On August 5, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) published the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) Proposed Rule in the Federal Register as part of its continued focus on improving information sharing among health care stakeholders through the Health IT Certification Program.
This +Insight discusses the proposals related to payer, provider and patient application programming interfaces (APIs). For information on the proposed rule’s information blocking provisions, see our separate +Insight. We will also release a publication summarizing the rule’s Trusted Exchange Framework and Common Agreement proposals.
The deadline for submitting comments to ASTP regarding the proposed rule is October 4, 2024, at 5:00 pm EDT.
KEY PROPOSED CHANGES TO THE CERTIFIED API REQUIREMENTS
INTERSECTION WITH CMS RULEMAKING
CMS previously issued two separate final rules that leverage APIs to improve interoperability and data exchange across certain payers, providers and patients. The 2020 CMS Interoperability and Patient Access Final Rule required impacted payers to implement and maintain a patient access API to facilitate patient access to claims, encounter, clinical and other data. That same rule required impacted payers to implement payer-to-payer data exchange, but CMS subsequently subjected that requirement to enforcement discretion. The rule also required payers to adopt a provider directory API. The 2024 CMS Interoperability and Prior Authorization Final Rule then expanded on the 2020 rule and required implementation of three additional APIs: a provider access API, a payer-to-payer API and a prior authorization API.
These CMS rules apply to a subset of payers, specifically Medicare Advantage organizations, Medicaid fee-for-service (FFS) programs, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) FFS programs, CHIP managed care entities and qualified health plan issuers on the federally facilitated exchanges. Although compliance dates vary based on payer type, impacted payers must generally implement the API provisions beginning on January 1, 2027.
While CMS required payers to comply with certain technical standards in the two final rules, the agency merely recommended compliance with relevant IGs that provide more specificity. CMS decided to provide more flexibility, initially, and to allow the IGs to be voluntarily updated as future improvements are made. However, CMS also reserved the right to make compliance with the more detailed IGs mandatory in future rulemaking.
More information on the CMS rules is available here, and the CMS-recommended IGs for each API type are detailed in the chart below.
API CERTIFICATION PROPOSALS
ASTP’s proposed rule outlines a set of health IT certification criteria for the patient, provider, payer and other APIs. ASTP notes in the proposed rule that although CMS only recommended use of certain IGs, ASTP would require certain IGs as part of its health IT certification criteria. While ASTP would require these IGs for health IT certification purposes, it cannot mandate that developers obtain certification for their API technology or that impacted payers covered under the CMS rules use certified technology. Certification is voluntary, but those seeking to be certified would need to comply with the HT1-2 proposals, if finalized, including the required IGs. It is also possible that CMS, in future rulemaking, could require impacted payers to use certified technology to meet the API requirements. The new API certification criteria would be included in the condition and maintenance of certification requirements.
The proposed rule outlines the proposed certification criteria for each API as follows:
ACTION ITEMS AND NEXT STEPS
Impacted payers generally have until January 1, 2027, to adopt the previously finalized CMS API requirements. While not mandatory, the additional certification criteria included in the ASTP proposed rule provide more detail on how to implement and operationalize those requirements for certain health IT modules seeking certification. Based on prior experience, payers likely will have to invest significant time and effort in developing the technology, policies and practices required to meet CMS’s standards and to achieve certification under ASTP’s complementary criteria (including implementation of the IGs), if finalized. While other commercial payers are not covered under the CMS rules, they may also choose to implement these APIs and seek specific certifications to improve electronic data sharing.
THE McDERMOTT AND M+ DIFFERENCE
If you have questions about how the ASTP’s proposals would affect your organization if finalized, or if you would like assistance preparing comments to submit to ASTP, please contact any of the authors of this +Insight (Kristen O’Brien, Vice President – McDermott+, James A. Cannatti III, Partner – McDermott Will & Emery, Daniel F. Gottlieb, Partner – McDermott Will & Emery, Lauren Knizner, Regulatory Affairs Specialist – McDermott+, Jennifer S. Geetter, Partner – McDermott Will & Emery), your regular M+ consultant or McDermott lawyer.