Compliance and Enforcement
Compliance and Enforcement
- Does CMS require certification to determine if a payer’s APIs comply with the requirements of the Interoperability and Patient Access final rule (CMS-9115-F)?
No, CMS does not require that payers certify their APIs as part of the requirements imposed on Medicare Advantage (MA) Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, Children’s Health Insurance Program (CHIP) Agencies, CHIP Managed Care Entities, and Issuers of Qualified Health Plans (QHPs) on the Federally-Facilitated Exchanges (FFEs). However, these impacted payers are required to conduct routine testing and monitoring, and update their systems as appropriate, to ensure the API functions properly, including conducting assessments to verify that the API is fully and successfully implementing privacy and security features such as those required to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements in 45 CFR parts 160 and 164, 42 CFR parts 2 and 3, and other applicable laws protecting the privacy and security of individually identifiable data. [1]
- Does CMS require that payers test their application programming interfaces (APIs)? What testing tools should implementers use for the implementation guides (IGs) suggested in the Interoperability and Patient Access final rule?
The CMS Interoperability and Patient Access final rule requires impacted payers to conduct routine testing and monitoring of their APIs and to make updates as appropriate, to ensure the API functions properly. [2]
CMS recommends that impacted payers use the implementation guides and testing tools developed for use with Fast Healthcare Interoperability Resources® (FHIR) APIs. The authoring organizations of the implementation guides, Health Level 7® (HL7) Da Vinci and the CARIN Alliance have chosen to use certain testing tools that are available on the HL7® Da Vinci Implementer website. For more information, visit that web page at: https://confluence.hl7.org/display/DVP/Da+Vinci+Implementer+Support
There are at least two different levels of testing that can be performed:
- FHIR® API validation: These tests validate that the FHIR® APIs conform to the FHIR® IGs that specify the API, including terminologies.
- Rule conformance/certification: These tests evaluate the API and the data content. This can be done with synthetic sample data or with actual data.
- How will CMS evaluate compliance with the provisions of the Interoperability and Patient Access final rule?
Compliance with the provisions of the Interoperability and Patient Access final rule will be assessed in accordance with the oversight policies of each impacted program. The Medicare Advantage and Medicaid managed care programs each have programs in place to evaluate compliance of contracted entities. Issuers of Qualified Health Plans (QHPs) on the Federally-Facilitated Exchanges (FFEs) will be evaluated through the annual QHP certification application process, and in the final rule we indicated that we would provide additional guidance to QHP issuers on how they would demonstrate compliance (85 FR 25553). Medicare Advantage plans will be evaluated using annual survey instruments. Similarly, the States will use their contract vehicle to complete assessments. Each program will provide information about evaluation mechanisms at a later date.
- How will the requirement to meet prior authorization decision timelines be enforced if payers do not comply?
In the CMS Interoperability and Prior Authorization final rule (CMS-0057-F), we said that each CMS program oversees compliance under existing program authorities and responsibilities for each type of impacted payer. Oversight and compliance procedures vary among these CMS programs, and CMS may choose from an array of possible enforcement actions, based on a payer’s status in the program, previous compliance actions, and corrective action plans. Patients and providers may submit an inquiry or complaint to the appropriate authority, depending on their coverage. With respect to compliance for prior authorization decision timelines, each program has authority to enforce the policies.