use of certified 
APIs for electronic prior authorization. We plan to continue to explore 
how potential updates to the ONC Health IT Certification Program could 
support our policies and will address any updates to our requirements 
related to the Certification Program in future rulemaking.
---------------------------------------------------------------------------

    \181\ Office of Information and Regulatory Affairs (n.d.). 
Health Data, Technology, and Interoperability: Patient Engagement, 
Information Sharing, and Public Health Interoperability. Retrieved 
from https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0955-AA06.
---------------------------------------------------------------------------

    Comment: A commenter recommended that CMS should establish a 
consistent set of technical standards between the TEFCA and CMS-
required APIs so that the industry does not have to implement multiple 
different standards depending upon the exchange partner or mechanism 
for exchange.
    Response: We refer readers to section II.B. of this final rule for 
a discussion on the interaction between policies that require API 
development or enhancement and TEFCA.
    Comment: A commenter recommended CMS consider a policy requiring 
third-party payers, benefit managers, and any other party conducting 
utilization management to accept and respond to standard electronic 
prior authorization transactions for pharmacy benefits that use a 
nationally recognized format, such as the NCPDP SCRIPT standard. 
Similarly, another commenter stated that CMS should encourage health IT 
vendors and developers to provide retail pharmacies with technical IT 
infrastructure to bridge the gap between pharmacy claim systems and 
medical benefit claims systems and noted that many retail pharmacies 
only utilize the NCPDP standards and do not have the capability to 
enroll as DME suppliers and submit claims using X12 transactions. 
Another commenter recommended that CMS explore the need to designate an 
electronic transaction standard for drugs covered under a medical 
benefit.
    Response: We appreciate stakeholders' interest in pharmacy 
standards and bridging the gap between pharmacy and medical benefit 
systems and we recognize the need to do so in the future. However, as 
noted in section I.D.3., standards for data exchange for any pharmacy 
claims and drugs covered under medical benefits are excluded from our 
policies and out of scope for this rule.
    Comment: A commenter stated that under the ONC Health IT 
Certification Program, APIs must be registered within 15 days (45 CFR 
170.315(g)(10)). However, the commenter stated that CMS did not impose 
any registration requirements for the proposed payer

[[Page 8934]]

APIs. The commenter recommended that CMS should consider imposing a 
reasonable registration period for APIs to address delays reported by 
CARIN members throughout the onboarding and authorization process to 
acquire test accounts, sandbox access to test API connections, and 
troubleshooting support.
    Response: We did not propose registration deadlines as a 
requirement for payer APIs in the same fashion as the health IT 
certification criterion at 45 CFR 170.315(g)(10), such that Health IT 
Modules certified to 45 CFR 170.315(g)(10) must register patient-facing 
applications within 15 days (per associated requirements at 45 CFR 
170.404(b)); however, we acknowledge that such requirements can help to 
support the usability of APIs. We may further explore how to 
incorporate registration deadlines into our API requirements in future 
rulemaking.
    Comment: A commenter recommended setting an implementation date 
before January 1, 2026, and mandating HL7 FHIR Release 4.0.1. The 
commenter also recommended operational enhancements for payers such as 
payers allowing longer lifespans on access tokens, payers not imposing 
unsupported security and authentication workflows, and payers 
supporting test accounts and synthetic data in production environments. 
The commenter noted that these recommendations would dramatically 
improve access to data from available open APIs while setting standards 
for payers and their interoperability vendors to follow.
    Response: HL7 FHIR Release 4.0.1 has already been adopted by HHS in 
the ONC Cures Act final rule at 45 CFR 170.215 (85 FR 25521). We will 
continue to work with payers on testing and implementation of their 
interoperability APIs through FHIR Connectathons and encourage 
stakeholders to participate in FHIR workgroups. We will explore 
additional enhancements through future rulemaking.
    Comment: A commenter recommended using the most recently approved 
HL7 Da Vinci IG that supports HL7 FHIR Release 4.0.1. The commenter 
stated that the SMART App Launch IG does not support HL7 FHIR Release 
4.0.1.
    Response: We thank the commenter for their recommendation, but we 
disagree that the SMART App Launch IG does not support HL7 FHIR Release 
4.0.1, as the SMART App Launch IG is built on top of the FHIR Release 
4.0.1 specification itself. The SMART App Launch IG specifies a number 
of capabilities, including user authentication and authorization, back-
end service authentication, application launch, and context sharing, 
that systems can use to interact within the FHIR R4 standard.
    Comment: A commenter sought clarification on the use case for the 
Bulk Data Access IG for the Patient Access API, since one of the 
biggest challenges for EHR vendors today is determining how to handle 
inbound data exchanged via the FHIR standard.
    Response: We did not propose, nor are we finalizing, a requirement 
to require the Bulk Data Access IG for the Patient Access API.
b. Additional Implementation Guide Discussion
    In the proposed rule, we discussed that several of the recommended 
IGs, such as HL7[supreg] FHIR[supreg] Da Vinci Payer Data Exchange 
(PDex) IG, build on specific profiles within the US Core IG (87 FR 
7615). Following the publication of the HTI-1 final rule, at 45 CFR 
170.215(b)(1) there are two adopted versions of the US Core IG: the US 
Core IG STU 3.1.1 (at 45 CFR 170.215(b)(1)(i)), until this standard 
expires on January 1, 2026, and the US Core IG STU 6.1.0 (at 45 CFR 
170.215(b)(1)(ii)). We only proposed to require US Core STU 3.1.1 
because it was the only version adopted at the time of the proposed 
rule. However, we recognize that some of the recommended IGs (and 
subsequent versions) may use profiles added in US Core IG STU 6.1.0. 
Payers can use updated versions of the recommended IGs that rely on 
newer versions of the US Core IG, if those updated versions meet our 
existing requirements finalized in the CMS Interoperability and Patient 
Access final rule (85 FR 25532), as discussed further below.
    Specifically, in the proposed rule, we recognized that the data 
content for each API may only require a subset of the profiles defined 
within the US Core IG and gave examples (87 FR 76314-76315). While we 
want to ensure that implementers' systems create FHIR resources 
conformant to the US Core IG, where applicable, to support 
interoperability across implementations, we also do not want to require 
payers to engage in unnecessary development. Therefore, we proposed and 
are finalizing that impacted payers are only required to use technology 
conformant with the US Core IG, where applicable (that is, where there 
is a corresponding FHIR resource to the data content requirements for 
the API). If a FHIR resource is part of the required data content and 
has been profiled by the US Core IG, then the payer must support the 
FHIR resource according to the FHIR resource profile's ``Structure 
Definition'' in the US Core IG. For example, because the ``Patient'' 
FHIR resource is required in the Patient Access API, the ``Patient'' 
FHIR resource must conform with the ``US Core Patient Profile,'' 
including all the ``mandatory'' and ``must support'' requirements 
specified in the US Core IG.
c. Using Updated Versions of Required Standards
    In the CMS Interoperability and Patient Access final rule (85 FR 
25510), we established that impacted payers could use an updated 
version of a required standard for the Patient Access or Provider 
Directory APIs under certain conditions. Payers may use updated 
versions of standards at 45 CFR 170.213 and 170.215 if the following 
conditions are met: (1) the National Coordinator has approved the 
updated version for use in the ONC Health IT Certification Program, (2) 
the updated version of the standard does not disrupt an end user's 
ability to access the required data via that API, and (3) the updated 
standard is not prohibited by law (85 FR 25522). Payers may use an 
updated version if required by other applicable law. We proposed to 
extend this policy to allow payers to use updated versions of a 
standard to the Provider Access, Payer-to-Payer, and Prior 
Authorization APIs. Under that proposal, impacted payers could upgrade 
to newer versions of the required standards, subject to those limiting 
conditions (87 FR 76315).
    One of those conditions for using updated versions of the standards 
at 45 CFR 170.213 and 170.215 is that the National Coordinator has 
approved the updated version for use in the ONC Health IT Certification 
Program. The National Coordinator approves updated versions of 
standards in the ONC Health IT Certification Program through SVAP, 
pursuant to 45 CFR 170.555, which was finalized in the ONC Cures Act 
final rule as a Maintenance of Certification flexibility included in 
the real-world testing Condition of Certification (85 FR 25775). This 
flexibility permits health IT developers to voluntarily use, in certain 
certified Health IT Modules, newer versions of adopted standards so 
long as specific conditions are met, providing a predictable and timely 
approach within the ONC Health IT Certification Program to keep pace 
with the industry's standards development efforts.
    Under SVAP, after a standard has been adopted through notice and 
comment rulemaking, ONC engages in

[[Page 8935]]

an open and transparent process to timely ascertain whether a more 
recent version of an adopted standard or implementation specification 
should be approved by the National Coordinator for developers' 
voluntary use in the ONC Health IT Certification Program. ONC publishes 
updated versions of standards under consideration for SVAP and lists 
the updated versions of standards that the National Coordinator has 
approved as part of the Interoperability Standards Advisory on 
HealthIT.gov.\182\ Members of the public can use this resource to 
review standards that may be approved through SVAP in the future, as 
well as provide input on which updated versions should be approved. We 
encourage impacted payers to review these resources to better 
understand how updated versions of the standards at 45 CFR 170.213 and 
170.215 may be approved by the National Coordinator through SVAP and 
become available for payers to use in their APIs, provided other 
specified conditions for using updated standards are met. Several 
updated versions of the standards currently at 45 CFR 170.213 and 
170.215 have been approved by the National Coordinator through 
SVAP,\183\ including USCDI v2 and v3; US Core IG STU 4.0.0, 5.0.1, and 
6.1.0; SMART App Launch IG Release 2.0.0; and Bulk Data Access IG 
v2.0.0: STU 2. As soon as the National Coordinator approves updated 
versions through SVAP, we consider the updated versions to have met 
this condition for use by impacted payers for our API requirements. We 
emphasize that if impacted payers choose to use updated standards, it 
must not disrupt an end user's ability to access the required data. We 
are finalizing this proposal, as proposed.
---------------------------------------------------------------------------

    \182\ Office of the National Coordinator for Health Information 
Technology (n.d.). SVAP. Retrieved from https://www.healthit.gov/isa/standards-version-advancement-process.
    \183\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

    Comment: Multiple commenters expressed support for CMS's proposal 
to allow flexibility for payers to use updated versions of certain 
standards and specifications required for APIs in the proposed rule. A 
commenter expressed support for aligning standards between the Patient 
Access, Provider Access, and Payer-to-Payer APIs, as this ensures data 
compatibility between use cases. Another commenter stated that the 
standards and specifications at 45 CFR 170.215 are more advanced and 
better aligned with present efforts to streamline prior authorization 
workflows by leveraging HL7's FAST work. Another commenter stated that 
these standards support widespread interoperability, ease 
implementation, and minimize complexity and costs. A commenter 
expressed strong support for CMS's efforts to promote portability of 
patients' EHI between providers and payers to assure continuity of care 
by further building on the common standards platform of FHIR APIs using 
USCDI, where applicable. Multiple commenters expressed support for the 
continued alignment between CMS and ONC regarding updates to technical 
standards and specifications through the rulemaking process.
    Response: We acknowledge and thank commenters for their support of 
our policies.
    Comment: A commenter stated that CMS's approach to mandating 
technical standards by referencing specific standards in regulation is 
novel for health information exchange. The commenter stated that prior 
data exchanges, such as the HIPAA standard transactions or the machine-
readable files, have everything defined in the named specifications and 
not defined by reference to another standard in regulation. The 
commenter stated that having standards specified elsewhere allows for 
the referenced standards to be changed which would then have the 
cascading effect of requiring changes in all the APIs on the timeframe 
of the standard change for the APIs to remain conformant. The commenter 
disagreed with this regulatory approach and stated that it is better to 
have each API specified separately and to be self-contained (that is, 
not having referenced standards). The commenter stated that this way 
individual APIs could be evaluated for change on their own merits, as 
standards in the HIPAA Standards for Health Care Attachments proposed 
rule are currently being evaluated with the potential change in the 
version for the X12 278 transaction standard for attachments under 
HIPAA (version 6020) or for the X12 837 transaction standard for 
claims, and the X12 835 transaction standard for remittance advice 
being recommended by X12 for consideration to X12 8020 transaction 
standard for plan premium payments, or the recommended upgrade of three 
other X12 transactions to version 8030, including claim status, health 
plan enrollment, and health plan premium payments.
    Response: We appreciate the commenter's concerns regarding the 
timing of updates to required standards via reference to other 
regulations. We intend to collaborate with ONC to ensure updates to 
standards are deployed with reasonable timeframes and sufficient 
advance notice for payers to make any required updates to their APIs. 
Aligning with the HHS-adopted API standards and associated 
implementation specifications at 45 CFR 170.215 is important to ensure 
consistency. We are finalizing the versions of the required standards 
that were at 45 CFR 170.215 at the time of this proposed rule. However, 
ONC has since finalized the HTI-1 final rule (89 FR 1192), which 
adopted updated versions of certain standards including the US Core IG 
STU 6.1.0 (at 45 CFR 170.215(b)(1)(ii)) and the SMART App Launch IG 
Release 2.0.0 (at 45 CFR 170.215(c)(2)). Additionally, ONC has 
finalized expiration dates for the US Core IG STU 3.1.1 (at 45 CFR 
170.215 (b)(1)(i)) and the SMART App Launch Framework IG Release 1.0.0 
(at 45 CFR 170. 215(c)) to indicate when a version of a standard may no 
longer be used. We intend to align with the updated versions finalized 
at 45 CFR 170.215 through future rulemaking prior to the API compliance 
dates. While we did not propose to require those updated versions, we 
emphasize that impacted payers are permitted to use them based on our 
policy to allow updated versions of required standards, as discussed 
below.
    The update and review process for HIPAA transaction standards 
follows a statutory review process but does not include the same 
testing and balloting process we require for the standards and IGs. 
Furthermore, the HL7 standards and IGs adopted by ONC may be updated 
for use in the ONC Health IT Certification Program through the SVAP. We 
rely on this flexibility in our update policy by allowing payers to use 
versions of standards at 45 CFR 170.213 and 170.215 that have been 
approved by the National Coordinator, enabling a nimble approach to 
industry testing and innovation. This does not currently exist under 
the HIPAA standard transaction reference model process.
    Comment: Multiple commenters recommended that CMS update the 
clinical data requirements to USCDI v2. The commenters also recommended 
that CMS give guidance on if and when USCDI v3 and v4 may be required. 
The commenters noted that use of these updated standards would advance 
health equity and public health work. A commenter strongly recommended 
that impacted payers incorporate data elements identified in a newer 
version of the USCDI, specifically USCDI v3, instead of the proposed 
USCDI v1. The commenter noted that USCDI v1 does not constitute an 
elaborated list of data

[[Page 8936]]

elements compared to the most recent versions, which incorporate 
elements that play a critical role in electronic data exchange. Another 
commenter requested CMS and ONC provide guidance regarding using newer 
versions of USCDI and associated US Core IG. The commenter noted that 
this guidance will be helpful when multiple versions of the USCDI are 
available for use, so all third-party app developers have clear 
expectations and understanding regarding what data they need to be able 
to share and receive.
    Response: As discussed in section II.A.2.d., we are finalizing a 
change to the required data content for the Patient Access, Provider 
Access and Payer-to-Payer APIs to a standard listed at 45 CFR 170.213. 
At the time of the CMS Interoperability and Prior Authorization 
proposed rule, USCDI v1 was the only version of the USCDI adopted at 45 
CFR 170.213. However, ONC has since published the HTI-1 final rule, 
which establishes a January 1, 2026, expiration date for USCDI v1 and 
adopts USCDI v3 at 45 CFR 170.213. After January 1, 2026, USCDI v3 
would be the only version specified at 45 CFR 170.213 that has not 
expired (89 FR 1192). In this way, the required version of the USCDI 
for the APIs in this final rule will advance in alignment with versions 
adopted by ONC in 45 CFR 170.213. When more than one version of USCDI 
is adopted at 45 CFR 170.213 and have not expired, payers may conform 
to either version.
    As stated previously in this section, we are also finalizing our 
proposal that an updated version of a standard could be used if it is 
required by other law, or if ONC has approved the updated version for 
use in the ONC Health IT Certification Program, users are able to 
access the required data via the API, and it is not prohibited by other 
law. In order to identify updated standards that have been approved for 
use in the ONC Health IT Certification Program, payers can review the 
standards approved through the SVAP on ONC's website https://www.healthit.gov/isa/standards-version-advancement-process, as well as 
standards that are being considered for approval through SVAP (new 
standards for SVAP are approved annually).
    We note that USCDI v2 was approved in the 2022 SVAP cycle, while 
USCDI v3 was approved as part of the 2023 SVAP cycle.\184\ We also note 
that several updated versions of the US Core IG subsequent to the 
required US Core IG STU 3.1.1 have been approved by the National 
Coordinator through the SVAP and are available for payers to use under 
this policy, including US Core IG STU 4.0.0, 5.0.1, and 6.1.0.\185\
---------------------------------------------------------------------------

    \184\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
    \185\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

    The US Core IG is updated annually to reflect changes to the USCDI, 
and each US Core IG version is built to a specific version of the 
USCDI. For instance, US Core IG STU 3.1.1 is built to USCDI v1 and the 
US Core IG STU 6.1.0 is built to USCDI v3. As the recommended IGs 
continue to be refined and advance, they may reference different 
versions of the US Core IG based on updated versions of the USCDI. 
Implementers are encouraged to adopt the newer versions of the 
recommended IGs as they are published. Consistent with our final 
policies to allow payers to use updated standards at 42 CFR 170.215 if 
they have been approved by the National Coordinator for use in the ONC 
Health IT Certification Program and other conditions, implementers may 
use updated versions of US Core referenced to the specifications in 
recommended IGs. HL7 and the FHIR Accelerators are aware of these 
concerns and are working on an approach to enable greater version 
support for IGs.
    Comment: Multiple commenters supported flexibility to use updated 
standards, such as ONC's SVAP for certified health IT developers, to 
allow payers to use the most current recognized versions of vocabulary 
standards and interoperability standards or specifications used in the 
certification. A commenter stated that CMS should only require new 
versions of standards, specifications, and IGs after testing and 
adequate time for implementation. Another commenter stated that the 
mechanism to allow implementers to advance versions of standards in 
this rule as long as using an updated standard does not impair access 
to data through the API can be used for any or all IGs used to support 
these APIs or related auxiliary processes (for example, patient 
attribution).
    Response: We appreciate the support for this policy. The standards 
we are requiring in this final rule are those that we believe are 
sufficiently mature. We intend for future rulemaking to operate 
similarly. As stated, payers can implement the latest versions of the 
required standards and IGs as long as they meet the specified 
conditions, such as not impairing access to data through the API.
    Comment: Multiple commenters stated that use of specific FHIR-based 
standards, specifications, and IG versions should align with those 
approved by ONC through SVAP. A commenter stated that CMS requirements 
and adoption timelines should remain coordinated with ONC's 
progression. The commenter suggested that CMS use a more general 
reference to the ONC Health IT Certification Program and SVAP. Another 
commenter stated that ONC will be providing a more current set of 
standards and specification versions soon through ONC Health IT 
Certification Program updates. The commenter stated that it is 
imperative that CMS require developed APIs to conform to the most 
recently approved SVAP standards within 12 months of approval. The 
commenter also recommended that CMS coordinate with ONC to include more 
standards and IGs in the SVAP to align with the rule. The commenter 
also recommended that CMS include a transition period (for example, 12 
months).
    Response: We appreciate the commenters feedback and remind readers 
that under this final rule, in addition to our coordination with ONC, 
payers are permitted to voluntary use updated standards provided it 
does not disrupt an end user's ability to access the data available 
through the API. In addition, implementers may advance to those 
standard versions approved by the ONC through SVAP.
    We decline at this time to set a timeline by which we would require 
impacted payers to use the updated version of the standard rather than 
the adopted version of the standard. We believe the voluntary nature of 
the SVAP supports a transitional period--also a request from 
commenters--by allowing for a flexible implementation of standards 
versions between regulatory cycles during which ONC revises the adopted 
version to the latest update for each standard. We will continue to 
engage with patients, providers, payers, health IT developers, and our 
Federal partners to ensure that this approach balances the need to 
advance standards with the need for flexible transition periods for 
updates. We will also continue to work with ONC in their efforts to 
support HHS and the health care industry through the advancement and 
adoption of interoperable standards and implementation specifications 
for a wide range of health IT use cases.
    We support innovation and continued efforts to refine standards in 
a way that will leverage the most recent technological advancements. 
Thus, we also sought comment on the process we

[[Page 8937]]

should use to adopt or allow new versions of standards and 
implementation specifications over time. We received many comments in 
response to our request for comment and will consider this feedback for 
future rulemaking and guidance. We are finalizing the proposal to allow 
payers to use an updated standards, specifications, or IGs if required 
by law, or if the updated standard, specification, or IG is approved 
for use in the ONC Health IT Certification Program, do not disrupt an 
end user's ability to access the required data, and is not prohibited 
by law for each of the APIs at the CFR sections listed in Table H2.
3. Recommended Standards To Support APIs
    In the CMS Interoperability and Patient Access final rule (85 FR 
25529), we noted that there are publicly available IGs that provide 
implementation information that impacted payers can use to meet the 
regulatory requirements for these APIs. Using those IGs supports 
interoperability and allows impacted payers to avoid developing an 
approach independently, which could save time and resources. In this 
final rule, we are recommending specific IGs that are relevant to each 
of the APIs, which may be used in addition to the required standards at 
45 CFR 170.215.
    In the December 2020 CMS Interoperability proposed rule, we 
proposed to require impacted payers to use certain IGs, including the 
CARIN IG for Blue Button[supreg], HL7[supreg] FHIR[supreg] Da Vinci 
PDex IG, HL7[supreg] FHIR[supreg] Da Vinci PDex U.S. Drug Formulary IG, 
HL7[supreg] FHIR[supreg] Da Vinci PDex Plan Net IG, HL7[supreg] 
FHIR[supreg] Da Vinci Coverage Requirements Discovery (CRD) IG, 
HL7[supreg] FHIR[supreg] Da Vinci Documentation Templates and Rules 
(DTR) IG, and HL7[supreg] FHIR[supreg] Da Vinci Prior Authorization 
Support (PAS) IG (85 FR 82586) to support the APIs in that proposed 
rule. As discussed in section I.A. of this final rule, we are 
withdrawing the December 2020 CMS Interoperability proposed rule. We 
also noted that these IGs continue to be developed and refined through 
the HL7 ballot and standard advancement process to better support the 
Patient Access, Provider Access, Payer-to-Payer, and Prior 
Authorization APIs.
a. Recommending vs. Requiring Implementation Guides
    In the CMS Interoperability and Prior Authorization proposed rule, 
we proposed to recommend CARIN for Blue Button, PDex, PDex U.S. Drug 
Formulary, PDex Plan Net, CRD, DTR, and PAS IGs for specific APIs, as 
listed in Table 10 of the proposed rule (87 FR 76320). We also 
solicited comments on whether CMS should propose to require these 
recommended IGs in future rulemaking and other ways that we could 
support innovation and interoperability. We emphasize that while we are 
not requiring payers to use the recommended IGs listed in Table H3, we 
may propose requiring payers to use these and other IGs in future 
rulemaking, should they reach sufficient maturity.
    After careful consideration of the versions of the IGs that were 
available at the time of the proposed rule, we determined that we were 
not ready to propose them as requirements. We stated that we believed 
these IGs would continue to be refined over time as interested parties 
have opportunities to test and implement them, and as such, we chose to 
recommend them rather than require them. Specifically, we stated we 
would continue to monitor and evaluate the IG development and consider 
whether to propose them as a requirement at some future date. In this 
final rule, we are finalizing our recommendation to use the CARIN for 
Blue Button, PDex, PDex U.S. Drug Formulary, PDex Plan Net, CRD, DTR, 
and PAS IGs for the Patient Access, Provider Access, Provider 
Directory, Payer-to-Payer, and Prior Authorization APIs, as applicable 
and listed in Table H3. We also note that several of the recommended 
IGs have had updated versions published since the CMS Interoperability 
and Prior Authorization proposed rule. Thus, we have updated Table H3 
accordingly to represent the most recent published versions of the 
recommended IGs. Because these are only recommended IGs, we do not 
codify version updates through rulemaking.
    We acknowledge that by recommending rather than requiring certain 
IGs, there is potential for implementation variation that could limit 
interoperability and ultimately lead to rework for implementers if 
requirements are introduced later. However, we concluded at the time of 
the proposed rule that it was more important to not require the IG 
versions available at that time due to the maturity of the versions 
available. We recommended, but did not propose to require, these IGs 
because we wanted to ensure that implementers can use subsequent 
versions of these IGs without being restricted to the version available 
when we issued the notice of proposed rulemaking. As discussed in 
section II.G.2.c. of this final rule, we are finalizing a provision to 
allow payers the flexibility to use updated versions of certain 
standards required for the APIs in this final rule. In the CMS 
Interoperability and Prior Authorization proposed rule (87 FR 76316), 
we acknowledged that subsequent versions of the recommended IGs may 
include substantial changes that would not be consistent with the 
requirement that an updated standard must not impair access to data 
through the API. We intend to monitor IG development and may propose to 
require specific IGs at a future date and/or allow for voluntary 
updates under our flexibility policies. We received comments on our 
decision to recommend, rather than require the listed IGs in the 
proposed rule.
    Comment: Multiple commenters appreciated CMS's decision to 
recommend rather than require the CARIN for Blue Button, PDex, PDex 
U.S. Drug Formulary, PDex Plan Net, CRD, DTR, and PAS IGs. A commenter 
supported CMS's decision to recommend instead of requiring IGs given 
that some of the standards and IGs are not yet mature enough for 
industry adoption. Another commenter appreciated CMS's decision to 
recommend rather than require IGs due to the interplay between this 
rule and the HIPAA Standards for Health Care Attachments proposed rule.
    Response: We thank commenters for their support of our decision to 
recommend certain IGs in the proposed rule, which we believe balanced 
the need to provide guidance and flexibility to industry as standards 
advance.
    Comment: Multiple other commenters supported the recommended IGs, 
but noted concern that these IGs do not have enough outside involvement 
in the development phase, which could result in gaps in workflows. 
However, the commenters noted that they are confident that the HL7 
Accelerator workgroups will provide the necessary maturity if given 
sufficient time.
    Response: These standards development activities do have outside 
parties involved throughout the standards development process. We 
encourage all interested parties, especially those who already have the 
experience implementing the APIs, to engage with the process. HL7 and 
the Accelerators welcome and solicit feedback for all of their IGs and 
specifications. Meeting participation is largely open to the public, 
and one does not have to be a member to participate in testing events 
and many other standards development activities.
    Comment: Multiple commenters disagreed with CMS's decision to 
recommend rather than require the IGs and expressed concern for CMS's 
decision to not require certain IGs, with

[[Page 8938]]

one concerned that not requiring the IGs will impact the level of 
interoperability necessary to support data exchange. Commenters urged 
CMS to consider the potential for implementation variation in APIs and 
limit industry-wide interoperability. Multiple commenters expressed 
that it is important that adherence to IG requirements is required, not 
just encouraged, to ensure the industry adopts these to obtain the 
benefits of the near real-time Prior Authorization API transactions. 
Another commenter recommended that CMS adopt and require IGs as quickly 
as possible. The commenters stated that without IGs, there is a risk 
that early work done by health IT developers and the health care 
community will have to be refactored or restarted to meet the IG 
guidelines. A commenter stated that CMS should act swiftly to encourage 
the creation of more appropriate IGs and recommended that CMS work with 
payers to create electronic systems and interfaces that are consistent 
and easy to use.
    Another commenter stated that not requiring certain IGs is not in 
line with the interoperability goals and prior authorization 
initiatives outlined in this rule to obligate providers to report on 
their adoption of this technology if that technology will not be 
uniformly adopted and implemented between different payers. A commenter 
stated that it is critical that all data contributors be held to the 
same set of rules and required to adopt the same standards and IGs. To 
ameliorate this, the commenter recommended that the IGs be required 
rather than recommended, and that a mere recommendation may result in 
more burden and duplicative work. A commenter stated that because CMS 
is not requiring certain IGs, it is unfair and contrary to the goals of 
these interoperability and prior authorization initiatives to obligate 
MIPS eligible clinicians, eligible hospitals, and CAHs to report on 
their adoption of this technology when that technology will not be 
uniformly adopted and implemented between different payers.
    Multiple commenters recommended that CMS require impacted payers to 
use the CARIN for Blue Button, HL7[supreg] FHIR[supreg] Da Vinci 
Patient Coverage Decisions Exchange (PCDE), PDex, PDex U.S. Drug 
Formulary, PDex Plan Net, CRD, DTR, and PAS IGs while allowing for 
adaptability and advancement of those IGs over time. A commenter stated 
that requiring certain IGs would move payers toward standardized data 
exchange. A commenter noted that most of the IGs have been around for 
several years, and most have been tested in multiple Connectathons, 
pilot projects, and in production environments. The commenter believes 
having consistent, well-understood data fields with clear meaning that 
everyone uses the same way is a key element of any API or any 
successful data exchange. The commenter stated that using standard IGs 
would move industry toward interoperable data exchange.
    Response: We received a significant number of comments on both 
sides regarding requiring IGs and not requiring IGs, which indicates 
that there is not broad agreement across the industry. In the proposed 
rule, we sought to strike a balance by requiring the standards and IGs 
adopted at 45 CFR 170.215 in alignment with ONC and recommending 
additional IGs for each API implementation. We acknowledge that by not 
requiring all the available IGs, there is potential for implementation 
variation in these APIs that could limit interoperability and 
ultimately lead to re-work for implementers if requirements are 
introduced later. However, at the time of the proposed rule, we 
believed it was more important not to require these IGs while they were 
still undergoing additional enhancements. We disagree with the concern 
that our decision to not propose to require certain IGs is unfair and 
contrary to the goals of these interoperability and prior authorization 
initiatives of this final rule. The required standards at 45 CFR 
170.215 mean that impacted payers must implement these APIs using the 
FHIR standard, which will advance interoperability. We continue to 
strongly recommend using the other recommended IGs listed in Table H3.
    As stated previously, we also believe that the approach in the 
proposed rule of recommending, but not requiring, the specific IGs and 
versions provided directional guidance with flexibility to the industry 
in order to allow for additional improvements to be made without 
locking implementers into versions of the IGs available at the time of 
the proposed rule. Under the recommendations in the proposed rule, as 
these IGs progress, industry could continue to harmonize on common 
approaches that work, eventually culminating in a required set of 
specifications when ready through updates to CMS policy. To not 
identify any specific IGs would have meant a more diverse set of 
proprietary solutions with little to no interoperability. Our 
recommendations provide direction to implementers.
    Comment: A commenter stated that the development and maintenance of 
standards and IGs are an extension of Federal policy that does not go 
through the rulemaking process. They noted that it is critical that 
this development and maintenance process be consensus-based, fair, 
transparent, and open to all stakeholders. The commenter continued by 
stating that the IG creation process is currently driven by a limited 
number of volunteers that do not broadly represent the industry, which 
results in IG resource and profile versioning issues. The commenter 
stated that CMS should ensure there is no fee to fully participate in 
the process for the regulatorily required exchanges and relying on an 
American National Standards Institute (ANSI)-accredited process to 
develop the IGs would improve the approach.
    Response: We acknowledge that standards and IGs are not developed 
through the rulemaking process. Rather, standards and IGs go through 
the rulemaking process if and when they are proposed to be adopted. We 
also appreciate that commenters are invested in the quality of the IGs 
and the SDO, and affirm, as we stated in the CMS Interoperability and 
Patient Access final rule (85 FR 25540), that development and 
maintenance of standards are the purview of SDOs, and that interested 
parties, including Federal agencies, participate in that process. 
Stakeholders have the opportunity for review and comment on the 
standards both at the time they are being developed, as well as during 
the proposed rule comment period. HL7 is an ANSI-accredited \186\ SDO, 
and Da Vinci is an accelerator workgroup under the umbrella of HL7 and 
operates under the same rules of all ANSI accredited SDOs in the manner 
in which they obtain consensus on standards. Furthermore, HL7 standards 
are free and open-source, and documentation is available to anyone to 
ensure that all developers can equally access information. Using these 
freely available materials will reduce the development burden for both 
payers and app developers and facilitate industry-wide 
interoperability. Similarly, participation in online working meetings 
and providing feedback as part of the standards development process is 
free, and diverse organizational representation is critical to the 
quality of the standards and IGs. Thus, we encourage as many 
organizations as possible with a stake in the development and quality 
of these guides to participate. HHS uses different authorities to adopt 
and require standards that are developed and

[[Page 8939]]

maintained by organizations such as HL7 using the processes described 
previously. For instance, ONC has adopted the standards and 
implementation specifications at 45 CFR 170.215 cross-referenced in 
this final rule under the authority of section 3004 of the Public 
Health Service Act.
---------------------------------------------------------------------------

    \186\ ANSI oversees standards and conformance of processes for 
all SDOs. See American National Standards Institute (2023). ANSI. 
Retrieved from https://ansi.org/.
---------------------------------------------------------------------------

    Comment: A commenter suggested CMS emphasize that using the IGs is 
not limited to literal use, but also interpretive use to model 
interactions within the respective health IT configuration in a way 
that is illustrative rather than prescriptive.
    Response: IGs contain both SHALL and SHOULD statements, which 
respectively indicate whether health IT systems must meet certain 
requirements to conform to the IG or are just strongly recommended to. 
While implementers will be required to conform with the required IGs we 
are finalizing, we remind readers that the recommended IGs can be 
implemented as they see fit as long as they meet the requirements of 
the API.
b. Implementation Guide Maturity
    In the proposed rule, we welcomed further information about the 
maturity of the recommended IGs, including considerations about further 
development that may be needed prior to us proposing to require the IGs 
we recommended (87 FR 76317).
    Comment: Multiple commenters expressed concern regarding the 
maturity, scalability, and real-world testing of the IGs recommended in 
the proposed rule. Multiple commenters were concerned that there may be 
compatibility issues between the current and future versions of the IGs 
given that the IG versions are not currently finalized. A commenter 
stated that slight variations in API implementation could significantly 
increase burden placed on the provider community. A commenter 
recommended that CMS and ONC issue guidance on what could be expected 
in the IG guidelines to inform early work and to encourage as much 
fidelity to these IGs as possible.
    Response: We are committed to continuing to work with HL7, the 
Accelerators, and interested parties within the industry to define, 
participate in, and convene testing events, as well as developing and 
maintaining the specifications, thereby moving them toward greater 
maturity. We acknowledge that, as with any standard, potential 
compatibility issues could arise throughout development. These 
standards are subject to a standards development process where changes 
are reviewed and compatibility is an important consideration, 
increasing with the level of use and adoption. As IGs mature, the 
number of potential compatibility issues between versions is expected 
to decrease. Likewise, as IGs continue through the standards 
development process, they will be enhanced to address areas of variance 
among payers that are barriers to interoperability. We determined that 
it was important to recommend these IGs to move the industry and 
provide direction towards a common set of specifications, as opposed to 
not including these recommendations, which would lead to a greater 
number of variations and cause a greater burden.
    Comment: A commenter recommended that CMS explain that support for 
SMART Backend Services specification is also required with the Bulk 
Data Access IG. Another commenter stated that significant limitations 
exist for the Bulk Data Access IG and OpenID Connect Core standard. The 
commenter noted that it is unknown when the Bulk Data Access IG will be 
ready for implementation and use on a large scale.
    Response: The Bulk Data Access IG v1.0.0: STU 1 includes the option 
for SMART Backend Services specification to enable system-to-system 
authentication and authorization of backend services. The Backend 
Services specification that was included in Bulk Data Access IG v1.0.0: 
STU 1 was moved to SMART App Launch IG Release 2.0.0. Therefore, we 
strongly recommend that the SMART Backend Services specification of the 
SMART App Launch IG Release 2.0.0 be supported and thus have included 
this recommendation for both the Provider Access and Payer-to-Payer 
APIs in Table H3. We acknowledge that not all connections may use 
backend services, but when such services are available, payers may wish 
to use the HL7 SMART Framework. More recent versions of the SMART App 
Launch IG specification, starting with Release 2.0.0, incorporate the 
SMART Backend Services, which ONC has adopted in the HTI-1 final rule 
at 45 CFR 170.215(c). We further remind readers that though we are 
requiring impacted payers to support Bulk Data Access IG for the 
Provider Access and Payer-to-Payer APIs in this final rule (Table H3), 
payers are free to set their own criteria for using bulk data exchange.
    Comment: A commenter recommended that CMS delay API implementation 
until the recommended IGs are ready to be required. The commenter noted 
that the proposed APIs are not feasible without standardized adoption 
and expressed concern that the necessary IGs to implement the APIs are 
not mature, tested, or ready to scale. A commenter suggested that CMS 
should work with interested parties across the health IT community to 
propose and finalize IGs that are not mature prior to mandating their 
use.
    Response: We remind readers that we are finalizing 2027 compliance 
dates for the policies that require API development and enhancement 
partly to allow industry additional time to implement the needed 
functionality within their internal systems. By requiring some IGs and 
recommending others, we believe that we achieved the appropriate 
balance between moving industry forward, while allowing flexibility for 
continued development of IGs that were not sufficiently mature at the 
time of the proposed rule to propose to require.
    Comment: A commenter encouraged CMS to take on an active role in 
the continued development and testing of the HL7 Da Vinci IGs. The 
commenter recommended that CMS review and release a formal assessment 
of the technology development no later than July 1, 2024.
    Response: We are a member of HL7 and monitor their activities by 
attending the HL7 Da Vinci workgroups, providing contract support for 
the development of the IGs, and tracking the ballot process. Through 
these efforts, we are continuously engaged in IG development and 
maintenance. We thank commenters for their suggestion but note that the 
request to release a formal assessment of technology development no 
later than July 1, 2024, is out of scope for this final rule.
    Comment: Multiple commenters urged CMS to identify a baseline or 
``floor'' version of the technical standards and IGs, and multiple 
other commenters recommended CMS develop a formal standards advancement 
process, like the SVAP, to give industry the opportunity to continue 
refining, testing, and deploying new versions. Multiple commenters 
noted that requiring an updated version of an IG as a baseline 
requirement must be done officially through government regulation. 
Another commenter recommended CMS develop a strategy or a process to 
decide which version of IGs or standards should be required. A 
commenter believed that all interested parties should agree upon IGs 
for each of the APIs. The commenter stated that in the final rule, CMS 
should identify the requirements, including IGs, for all interested 
parties. Another commenter recommended that CMS explain the 
functionalities of specific

[[Page 8940]]

IGs they would like applied to each of the APIs.
    Multiple commenters urged CMS to work with interested parties to 
identify a limited number of IGs to require so industry is not 
overwhelmed with too many IGs. Moreover, multiple commenters expressed 
concern about requiring more than one IG for specific API 
implementations and requested that CMS only require one IG. A commenter 
noted they support clear and unambiguous standards to achieve true 
interoperability.
    Response: The required standards and recommended IGs for each of 
the APIs are listed in Table H3 and represent the minimum expected of 
impacted payers. The FHIR IGs have been developed to fulfill a specific 
purpose and therefore requiring more than one IG for a specific API is 
appropriate. Specifically, the IGs we are recommending all have 
individual purposes and we are only recommending those relevant to each 
API as listed in Table H3. We also remind interested parties that the 
IGs go through a consensus-based process and participation in the 
online meetings and providing feedback is free, thus, we encourage as 
many organizations as possible with an investment in the development 
and quality of these guides to participate.
    Comment: Multiple commenters recommended that CMS explain how 
technical standards and IGs will be mapped to specific API 
functionalities.
    Response: We refer readers to Table H3 for an outline of which 
standards and IGs pertain to which APIs. We also remind readers that 
our recommended IGs can support the required standards for the specific 
API we are recommending them for.
    Comment: Multiple commenters expressed support for work done by the 
CARIN Alliance, which provides a method for all payers to make 
submitted and processed claims data available to patients and has 
sufficient maturity to ensure a successful implementation. Multiple 
commenters requested that CMS consider mandating the CARIN IG for Blue 
Button. A commenter stated that otherwise, stakeholders will have to 
support multiple IGs, which adds burden and increases technology 
complexity making development and implementation challenging. Multiple 
commenters expressed support for clear and unambiguous standards.
    A commenter stated the CARIN IG for Blue Button already produces an 
EOB for in-patient, out-patient, professional, pharmacy, dental, and 
vision services through a set of FHIR profiles. The commenter noted 
that these same profiles could provide the required non-financial view 
of the EOBs to meet the requirements outlined in this proposed rule by 
using the ``Summary View'' returned by FHIR's summary parameter search.
    Response: We agree about the importance of the CARIN Alliance's 
work. However, for reasons explained in section II.G.3.a. of this final 
rule, we did not propose to require several IGs which are listed in 
Table H3 as Recommended IGs, including the CARIN IG for Blue Button. 
Regarding the recommendation to leverage the non-financial view of a 
CARIN IG for Blue Button, we note that in order to do this, the CARIN 
IG for Blue Button would need to be updated, or other guidance provided 
to support this requirement, and that the data be made available 
through the appropriate API. Work is currently underway in CARIN and in 
coordination with HL7 Da Vinci PDex workgroup to define this guidance.
    Comment: A commenter noted that a September 2021 Frequently Asked 
Questions (FAQ) \187\ document published by CMS states that payers 
would be compliant with the Patient Access API requirements if they 
used the CMS-recommended IG (CARIN for Blue Button IG v1.1.0: STU 1) to 
build their APIs, but that that IG version does not enable the 
inclusion of dental or vision claims, which were added in the most 
recent version. Multiple commenters supported guidance or rulemaking to 
support oral and vision claims using the CARIN IG for Blue Button 
v2.0.0: STU 2 version.
---------------------------------------------------------------------------

    \187\ Health Informatics and Interoperability Group (2021). 
Patient Access API FAQ. Retrieved from https://www.cms.gov/priorities/key-initiatives/burden-reduction/faqs/patient-access-api.
---------------------------------------------------------------------------

    A commenter recommended that CMS reaffirm that impacted payers 
would be compliant with the requirements for the Patient Access and 
Provider Access, and Payer-to-Payer APIs if they follow the CMS 
recommended IGs. The commenter also recommended that CMS further 
explain that the absence of dental and vision claims information in the 
proposed APIs would not result in payer noncompliance given that the 
recommended CARIN IG for Blue Button does not include dental and vision 
claims.
    Response: At the time the proposed rule was drafted, the CARIN IG 
for Blue Button v1.1.0: STU 1 was the latest published version for use. 
Since then, CARIN IG for Blue Button v2.0.0: STU 2 was released, which 
indeed includes dental and vision (vision as part of the professional 
and non-clinician profile). We are therefore modifying our 
recommendation listed in Table H3 to ``HL7 FHIR Consumer Directed Payer 
Data Exchange (CARIN IG for Blue Button) IG v2.0.0: STU 2.'' In 
addition to the required standards listed in Table H3, if impacted 
payers use the recommended IGs also listed in Table H3 for the APIs and 
follow the IGs to specification to build their APIs, they would be 
conformant with the technical requirements.
    Comment: A commenter expressed support for exchanging data via FHIR 
APIs and noted that the PDex IG STU 2.0.0 includes a prior 
authorization profile to share prior authorization information, but 
this profile is not yet published. However, another commenter noted 
that the HL7 Da Vinci PDex workgroup is actively completing an initial 
set of updates to the PDex IG to facilitate sharing prior authorization 
information and that the workgroup will make any necessary revisions to 
support the provisions outlined in the proposed rule to include any 
related administrative and clinical documentation. Another commenter 
was concerned that some of the proposed data elements for prior 
authorization have not yet been profiled within FHIR IGs.
    A commenter stated that payers should already have familiarity with 
the PDex IG as it was recommended as part of the Patient Access API. 
The commenter continued that using the PDex IG to support the new set 
of information will also reduce burden.
    Response: The recently published PDex IG STU 2.0.0 specification 
\188\ does include a Prior Authorization profile that enables payers to 
communicate prior authorization decisions and changes to the status of 
a prior authorization requests. Based on feedback and developments in 
the industry, in addition to the required IGs and previously 
recommended IGs, we are now recommending the PDex IG STU 2.0.0. for the 
Patient Access, Provider Access, and Payer-to-Payer APIs, as listed in 
Table H3. We are delaying the compliance dates for the APIs finalized 
in this rule to 2027, which allows for additional time for the FHIR 
standard and IGs to continue to be refined and advanced to support all 
of the policies in this final rule.
---------------------------------------------------------------------------

    \188\ Health Level Seven International (2020). Da Vinci Payer 
Data Exchange. Retrieved from http://hl7.org/fhir/us/davinci-pdex/STU1/.
---------------------------------------------------------------------------

    Comment: A commenter noted that the proposed rule suggested that 
the Provider Directory API finalized in the CMS Interoperability and 
Patient Access final rule will be conformant with the PDex Plan Net IG 
STU 1.1.0. A commenter stated their belief in

[[Page 8941]]

standards-based methods for the electronic transmission of health 
information. The commenter continued that successful standards-based 
conveyance of digital health care information relies on clear and 
unambiguous standards that apply across the industry. The commenter 
stated that the PDex Plan Net IG meets this requirement.
    Response: We agree with commenters on the utility of the PDex Plan 
Net IG, and are thus recommending its use for the Provider Directory 
API.
    Comment: Multiple commenters recommended CMS and HL7 ensure the 
CRD, DTR, and PAS IGs are fully tested prior to the effective date of 
the final rule, as the IGs have not been adequately or widely tested in 
real-time clinical settings. A commenter expressed concern with 
required versus situational data elements in the current versions of 
the recommended IGs outlined in the proposed rule. The commenter noted 
that the CRD, DTR, and PAS IGs have data elements and processes that 
are listed as optional despite their utility for automation. Another 
commenter provided the example that the CRD IG does not require the 
return of documentation templates and rules, so the provider would be 
required to initiate a separate transaction to determine the 
requirements for a prior authorization. Additionally, this commenter 
stated that the CRD IG allows for hyperlinks to be returned to the 
provider. The commenter stated that this means that a valid response to 
a coverage requirements discovery request can be a hyperlink to a 
third-party prior authorization vendor where the provider would have to 
initiate a prior authorization request through a provider portal and 
drop to a manual process outside of their EHR and practice management 
system.
    Response: The HL7 Da Vinci IGs that we recommend specifically for 
the Prior Authorization API are the CRD, DTR, and PAS IGs. These were 
created as three distinct IGs that were loosely coupled instead of 
created as a single IG in order to provide implementation flexibility 
and the ability to disconnect the processes where necessary. A number 
of optional or ``situational'' elements are included in these guides to 
connect them into a single workflow where needed. While we value the 
specificity of other comments regarding the functions of the IGs, such 
as hyperlinks and connecting to external portals, these are the purview 
of the HL7 Implementation division. We will work with HL7 and 
implementers to coordinate appropriate support for such questions prior 
to the compliance dates.
    Comment: A commenter stated that it was their understanding that 
the HL7 Da Vinci PCDE IG was developed with minimal payer input. The 
commenter stated that there may be a need for additional time for 
impacted payers to understand and implement the IG. Furthermore, the 
commenter expressed concern that the PCDE IG only addresses the 
movement of data between the provider and payer and does not address 
the back-end systems that will need to ingest and process new 
information for continuity of care. The commenter urged CMS to continue 
exploring other opportunities to promote data exchange. The commenter 
acknowledged that there are many industry solutions being developed to 
facilitate the coordination of benefits between providers. The 
commenter stated that these options could prove to be better solutions 
for the industry in the future and recommended that CMS continue to 
monitor and enable technical innovation in this area.
    A commenter noted that CMS has included two mentions of the PCDE 
IG. They stated that there is one reference in the preamble of the 
proposed rule (87 FR 76336); however, in the preamble ``Payer Coverage 
Decision Exchange'' is followed by a parenthetical reference to 
``PDex.'' The commenter stated that the PCDE IG was also listed in 
Table 10 (87 FR 76321), though, there are no additional or substantive 
mentions of the PCDE IG in the proposed rule. The commenter believes 
that it is possible the mention of the PCDE IG was unintentional.
    Response: We acknowledge that the PDex IG has expanded to include 
prior authorization data and development of PCDE IG is not currently 
active. Thus, while we acknowledge the drafting error the commenter 
previously noted, we are no longer recommending the PCDE IG for the 
Payer-to-Payer API.
    Comment: A commenter suggested that CMS consider recommending the 
HL7[supreg] FHIR[supreg] Member Attribution (ATR) List IG, which is 
currently in the publication process. The commenter stated this IG 
focuses on attribution lists for risk-based contracts and it could 
serve as an exchange standard for all payers.
    Response: While we did not include the ATR List IG as one of 
recommendations listed in Table H3, we note that industry expects that 
the next version will be published well before the compliance dates for 
API development and enhancement policies in this final rule. Payers are 
permitted to use the ATR List IG, and we will explore including it, 
either as a recommendation or requirement, in future rulemaking.
    Comment: Multiple commenters recommended that CMS consider 
leveraging the HL7 FHIR Da Vinci Reducing Clinician Burden (RCB) IGs. A 
commenter shared that revisions to the RCB IGs are underway to make 
prior authorization documentation supporting medical necessity, which 
is assembled by the ordering provider, available to the performing 
provider. The updated IG is currently titled FHIR Orders Exchange 
(FOE), and updates should be balloted in the September 2023 SVAP cycle. 
Another commenter stated that they believe RCB IGs would help industry 
work towards future readiness for a certified Health IT Module(s) to be 
included within the ONC Health IT Certification Program.
    Response: We thank commenters for their suggestions and will 
consider them for future rulemaking.
    Comment: A commenter stated that the HL7[supreg] FHIR[supreg] Da 
Vinci Clinical Data Exchange (CDex) IG would enable providers to obtain 
additional information that may have been missing or not yet available 
on the initial order request.
    Response: Though we neither proposed nor recommended the CDex IG, 
we recognize that the CDex IG is being developed to exchange 
attachments via the Prior Authorization API. Impacted payers are 
permitted to use the CDex IG and are encouraged to participate in the 
ongoing testing as the IG is further developed. Though HL7 has included 
the ability to exchange attachments in its suite of IGs, and this would 
be available for use voluntarily, this final rule does not address 
health care attachments. We will consider either requiring or 
recommending the CDex IG in future rulemaking.
    Comment: A commenter recommended using the HL7 Da Vinci DTR IG to 
specify how payers codify their rules in clinical quality language for 
real-time determination.
    Response: We are currently recommending the DTR IG for the Prior 
Authorization API. We will continue to monitor and evaluate the 
development of the recommended IGs listed in Table H3 and consider 
whether to propose them as a requirement at some future date.
c. Authentication and Authorization
    Comment: Multiple commenters encouraged CMS to work with HL7 to 
integrate the UDAP into the IGs created by HL7. A commenter stated that 
a security framework based on a tiered OAuth security specification is 
required

[[Page 8942]]

to enable the scalable exchange within trust frameworks. The commenter 
stated that industry will not be able to implement at scale based on 
how the standards were proposed and suggested CMS focus on making sure 
this work is in place prior to making the APIs in the proposed rule 
mandatory. In addition, the commenter stated that the HL7 Da Vinci PDex 
IG depends on mTLS to establish the identity of each of the 
organizations involved in the exchange while other payer-to-provider 
and payer-to-patient exchanges rely on OAuth and the SMART framework.
    Response: We thank the commenters for their responses and 
understand their concerns. As discussed in section II.B. of this final 
rule, we are currently supporting efforts to define the specifications 
for authentication at scale through UDAP via the FAST Security IG and 
mTLS through the PDex IG.
    We acknowledge that authentication and authorization via user 
credentials, using means such as OpenID Connect Core and OAuth 2.0, is 
a requirement for APIs in which individually identifiable user access 
is necessary, such as the Patient Access API. In order to use OpenID 
Connect Core, each user would need to have credentials with the payer 
(or delegated authentication/authorization entity) to access the API. 
Thus, we are maintaining OpenID Connect Core 1.0 as a required standard 
for the Patient Access API.
    We recognize that while protocols involving specific user 
credentials as managed by a payer could be used for the Provider Access 
and Prior Authorization APIs, other protocols, such as SMART Backend 
Services, mTLS, UDAP, or other trust community-specified means, may be 
easier to implement at scale. Likewise, protocols requiring user level 
credentials, managed by the payer, are generally not appropriate for 
business-to-business data exchanges like the Payer-to-Payer API where 
an individual may not be directly initiating the exchange. Therefore, 
upon further consideration of our proposals, we are not finalizing 
OpenID Connect Core (at 45 CFR 170.215(b)) as either a required or 
recommended standard for the Provider Access, Payer-to-Payer, and Prior 
Authorization APIs.
    We are recommending SMART Backend Services Authorization for both 
the Provider Access and the Payer-to-Payer APIs. However, payers will 
be able to choose the protocols or combination of protocols they deem 
appropriate as long as they meet appropriate security and privacy 
requirements. We acknowledge that payers will likely use different 
protocols, which could represent a barrier to enabling data exchange at 
scale. Specifications such as UDAP and the tiered OAuth profile is an 
available option for payers and may enable data exchange in a scalable 
way by providing dynamic client registration and delegated 
authentication potentially within and across trust communities. We 
appreciate the comments, will continue to monitor the progress of UDAP 
development and implementation, and will consider including it in 
future rulemaking.
    Comment: A commenter stated that the HL7[supreg] FHIR[supreg] Da 
Vinci Health Record Exchange (HRex) IG Coverage Profile allows for 
UDAP, which may be viable solution for authentication. The commenter 
stated that the HL7 FAST STU 1 Security IG should be considered 
foundational in the future for all IGs that require registration, 
authentication, and authorization. Additionally, the commenter 
suggested that CMS should explain that requiring handwritten signatures 
continues to be appropriate when the impacted payer deems it necessary. 
The commenter recommended that CMS should support industry discussions 
and actions toward UDAP alignment across IGs, when and where 
appropriate.
    Response: We recognize that methods including, but not limited to 
UDAP, may be appropriate depending on the payer's specific needs and 
the API. We believe that appropriate security controls can be 
implemented without requiring handwritten signatures, unless required 
by other applicable law. We continue to monitor the progress of IG 
development and remind readers that this final rule does not restrict 
payers from using other IGs (assuming they are not an earlier version 
than we specify). We will continue to monitor IG development and 
consider requiring or recommending additional IGs in future rulemaking.
4. Required Standards and Recommended Implementation Guides To Support 
APIs
    Using standards and IGs supports consistent implementations across 
the industry. In Table H1 of this final rule, we list the CFR citations 
that require impacted payers to use API technology conformant with the 
standards and specifications outlined in this section of the rule. We 
also include Table H3 to provide a clear outline of which standards we 
require and which IGs we recommend for each API.
BILLING CODE 4150-01-P

[[Page 8943]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.011


[[Page 8944]]


[GRAPHIC] [TIFF OMITTED] TR08FE24.012


[[Page 8945]]


[GRAPHIC] [TIFF OMITTED] TR08FE24.013

BILLING CODE 4150-01-C

[[Page 8946]]

5. Final Action
    After considering the comments received, and for the reasons 
discussed in the CMS Interoperability and Prior Authorization proposed 
rule (87 FR 76238) and our response to those comments (as summarized 
previously), we are finalizing our proposals regarding interoperability 
standards for the Patient Access, Provider Access, Provider Directory, 
Payer-to-Payer, and Prior Authorization APIs.
    We are finalizing greater specificity for the standards at 45 CFR 
170.215 that are applicable to each API, with some modifications. 
Specifically, impacted payers will only be required to use the 
applicable standards and specifications that we have identified as 
necessary for the Patient Access, Provider Access, Provider Directory, 
Payer-to-Payer, and Prior Authorization APIs. Those standards are 
listed as ``required'' in Table H3. We are also finalizing a 
modification to incorporate the expiration dates ONC adopted at 45 CFR 
170.215(b)(1)(i) and (c)(1) since the CMS Interoperability and Prior 
Authorization proposed rule was published.
    We are finalizing our proposal to allow impacted payers to use 
updated standards, specifications, or IGs for each of these APIs, under 
the following conditions: the updated version of the standard is 
required by other applicable law; or (1) the updated version of the 
standard is not prohibited under other applicable law, (2) the National 
Coordinator has approved the updated version for use in the ONC Health 
IT Certification Program, and (3) the updated version does not disrupt 
an end user's ability to access the data required to be available 
through the API. We note that for the required standards at 45 CFR 
170.215, several updated versions have been approved by the National 
Coordinator for use in the ONC Health IT Certification Program,\189\ 
including, but not limited to, the US Core IG STU 6.1.0, the SMART App 
Launch IG Release 2.0.0, and the Bulk Data Access IG (v2.0.0: STU 2).
---------------------------------------------------------------------------

    \189\ Office of the National Coordinator for Health Information 
Technology (2023, September 11). Standards Version Advancement 
Process (SVAP). Retrieved from https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------

    Finally, we are recommending specific IGs, listed as 
``recommended'' in Table H3, which we encourage payers to use in 
addition to the required standards at 45 CFR 170.215.

III. Collection of Information Requirements

    Under the Paperwork Reduction Act (PRA) of 1995, we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the OMB for review and approval. To fairly evaluate whether an 
information collection should be approved by OMB, section 3506(c)(2)(A) 
of the PRA of 1995 requires that we solicit comment on the following 
issues:
     The need for information collection and its usefulness in 
carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We requested public comment on areas of this document that contain 
information collection requirements (ICRs).

A. Background

    Payers and providers should be able to take advantage of new 
technologies that improve their ability to exchange information 
efficiently, enhance operations, and streamline processes to benefit 
patient care. Payers should share prior authorization rules in more 
transparent ways to enable providers to meet their requirements, and 
thereby, avoid care delays. To continue advancements in our commitment 
to interoperability, we are finalizing our proposals for certain 
impacted payers to implement FHIR APIs and make other process 
improvements to help streamline prior authorizations and improve data 
exchange between payers, providers, and patients. Impacted payers will 
be required to report metrics for the information about how often 
patients use the Patient Access API and about prior authorization 
processes to assess implementation of our policies. The final rule 
includes provisions that will reduce the amount of time to process 
prior authorization requests and improvements for communications about 
denied prior authorizations. Combined, these provisions should reduce 
the burden on providers, payers, and patients and enhance patient care 
coordination.
    To incentivize provider use of the Prior Authorization API, we are 
finalizing a policy to add a new measure for MIPS eligible clinicians 
under the MIPS Promoting Interoperability performance category and for 
eligible hospitals and CAHs under the Medicare Promoting 
Interoperability Program. Beginning with the CY 2027 performance 
period/2029 MIPS payment year (rather than the CY 2026 performance 
period/2028 MIPS payment year), we are finalizing this measure as an 
attestation (yes/no response); we intend to propose a scoring 
methodology for the measure in future rulemaking. This new measure will 
be included in a PRA package related to this final rule.

B. Wage Estimates

    To derive average costs, we used data from the U.S. Bureau of Labor 
(BLS) Statistics' National Occupational Employment and Wage Estimates 
\190\ and aligned our analysis with other CMS regulatory actions. Table 
J1 presents the mean hourly wage, the cost of fringe benefits and 
overhead (calculated at 100 percent of salary), and the adjusted hourly 
wage.
---------------------------------------------------------------------------

    \190\ U.S. Bureau of Labor Statistics (2021, March 31). May 2020 
National Occupational Employment and Wage Estimates. Retrieved from 
https://www.bls.gov/oes/2020/may/oes_nat.htm.

---------------------------------------------------------------------------

[[Page 8947]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.014

    We adjusted the employee hourly wage estimates by a factor of 100 
percent or doubling of the BLS wage estimates. This is a rough 
adjustment because fringe benefits and overhead costs vary 
significantly across employers based on the age of employees, location, 
years of employment, education, vocations, and other factors.

C. Information Collection Requirements

    Consistent with our approach in the CMS Interoperability and 
Patient Access final rule (85 FR 25622), we determined ICRs by 
evaluating cost and burden at the impacted payer level. We determined 
that 365 impacted payers together represent the possible plans, 
entities, issuers, and state programs impacted by these proposals. The 
increase in impacted payers from the first CMS Interoperability and 
Patient Access final rule (85 FR 25510) corresponds to the average 
annual increase in impacted payers for new market entries. The total 
estimated burden on these impacted payers is described in detail in the 
following ICRs and Table J9 at the end of this section. We estimated 
the total number of burden hours across all impacted payers in the 
first year of implementation at 6.9 million hours; assuming a total 
cost to impacted payers to begin at approximately $182 million in the 
first and second years, increasing to $199 million in the third year 
and decreasing to $142 million by the fourth and subsequent years.
    We requested comments on each ICR described in the proposed rule 
(87 FR 76330), and on the assumptions made in deriving these burden 
estimates. We received a few comments on the burden of the proposals 
and acknowledge those comments with responses later in this section. 
Since we did not receive specific data to include to modify estimates, 
no revisions have been made.
1. Information Collection Requirements Regarding Reporting of Patient 
Access API Metrics to the Centers for Medicare and Medicaid Services 
(42 CFR 422.119, 431.60, 438.242, 457.730, and 457.1233 and 45 CFR 
156.221)
    CMS does not currently collect data on using the Patient Access API 
and does not have industry data on the extent to which patients are 
requesting to download their data from their payer into an app. We are 
finalizing the requirement that impacted payers annually report certain 
metrics to CMS about usage of the Patient Access API. Specifically, we 
will collect the total number of unique patients whose data are 
transferred via the Patient Access API to a health app designated by 
the patient; and the total number of unique patients whose data are 
transferred more than once via the Patient Access API to a health app 
designated by the patient. We estimate that impacted payers will 
conduct two major work phases: (1) implementation, which includes 
defining requirements and system design to generate and compile 
reports; and (2) maintenance, which we define as including the 
compilation and transmission of annual reports to CMS. During the 
implementation phase, impacted payers will need to prepare their 
systems to capture the data to be transmitted to CMS.
    The burden estimate related to the requirements reflects the time 
and effort needed to identify, collect, and disclose the information. 
The costs include an initial set of one-time costs associated with 
implementing the reporting infrastructure and ongoing annual 
maintenance costs to report after the reporting infrastructure has been 
established.
    Table J2 includes our computational estimates for first-year 
implementation and ongoing maintenance costs and was used to develop 
the official statement of burden found in Table J9. In finalizing these 
calculations, we assumed a two-person team of software/web developers 
and a business operations specialist spending an aggregate of 160 and 
40 hours, respectively, for the first and subsequent years, at a total 
cost per impacted payer (rounded) of $15,000 and $3,000. The aggregate 
burden (rounded) for 365 impacted payers will be 60,000 hours and 
15,000 hours for the first and subsequent years at a cost of $5.5 
million and $1 million.

[[Page 8948]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.015

    We did not receive comments specific to the estimates for the 
Patient Access API metrics reporting.
---------------------------------------------------------------------------

    \191\ U.S. Bureau of Labor Statistics (2021, March 31). May 2020 
National Occupational Employment and Wage Estimates. Retrieved from 
https://www.bls.gov/oes/2020/may/oes_nat.htm.
---------------------------------------------------------------------------

2. Information Collection Requirements Regarding the Provider Access 
API (42 CFR 422.121, 431.61, 438.242, 457.731, and 457.1233 and 45 CFR 
156.221)
    Research shows that patients achieve better outcomes when their 
medical records are more complete and there are more data available to 
the health care provider at the point of care.\192\ Making 
comprehensive information available to providers could thus improve the 
care experience for patients. Ensuring that providers have access to 
relevant patient data could also reduce the burden on patients to 
recall and relay information during an appointment and provide 
confirmation that the patient's recollection of prior care is accurate. 
This has not always been possible in a disconnected health care system. 
However, interoperable standards and technology now make it possible 
for providers to access more patient data for a more comprehensive view 
of their patients' health history and status. We are finalizing the 
Provider Access API requirements as described in section II.B.2. of 
this final rule which permits providers to receive standardized patient 
data to coordinate care. Cost estimates for this API were developed 
based on the methodology finalized in the CMS Interoperability and 
Patient Access final rule (85 FR 25510). In that rule, we estimated 
that impacted payers would conduct three major work phases: initial 
design, development and testing, and long-term support and maintenance 
(85 FR 25605). In this final rule, we assume the same major phases of 
work will take place for each of the new APIs, with a different level 
of effort during each work phase.
---------------------------------------------------------------------------

    \192\ Office of the National Coordinator for Health Information 
Technology (2019, June 4). Improved Diagnostics & Patient Outcomes. 
Retrieved from https://www.healthit.gov/topic/health-it-basics/improved-diagnostics-patient-outcomes.
---------------------------------------------------------------------------

    In the initial design phase, tasks include determining available 
resources (for example, personnel, hardware, cloud storage space, 
etc.), assessing whether to use in-house or contracted resources to 
facilitate an API connection, convening a team to scope, build, test, 
and maintain the API, gap analysis, and gap mitigation. During the 
development and testing phase, impacted payers will conduct mapping of 
existing data to the FHIR standards, hardware allocation for the 
necessary environments (development, testing, production), building a 
new FHIR-based server or leveraging existing FHIR servers, determining 
the frequency and method by which internal data are populated on the 
FHIR server, building connections between the databases and the FHIR 
server, performing capability and security testing, and vetting 
provider requests.
    Table J3 summarizes the aggregate burden for complying with the 
Provider Access API requirements. We provide illustrative points to 
explain the calculations within the table and the terms used for the 
headings. The occupational categories on the left side of the table 
include the titles of the types of labor categories who will perform 
the work, for example, Database Administrators and Architects, 
Engineers, and Computer System Analysts.
    On the top row, under the label ``Database Administrators,'' the 
labor cost of $97.20 per hour was obtained from the BLS. The $97.20 
represents the mean wage for this occupational title. The calculations 
in Table J3 reflect time over the period of the project. We estimate 
that a Database Administrator might spend 480 hours in total to 
complete this task. The 480 hours are found in the column titled 
``Primary Hours.'' The word primary, as used in the CMS 
Interoperability and Patient Access final rule (85 FR 25510), refers to 
the amount of time most organizations would require for this work. The 
total cost of $46,656 for each organization is obtained by multiplying 
the 480 hours by the $97.20 per hour wage. This $46,656 is found in the 
column labeled ``Total Cost, Primary.''
    We provide low and high estimates representing a range of possible 
time and costs across all organizations. The low estimate is half the 
primary estimate, which is 240 hours. The high estimate is 720 hours. 
These numbers are found in the low and high columns (hours) of the top 
row. The corresponding low and high costs are obtained by multiplying 
the low and high estimates of hours by the $97.20 per hour wage. This 
is a reasonable range that captures the amount of time and cost all 
organizations may spend on completing this work.
    The explanation provided for the top row applies to each of the ten 
occupational titles. The sum of the total hours and costs provides a 
typical organization's total cost. This number is found in the ``Totals 
for a Single Impacted Payer'' row. As depicted, the typical 
organization might take a total of 2,800 hours at a cost of $270,045. 
We estimate the impact by organization rather than by payer since many 
organizations may have entities in several of the programs to which 
this final rule applies: MA organizations, state Medicaid and CHIP FFS 
programs, Medicaid managed care plans, CHIP managed care entities, and 
QHP issuers on the FFEs.
    To arrive at the total cost of the final rule, we multiplied the 
single organization cost by 365 payers--that is, the number of 
organizations hosting plans across the programs. For example, the total 
primary hourly burden of the rule is 1,022,000 (365 organizations x 
2,800 for a single organization).
    Similar to the methodology used in the CMS Interoperability and 
Patient Access final rule (85 FR 25510), we estimate maintenance costs 
for future years after the API is established at 25 percent of the 
aggregate cost. We arrived

[[Page 8949]]

at 25 percent based on our experience with the industry. Rather than 
list more columns or create another table, we provide a footnote 
indicating that maintenance is estimated to be 25 percent of the cost. 
For example, the primary aggregate burden over all 365 organizations is 
$98.6 million, implying that the annual maintenance costs are expected 
to be $24.6 million (25 percent x $98.6 million).
[GRAPHIC] [TIFF OMITTED] TR08FE24.016

    Although compliance with this provision will be required on January 
1, 2027, we believe it is reasonable to assume that this API will have 
to be under development before this date to conduct testing and ensure 
compliance. Acknowledging that impacted payers will have varying 
technological and staffing capabilities, as we did in the first CMS 
Interoperability and Patient Access final rule (85 FR 25606), we are 
finalizing our estimate that the development of this API will require 
1,400 to 4,200 hours of work. We have distributed the cost over 3 
calendar years to give impacted payers the flexibility to complete the 
necessary work (see Table J9).
    Comment: A few commenters disagreed with CMS's calculations for the 
total burden regarding hours and costs across all impacted payers and 
stated that the estimates are significantly understated. These 
commenters stated that they were not confident that the proposed rule 
captured the true cost of transitioning to the technical standards.
    Response: We acknowledge comments about our calculations capturing 
the costs of transitioning to the technical standards, however, the 
commenters who made these statements did not include any supporting 
data which we could analyze or include in the final rule. We are aware 
of and have included available information in our estimates and 
analysis to address connections, testing, security, and onboarding of 
third parties, to accommodate the potential costs and burden for each 
API implementation. Additionally, we believe our estimates are the best 
possible, without additional information, and reasonable assumptions of 
staff and time, with ranges to account for low and high costs. We 
welcome continued input from payers and developers based on 
implementation of the Patient Access and Provider Directory APIs from 
the CMS Interoperability and Patient Access final rule, as well as the 
requirements finalized in this final rule. Such information will also 
be informative for purposes of future rulemaking.
    Comment: A commenter noted that it is unrealistic for CMS to expect 
that the industry can obtain the resources necessary to comply with the 
provisions outlined in the proposed rule within the current budget year 
when the requirements will not be finalized until the final rule is 
issued. The commenter recommended that CMS revise the compliance dates 
of these provisions to be 36 months after issuance of the final rule 
and scheduled on a date other than the end of a calendar year.
    Response: We have acknowledged the constraints on both budget 
cycles for certain impacted payers such as state Medicaid and CHIP 
agencies, as well as the technical complexities of implementation, and 
are finalizing a compliance date in 2027 for policies in this final 
rule that require API development or enhancement. As explicitly noted 
previously, the hours of work needed to build the API as indicated in 
Table J3, acknowledges that impacted payers will have varying 
technological and staffing capabilities.
a. API Maintenance Costs--All APIs
    The third phase for implementation is long-term support and 
maintenance. Here we discuss our methodology for the development of the 
costs in aggregate for all APIs outlined in this final rule. As 
relevant to the APIs discussed in sections III.C.2., 3., and 6. of this 
final rule, we estimate ongoing maintenance costs for the Provider 
Access, Payer-to-Payer, and Prior Authorization APIs, in aggregate. The 
costs of the API development are split into three phases: initial 
design, development and testing, and long-term support and maintenance. 
We assume that maintenance costs only account for the cost associated 
with the technical requirements as outlined in this rule. Any changes 
to requirements would add burden, which would be discussed in future 
rulemaking. Throughout this section, we discuss the initial design, 
development, and testing costs per API. This final rule addresses the 
total maintenance cost for all three APIs.
    As discussed in the first CMS Interoperability and Patient Access 
final rule (85 FR 25606), once the API is established, there will be an 
annual cost to maintain the FHIR server, including the cost of 
maintaining the necessary patient data and performing capability and 
security testing. We believe there are efficiencies to be gained in 
implementation and maintenance since the APIs rely on several of the 
same underlying foundational technical

[[Page 8950]]

specifications and content. For example, the same standards will be 
used to implement the new APIs as were used to implement the Patient 
Access and Provider Directory APIs, including FHIR and complementary 
security and app registration protocols. We also believe that 
maintenance costs will be higher than what we estimated for the CMS 
Interoperability and Patient Access final rule for the new APIs in this 
final rule, as our estimates also account for new data mapping needs, 
standards upgrades, additional data storage, system testing, initial 
bug fixes, fixed-cost license renewals, contracting costs, and ongoing 
staff education and training.
    To account for these maintenance costs, we based our estimates on 
input from industry experience piloting and testing APIs for provider 
access, prior authorization, and payer to payer data exchange. We 
estimated an annual cost averaging approximately 25 percent of the 
primary estimate for one-time API costs. In Table J9, we account for 
this maintenance cost separately for each API (at 25 percent of the 
one-time API cost). As discussed previously, the overlap in some of the 
recommended IGs across the APIs should result in shared efficiency that 
we believe supports the assumption that maintenance should be accounted 
for in aggregate and is presented in this section as such.
    We requested public comment on our approach and assumptions for the 
aggregate maintenance cost of the APIs, including whether our estimate 
was reasonable or should be modified, and did not receive specific 
comments on the aggregate maintenance costs.
3. Information Collection Requirements Regarding the Prior 
Authorization API (42 CFR 422.122, 431.80, 438.242, 457.732, and 
457.1233 and 45 CFR 156.223)
    This API addresses ongoing challenges of the prior authorization 
process, including identifying whether a prior authorization is 
required for an item or service; identifying the payer documentation 
requirements for prior authorization; compiling the necessary data 
elements to populate the HIPAA-compliant prior authorization 
transactions; and enabling payers to provide a specific response 
regarding the status of the prior authorization, including information 
about the reason for denial. We are finalizing the requirement for 
impacted payers to implement and maintain a Prior Authorization API in 
this final rule. Use of the Prior Authorization API will begin 2027 (by 
January 1, 2027, for MA organizations and Medicaid and CHIP FFS 
programs; by the rating period beginning on or after January 1, 2027, 
for Medicaid managed care plans and CHIP managed care entities; and for 
plan years beginning on or after January 1, 2027, for QHP issuers on 
the FFEs).
    As discussed previously, with respect to the Provider Access API, 
we estimate that impacted payers will need to conduct three major work 
phases to implement the requirements for the Prior Authorization API: 
initial design, development and testing, and long-term support and 
maintenance. Furthermore, for the Prior Authorization API, additional 
tasks are necessary to accomplish the requirements. For the costs for 
the third phase--long-term support and maintenance--our methodology for 
the development of those costs in aggregate for all APIs is presented 
in section III.D. of this final rule.
    We based our estimate on feedback from industry experts on the 
anticipated burden of implementing the Prior Authorization API and on 
current pilots. We continue to believe the estimates to be reasonable 
regarding the implementation burdens on impacted payers to develop APIs 
that can facilitate the prior authorization process. In addition to 
implementing this API, impacted payers will be required to send a 
specific reason for prior authorization requests that are denied. As 
discussed in section II.D. of this final rule, while the Prior 
Authorization API will use the FHIR standard to support its basic 
capabilities, covered entities must also use the adopted X12 278 
transaction standard and remain HIPAA-compliant. Given the added 
complexity of accounting for the HIPAA standards, we have accounted for 
the multiple skill sets required and licensing costs for accessing the 
X12 standards in developing the burden estimates. The recommended HL7 
IGs are freely available, as HL7 provides access to all IGs as open-
source materials. This makes the HL7 standards, IGs, reference 
implementations, and test scripts available free of charge to the 
health care and developer community but requires usage and possibly 
transaction costs for the X12 standards. We have accounted for the 
necessary engineers, subject matter experts, and health informaticists 
in our estimates. These personnel resources will need to convert 
payers' prior authorization rules into computable, structured formats, 
create provider questionnaires regarding whether a patient had a 
medical necessity for a medical item or service, create formats that 
can interface with the provider's EHR or practice management system, 
create and execute mapping between the HL7 and X12 codes, and integrate 
the Prior Authorization API with external systems or servers.
    Though this provision will be effective on January 1, 2027, this 
API will be under development before that date. Acknowledging that 
impacted payers have varying technological and staffing capabilities, 
we estimate that the development of the API will require 5,440 to 
16,320 hours of work. In Table J9, we have distributed the cost over 
approximately 3 calendar years to give impacted payers the flexibility 
to complete the necessary work.
    Table J4 presents total burden estimates for the Prior 
Authorization API (initial design, followed by development and 
testing). This table presents the calculations associated with the 
total costs. The numbers from this table are used in Table J9 to 
present costs per year for 3 years. Based on the same assumptions as 
those included in the CMS Interoperability and Patient Access final 
rule (85 FR 25510), we used the medium estimate as the primary 
estimate.
    The narrative description provided for Table J3 also applies to 
Table J4. Both tables estimate API costs for 365 organizations and 
indicate follow-up annual maintenance costs by analyzing costs for a 
single payer using a team spanning approximately ten occupational 
titles.
BILLING CODE 4150-28-P

[[Page 8951]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.017

BILLING CODE 4150-28-C
    We requested public comment on our approach and assumptions for the 
implementation cost of the Prior Authorization API, including whether

[[Page 8952]]

our estimates and ranges are reasonable or should be modified. We did 
not receive any comments on this section.
4. Information Collection Requirements Regarding Requirements To Send 
Prior Authorization Decisions Within Certain Timeframes (42 CFR 
422.568, 422.570, 422.631, 438.210, 440.230, 457.495, and 457.1230)
    Patients need to have timely access to care, and providers need to 
receive timely responses to their requests for authorization to 
requests for services for their patients, particularly when waiting for 
answers can delay the pursuit of alternatives. To increase transparency 
and reduce burden, we are finalizing our proposal to require that 
certain impacted payers, not including QHP issuers on the FFEs, send 
prior authorization decisions within 72 hours for expedited requests 
and 7 calendar days for standard requests. Impacted payers will have to 
comply with these provisions beginning January 1, 2026. We note that 
Medicaid managed care plans and CHIP managed care entities will have to 
comply with these provisions by the rating period beginning on or after 
January 1, 2026.
    To implement this policy, there will be up-front costs for impacted 
payers to update their policies and procedures. We anticipate this 
burden per payer is 8 hours of work by a general and operations manager 
to update the policies and procedures, reflecting two half-days of work 
at a per-entity cost of $967. Therefore, the total burden for all 365 
impacted payers is 2,920 hours of work at a first-year cost of $0.4 
million (rounded). These calculations are summarized in Table J5.
[GRAPHIC] [TIFF OMITTED] TR08FE24.018

    We requested public comment on our assumptions, estimates, and 
approach but received no comments on this proposal and therefore are 
finalizing these estimates without modification.
5. Information Collection Requirements Regarding the Requirement for 
Public Reporting of Prior Authorization Metrics (42 CFR 422.122, 
438.210, 440.230, 457.732, and 457.1230 and 45 CFR 156.223)
    To support transparency for patients to understand prior 
authorization processes, provide some assistance in choosing health 
coverage, and for providers when selecting or evaluating payer networks 
we are finalizing our proposal to require that impacted payers publicly 
report certain prior authorization metrics on their websites. Impacted 
payers will be required to report aggregated data annually for the 
previous calendar year's data, beginning March 31, 2026.
    We estimate that impacted payers will conduct two major work 
phases: implementation, which includes defining requirements, system 
design, and updates to generate and compile reports; and maintenance, 
including an annual compilation of reports and public reporting of 
metrics on a website. In the first phase, impacted payers will need to 
define requirements concerning the types and sources of data that need 
to be compiled regarding prior authorization activities and data, build 
the capability for a system to generate reports, and update or create a 
public web page to post the data. In the second phase, impacted payers 
will need to create the reports and post them to a public web page 
annually.
    Table J6 itemizes the activities, hours, and dollar burdens for the 
first-year implementation and estimated annual maintenance costs. We 
assumed a team of two staff consisting of a software and web developer 
with a business operations specialist.
     First-year implementation will impose a burden of 320 
hours for the first year and 120 hours for subsequent years, at the 
cost of $30,000 and $9,000 (rounded), for the first and subsequent 
years, respectively.
     The aggregate burden of the first-year implementation 
across 365 impacted payers will be 117,000 hours and 44,000 hours 
(rounded) for the first and subsequent years, respectively, at a cost 
of $10.8 million and $3.3 million (rounded) for the first and 
subsequent years.
[GRAPHIC] [TIFF OMITTED] TR08FE24.019


[[Page 8953]]


6. Information Collection Requirements Regarding the Payer-to-Payer API 
Implementation (42 CFR 422.121, 431.61, 438.242, 42 CFR 457.731, and 
457.1233 and 45 CFR 156.222)
    Patients may wish to carry certain health information with them 
when they change payers, in part so that they can track the services 
they have received, and to ensure that a new payer has information 
about their past health history for purposes of managing their care 
with new or current providers. We are finalizing the requirements for 
impacted payers to implement and maintain a Payer-to-Payer API as 
described in section II.C. of this final rule. These provisions will 
improve care coordination among payers by requiring payers to exchange, 
at a minimum, adjudicated claims and encounter data (excluding provider 
remittances and patient cost-sharing information), all data classes and 
data elements included in a content standard at 45 CFR 170.213 (USCDI), 
and certain information about prior authorizations. This exchange will 
be required via a Payer-to-Payer API beginning in 2027 (by January 1, 
2027, for MA organizations and Medicaid and CHIP FFS programs; by the 
rating period beginning on or after January 1, 2027, for Medicaid 
managed care plans and CHIP managed care entities; and for plan years 
beginning on or after January 1, 2027, for QHP issuers on the FFEs).
    As discussed for the other APIs in this rule, impacted payers will 
conduct three major work phases: initial design, development and 
testing, and long-term support and maintenance.
    There will be some costs for impacted payers to implement the 
Payer-to-Payer API that are unique to this API. There could be costs to 
test and integrate the Payer-to-Payer API with payer systems, albeit 
potentially lower costs than those estimated for the Provider Access 
API. We estimate the one-time implementation costs at about one-third 
the cost of a full de novo Provider Access API implementation based on 
input from developers who have implemented and piloted prototype APIs 
using the required standards. We accounted for the necessary skill sets 
of staff required as we also believe there will be unique costs for 
implementing the PDex IG so that payers can exchange active and pending 
prior authorization decisions and related documentation and forms when 
an enrollee or beneficiary enrolls with a new impacted payer.
    Table J7 presents the total activities, hours, and dollar burdens 
for implementing the Payer-to-Payer API given our assumptions on the 
initial design phase and the development and testing phase. Based on 
the same assumptions as those published in the CMS Interoperability and 
Patient Access final rule (85 FR 25510), we have the medium estimate as 
the primary estimate. We provide the following narrative explanation of 
Table J7:
     For the primary estimate, one-time implementation efforts 
for the first two phases will require, on average, a total of 916 hours 
per organization at an average cost of $96,072 per organization.
     The aggregate burden of the one-time implementation costs 
across 365 impacted payers will be 334,000 hours (rounded) at the cost 
of $35.1 million (rounded). This corresponds to the primary estimate; 
the low and high estimates are obtained by multiplying the primary 
estimate by factors of one-half and one and one-half, respectively.
[GRAPHIC] [TIFF OMITTED] TR08FE24.020

    Though this provision will be effective on January 1, 2027, the API 
will be under development before that date. Acknowledging that impacted 
payers will have varying technological and staffing capabilities, the 
development of the API will require 458 to 1,374 hours of work. In 
Table J9, we have distributed the cost estimates over 3 calendar years 
to give impacted payers the flexibility to complete the work.
    We requested public comment on our approach and assumptions for the 
cost of the Payer-to-Payer API, including whether our estimates and 
ranges are reasonable or should be modified, and received none.
7. Information Collection Requirements Regarding the Electronic Prior 
Authorization Measure for Merit-Based Incentive Payment System and the 
Medicare Promoting Interoperability Program
    The estimates in this section have been submitted to OMB in a PRA 
package (OMB control number 0938-1278). The burden associated with the 
proposed requirement for eligible hospitals and CAHs to report the 
Electronic Prior Authorization measure for the Medicare Promoting 
Interoperability Program will be captured in the next revision to the 
PRA package currently approved under OMB control number 0938-1278 (CMS-
10552).
    As explained in section II.F. of this final rule, in response to 
the December 2020 CMS Interoperability proposed rule (85 FR 82586), 
commenters indicated that provider reporting would be an appropriate 
lever by which CMS could encourage using the APIs to enable enhanced 
electronic documentation discovery and facilitate electronic prior 
authorization. Thus, to encourage MIPS eligible clinicians, eligible 
hospitals, and CAHs to implement and use electronic prior authorization 
and the corresponding

[[Page 8954]]

API, we proposed to add a new measure, called the Electronic Prior 
Authorization measure, for MIPS eligible clinicians under the MIPS 
Promoting Interoperability performance category and for eligible 
hospitals and CAHs under the Medicare Promoting Interoperability 
Program. After consideration of public comments, we have modified the 
Electronic Prior Authorization measure requirements which are further 
described and addressed in section II.F. of this final rule.
    We are finalizing that MIPS eligible clinicians would report the 
Electronic Prior Authorization measure beginning with the CY 2027 
performance period/2029 MIPS payment year (rather than the CY 2026 
performance period/2028 MIPS payment year) and that eligible hospitals 
and CAHs would report the Electronic Prior Authorization measure 
beginning with the CY 2027 EHR reporting period (rather than the CY 
2026 EHR reporting period). For the CY 2027 performance period/2029 
MIPS payment year for MIPS eligible clinicians and the CY 2027 EHR 
reporting period for eligible hospitals and CAHs, we are finalizing 
with a modification that the Electronic Prior Authorization measure be 
structured as an attestation (yes/no), instead of a numerator and 
denominator measure as originally proposed for both MIPS eligible 
clinicians, and eligible hospitals and CAHs. As an attestation measure, 
MIPS eligible clinicians, eligible hospitals, and CAHs are required to 
report a ``yes'' or ``no'' response or report an applicable exclusion, 
for the Electronic Prior Authorization measure. Additionally, we are 
finalizing that this measure will not be assigned points.
    For the MIPS Promoting Interoperability performance category, 
satisfactory performance on this measure can be demonstrated only by 
reporting a ``yes'' response or claiming an applicable exclusion. A 
``no'' response will result in the MIPS eligible clinician failing to 
meet the minimum reporting requirements, and therefore not being 
considered a meaningful EHR user for MIPS, as set forth in section 
1848(o)(2)(A) of the Act and defined in 42 CFR 414.1305, for the MIPS 
payment year. MIPS eligible clinicians who do not report a ``yes'' 
response or claim an applicable exclusion for the Electronic Prior 
Authorization measure as specified (that is, they do not submit the 
measure or report a ``no'' response on the attestation without claiming 
an applicable exclusion) will not earn a score for the MIPS Promoting 
Interoperability performance category (a score of zero for the 
category). A MIPS eligible clinician's score in the Promoting 
Interoperability performance category is generally worth 25 percent of 
their total final score for MIPS (42 CFR 414.1375(a); 414.1380(c)(1)).
    For the Medicare Promoting Interoperability Program, only a ``yes'' 
response on the attestation, or claiming an applicable exclusion, will 
fulfill the minimum requirements of this measure. A ``no'' response 
will result in the eligible hospital or CAH failing to meet the minimum 
program requirements, and therefore would not be considered a 
meaningful user of CEHRT, as defined in section 1886(n)(3) of the Act 
for an EHR reporting period (42 CFR 495.24(f)(1)(i)(A)). Eligible 
hospitals and CAHs that do not meet the minimum program requirements 
are subject to a downward payment adjustment.
    The burden in implementing these requirements consists of reporting 
an attestation (a ``yes'' or ``no'' response) or claiming an exclusion. 
In the RIA, section IV. of this final rule, we estimate burden based on 
the effort it takes to report a response for the measure. This 
estimated burden to report would be the same whether it is to report a 
``yes or no'' response or to report a numerator and denominator as 
initially proposed. Therefore, modifying the measure to be reported as 
an attestation does not change the overall cost estimates included in 
the RIA for this provision. System maintenance is an umbrella term that 
includes all activities needed to keep a system running. The two main 
components of system maintenance are preventive and corrective 
maintenance, which include software tasks such as fixing bugs, updating 
data sources, deleting old software tasks, adding new tasks, testing, 
and verification. Maintenance requirements for systems were estimated 
at 25 percent of total software creation costs, reflecting updates and 
bug fixes, as well as deletion and creation of software tasks (85 FR 
82649). There will be a moderate software update to implement the 
provisions of this final rule, and there will be no added burden over 
and above the burden of maintaining already existing software.
    The data for the reports on prior authorizations and related claims 
should already be stored in the system software of health care 
providers who may be required to retain such data for compliance and 
regulatory reasons. To report the Electronic Prior Authorization 
attestation (yes/no) measure as specified by CMS, the provisions in 
this rule should not impose a significant burden of denoting the 
information in the system.
    For the added burden of extracting, compiling, reviewing, and 
submitting the attestation, we assume that for each report, a Medical 
Records Specialist will spend about half a minute (0.0083 hours) 
extracting the already-existing data at a cost of $0.39 (1/120 hour 
(\1/2\ minute) x $46.42 per hour). To obtain the aggregate burden, we 
multiply by the number of entities. This is done separately for 
eligible hospitals and CAHs, and MIPS eligible clinicians in Table J8.

[[Page 8955]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.021

    The following items provide support and rationale for the entries 
in Table J8:
     The hourly burden estimates of \1/2\ minute (1/120 = 
0.00833 hour) for transmission of the Electronic Prior Authorization 
attestation (yes/no) response to CMS are consistent with the revised 
estimates of burden presented in the FY 2024 IPPS/LTCH proposed rule 
(88 FR 27204). The hourly burden estimates for the Electronic Prior 
Authorization measure are based on the collection of burden estimates 
calculated for the Query of Prescription Drug Monitoring Program 
measure.
     The estimate of 4,500 hospitals (including eligible 
hospitals and CAHs) is consistent with the revised estimates presented 
in the FY 2024 IPPS/LTCH final rule (88 FR 27205).
     The existing MIPS reporting policies allow MIPS eligible 
clinicians to report at the individual or group level. As noted in the 
CY 2024 PFS proposed rule (88 FR 52666), CMS did not propose any 
submission changes for the MIPS Promoting Interoperability performance 
category and therefore refers to previous rules for respondent and 
burden estimates. In Table 132 of the CY 2023 PFS final rule (87 FR 
70163), the estimated number of respondents submitting MIPS Promoting 
Interoperability performance data was based on 2021 participation data 
collected during the PHE for the COVID-19 pandemic. We anticipate that 
participation will change over the next 10 years and volumes will 
rebound to pre-pandemic numbers. We determined that the respondent 
estimates in Table 122 of the CY 2023 PFS proposed rule (87 FR 46370) 
are more representational of what we anticipate participation will look 
like when the Prior Authorization API and associated Electronic Prior 
Authorization measure provisions are implemented given that these 
estimates are based on pre-pandemic participation data from CY 2019. 
Therefore, we maintain that an estimated 54,770 individual or group 
MIPS eligible clinicians will submit an attestation for the Electronic 
Prior Authorization measure under the MIPS Promoting Interoperability 
performance category for the CY 2027 performance period/2029 MIPS 
payment year. The 54,770 is the sum of the 43,117 individual MIPS 
eligible clinicians, 11,633 groups, and 20 subgroups estimated to 
submit MIPS Promoting Interoperability performance data. The ICRs 
currently approved under OMB control number 0938-1314 are approved 
through January 31, 2025.
     The FY 2024 IPPS/LTCH proposed rule uses mean hourly wage 
estimates (88 FR 27204), consistent with this final rule and the CMS 
Interoperability and Patient Access final rule (85 FR 25605). For 
purposes of clarification, we have provided both mean and median 
estimates.
    ++ For eligible hospitals and CAHs, the total cost is $1,741 (4,500 
hospitals and CAHs x \1/2\ minute x $46.42 per hour), which equals 
$0.002 million as shown in Table J9. This rounds to $0.0 million. 
Calculations using the median instead of the average after rounding are 
identical. This shows that the bottom-line rounded figure would not 
change if we used the median instead of the average. The entries in 
Table J9 are rounded numbers while the actual dollar amounts are 
provided in Table J8.
    ++ For MIPS eligible clinicians, the total cost is $21,186 (54,770 
clinicians x \1/2\ minute x $46.42 per hour). Since Table J9 relates to 
Table K6 in the RIA, we expressed the $21,186 using RIA accounting 
standards, which require rounding to the nearest tenth of a million. It 
follows that $21,186 is equivalent to $0.021 million, as shown in Table 
J9. This value is rounded to $0.0 in the RIA.
    Comment: A commenter stated the calculation for the aggregate 
estimates for the Electronic Prior Authorization measure costs is 
unreasonable and lacks a reasonable basis. This commenter stated there 
is no way for an employee to run a report in half a minute, as logging 
into the computer system with two-factor authentication alone can take 
1 to 2 minutes. The commenter stated getting to the report in the EHR 
can take \1/2\ to 1 minute and running a large report can easily take 
\1/2\ to 2 minutes. The report then needs to be verified and 
transmitted. The commenter stated instead of half a minute, the process 
is closer to 5 to 10 minutes. Another commenter stated that the 
analysis does not account for the payer burden of connecting and 
testing with all EHRs and practice management systems, specifically the 
high costs and time commitments. The commenter requested CMS's 
clarification on whether payers are only required to share with EHR 
systems certified under the ONC Health IT Certification Program.
    Response: We appreciate concerns about the timing for reporting but 
respectfully disagree, particularly because we have modified the 
reporting specifications for the Electronic Prior Authorization 
measure. We are finalizing this measure with modifications such that, 
beginning with the CY 2027 performance period/2029 MIPS payment year 
and the CY 2027 EHR reporting period, a MIPS eligible clinician, 
eligible hospital, or CAH will report a ``yes'' or ``no'' response for 
the Electronic Prior Authorization measure or claim an exclusion, 
instead of a numerator and denominator measure as originally proposed. 
If the MIPS eligible clinician, eligible hospital, or CAH does not 
report a ``yes'' response for the Electronic Prior Authorization 
measure or claim an exclusion, they will receive a zero score for the 
MIPS Promoting Interoperability performance category or the Medicare 
Promoting Interoperability

[[Page 8956]]

Program, respectively. We are finalizing reporting of the Electronic 
Prior Authorization measure as an attestation (yes/no) measure 
beginning with the CY 2027 performance period/2029 MIPS payment year 
and the CY 2027 EHR reporting period. With these modifications, 
completing and reporting the attestation for the Electronic Prior 
Authorization measure will not take 10 minutes, but significantly less 
time to enter into the reporting system. We are explicitly describing 
time spent reporting the Electronic Prior Authorization measure in this 
final rule, and half a minute is more representational for reporting a 
single attestation measure. The entire reporting process for these 
programs may take longer to complete, for example, 5-to-10 minutes. The 
amount of time it takes to report data to CMS is dependent on whether 
the person reporting the data needs to establish their account 
credentials, the amount of data being reported, and the method through 
which the data is being submitted. However, this calculation does not 
intend to calculate the amount of time it takes to conduct the entire 
process or report all performance data, rather it is solely evaluating 
the estimated amount of time a person would spend on reporting the 
Electronic Prior Authorization measure.
    We also acknowledge this commenter's concern about the basis for 
the aggregate estimates for the Electronic Prior Authorization measure. 
However, this commenter did not provide additional data to which we 
could compare our estimates. Furthermore, we disagree with the 
commenter as we used information from other interested parties as well 
as studies to determine that the cost savings will be substantial after 
a period of years because of the improvements in the prior 
authorization process for reducing manual effort and delays in 
services.
    We did not receive any other comments on this section of the rule. 
After consideration of public comments, we are finalizing the estimates 
without modification.

D. Summary of Information Collection Burdens

    We have explained the costs of individual provisions in this 
section. Table J9 summarizes costs for the first and subsequent years 
of these provisions and is based on the following assumptions:
     Modified compliance dates for the policies in this final 
rule that require API development or enhancement, Medicare Promoting 
Interoperability Program, and MIPS Promoting Interoperability 
performance category until the CY 2027 performance period/2029 MIPS 
payment year or CY 2027 EHR reporting period to give 3 years (36 
months) for appropriate implementation activities.
     Maintenance costs for the three APIs are, as indicated in 
the tables of this section, assumed to be 25 percent of total costs; 
these maintenance costs will be incurred in CY 2027 and subsequent 
years.
     Certain provisions will be effective in January 2026; 
thus, no costs are reflected from 2023 through 2025. However, for the 
building of the API systems, we assume impacted payers will be 
performing these updates in CY 2024 through 2026 to be prepared for the 
CY 2027 compliance date.
     Labor costs in Table J9 are either BLS wages when a single 
staff member is involved or a weighted average representing a team 
effort, which is obtained by dividing the aggregate cost by the 
aggregate hours.
     Table J9 reflects the primary estimate. The full range of 
estimates for all provisions is presented in the RIA section of this 
final rule.
BILLING CODE 4150-28-P

[[Page 8957]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.022

BILLING CODE 4150-28-C

[[Page 8958]]

E. Conclusion

    The provisions of this final rule are expected to improve data 
sharing across impacted payers and providers by facilitating access, 
receipt, and exchange of patient data. We are committed to providing 
patients, providers, and payers with timely access to patient health 
information. We requested comments on our approaches for estimating 
cost burden and cost savings and received a few comments which have 
been incorporated herein.
    The requirements of this final rule are extensions of the 
requirements of the CMS Interoperability and Patient Access final rule 
(85 FR 22510). Therefore, the ICRs have been submitted to OMB for 
review and approval.

IV. Regulatory Impact Analysis

A. Statement of Need

    As described in prior sections of this final rule, the changes to 
42 CFR parts 422, 431, 435, 438, 440, and 457 and 45 CFR part 156 
further support CMS's efforts to empower patients by increasing 
electronic access to health care data, while keeping that information 
safe and secure. The provisions in this final rule build on the 
foundation we laid out in the CMS Interoperability and Patient Access 
final rule to move the health care system toward increased 
interoperability by enabling better data sharing capabilities of 
impacted payers, encouraging health care providers' use of new 
capabilities, and making health-related data more easily available to 
patients through standards-based technology.
    The provisions in this final rule place new requirements on MA 
organizations, state Medicaid and CHIP FFS programs, Medicaid managed 
care plans, CHIP managed care entities, and QHP issuers on the FFEs to 
further improve the electronic exchange of health-related data and 
streamline prior authorization processes. We believe these provisions 
will improve health information exchange and facilitate appropriate 
patient, provider, and payer access to health information via APIs, 
while the policies related to prior authorization should improve 
certain administrative processes. The final rule also adds a new 
attestation measure for eligible hospitals and CAHs under the Medicare 
Promoting Interoperability Program and for MIPS eligible clinicians 
under the MIPS Promoting Interoperability performance category.

B. Overall Impact

    We examined the impacts of this final rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), 
Executive Order 13563 on Improving Regulation and Regulatory Review 
(January 18, 2011), Executive Order 14094, entitled ``Modernizing 
Regulatory Review'' (April 6, 2023), the Regulatory Flexibility Act 
(RFA) (September 19, 1980, Pub. L. 96-354), Executive Order 13272 on 
Proper Consideration of Small Entities in Agency Rulemaking (August 13, 
2002), section 1102(b) of the Act, section 202 of the Unfunded Mandates 
Reform Act of 1995 (UMRA) (March 22, 1995, Pub. L. 104-4), and 
Executive Order 13132 on Federalism (August 4, 1999) and the 
Congressional Review Act (5 U.S.C. 804(2)).
    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health, and safety effects, distributive impacts, and equity). 
Executive Order 14094, entitled ``Modernizing Regulatory Review,'' 
amends section 3(f)(1) of Executive Order 12866 (Regulatory Planning 
and Review). The amended section 3(f) of Executive Order 12866 defines 
a ``significant regulatory action'' as an action that is likely to 
result in a rule: (1) having an annual effect on the economy of $200 
million or more in any 1 year (adjusted every 3 years by the 
Administrator of the Office of Information and Regulatory Affairs 
(OIRA) for changes in gross domestic product), or adversely affect in a 
material way the economy, a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or state, 
local, territorial, or tribal governments or communities; (2) creating 
a serious inconsistency or otherwise interfering with an action taken 
or planned by another agency; (3) materially altering the budgetary 
impacts of entitlement grants, user fees, or loan programs or the 
rights and obligations of recipients thereof; or (4) raise legal or 
policy issues for which centralized review would meaningfully further 
the President's priorities or the principles set forth in this 
Executive order, as specifically authorized in a timely manner by the 
Administrator of OIRA in each case.
    Based on our estimates, OMB's OIRA has determined this rulemaking 
to be significant per section 3(f)(1) as measured by having an annual 
effect of $200 million in at least 1 year, and hence is also a major 
rule under Subtitle E of the Small Business Regulatory Enforcement 
Fairness Act of 1996 (also known as the Congressional Review Act). 
Accordingly, we have prepared an RIA that, to the best of our ability, 
presents the costs and benefits of this final rule.
    These provisions will result in some financial burden for impacted 
payers and certain providers as discussed in section III. of this final 
rule. In the proposed rule, we weighed the potential burdens against 
the potential benefits and believe the benefits outweigh the costs (87 
FR 76340). Based on our estimates, the total burden across all 
providers would be reduced by at least 220 million hours over 10 years, 
resulting in a total cost savings of at least $16 billion over 10 years 
as seen in Table K6. We did not include these savings in the 10-year 
Summary Table (Table K9), nor in the Monetized Table (Table K11), as 
explained later on in this section of the final rule.
    Comment: Some commenters disagreed with CMS's calculated cost to 
implement the provisions outlined in the proposed rule and expressed 
that the actual cost will be much higher than estimated. A commenter 
stated that they fail to see how the estimated total burden across all 
providers would be reduced by the proposed rule's estimates of 206 
million hours resulting in the total cost saving of $15 billion that 
CMS asserted in the proposed rule.
    Response: While we appreciate that commenters do not concur with 
the cost estimates, we used the best available data to us at the time 
we developed the rule and made related assumptions about the reduction 
in hours for clerical, nursing, and provider staff as a result of the 
final policies. We are re-stating our assessments of those assumptions 
and calculations in this final rule. Though commenters and implementers 
did not submit new data for consideration, we did make a slight 
revision in the total cost savings to say ``at least $16 billion'' 
which includes adjustments of where some of the savings would occur. 
The potential savings are significant, and we firmly believe that the 
policies in this final rule will streamline operations, improve 
efficiencies, and pave the way for substantial changes in the way staff 
use technology to exchange data and conduct business, particularly for 
prior authorization. We welcome tangible data from commenters which we 
could use for comparative analysis of costs and savings.
    Comment: A commenter raised concerns with the impact analysis and 
cost calculations CMS included in the proposed rule, taking issue with 
CMS using data that includes the cost of all prior authorizations, 
which includes prescription drugs (accounting for 70 percent of prior 
authorizations), to

[[Page 8959]]

calculate the savings potential of the proposed rule, as the policies 
do not apply to all prior authorizations. The commenter stated that 
accurate calculations would likely reveal that the rule as proposed is 
too costly to implement unless CMS modifies it to include prior 
authorization for prescription drugs, as well as all health plans.
    Response: We emphasize that this rule does not apply to 
prescription drugs that may be self-administered, administered by a 
provider, or that may be dispensed or administered in a pharmacy or 
hospital, or OTC drugs. We explicitly note that estimates do not 
include all prior authorizations and that formulary prior 
authorizations are excluded from our calculation of savings. In 
addition, this rule does not apply to all health plans and services, 
but rather to certain impacted payers, including MA organizations, 
state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP 
managed care entities, and QHP issuers on the FFEs. We welcome 
alternative data to support further analysis and will continue to 
collect information as the final rule is implemented.

C. Regulatory Flexibility Act

    Executive Order 13272 requires that HHS thoroughly review rules to 
assess and take appropriate account of their potential impact on small 
businesses, small governmental jurisdictions, and small organizations 
(as mandated by the RFA). HHS considers a ``significant'' impact to be 
3 to 5 percent or more of the affected entities' costs or revenues. For 
background on the RFA references in the proposed rule, please see 87 FR 
76340.
    We confirm our analysis of the impacted entities as described in 
section IV.C. of this final rule.
1. Payers
    The 365 payer organizations will perform updates to systems to 
implement the required APIs and prepare for reporting requirements. As 
in the proposed rule, we use the term parent organizations in this 
final rule to refer to the impacted payers (87 FR 76238). The combined 
parent organizations administer MA plans, state Medicaid and CHIP FFS 
programs, Medicaid managed care plans, CHIP managed care entities, and 
QHP issuers on the FFEs.
    The North American Industry Classification System (NAICS) category 
relevant to these provisions is Direct Health and Medical Insurance 
Carriers, NAICS 524114, which has a $47.0 million threshold for small 
size. 75 percent of payers in this category have under 500 employees, 
thereby meeting the definition of small businesses.
    The 365 parent organizations, including state Medicaid and CHIP 
agencies, are responsible for implementing and maintaining three new 
APIs, updating policies and procedures to accommodate revised 
timeframes for making prior authorization decisions, and reporting 
certain metrics either to CMS or making information available to the 
public. We determined that state Medicaid and CHIP agencies, as well as 
many MA organizations, Medicaid managed care plans, CHIP managed care 
entities, and QHP issuers on the FFEs are not considered small 
entities. Furthermore, MA organizations and Medicaid managed care plans 
and CHIP managed care entities have many of their costs covered through 
capitation payments from the Federal Government, and thus we conclude 
there is no significant burden on small entities in this final rule.
    We are finalizing the provisions that require API development or 
enhancement as proposed. We also note that some QHP issuers on the FFEs 
will be able to apply for an exception to these requirements, and 
certain states operating Medicaid and CHIP FFS programs will be able to 
apply for an extension or exemption, under which they will not be 
required to meet the new provisions of this final rule that require API 
development or enhancement on the compliance dates, provided certain 
conditions are met, as discussed in section II.E. further mitigating 
potential burden for those payers.
a. Medicare Advantage
    On an annual basis, MA organizations estimate their costs for the 
upcoming year and submit bids and proposed plan benefit packages to 
CMS. Upon approval, the plan commits to providing the proposed 
benefits, and CMS commits to paying the plan either the full amount of 
the bid, if the bid is below the benchmark (a ceiling on bid payments 
annually calculated from Original Medicare data); or the benchmark 
amount, if the bid amount is greater than the benchmark. Thus, there is 
a cost to plans to bid above the benchmark that is not funded by 
government payments. Additionally, if an MA organization bids above the 
benchmark for any of its plans, section 1854 of the Act requires the MA 
organization to charge enrollees a premium for that amount. In the 
proposed rule, we provided a further explanation regarding MA 
organizations' bids and government payment processes for MA plans and 
MA plans with prescription drug coverage (MA-PDs) and refer readers to 
that discussion for additional detail (87 FR 76341).
    Table K1 reports the percentage of MA organizations bidding above 
the benchmark, along with the percentage of affected enrollees in 
recent years. This table reports aggregates of proprietary bid data 
collected by the Office of the Actuary (OACT). The CMS threshold for 
what constitutes a substantial number of small entities for purposes of 
the RFA is 3 to 5 percent. As shown in Table K1, both the percentage of 
plans and the percentage of affected enrollees are below this 3 to 5 
percent threshold. Consequently, we conclude that the number of plans 
bidding above the benchmark is not substantial for purposes of the RFA.

[[Page 8960]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.023

    The preceding analysis shows that meeting the direct costs of this 
final rule does not have a significant economic impact on a substantial 
number of small entities as required by the RFA.
    There are certain indirect consequences of the final policies, 
which will also have an economic impact. We explained that at least 98 
percent of MA organizations bid below the benchmark. Thus, we estimate 
that their projected costs for providing services to Medicare 
beneficiaries for the coming year are fully paid by the Federal 
Government. However, the government additionally pays the plan a 
``beneficiary rebate'' amount that is an amount equal to a percentage 
(between 50 and 70 percent, depending on a plan's quality rating) 
multiplied by the amount by which the benchmark exceeds the bid. The 
rebate is used to provide additional benefits to enrollees in the form 
of reduced cost-sharing or other supplemental benefits or to lower the 
Part B or Part D premiums for enrollees (supplemental benefits may also 
partially be paid by enrollee premiums). If the provisions of this 
final rule cause the MA organization's bids to increase and if the 
benchmark remains unchanged or increases by less than the bid does, the 
result will be a reduced rebate and, possibly fewer supplemental 
benefits, or higher premiums for the health plans' enrollees. However, 
as noted previously, the number of plans bidding above the benchmark to 
whom this burden applies does not meet the RFA criteria of a 
significant number of plans.
    It is possible that if the provisions of this final rule cause bids 
to increase, MA organizations will reduce their profit margins, rather 
than substantially change their benefit packages. This may be in part 
due to market forces; a plan lowering supplemental benefits even for 1 
year may lose enrollees to competing plans that offer these 
supplemental benefits. Thus, it can be advantageous to the plan to 
reduce profit margins, rather than reduce supplemental benefits. With 
this, plans would balance competitive pressures with profit targets 
immediately following a new regulation. As the regulations are 
typically finalized within a few months of the bid submission deadline, 
plans may have more time to enact strategies that do not require large 
benefit changes in subsequent years, such as negotiations for 
supplemental benefit offerings. However, it may be inappropriate to 
consider the relevant regulatory impacts (and thus the profit 
considerations) as temporary because the issuance of a series of 
regulations sustains the effects.\193\ As a result, changes in benefits 
packages may be plausible. We did not receive any comments on this 
section of the RIA regarding small entities, nor on our assumptions 
about the impact or the general summary of the structure for MA bids. 
We are therefore finalizing this analysis as is. Based on the 
previously discussed considerations, the Secretary has certified that 
this final rule will not have a significant impact on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \193\ See similar discussion in previous regulatory analyses: 
Contract Year 2023 Policy and Technical Changes to the Medicare 
Advantage and Medicare Prescription Drug Benefit Programs, 87 FR 
27704 (May 9, 2022). Retrieved from https://www.federalregister.gov/d/2022-09375; and Changes to the Medicare Advantage and the Medicare 
Prescription Drug Benefit Program for Contract Year 2021 and 2022, 
87 FR 22290 (April 14, 2022). Retrieved from https://www.federalregister.gov/d/2022-07642.
---------------------------------------------------------------------------

b. Medicaid and CHIP
    Title XIX of the Act established the Medicaid program as a Federal-
state partnership to provide and finance medical assistance to 
specified groups of eligible individuals. States claim Federal matching 
funds quarterly based on their program expenditures. Since states are 
not small entities under the RFA, we need not discuss the burden 
imposed on them by this final rule.
    Medicaid managed care plans and CHIP managed care entities receive 
100 percent capitation from the state; we expect that the projected 
costs associated with the provisions of this final rule will be 
included in their capitation rates. Consequently, we assert that there 
will be no substantial impact on a significant number of these 
entities.
    As discussed in section II.E. of this final rule for the provisions 
that require API development or enhancement, states operating Medicaid 
and CHIP FFS programs may apply for an extension of 1 year to come into 
compliance with the requirements of this final rule. These same 
organizations may also apply for an exemption from the requirements if 
certain conditions are met.
    Comments pertaining to the Medicaid and CHIP explanation of Federal 
matching funds are addressed in that section of this final rule, as are 
those related to the extension and exemption processes.
c. Qualified Health Plan Issuers on the Federally-Facilitated Exchanges
    Few, if any, QHP issuers on the FFEs are small enough to fall below 
the size thresholds for a small business established by the SBA. 
Consistent with previous CMS analysis in the SHOP/QHP final rule (78 FR 
33233), we estimated that any issuers considered small businesses would 
likely be subsidiaries of larger issuers that would not be considered 
small businesses (78 FR 33238), and thus would not share the same 
burdens as an independent small business. Therefore, even though QHP 
issuers do not receive Federal reimbursement for the costs of providing 
care, we do not conclude that there would be a significant small entity 
burden for these issuers. In addition, an exception process is 
available to QHP issuers on the FFEs, which could further help to 
address regulatory burden that could otherwise prohibit a QHP issuer 
from participating in an FFE.
    We did not receive any comments specific to the QHP summary section 
of this RFA. Comments related to the

[[Page 8961]]

exception process for QHPs are addressed in section II.E.
2. Providers
    In response to public comments on the December 2020 CMS 
Interoperability proposed rule (85 FR 82586), CMS proposed a new 
Electronic Prior Authorization measure for MIPS eligible clinicians 
under the MIPS Promoting Interoperability performance category, and for 
eligible hospitals and CAHs under the Medicare Promoting 
Interoperability Program. CMS proposed that the Electronic Prior 
Authorization measure would be required for MIPS eligible clinicians 
beginning with the CY 2026 performance period/2028 MIPS payment year 
and for eligible hospitals and CAHs beginning with the CY 2026 EHR 
reporting year. However, after consideration of substantial feedback 
from commenters described in section II.F. of this final rule, we are 
finalizing a modification to the Electronic Prior Authorization measure 
proposal. Rather than requiring MIPS eligible clinicians, eligible 
hospitals, and CAHs to report a numerator and denominator for the 
Electronic Prior Authorization measure, we are finalizing the measure 
structured as an attestation (yes/no) measure for both MIPS eligible 
clinicians, and eligible hospitals and CAHs. As an attestation measure, 
MIPS eligible clinicians, eligible hospitals, and CAHs will report a 
``yes'' or ``no'' response or report an applicable exclusion for the 
Electronic Prior Authorization measure. Additionally, we are finalizing 
that this measure will not be assigned points.
    For the MIPS Promoting Interoperability performance category, 
satisfactory performance on this measure can be demonstrated only by 
reporting a ``yes'' response or claiming an applicable exclusion. A 
``no'' response will result in the MIPS eligible clinician failing to 
meet the minimum reporting requirements, and therefore not being 
considered a meaningful EHR user for MIPS, as set forth in section 
1848(o)(2)(A) of the Act and defined at 42 CFR 414.1305, for the MIPS 
payment year. MIPS eligible clinicians that do not report a ``yes'' 
response or claim an applicable exclusion for the Electronic Prior 
Authorization measure as specified (that is, they do not submit the 
measure or report a ``no'' response on the attestation without claiming 
an applicable exclusion) will not earn a score for the MIPS Promoting 
Interoperability performance category (a score of zero for the 
category). A MIPS eligible clinician's score in the Promoting 
Interoperability performance category is generally worth 25 percent of 
their total final score for MIPS (42 CFR 414.1375(a); 414.1380(c)(1)).
    For the Medicare Promoting Interoperability Program, only a ``yes'' 
response on the attestation, or claim of an applicable exclusion, will 
fulfill the minimum requirements of this measure. A ``no'' response 
will result in the eligible hospital or CAH failing to meet the minimum 
program requirements, therefore not being considered a meaningful user 
of CEHRT, as defined in section 1886(n)(3) of the Act for an EHR 
reporting period (42 CFR 495.24(f)(1)(i)(A)). Eligible hospitals and 
CAHs that do not meet the minimum program requirements are subject to a 
downward payment adjustment.
    With regard to MIPS eligible clinicians, eligible hospitals, and 
CAHs, a discussion of the burden is provided in section III., and 
supporting data are shown in Table J8. As noted previously, we modified 
the provision for the Electronic Prior Authorization measure in this 
final rule based on comments indicating that the denominator 
calculation would impose a significant burden on providers. We have 
calculated the burden per individual provider at under $2.50 per year 
(\1/2\ minute of labor times an hourly wage of under $50).
    Based on all information provided herein, we conclude that the 
requirements of the RFA have been met by this final rule.
    We did not receive comments on this subject in the RFA. The 
modification to the Electronic Prior Authorization measure was not 
determined to have a significant financial effect on this RIA because 
there is no need to re-calculate the numerator and denominator and the 
information will be reported as an attestation. We are finalizing this 
section as is.

D. Unfunded Mandates Reform Act and Executive Order 13132 Requirements

    Section 202 of the UMRA also requires that agencies assess 
anticipated costs and benefits before issuing any rule whose mandates 
require spending in any 1 year of $100 million in 1995 dollars, updated 
annually for inflation. In 2023, that threshold is approximately $177 
million. This final rule will not impose an unfunded mandate that 
results in the expenditure by state, local, and tribal governments, in 
the aggregate, or by the private sector, of more than $177 million in 
any 1 year.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it publishes a final rule that imposes 
substantial direct costs on state and local governments, preempts state 
law, or otherwise has federalism implications. As previously outlined, 
while the provisions that require API development or enhancement will 
be a requirement for state Medicaid and CHIP agencies as described in 
this final rule, the cost per beneficiary for implementation is 
expected to be negligible when compared with the overall cost per 
beneficiary. The analysis we conducted did not consider Federal 
matching funds provided to state Medicaid and CHIP agencies, and the 
conclusion was the same: there is not expected to be a significant cost 
impact on state entities.
    For Medicaid and CHIP, we are unaware of any provisions in this 
final rule that conflict with state law, and no commenters raised a 
pre-emption issue other than the timeframe issue discussed later in 
this section. Therefore, we do not anticipate any preemption of state 
law. As discussed in section II.D. of this final rule, some state laws 
regarding timeframes for prior authorization decisions may be different 
than the provisions in this final rule. However, an impacted payer will 
be able to comply with both state and Federal requirements by complying 
with whichever imposes the shorter timeframe. We invited states to 
comment on the proposed rule if they believed that any proposal in this 
rule would conflict with state law. We received a few comments from 
states and other organizations regarding the preemption of state law 
regarding timeframes and addressed these comments regarding prior 
authorization decision timeframes and compliance with state law in 
section II.D. of this final rule.
    As noted previously in this section, we considered whether the 
provisions in this final rule imposed substantial costs on state or 
local governments, preempted state law, or had federalism implications 
and concluded that the rule does not. Therefore, the requirements of 
Executive Order 13132 are not applicable.

E. Regulatory Review Costs

    If regulations impose administrative costs on private entities, 
such as the time needed to read and interpret this final rule, we are 
required to estimate the cost associated with regulatory review. We 
modeled our estimates of this burden based on similar estimates 
presented in the CMS Interoperability and Patient Access final rule (85 
FR 25510). In the proposed rule, we cited three numbers that were 
needed to calculate this estimate: (1) number of staff per entity 
performing the reading; (2) number of hours of reading; and (3) number 
of entities reviewing the final

[[Page 8962]]

rule. We estimated a one-time aggregated total review cost of $1.3 
million ($128.71 x 10 hours of reading time x 500 entities x two staff 
per entity). We requested comments on our estimate and assumptions. 
However, we did not receive any comments. For further details on this 
matter, refer to the proposed rule at 87 FR 76343. Therefore, we are 
finalizing the analysis as presented.

F. Impact of Individual Proposals

    The provisions of this final rule all have information collection-
related burdens. This information is provided in Table J9 in section 
III. of this final rule. Table K2 provides a list of the ICRs by number 
and title, as well as the table numbers in which we provided an impact 
assessment.
[GRAPHIC] [TIFF OMITTED] TR08FE24.024

    Additionally, this RIA section provides an analysis of expected 
savings to providers arising from the replacement of paper documents 
related to prior authorization and other plan requirements with EHRs. 
Although these savings are neither included in the Monetized Table 
(Table K11) nor in the Summary Table (Table K9), we believe that these 
large savings are an important consideration in understanding this 
final rule. We have identified our assumptions for savings at the end 
of this section.
    Comment: Several commenters sought clarification regarding CMS's 
analysis of how the proposed rule would impact industry. Commenters 
stated that the discussion of the costs and benefits of the proposed 
rule was not specific enough and disagreed with CMS's claim that the 
benefits of the provisions are greater than the costs. Additionally, a 
commenter noted that the costs estimated in the proposed rule vastly 
underestimate the true cost of implementing and complying with the 
provisions. The commenters provided recommendations on certain concepts 
and ideas that CMS should take into consideration when assessing the 
regulatory impact of this rule.
    A few commenters expressed concerns over the calculations 
associated with prior authorization. For example, one commenter noted 
that CMS failed to account for the increase in prior authorization 
burden since the publication of the Casalino report in 2009. Another 
commenter noted that CMS failed to include a 2.5 percent fee for 
electronic prior authorization transactions and the costs healthcare 
providers expect to incur. A commenter agreed that some upfront costs 
would be incurred but noted that new burdens and costs would be imposed 
on payers, which must be considered. Another commenter noted that there 
is little to no quantitative or qualitative data to justify CMS's 
approach to calculating cost and savings associated with the provisions 
in this rule.
    Several commenters recommended that CMS work with payers and 
providers to develop protocols to help identify specific cost savings 
and efficiencies from automating the prior authorization process.
    Response: CMS bases the impact analysis on data we can obtain from 
past research and other available information. During development of 
the proposed rule, we made certain assumptions about implementation and 
development costs. However, based on the number of pilots in the launch 
phase, we are optimistic that we will have additional data following 
implementation. To the extent feasible, we encourage industry to share 
data with us, which would be subject to all requested confidentiality 
and proprietary protections afforded under the Freedom of Information 
Act.\194\ We will look for opportunities to engage with impacted 
entities to identify both cost savings and expenditures based on 
automation of prior authorization processes which would support the 
publication of the findings.
---------------------------------------------------------------------------

    \194\ Office of Information Policy, U.S. Department of Justice 
(n.d.). Freedom of Information Act Homepage. Retrieved from https://www.foia.gov/.
---------------------------------------------------------------------------

    Comment: A commenter noted that it is unrealistic for CMS to expect 
that industry can obtain the resources necessary to comply with these 
policies within the current budget year when the requirements will not 
be finalized until the final rule is issued. The commenter recommended 
that CMS revise the compliance dates for these provisions to be 36 
months after issuance of the final rule and scheduled on a date other 
than the end of a calendar year. Another commenter recommended that CMS 
reconsider the proposed timeline of certain provisions in the rule 
given the critiques on the RIA and consider reshaping this rule into a 
roadmap with milestones along the journey that would signal that a new 
requirement was ready for implementation. A commenter recommended that 
CMS adjust the RIA to account for changes in the FHIR-based standards 
and recommended IGs.
    Response: We appreciate concerns about implementation costs and 
timing, as they pertain to this impact analysis, for states which are 
dependent on state fiscal timelines for approvals and procurements. We 
also remind readers that some impacted payers may be eligible to apply 
for extensions, exceptions, and exemptions under certain circumstances, 
as described in section II.E. of this final rule. We believe that the 
finalized extensions,

[[Page 8963]]

exceptions, and exemptions will adequately address any contingencies 
faced by individual payers and other affected entities. Finally, as 
stated in section I.D. of this final rule, we are finalizing compliance 
dates in 2027 for the policies in this final rule that require API 
development or enhancement, in recognition of the need for analysis, 
procurement, training, testing, and development. We appreciate the 
commenter's feedback on updating our impact analyses to account for 
changes to the FHIR standards, specifications, and IGs. However, we 
disagree that updates to standards, specifications, and IGs should be 
accounted for in the impact analysis. Changes to standards, 
specifications, and IGs do not have any bearing on the calculation of 
an impact analysis. We acknowledge that it will be important for 
implementers to remain engaged in the HL7 workgroups and implementation 
forums. We are requiring entities to use certain IGs specified in this 
final rule and the ONC Cures Act final rule (85 FR 25642); those 
standards will remain consistent. Should there be updates to any of 
those standards or IGs, changes will be made available to implementers 
through SVAP, as they are tested and approved by ONC. Industry is 
strongly encouraged to participate in that process to ensure awareness 
and readiness, but we do not believe that the changes or process for 
those changes is of significance for the impact analysis.
    Finally, as discussed earlier in this final rule, some commenters 
wrote regarding the potential costs that might be passed on to 
providers from EHR vendors or payers for use of the APIs, in the form 
of user fees. We recognize that EHR vendors, providers, and payers have 
costs of doing business, particularly for the development and 
implementation of the APIs, as described in this RIA. We strongly 
encourage EHR vendors to only charge reasonable fees for any initial or 
periodic system configurations required to access payers' API 
endpoints. We did not include information regarding user fees for APIs 
in this impact analysis because of the lack of available data on the 
costs incurred between payers, developers, EHRs and providers. However, 
we are committed to monitoring and evaluating the expanding landscape 
of API usage and will consider opportunities to provide future guidance 
on this topic, to ensure that we can provide comprehensive and up-to-
date information for our industry partners.
    The Summary Table (Table K9) of this section, using Table J9 as a 
basis, provides a 10-year impact estimate. Table K9 includes impact by 
year, by type (parent organizations, including state Medicaid and CHIP 
agencies), as well as the cost burden to the Federal Government, 
allocations of cost by program, and payments by the Federal Government 
to MA organizations, Medicaid, and CHIP, as well as the premium tax 
credits (PTCs) paid to certain enrollees in the individual market.

G. Alternatives Considered

    We stated in the proposed rule that we are continuing to build on 
the efforts initiated with the CMS Interoperability and Patient Access 
final rule (85 FR 25510) and the work we have done to advance 
interoperability, improve care coordination, and empower patients with 
access to their data. This final rule covers several provisions aimed 
at achieving these goals. We described alternatives to our proposals in 
the proposed rule and the reasons we did not select them as proposed 
provisions. The details for each of those alternatives and the 
rationale behind not including them are available in the proposed rule 
at 87 FR 76344.
1. Alternatives Considered for the Patient Access API Enhancements
    We are finalizing modifications to our proposals to require payers 
to make enhancements to the Patient Access API, which was finalized in 
the CMS Interoperability and Patient Access final rule (85 FR 25510). 
We are requiring payers to make additional information available to 
patients through the Patient Access API and to report certain metrics 
about patient use of the Patient Access API to CMS annually. We 
considered several policy alternatives for the Patient Access API. 
These are described in the proposed rule at 87 FR 76344, and relevant 
comments regarding the Patient Access API are addressed in section 
II.A. of this final rule.
    Regarding reporting Patient Access API metrics, we considered 
requiring impacted payers to publicly report these metrics more 
frequently than annually. For example, we considered a quarterly 
requirement. Public comments on the December 2020 CMS Interoperability 
proposed rule (85 FR 82586) indicated a preference for less frequent 
reporting to reduce burden on payers. Annual statistics on such 
utilization should be sufficient to accomplish our goal of 
understanding patient utilization of the API. Comments regarding 
reporting on Patient Access API metrics are addressed in section II.A. 
of this final rule.
    The quantitative effect of quarterly reporting will likely not 
change the bottom line of $1.6 billion cost over 10 years shown in 
Table K9. However, we acknowledge it may change marginally to $1.7 
billion. As shown in the various tables of section III. of this final 
rule, the annual cost of reporting is estimated at $3.2 million based 
on hours of work required by a business operations specialist. If we 
required quarterly reporting this would quadruple the estimate or add 
about $10 million annually--or a little under $100 million over 10 
years. This would raise the $1.558 billion cost to at most $1.658 
which, when rounded, would be either $1.6 or $1.7 billion.
    We also considered earlier compliance dates for the proposed 
enhancements to the Patient Access API. In the proposed rule, we stated 
it would be more appropriate, and less burdensome on impacted payers to 
propose compliance dates for these provisions in 2026 (by January 1, 
2026, for MA organizations and state Medicaid and CHIP FFS programs; by 
the rating period beginning on or after January 1, 2026, for Medicaid 
managed care plans and CHIP managed care entities; and for plan years 
beginning on or after January 1, 2026, for QHP issuers on the FFEs), 
which would have provided a 2-year implementation timeframe. However, 
based on public comments, we are finalizing a compliance dates in 2027 
(by January 1, 2027, for MA organizations and state Medicaid and CHIP 
FFS programs; by the rating period beginning on or after January 1, 
2027, for Medicaid managed care plans and CHIP managed care entities; 
and for plan years beginning on or after January 1, 2027, for QHP 
issuers on the FFEs) for the policies in this final rule that require 
API development or enhancement. Additional information regarding the 
updated compliance dates for the APIs is available in sections I.D., 
II.A., II.B., II.C., and II.D. of this final rule.
    Had we implemented the rule a year earlier, the aggregate $1.6 
billion over 10 years would change to $1.7 billion over 10 years. The 
total cost for creating the various APIs would not change; rather, they 
would be apportioned over 2 years rather than 3 years. However, if we 
required compliance a year earlier, then the maintenance costs of $142 
million per year would begin in year 3 rather than in year 4. This 
would add an extra $142 million per year of cost raising the aggregate 
10-year cost of $1.55 billion to $1.69 billion or $1.7 billion after 
rounding.

[[Page 8964]]

2. Alternatives Considered for the Provider Access API
    To better facilitate the coordination of care across the health 
care continuum, we are finalizing our proposal to require impacted 
payers to implement and maintain a Provider Access API. This API will 
require payers to make available to certain providers the same types of 
data they make available to patients via the enhanced Patient Access 
API.
    As noted in the proposed rule at, we considered other data types 
that could be exchanged via the Provider Access API and considered only 
requiring the exchange of all data classes and data elements included 
in a content standard at 45 CFR 170.213 (USCDI) (87 FR 76345). While 
this would have required that less data be exchanged and, thus, be less 
burdensome for impacted payers to implement, we believed that claims 
and encounter information would complement the content standard and 
offer a broader and more holistic understanding of a patient's 
interactions with the health care system. Furthermore, the data that we 
proposed to be made available through the Provider Access API aligns 
with the data that we proposed to be made available to individual 
patients through the Patient Access API. We also considered including 
additional data elements as required for the Provider Access API, 
requiring a complete set of data available from the payer's system. 
However, we did not receive such suggestions from industry, including 
patients, and such a large volume of data types might have been 
overwhelming for providers, would have been an excessive cost, and 
would likely not have met minimum necessary provisions. A more robust 
description of the alternatives and our rationale for not selecting 
those are set out in the proposed rule (87 FR 76346). We did not 
receive comments specifically on the alternatives considered in this 
section. Other comments regarding the Provider Access API are addressed 
in section II.B. of this final rule.
3. Alternatives Considered for the Payer-to-Payer API
    We are finalizing our proposal to require impacted payers to 
implement and maintain a Payer-to-Payer API that makes certain data 
available to other payers via a FHIR API. This provision will make the 
same data that is being made available to patients and providers also 
available to other payers when a patient changes plans. This will allow 
patients to take their data with them as they move from one payer to 
another. Before finalizing this provision, we considered several 
alternative provisions which we described in detail in the proposed 
rule (87 FR 76346).
    For example, in the CMS Interoperability and Patient Access final 
rule, we finalized a policy to require payers to exchange data with 
other payers but did not require a specific mechanism for the payer to 
payer data exchange to occur. Rather, we required impacted payers to 
receive data in whatever format it was sent and accept data in the form 
and format it was received, which ultimately complicated implementation 
by requiring payers to accept data in different formats. The cost to 
implement these various formats cannot be calculated because there are 
endless possibilities and combinations of ways the data could have been 
exchanged under the previously finalized policy.
    Unlike the policy finalized in the CMS Interoperability and Patient 
Access final rule, the use of an API would reduce the amount of 
implementation cost needed for this data exchange. Importantly, for the 
Payer-to-Payer API, once an organization implements the other APIs of 
this final rule, less additional investment will be necessary to 
implement the payer to payer data exchange, as payers would be able to 
leverage the infrastructure already established for the Patient Access 
and Provider Access APIs. The updated background information for the 
recommended IGs is found in section II.G. and explains how the existing 
resources can be tailored to meet the provisions set out in this final 
rule. Given this available infrastructure and the efficiencies of 
sharing standardized data via the API, we determined it was most 
advantageous for payers to implement an API for this enhanced data 
exchange. We did not receive any comments on this section, but comments 
specific to the proposal for the Payer-to-Payer API are addressed in 
section II.C. of this final rule.
4. Alternatives Considered for the Prior Authorization API and Other 
Prior Authorization Process Requirements
    We are finalizing our proposals for several important policies to 
improve the prior authorization process, which we described in the 
proposed rule (87 FR 76346). Our final policy to require that all 
impacted payers implement and maintain a Prior Authorization API will 
ultimately help patients receive the items and services they need in a 
timely fashion, and support streamlined communication between providers 
and payers. The Prior Authorization API aims to improve care 
coordination by providing more structured information about when a 
prior authorization is required, information that is required to 
approve a prior authorization, and facilitating electronic prior 
authorization. The API will be accessible to providers to integrate 
directly into their workflow while maintaining compliance with the 
mandatory HIPAA transaction standard. The standards and IGs that 
support the development of this API are already being tested and 
piloted with some success between providers and payers, and we believe 
as enhancements to the IGs are made over the next few years, more 
organizations will see the benefit for their programs.
    As noted previously, we described our considerations for a phased 
approach, or partial implementation of the API over time, and explained 
why we did not propose those options. We did not receive comments in 
support of a partial implementation in part because of the risk that 
such an option might result in inconsistent implementations and 
increase burden for providers. As indicated, though quantitative data 
from current prior authorization pilots have been shared informally 
with the public, it has not yet been submitted to CMS for use in 
official evaluations or analysis. CMS anticipates receipt of the pilot 
results in CY 2024.
    Though we do not have specific data, we believe the quantitative 
effects of a phased in implementation option would be negligible. The 
total cost of developing the Prior Authorization API would not change; 
however, such an approach could mean delaying the 25 percent 
maintenance costs by 1 or 2 years, as well as the overall benefits of 
the API.
    We are finalizing our requirement that impacted payers publish 
certain data about their performance on prior authorization, on a 
public website, and though we considered options for this reporting, we 
believe in the first few years of program implementation it will be 
important to gather feedback from payers, providers and patients as to 
the usability of the information being made available before modifying 
the requirement. As explained in section II.D. of this final rule, CMS 
is committed to working with impacted entities on best practices for 
reporting.
    We considered using only the X12 278 transaction standard adopted 
under HIPAA rather than requiring the implementation of a FHIR API to 
support the Prior Authorization API. While the adopted X12 278 
transaction standard defines the content and format for the exchange of 
data for prior authorization, it does not have the

[[Page 8965]]

functionality of the FHIR standard or IGs to support the requirements 
of the Prior Authorization API. This includes the ability to 
accommodate all of a payers' business rules, indicate which supporting 
documents are required, create a questionnaire, and conduct an end-to-
end transaction via FHIR for real-time responses. We received 
confirmation through many comments that the X12 standard is not 
designed to enable using SMART on FHIR apps connected to the provider's 
EHR system, nor is it designed for the scope envisioned in this rule, 
including extraction of payer rules, a compilation of data into 
electronic-based questionnaires, or communication with EHRs. The 
substantive comments on this subject are addressed in section II.D. of 
this final rule.
    We are finalizing the operational, non-technical provisions related 
to prior authorization processes, including requirements for certain 
impacted payers to respond to expedited prior authorization requests 
within 72 hours, and to standard prior authorization requests within 7 
calendar days. We received many comments suggesting that the response 
timeframes be shortened because of the potential impact on patient 
care, and those comments are addressed in section II.D. of this final 
rule.
    Understanding the importance of providers and patients getting 
decisions as quickly as possible, we believe that the timeframes 
outlined in the proposed rule are a significant step to help increase 
reliability in the prior authorization process and establish clear 
expectations without being overly burdensome for payers.

H. Savings Through the Adoption of the Prior Authorization Provisions 
by Health Care Providers

1. Overview
    As described in section II.D. of this final rule, we have finalized 
new requirements related to prior authorization for impacted payers, 
and in section II.F. of this final rule, we described a new Electronic 
Prior Authorization measure and the associated reporting requirements 
for MIPS eligible clinicians, eligible hospitals, and CAHs.
    In section III.C. of this final rule, we discussed the ICRs 
regarding cost estimates for reporting and the potential burden 
specifically for the MIPS eligible clinicians, eligible hospitals, and 
CAHs. Here we address the anticipated cost savings of these provisions 
for the broader health care provider population, which is inclusive of, 
but not limited to the MIPS eligible clinicians, eligible hospitals, 
and CAHs.
    We believe that all health care providers can benefit from the 
provisions for impacted payers to implement the APIs in this final rule 
and base these cost-savings estimates over 10 years. We use the 
estimated total number of providers, with estimates described in this 
section of the final rule. To conduct this analysis, we used available 
resources and invited comments on our assumptions, the data, and our 
citations.
    The savings estimated in this final rule are true savings, not 
transfers, since they reflect savings in reducing the administrative 
costs required to process prior authorizations. However, these savings 
will be an indirect consequence of the final rule, not direct savings. 
This final rule supports efforts to significantly reduce time spent on 
manual activities. In general, it is only appropriate to claim that a 
regulatory provision's benefits are greater than its costs after a 
substantive and preferably quantitative, assessment of the pre-existing 
market failure and the provisions' suitability for addressing it. As a 
result of data limitations and other analytic challenges preventing 
such an assessment, the illustrative savings estimates are neither 
included in the Monetized Table (Table K11) nor the Summary Table 
(Table K9) of this final rule. Nevertheless, the savings could be 
significant, and we believe should be a factor in the industry's 
assessment of this final rule. In the proposed rule, we requested 
comments on how CMS might attribute savings benefits to avoid double-
counting, and how CMS could account for both costs and benefits from 
policy interactions but did not receive specific comments in response.
    We are only quantifying savings of reduced paperwork for health 
care providers. However, the improved efficiencies outlined in this 
rule have potential positive consequences, which could lead to savings. 
Several surveys by the AMA cited in section II.D. of this final rule, 
list adverse qualitative consequences of the current paper-based prior 
authorization system, including life-threatening adverse medical 
events, missed, or abandoned treatments, hospitalization, and permanent 
bodily damage, however, we do not have specific data related to 
outcomes.
2. Methodology for Savings Analysis
    The approach adopted in quantifying savings is to quantify those 
that we can reliably estimate and note that they are minimal savings. 
The provisions of this rule potentially affect individual physicians, 
physician groups, hospitals, and CAHs. However, for purposes of 
quantification, we initially estimate a reduced paperwork burden for 
individual physicians and physician groups, which shows a savings of 
several billion dollars over 10 years. We base the estimate on the 
number of hours per week spent on prior authorization, using 
information about individual physicians and physician groups from 
survey data we believe to be reliable (three surveys of several 
thousand groups from 2006, 2021, and 2022 cited in this section of the 
final rule). To calculate our estimates, we used the same physician 
information and made certain assumptions of its applicability to 
hospitals. The purpose of using this comprehensive provider information 
from three different periods was that no other comprehensive data set 
was available to identify savings from reduced paperwork. Our initial 
estimate was for savings of several billion dollars for individual 
physicians and physician groups.
    To estimate reductions in spending on paperwork for prior 
authorization for hospitals, we assumed that hospitals perform similar 
prior authorization activities to individual physicians and physician 
groups. We made this assumption because we do not have a basis for 
making a more accurate assumption; that is, we do not have survey data 
of similar quality for hospitals on the number of hours per week spent 
on prior authorization and the proportion of hours per week spent by 
physicians, nurses, and clerical staff.
    To support the assumptions on potential benefits for hospital prior 
authorization, we rely on data from previously published rules. To 
avoid repetition of numbers and sources we summarize all updates in 
this final rule, along with the estimates of the proposed rule, 
subtotals, and sources in Table K3. Throughout this section, numbers 
without specified sources, come from this table.
BILLING CODE 4150-28-P

[[Page 8966]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.025

BILLING CODE 4150-28-C
    To calculate the burden and savings for the final rule, we are 
using the data from the FY 2024 IPPS/LTCH proposed rule (88 FR 27205), 
FY 2024 OPPS proposed rule (88 FR 49552), and CY 2023 PFS proposed rule 
(87 FR 46370) rather than the CY 2023 PFS final rule (87 FR 69404) or 
CY 2024 PFS final rule (88 FR 78818), as these sources more accurately 
reflect the anticipated number of hospitals and providers impacted by 
our provisions beginning on January 1, 2027. We believe these sources 
are more reflective of the eligible hospitals and CAHs who will 
participate in the Medicare Promoting Interoperability Program and the 
MIPS eligible clinicians participating in the MIPS Promoting 
Interoperability performance category over time. We elected to use MIPS 
eligible clinician participation data from the CY 2023 PFS proposed 
rule, rather than the CY 2023 PFS final rule or CY 2024 PFS final rule, 
to estimate the number of MIPS eligible clinicians reporting MIPS 
Promoting Interoperability data to CMS because the 45 percent reduction 
in the estimated number of individual MIPS eligible clinicians 
reporting MIPS Promoting Interoperability data between the CY 2023 PFS 
proposed rule (based on CY 2019 participation data) and the CY 2023 PFS 
final rule (based on CY 2021 participation data) appear to be lower due 
to the effects of the COVID-19 PHE. Likewise, the number of individual 
MIPS eligible clinicians reporting MIPS Promoting Interoperability data 
as estimated in the CY 2024 PFS final rule (based on CY 2022 
participation data) remain impacted by the COVID-19 PHE,\195\ which 
formally ended on May 11, 2023. We do not believe this reduction in 
MIPS eligible clinicians reporting MIPS Promoting Interoperability data 
will be persistent and believe it is reasonable that participation 
numbers in future years may revert to their former levels (before the 
COVID-19 PHE).
---------------------------------------------------------------------------

    \195\ U.S. Department of Health and Human Services (2023, May 
9). Fact Sheet: End of the COVID-19 Public Health Emergency. 
Retrieved from www.hhs.gov. https://www.hhs.gov/about/news/2023/05/09/fact-sheet-end-of-the-covid-19-public-health-emergency.html.
---------------------------------------------------------------------------

    Additionally, we modified another assumption for this final rule, 
acknowledging an increase in hours spent on prior authorization from 13 
hours per week spent on prior authorization in 2021 to 14 hours per 
week spent on prior authorization in 2022. We did so using AMA survey 
data results which we believe are more reasonable. This change in data 
encouraged us to update our estimations accordingly.
    To account for these changes, and to avoid injecting our own 
subjective

[[Page 8967]]

biases on the changes, we have included calculations using both years 
of the AMA prior authorization survey data. The two total savings 
estimates are based on the AMA prior authorization survey data, one 
using 2021 survey data and the other using 2022 survey data, which 
differed by about 10 percent. Both resulted in estimated savings of 
several billion dollars over 10 years. The amount and effect of these 
changes as well as the deviation from the proposed rule estimates are 
set out below.
    Additionally, given that estimates for MIPS eligible clinicians 
reporting MIPS Promoting Interoperability data in the CY 2023 PFS final 
rule were based on CY 2021 participation data collected during the 
COVID-19 PHE, we are using data published in the CY 2023 PFS proposed 
rule as cited in Table K3 for our calculations. We believe that this is 
reasonable because the MIPS eligible clinician estimates from the CY 
2023 PFS proposed rule are based on pre-pandemic participation data 
from CY 2019. As noted previously, we do not believe the reductions in 
participation in the MIPS Promoting Interoperability performance 
category will continue long term. We believe it reasonable to assume 
that participation numbers will continue to increase, at a minimum, by 
the compliance dates for the policies that require API development or 
enhancement (beginning on January 1, 2027).
3. Physicians and Hospitals
    The approach presented in the proposed rule, and finalized here, 
computes aggregate savings for physician or group physician practices 
by first estimating the savings for a single individual physician or 
group physician practice based on supporting surveys, and then 
multiplying this single savings by the number of practices. Using the 
updated numbers from Table K3 results in savings of at least $15.8 
billion over 10 years for individual and physician groups.
    We assume hospitals are conducting the prior authorization process 
in a manner similar to physicians. Thus, the individual physician and 
group physician practices would save at least $15.8 billion over 10 
years, as shown in Table K6, and the combined physician practices and 
hospitals (207,515 practices consisting of 199,543 individual physician 
and group physician practices plus 7,972 hospitals and CAHs) would save 
at least $16.5 billion (207,515/199,543 x $15.8 billion). To the 
nearest billion, both $15.8 and $16.5 round to $16 billion. The 
numerical savings are the same whether we include or exclude hospitals.
4. Base Estimates of Paperwork Savings to Providers
    In calculating the potential savings, uncertainties arise in four 
areas. The result of this illustrative analysis is that we find a 
minimal potential savings point estimate of $15 billion (using 2021 AMA 
prior authorization survey data) and $16 billion (using 2022 AMA prior 
authorization survey data) over 10 years. To provide credibility to 
this savings analysis we have, where we lacked better data, 
underestimated any unknown quantities with minimal estimates and 
additionally studied the effect of a range of estimates.
    In the next few paragraphs, we summarize the four uncertainties and 
indicate how we approached the estimation. We refer readers to a more 
detailed discussion of these assumptions in the proposed rule (87 FR 
76348). We received one comment on the quantitative estimate for 
providers and have responded to that comment elsewhere in the final 
rule. However, because no additional data was provided, we are not 
changing general assumptions in this final rule, except that we are 
updating numbers based on Table K3.
a. Assumptions on the Relative Proportion of Current Workload Hours and 
Costs by Staff for Prior Authorization
     For labor costs, we used the mean hourly wages from the 
BLS.
     For total hours spent per week on prior authorization by 
staff overall we use the latest 2022 AMA survey (Table K3) rather than 
the estimate used in the proposed rule, which was based on the 2021 AMA 
prior authorization survey.
     For the estimates of the current proportions by the staff 
of paperwork involved in prior authorization processes, the type of 
staff involved, and the type of physician offices, we used numbers in a 
survey presented by Casalino et al. (2009),\196\ which gave a detailed 
analysis based on a validated survey instrument employed in 2006. By 
dividing, for each staff type, the total prior authorization time spent 
per week across all physician practices, over the total prior 
authorization time spent across all practices and all staff types, we 
obtained the proportion of time each staff type spent per week on prior 
authorization. These proportions were applied to the updated total time 
per week spent on prior authorization as given in Table K3.
---------------------------------------------------------------------------

    \196\ Casalino, L.P., Nicholson, S., Gans, D., Hammons, T., 
Morra, D., Karrison, T., & Levinson, W. (May 2009). What Does It 
Cost Physician Practices to Interact with Health Insurance Plans? 
Health Affairs, 28(4): w533-w543. doi: 10.1377/hlthaff.28.4.w533.
---------------------------------------------------------------------------

    The updated results are presented in Table K4 which shows that 
individual and group physician practices annually used, on average, at 
least 728 hours per year at a cost of at least $52,642 on prior 
authorization.
[GRAPHIC] [TIFF OMITTED] TR08FE24.026


[[Page 8968]]


    Here, we provide information on the row on registered nurses for 
demonstration purposes. Registered nurses are estimated to spend at 
least 9 hours per week on prior authorization, and hence, spend 467.5 
hours per year (9 hours per week x 52 weeks per year). By multiplying 
the 467.5 hours per year spent on prior authorization by the mean wages 
per hour for registered nurses, $76.94, obtained from the BLS, we 
obtain an aggregate annual cost of $35,969 for registered nurses 
dealing with prior authorization. The other rows are interpreted 
following the same process.
b. Assumptions on the Total Number of Individual and Group Physician 
Practices
    Table K4 presents the current hour and dollar burden for a single 
physician group and single physician office. To obtain the aggregate 
annual burden of prior authorizations for all physician practices, we 
use the data in Table K3, which includes a reference to 199,543 total 
individual and group physician practices. This number is used to inform 
Table K6 which represents a 10-year summary of annual costs.
c. Assumptions on the Reduction in Hours Spent on Prior Authorization 
as a Result of the Provisions of This Final Rule
    Table K4 provides current hours spent on prior authorizations. To 
calculate potential savings, we assume how much these hours will be 
reduced as a result of the provisions of this final rule.
    A detailed discussion driving our assumptions was presented in the 
proposed rule (87 FR 76350). Based on the provisions in this final 
rule, we assume that physicians, nurses, and clerical staff will reduce 
the time they spend on prior authorization by 10 percent, 50 percent, 
and 25 percent respectively. Having received no comments on our 
estimates, we have retained these estimates for purposes of the final 
calculations. The savings, updated with the numbers from Table K3, is 
presented in Table K5.
    The narrative following Table K5 presents the total 10-year savings 
with different reduction assumptions; however, these different 
reduction assumptions do not materially change the range of estimates.
[GRAPHIC] [TIFF OMITTED] TR08FE24.027

    To provide an explanation of Table K4, we use registered nurses as 
an example. registered nurses spend 467.5 hours per year on prior 
authorization (see Table K3). If we assume that registered nurses, as a 
result of the finalized provisions of this rule, reduce the number of 
hours per week by 50 percent (about half a day, or 4 hours, per week) 
then they would save 233.7 hours per year (50 percent x 467.5 hours). 
Multiplying the hours saved, 233.7 hours, by the mean hourly wage for 
registered nurses, $76.94, the annual aggregate savings per physician 
practice is $17,984. The other rows may be interpreted similarly.
d. Assumptions on the Number of Individual and Group Physician 
Practices Adopting the Provisions of This Final Rule
    As in the proposed rule, we are not assuming that over 10 years all 
199,543 individual and group physician practices would adopt the 
provisions outlined in this final rule. Instead, we assume the 
following:
     Because of the payment consequences for not adopting the 
provisions of this final rule, we assume all 54,770 MIPS eligible 
clinicians (individual and group), a subset of the 199,543 estimated 
individual and group physician practices, would adopt the provisions in 
this rule in CY 2027 (the first year for payer compliance). This 
assumption of compliance by all MIPS eligible clinicians (individual 
and group) in the first year of payer compliance is consistent with the 
assumptions in the proposed rule (87 FR 76351).
     As in the proposed rule, by 2036, we assume 50 percent of 
all individual and physician practices will adopt the provisions of 
this final rule. The reasons for this assumption are fully discussed in 
the proposed rule (87 FR 76351). However, we acknowledge that 78 
percent of providers have adopted EHRs, in part to meet ONC 
requirements.\197\ Therefore, this estimate of 50 percent is already an 
underestimate of the percent of individual and physician practices who 
would adopt and benefit from the provisions of this rule.
---------------------------------------------------------------------------

    \197\ Office of the National Coordinator for Health Information 
Technology (n.d.). National Trends in Hospital and Physician 
Adoption of Electronic Health Records. Retrieved from https://
www.healthit.gov/data/quickstats/national-trends-hospital-and-
physician-adoption-electronic-health-
records#:~:text=Office%20of%20the%20National%20Coordinator,IT%20Quick
%2DStat%20%2361.&text=As%20of%202021%2C%20nearly%204,%25)%20adopted%2
0a%20certified%20EHR.
---------------------------------------------------------------------------

     We do not assume a constant increase per year but rather a 
gradual increase per year, starting with the participation of 54,770 
MIPS eligible clinicians in 2027 and growing exponentially to 99,772 
(50 percent of 199,543) individual and physician group practices in 
2036.
    Applying these assumptions, based on the 2022 estimates results (as 
shown in

[[Page 8969]]

Table K6), is at least a $15.8 billion ($15,829.3 million) savings over 
10 years for individual and group physician practices. If we include 
hospitals by increasing the amount by 4 percent, the estimate would be 
at least $16.5 billion ($16,461.7 million). The estimate rounded to the 
nearest billion is at least $16 billion. Had we used the 2021 estimates 
we would obtain $15 billion in savings.
    This $16 billion revised estimate differs from the $15 billion 
estimate presented in the proposed rule is due to the change noted in 
Table K3: a 7.7 percent increase in hours per week spent on prior 
authorization (14 hours in 2022 versus 13 hours in 2021 based on the 
AMA survey). This result is consistent with comments from industry who 
thought our estimates were too low regarding the impact of prior 
authorization on practices and hospitals. After adjusting for this 
change estimate, and as noted in Tables K4 and K5, we obtain the 
additional savings potential. Note that the range of savings based on 
different assumptions of savings per staff, $13 to $20 billion over 10 
years, still includes the estimate of $15 billion as noted in the 
proposed rule.
[GRAPHIC] [TIFF OMITTED] TR08FE24.028

    The headers of Table K6 show the logic and sources of the column 
entries. The reduced hours per year per practice spent on prior 
authorization for 2027 is calculated as shown here: 16.1 million hours 
equals 294 hours per year per practice x 199,543 practices x 27.45 
percent participation. Similarly, the dollar savings per year per 
practice resulting from reduced time spent on prior authorization, 
$21,026, obtained from Table K5, when multiplied by 27.45 percent of 
all 199,543 group and physician practices yields $1.2 billion ($1,151.6 
million) reduced dollar spending in 2027.
    By summing the reduced hours and dollars per year we obtain an 
aggregate reduction of at least 220.97 million hours and at least $15.8 
billion ($15,829.3 million) in reduced spending on paperwork 
activities. Finally, by adding 4 percent of these numbers to account 
for hospitals, we obtain a total annual reduction of at least 229.27 
million hours and at least a $16.5 billion ($16,461.7 million) 
reduction.
    As in the proposed rule, we obtained a range of estimates by 
varying the assumptions of Table K5 which assume that physicians, 
nurses, and clerical staff save 10, 50, and 25 percent respectively. If 
we assume that all staff types uniformly reduce hours spent by 33 
percent, then dollar spending is reduced by $13.2 billion without 
hospitals to $13.7 billion with hospitals factored in over 10 years. If 
we assume that all staff types uniformly reduce hours spent by 50 
percent, then dollar spending is reduced by about $19.8 billion without 
hospitals to $20.6 billion with hospitals factored in. Thus, the range 
of savings, $10 billion to $20 billion presented in the proposed rule, 
is slightly narrowed in this final rule to $13 to $20 billion, 
including providers and hospitals.

I. Summary of Costs to the Federal Government

    In this section, we present a 10-year Summary Table of costs (Table 
K9), an analysis of Federal impacts, and the Monetized Table (Table 
K11).
    To analyze the cost of this final rule to the Federal Government, 
we utilize a method of allocating costs by program (MA, Medicaid, CHIP, 
and QHP issuers on the FFEs). As the cost is shared by the 365 parent 
organizations, including state Medicaid and CHIP agencies, there is no 
readily available way to allocate costs per parent organization across 
programs since the percentage of each parent organization's 
expenditures on the different programs is not publicly available.
    To address this, we utilize the same method used in the CMS 
Interoperability and Patient Access final rule (85 FR 25612). In that 
final rule, we used the public CMS Medical Loss Ratio (MLR) files, 
which break out total premiums among the various programs. The 
advantages and disadvantages of such an approach are fully discussed in 
that rule. Table K7 presents the 2021 MLR data of premiums by program 
and the resulting percentages by program. We use these percentages to 
allocate costs by program. This allocation of cost by program forms a 
basis to calculate the Federal Government's cost for the proposed 
provisions of this rule.

[[Page 8970]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.029

    To calculate Federal costs for MA organizations, we use the CMS 
internal data used to produce the CMS Trustees' Report. This internal 
data indicates that the Trust Fund will pay about 34 percent of plan 
costs over the next 10 years. The remaining costs (for the 98 to 99 
percent of plans bidding below the benchmark) are borne by the plans. 
Similarly, we can calculate the Federal Medicaid payments using the 
percentages in Table K8.
[GRAPHIC] [TIFF OMITTED] TR08FE24.030

    Table K8 is based on the most recent projections of the CMS OACT 
for the FY 2024 Budget.
    We illustrate the interpretation of the column by explaining the 
items in the 2025 column. The number at the bottom of the column, 65.40 
percent, answers the question ``What proportion of the interoperability 
systems costs for Medicaid is the Federal Government expected to pay?'' 
There are two components to this calculation.
    The first is the share of Medicaid managed care. Those costs are 
directly paid by the MCOs, which in turn would be expected to raise 
administrative costs for those plans. The Federal share of that is: 
Federal Medical Assistance Percentage (FMAP) \198\ x the managed care 
(MC) share of Medicaid; for 2025, this is 58.10 percent x 56.80 
percent. The second is the share of the FFS program costs. The FFS 
program side of Medicaid would have higher administrative costs. The 
Federal share of this would be 90 percent in year 1 and 75 percent 
after year 1. For 2025, this is equal to 75 percent x (1-56.8 percent). 
The sum of these two components, 58.10 percent x 56.80 percent + 75 
percent x (1-56.8 percent), equals 65.40 percent as shown in the bottom 
row. When we multiply, in Table K9, the total annual cost of 
interoperability for Medicaid by 65.40 percent we obtain the amount the 
Federal Government is expected to pay for the interoperability system 
costs for Medicaid.
---------------------------------------------------------------------------

    \198\ Federal Medical spending is determined by the amount that 
states spend. The Federal share for most health care services is 
determined by the FMAP. The FMAP is based on a formula that provides 
higher reimbursement to states with lower per capita incomes 
relative to the national average.
---------------------------------------------------------------------------

    It should be noted that although the compliance dates for policies 
in this final rule that do not require API development or enhancement 
are in 2026, and the compliance dates for policies that require API 
development or enhancement are in 2027. We expect plans to begin 
constructing software systems for the provisions that require API 
development or enhancement upon publication of this final rule.
    Based on the discussion presented in Tables K7 and K8, Table K9 
presents the calculation of all numerical impacts of this final rule by 
program, government, and QHP issuers on the FFEs.
BILLING CODE 4150-28-P

[[Page 8971]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.031

BILLING CODE 4150-28-C
    For Table K9:
     As explained in connection with Table J9 in the Collection 
of Information section, the data in Table K9 is based on 2027 
compliance dates for policies that require API development or 
enhancement and the Electronic Prior Authorization measure for MIPS and 
the Medicare Promoting Interoperability Program and compliance dates in 
2026

[[Page 8972]]

for the policies that do not require API development or enhancement.
     The bottom-line totals in the columns of Table J9 labeled 
``1st Year Cost'' through ``4th Year Cost'' are the totals found in the 
``Total Cost'' column of Table K9 in rows 2024 through 2027 
respectively. The totals in the column ``4th and Subsequent Year 
Costs'' in Table J9 are found in the rows labeled 2028 through 2033 in 
the ``Total Cost'' column of Table K9.
     The Total Cost to MIPS Eligible Clinicians, Eligible 
Hospitals and CAHs column reflects the aggregate cost of producing 
reports for MIPS eligible clinicians (including individual clinicians 
and groups), eligible hospitals, and CAHs, as found in Table J9 for 
years 2027 and further.
     The total 10-year cost (excluding PTC payments and savings 
from prior authorization) is, as shown in Table K9, $1.6 billion. This 
number uses the primary estimates for the provisions that require API 
development or enhancement. The low and high 10-year total costs are 
$0.8 billion and $2.3 billion, respectively.
     The Cost of Final Rule to Payers by Program columns: We 
applied the percentages from Table K7 to obtain the cost of the rule to 
payers by program (MA, Medicaid, CHIP, and QHP issuers on the FFEs).
     The Cost of Final Rule to Government by Program columns: 
For the QHP issuers on the FFEs, the government does not pay anything. 
For managed care the Government pays approximately 34 percent (the 
exact amount varying slightly from year to year and was obtained from 
projections by OACT). For Medicaid, we applied the percentages of 
payment by the Federal Government discussed in the narrative in Table 
K8 to obtain the cost by program.
     PTC Payments: The Government does not reimburse QHP 
issuers on the FFEs, neither prospectively nor retrospectively, for 
their expenses in furnishing health benefits. However, the government 
offers QHP enrollees PTCs to help cover the cost of premiums for the 
plans. QHP issuers on the FFEs have the option to deal with increased 
costs by either temporarily absorbing them (for purposes of market 
competitiveness--see, however, a caveat elsewhere in this RIA), 
increasing premiums to enrollees, or reducing non-essential health 
benefits. To the extent that issuers increase premiums for individual 
market QHPs on the FFEs, there would be Federal PTC impacts. The 
purpose of the PTC is to assist enrollees in paying premiums. Because 
PTC is available only if an individual purchases a QHP on an Exchange 
and the individual generally has a household income between 100 and 400 
percent of the Federal Poverty Level, the PTC estimates apply only to 
Exchange plans. Note, the Inflation Reduction Act of 2022 (IRA) \199\ 
extended the expanded PTC eligibility provision set forth in the 
American Rescue Plan Act of 2021 (ARP) through the 2025 plan year.
---------------------------------------------------------------------------

    \199\ H.R. 5376--117th Congress (2021-2022): Inflation Reduction 
Act of 2022 (2022, August 16). Retrieved from https://www.congress.gov/bill/117th-congress/house-bill/5376.
---------------------------------------------------------------------------

    In the PTC estimate, we have accounted for the fact that some 
issuers have both Exchange and non-Exchange plans, and some issuers 
have only non-Exchange plans. We reflected these assumptions with 
global adjustments, so we believe the estimates are reasonable in 
aggregate. Specifically, the methodology to estimate the PTC impact of 
the projected expense burden is consistent with the method used to 
estimate the PTC impact in the CMS Interoperability and Patient Access 
final rule (85 FR 25612). Within the FFE states, the estimated expense 
burden would impact premium rates in the individual market and is 
spread across both Exchange and non-Exchange plans. PTCs are only paid 
in the Exchanges and are calculated as a function of the second lowest-
cost silver plan and the eligible individual's household income. The 
estimate of these impacts uses the assumption that the industry would 
increase the second lowest-cost silver plan premium rate in the same 
amount as the overall premium rate increase. This assumption allows the 
application of the overall rate increase to the projected PTC payments 
in the FFE states to estimate the impact on PTC payments.
     The total cost to the government is the sum of payments 
related to each program. This payment is a transfer from the Government 
to payers for MA and Medicaid, CHIP, and QHP enrollees.
     For MA organizations, Medicaid and CHIP, the remaining 
costs are the difference between the total cost to payers and what the 
Federal Government pays. For the individual market, the remaining costs 
to payers would be the total cost absorbed by the payers and not passed 
on through premium increases. Since the PTC is paid on behalf of 
individuals and not the payers, it therefore does not reduce the 
expenses of the payers.
    The dollar savings from reduced paperwork burden for an increase in 
using electronic prior authorization (Tables K4 and K5) is not included 
in Table K9.
    Table K10 describes how the various plans (and states) would bear 
the costs remaining after federal payments. We follow the same 
methodology and discussion presented in the CMS Interoperability and 
Patient Access final rule (85 FR 25612). In the table we explain the 
possible ways payers may manage extra implementation costs. We 
emphasize that Table K10 only includes possibilities. The impacted 
payers would make decisions about how to defray these remaining costs 
based on market dynamics and internal business decisions; we have no 
uniform way of predicting what these actual behaviors and responses 
will be.

[[Page 8973]]

[GRAPHIC] [TIFF OMITTED] TR08FE24.032

     Individual Market Plans: Individual market plans have the 
option of absorbing costs or passing costs to enrollees in the form of 
higher premiums. In some cases, for reasons of market competitiveness, 
plans may absorb the increased costs rather than increase premiums.
     Medicaid and CHIP: Assuming roughly 71 million patients 
enrolled nationally (inclusive of state Medicaid and CHIP FFS programs, 
Medicaid managed care plans, and CHIP managed care entities), Medicaid 
and CHIP would see an added cost of under a dollar per beneficiary per 
year; this contrasts with a total cost per beneficiary per year for the 
Medicaid and CHIP programs of several thousand dollars.\200\
---------------------------------------------------------------------------

    \200\ Centers for Medicare and Medicaid Services Newsroom (2020, 
January 30). Medicaid Facts and Figures [verbar] CMS. Retrieved from 
https://www.cms.gov/newsroom/fact-sheets/medicaid-facts-and-figures.
---------------------------------------------------------------------------

     Medicare Advantage: In their bids (submitted in the month 
of June prior to the beginning of the coverage year), MA plans would 
address the reduced rebates (arising from increased bid costs due to 
the increased costs of this final rule being included in the bid) by 
either: temporarily absorbing costs by reducing profit margins, 
reducing the supplemental benefits paid for by the rebates, or raising 
enrollee cost-sharing or premium. We believe many plans, for 
competitive reasons, would choose to retain a zero-dollar premium 
increase and either absorb losses for 1 year or reduce rebate-funded 
supplemental benefits.
    We received no comments specific to Table K10 or the methods 
impacted payers will use to deal with the costs of this rule and are 
therefore finalizing it as is.

J. Accounting Statement and Table

    As required by OMB Circular A-4 (available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A4/a-4.pdf), the following table, Table K11, summarizes the 
classification of annualized costs associated with the provisions of 
this final rule for the 10 years, 2024 through 2033. This accounting 
table is based on Table K9 and includes the costs of this final rule to 
certain providers, including hospitals and CAHs, MA organizations, 
state Medicaid and CHIP programs, and QHP issuers on the FFEs. It does 
not include the potential savings from Table K6 arising from reduced 
burden due to providers, hospitals, and CAHs using electronic prior 
authorization. Minor discrepancies in totals reflect use of underlying 
spreadsheets, rather than intermediate rounded amounts. Table K11 is 
stated in 2023 dollars, with expected compliance dates in 2027 for the 
provisions of this final rule that require API development or 
enhancement.
[GRAPHIC] [TIFF OMITTED] TR08FE24.033


[[Page 8974]]


    In accordance with the provisions of Executive Order 12866, this 
final rule was reviewed by OMB.
    Chiquita Brooks-LaSure, Administrator of the Centers for Medicare & 
Medicaid Services, approved this document on January 12, 2024.

List of Subjects

42 CFR Part 422

    Administrative practice and procedure, Health facilities, Health 
maintenance organizations (HMO), Medicare, Penalties, Privacy, 
Reporting and recordkeeping requirements.

42 CFR Part 431

    Grant programs--health, Health facilities, Medicaid, Privacy, 
Reporting and recordkeeping requirements, State fair hearings.

42 CFR Part 435

    Aid to Families with Dependent Children, Grant programs--health, 
Medicaid, Notices, Reporting and recordkeeping requirements, 
Supplemental Security Income (SSI), Wages.

42 CFR Part 438

    Grant programs--health, Medicaid, Reporting and recordkeeping 
requirements.

42 CFR Part 440

    Grant programs--health, Medicaid.

42 CFR Part 457

    Administrative practice and procedure, Grant programs--health, 
Health insurance, Reporting and recordkeeping requirements.

45 CFR Part 156

    Administrative practice and procedure, Advertising, Brokers, 
Conflict of interests, Consumer protection, Grant programs--health, 
Grants administration, Health care, Health insurance, Health 
maintenance organizations (HMO), Health records, Hospitals, Indians, 
Individuals with disabilities, Intergovernmental relations, Loan 
programs--health, Medicaid, Organization and functions (Government 
agencies), Prescription drugs, Public assistance programs, Reporting 
and recordkeeping requirements, Technical assistance, Women, Youth.

    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services amends 42 CFR chapter IV and the Department of 
Health and Human Services amends 45 CFR part 156 as set forth below:

TITLE 42--PUBLIC HEALTH

PART 422--MEDICARE ADVANTAGE PROGRAM

0
1. The authority citation for part 422 continues to read as follows:

    Authority: 42 U.S.C. 1302, 1306, 1395w-22 through 1395w-28, and 
1395hh.


0
2. Section 422.119 is amended by--
0
a. In paragraph (b)(1)(ii), removing the word ``and'' at the end of the 
paragraph;
0
b. Revising paragraph (b)(1)(iii);
0
c. Adding paragraphs (b)(1)(iv) and (v); and
0
d. Revising paragraphs (c)(1), (c)(4)(ii)(C), (e)(2), (f), and (h).
    The revisions and additions read as follows:


Sec.  422.119  Access to and exchange of health data and plan 
information.

* * * * *
    (b) * * *
    (1) * * *
    (iii) All data classes and data elements included in a content 
standard in 45 CFR 170.213 that are maintained by the MA organization 
no later than 1 business day after the MA organization receives the 
data; and
    (iv) Beginning January 1, 2027, the information in paragraph 
(b)(1)(iv)(A) of this section about prior authorizations for items and 
services (excluding drugs, as defined in paragraph (b)(1)(v) of this 
section), according to the timelines in paragraph (b)(1)(iv)(B) of this 
section.
    (A) The prior authorization request and decision, including all of 
the following, as applicable:
    (1) The prior authorization status.
    (2) The date the prior authorization was approved or denied.
    (3) The date or circumstance under which the prior authorization 
ends.
    (4) The items and services approved.
    (5) If denied, a specific reason why the request was denied.
    (6) Related structured administrative and clinical documentation 
submitted by a provider.
    (B) The information in paragraph (b)(1)(iv)(A) of this section 
must--
    (1) Be accessible no later than 1 business day after the MA 
organization receives a prior authorization request;
    (2) Be updated no later than 1 business day after any status 
change; and
    (3) Continue to be accessible for the duration that the 
authorization is active and at least 1 year after the prior 
authorization's last status change.
    (v) Drugs are defined for the purposes of paragraph (b)(1)(iv) of 
this section as any and all drugs covered by the MA organization, 
including any products that constitute a Part D drug, as defined by 
Sec.  423.100 of this chapter, and are covered under the Medicare Part 
D benefit.
* * * * *
    (c) * * *
    (1) Must implement and maintain API technology conformant with 45 
CFR 170.215(a)(1), (b)(1)(i), (c)(1), and (e)(1);
* * * * *
    (4) * * *
    (ii) * * *
    (C) Using the updated version of the standard, implementation 
guide, or specification does not disrupt an end user's ability to 
access the data specified in paragraph (b) of this section or 
Sec. Sec.  422.120, 422.121, and 422.122 through the required APIs.
* * * * *
    (e) * * *
    (2) Makes this determination using objective, verifiable criteria 
that are applied fairly and consistently across all apps and developers 
through which parties seek to access electronic health information, as 
defined in 45 CFR 171.102, including but not limited to, criteria that 
rely on automated monitoring and risk mitigation tools.
    (f) Reporting on Patient Access API usage. Beginning in 2026, by 
March 31 following any calendar year that it offers an MA plan, an MA 
organization must report to CMS the following metrics, in the form of 
aggregated, de-identified data, for the previous calendar year at the 
contract level in the form and manner specified by the Secretary:
    (1) The total number of unique enrollees whose data are transferred 
via the Patient Access API to a health app designated by the enrollee.
    (2) The total number of unique enrollees whose data are transferred 
more than once via the Patient Access API to a health app designated by 
the enrollee.
* * * * *
    (h) Applicability. An MA organization must comply with the 
requirements of this section beginning in paragraphs (a) through (e) 
and (g) of this section beginning January 1, 2021, unless otherwise 
specified, and with the requirements in paragraph (f) of this section 
beginning in 2026, with regard to data:
    (1) With a date of service on or after January 1, 2016; and
    (2) That are maintained by the MA organization.

0
3. Section 422.121 is added to read as follows:


Sec.  422.121  Access to and exchange of health data for providers and 
payers.

    (a) Application programming interface to support data exchange from

[[Page 8975]]

payers to providers--Provider Access API. Beginning January 1, 2027, an 
MA organization must do the following:
    (1) API requirements. Implement and maintain an application 
programming interface (API) conformant with all of the following:
    (i) Section 422.119(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), (c)(1), and 
(d)(1).
    (2) Provider access. Make the data specified at Sec.  422.119(b) 
with a date of service on or after January 1, 2016, excluding provider 
remittances and enrollee cost-sharing information, that are maintained 
by the MA organization available to in-network providers via the API 
required in paragraph (a)(1) of this section no later than 1 business 
day after receiving a request from such a provider, if all the 
following conditions are met:
    (i) The MA organization authenticates the identity of the provider 
that requests access and attributes the enrollee to the provider under 
the attribution process described in paragraph (a)(3) of this section.
    (ii) The enrollee does not opt out as described in paragraph (a)(4) 
of this section.
    (iii) Disclosure of the data is not prohibited by other applicable 
law.
    (3) Attribution. Establish and maintain a process to associate 
enrollees with their in-network providers to enable data exchange via 
the Provider Access API.
    (4) Opt out and patient educational resources. (i) Establish and 
maintain a process to allow an enrollee or the enrollee's personal 
representative to opt out of the data exchange described in paragraph 
(a)(2) of this section and to change their permission at any time. That 
process must be available before the first date on which the MA 
organization makes enrollee information available via the Provider 
Access API and at any time while the enrollee is enrolled with the MA 
organization.
    (ii) Provide information to enrollees in plain language about the 
benefits of API data exchange with their providers, their opt out 
rights, and instructions both for opting out of data exchange and for 
subsequently opting in, as follows:
    (A) Before the first date on which the MA organization makes 
enrollee information available through the Provider Access API.
    (B) No later than 1 week after the coverage start date or no later 
than 1 week after receiving acceptance of enrollment from CMS, 
whichever is later.
    (C) At least annually.
    (D) In an easily accessible location on its public website.
    (5) Provider resources. Provide on its website and through other 
appropriate provider communications, information in plain language 
explaining the process for requesting enrollee data using the Provider 
Access API required in paragraph (a)(1) of this section. The resources 
must include information about how to use the MA organization's 
attribution process to associate enrollees with their providers.
    (b) Application programming interface to support data exchange 
between payers--Payer-to-Payer API. Beginning January 1, 2027, an MA 
organization must do the following:
    (1) API requirements. Implement and maintain an API conformant with 
all of the following:
    (i) Section 422.119(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (d)(1).
    (2) Opt in. Establish and maintain a process to allow enrollees or 
their personal representatives to opt into the MA organization's payer 
to payer data exchange with the enrollee's previous payer(s), described 
in paragraphs (b)(4) and (5) of this section, and with concurrent 
payer(s), described in paragraph (b)(6) of this section, and to change 
their permission at any time.
    (i) The opt in process must be offered as follows:
    (A) To current enrollees, no later than the compliance date.
    (B) To new enrollees, no later than 1 week after the coverage start 
date or no later than 1 week after receiving acceptance of enrollment 
from CMS, whichever is later.
    (ii) If an enrollee does not respond or additional information is 
necessary, the MA organization must make reasonable efforts to engage 
with the enrollee to collect this information.
    (3) Identify previous and concurrent payers. Establish and maintain 
a process to identify a new enrollee's previous and concurrent payer(s) 
to facilitate the Payer-to-Payer API data exchange. The information 
request process must start as follows:
    (i) For current enrollees, no later than the compliance date.
    (ii) For new enrollees, no later than 1 week after the coverage 
start date or no later than 1 week after receiving acceptance of 
enrollment from CMS, whichever is later.
    (iii) If an enrollee does not respond or additional information is 
necessary, the MA organization must make reasonable efforts to engage 
with the enrollee to collect this information.
    (4) Exchange request requirements. Exchange enrollee data with 
other payers, consistent with the following requirements:
    (i) The MA organization must request the data listed in paragraph 
(b)(4)(ii) of this section through the enrollee's previous payers' API, 
if all the following conditions are met:
    (A) The enrollee has opted in, as described in paragraph (b)(2) of 
this section.
    (B) The exchange is not prohibited by other applicable law.
    (ii) The data to be requested are all of the following with a date 
of service within 5 years before the request:
    (A) Data specified in Sec.  422.119(b) excluding the following:
    (1) Provider remittances and enrollee cost-sharing information.
    (2) Denied prior authorizations.
    (B) Unstructured administrative and clinical documentation 
submitted by a provider related to prior authorizations.
    (iii) The MA organization must include an attestation with this 
request affirming that the enrollee is enrolled with the MA 
organization and has opted into the data exchange.
    (iv) The MA organization must complete this request as follows:
    (A) No later than 1 week after the payer has sufficient identifying 
information about previous payers and the enrollee has opted in.
    (B) At an enrollee's request, within 1 week of the request.
    (v) The MA organization must receive, through the API required in 
paragraph (b)(1) of this section, and incorporate into its records 
about the enrollee, any data made available by other payers in response 
to the request.
    (5) Exchange response requirements. Make available the data 
specified in paragraph (b)(4)(ii) of this section that are maintained 
by the MA organization to other payers via the API required in 
paragraph (b)(1) of this section within 1 business day of receiving a 
request, if all the following conditions are met:
    (i) The payer that requests access has its identity authenticated 
and includes an attestation with the request that the patient is 
enrolled with the payer and has opted into the data exchange.
    (ii) Disclosure of the data is not prohibited by other applicable 
law.
    (6) Concurrent coverage data exchange requirements. When an 
enrollee has provided sufficient identifying information about 
concurrent payers and has opted in as described in paragraph (b)(2) of 
this section, an MA organization must do the following, through the API 
required in paragraph (b)(1) of this section:
    (i) Request the enrollee's data from all known concurrent payers as 
described

[[Page 8976]]

in paragraph (b)(4) of this section, and at least quarterly thereafter 
while the enrollee is enrolled with both payers.
    (ii) Respond as described in paragraph (b)(5) of this section 
within 1 business day of a request from any concurrent payers. If 
agreed upon with the requesting payer, the MA organization may exclude 
any data that were previously sent to or originally received from the 
concurrent payer.
    (7) Patient educational resources. Provide information to enrollees 
in plain language, explaining at a minimum: the benefits of Payer-to-
Payer API data exchange, their ability to opt in or withdraw that 
permission, and instructions for doing so. The MA organization must 
provide the following resources:
    (i) When requesting an enrollee's permission for Payer-to-Payer API 
data exchange, as described in paragraph (b)(2) of this section.
    (ii) At least annually, in appropriate mechanisms through which it 
ordinarily communicates with current enrollees.
    (iii) In an easily accessible location on its public website.

0
4. Section 422.122 is added to read as follows:


Sec.  422.122  Prior authorization requirements.

    (a) Communicating a reason for denial. Beginning January 1, 2026, 
if the MA organization denies a prior authorization request (excluding 
request for coverage of drugs as defined in Sec.  422.119(b)(1)(v)), in 
accordance with the timeframes established in Sec. Sec.  422.568(b)(1) 
and 422.572(a)(1), the response to the provider must include a specific 
reason for the denial, regardless of the method used to communicate 
that information.
    (b) Prior Authorization Application Programming Interface (API). 
Beginning January 1, 2027, an MA organization must implement and 
maintain an API conformant with Sec.  422.119(c)(2) through (4), (d), 
and (e), and the standards in 45 CFR 170.215(a)(1), (b)(1)(i), and 
(c)(1) that--
    (1) Is populated with the MA organization's list of covered items 
and services (excluding drugs, as defined in Sec.  422.119(b)(1)(v)) 
that require prior authorization;
    (2) Can identify all documentation required by the MA organization 
for approval of any items or services that require prior authorization;
    (3) Supports a Health Insurance Portability and Accountability Act 
(HIPAA)-compliant prior authorization request and response, as 
described in 45 CFR part 162; and
    (4) Communicates the following information about prior 
authorization requests:
    (i) Whether the MA organization--
    (A) Approves the prior authorization request (and the date or 
circumstance under which the authorization ends);
    (B) Denies the prior authorization request; or
    (C) Requests more information.
    (ii) If the MA organization denies the prior authorization request, 
it must include a specific reason for the denial.
    (5) In addition to the requirements of this section, an MA 
organization using prior authorization polices or making prior 
authorization decisions must meet all other applicable requirements 
under this part, including Sec.  422.138 and the requirements in 
subpart M of this part.
    (c) Publicly reporting prior authorization metrics. Beginning in 
2026, following each calendar year that it offers an MA plan, an MA 
organization must report prior authorization data, excluding data on 
drugs as defined in Sec.  422.119(b)(1)(v), at the MA contract level by 
March 31. The MA organization must make the following data from the 
previous calendar year publicly accessible by posting them on its 
website:
    (1) A list of all items and services that require prior 
authorization.
    (2) The percentage of standard prior authorization requests that 
were approved, aggregated for all items and services.
    (3) The percentage of standard prior authorization requests that 
were denied, aggregated for all items and services.
    (4) The percentage of standard prior authorization requests that 
were approved after appeal, aggregated for all items and services.
    (5) The percentage of prior authorization requests for which the 
timeframe for review was extended, and the request was approved, 
aggregated for all items and services.
    (6) The percentage of expedited prior authorization requests that 
were approved, aggregated for all items and services.
    (7) The percentage of expedited prior authorization requests that 
were denied, aggregated for all items and services.
    (8) The average and median time that elapsed between the submission 
of a request and a determination by the MA plan, for standard prior 
authorizations, aggregated for all items and services.
    (9) The average and median time that elapsed between the submission 
of a request and a decision by the MA plan for expedited prior 
authorizations, aggregated for all items and services.

0
5. Section 422.568 is amended by--
0
a. Revising paragraph (b)(1);
0
b. Redesignating paragraph (b)(2) as paragraph (b)(3);
0
c. Adding new paragraph (b)(2); and
0
d. In newly redesignated paragraph (b)(3), removing the phrase ``under 
the provisions in paragraph (b)(1)(i) of this section'' and adding in 
its place the phrase ``under the provisions in paragraph (b)(2) of this 
section.''
    The revision and addition read as follows:


Sec.  422.568  Standard timeframes and notice requirements for 
organization determinations.

* * * * *
    (b) * * *
    (1) Requests for service or item. Except as provided in paragraph 
(b)(2) of this section, when a party has made a request for an item or 
service, the MA organization must notify the enrollee of its 
determination as expeditiously as the enrollee's health condition 
requires but no later than either of the following:
    (i) For a service or item not subject to the prior authorization 
rules in Sec.  422.122, 14 calendar days after receiving the request 
for the standard organization determination.
    (ii) Beginning on or after January 1, 2026, for a service or item 
subject to the prior authorization rules in Sec.  422.122, 7 calendar 
days after receiving the request for the standard organization 
determination.
    (2) Extensions; requests for service or item--(i) Extension of 
timeframe on a request for service or item. The MA organization may 
extend the timeframe by up to 14 calendar days under any of the 
following circumstances:
    (A) The enrollee requests the extension.
    (B) The extension is justified and in the enrollee's interest due 
to the need for additional medical evidence from a noncontract provider 
that may change an MA organization's decision to deny an item or 
service.
    (C) The extension is justified due to extraordinary, exigent, or 
other non-routine circumstances and is in the enrollee's interest.
    (ii) Notice of extension. (A) When the MA organization extends the 
timeframe, it must--
    (1) Notify the enrollee in writing of the reasons for the delay; 
and
    (2) Inform the enrollee of the right to file an expedited grievance 
if the enrollee disagrees with the MA organization's decision to grant 
an extension.
    (B) The MA organization must notify the enrollee of its 
determination as expeditiously as the enrollee's health

[[Page 8977]]

condition requires, but no later than upon expiration of the extension.
* * * * *


Sec.  422.570  [Amended]

0
6. Section 422.570 is amended in paragraph (d)(1) by removing the 
phrase ``request to the standard timeframe and make the determination 
within the 72-hour or 14-day timeframe, as applicable, established'' 
and adding in its place the phrase ``request to a standard organization 
determination and make the determination within the applicable 
timeframe, established''.

0
7. Section 422.631 is amended by revising paragraphs (d)(2)(i)(B), 
(d)(2)(iv)(B)(1), and (d)(2)(iv)(B)(2)(i) to read as follows:


Sec.  422.631  Integrated organization determinations.

* * * * *
    (d) * * *
    (2) * * *
    (i) * * *
    (B) Except as described in paragraph (d)(2)(i)(A) of this section, 
the applicable integrated plan must send a notice of its integrated 
organization determination as expeditiously as the enrollee's health 
condition requires but no later than either of the following:
    (1) For a service or item not subject to the prior authorization 
rules in Sec.  422.122, 14 calendar days after receiving the request 
for the standard integrated organization determination.
    (2) Beginning on or after January 1, 2026, for a service or item 
subject to the prior authorization rules in Sec.  422.122, 7 calendar 
days after receiving the request for the standard integrated 
organization determination.
* * * * *
    (iv) * * *
    (B) * * *
    (1) Automatically transfer a request to the standard timeframe and 
make the determination within the applicable timeframe established in 
paragraph (d)(2)(i)(B) of this section for a standard integrated 
organization determination. The timeframe begins the day the applicable 
integrated plan receives the request for expedited integrated 
organization determination.
    (2) * * *
    (i) Explains that the applicable integrated plan will process the 
request using the timeframe for standard integrated organization 
determinations;
* * * * *

PART 431--STATE ORGANIZATION AND GENERAL ADMINISTRATION

0
8. The authority citation for part 431 continues to read as follows:

    Authority: 42 U.S.C. 1302.

0
9. Section 431.60 is amended by--
0
a. Revising paragraph (b)(3);
0
b. Adding paragraphs (b)(5) and (6);
0
c. Revising paragraphs (c)(1), (c)(4)(ii)(C), and (e)(2);
0
d. Removing paragraph (g);
0
e. Redesignating paragraph (f) as paragraph (g); and
0
f. Adding new paragraph (f) and paragraph (h).
    The revisions and addition read as follows:


Sec.  431.60  Beneficiary access to and exchange of data.

* * * * *
    (b) * * *
    (3) All data classes and data elements included in a content 
standard in 45 CFR 170.213 that are maintained by the State no later 
than 1 business day after the State receives the data; and
* * * * *
    (5) Beginning January 1, 2027, the information in paragraph 
(b)(5)(i) of this section about prior authorizations for items and 
services (excluding drugs as defined in paragraph (b)(6) of this 
section), according to the timelines in paragraph (b)(5)(ii) of this 
section.
    (i) The prior authorization request and decision, including all of 
the following, as applicable:
    (A) The prior authorization status.
    (B) The date the prior authorization was approved or denied.
    (C) The date or circumstance under which the prior authorization 
ends.
    (D) The items and services approved.
    (E) If denied, a specific reason why the request was denied.
    (F) Related structured administrative and clinical documentation 
submitted by a provider.
    (ii) The information in paragraph (b)(5)(i) of this section must--
    (A) Be accessible no later than 1 business day after the State 
receives a prior authorization request;
    (B) Be updated no later than 1 business day after any status 
change; and
    (C) Continue to be accessible for the duration that the 
authorization is active and at least 1 year after the prior 
authorization's last status change.
    (6) Drugs are defined for the purposes of paragraph (b)(5) of this 
section as any and all drugs covered by the State.
* * * * *
    (c) * * *
    (1) Must implement and maintain API technology conformant with 45 
CFR 170.215(a)(1), (b)(1)(i), (c)(1), and (e)(1);
* * * * *
    (4) * * *
    (ii) * * *
    (C) Using the updated version of the standard, implementation 
guide, or specification does not disrupt an end user's ability to 
access the data specified in paragraph (b) of this section or 
Sec. Sec.  431.61, 431.70, and 431.80, through the required APIs.
* * * * *
    (e) * * *
    (2) Makes this determination using objective, verifiable criteria 
that are applied fairly and consistently across all apps and developers 
through which parties seek to access electronic health information, as 
defined in 45 CFR 171.102, including but not limited to criteria that 
rely on automated monitoring and risk mitigation tools.
* * * * *
    (f) Reporting on Patient Access API usage. Beginning in 2026, by 
March 31 of each year, a State must report to CMS the following 
metrics, in the form of aggregated, de-identified data, for the 
previous calendar year at the State level in the form and manner 
specified by the Secretary:
    (1) The total number of unique beneficiaries whose data are 
transferred via the Patient Access API to a health app designated by 
the beneficiary; and
    (2) The total number of unique beneficiaries whose data are 
transferred more than once via the Patient Access API to a health app 
designated by the beneficiary.
* * * * *
    (h) Applicability. A State must comply with the requirements in 
paragraphs (a) through (e) and (g) of this section beginning January 1, 
2021, and with the requirements in paragraph (f) of this section 
beginning in 2026, with regard to data:
    (1) With a date of service on or after January 1, 2016; and
    (2) That are maintained by the State.

0
10. Section 431.61 is added to read as follows:


Sec.  431.61  Access to and exchange of health data for providers and 
payers.

    (a) Application programming interface to support data exchange from 
payers to providers--Provider Access API. Beginning January 1, 2027, 
unless granted an extension or exemption under paragraph (c) of this 
section, a State must do the following:
    (1) API requirements. Implement and maintain an application 
programming interface (API) conformant with all of the following:
    (i) Section 431.60(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), (c)(1), and 
(d)(1).
    (2) Provider access. Make the data specified in Sec.  431.60(b) 
with a date of

[[Page 8978]]

service on or after January 1, 2016, excluding provider remittances and 
beneficiary cost-sharing information, that are maintained by the State 
available to enrolled Medicaid providers via the API required in 
paragraph (a)(1) of this section no later than 1 business day after 
receiving a request from such a provider, if all the following 
conditions are met:
    (i) The State authenticates the identity of the provider that 
requests access and attributes the beneficiary to the provider under 
the attribution process described in paragraph (a)(3) of this section.
    (ii) The beneficiary does not opt out as described in paragraph 
(a)(4) of this section.
    (iii) Disclosure of the data is not prohibited by other applicable 
law.
    (3) Attribution. Establish and maintain a process to associate 
beneficiaries with their enrolled Medicaid providers to enable data 
exchange via the Provider Access API.
    (4) Opt out and patient educational resources. (i) Establish and 
maintain a process to allow a beneficiary or the beneficiary's personal 
representative to opt out of the data exchange described in paragraph 
(a)(2) of this section and to change their permission at any time. That 
process must be available before the first date on which the State 
makes beneficiary information available via the Provider Access API and 
at any time while the beneficiary is enrolled with the State.
    (ii) Provide information to beneficiaries in plain language about 
the benefits of API data exchange with their providers, their opt out 
rights, and instructions both for opting out of data exchange and for 
subsequently opting in, as follows:
    (A) Before the first date on which the State makes beneficiary 
information available through the Provider Access API.
    (B) No later than 1 week after enrollment.
    (C) At least annually.
    (D) In an easily accessible location on its public website.
    (5) Provider resources. Provide on its website and through other 
appropriate provider communications, information in plain language 
explaining the process for requesting beneficiary data using the 
Provider Access API required in paragraph (a)(1) of this section. The 
resources must include information about how to use the State's 
attribution process to associate beneficiaries with their providers.
    (b) Application programming interface to support data exchange 
between payers--Payer-to-Payer API. Beginning January 1, 2027, unless 
granted an extension or exemption under paragraph (c) of this section, 
a State must do the following:
    (1) API requirements. Implement and maintain an API conformant with 
all of the following:
    (i) Section 431.60(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (d)(1).
    (2) Opt in. Establish and maintain a process to allow beneficiaries 
or their personal representatives to opt into the State's payer to 
payer data exchange with the beneficiary's previous payer(s), described 
in paragraphs (b)(4) and (5) of this section, and with concurrent 
payer(s), described in paragraph (b)(6) of this section, and to change 
their permission at any time.
    (i) The opt in process must be offered as follows:
    (A) To current beneficiaries, no later than the compliance date.
    (B) To new beneficiaries, no later than 1 week after enrollment.
    (ii) If a beneficiary has coverage through any Medicaid MCO, 
prepaid inpatient health plan (PIHP), or prepaid ambulatory health plan 
(PAHP) within the same State while enrolled in Medicaid, the State must 
share their opt in permission with those MCO, PIHP, or PAHP to allow 
the Payer-to-Payer API data exchange described in this section.
    (iii) If a beneficiary does not respond or additional information 
is necessary, the State must make reasonable efforts to engage with the 
beneficiary to collect this information.
    (3) Identify previous and concurrent payers. Establish and maintain 
a process to identify a new beneficiary's previous and concurrent 
payer(s) to facilitate the Payer-to-Payer API data exchange. The 
information request process must start as follows:
    (i) For current beneficiaries, no later than the compliance date.
    (ii) For new beneficiaries, no later than 1 week after enrollment.
    (iii) If a beneficiary does not respond or additional information 
is necessary, the State must make reasonable efforts to engage with the 
beneficiary to collect this information.
    (4) Exchange request requirements. Exchange beneficiary data with 
other payers, consistent with the following requirements:
    (i) The State must request the data specified in paragraph 
(b)(4)(ii) of this section through the beneficiary's previous payers' 
API, if all the following conditions are met:
    (A) The beneficiary has opted in, as described in paragraph (b)(2) 
of this section, except for data exchanges between a State Medicaid 
agency and its contracted MCOs, PIHPs, or PAHPs, which do not require a 
beneficiary to opt in.
    (B) The exchange is not prohibited by other applicable law.
    (ii) The data to be requested are all of the following with a date 
of service within 5 years before the request:
    (A) Data specified in Sec.  431.60(b), excluding the following:
    (1) Provider remittances and enrollee cost-sharing information.
    (2) Denied prior authorizations.
    (B) Unstructured administrative and clinical documentation 
submitted by a provider related to prior authorizations.
    (iii) The State must include an attestation with this request 
affirming that the beneficiary is enrolled with the State and has opted 
into the data exchange.
    (iv) The State must complete this request as follows:
    (A) No later than 1 week after the payer has sufficient identifying 
information about previous payers and the beneficiary has opted in.
    (B) At a beneficiary's request, within 1 week of the request.
    (v) The State must receive, through the API required in paragraph 
(b)(1) of this section, and incorporate into its records about the 
beneficiary, any data made available by other payers in response to the 
request.
    (5) Exchange response requirements. Make available the data 
specified in paragraph (b)(4)(ii) of this section that are maintained 
by the State to other payers via the API required in paragraph (b)(1) 
of this section within 1 business day of receiving a request, if all 
the following conditions are met:
    (i) The payer that requests access has its identity authenticated 
and includes an attestation with the request that the patient is 
enrolled with the payer and has opted into the data exchange.
    (ii) Disclosure of the data is not prohibited by other applicable 
law.
    (6) Concurrent coverage data exchange requirements. When a 
beneficiary has provided sufficient identifying information about 
concurrent payers and has opted in as described in paragraph (b)(2) of 
this section, a State must do the following, through the API required 
in paragraph (b)(1) of this section:
    (i) Request the beneficiary's data from all known concurrent payers 
as described in paragraph (b)(4) of this section, and at least 
quarterly thereafter while the beneficiary is enrolled with both 
payers.
    (ii) Respond as described in paragraph (b)(5) of this section 
within 1 business day of a request from any concurrent payers. If 
agreed upon with the

[[Page 8979]]

requesting payer, the State may exclude any data that were previously 
sent to or originally received from the concurrent payer.
    (7) Patient educational resources. Provide information to 
applicants or beneficiaries in plain language, explaining at a minimum: 
the benefits of Payer-to-Payer API data exchange, their ability to opt 
in or withdraw that permission, and instructions for doing so. The 
State must provide the following resources:
    (i) When requesting a beneficiary's permission for Payer-to-Payer 
API data exchange, as described in paragraph (b)(2) of this section.
    (ii) At least annually, in appropriate mechanisms through which it 
ordinarily communicates with current beneficiaries.
    (iii) In an easily accessible location on its public website.
    (c) Extensions and exemptions--(1) Extension. (i) A State may 
submit a written application to request a one-time, 1-year extension of 
the requirements in paragraph (a) or (b) of this section (or paragraphs 
(a) and (b)) for its Medicaid fee-for-service (FFS) program. The 
written application must be submitted as part of the State's annual 
Advance Planning Document (APD) for Medicaid Management Information 
System (MMIS) operations expenditures described in part 433, subpart C, 
of this chapter, and approved before the compliance date for the 
requirements to which the State is seeking an extension. It must 
include all the following:
    (A) A narrative justification describing the specific reasons why 
the State cannot satisfy the requirement(s) by the compliance date and 
why those reasons result from circumstances that are unique to the 
agency operating the Medicaid FFS program.
    (B) A report on completed and ongoing State activities that 
evidence a good faith effort towards compliance.
    (C) A comprehensive plan to meet the requirements no later than 1 
year after the compliance date.
    (ii) CMS grants the State's request if it determines, based on the 
information provided, that--
    (A) The request adequately establishes a need to delay 
implementation; and
    (B) The State has a comprehensive plan to meet the requirements no 
later than 1 year after the compliance date.
    (2) Exemption. (i) A State operating a Medicaid program in which at 
least 90 percent of the State's Medicaid beneficiaries are enrolled in 
Medicaid managed care organizations, as defined in Sec.  438.2 of this 
chapter, may request an exemption for its FFS program from either or 
both of the following requirement(s):
    (A) Paragraph (a) of this section.
    (B) Paragraphs (b)(1) and (3) through (7) of this section.
    (ii) The State's exemption request must:
    (A) Be submitted in writing as part of a State's annual APD for 
MMIS operations expenditures before the compliance date for the 
requirements to which the State is seeking an exemption.
    (B) Include both of the following:
    (1) Documentation that the State meets the threshold for the 
exemption, based on enrollment data from the most recent CMS ``Medicaid 
Managed Care Enrollment and Program Characteristics'' (or successor) 
report.
    (2) An alternative plan to ensure that enrolled providers will have 
efficient electronic access to the same information through other means 
while the exemption is in effect.
    (iii) CMS grants the exemption if the State establishes to CMS's 
satisfaction that the State--
    (A) Meets the threshold for the exemption; and
    (B) Has established an alternative plan to ensure that enrolled 
providers will have efficient electronic access to the same information 
through other means while the exemption is in effect.
    (iv) The State's exemption expires if either--
    (A) Based on the 3 previous years of available, finalized Medicaid 
Transformed Medicaid Statistical Information System (T-MSIS) managed 
care and FFS enrollment data, the State's managed care enrollment for 2 
of the previous 3 years is below 90 percent; or
    (B)(1) CMS has approved a State plan amendment, waiver, or waiver 
amendment that would significantly reduce the percentage of 
beneficiaries enrolled in managed care; and
    (2) The anticipated shift in enrollment is confirmed by the first 
available, finalized Medicaid T-MSIS managed care and FFS enrollment 
data.
    (v) If a State's exemption expires under paragraph (c)(2)(iv) of 
this section, the State is required to do both of the following--
    (A) Submit written notification to CMS that the State no longer 
qualifies for the exemption within 90 days of the finalization of 
annual Medicaid T-MSIS managed care enrollment data that demonstrates 
that there has been the requisite shift from managed care enrollment to 
FFS enrollment resulting in the State's managed care enrollment falling 
below the 90 percent threshold.
    (B) Obtain CMS approval of a timeline for compliance with the 
requirements in paragraph (a) or (b) (or paragraph0s (a) and (b)) of 
this section within 2 years of the expiration of the exemption.

0
11. Section 431.80 is added to subpart B to read as follows:


Sec.  431.80  Prior authorization requirements.

    (a) Communicating a reason for denial. Beginning January 1, 2026, 
if the State denies a prior authorization request (excluding a request 
for coverage of drugs as defined in Sec.  431.60(b)(6)), in accordance 
with the timeframes established in Sec.  440.230(e)(1) of this chapter, 
the response to the provider must include a specific reason for the 
denial, regardless of the method used to communicate that information.
    (b) Prior Authorization Application Programming Interface (API). 
Unless granted an extension or exemption under paragraph (c) of this 
section, beginning January 1, 2027, a State must implement and maintain 
an API conformant with Sec.  431.60(c)(2) through (4), (d), and (e), 
and the standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (c)(1) that--
    (1) Is populated with the State's list of covered items and 
services (excluding drugs, as defined in Sec.  431.60(b)(6)) that 
require prior authorization;
    (2) Can identify all documentation required by the State for 
approval of any items or services that require prior authorization;
    (3) Supports a HIPAA-compliant prior authorization request and 
response, as described in 45 CFR part 162; and
    (4) Communicates the following information about prior 
authorization requests:
    (i) Whether the State--
    (A) Approves the prior authorization request (and the date or 
circumstance under which the authorization ends);
    (B) Denies the prior authorization request; or
    (C) Requests more information.
    (ii) If the State denies the prior authorization request, it must 
include a specific reason for the denial.
    (c) Extensions and exemptions--(1) Extension. (i) A State may 
submit a written application to request a one-time, 1-year extension of 
the requirements in paragraph (b) of this section for its Medicaid FFS 
program. The written application must be submitted as part of the 
State's annual APD for MMIS operations expenditures described in part 
433, subpart C, of this chapter; and approved before the compliance 
date in paragraph (b) of this section. It must include all the 
following:
    (A) A narrative justification describing the specific reasons why 
the

[[Page 8980]]

State cannot satisfy the requirement(s) by the compliance date and why 
those reasons result from circumstances that are unique to the agency 
operating the Medicaid FFS program.
    (B) A report on completed and ongoing State activities that 
evidence a good faith effort towards compliance.
    (C) A comprehensive plan to meet the requirements no later than 1 
year after the compliance date.
    (ii) CMS grants the State's request if it determines, based on the 
information provided, that--
    (A) The request adequately establishes a need to delay 
implementation; and
    (B) The State has a comprehensive plan to meet the requirements no 
later than 1 year after the compliance date.
    (2) Exemption. (i) A State operating a Medicaid program in which at 
least 90 percent of the State's Medicaid beneficiaries are enrolled in 
Medicaid managed care organizations, as defined in Sec.  438.2 of this 
chapter, may request an exemption for its FFS program from the 
requirements in paragraph (b) of this section.
    (ii) The State's exemption request must:
    (A) Be submitted in writing as part of a State's annual APD for 
MMIS operations expenditures before the compliance date in paragraph 
(b) of this section.
    (B) The State's request must include both of the following:
    (1) Documentation that the State meets the threshold for the 
exemption, based on enrollment data from the most recent CMS ``Medicaid 
Managed Care Enrollment and Program Characteristics'' (or successor) 
report.
    (2) An alternative plan to ensure that enrolled providers will have 
efficient electronic access to the same information through other means 
while the exemption is in effect.
    (iii) CMS grants the exemption if the State establishes to CMS's 
satisfaction that the State--
    (A) Meets the threshold for the exemption; and
    (B) Has established an alternative plan to ensure that enrolled 
providers will have efficient electronic access to the same information 
through other means while the exemption is in effect.
    (iv) The State's exemption expires if either--
    (A) Based on the 3 previous years of available, finalized Medicaid 
Transformed Medicaid Statistical Information System (T-MSIS) managed 
care and FFS enrollment data, the State's managed care enrollment for 2 
of the previous 3 years is below 90 percent; or
    (B)(1) CMS has approved a State plan amendment, waiver, or waiver 
amendment that would significantly reduce the percentage of 
beneficiaries enrolled in managed care; and
    (2) The anticipated shift in enrollment is confirmed by the first 
available, finalized Medicaid T-MSIS managed care and FFS enrollment 
data.
    (v) If a State's exemption expires under paragraph (c)(2)(iv) of 
this section, the State is required to do both of the following--
    (A) Submit written notification to CMS that the State no longer 
qualifies for the exemption within 90 days of the finalization of 
annual Medicaid T-MSIS managed care enrollment data that demonstrates 
that there has been the requisite shift from managed care enrollment to 
FFS enrollment resulting in the State's managed care enrollment falling 
below the 90 percent threshold.
    (B) Obtain CMS approval of a timeline for compliance with the 
requirements in paragraph (b) of this section within 2 years of the 
expiration of the exemption.

0
12. Section 431.201 is amended by revising the definition of ``Action'' 
to read as follows:


Sec.  431.201  Definitions.

* * * * *
    Action means one of the following:
    (1) A termination, suspension of, or reduction in covered benefits 
or services, including benefits or services for which there is a 
current approved prior authorization;
    (2) A termination, suspension of, or reduction in Medicaid 
eligibility, or an increase in beneficiary liability, including a 
determination that a beneficiary must incur a greater amount of medical 
expenses to establish income eligibility in accordance with Sec.  
435.121(e)(4) or Sec.  435.831 of this chapter;
    (3) A determination that a beneficiary is subject to an increase in 
premiums or cost-sharing charges under subpart A of part 447 of this 
chapter; or
    (4) A determination by a skilled nursing facility or nursing 
facility to transfer or discharge a resident and an adverse 
determination by a State regarding the preadmission screening and 
resident review requirements of section 1919(e)(7) of the Act.
* * * * *

0
13. Section 431.220 is amended by--
0
a. In paragraph (a)(1)(iv), removing the term ``or'' from the end of 
the paragraph;
0
b. In paragraph (a)(1)(v), removing the period from the end of the 
paragraph and adding in its place ``; or''; and
0
c. Adding paragraph (a)(1)(vi).
    The addition reads as follows:


Sec.  431.220  When a hearing is required.

    (a) * * *
    (1) * * *
    (vi) A prior authorization decision.
* * * * *

PART 435--ELIGIBILITY IN THE STATES, DISTRICT OF COLUMBIA, THE 
NORTHERN MARIANA ISLANDS, AND AMERICAN SAMOA

0
14. The authority citation for part 435 continues to read as follows:

    Authority:  42 U.S.C. 1302.

0
15. Section 435.917 is amended by--
0
a. Revising the headings of paragraphs (a) and (b); and
0
b. Revising paragraph (b)(2).
    The revisions read as follows:


Sec.  435.917  Notice of agency's decision concerning eligibility, 
benefits, or services.

    (a) Notice of determinations. * * *
    (b) Content of notice--* * *
    (2) Notice of adverse action. Notice of adverse action including 
denial, termination, or suspension of eligibility or change in benefits 
or services. Any notice of denial, termination, or suspension of 
Medicaid eligibility, or, in the case of beneficiaries receiving 
medical assistance, denial of or change in benefits or services must be 
consistent with Sec.  431.210 of this chapter.
* * * * *

PART 438--MANAGED CARE

0
16. The authority citation for part 438 continues to read as follows:

    Authority:  42 U.S.C. 1302.

0
17. Section 438.9 is amended by revising paragraph (b)(7) to read as 
follows:


Sec.  438.9  Provisions that apply to non-emergency medical 
transportation PAHPs.

* * * * *
    (b) * * *
    (7) The PAHP standards in Sec. Sec.  438.206(b)(1), 438.210, 
438.214, 438.224, 438.230, and 438.242, excluding the requirement in 
Sec.  438.242(b)(7), to comply with Sec.  431.61(a) and (b) of this 
chapter.
* * * * *


Sec.  438.62  [Amended]

0
18. Section 438.62 is amended by removing paragraphs (b)(1)(vi) and 
(vii).

0
19. Section 438.210 is amended by--
0
a. Revising paragraphs (d)(1) and (d)(2)(i);
0
b. Redesignating paragraph (f) as paragraph (g); and
0
c. Adding new paragraph (f).
    The addition and revision read as follows:

[[Page 8981]]

Sec.  438.210  Coverage and authorization of services.

* * * * *
    (d) * * *
    (1) Standard authorization decisions. (i) For standard 
authorization decisions, provide notice as expeditiously as the 
enrollee's condition requires and:
    (A) For rating periods that start before January 1, 2026, within 
state established time frames that may not exceed 14 calendar days 
after receiving the request for service.
    (B) For rating periods that start on or after January 1, 2026, 
within state established time frames that may not exceed 7 calendar 
days after receiving the request for service.
    (ii) Standard authorization decisions may have an extension to the 
timeframes in paragraph (d)(1)(i) of this section up to 14 additional 
calendar days if--
    (A) The enrollee or the provider requests the extension; or
    (B) The MCO, PIHP, or PAHP justifies (to the State agency upon 
request) a need for additional information and how the extension is in 
the enrollee's interest.
    (2) * * *
    (i) For cases in which a provider indicates, or the MCO, PIHP, or 
PAHP determines, that following the standard timeframe could seriously 
jeopardize the enrollee's life or health or ability to attain, 
maintain, or regain maximum function, the MCO, PIHP, or PAHP must make 
an expedited authorization decision and provide notice as expeditiously 
as the enrollee's health condition requires and no later than 72 hours 
after receipt of the request for service.
* * * * *
    (f) Publicly reporting prior authorization metrics. Beginning 
January 1, 2026, following each calendar year it has a contract with a 
State Medicaid agency, the MCO, PIHP, or PAHP must report prior 
authorization data, excluding data on any and all drugs covered by the 
MCO, PIHP, or PAHP, at the plan level by March 31. The MCO, PIHP, or 
PAHP must make the following data from the previous calendar year 
publicly accessible by posting them on its website:
    (1) A list of all items and services that require prior 
authorization.
    (2) The percentage of standard prior authorization requests that 
were approved, aggregated for all items and services.
    (3) The percentage of standard prior authorization requests that 
were denied, aggregated for all items and services.
    (4) The percentage of standard prior authorization requests that 
were approved after appeal, aggregated for all items and services.
    (5) The percentage of prior authorization requests for which the 
timeframe for review was extended, and the request was approved, 
aggregated for all items and services.
    (6) The percentage of expedited prior authorization requests that 
were approved, aggregated for all items and services.
    (7) The percentage of expedited prior authorization requests that 
were denied, aggregated for all items and services.
    (8) The average and median time that elapsed between the submission 
of a request and a determination by the MCO, PIHP or PAHP, for standard 
prior authorizations, aggregated for all items and services.
    (9) The average and median time that elapsed between the submission 
of a request and a decision by the MCO, PIHP or PAHP, for expedited 
prior authorizations, aggregated for all items and services.
* * * * *

0
20. Section 438.242 is amended by revising paragraph (b)(5) and adding 
paragraphs (b)(7) through (9) to read as follows:


Sec.  438.242  Health information systems.

* * * * *
    (b) * * *
    (5) Subject to paragraph (b)(8) of this section, implement and 
maintain a Patient Access Application Programming Interface (API) 
required in Sec.  431.60 of this chapter as if such requirements 
applied directly to the MCO, PIHP, or PAHP and:
    (i) Include all encounter data, including encounter data from any 
network providers the MCO, PIHP, or PAHP is compensating based on 
capitation payments and adjudicated claims and encounter data from any 
subcontractors.
    (ii) Exclude covered outpatient drugs as defined in section 
1927(k)(2) of the Act.
    (iii) Report metrics specified in Sec.  431.60(f) of this chapter 
at the plan level.
* * * * *
    (7) By the rating period beginning on or after January 1, 2027, 
comply with Sec. Sec.  431.61(a), (b)(1) and (4) through (6), and 
(b)(7)(ii) and (iii) and 431.80(b) of this chapter as if such 
requirements applied directly to the MCO, PIHP, or PAHP
    (8) By the rating period beginning on or after January 1, 2026, 
comply with Sec.  431.80(a) of this chapter as if such requirements 
applied directly to the MCO, PIHP, or PAHP according to the decision 
timeframes in Sec.  438.210(d).
    (9) The following timeframes apply to paragraph (b)(5) of this 
section:
    (i) Except for the requirements in Sec.  431.60(b)(5), (g), and (h) 
of this chapter, comply with the requirements of Sec.  431.60 of this 
chapter by January 1, 2021.
    (ii) Comply with the requirements in Sec.  431.60(b)(5) and (g) of 
this chapter by the rating period beginning on or after January 1, 
2026.
    (iii) Beginning in 2026, by March 31 following any year the MCO, 
PIHP, or PAHP operates, comply with the reporting requirements in Sec.  
431.60(h) of this chapter for the previous calendar year's data, in the 
form of aggregated, de-identified metrics, at the plan level.
* * * * *

PART 440--SERVICES: GENERAL PROVISIONS

0
21. The authority citation for part 440 continues to read as follows:

    Authority: 42 U.S.C. 1302.

0
22. Section 440.230 is amended by adding paragraph (e) to read as 
follows:


Sec.  440.230  Sufficiency of amount, duration, and scope.

* * * * *
    (e) For prior authorization requests for items and services 
(excluding drugs, as defined in Sec.  431.60(b)(6) of this chapter), 
the State Medicaid agency must--
    (1) Beginning January 1, 2026, make prior authorization decisions 
within the following timeframes:
    (i) For a standard determination, as expeditiously as a 
beneficiary's health condition requires, but in no case later than 7 
calendar days after receiving the request, unless a shorter minimum 
timeframe is established under State law. The timeframe for standard 
authorization decisions can be extended by up to 14 calendar days if 
the beneficiary or provider requests an extension, or if the State 
agency determines that additional information from the provider is 
needed to make a decision.
    (ii) For an expedited determination, as expeditiously as a 
beneficiary's health condition requires, but in no case later than 72 
hours after receiving the request, unless a shorter minimum timeframe 
is established under State law.
    (2) Provide the beneficiary with notice of the agency's prior 
authorization decision in accordance with Sec.  435.917 of this chapter 
and provide fair hearing rights, including advance notice, in 
accordance with part 431, subpart E, of this chapter.

[[Page 8982]]

    (3) Beginning in 2026, annually report prior authorization data, 
excluding data on drugs, as defined in Sec.  431.60(b)(6) of this 
chapter, at the State level by March 31. The State must make the 
following data from the previous calendar year publicly accessible by 
posting them on its website:
    (i) A list of all items and services that require prior 
authorization.
    (ii) The percentage of standard prior authorization requests that 
were approved, aggregated for all items and services.
    (iii) The percentage of standard prior authorization requests that 
were denied, aggregated for all items and services.
    (iv) The percentage of standard prior authorization requests that 
were approved after appeal, aggregated for all items and services.
    (v) The percentage of prior authorization requests for which the 
timeframe for review was extended, and the request was approved, 
aggregated for all items and services.
    (vi) The percentage of expedited prior authorization requests that 
were approved, aggregated for all items and services.
    (vii) The percentage of expedited prior authorization requests that 
were denied, aggregated for all items and services.
    (viii) The average and median time that elapsed between the 
submission of a request and a determination by the State Medicaid 
agency, for standard prior authorizations, aggregated for all items and 
services.
    (ix) The average and median time that elapsed between the 
submission of a request and a decision by the State Medicaid agency for 
expedited prior authorizations, aggregated for all items and services.

PART 457--ALLOTMENTS AND GRANTS TO STATES

0
23. The authority citation for part 457 continues to read as follows:

    Authority:  42 U.S.C. 1302.

0
24. Section 457.495 is amended by revising paragraph (d) to read as 
follows:


Sec.  457.495  State assurance of access to care and procedures to 
assure quality and appropriateness of care.

* * * * *
    (d) That decisions related to the prior authorization of health 
services are completed as follows:
    (1) Before January 1, 2026. (i) In accordance with the medical 
needs of the patient, within 14 days after receipt of a request for 
services. A possible extension of up to 14 days may be permitted if the 
enrollee requests the extension or if the physician or health plan 
determines that additional information is needed; or
    (ii) In accordance with existing State law regarding prior 
authorization of health services.
    (2) On or after January 1, 2026. (i) In accordance with the medical 
needs of the enrollee, but no later than 7 calendar days after 
receiving the request for a standard determination and by no later than 
72 hours after receiving the request for an expedited determination. A 
possible extension of up to 14 days may be permitted if the enrollee 
requests the extension or if the physician or health plan determines 
the additional information is needed; or
    (ii) In accordance with existing State law regarding prior 
authorization of health services.
    (3) Enrollee notification. Provide the enrollee with--
    (i) Notice of the State's prior authorization decision; and
    (ii) Information on the enrollee's right to a review process, in 
accordance with Sec.  457.1180.

0
25. Section 457.700 is amended by revising paragraph (c) to read as 
follows:


Sec.  457.700  Basis, scope, and applicability.

* * * * *
    (c) Applicability. The requirements of this subpart apply to 
separate child health programs and Medicaid expansion programs, except 
that Sec. Sec.  457.730, 457.731, and 457.732 do not apply to Medicaid 
expansion programs. Separate child health programs that provide 
benefits exclusively through managed care entities may meet the 
requirements of Sec. Sec.  457.730, 457.731, and 457.732 by requiring 
the managed care entities to meet the requirements of Sec.  
457.1233(d).

0
26. Section 457.730 is amended by--
0
a. Revising paragraph (b)(3);
0
b. Adding paragraphs (b)(5) and (6);
0
c. Revising paragraphs (c)(1), (c)(4)(ii)(C), and (e)(2);
0
d. Removing paragraph (g);
0
e. Redesignating paragraph (f) as paragraph (g); and
0
f. Adding new paragraph (f) and paragraph (h).
    The revisions and additions read as follows:


Sec.  457.730  Beneficiary access to and exchange of data.

* * * * *
    (b) * * *
    (3) All data classes and data elements included in a content 
standard in 45 CFR 170.213 that are maintained by the State no later 
than 1 business day after the State receives the data; and
* * * * *
    (5) Beginning January 1, 2027, the information in paragraph 
(b)(5)(i) of this section about prior authorizations for items and 
services (excluding drugs as defined in paragraph (b)(6) of this 
section), according to the timelines in paragraph (b)(5)(ii) of this 
section.
    (i) The prior authorization request and decision, including all of 
the following, as applicable:
    (A) The prior authorization status.
    (B) The date the prior authorization was approved or denied.
    (C) The date or circumstance under which the prior authorization 
ends.
    (D) The items and services approved.
    (E) If denied, a specific reason why the request was denied.
    (F) Related structured administrative and clinical documentation 
submitted by a provider.
    (ii) The information in paragraph (b)(5)(i) of this section must--
    (A) Be accessible no later than 1 business day after the State 
receives a prior authorization request;
    (B) Be updated no later than 1 business day after any status 
change; and
    (C) Continue to be accessible for the duration that the 
authorization is active and at least 1 year after the prior 
authorization's last status change.
    (6) Drugs are defined for the purposes of paragraph (b)(5) of this 
section as any and all drugs covered by the State.
    (c) * * *
    (1) Must implement and maintain API technology conformant with 45 
CFR 170.215(a)(1), (b)(1)(i), (c)(1), and (e)(1);
* * * * *
    (4) * * *
    (ii) * * *
    (C) Using the updated version of the standard, implementation 
guide, or specification does not disrupt an end user's ability to 
access the data specified in paragraph (b) of this section or 
Sec. Sec.  457.731, 457.732, and 457.760 through the required APIs.
* * * * *
    (e) * * *
    (2) Makes this determination using objective, verifiable criteria 
that are applied fairly and consistently across all apps and developers 
through which parties seek to access electronic health information, as 
defined in 45 CFR 171.102, including but not limited to criteria that 
rely on automated monitoring and risk mitigation tools.
* * * * *
    (f) Reporting on Patient Access API usage. Beginning in 2026, by 
March 31 of each year, a State must report to CMS the following 
metrics, in the form of aggregated, de-identified data, for the 
previous calendar year at the State level

[[Page 8983]]

in the form and manner specified by the Secretary:
    (1) The total number of unique beneficiaries whose data are 
transferred via the Patient Access API to a health app designated by 
the beneficiary; and
    (2) The total number of unique beneficiaries whose data are 
transferred more than once via the Patient Access API to a health app 
designated by the beneficiary.
* * * * *
    (h) Applicability. A State must comply with the requirements in 
paragraphs (a) through (e) and (g) of this section beginning January 1, 
2021, and with the requirements in paragraph (f) of this section 
beginning in 2026, with regard to data:
    (1) With a date of service on or after January 1, 2016; and
    (2) That are maintained by the State.

0
27. Section 457.731 is added to read as follows:


Sec.  457.731  Access to and exchange of health data for providers and 
payers.

    (a) Application programming interface to support data exchange from 
payers to providers--Provider Access API. Beginning January 1, 2027, 
unless granted an extension or exemption under paragraph (c) of this 
section, a State must do the following:
    (1) API requirements. Implement and maintain an application 
programming interface (API) conformant with all of the following:
    (i) Section 457.730(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), (c)(1), and 
(d)(1).
    (2) Provider access. Make the data specified in Sec.  457.730(b) 
with a date of service on or after January 1, 2016, excluding provider 
remittances and beneficiary cost-sharing information, that are 
maintained by the State, available to enrolled CHIP providers via the 
API required in paragraph (a)(1) of this section no later than 1 
business day after receiving a request from such a provider, if all the 
following conditions are met:
    (i) The State authenticates the identity of the provider that 
requests access and attributes the beneficiary to the provider under 
the attribution process described in paragraph (a)(3) of this section.
    (ii) The beneficiary does not opt out as described in paragraph 
(a)(4) of this section.
    (iii) Disclosure of the data is not prohibited by other applicable 
law.
    (3) Attribution. Establish and maintain a process to associate 
beneficiaries with their enrolled CHIP providers to enable data 
exchange via the Provider Access API.
    (4) Opt out and patient educational resources. (i) Establish and 
maintain a process to allow a beneficiary or the beneficiary's personal 
representative to opt out of the data exchange described in paragraph 
(a)(2) of this section and to change their permission at any time. That 
process must be available before the first date on which the State 
makes beneficiary information available via the Provider Access API and 
at any time while the beneficiary is enrolled with the State.
    (ii) Provide information to beneficiaries in plain language about 
the benefits of API data exchange with their providers, their opt out 
rights, and instructions both for opting out of data exchange and for 
subsequently opting in, as follows:
    (A) Before the first date on which the State makes beneficiary 
information available through the Provider Access API.
    (B) No later than 1 week after enrollment.
    (C) At least annually.
    (D) In an easily accessible location on its public website.
    (5) Provider resources. Provide on its website and through other 
appropriate provider communications, information in plain language 
explaining the process for requesting beneficiary data using the 
Provider Access API required in paragraph (a)(1) of this section. The 
resources must include information about how to use the State's 
attribution process to associate beneficiaries with their providers.
    (b) Application programming interface to support data exchange 
between payers--Payer-to-Payer API. Beginning January 1, 2027, unless 
granted an extension or exemption under paragraph (c) of this section a 
State must do the following:
    (1) API requirements. Implement and maintain an API conformant with 
all of the following:
    (i) Section 457.730(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (d)(1).
    (2) Opt in. Establish and maintain a process to allow beneficiaries 
or their personal representatives to opt into the State's payer to 
payer data exchange with the beneficiary's previous payer(s), described 
in paragraphs (b)(4) and (5) of this section, and with concurrent 
payer(s), described in paragraph (b)(6) of this section, and to change 
their permission at any time.
    (i) The opt in process must be offered as follows:
    (A) To current beneficiaries, no later than the compliance date.
    (B) To new beneficiaries, no later than 1 week after enrollment.
    (ii) If a beneficiary has coverage through any CHIP managed care 
entities within the same State while enrolled in CHIP, the State must 
share their opt in permission with those managed care entities to allow 
the Payer-to-Payer API data exchange described in this section.
    (iii) If a beneficiary does not respond or additional information 
is necessary, the State must make reasonable efforts to engage with the 
beneficiary to collect this information.
    (3) Identify previous and concurrent payers. Establish and maintain 
a process to identify a new beneficiary's previous and concurrent 
payer(s) to facilitate the Payer-to-Payer API data exchange. The 
information request process must start as follows:
    (i) For current beneficiaries, no later than the compliance date.
    (ii) For new beneficiaries, no later than 1 week after enrollment.
    (iii) If a beneficiary does not respond or additional information 
is necessary, the State must make reasonable efforts to engage with the 
beneficiary to collect this information.
    (4) Exchange request requirements. Exchange beneficiary data with 
other payers, consistent with the following requirements:
    (i) The State must request the data specified in paragraph 
(b)(4)(ii) of this section through the beneficiary's previous payers' 
API, if all the following conditions are met:
    (A) The beneficiary has opted in, as described in paragraph (b)(2) 
of this section, except for data exchanges between a State CHIP agency 
and its contracted managed care entities, which do not require a 
beneficiary to opt in.
    (B) The exchange is not prohibited by other applicable law.
    (ii) The data to be requested are all of the following with a date 
of service within 5 years before the request:
    (A) Data specified in Sec.  457.730(b), excluding the following:
    (1) Provider remittances and enrollee cost-sharing information.
    (2) Denied prior authorizations.
    (B) Unstructured administrative and clinical documentation 
submitted by a provider related to prior authorizations.
    (iii) The State must include an attestation with this request 
affirming that the beneficiary is enrolled with the State and has opted 
into the data exchange.
    (iv) The State must complete this request as follows:
    (A) No later than 1 week after the payer has sufficient identifying 
information about previous payers and the beneficiary has opted in.

[[Page 8984]]

    (B) At a beneficiary's request, within 1 week of the request.
    (v) The State must receive, through the API required in paragraph 
(b)(1) of this section, and incorporate into its records about the 
beneficiary, any data made available by other payers in response to the 
request.
    (5) Exchange response requirements. Make available the data 
specified in paragraph (b)(4)(ii) of this section that are maintained 
by the State to other payers via the API required in paragraph (b)(1) 
of this section within 1 business day of receiving a request, if all 
the following conditions are met:
    (i) The payer that requests access has its identity authenticated 
and includes an attestation with the request that the patient is 
enrolled with the payer and has opted into the data exchange.
    (ii) Disclosure of the data is not prohibited by other applicable 
law.
    (6) Concurrent coverage data exchange requirements. When a 
beneficiary has provided sufficient identifying information about 
concurrent payers and has opted in as described in paragraph (b)(2) of 
this section, a State must do the following, through the API required 
in paragraph (b)(1) of this section:
    (i) Request the beneficiary's data from all known concurrent payers 
as described in paragraph (b)(4) of this section, and at least 
quarterly thereafter while the beneficiary is enrolled with both 
payers.
    (ii) Respond as described in paragraph (b)(5) of this section 
within 1 business day of a request from any concurrent payers. If 
agreed upon with the requesting payer, the State may exclude any data 
that were previously sent to or originally received from the concurrent 
payer.
    (7) Patient educational resources. Provide information to 
applicants or beneficiaries in plain language, explaining at a minimum: 
the benefits of Payer-to-Payer API data exchange, their ability to opt 
in or withdraw that permission, and instructions for doing so. The 
State must provide the following resources:
    (i) When requesting a beneficiary's permission for Payer-to-Payer 
API data exchange, as described in paragraph (b)(2) of this section.
    (ii) At least annually, in appropriate mechanisms through which it 
ordinarily communicates with current beneficiaries.
    (iii) In an easily accessible location on its public website.
    (c) Extensions and exemptions--(1) Extension. (i) A State may 
submit a written application to request a one-time, 1-year extension of 
the requirements in paragraph (a) or (b) (or paragraphs (a) and (b)) of 
this section for its CHIP fee-for-service program. The written 
application must be submitted as part of the State's annual Advance 
Planning Document (APD) for Medicaid Management Information System 
(MMIS) operations expenditures, as described in part 433, subpart C, of 
this chapter, and approved before the compliance date for the 
requirements to which the State is seeking an extension. It must 
include all the following:
    (A) A narrative justification describing the specific reasons why 
the State cannot satisfy the requirement(s) by the compliance date and 
why those reasons result from circumstances that are unique to the 
agency operating the CHIP fee-for service program.
    (B) A report on completed and ongoing State activities that 
evidence a good faith effort towards compliance.
    (C) A comprehensive plan to meet the requirements no later than 1 
year after the compliance date.
    (ii) CMS grants the State's request if it determines, based on the 
information provided, that--
    (A) The request adequately establishes a need to delay 
implementation; and
    (B) The State has a comprehensive plan to meet the requirements no 
later than 1 year after the compliance date.
    (2) Exemption. (i) A State operating a separate CHIP in which at 
least 90 percent of the State's CHIP beneficiaries are enrolled in CHIP 
managed care organizations, as defined in Sec.  457.10, may request an 
exemption for its fee-for-service program from either or both of the 
following requirements:
    (A) Paragraph (a) of this section.
    (B) Paragraphs (b)(1) and (3) through (7) of this section.
    (ii) The State's exemption request must:
    (A) Be submitted in writing as part of a State's annual APD for 
MMIS operations expenditures before the compliance date for the 
requirements to which the State is seeking an exemption.
    (B) Include both of the following:
    (1) Documentation that the State meets the threshold for the 
exemption, based on enrollment data from section 5 of the most recently 
accepted CHIP Annual Report Template System (CARTS).
    (2) An alternative plan to ensure that enrolled providers will have 
efficient electronic access to the same information through other means 
while the exemption is in effect.
    (iii) CMS grants the exemption if the State establishes to CMS's 
satisfaction that the State--
    (A) Meets the threshold for the exemption; and
    (B) Has established an alternative plan to ensure that enrolled 
providers will have efficient electronic access to the same information 
through other means while the exemption is in effect.
    (iv) The State's exemption expires if either--
    (A) Based on the 3 previous years of available, finalized CHIP 
CARTS managed care and fee-for-service enrollment data, the State's 
managed care enrollment for 2 of the previous 3 years is below 90 
percent; or
    (B)(1) CMS has approved a State plan amendment, waiver, or waiver 
amendment that would significantly reduce the percentage of 
beneficiaries enrolled in managed care; and
    (2) The anticipated shift in enrollment is confirmed by the first 
available, finalized CARTS managed care and fee-for-service enrollment 
data.
    (v) If a State's exemption expires under paragraph (c)(2)(iv) of 
this section, the State is required to do both of the following:
    (A) Submit written notification to CMS that the State no longer 
qualifies for the exemption within 90 days of the finalization of 
annual CARTS managed care enrollment data that demonstrates that there 
has been the requisite shift from managed care enrollment to fee-for-
service enrollment resulting in the State's managed care enrollment 
falling below the 90 percent threshold.
    (B) Obtain CMS approval of a timeline for compliance with the 
requirements in paragraph (a) or (b) (or paragraphs (a) and (b)) of 
this section within 2 years of the expiration of the exemption.

0
28. Section 457.732 is added to read as follows:


Sec.  457.732  Prior authorization requirements.

    (a) Communicating a reason for denial. Beginning January 1, 2026, 
if the State denies a prior authorization request (excluding a request 
for coverage of drugs as defined in Sec.  457.730(b)(6)), in accordance 
with the timeframes established in Sec.  457.495(d), the response to 
the provider must include a specific reason for the denial, regardless 
of the method used to communicate that information.
    (b) Prior Authorization Application Programming Interface (API). 
Unless granted an extension or exemption under paragraph (d) of this 
section, beginning January 1, 2027, a State must implement and maintain 
an API conformant with Sec.  457.730(c)(2) through (4), (d), and (e), 
and the standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (c)(1) that--
    (1) Is populated with the State's list of covered items and 
services (excluding

[[Page 8985]]

drugs as defined in Sec.  457.730(b)(6)) that require prior 
authorization;
    (2) Can identify all documentation required by the State for 
approval of any items or services that require prior authorization;
    (3) Supports a HIPAA-compliant prior authorization request and 
response, as described in 45 CFR part 162; and
    (4) Communicates the following information about prior 
authorization requests:
    (i) Whether the State--
    (A) Approves the prior authorization request (and the date or 
circumstance under which the authorization ends);
    (B) Denies the prior authorization request; or
    (C) Requests more information.
    (ii) If the State denies the prior authorization request, it must 
include a specific reason for the denial.
    (c) Publicly reporting prior authorization metrics. Beginning in 
2026, a State must annually report prior authorization data, excluding 
data on drugs as defined in Sec.  457.730(b)(6), at the State level by 
March 31. The State must make the following data from the previous 
calendar year publicly accessible by posting them on its website:
    (1) A list of all items and services that require prior 
authorization.
    (2) The percentage of standard prior authorization requests that 
were approved, aggregated for all items and services.
    (3) The percentage of standard prior authorization requests that 
were denied, aggregated for all items and services.
    (4) The percentage of standard prior authorization requests that 
were approved after appeal, aggregated for all items and services.
    (5) The percentage of prior authorization requests for which the 
timeframe for review was extended, and the request was approved, 
aggregated for all items and services.
    (6) The percentage of expedited prior authorization requests that 
were approved, aggregated for all items and services.
    (7) The percentage of expedited prior authorization requests that 
were denied, aggregated for all items and services.
    (8) The average and median time that elapsed between the submission 
of a request and a determination by the State, for standard prior 
authorizations, aggregated for all items and services.
    (9) The average and median time that elapsed between the submission 
of a request and a decision by the State for expedited prior 
authorizations, aggregated for all items and services.
    (d) Extensions and exemptions--(1) Extension. (i) A State may 
submit a written application to request a one-time, 1-year extension of 
the requirements in paragraph (b) of this section for its CHIP fee-for-
service program. The written application must be submitted and approved 
as part of the State's annual Advance Planning Document (APD) for 
Medicaid Management Information System (MMIS) operations expenditures 
described in part 433, subpart C, of this chapter, and approved before 
the compliance date in paragraph (b) of this section. It must include 
all the following:
    (A) A narrative justification describing the specific reasons why 
the State cannot satisfy the requirement(s) by the compliance date and 
why those reasons result from circumstances that are unique to the 
agency operating the CHIP fee-for service program;
    (B) A report on completed and ongoing State activities that 
evidence a good faith effort toward compliance.
    (C) A comprehensive plan to meet the requirements no later than 1 
year after the compliance date.
    (ii) CMS grants the State's request if it determines, based on the 
information provided, that--
    (A) The request adequately establishes a need to delay 
implementation; and
    (B) The State has a comprehensive plan to meet the requirements no 
later than 1 year after the compliance date.
    (2) Exemption. (i) A State operating a separate CHIP in which at 
least 90 percent of the State's CHIP beneficiaries are enrolled in CHIP 
managed care organizations, as defined in Sec.  457.10, may request an 
exemption for its fee-for-service program from the requirements in 
paragraph (b) of this section.
    (ii) The State's exemption request must:
    (A) Be submitted in writing as part of a State's annual APD for 
MMIS operations expenditures before the compliance date in paragraph 
(b) of this section.
    (B) Include both of the following:
    (1) Documentation that the State meets the threshold for the 
exemption, based on enrollment data from section 5 of the most recently 
accepted CARTS.
    (2) An alternative plan to ensure that enrolled providers will have 
efficient electronic access to the same information through other means 
while the exemption is in effect.
    (iii) CMS grants the exemption if the State establishes to CMS's 
satisfaction that the State--
    (A) Meets the threshold for the exemption; and
    (B) Has established an alternative plan to ensure that its enrolled 
providers will have efficient electronic access to the same information 
through other means while the exemption is in effect.
    (iv) The State's exemption expires if either--
    (A) Based on the 3 previous years of available, finalized CHIP 
CARTS managed care and fee-for-service enrollment data, the State's 
managed care enrollment for 2 of the previous 3 years is below 90 
percent; or
    (B)(1) CMS has approved a State plan amendment, waiver, or waiver 
amendment that would significantly reduce the percentage of 
beneficiaries enrolled in managed care; and
    (2) The anticipated shift in enrollment is confirmed by the first 
available, finalized CARTS managed care and fee-for-service enrollment 
data.
    (v) If a State's exemption expires under paragraph (d)(2)(iv) of 
this section, the State is required to do both of the following:
    (A) Submit written notification to CMS that the State no longer 
qualifies for the exemption within 90 days of the finalization of 
annual CARTS managed care enrollment data that demonstrates that there 
has been the requisite shift from managed care enrollment to fee-for-
service enrollment resulting in the State's managed care enrollment 
falling below the 90 percent threshold.
    (B) Obtain CMS approval of a timeline for compliance with the 
requirements in paragraph (b) of this section within 2 years of the 
expiration of the exemption.

0
29. Section 457.1206 is amended by revising paragraph (b)(6) to read as 
follows:


Sec.  457.1206  Non-emergency medical transportation PAHPs.

* * * * *
    (b) * * *
    (6) The PAHP standards in Sec.  438.206(b)(1) of this chapter, as 
cross-referenced by Sec. Sec.  457.1230(a) and (d) and 457.1233(a), 
(b), and (d), excluding the requirement in Sec.  438.242(b)(7) of this 
chapter to comply with Sec.  431.61(a) of this chapter.
* * * * *

0
30. Section 457.1230 is amended by revising paragraph (d) to read as 
follows:


Sec.  457.1230  Access standards.

* * * * *
    (d) Coverage and authorization of services. The State must ensure, 
through its contracts, that each MCO, PIHP, or PAHP complies with the 
coverage and authorization of services requirements in accordance with 
the terms of Sec.  438.210 of this chapter, except that the following 
do not apply:

[[Page 8986]]

    (1) Section 438.210(a)(5) of this chapter (related to medical 
necessity standard).
    (2) Section 438.210(b)(2)(iii) of this chapter (related to 
authorizing long term services and supports (LTSS)).

TITLE 45--Public Welfare

PART 156-HEALTH INSURANCE ISSUER STANDARDS UNDER THE AFFORDABLE 
CARE ACT, INCLUDING STANDARDS RELATED TO EXCHANGES

0
31. The authority citation for part 156 continues to read as follows:

    Authority: 42 U.S.C. 18021-18024, 18031-18032, 18041-18042, 
18044, 18054, 18061, 18063, 18071, 18082, and 26 U.S.C. 36B.

0
32. Section 156.221 is amended by--
0
a. In paragraph (b)(1)(ii), removing the word ``and'' at the end of the 
paragraph;
0
b. Revising paragraph (b)(1)(iii);
0
c. Adding paragraphs (b)(1)(iv) and (v); and
0
d. Revising paragraphs (c)(1), (c)(4)(ii)(C), (e)(2), (f), and (i).
    The revisions and addition read as follows:


Sec.  156.221  Access to and exchange of health data and plan 
information.

* * * * *
    (b) * * *
    (1) * * *
    (iii) All data classes and data elements included in a content 
standard in 45 CFR 170.213 that are maintained by the Qualified Health 
Plan (QHP) issuer no later than 1 business day after the QHP issuer 
receives the data; and
    (iv) For plan years beginning on or after January 1, 2027, the 
information in paragraph (b)(1)(iv)(A) of this section about prior 
authorizations for items and services (excluding drugs, as defined in 
paragraph (b)(1)(v) of this section), according to the timelines in 
paragraph (b)(1)(iv)(B) of this section.
    (A) The prior authorization request and decision, including all of 
the following, as applicable:
    (1) The prior authorization status.
    (2) The date the prior authorization was approved or denied.
    (3) The date or circumstance under which the prior authorization 
ends.
    (4) The items and services approved.
    (5) If denied, a specific reason why the request was denied.
    (6) Related structured administrative and clinical documentation 
submitted by a provider.
    (B) The information in paragraph (b)(1)(iv)(A) of this section 
must--
    (1) Be accessible no later than 1 business day after the QHP issuer 
receives a prior authorization request;
    (2) Be updated no later than 1 business day after any status 
change; and
    (3) Continue to be accessible for the duration that the 
authorization is active and at least 1 year after the prior 
authorization's last status change.
    (v) Drugs are defined for the purposes of paragraph (b)(1)(iv) of 
this section as any and all drugs covered by the QHP issuer.
* * * * *
    (c) * * *
    (1) Must implement and maintain API technology conformant with 45 
CFR 170.215(a)(1), (b)(1)(i), (c)(1), and (e)(1);
* * * * *
    (4) * * *
    (ii) * * *
    (C) Using the updated version of the standard, implementation 
guide, or specification does not disrupt an end user's ability to 
access the data specified in paragraph (b) of this section or 
Sec. Sec.  156.221, 156.222, and 156.223 through the required APIs.
* * * * *
    (e) * * *
    (2) Makes this determination using objective, verifiable criteria 
that are applied fairly and consistently across all apps and developers 
through which parties seek to access electronic health information, as 
defined in 45 CFR 171.102, including but not limited to criteria that 
rely on automated monitoring and risk mitigation tools.
    (f) Reporting on Patient Access API usage. Beginning in 2026, by 
March 31 following any calendar year that it offers a QHP on a 
Federally-facilitated Exchange, a QHP issuer must report to CMS the 
following metrics, in the form of aggregated, de-identified data, for 
the previous calendar year at the issuer level in the form and manner 
specified by the Secretary:
    (1) The total number of unique enrollees whose data are transferred 
via the Patient Access API to a health app designated by the enrollee.
    (2) The total number of unique enrollees whose data are transferred 
more than once via the Patient Access API to a health app designated by 
the enrollee.
* * * * *
    (i) Applicability. A QHP issuer on an individual market Federally-
facilitated Exchange, not including QHP issuers offering only stand-
alone dental plans, must comply with the requirements in paragraphs (a) 
through (e) and (g) of this section beginning with plan years beginning 
on or after January 1, 2021, and with the requirements in paragraph (f) 
of this section beginning in 2026, with regard to data:
    (1) With a date of service on or after January 1, 2016; and
    (2) That are maintained by the QHP issuer for enrollees in QHPs.

0
33. Section 156.222 is added to read as follows:


Sec.  156.222  Access to and exchange of health data for providers and 
payers.

    (a) Application programming interface to support data exchange from 
payers to providers--Provider Access API. Unless granted an exception 
under paragraph (c) of this section, for plan years beginning on or 
after January 1, 2027, QHP issuers on a Federally-facilitated Exchange 
must do the following:
    (1) API requirements. Implement and maintain an application 
programming interface (API) conformant with all of the following:
    (i) Section 156.221(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), (c)(1), and 
(d)(1).
    (2) Provider access. Make the data specified in Sec.  156.221(b) 
with a date of service on or after January 1, 2016, excluding provider 
remittances and enrollee cost-sharing information, that are maintained 
by the QHP issuer to available in-network providers via the API 
required in paragraph (a)(1) of this section no later than 1 business 
day after receiving a request from such a provider, if all the 
following conditions are met:
    (i) The QHP issuer authenticates the identity of the provider that 
requests access and attributes the enrollee to the provider under the 
attribution process described in paragraph (a)(3) of this section.
    (ii) The enrollee does not opt out as described in paragraph (a)(4) 
of this section.
    (iii) Disclosure of the data is not prohibited by other applicable 
law.
    (3) Attribution. Establish and maintain a process to associate 
enrollees with their in-network providers to enable data exchange via 
the Provider Access API.
    (4) Opt out and patient educational resources. (i) Establish and 
maintain a process to allow an enrollee or the enrollee's personal 
representative to opt out of data exchange described in paragraph 
(a)(2) of this section and to change their permission at any time. That 
process must be available before the first date on which the QHP issuer 
makes enrollee information available via the Provider Access API and at 
any time while the enrollee is enrolled with the QHP issuer.
    (ii) Provide information to enrollees in plain language about the 
benefits of

[[Page 8987]]

API data exchange with their providers, their opt out rights, and 
instructions both for opting out of data exchange and for subsequently 
opting in, as follows:
    (A) Before the first date on which the QHP issuer makes enrollee 
information available through the Provider Access API.
    (B) No later than 1 week after the after the coverage start date or 
no later than 1 week after the effectuation of coverage, whichever is 
later.
    (C) At least annually.
    (D) In an easily accessible location on its public website.
    (5) Provider resources. Provide on its website and through other 
appropriate provider communications, information in plain language 
explaining the process for requesting enrollee data using the Provider 
Access API required in paragraph (a)(1) of this section. The resources 
must include information about how to use the QHP issuer's attribution 
process to associate enrollees with their providers.
    (b) Application programming interface to support data exchange 
between payers--Payer-to-Payer API. Unless granted an exception under 
paragraph (c) of this section, for plan years beginning on or after 
January 1, 2027, QHP issuers on a Federally-facilitated Exchange must 
do the following:
    (1) API requirements. Implement and maintain an API conformant with 
all of the following:
    (i) Section 156.221(c)(2) through (4), (d), and (e).
    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (d)(1).
    (2) Opt in. Establish and maintain a process to allow enrollees or 
their personal representatives to opt into the QHP issuer's payer to 
payer data exchange with the enrollee's previous payer(s), described in 
paragraphs (b)(4) and (5) of this section, and with concurrent 
payer(s), described in paragraph (b)(6) of this section, and to change 
their permission at any time.
    (i) The opt in process must be offered as follows:
    (A) To current enrollees, no later than the compliance date.
    (B) To new enrollees, no later than 1 week after the coverage start 
date or no later than 1 week after the effectuation of coverage, 
whichever is later.
    (ii) If an enrollee does not respond or additional information is 
necessary, the QHP issuer must make reasonable efforts to engage with 
the enrollee to collect this information.
    (3) Identify previous and concurrent payers. Establish and maintain 
a process to identify a new enrollee's previous and concurrent payer(s) 
to facilitate the Payer-to-Payer API data exchange. The information 
request process must start as follows:
    (i) For current enrollees, no later than the compliance date.
    (ii) For new enrollees, no later than 1 week after the coverage 
start date or no later than 1 week after the effectuation of coverage, 
whichever is later.
    (iii) If an enrollee does not respond or additional information is 
necessary, the QHP issuer must make reasonable efforts to engage with 
the enrollee to collect this information.
    (4) Exchange request requirements. Exchange enrollee data with 
other payers, consistent with the following requirements:
    (i) The QHP issuer must request the data specified in paragraph 
(b)(4)(ii) of this section through the enrollee's previous payers' API, 
if all the following conditions are met:
    (A) The enrollee has opted in, as described in paragraph (b)(2) of 
this section.
    (B) The exchange is not prohibited by other applicable law.
    (ii) The data to be requested are all of the following with a date 
of service within 5 years before the request:
    (A) Data specified in Sec.  156.221(b) excluding the following:
    (1) Provider remittances and enrollee cost-sharing information.
    (2) Denied prior authorizations.
    (B) Unstructured administrative and clinical documentation 
submitted by a provider related to prior authorizations.
    (iii) The QHP issuer must include an attestation with this request 
affirming that the enrollee is enrolled with the QHP issuer and has 
opted into the data exchange.
    (iv) The QHP issuer must complete this request as follows:
    (A) No later than 1 week after the payer has sufficient identifying 
information about previous payers and the enrollee has opted in.
    (B) At an enrollee's request, within 1 week of the request.
    (v) The QHP issuer must receive, through the API required in 
paragraph (b)(1) of this section, and incorporate into its records 
about the enrollee, any data made available by other payers in response 
to the request.
    (5) Exchange response requirements. Make available the data 
specified in paragraph (b)(4)(ii) of this section that are maintained 
by the QHP issuer to other payers via the API required in paragraph 
(b)(1) of this section within 1 business day of receiving a request, if 
all the following conditions are met:
    (i) The payer that requests access has its identity authenticated 
and includes an attestation with the request that the patient is 
enrolled with the payer and has opted into the data exchange.
    (ii) Disclosure of the data is not prohibited by other applicable 
law.
    (6) Concurrent coverage data exchange requirements. When an 
enrollee has provided sufficient identifying information about 
concurrent payers and has opted in as described in paragraph (b)(2) of 
this section, a QHP issuer on a Federally-facilitated Exchange must do 
the following, through the API required in paragraph (b)(1) of this 
section:
    (i) Request the enrollee's data from all known concurrent payers as 
described in paragraph (b)(4) of this section, and at least quarterly 
thereafter while the enrollee is enrolled with both payers.
    (ii) Respond as described in paragraph (b)(5) of this section 
within 1 business day of a request from any concurrent payers. If 
agreed upon with the requesting payer, the QHP issuer may exclude any 
data that were previously sent to or originally received from the 
concurrent payer.
    (7) Patient educational resources. Provide information to enrollees 
in plain language, explaining at a minimum: the benefits of Payer-to-
Payer API data exchange, their ability to opt in or withdraw that 
permission, and instructions for doing so. The QHP issuer must provide 
the following resources:
    (i) When requesting an enrollee's permission for Payer-to-Payer API 
data exchange, as described in paragraph (b)(2) of this section.
    (ii) At least annually, in appropriate mechanisms through which it 
ordinarily communicates with current enrollees.
    (iii) In an easily accessible location on its public website.
    (c) Exception. (1) If a plan applying for QHP certification to be 
offered through a Federally-facilitated Exchange believes it cannot 
satisfy the requirements in paragraph (a) or (b) (or paragraphs (a) and 
(b)) of this section, the issuer must include a narrative justification 
in its QHP application that describes all of the following:
    (i) The reasons why the issuer cannot reasonably satisfy the 
requirements for the applicable plan year.
    (ii) The impact of non-compliance upon providers and enrollees.
    (iii) The current or proposed means of providing health information 
to payers.
    (iv) Solutions and a timeline to achieve compliance with the 
requirements in paragraph (a) or (b) of this section (or paragraphs (a) 
and (b)).
    (2) The Federally-facilitated Exchange may grant an exception to 
the requirements in paragraph (a) or (b) (or paragraphs (a) and (b)) of 
this section if

[[Page 8988]]

the Exchange determines that making QHPs of such issuer available 
through such Exchange is in the interests of qualified individuals in 
the State or States in which such Exchange operates, and an exception 
is warranted to permit the issuer to offer QHPs through the FFE.

0
34. Section 156.223 is added to read as follows:


Sec.  156.223  Prior authorization requirements.

    (a) Communicating a reason for denial. Beginning January 1, 2026, 
if the QHP issuer denies a prior authorization request (excluding a 
request for coverage of drugs as defined in Sec.  156.221(b)(1)(v)), 
the response to the provider must include a specific reason for the 
denial, regardless of the method used to communicate that information.
    (b) Prior Authorization Application Programming Interface (API). 
Unless granted an exception under paragraph (d) of this section, for 
plan years beginning on or after January 1, 2027, a QHP issuer on a 
Federally-facilitated Exchange must implement and maintain an API 
conformant with Sec.  156.221(c)(2) through (4), (d), and (e), and the 
standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (c)(1) that--
    (1) Is populated with the QHP issuer's list of covered items and 
services (excluding drugs as defined in Sec.  156.221(b)(1)(v)) that 
require prior authorization;
    (2) Can identify all documentation required by the QHP issuer for 
approval of any items or services that require prior authorization;
    (3) Supports a HIPAA-compliant prior authorization request and 
response, as described in 45 CFR part 162; and
    (4) Communicates the following information about prior 
authorization requests:
    (i) Whether the QHP issuer--
    (A) Approves the prior authorization request (and the date or 
circumstance under which the authorization ends);
    (B) Denies the prior authorization request; or
    (C) Requests more information.
    (ii) If the QHP issuer denies the prior authorization request, it 
must include a specific reason for the denial.
    (c) Publicly reporting prior authorization metrics. Beginning in 
2026, following each year it offers a QHP on a Federally-facilitated 
Exchange, a QHP issuer must report prior authorization data, excluding 
data on drugs as defined in Sec.  156.221(b)(1)(v), at the issuer level 
by March 31. The QHP issuer must make the following data from the 
previous calendar year publicly accessible by posting them on its 
website:
    (1) A list of all items and services that require prior 
authorization.
    (2) The percentage of standard prior authorization requests that 
were approved, aggregated for all items and services.
    (3) The percentage of standard prior authorization requests that 
were denied, aggregated for all items and services.
    (4) The percentage of standard prior authorization requests that 
were approved after appeal, aggregated for all items and services.
    (5) The percentage of prior authorization requests for which the 
timeframe for review was extended, and the request was approved, 
aggregated for all items and services.
    (6) The percentage of expedited prior authorization requests that 
were approved, aggregated for all items and services.
    (7) The percentage of expedited prior authorization requests that 
were denied, aggregated for all items and services.
    (8) The average and median time that elapsed between the submission 
of a request and a determination by the QHP issuer, for standard prior 
authorizations, aggregated for all items and services.
    (9) The average and median time that elapsed between the submission 
of a request and a decision by the QHP issuer for expedited prior 
authorizations, aggregated for all items and services.
    (d) Exception. (1) If a plan applying for QHP certification to be 
offered through a Federally-facilitated Exchange believes it cannot 
satisfy the requirements in paragraph (b) of this section, the issuer 
must include a narrative justification in its QHP application that 
describes all of the following:
    (i) The reasons why the issuer cannot reasonably satisfy the 
requirements for the applicable plan year.
    (ii) The impact of non-compliance upon providers and enrollees.
    (iii) The current or proposed means of providing health information 
to providers.
    (iv) Solutions and a timeline to achieve compliance with the 
requirements in paragraph (b) of this section.
    (2) The Federally-facilitated Exchange (FFE) may grant an exception 
to the requirements in paragraph (b) of this section if the Exchange 
determines that making QHPs of such issuer available through such 
Exchange is in the interests of qualified individuals in the State or 
States in which such Exchange operates and an exception is warranted to 
permit the issuer to offer QHPs through the FFE.

Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-00895 Filed 1-18-24; 4:15 pm]
BILLING CODE 4150-28-P