Frequently asked questions

The rule applies to "impacted payers" including:

• Medicare Advantage (MA) organizations
• State Medicaid and CHIP Fee-for-Service (FFS) programs
• Medicaid managed care plans
• CHIP managed care entities
• Qualified Health Plan (QHP) issuers on Federally Facilitated Exchanges (FFEs)

The primary deadline is January 1, 2027, when all five FHIR APIs must be fully operational. However, several requirements take effect earlier:

Yes. CMS has enforcement authority and can impose penalties including corrective action plans, financial penalties, and in severe cases, termination of contracts for Medicare Advantage organizations and Medicaid managed care plans. The specific penalties vary by payer type and the nature of the violation.

All APIs must use HL7 FHIR Release 4.0.1 (R4) as the base standard. Additionally, specific implementation guides are required for each API, such as FHIR US Core IG STU 3.1.1, Da Vinci Implementation Guides, and CARIN IG for Blue Button STU 2.0.0.

It depends on the API:

• Provider Directory API: Must be publicly accessible without authentication
• Patient Access API: Requires patient authentication via SMART App Launch
• Provider Access API: Requires provider authentication and established treatment relationship
• Payer-to-Payer API: Requires authentication between payers
• Prior Authorization API: Requires provider authentication

Yes. The ONC-developed Inferno tool is available to test FHIR API implementations for compliance with the required standards. This tool validates conformance to FHIR specifications, implementation guides, and proper data element inclusion. It's recommended to use Inferno throughout development and before go-live.

The Patient Access API must include:

• Individual claims and encounter data (including provider remittances and cost-sharing)
• All USCDI data elements
• Prior authorization decisions (excluding drugs)
• Clinical data as available from provider systems

Beginning January 1, 2026, payers must make prior authorization decisions within: These timeframes apply to all items and services requiring prior authorization, excluding drugs covered under Medicare Part D.

Starting in 2026, when a prior authorization request is denied, the payer must provide:

• A specific reason for the denial
• The clinical rationale supporting the decision
• Reference to the coverage criteria or policy applied
• Information about the appeals process

Generic denial reasons are no longer acceptable.

By March 31, 2026 (and annually thereafter), payers must publicly post metrics including:

• Total number of prior authorization requests received
• Number and percentage approved
• Number and percentage denied
• Average and median decision timeframes
• Breakdown by expedited vs. standard requests
• Patient Access API usage statistics

The rule requires:

• SMART App Launch Framework 1.0.0 for patient and provider authentication
• OAuth 2.0 for authorization
• OpenID Connect Core 1.0 for identity verification
• Support for both standalone and EHR launch sequences

These standards ensure secure, standardized authentication across all APIs.

Yes. If your organization already has a Patient Access API from previous CMS regulations, it must be enhanced to include:

• Prior authorization decisions (excluding drugs)
• Updated to FHIR US Core IG STU 3.1.1
• Enhanced metrics reporting capabilities

The enhanced API must be operational by January 1, 2027.

Provider directory information must be updated to reflect changes within 30 calendar days. This includes updates to:

• Provider participation status
• Contact information and locations
• Specialties and services offered
• Facility information

The 30-day requirement ensures patients and providers have access to current network information.

Yes. Many payers work with third-party vendors or technology partners to develop and maintain the required APIs. However, the payer remains ultimately responsible for compliance with all CMS requirements, including API functionality, data accuracy, uptime requirements, and security standards.