Application Programming Interfaces (APIs) and Relevant Standards and Implementation Guides (IGs)
The Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access Final Rule (85 FR 25510) requires Medicare Advantage (MA) organizations, Medicaid Fee-for-Service (FFS) Programs, Medicaid managed care plans, Children's Health Insurance Program (CHIP) FFS programs, CHIP managed care entities, and Qualified Health Plan issuers on the Federally-Facilitated Exchanges (FFEs) to implement application programming interface (API) technology to advance health data exchange. The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) builds on CMS' previous rule by outlining requirements for additional information that certain payers must provide via the Patient Access API and new requirements for certain payers to implement three additional APIs: Provider Access API, Payer-to-Payer API, and Prior Authorization API. The APIs finalized in CMS-9115-F and CMS-0057-F must meet certain technical standards to drive interoperability and increase provider and patient access to health information. The APIs are described below along with standards required by rulemaking and the Implementation Guides (IGs). CMS recommends payers use to support implementation—eliminating the need to develop an independent approach, which will save time and resources.
Impacted payers may use updated standards, specifications, or IGs for each of these APIs, under the following conditions: the updated version of the standard is required by other applicable law; or (1) the updated version of the standard is not prohibited under other applicable law, (2) the Assistant Secretary for Technology Policy (ASTP)/National Coordinator has approved the updated version for use in the Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program, and (3) the updated version does not disrupt an end user’s ability to access the data required to be available through the API. We note that for the required standards at 45 CFR 170.215, several updated versions have been approved by the National Coordinator for use in the ONC Health IT Certification Program, including, but not limited to, the US Core IG STU 6.1.0, and the SMART App Launch IG Release 2.0.0.
Patient Access API
Through the already established Patient Access API, impacted payers are required to make information available to patients about prior authorization requests and decisions (excluding those for drugs) by January 1, 2027.
HL7 FHIR Release 4.0.1
HL7 SMART Application Launch Framework IG Release 1.0.0* and Release 2.0.0
Open ID Connect Core 1.0, incorporating errata set 1
Provider Access API
Impacted payers are required to implement and maintain APIs for payer to provider data sharing of individual claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes, and data elements in a content standard adopted by ASTP/ONC (USCDI) and specified prior authorization information (excluding those for drugs) by January 1, 2027.
HL7 FHIR Release 4.0.1
HL7 SMART Application Launch Framework IG Release 1.0.0* and Release 2.0.0
HL7 FHIR Bulk Data Access IG (v.1.0.0: STU1)
HL7 SMART App Launch IG Release 2.0.0 to support Backend Services Authorization
*Adopted standards expiring on January 1, 2026 (89 FR 1192)
**Implementation Guides derived from adopted standards expiring on January 1, 2026 (89 FR 1192)
Payer-to-Payer API
Impacted payers must implement and maintain a Payer-to-Payer API to make available claims and encounter data (excluding provider remittances and enrollee cost-sharing information), all data classes, and data elements in a content standard adopted by ASTP/ONC (USCDI), and information about prior authorizations (excluding those for drugs and those that were denied).
HL7 FHIR Release 4.0.1
HL7 FHIR Bulk Data Access IG (v.1.0.0: STU1)
HL7 SMART App Launch IG Release 2.0.0 to support Backend Services Authorization
*Adopted standards expiring on January 1, 2026 (89 FR 1192)
**Implementation Guides derived from adopted standards expiring on January 1, 2026 (89 FR 1192)
Provider Directory API
Under the CMS Interoperability and Patient Access Final Rule and the CMS Interoperability and Prior Authorization Final Rule, Medicaid FFS programs, CHIP FFS programs, Medicaid managed care plans, and CHIP managed care entities are required to make provider directory information available via the Provider Directory API. The CMS Interoperability and Patient Access Final Rule includes MA organizations. This API must be accessible via a public-facing digital endpoint on the payer’s website.
HL7 FHIR Release 4.0.1
Prior Authorization API
The CMS Interoperability and Prior Authorization Final Rule requires impacted payers to implement and maintain a Prior Authorization API to automate the process for providers to determine whether a prior authorization is required, identify prior authorization information and documentation requirements, as well as facilitate the exchange of prior authorization requests and decisions from their electronic health records (EHRs) or practice management system. We note that under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to use the currently adopted standard for prior authorization transactions. The name of the HIPAA prior authorization transaction is the X12 278.
The National Standards Group (NSG) announced an enforcement discretion for Health Insurance Portability and Accountability Act (HIPAA) covered entities that implement Fast Healthcare Interoperability Resources® (FHIR®) based Prior Authorization APIs as described in the CMS Interoperability and Prior Authorization final rule. In response to the final rule, NSG will not take HIPAA Administrative Simplification enforcement action against HIPAA covered entities that choose not to use the X12 278 standard as part of an electronic FHIR® prior authorization process.
Read the enforcement discretion (PDF)
HL7 FHIR Release 4.0.1
HL7 SMART Application Launch Framework IG Release 1.0.0* and Release 2.0.0