CHIME Comments to CMS on Advancing Interoperability and Improving Prior Authorization

Date

Mon, Mar 13, 2023, 06:00 AM



March 13, 2023


Submitted via the Federal eRulemaking Portal: http://www.regulations.gov


Administrator Chiquita Brooks-LaSure

Centers for Medicare and Medicaid Services

7500 Security Boulevard

Baltimore, MD 21244


RE: Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Advancing Interoperability and Improving Prior Authorization Processes for Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, Children’s Health Insurance Program (CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-facilitated Exchanges, Merit-based Incentive Payment System (MIPS) Eligible Clinicians, and Eligible Hospitals and Critical Access Hospitals in the Medicare Promoting Interoperability Program CMS-0057-P


Dear Administrator Brooks-LaSure:


The College of Healthcare Information Management Executives (CHIME) respectfully submits our comments to the Centers for Medicare & Medicaid Services (CMS) in response to the “Proposed Rule” – referred to below as the “December 2022 CMS Interoperability and Prior Authorization proposed rule” – as published in the Federal Register on December 13, 2022 (Vol. 87, No. 238).


Background


CHIME is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs) and other senior healthcare IT leaders. With over 5,000 members, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate; exchange best practices; address professional development needs; and advocate for the effective use of information management to improve the health and healthcare in the communities they serve.


Key Recommendations


In our comments, CHIME provides responses to address the proposals included in this Notice of Proposed Rulemaking (NPRM). This proposed rule formally withdraws the December 2020 CMS Interoperability and Prior Authorization proposed rule – but CMS notes that in this proposal, they are incorporating feedback they received from public commenters.


Our feedback on this new proposed rule can be distilled into a key topic – standardization. Critically, there must be a standardized process in place prior to implementing and/or mandating any technology standards.


CHIME believes that API requirements should be consistent across all stakeholders – providers and payers. Electronic health record (EHR) vendors need to feed the new application programming interface (API) information into the API, and the API needs to pull this information. Therefore, healthcare delivery organizations (HDOs) will need to change their prior authorization workflows. Those workflow changes will then need to be made within each individual EHR. Thus, a standardized integration process is critical; the final rule must include the requirements for all stakeholders in order to realize success of these APIs. When measuring the metrics of success, there should be metrics of success for all stakeholders; measuring success in these policies should be non-punitive for providers.


Additionally, we offer feedback and recommendations to constructively improve the proposed rule. By creating this opportunity for stakeholders to engage – especially those with the subject matter and expertise in healthcare information technology (IT) – throughout the policy development and implementation process, we believe invaluable input will be garnered. We thank CMS for encouraging input from a wide variety of voices – including healthcare providers – on the policies put forth in this proposed rule.


Detailed Recommendations


CMS received hundreds of comments on the December rule from public commenters expressing concerns; therefore, it decided to withdraw that proposed rule and is now issuing this proposal “to provide impacted entities with more clarity.” While CMS asserts that “commenters largely supported the intent of the proposals and the proposals themselves, many noted and emphasized that Medicare Advantage (MA) organizations were not included among the impacted payers.” CHIME agrees with the latter part of that statement and applauds CMS for including MA organizations among the “impacted payers” in this proposed rule.


This proposed rule would place new requirements on MA organizations, state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans and CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFE) – referred to as the “impacted payers” in the proposal – to address issues with the electronic exchange of healthcare data and streamline processes related to prior authorization. These proposed requirements include the implementation of several Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) application programming interfaces (API) related to patient access, provider access, data exchange, and prior authorization. CMS states that taken together, these newly proposed policies would play a key role in reducing overall payer and provider burden and improving patient access to health information.


There are several practical issues that must be addressed before the efficiencies envisioned by CMS are realized: 1) Participation by all payers, not just “impacted payers”; 2) Greater standardization and a thorough analysis on the security implications; and 3) A more thorough review of the provider burdens that will ensue without addressing these practical considerations. Currently, with the ongoing evolution of healthcare data exchange facilitated by APIs it is essential to ensure that the data needed is standardized and ready to be exchanged via API, and that the burden of implementation is jointly placed on the vendors and payers, not just the providers. When referring to “standardization” outside of “technology standards” throughout our comments, we are broadly referring to standardization in terms of consistency, including consistent processes, timelines and deadlines, as well as shared burden and shared benefit.


CHIME has been and continues to be a staunch champion when it comes to the need for the use of technology standards aimed at facilitating better patient care. We furthermore believe that standardization and payer participation are the only ways that these proposals could serve the purpose that CMS has envisioned. Without making these proposals a joint responsibility across stakeholders, specifically across the entire ecosystem of healthcare payers – not simply a subset – CMS will simply shift more burden onto providers that are already severely strained, understaffed, and under-resourced. While we do not believe that is the agency’s intent, we nonetheless believe that in practice this is what will occur.


Across all stakeholders, different provider data sets from provider directories flow down into the foundational healthcare transaction systems to support different operational workflows. The difference in data sets, the integration of the data across the stakeholders, and the flow down of data to the operational transaction systems need to be more deeply understood before the proposed FHIR APIs can be designed. Without greater standardization, integration understanding, and participation by all payers, these proposed APIs cannot lead to the efficiencies CMS envisions and most certainly will not better enable providers to coordinate care for their patients and for patients to communicate with their providers. It furthermore could constitute a significant burden on small and under-resourced providers – especially long-term and post-acute care providers. Most providers are experiencing significant challenges related to pandemic burnout, workforce shortages, and rising cybersecurity attacks.


Reducing Provider Burden and Greater Standardization, Security & Use of APIs


It is important to remember that without private payer plans being subject to these requirements, adoption and utilization will most likely remain low among providers, as many of their patient populations fall into either private payer or MA categories. We appreciate that the proposal includes MA organizations as an impacted payer, and acknowledge that CMS has reissued the Request for Information (RFI) to solicit information related to opportunities for improving the electronic exchange of medical documentation between providers to support prior authorization programs for Medicare FFS.


CHIME would like to take this opportunity to re-emphasize the recommendations we offered CMS previously in our comment letter in response to last year’s RFI on ways to strengthen MA plans. We believe that increasing standardization across the thousands of MA plans and Medicare Advantage Organizations (MAOs) – including, but not limited to, standardized submission processes, response times from MA and MAOs to providers regarding delays/denials of services, payment time frames, and time requirements to respond to appeals – will reduce the burden on providers. Standardization across the policies regarding how MA plans are paid and administered would offer a significant reduction in burden on clinicians across the care continuum, decreasing the current “clinician burnout” that our country is facing. Importantly, reducing the substantial time providers must spend navigating individual MA plans and their evolving rules would “unlock” countless hours of time that could be used to improve patient care and innovate new workflow and care processes. Before CMS undertakes a complex process of establishing these APIs, we recommend they address some of the foregoing issues related to MA plans.


The rapid growth of MA has left a lack of standardization and regulations between MA and those that currently govern the Medicare FFS program and its participants. While there are federal statutes and regulations governing MA and MAOs, a fragment of them are applicable to the inherent association between MA and the healthcare providers caring for the beneficiaries of MA plans. The standardization and additional oversight of MA would improve care for beneficiaries and better enable providers to coordinate care for their patients.


In many instances, each payer has the option to choose how to meet the above indicated “legal requirements”, such as providing a patient list to a provider. By continuing to allow each payer the option to choose their own process, a significant burden is placed on providers. For example, providers that accept multiple different payers will continue to face scenarios where retrieving a patient list could include as many as ten – if not more – different processes. If CMS chooses to simply ignore the shared responsibilities of payers – and legal obligations – and require equal participation of payers, these APIs will create additional burden on providers and would render CMS’ stated intention to reduce provider burden completely moot. Further, without requirements for private payers to utilize the Provider-Access APIs, there remains limited applicability for providers to utilize this API, as it would not impact a significant portion of their patient population.


Finally, it is crucial that these APIs are standardized. As discussed above, if each payer creates its own specification for how providers should access their respective API, then a scenario exists where a provider needs to maintain a multitude of specifications to connect to each individual API – this would defeat the intent of standardization. With each connection implementation different, providers would inherit a significant burden of having to work through potentially 10 or more different APIs for as many as 20 different payers and connection specifications. Exponentially increasing the burden to retrieve information has the potential to discourage healthcare providers from participation and utilization of the Provider Access API. Taken together, we fail to see how, without addressing the collective issues we raise, the estimated total burden across all providers would be reduced by at least 206 million hours, resulting in a total cost savings of approximately $15 billion, as CMS asserts.


According to Definitive Healthcare, private payer revenue was $713 billion in 2020 as contrasted with Medicare revenue which was $178 billion. Furthermore, providers contract with 20 payers on average – leading to a multitude of complexities, especially if you are not including all payers when building these proposed APIs. In other words, without all payers – including private payers – being subject to the same requirements as providers and clinicians, the burden reduction envisioned by CMS in this proposal will be nearly impossible; especially given most providers’ patient populations fall into either private payers or MA plans.


Additionally, while provider participation in the mandates included within these proposed rules remains voluntary, a significant burden would be placed on providers if they were to become mandatory given that, in many instances, each payer has the option to choose how to meet requirements. Understanding the long-term ramifications of these policies is important and CHIME urges CMS to ensure payers do not inadvertently pass down burden through the implementation of the proposed FHIR APIs.


CHIME previously recommended that CMS and payers work with the vendors of EHR technology and other provider utilized technology to ensure that access to the Patient Access API for providers does not require additional costly deployments of updated EHR technology for providers. Without this collaboration a scenario could present itself where payers are encouraging providers to utilize an API that they are not able to access or utilize in a care setting. We also have significant concerns around payers self-policing their APIs – and strongly believe more oversight will be needed.


Patient Access and Provider Access APIs


The proposed Provider Access API would allow a provider to initiate a request, for example, when the provider needs access to a patient’s data prior to or during a patient visit. Both this proposed Provider Access API and the Patient Access API would facilitate the FHIR-based exchange of claims and encounter data, as well as all data classes and data elements included in a content standard already adopted, such as Immunizations, Procedures, and Assessment and Plan of Treatment, should the payer maintain such information. Both the Patient Access and Provider Access APIs would require payers to share information related to prior authorization requests and decisions (including related administrative and clinical documentation) for items and services (excluding drugs). There are many providers – especially those in the long-term and post-acute care space – that would be unable to benefit from a Provider Access API.


CMS is proposing to require that information about prior authorizations – and related administrative and clinical documentation – be available via the Patient Access API for as long as the authorization is active, and at least one year after the last status change. They have formulated the proposal for at least one year after any status change; however, CMS notes that this would be particularly relevant to denied and expired prior authorizations, to ensure that they would be available for at least a year after expiring or being denied. CMS is not proposing to require impacted payers to share a patient’s full prior authorization history, “because that could comprise a significant amount of information that may no longer be clinically relevant.”


CHIME disagrees with the proposal to require information about prior authorizations only be available for as long as the authorization is active, and at least one year after the status change. There should be full transparency regarding prior authorization decisions. This would not only be essential to the provider – but critically, their patient – to be able to see if a denial was previously made and why it was denied. Often, patients switch MA plans, or the MA plan they are enrolled in changes their criteria annually. Therefore, information about prior authorizations, especially denied and expired prior authorizations, should be available to clinicians for the duration of the patient’s history. Furthermore, it would encourage provider discussions with their patient, ultimately resulting in improved care coordination. Providers are doing everything they can to help their patients navigate the complexities of prior authorization. Ensuring their patients are at their healthiest is of the utmost importance to our members. It is essential that CMS shift the burden from being solely on the patients and the providers – and ensure that payers share the burden, too, as they have the ultimate authority to make these impactful decisions.


Prior Authorization Requirements, Documentation, and Decision (PARDD) API


To improve the patient experience and access to care, CMS is proposing several new requirements for prior authorization processes that CMS believes would ultimately reduce burden on patients, providers, and payers. To streamline the prior authorization process, CMS is proposing to require all impacted payers to implement and maintain a FHIR Prior Authorization Requirements, Documentation, and Decision API (PARDD API).


The PARDD API would streamline the prior authorization process by automating the process to determine whether a prior authorization is required for an item or service, thereby “eliminating one of the major pain points of the existing prior authorization process.” The API would then be able to query the payer’s prior authorization documentation requirements and make those requirements available within the provider’s workflow as well as support the automated compilation of certain information from the provider’s system. Finally, the API would support an automated approach to compiling the necessary data elements to populate the HIPAA-compliant prior authorization transactions and enable payers to compile specific responses regarding the status of the prior authorization, including information about the reason for a denial. The true burden most of our members experience is with payers providing updated information in a timely manner – or not at all – to providers. CHIME urges CMS to recognize that the API technical standards will require providers to hire additional staff to implement them.


The cumbersome technology and burdensome process of prior authorization creates additional and significant barriers to care. It is detrimental to the most vulnerable patients that need timely access to care. CHIME believes that CMS should disconnect prior-authorization proposals from these APIs; the technology piece is the easiest part. Before implementing FHIR APIs, CMS should make significant reforms to prior authorization in its entirety. If the underlying processes remain convoluted and change annually (e.g., includes unstructured/structured documentation), the APIs will not assist with “standardization” or reducing burden on providers.


Our members believe that a standardized process must come before technology standards are implemented. We do not want technology to drive inefficient processes; to accomplish the reduction of inefficiencies in the prior authorization process, it must be standardized. Said another way, we do not believe it is fruitful to digitalize a flawed paper process. Bringing provider organizations – including CHIME members – to the table with CMS and impacted payers would help to ensure that data standards are appropriately placed within a redesigned process.


“Historically, Medicare beneficiaries were rarely required to receive prior authorization. That is still the case for beneficiaries enrolled in traditional Medicare, who are only required to obtain prior authorization for a limited set of services. However, virtually all Medicare Advantage enrollees (99%) were enrolled in a plan that required prior authorization for some services in 2022. Most commonly, higher cost services, such as chemotherapy or skilled nursing facility stays, require prior authorization.” As part of implementing the PARDD API, CHIME recommends that the services – particularly for MA beneficiaries – with the highest prior authorization requests be standardized and implemented as a pilot program before full implementation. In other words, CMS should do a “pilot use case” of the most requested prior authorization services. In implementing a pilot program, CMS could make changes to the current prior authorization process, which would in turn, allow CMS to create a set of services where there is a low propensity for fraud, and/or a low cost. These services should then be exempt from prior authorization. Exempting certain services or sets of services – such as total knee arthroplasty (TKA) with physical therapy (PT) – from the prior authorization process in the MA program will truly eliminate a significant burden on providers.


Additionally, we believe that all stakeholders should agree upon implementation guides (IG) for each of the APIs. In the final rule, CMS should identify the requirements – including IGs – for each stakeholder. The PARDD API will impact the workflow of providers and payers. Those optimized workflows will then need to be built into policies and procedures, which then need to be built into EHRs, and then built into APIs. As proposed, CMS puts the onus of success on providers rather than the impacted payers – and standards of providers are not the same standards of payers.


Additionally, CHIME has significant concerns that impacted payers are not required to send prior authorization decisions via any other method outside of these APIs. This has the likelihood to be extremely problematic for providers – it is a sensitive and important workflow that would directly impact patient care – and therefore, must be implemented perfectly. As currently proposed, there is no “backup system” to the APIs. Furthermore, CMS and impacted payers will need to provide substantial education for patients as a part of implementing these APIs. There should be a mechanism in place to let patients know their prior authorization decision has been submitted and to alert them when it is accepted or denied, and it should be in clear and understandable language. The impacted payer communication cannot be out of sync with the rest of what is happening in a patient’s current clinical situation. For example, if a provider schedules a surgery for a patient and submits the prior authorization request, what happens if the patient receives an alert that their prior authorization has been denied? Who should the patient contact? What are the next steps required? The impacted payers must be able to communicate this and any relevant information to the patient in a clear, concise, and consistent manner.


CMS is proposing that the response to whether a prior authorization request has been approved (and for how long), denied (with the reason for the denial), or a request for more information to support the prior authorization – if transmitted to providers via the PARDD API workflow process or other means – would be sufficient to satisfy the current statutory requirement for notice to providers. CMS is proposing to require impacted payers (not including QHP issuers on the FFEs) send prior authorization decisions within 72 hours for expedited (i.e., urgent) requests and seven calendar days for standard (i.e., non-urgent) requests. CMS is also seeking comment on alternative time frames with shorter turnaround times, for example, 48 hours for expedited requests and five calendar days for standard requests.


CHIME strongly opposes the proposed timelines for prior authorization decisions. We are urging CMS to implement an “alternative time frame” with a shorter turnaround time. Specifically, we are supportive of a prior authorization decision timeline of 24 hours maximum for expedited requests and 48 hours maximum for standard requests. The longer a patient remains in a higher acuity setting of care while providers are waiting for a prior authorization decision – the larger the risk to the patients’ health and the larger the financial burden is to the Medicare fee-for-service (FFS) program.


As currently proposed, if a payer fails to meet the timeline for approval or other decision, providers should contact the payer to obtain the status of the request and determine if supporting documentation is needed to complete processing of the authorization or if there are other reasons for the delay in a decision. CMS does not believe it is practical to require payers to default to an approval for prior authorization requests for which a timely response has not been provided. CHIME strongly disagrees. Furthermore, we believe that a non-response should imply an automatic approval of prior authorization requests. In other words, if an impacted payer does not respond to a prior authorization request within the above time frames, the provider can assume that it is an authorization of services and must be reimbursed.


Our members believe that if impacted payers are inserted into the clinical decision-making process, which should be between a medical provider and a patient – the payers have a minimum responsibility to rapidly respond to providers. While we believe that clinical decision making should be left solely to clinicians and their patients, certain protections must be provided for patients (e.g., shorter prior authorization decision timelines).


Patient Safety Considerations


One of the most significant challenges inhibiting the safe and secure electronic exchange of health information is the lack of a national, recognized patient identification standard. As our healthcare system moves toward nationwide health information exchange, the lack of this essential core functionality is the single biggest barrier to achieving true interoperability. CHIME has consistently advocated for a national, digital patient identification standard. As the exchange of health data becomes more commonplace, the accurate, efficient identification of patients with their medical record data is a foundational component to interoperability and without it – is a major threat to patient safety. Our members take the protection of their patients’ healthcare data as not only a legal obligation, but their mission. Patient data safety is crucial for maintaining trust in the patient-provider relationship; ensuring that patient data remains safe even when they are outside of the four walls of the hospital or other healthcare setting only helps strengthen that bond.


Attribution Process


CMS states: “Patient attribution is a method of identifying a patient-provider treatment relationship. Attribution is a critical component to ensure that patient health data are shared only with appropriate providers.” For the Provider Access API CMS is proposing to require that payers develop an attribution process to associate patients with their providers to help ensure that a payer only sends a patient’s data to providers who are requesting that data and who have a treatment relationship with that patient.


CMS does not wish to be overly prescriptive about how payers could generate an attribution list for providers, but it would be necessary for payers to establish a process to meet these proposed attribution requirements for the Provider Access API. Because the standards for the attribution process continue to evolve, CMS is not specifying how payers should identify whether a specific patient can be attributed to the requesting provider. Instead, CMS is encouraging “the community to continue to collaborate on viable approaches.”


CHIME agrees that attribution is a critical component, and ensuring patient health data is only shared with the appropriate providers is essential. We respectfully request that CMS consider our comments (above) regarding a national, digital patient identification standard. Again, while we agree that the concept is well-intended, we worry this will not address some of the key challenges it aims to solve. Attribution is the first step in any linkage of a provider to the patient in any delivery system. These processes are already well-established in most HDOs. CHIME agrees that attributed providers and those providers with a patient-provider relationship where they may not be the attributed provider have access to the Provider Access API.


CHIME also believes that providers should not have to simply “take what payers give them” – and that there are many ways that an attribution process can be done in order to better benefit and protect patients. First, the attribution process must be a collaborative process involving impacted payers and providers from the beginning. By including providers, they can assist in attribution logic with impacted payers to use the same defined attribution workflows. If the attribution process is left to each impacted payer, and they each create their own – it will create significant burden on providers.


A standardized, consistent attribution process with defined attribution workflows is the only way to ensure that this proposal will be safe for providers, payers, and most importantly – patients. For example, how would each impacted payer verify that a provider has a relationship with a new patient? They could utilize claims data to indicate a patient has a “patient-provider treatment relationship”; however, with new patients, it adds a layer of complexity. The most efficient, safe, accurate way to attribute a new patient to a provider will require provider engagement with the impacted payers.


CHIME urges CMS to ensure that “the community” can “continue to collaborate on viable approaches” by requiring a workgroup or advisory committee to ensure that providers can officially and effectively collaborate and exchange their invaluable input with the impacted payers.


Conclusion


CHIME appreciates the opportunity to comment on this Notice of Proposed Rulemaking (NPRM). We applaud CMS for including MA organizations among the “impacted payers.”


In addition to the above recommendations focused on standardization, existing challenges, and provider burden, we would like to reiterate that we are respectfully requesting that CMS implement a prior authorization decision timeline of 24 hours maximum for expedited requests and 48 hours maximum for standard requests. Furthermore, we believe that a non-response to prior authorization requests within the above time frames should result in an authorization of services.


CHIME believes that all API requirements should be consistent across all stakeholders – providers and payers. We respectfully request that CMS take into consideration that a standardized process must come before technology standards are implemented. CHIME does not want technology to drive inefficient processes. To accomplish the reduction of inefficiencies and provider burden in healthcare – especially those in the prior authorization process – there must be standardization. In other words, we do not believe it is fruitful to digitalize a flawed paper process.


In closing, we would like to thank CMS for providing the opportunity to comment on this NPRM. Should you have any questions or if we can be of assistance, please contact Chelsea Arnone, Director, Federal Affairs at [email protected].


Sincerely,


Russell P. Branzell, CHCIO, LCHIME

President and CEO | CHIME
