Provider Access API | CMS-0057-F Requirements & Implementation Guide

```

Why a Provider Access API

Today, providers lack a standardized mechanism to retrieve patient data held by payers. This gap creates redundant testing, delayed care decisions, and fragmented patient records. The Provider Access API closes this gap by requiring payers to expose a FHIR endpoint that providers can query within their clinical workflows — aligning payer data access with the same technical standards used for EHR interoperability.

Data Available Through the Provider Access API

Adjudicated Claims & Encounters

Claims and encounter data — excluding provider remittances and patient cost-sharing information.

USCDI Clinical Data

All data classes and elements in the content standard at 45 CFR 170.213 (currently USCDI v1 transitioning to USCDI v3).

Prior Authorization Information

Status, decisions, and details of active and historical prior authorizations for the provider's attributed patients.

Key Distinction from Patient Access API: The Provider Access API deliberately excludes provider remittance and patient cost-sharing data. This scoping protects contractual rate confidentiality while still giving providers the clinical and administrative data they need for care delivery.

Patient Opt-Out Rights

Patients must have the ability to opt out of having their data shared with providers through this API. Payers are required to implement a clear opt-out process and disseminate educational resources to both patients and providers about the API's purpose, the types of data shared, and how to exercise opt-out rights.

Compliance Dates

MA organizations & state Medicaid/CHIP FFS programs: January 1, 2027
Medicaid managed care plans & CHIP managed care entities: Rating period beginning on or after January 1, 2027
QHP issuers on the FFEs: Plan years beginning on or after January 1, 2027

Technical Implementation

Required Standards

The Provider Access API must conform to the same base technical standards as the Patient Access API:

HL7 FHIR Release 4.0.1 (45 CFR 170.215(a)(1))
US Core IG STU 3.1.1 (45 CFR 170.215(b)(1)(i))
FHIR Bulk Data Access IG v1.0.0 (45 CFR 170.215(d)(1)) — for bulk data retrieval by provider organizations

Authentication & Authorization

Unlike the Patient Access API (which uses SMART App Launch for consumer-facing OAuth flows), the Provider Access API will use backend service authentication patterns appropriate for system-to-system data exchange. CMS has strongly recommended the SMART Backend Services authorization profile for this purpose.

Recommended Implementation Guides

CMS strongly recommends payers use the HL7 Da Vinci Payer Data Exchange (PDex) Implementation Guide and the Da Vinci Prior Authorization Support (PAS) IG to profile the FHIR resources exposed through this API. These IGs define payer-specific resource profiles, search parameters, and capability statements that help ensure consistent implementation across payers.

Relationship to Value-Based Care

The Provider Access API is explicitly designed to accelerate the transition to value-based care models. By giving providers real-time access to adjudicated claims and prior authorization data, payers enable risk-bearing providers to manage population health more effectively, reduce unnecessary utilization, and close gaps in care — all without building custom point-to-point integrations with each payer.

Next: Payer-to-Payer API → ← Patient Access API

```

The Provider Access API Under CMS-0057-F