ASTP Proposes Certification Criteria for Certain APIs

ASTP Proposes Certification Criteria for Patient, Payer and Provider APIs

On August 5, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) published the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) Proposed Rule in the Federal Register as part of its continued focus on improving information sharing among health care stakeholders through the Health IT Certification Program.

This +Insight discusses the proposals related to payer, provider and patient application programming interfaces (APIs). For information on the proposed rule’s information blocking provisions, see our separate +Insight. We will also release a publication summarizing the rule’s Trusted Exchange Framework and Common Agreement proposals.

The deadline for submitting comments to ASTP regarding the proposed rule is October 4, 2024, at 5:00 pm EDT.

in depth


KEY PROPOSED CHANGES TO THE CERTIFIED API REQUIREMENTS

  • The proposed rule outlines a new set of certification criteria focused on facilitating the exchange of clinical and coverage information, drug formulary information and prior authorization information among patients, providers and payers.
  • Health information technology (IT) certified to these criteria includes requirements for specific Implementation Guides (IGs) that were not previously outlined in related rulemaking by the Centers for Medicare & Medicaid Services (CMS).

INTERSECTION WITH CMS RULEMAKING

CMS previously issued two separate final rules that leverage APIs to improve interoperability and data exchange across certain payers, providers and patients. The 2020 CMS Interoperability and Patient Access Final Rule required impacted payers to implement and maintain a patient access API to facilitate patient access to claims, encounter, clinical and other data. That same rule required impacted payers to implement payer-to-payer data exchange, but CMS subsequently subjected that requirement to enforcement discretion. The rule also required payers to adopt a provider directory API. The 2024 CMS Interoperability and Prior Authorization Final Rule then expanded on the 2020 rule and required implementation of three additional APIs: a provider access API, a payer-to-payer API and a prior authorization API.

These CMS rules apply to a subset of payers, specifically Medicare Advantage organizations, Medicaid fee-for-service (FFS) programs, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) FFS programs, CHIP managed care entities and qualified health plan issuers on the federally facilitated exchanges. Although compliance dates vary based on payer type, impacted payers must generally implement the API provisions beginning on January 1, 2027.

While CMS required payers to comply with certain technical standards in the two final rules, the agency merely recommended compliance with relevant IGs that provide more specificity. CMS decided to provide more flexibility, initially, and to allow the IGs to be voluntarily updated as future improvements are made. However, CMS also reserved the right to make compliance with the more detailed IGs mandatory in future rulemaking.

More information on the CMS rules is available here, and the CMS-recommended IGs for each API type are detailed in the chart below.

API Name CMS Recommended Supporting IGs
Patient Access API
Provider Access API
  • See IGs for patient access API
Payer-to-Payer API
  • See IGs for patient access API
Provider Directory API
Documentation Requirements Lookup Service API
Prior Authorization Support (PAS) API
Bulk Data

API CERTIFICATION PROPOSALS

ASTP’s proposed rule outlines a set of health IT certification criteria for the patient, provider, payer and other APIs. ASTP notes in the proposed rule that although CMS only recommended use of certain IGs, ASTP would require certain IGs as part of its health IT certification criteria. While ASTP would require these IGs for health IT certification purposes, it cannot mandate that developers obtain certification for their API technology or that impacted payers covered under the CMS rules use certified technology. Certification is voluntary, but those seeking to be certified would need to comply with the HT1-2 proposals, if finalized, including the required IGs. It is also possible that CMS, in future rulemaking, could require impacted payers to use certified technology to meet the API requirements. The new API certification criteria would be included in the condition and maintenance of certification requirements.

The proposed rule outlines the proposed certification criteria for each API as follows:

  • Patient Access API: The certification criteria specify requirements to enable patients to access health and administrative information using an application of their choice. The proposal would require certified health IT modules to enable patient access to payer drug formulary information and to patient clinical, coverage and claims information, including provider remittances and enrollee cost-sharing.
  • Provider Access API: The proposed rule outlines “client” and “server” certification criteria to support provider access to payer information. This information would facilitate access to patient clinical, coverage and claims information, including information about patient encounters; dates of service; diagnoses; laboratory results; information from admit, discharge and transfer messages; information received from immunization registries; and information related to medications from pharmacy networks.
  • Payer-to-Payer API: The proposed rule would support the electronic exchange of data when a patient switches insurance plans. The criteria would facilitate sharing of payer claims and encounter data (excluding provider remittances and patient cost-sharing information).
  • Prior Authorization API: The proposed rule outlines certification criteria for payers and providers to conduct electronic prior authorization. Technology certified to these criteria would support the ability to request and populate prior authorization templates and to submit and respond to prior authorization requests.
  • Provider Directory API: The proposed rule specifies requirements for health IT that payers can use to publish information regarding the providers that participate in their networks. Technology certified under these criteria would help patients understand which providers, facilities and pharmacies are covered by their current (or future) health plan.

ACTION ITEMS AND NEXT STEPS

Impacted payers generally have until January 1, 2027, to adopt the previously finalized CMS API requirements. While not mandatory, the additional certification criteria included in the ASTP proposed rule provide more detail on how to implement and operationalize those requirements for certain health IT modules seeking certification. Based on prior experience, payers likely will have to invest significant time and effort in developing the technology, policies and practices required to meet CMS’s standards and to achieve certification under ASTP’s complementary criteria (including implementation of the IGs), if finalized. While other commercial payers are not covered under the CMS rules, they may also choose to implement these APIs and seek specific certifications to improve electronic data sharing.

THE McDERMOTT AND M+ DIFFERENCE

If you have questions about how the ASTP’s proposals would affect your organization if finalized, or if you would like assistance preparing comments to submit to ASTP, please contact any of the authors of this +Insight (Kristen O’Brien, Vice President – McDermott+,  James A. Cannatti III, Partner – McDermott Will & Emery, Daniel F. Gottlieb, Partner – McDermott Will & Emery,  Lauren Knizner, Regulatory Affairs Specialist – McDermott+, Jennifer S. Geetter, Partner – McDermott Will & Emery), your regular M+ consultant or McDermott lawyer.