The Winter Whirlwind of FHIRy New Regulations

Benji Graham Profile Photo Bellese Logo Benji Graham

Feb 13th • 4 min read

As is often the case with healthcare regulations here in the US, major new updates tend to come in waves. With that in mind, the past 4 weeks or so have been a tsunami! Riding in on the crest of that wave are three major regulatory updates:

  • The HTI-1 final rule from ONC regarding Health Data, Technology, and Interoperability
  • The CMS-0057-F Advancing Interoperability final rule from CMS including updates for Payer to Payer data sharing, Provider data sharing, and Prior Authorization updates
  • The TEFCA Common Agreement version 2.0 draft that outlines rules for Qualified Health Information Networks (QHINs)

All three of these updates have major implications on the world of FHIR and the health data standards community. Major impacts from the HTI-1 rule include updates to information blocking rules, updates to the Health IT certification Program’s standards - which include adopting the SMART launch implementation guide version 2, as well as electronic case reporting using the CDA and FHIR specifications - and perhaps most impactful of all, the raising of the baseline USCDI standard version from v1 to v3. USCDI is the US Core Data for Interoperability, and defines the set of data classes and attributes required to be considered “interoperable” for health data here in the US. 

On the surface, these changes might not seem to reverberate much through the healthcare industry, but when we look at the updates in the CMS-0057-F rule, we understand that the knock-on effects of raising the USCDI standard to v3 will be felt by Payers everywhere. Under the current rules, the baseline standard is USCDI v1, with version 3.1.1 of the US Core FHIR implementation guide doing the work of ensuring that patient data meets that standard. When the requirement for USCDI v3 becomes enforceable on 01/01/2026, Payers will be required to have Patient data adhere to US Core version 6.1.0. It’s possible this could represent a heavy lift for some payers or FHIR solution vendors who built their Patient Access API models around US Core 3.1.1.

Sticking with the Advancing Interoperability rule, there were a lot more brand new requirements packed in there that we need to discuss! Chief among these are major updates to electronic prior authorization in the US. First on this - Payers are now required to make current and previous (at least the past 12 months) Prior Authorization decisions available to Patients, their in-network Providers, and other Payers should the Patient switch plans and opt in to data sharing. These Prior Auth decisions must include pended or in-process current requests, as well as denials that have plain language reasons included in those FHIR resources. Additionally, Payers must now provide FHIR APIs that allow providers to discover if prior authorization is required for a given service, provide documentation rules and questionnaire templates in the event that prior auth is required, and finally allow providers to submit all of the required documentation in a FHIR bundle for the purpose of requesting a prior auth for a given service. None of this is very new, CMS had previously outlined this requirement in the December ‘22 proposed rule for Advancing Interoperability. What IS new, however, is that CMS have announced that enforcement discretion will be granted for payers and providers who do not wish to comply with the HIPAA law provision mandating the use of the X12 278 transaction for requesting and responding to prior authorizations. That means that all payers and providers will have the option of leveraging FHIR-based communications through the entire prior authorization process from end-to-end, no longer needing to translate into and out of FHIR and X12 or vice-versa. 

The Advancing Interoperability final rule also calls for data sharing between Payers, where eligible Patients who switch plans can opt in to having their data from their previous plan shared with their new plan. Additionally, In-network providers will now be able to access the same data classes from the Payer-to-Payer API on a new Provider Access API, so long as they can attribute a treatment relationship with the Patient to the payer. 

Speaking of Payer data sharing - the draft of the TEFCA common agreement v2 dropped in our laps the same week as the Advancing Interoperability final rule. This updated version contains some new rules around QHIN accountability, Security concerns, and a Directory service for endpoint discoverability. The draft is currently open for comments.

As with all of these standards and regulations, the industry will get the most out of them if we all participate in the discussion and make sure we have a seat at the table. It’s important that we voice our opinions and concerns, and ensure that real-world business use cases are being considered. CMS considered over 900 comments when composing their final rule for Advancing Interoperability, with ONC considering over 600 comments for HTI-1, so please speak up and let your voice be heard!


Until next time, 


Benji Graham

FHIR Evangelist


Author

Benji Graham Bellese Profile Photo
Benji Graham
FHIR Evangelist