Payerbox Docs

CMS-9115-F

The 2020 CMS Interoperability and Patient Access final rule was published in the Federal Register on May 1, 2020. It established two FHIR APIs that impacted payers have been required to maintain since January 1, 2021.

APIs in scope

APIPayerbox doc
Patient AccessPatient Access
Provider DirectoryProvider Directory

Patient Access API

Member-authorized access via SMART App Launch / OAuth 2.0; returns USCDI clinical data, adjudicated claims (with remittances and enrollee cost-sharing), encounters with capitated providers, and lab results.

PropertyValue
Compliance dateJanuary 1, 2021
Update SLANo later than one business day after the payer adjudicates a claim or receives encounter data
AuthenticationMember-authorized (SMART App Launch, OAuth 2.0, OpenID Connect)
Service-date floorJanuary 1, 2016
End-user authentication required?Yes — member must authorize each app

Citations

Payer typeCFR section
Medicare Advantage42 CFR 422.119
Medicaid FFS42 CFR 431.60
Medicaid MCO42 CFR 438.242(b)(5)
CHIP FFS42 CFR 457.730
CHIP MCO42 CFR 457.1233(d) (incorporates 438.242(b)(5) by reference)
QHP on FFE45 CFR 156.221

Provider Directory API

Public, unauthenticated FHIR API exposing contracted providers, pharmacies, networks, and plans.

PropertyValue
Compliance dateJanuary 1, 2021
Update SLANo later than 30 calendar days after the payer receives directory information or an update
AuthenticationNone for end-users; app-key registration permitted for traffic management
Required data elementsProvider names, addresses, phone numbers, specialties (plus pharmacy name/address/phone/network count/type for MA-PD)

Citations

Payer typeCFR section
Medicare Advantage42 CFR 422.120
Medicaid FFS42 CFR 431.70
Medicaid MCO42 CFR 438.242(b)(6)
CHIP FFS42 CFR 457.760
CHIP MCO42 CFR 457.1233(d) (incorporates 438.242(b)(6) by reference)
QHP on FFEExempt — 45 CFR 156.221(i) already requires a machine-readable directory

What CMS-0057-F changed

CMS-0057-F kept the Provider Directory API intact and extended the Patient Access API: from January 1, 2027, impacted payers must also expose prior-authorization request and decision data through Patient Access, with a 1-business-day SLA after the payer receives the prior-auth event. See CMS-0057.

References

Last updated: