§ 457.731 - Access to and exchange of health data for providers and payers.  


Latest version.
  • § 457.731 xxx

    Cross Reference
    Link to an amendment published at

    Access to and exchange of health data for providers and payers.

    (a) Application programming interface to support data exchange from payers to providers—Provider Access API. Beginning January 1, 2027, unless granted an extension or exemption under paragraph (c) of this section, a State must do the following:

    (1) API requirements. Implement and maintain an application programming interface (API) conformant with all of the following:

    (i) Section 457.730(c)(2) through (4), (d), and (e).

    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), (c)(1), and (d)(1).

    (2) Provider access. Make the data specified in § 457.730(b) with a date of service on or after January 1, 2016, excluding provider remittances and beneficiary cost-sharing information, that are maintained by the State, available to enrolled CHIP providers via the API required in paragraph (a)(1) of this section no later than 1 business day after receiving a request from such a provider, if all the following conditions are met:

    (i) The State authenticates the identity of the provider that requests access and attributes the beneficiary to the provider under the attribution process described in paragraph (a)(3) of this section.

    (ii) The beneficiary does not opt out as described in paragraph (a)(4) of this section.

    (iii) Disclosure of the data is not prohibited by other applicable law.

    (3) Attribution. Establish and maintain a process to associate beneficiaries with their enrolled CHIP providers to enable data exchange via the Provider Access API.

    (4) Opt out and patient educational resources.

    (i) Establish and maintain a process to allow a beneficiary or the beneficiary's personal representative to opt out of the data exchange described in paragraph (a)(2) of this section and to change their permission at any time. That process must be available before the first date on which the State makes beneficiary information available via the Provider Access API and at any time while the beneficiary is enrolled with the State.

    (ii) Provide information to beneficiaries in plain language about the benefits of API data exchange with their providers, their opt out rights, and instructions both for opting out of data exchange and for subsequently opting in, as follows:

    (A) Before the first date on which the State makes beneficiary information available through the Provider Access API.

    (B) No later than 1 week after enrollment.

    (C) At least annually.

    (D) In an easily accessible location on its public website.

    (5) Provider resources. Provide on its website and through other appropriate provider communications, information in plain language explaining the process for requesting beneficiary data using the Provider Access API required in paragraph (a)(1) of this section. The resources must include information about how to use the State's attribution process to associate beneficiaries with their providers.

    (b) Application programming interface to support data exchange between payers—Payer-to-Payer API. Beginning January 1, 2027, unless granted an extension or exemption under paragraph (c) of this section a State must do the following:

    (1) API requirements. Implement and maintain an API conformant with all of the following:

    (i) Section 457.730(c)(2) through (4), (d), and (e).

    (ii) The standards in 45 CFR 170.215(a)(1), (b)(1)(i), and (d)(1).

    (2) Opt in. Establish and maintain a process to allow beneficiaries or their personal representatives to opt into the State's payer to payer data exchange with the beneficiary's previous payer(s), described in paragraphs (b)(4) and (5) of this section, and with concurrent payer(s), described in paragraph (b)(6) of this section, and to change their permission at any time.

    (i) The opt in process must be offered as follows:

    (A) To current beneficiaries, no later than the compliance date.

    (B) To new beneficiaries, no later than 1 week after enrollment.

    (ii) If a beneficiary has coverage through any CHIP managed care entities within the same State while enrolled in CHIP, the State must share their opt in permission with those managed care entities to allow the Payer-to-Payer API data exchange described in this section.

    (iii) If a beneficiary does not respond or additional information is necessary, the State must make reasonable efforts to engage with the beneficiary to collect this information.

    (3) Identify previous and concurrent payers. Establish and maintain a process to identify a new beneficiary's previous and concurrent payer(s) to facilitate the Payer-to-Payer API data exchange. The information request process must start as follows:

    (i) For current beneficiaries, no later than the compliance date.

    (ii) For new beneficiaries, no later than 1 week after enrollment.

    (iii) If a beneficiary does not respond or additional information is necessary, the State must make reasonable efforts to engage with the beneficiary to collect this information.

    (4) Exchange request requirements. Exchange beneficiary data with other payers, consistent with the following requirements:

    (i) The State must request the data specified in paragraph (b)(4)(ii) of this section through the beneficiary's previous payers' API, if all the following conditions are met:

    (A) The beneficiary has opted in, as described in paragraph (b)(2) of this section, except for data exchanges between a State CHIP agency and its contracted managed care entities, which do not require a beneficiary to opt in.

    (B) The exchange is not prohibited by other applicable law.

    (ii) The data to be requested are all of the following with a date of service within 5 years before the request:

    (A) Data specified in § 457.730(b), excluding the following:

    (1) Provider remittances and enrollee cost-sharing information.

    (2) Denied prior authorizations.

    (B) Unstructured administrative and clinical documentation submitted by a provider related to prior authorizations.

    (iii) The State must include an attestation with this request affirming that the beneficiary is enrolled with the State and has opted into the data exchange.

    (iv) The State must complete this request as follows:

    (A) No later than 1 week after the payer has sufficient identifying information about previous payers and the beneficiary has opted in.

    (B) At a beneficiary's request, within 1 week of the request.

    (v) The State must receive, through the API required in paragraph (b)(1) of this section, and incorporate into its records about the beneficiary, any data made available by other payers in response to the request.

    (5) Exchange response requirements. Make available the data specified in paragraph (b)(4)(ii) of this section that are maintained by the State to other payers via the API required in paragraph (b)(1) of this section within 1 business day of receiving a request, if all the following conditions are met:

    (i) The payer that requests access has its identity authenticated and includes an attestation with the request that the patient is enrolled with the payer and has opted into the data exchange.

    (ii) Disclosure of the data is not prohibited by other applicable law.

    (6) Concurrent coverage data exchange requirements. When a beneficiary has provided sufficient identifying information about concurrent payers and has opted in as described in paragraph (b)(2) of this section, a State must do the following, through the API required in paragraph (b)(1) of this section:

    (i) Request the beneficiary's data from all known concurrent payers as described in paragraph (b)(4) of this section, and at least quarterly thereafter while the beneficiary is enrolled with both payers.

    (ii) Respond as described in paragraph (b)(5) of this section within 1 business day of a request from any concurrent payers. If agreed upon with the requesting payer, the State may exclude any data that were previously sent to or originally received from the concurrent payer.

    (7) Patient educational resources. Provide information to applicants or beneficiaries in plain language, explaining at a minimum: the benefits of Payer-to-Payer API data exchange, their ability to opt in or withdraw that permission, and instructions for doing so. The State must provide the following resources:

    (i) When requesting a beneficiary's permission for Payer-to-Payer API data exchange, as described in paragraph (b)(2) of this section.

    (ii) At least annually, in appropriate mechanisms through which it ordinarily communicates with current beneficiaries.

    (iii) In an easily accessible location on its public website.

    (c) Extensions and exemptions

    (1) Extension.

    (i) A State may submit a written application to request a one-time, 1-year extension of the requirements in paragraph (a) or (b) (or paragraphs (a) and (b)) of this section for its CHIP fee-for-service program. The written application must be submitted as part of the State's annual Advance Planning Document (APD) for Medicaid Management Information System (MMIS) operations expenditures, as described in part 433, subpart C, of this chapter, and approved before the compliance date for the requirements to which the State is seeking an extension. It must include all the following:

    (A) A narrative justification describing the specific reasons why the State cannot satisfy the requirement(s) by the compliance date and why those reasons result from circumstances that are unique to the agency operating the CHIP fee-for service program.

    (B) A report on completed and ongoing State activities that evidence a good faith effort towards compliance.

    (C) A comprehensive plan to meet the requirements no later than 1 year after the compliance date.

    (ii) CMS grants the State's request if it determines, based on the information provided, that—

    (A) The request adequately establishes a need to delay implementation; and

    (B) The State has a comprehensive plan to meet the requirements no later than 1 year after the compliance date.

    (2) Exemption.

    (i) A State operating a separate CHIP in which at least 90 percent of the State's CHIP beneficiaries are enrolled in CHIP managed care organizations, as defined in § 457.10, may request an exemption for its fee-for-service program from either or both of the following requirements:

    (A) Paragraph (a) of this section.

    (B) Paragraphs (b)(1) and (3) through (7) of this section.

    (ii) The State's exemption request must:

    (A) Be submitted in writing as part of a State's annual APD for MMIS operations expenditures before the compliance date for the requirements to which the State is seeking an exemption.

    (B) Include both of the following:

    (1) Documentation that the State meets the threshold for the exemption, based on enrollment data from section 5 of the most recently accepted CHIP Annual Report Template System (CARTS).

    (2) An alternative plan to ensure that enrolled providers will have efficient electronic access to the same information through other means while the exemption is in effect.

    (iii) CMS grants the exemption if the State establishes to CMS's satisfaction that the State—

    (A) Meets the threshold for the exemption; and

    (B) Has established an alternative plan to ensure that enrolled providers will have efficient electronic access to the same information through other means while the exemption is in effect.

    (iv) The State's exemption expires if either—

    (A) Based on the 3 previous years of available, finalized CHIP CARTS managed care and fee-for-service enrollment data, the State's managed care enrollment for 2 of the previous 3 years is below 90 percent; or

    (B)

    (1) CMS has approved a State plan amendment, waiver, or waiver amendment that would significantly reduce the percentage of beneficiaries enrolled in managed care; and

    (2) The anticipated shift in enrollment is confirmed by the first available, finalized CARTS managed care and fee-for-service enrollment data.

    (v) If a State's exemption expires under paragraph (c)(2)(iv) of this section, the State is required to do both of the following:

    (A) Submit written notification to CMS that the State no longer qualifies for the exemption within 90 days of the finalization of annual CARTS managed care enrollment data that demonstrates that there has been the requisite shift from managed care enrollment to fee-for-service enrollment resulting in the State's managed care enrollment falling below the 90 percent threshold.

    (B) Obtain CMS approval of a timeline for compliance with the requirements in paragraph (a) or (b) (or paragraphs (a) and (b)) of this section within 2 years of the expiration of the exemption.

    [89 FR 8983, Feb. 8, 2024

    .

    ]