• CMS has outlined requirements for Payers to share relevant member information with current or concurrent plans, fostering a longitudinal view of an individual's health journey.
• Payers will recognize the opportunity to leverage the CMS mandate to foster a more collaborative Healthcare ecosystem. By investing in bi-directional data exchange capabilities, Payers can request and access members' historical data from previous plans, enabling seamless care transitions and comprehensive care coordination.
• With seamless data portability and longitudinal health records, CMS Payer-to-Payer Data Exchange Final Rule has the potential to significantly improve the electronic exchange of health information, leading to better Healthcare outcomes, more informed decision-making, and increased transparency.

In January 2024, the Centers for Medicare and Medicaid Services (CMS) published the groundbreaking Interoperability and Prior Authorization Final Rule (CMS-0057-F) [1], ushering in a new era of Healthcare data exchange and accessibility. While the rule primarily focuses on empowering members and Providers with seamless access to health records and transforming the electronic prior authorization process, it also introduced a pivotal mandate and guidelines for Payer-to-Payer (P2P) data exchange. Announced in May 2020 as part of the Interoperability and Patient Access Final Rule (CMS-9115-F) [2], the Payer-to-Payer API Rule was rescinded by CMS in December 2021 due to challenges identified in the implementation guidelines (IG) of the Da Vinci Project’s Payer Data Exchange (PDex) [3] solution. Those challenges have now been addressed, and the updated [4] PDex IG is comprehensive, practical, and recommended by CMS in the 2024 Final Rule for regulatory compliance.

Payer-to-Payer rule - Understanding the mandates

Impacted Payers, including Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs), must comply with the Payer-to-Payer Data Exchange API Rule by January 1, 2027. The rule mandates that Payers share member data with other current or concurrent Payers when coverage begins and on a quarterly basis if the member has multiple Payers. Impacted Payers are mandated to share at least five years of member data rather than the full record. Unlike the previously proposed rule, which required Payers to share only clinical data of their members, the 2024 final rule has mandated sharing holistic member health information including clinical data, adjudicated claims, encounter data, cost-sharing information, and prior authorization details, while requesting for the chosen Health Plans.

Context behind the rule: Challenging the past and ensuring a promising future

CMS recognized that as members transition between different health plans, their medical data often remains siloed within each Payer's systems, hampering care continuity and coordination. Providers lack a comprehensive understanding of a member's medical history, potentially leading to redundant tests, inappropriate treatments, or adverse events. Members endure the frustration of repeating their medical history to every new Healthcare entity, while Payers grapple with inefficiencies and increased costs due to fragmented data. To bridge this gap, CMS has outlined requirements for Payers to share relevant member information with current or concurrent plans, fostering a longitudinal view of an individual's health journey. Providers can now access a member's complete health record, facilitating informed decision-making and personalized care. Members will enjoy the convenience of their data following them seamlessly, reducing redundancies and enhancing their overall Healthcare experience. Payers will gain valuable insights into their members' health histories, enabling better risk management, care coordination, and cost optimization.

Payer investment drivers and opportunities

While the rule aims at improving care continuity and coordination, it does not mandate Payers to request member data from prior or concurrent Health Plans. So, even though the recommended Da Vinci PDex IG outlines the steps and framework for bi-directional data exchange between requesting and data-sharing Payers, for compliance purposes Payers are recommended to follow the Da Vinci PDex IG to share member data with a requesting Payer in a fast and accurate manner.

Keeping this in mind, it would be convenient to assume that Payers will have two distinct drivers to invest in P2P data exchange solutions: 1) to achieve regulatory compliance and 2) to enhance care continuity and coordination. Keeping regulatory compliance as the baseline requirement, impacted Payers are mandated to build an infrastructure to share requested member data with the requesting Health Plans. Payers can leverage the same FHIR-based solution that was built for Patient Access API, as per CMS Interoperability & Patient Access Final Rule (CMS-9115-F). Additionally, this will involve mutual authentication with other Payers to enable secure data sharing, member consent validation, and member matching operation capabilities.

However, forward-thinking Payers will recognize the opportunity to leverage the CMS mandate to foster a more collaborative Healthcare ecosystem. By investing in bi-directional data exchange capabilities, Payers can request and access members' historical data from previous plans, enabling seamless care transitions and comprehensive care coordination. This objective will require Payers to invest in a platform solution enabling the onboarding of Health Plans, bundling of member data to facilitate member match, and retrieval of bulk historical data using standards-based APIs and data models.

Step by Step Guide to Payer-to-Payer Data Exchange

Step 1: Member consent and coverage information

A Payer requesting a new member's historical information from a prior or concurrent Health Plan Provider would require the member to authorize the new plan to collect their data, typically during enrollment or through a member portal, no later than a week after the start of new coverage. Payers are also mandated to incorporate measures to respect privacy preferences, allowing members to opt out of data sharing at any time. In addition to consent, the requesting Payer also needs to share the member’s prior coverage information so that the other Health Plan can perform the member matching operation. Therefore, during the enrollment process, Payers are also required to capture details about the member’s prior health plan coverage, typically from the member’s old/concurrent Health Plan coverage card.

Step 2: Mutual authentication

To establish a Payer-to-Payer data exchange, each Payer will need to create their own mutual authentication (mTLS) bundle, which will be digitally signed by a Certificate Authority (CA) using public/private key cryptography. The mTLS endpoint bundle needs to consist of a) the Payer’s signed identity certificate as an Endpoint resource, and b) details about the Health Plan and the operating entity that manages the endpoint. By publishing these mTLS bundles on the public GitHub repository or getting them endorsed by TEFCA or National Endpoint Directory, Payers will be able to discover and verify endpoints to initiate the secure connection required for the Payer-to-Payer data sharing workflow.

Step 3: Health Plan registration

Once the requesting Payer (say, Payer 2) sets up the technical integration for system interactions with the previous (prior or concurrent) Payer (say, Payer 1), Payer 2 will need to follow the OAuth 2.0 authorization framework for dynamic registration with Payer 1. Payer 2 will need to submit a digitally signed software statement JSON Web Token (JWT) containing the registration details to Payer 1. Upon successful validation of the JWT and registration details, Payer 1 will return client credentials (Client ID) to Payer 2. With these client credentials obtained during the registration process, Payer 2 can then proceed to access Payer 1's API securely.

Step 4: Request for member matching

With proper authentication and authorization, Payer 2 can initiate an individual or bulk member matching operation against Payer 1’s database. It should use the member's details, such as demographics, prior coverage and consent information, to definitively locate their records in Payer 1’s system. The FHIR resource profiles for each of the data elements are defined under HRex Patient Demographics, HRex Coverage Profile and PDex Consent Profile. The profiles specify that member demographics must include name, gender and address, and that coverage information should include the Member ID in the prior/concurrent Health Plan.

Step 5: Payer data exchange

Upon a successful match and validation of the member’s consent, Payer 1 will provide an individual or group FHIR ID, enabling the retrieval of the member's historical claims, encounters, cost-sharing, and prior authorization data, usually for the previous five years.

The technical specifications and guidelines for the Payer-to-Payer Data Exchange API suggest that using HL7 FHIR R4 is the preferred way to enable clinical data exchange. This approach is recommended because of the prior investment in converting clinical data elements to FHIR R4 for the Patient Access API.
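
As an added illustration (not part of the original article or of the Da Vinci IG), the check below shows how Payer 1 might gate a member-match request from Steps 4 and 5, refusing it unless the required demographics, a member ID and an active, in-force consent are all present. The parameter names, the `Coverage.subscriberId`/`identifier` lookup and the `Consent.provision.period` check are assumptions about the FHIR payload, and the sample request is constructed.

```python
from datetime import date

# Parameter names as used by the HRex $member-match operation (assumed here;
# confirm against the IG version you implement).
REQUIRED_PARAMS = ("MemberPatient", "CoverageToMatch", "Consent")

def validate_member_match(request, today):
    """Return reasons to reject the request; an empty list means proceed."""
    if request.get("resourceType") != "Parameters":
        return ["body is not a FHIR Parameters resource"]
    found = {p.get("name"): p.get("resource", {}) for p in request.get("parameter", [])}
    errors = [f"missing parameter {n}" for n in REQUIRED_PARAMS if n not in found]
    if errors:
        return errors
    patient, coverage, consent = (found[n] for n in REQUIRED_PARAMS)
    # Step 4: demographics must include name, gender and address.
    for field in ("name", "gender", "address"):
        if not patient.get(field):
            errors.append(f"MemberPatient.{field} is required")
    # Step 4: coverage must carry the member ID at the prior/concurrent plan.
    # Assumption: it arrives in Coverage.subscriberId or Coverage.identifier.
    if not (coverage.get("subscriberId") or coverage.get("identifier")):
        errors.append("CoverageToMatch has no member ID")
    # Step 5: consent must be active and in force today before data is released.
    if consent.get("status") != "active":
        errors.append("Consent is not active")
    period = consent.get("provision", {}).get("period", {})
    start, end = period.get("start"), period.get("end")
    if not start or date.fromisoformat(start[:10]) > today:
        errors.append("Consent period is missing or has not started")
    if end and date.fromisoformat(end[:10]) < today:
        errors.append("Consent period has expired")
    return errors

def sample_request(consent_status="active", end="2027-12-31"):
    """Constructed request with made-up values, for illustration only."""
    patient = {"resourceType": "Patient", "name": [{"family": "Example"}],
               "gender": "female", "address": [{"postalCode": "00000"}]}
    coverage = {"resourceType": "Coverage", "subscriberId": "MEMBER-ID-PLACEHOLDER"}
    consent = {"resourceType": "Consent", "status": consent_status,
               "provision": {"period": {"start": "2027-01-01", "end": end}}}
    resources = zip(REQUIRED_PARAMS, (patient, coverage, consent))
    return {"resourceType": "Parameters",
            "parameter": [{"name": n, "resource": r} for n, r in resources]}

if __name__ == "__main__":
    print(validate_member_match(sample_request(), date(2027, 6, 1)))
```

A request that fails any check should be rejected before the matching logic runs, so that no FHIR ID is returned for a member whose consent has lapsed or been withdrawn.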

Implement with caution or pay the price

While the exact calculation of effort is not explicitly provided by CMS, the agency has outlined the need for a strategic approach, resource planning, and adaptation to evolving technical specifications to facilitate a smooth and effective implementation of Payer-to-Payer data exchange. 

Failure to comply with the mandated requirements can lead to penalties imposed by CMS. Depending on the extent of the violation, CMS may take compliance actions from warning letters or requiring a corrective action plan, to enforcement actions including sanctions, civil money penalties and other measures. For example, if a Payer includes a fraudulent attestation that the patient is enrolled with the Payer and has opted for a Payer-to-Payer data exchange in its request for patient data, that entity could be subject to criminal or civil penalties.

Conclusion

With seamless data portability and longitudinal health records, CMS Payer-to-Payer Data Exchange Final Rule has the potential to significantly improve the electronic exchange of health information, leading to better Healthcare outcomes, more informed decision-making, and increased transparency. It will be a milestone in the pursuit of a truly interoperable and member-centric healthcare ecosystem.