CMS Interoperability Compliance

Information blocking is a practice by a healthcare actor that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI). Under the 21st Century Cures Act and the ONC Information Blocking Final Rule (45 CFR Part 171), four categories of actors are subject to information blocking provisions: healthcare providers, health IT developers of certified health IT, health information exchanges (HIEs), and health information networks (HINs). The rule defines eight exceptions where interfering with EHI access is permissible — including preventing harm, protecting privacy, security concerns, recovering reasonable costs, responding to infeasibility, licensing terms, content and manner conditions, and health IT performance. When a practice does not fall within a recognized exception, it constitutes information blocking. Penalties include civil monetary penalties of up to $1 million per violation for health IT developers, HIEs, and HINs, while provider violations are subject to appropriate disincentives determined by HHS.

CMS-0057-F — formally titled the CMS Interoperability and Prior Authorization Final Rule — is the most comprehensive CMS interoperability rule to date. Published in January 2024, it requires Medicare Advantage, Medicaid, CHIP, and Qualified Health Plan (QHP) issuers to comply in two phases: operational requirements by January 1, 2026, and FHIR API implementation by January 1, 2027. Beginning in 2026, payers must provide specific denial reasons for prior authorization decisions and meet response timeframes of 72 hours for urgent requests and 7 calendar days for standard requests. By 2027, payers must implement a Prior Authorization API (Da Vinci PAS), a Provider Access API for provider data sharing, payer-to-payer data exchange using FHIR Bulk Data Access, and enhanced Patient Access API requirements building on CMS-9115-F. The rule also introduces prior authorization metrics reporting — payers must publicly report approval rates, denial rates, average decision timeframes, and overturn rates on their websites and to CMS. CMS-0057-F represents a fundamental shift toward API-first, FHIR-based data exchange for the payer industry.

The CMS Prior Authorization API is a FHIR R4-based API that CMS-0057-F requires impacted payers to implement by January 2027. The API must conform to the HL7 Da Vinci Prior Authorization Support (PAS) implementation guide and enable providers to electronically submit prior authorization requests, query the status of pending requests, and receive approval or denial decisions with reason codes. The Prior Authorization API uses FHIR Claim resources for request submission, ClaimResponse resources for payer decisions, and Task resources for asynchronous status tracking. Payers must respond to prior authorization requests within 72 hours for urgent requests and 7 calendar days for standard requests. The API must also support attachment submission for clinical documentation and return structured denial reasons mapped to standardized code sets. This API is designed to replace phone and fax-based prior authorization workflows that currently consume significant administrative resources for both providers and payers.

The ONC Information Blocking Final Rule defines four categories of actors subject to information blocking provisions. Healthcare providers include hospitals, physicians, and other clinical professionals as defined under 42 USC 300jj. Health IT developers of certified health IT are companies that develop, maintain, or offer certified electronic health record technology — this includes major EHR vendors and health IT platforms that hold ONC certification. Health information exchanges (HIEs) are organizations that facilitate the electronic exchange of health information between providers and other stakeholders in their region or network. Health information networks (HINs) are entities that determine, oversee, or administer policies and procedures for electronic health information exchange among a broad set of participants. Each actor category faces different enforcement mechanisms — health IT developers, HIEs, and HINs face civil monetary penalties of up to $1 million per violation, while healthcare providers face appropriate disincentives through existing CMS and OIG enforcement frameworks.

The ONC Information Blocking Final Rule establishes eight exceptions under which interfering with EHI access, exchange, or use is permissible. The Preventing Harm exception allows restrictions to protect patients or others from substantial harm. The Privacy exception permits restrictions required by state or federal privacy law, including patient consent preferences. The Security exception allows restrictions necessary to protect EHI from cybersecurity threats. The Infeasibility exception applies when fulfilling a request is technically infeasible or imposes an undue burden. The Health IT Performance exception allows temporary restrictions to maintain system availability or performance. The Content and Manner exception permits actors to establish reasonable content standards and delivery methods for EHI. The Fees exception allows recovery of reasonable costs for EHI access and exchange. The Licensing exception permits reasonable licensing terms for interoperability elements. Each exception has specific conditions that must be satisfied — actors must document their rationale and demonstrate that their practice meets the exception requirements to avoid information blocking liability.

Da Vinci is a collaborative project within HL7 International that develops FHIR implementation guides specifically designed for payer-provider data exchange in the United States. The Da Vinci project brings together payers, providers, health IT vendors, and government agencies to create standardized, FHIR-based specifications that solve real-world interoperability challenges — from prior authorization and claims data exchange to care gaps reporting and risk adjustment. Da Vinci implementation guides are critical because CMS has adopted them as the technical standard for compliance with interoperability rules. CMS-0057-F specifically requires conformance with Da Vinci PAS (Prior Authorization Support), PDex (Payer Data Exchange), Plan Net (Provider Directory), and other Da Vinci IGs for payer API implementations. Key Da Vinci IGs include PAS for prior authorization, PDex for member data exchange, Plan Net for provider directories, Alerts for admission and discharge notifications, CRD for coverage requirements discovery, and DTR for documentation templates and rules. As CMS continues to expand interoperability requirements, Da Vinci implementation guides will remain the foundation for compliant payer-provider data exchange.

Healthcare EDI (Electronic Data Interchange) refers to the standardized electronic exchange of administrative and financial transactions between healthcare organizations — primarily using the ASC X12 transaction sets mandated under HIPAA. Key healthcare EDI transactions include the 837 (claims submission), 835 (electronic remittance advice/payment), 270/271 (eligibility inquiry and response), 278 (prior authorization request and response), and 834 (enrollment and disenrollment). Healthcare EDI has been the backbone of payer-provider administrative data exchange for decades, running through clearinghouses like Availity, Change Healthcare, and Trizetto that handle transaction routing, validation, and translation. CMS interoperability rules are now layering FHIR-based APIs on top of existing EDI infrastructure — the CMS-0057-F Prior Authorization API (Da Vinci PAS) is designed to complement, and eventually replace, the X12 278 transaction for prior authorization. Organizations pursuing CMS compliance need to maintain existing EDI connectivity while building new FHIR endpoints, which is why Saga IT's integration approach supports both FHIR R4 and X12 EDI in parallel.

A healthcare clearinghouse is an intermediary that processes and routes electronic administrative transactions between providers and payers. Under HIPAA, clearinghouses serve as covered entities that receive non-standard or standard EDI transactions, validate them against HIPAA transaction formats, and forward them to the appropriate payer or provider. Major healthcare clearinghouses include Availity, Change Healthcare (Optum), Trizetto, and Waystar. Clearinghouses handle claims submission (837), eligibility verification (270/271), claim status inquiries (276/277), remittance processing (835), and prior authorization (278) — collectively processing billions of transactions annually. For CMS interoperability compliance, clearinghouses are evolving to support both traditional X12 EDI and FHIR-based API exchange. Many clearinghouses now offer FHIR-enabled APIs that translate between X12 and FHIR formats, enabling providers and payers to adopt CMS-mandated FHIR APIs without abandoning existing EDI infrastructure. Saga IT integrates with all major clearinghouse platforms for both EDI and FHIR connectivity.