Over the next three years, healthcare payers face the implementation end of the recent Department of Health and Human Services (HHS) rulemaking push designed to boost interoperability via mandate. CMS 0057 is coming soon, but it is not the only thing on the minds of US payers.
Earlier this year, the Trusted Exchange Framework and Common Agreement (TEFCA), an HHS-backed nationwide health information exchange, incentivized all participants to support FHIR API data exchange by requiring responses to queries originating in FHIR. While participation in TEFCA is voluntary, many of the largest data players in healthcare have already signed on, including Epic, eHealth Exchange, and Commonwell, as well as many of the providers, payers, and HCIT companies in their networks. As additional use cases roll out, TEFCA could provide payers the clinical data and providers the financial and operational data they each respectively seek to complete a longitudinal patient record.
Now, CMS-0057 will push payers, irrespective of their participation in TEFCA, to continue their transition to FHIR. By January 1, 2027, payers participating in CMS programs must meet baseline FHIR standards for a variety of API-enabled data operations.
CMS-0057 compliance will require covered payers to provide FHIR API access to patients, providers, and other payers, as well as to build a FHIR API to facilitate prior authorization. This digital transformation may seem like a daunting task, particularly for a segment of the healthcare sector with well-documented interoperability barriers.
However, promisingly, a 2022 CAQH report found that roughly 60% of the nation’s largest payers had already developed patient and provider APIs. The largest remaining implementation barriers for these companies are navigating how to make these APIs publicly available, as required by statute, without compromising security or operations. This statistic is an indicator of how payers’ mindsets have shifted since implementing measures to adhere to CMS-9115. Unlike the reactive CMS-9115 implementations, the market’s mindset has shifted to focusing on scalable FHIR implementations and offerings. A few years ago, it was not clear how deep the compliance measures would go for FHIR, but that is no longer the case. Smart, mature payers will leverage the CMS-0057 rollout to develop reusable infrastructure for years to come. These payer leaders are viewing the new compliance mandate as an opportunity for aligned modernization, not just another fragmented, check-the-box effort like some compliance measures of the past.
Looking forward, the next year will separate payers into two groups – those with the time and flexibility to undertake a systematic data transformation and those scrambling to become compliant just under the deadline. The first group will use the next year to hone their strategic data vision, find a strong implementation partner, and build out the required FHIR APIs while keeping an eye on their own cybersecurity posture. The second group will be constrained by time, limited to implementation partners not already committed to projects, and more likely to leave themselves vulnerable to cyberattacks.
While new HHS FHIR API requirements shouldn’t be a major cause for concern for payers, the clock has started for those organizations that wish to be in the driver’s seat of their own digital transformations.
Timeline
Importantly, even though organizations don’t have to have their FHIR APIs online until January 2027, the contracting crunch for e-prior authorization is coming much sooner. Payers participating in CMS programs have until January 1, 2026, to reduce prior authorization decisions to 72 hours for urgent requests. Also starting in 2026, payers will also have to report approval metrics and provide a specific reason for any denials.
While organizations may be tempted to treat these deadlines as separate priorities, the most prudent will act early to avoid the implementation partner crunch coming in 2025. Most payers, both large and small, will not have the capacity to build out prior authorization infrastructure internally – and the old, manual prior authorization procedure will only become a bigger burden on payers as they struggle to meet accelerated timelines and reporting starting in 2026.
Working Backwards
The Staffing Crunch
Today, HCIT vendors are already rolling out healthcare data and prior authorization solutions. Early movers are taking advantage of these offerings to begin developing compliance and data strategies alongside HCIT implementation partners – subject experts who understand how to build out prior authorization capabilities, de-silo healthcare data, and turn claims processing from a burden to an insight-generating advantage. However, by 2025, every payer covered by the new CMS regulation will be searching for an implementation partner and the available bandwidth of implementation market leaders will be extremely low, creating “the crunch.”
To avoid the crunch, payers must act now to secure an implementation partner and create a strategy for meeting both CMS turnaround time and reporting requirements for prior authorization before 2026. Even if this process doesn’t have to be completed through a single API until 2027, the complexity of building out the appropriate data and decision flows means that organizations waiting until 2025 to begin thinking about prior authorization will already be playing catch-up – and will more than likely be doing so without a market-leading implementation vendor.
Even if late-acting payers find the right implementation partner, the condensed timeline and thinly stretched resources will raise the price of implementation significantly. This makes the prior authorization buildout a costly push to remain compliant rather than a strategic opportunity to gain a competitive data and service advantage over the rest of the industry. In other words, getting caught in the coming staffing crunch is bad news for payers and a hefty setback on the road to prior authorization.
Why Move Early?
Moving early allows payers to be more strategic about their prior authorization push. For organizations that are yet to begin the move to FHIR-based APIs for prior authorization, several lessons can be learned from the early adopters.
First, organizations must have a plan before they begin restructuring data flows and API infrastructure. Data infrastructure for healthcare organizations is a pressing challenge – a poorly-considered data transformation without a strategic vision may bring an organization into compliance, but it will prevent that company from harnessing its data assets to extract additional value. Insights into care, longitudinal data records, value-based care, and enterprise AI applications all require specific data infrastructure. Smart organizations will stop, revisit or create a strategic data vision, then undertake the infrastructure development necessary to achieve a modern, data-forward business model.
Second, API security is a massive vulnerability for both large and small healthcare organizations. A 2023 report found that 78% of healthcare organizations experienced an API security breach in the previous year – a staggeringly high vulnerability rate for a core element of modern data architecture. Untangle’s own research found that many leading health organizations either did not understand API security or did not have an adequate strategy in place to limit exposure and respond to vulnerabilities. At the heart of this challenge is a lack of understanding, control, and monitoring of the entire organizational API landscape. Before deploying yet another API and needing to make it compliant, smart payers will take the opportunity to understand their API architecture and build a secure environment with the appropriate level of protection for these new public APIs.
Finally, payers are concerned that publicly available APIs, particularly provider directories, will be vulnerable to API abuse. API abuse is a leading API security risk, and the solution once again comes down to preparation and strategy. API security vendors offer protection from API abuse – by working with an expert before beginning a digital transformation, payers can avoid scrambling to fix their security posture with the compliance deadline looming.
While these three lessons can help late FHIR API adopters close the gap with current interoperability leaders, payers need to be careful not to wait too long to begin reshaping their data infrastructure. Database refactoring in an enterprise organization can be a daunting task. With January 2026 and 2027 deadlines looming, this leaves late 2024 and 2025 as the cutoff dates for payers to begin the push towards better prior authorization and the FHIR API transition.
What are the Benefits of Moving Early?
Even for organizations with substantial in-house teams, moving early can have clear advantages.
Learning Together:
- Firstly, as compliance measures and interpretations evolve over the next few years, sharing the effort with a partner can reduce reaction time to any changes. Organizations can learn in parallel with their vendor partners, with the vendors acting as an extension of their team.
Preferred Pricing:
- Vendors appreciate early adopters and are typically willing to incentivize first movers with preferred, pilot pricing. Later, if a payer organization chooses to wait to achieve compliance, the vendor partners may have already determined an approach and will often price that into their service offerings.
Influence over Implementation:
- Early adopters have the strongest influence over partner implementations and product backlogs. Electing to move first, payers are most likely to ensure the standard implementation of the partner meets their specific needs. Late adopters may have to adapt to the “standard way” the partner implements, conforming to the earlier adopters’ needs and preferences.
Who Should Payers Work with?
As payers plan to address the interoperability efforts of today (TEFCA) and the compliance of tomorrow (CMS-0057), choosing interoperability partners is an important step. While FHIR integrations allow for more vendor agnosticism than ever before, as previous decades required organizations “marrying” their IT partners with custom API integrations in bespoke ways, switching costs are still relatively high. Despite the convergence of exchange formats to FHIR, there is not yet a single, unified FHIR schema, and FHIR-to-FHIR connections still require “localizations” for the partners involved.
When choosing a partner to work with, assuming the payer does not plan on homegrowing all interoperability infrastructure (which we would not recommend), here are the areas that Untangle Health recommends you focus on for a new partner:
- Trust: A partner should be a trusted name. While we support and encourage new entrants, the venture crazed 2010s created too many zombies and soon-to-be-sunsetted startups.
- Security : We cannot ignore the fact that each new API integration expands your threat surface by another node. Integrations (even on your network) must be taken seriously. A partner that understands and exceeds security requirements is a partner for the long term.
- Performance: If we believe TEFCA and FHIR are the future, then transaction performance cannot be ignored. Whether querying a QHIN, interoperating with other payers or providers, or simply completing operational tasks, we should never be talking about seconds and calls per minute. We should be focused on round-trip milliseconds and millions of calls per minute.
- Service: It is no secret that there is a resource shortage in healthcare technology and the learning curve can be steep. Based on your staffing model, choosing a partner that can flex up service based on need may be necessary to meet mandated and internally-generated timelines.
- Partnership: It’s a small world in the healthcare IT space, you should find partners that want to deepen and expand relationships. There are many win-win scenarios, and finding a partner that is interested in helping each organization meet strategic goals will ensure lasting success and help prevent you from choosing a partner that is not a going concern.
What is Next?
For payer organizations without a CMS-0057 compliance plan in place, now is the time to act. Completing the partner selection process in 2024 is necessary to take full advantage of the opportunity in front of you. If your organization needs to open up its architecture to accommodate FHIR APIs for new use-cases, leverage that as an opportunity for thoughtful improvements and optimizations.
If you are feeling stuck, give us a shout. Untangle Health works closely with organizations across the Healthcare Data Value Chain, both on the buy and sell side. We represent and advise technology partners capable of meeting compliance and we also work with payers like you as they determine the optimal approach for their specific organizational needs.