(a) Application programming interface to support data exchange from payers to providers—Provider Access API. Beginning January 1, 2027, an MA organization must do the following:

(1) API requirements. Implement and maintain an application programming interface (API) conformant with all of the following:

(i) Section 422.119(c)(2) through (4), (d), and (e).

(ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), (c)(1), and (d)(1).

(2) Provider access. Make the data specified at § 422.119(b) with a date of service on or after January 1, 2016, excluding provider remittances and enrollee cost-sharing information, that are maintained by the MA organization available to in-network providers via the API required in paragraph (a)(1) of this section no later than 1 business day after receiving a request from such a provider, if all the following conditions are met:

(i) The MA organization authenticates the identity of the provider that requests access and attributes the enrollee to the provider under the attribution process described in paragraph (a)(3) of this section.

(ii) The enrollee does not opt out as described in paragraph (a)(4) of this section.

(iii) Disclosure of the data is not prohibited by other applicable law.

(3) Attribution. Establish and maintain a process to associate enrollees with their in-network providers to enable data exchange via the Provider Access API.

(4) Opt out and patient educational resources. (i) Establish and maintain a process to allow an enrollee or the enrollee's personal representative to opt out of the data exchange described in paragraph (a)(2) of this section and to change their permission at any time. That process must be available before the first date on which the MA organization makes enrollee information available via the Provider Access API and at any time while the enrollee is enrolled with the MA organization.

(ii) Provide information to enrollees in plain language about the benefits of API data exchange with their providers, their opt out rights, and instructions both for opting out of data exchange and for subsequently opting in, as follows:

(A) Before the first date on which the MA organization makes enrollee information available through the Provider Access API.

(B) No later than 1 week after the coverage start date or no later than 1 week after receiving acceptance of enrollment from CMS, whichever is later.

(C) At least annually.

(D) In an easily accessible location on its public website.

(5) Provider resources. Provide on its website and through other appropriate provider communications, information in plain language explaining the process for requesting enrollee data using the Provider Access API required in paragraph (a)(1) of this section. The resources must include information about how to use the MA organization's attribution process to associate enrollees with their providers.

(b) Application programming interface to support data exchange between payers—Payer-to-Payer API. Beginning January 1, 2027, an MA organization must do the following:

(1) API requirements. Implement and maintain an API conformant with all of the following:

(i) Section 422.119(c)(2) through (4), (d), and (e).

(ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (d)(1).

(2) Opt in. Establish and maintain a process to allow enrollees or their personal representatives to opt into the MA organization's payer to payer data exchange with the enrollee's previous payer(s), described in paragraphs (b)(4) and (5) of this section, and with concurrent payer(s), described in paragraph (b)(6) of this section, and to change their permission at any time.

(i) The opt in process must be offered as follows:

(A) To current enrollees, no later than the compliance date.

(B) To new enrollees, no later than 1 week after the coverage start date or no later than 1 week after receiving acceptance of enrollment from CMS, whichever is later.

(ii) If an enrollee does not respond or additional information is necessary, the MA organization must make reasonable efforts to engage with the enrollee to collect this information.

(3) Identify previous and concurrent payers. Establish and maintain a process to identify a new enrollee's previous and concurrent payer(s) to facilitate the Payer-to-Payer API data exchange. The information request process must start as follows:

(i) For current enrollees, no later than the compliance date.

(ii) For new enrollees, no later than 1 week after the coverage start date or no later than 1 week after receiving acceptance of enrollment from CMS, whichever is later.

(iii) If an enrollee does not respond or additional information is necessary, the MA organization must make reasonable efforts to engage with the enrollee to collect this information.

(4) Exchange request requirements. Exchange enrollee data with other payers, consistent with the following requirements:

(i) The MA organization must request the data listed in paragraph (b)(4)(ii) of this section through the enrollee's previous payers' API, if all the following conditions are met:

(A) The enrollee has opted in, as described in paragraph (b)(2) of this section.

(B) The exchange is not prohibited by other applicable law.

(ii) The data to be requested are all of the following with a date of service within 5 years before the request:

(A) Data specified in § 422.119(b) excluding the following:

(1) Provider remittances and enrollee cost-sharing information.

(2) Denied prior authorizations.

(B) Unstructured administrative and clinical documentation submitted by a provider related to prior authorizations.

(iii) The MA organization must include an attestation with this request affirming that the enrollee is enrolled with the MA organization and has opted into the data exchange.

(iv) The MA organization must complete this request as follows:

(A) No later than 1 week after the payer has sufficient identifying information about previous payers and the enrollee has opted in.

(B) At an enrollee's request, within 1 week of the request.

(v) The MA organization must receive, through the API required in paragraph (b)(1) of this section, and incorporate into its records about the enrollee, any data made available by other payers in response to the request.

(5) Exchange response requirements. Make available the data specified in paragraph (b)(4)(ii) of this section that are maintained by the MA organization to other payers via the API required in paragraph (b)(1) of this section within 1 business day of receiving a request, if all the following conditions are met:

(i) The payer that requests access has its identity authenticated and includes an attestation with the request that the patient is enrolled with the payer and has opted into the data exchange.

(ii) Disclosure of the data is not prohibited by other applicable law.

(6) Concurrent coverage data exchange requirements. When an enrollee has provided sufficient identifying information about concurrent payers and has opted in as described in paragraph (b)(2) of this section, an MA organization must do the following, through the API required in paragraph (b)(1) of this section:

(i) Request the enrollee's data from all known concurrent payers as described in paragraph (b)(4) of this section, and at least quarterly thereafter while the enrollee is enrolled with both payers.

(ii) Respond as described in paragraph (b)(5) of this section within 1 business day of a request from any concurrent payers. If agreed upon with the requesting payer, the MA organization may exclude any data that were previously sent to or originally received from the concurrent payer.

(7) Patient educational resources. Provide information to enrollees in plain language, explaining at a minimum: the benefits of Payer-to-Payer API data exchange, their ability to opt in or withdraw that permission, and instructions for doing so. The MA organization must provide the following resources:

(i) When requesting an enrollee's permission for Payer-to-Payer API data exchange, as described in paragraph (b)(2) of this section.

(ii) At least annually, in appropriate mechanisms through which it ordinarily communicates with current enrollees.

(iii) In an easily accessible location on its public website.

[89 FR 8974, Feb. 8, 2024]