
CMS-0057-F: Leveraging Provider Access APIs

See how CMS’ new API requirements will give providers access to data to support care coordination.

In addition to reshaping prior authorization processes for payors and hospitals, CMS’ Interoperability and Prior Authorization final rule (CMS-0057-F) introduces a new requirement that will give providers direct electronic access to their patients’ health data held by payors through a Provider Access application programming interface (API). While the compliance burden falls on payors, there are practical implications for providers. Understanding what is coming will help providers take advantage of this new data channel when it goes live in 2027.

What Is the Provider Access API?

Under CMS-0057-F, certain health payors, including Medicare Advantage (MA) organizations, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state Medicaid and CHIP fee-for-service programs, and Qualified Health Plan (QHP) issuers on the federal exchanges, will be required to build and maintain a Provider Access API. This is a standardized, electronic interface that allows in-network providers to request patient data directly from payors and receive it within one business day.

The rule builds on the Patient Access API that CMS required payors to implement in 2021, which gave patients the ability to pull their own health data through third-party applications. The Provider Access API takes the next logical step: making that same data available directly to treating providers through the systems they already use, such as electronic health records (EHRs) and practice management systems, without the patient needing to act as the intermediary.

What Data Will Be Available Through the Provider Access API?

When a provider submits a request through the API, payors will be required to make available the following information within one business day:

  • Claims and encounter data dating back to January 1, 2016
  • Clinical data aligned with United States Core Data for Interoperability (USCDI) standards
  • Structured information related to prior authorizations, including status, approval or denial dates, and the specific reason for any denial

Provider remittances and patient cost-sharing information are explicitly excluded from the requirement, as CMS determined those data elements have limited clinical value for treatment and care coordination purposes.

How Will Accessing API Data Work in Practice?

The intent is for data to flow directly into a provider’s existing EHR or practice management system, rather than requiring providers to log in to a separate payor portal or navigate a new application. Before or during a patient visit, a provider will be able to request the patient’s data from their payor and receive a response within one business day. For practices that already share upcoming appointment information with payors, the data could be ready before the patient ever walks in the door.

Payors will be required to verify that a treatment relationship exists between the requesting provider and the patient before releasing any information. Patients also retain the ability to opt out of the Provider Access API entirely, so access will not be universal across all patients.

How Can Provider Organizations Use the API Data?

Providers are not required to use the API, and no penalties exist for those who choose not to. The Provider Access API has the potential to surface prior authorization history, claims from other treating providers, and clinical data that patients may not have been able to relay themselves, all accessible in advance of a scheduled visit. This could help reduce duplicate testing, improve care coordination, and give clinical teams a more complete picture of each patient’s history at the point of care.

For most plan types, payors have until the January 1, 2027 compliance deadline to have Provider Access API functionality in place. Between now and then, EHR and practice management vendors will be working to build integrations that bring this data into clinical workflows.

How Forvis Mazars Can Help

Our healthcare consulting professionals will continue to monitor CMS guidance and implementation developments related to CMS-0057-F and the Provider Access API. If you have questions about how this rule may affect your organization’s operations, technology strategy, or value-based care programs, please reach out to our team.
