Understanding CMS-0057-F

What it takes to comply – and why the real work goes beyond just standing up APIs

The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) is often described as an API mandate – but that’s only part of the story. The rule introduces four FHIR® APIs, but also defines what data must flow through them, how quickly it must be updated, and which operational processes must surround them. It’s not just about standing up endpoints – it’s about integrating prior authorization workflows, verifying treatment relationships, managing consent, and enabling real-time, standards-based data exchange at scale.

That’s why meeting these requirements isn’t just a compliance exercise. It’s an interoperability challenge that spans claims systems, clinical data, provider directories, patient education, and more. And it’s why understanding the rule in detail is so important – because the way you implement it will affect not just your regulatory standing, but your internal complexity, member experience, and long-term flexibility.

Below, we’ve broken down the specific expectations for each API – and how CareEvolution® is positioned to help payers meet these requirements without taking on unnecessary technical debt or vendor sprawl.

What the Rule Actually Requires (And Why It’s Not Just About APIs)

CMS-0057-F isn’t just another set of interoperability mandates, it’s a significant operational shift in how payers manage and exchange data, particularly around prior authorizations. The rule introduces four FHIR APIs with highly specific expectations for what data must be shared, how quickly, and with whom.

Patient Access API: Expanded to include prior auth

Payers must enhance their Patient Access APIs to include prior authorization data (excluding drugs). This isn’t just a binary status – it includes the approval or denial date, the items/services approved, and the specific reason for any denial. Active prior authorizations must be included, as well as any prior auths that had a status change in the past year. Importantly, this applies regardless of how the request was originally submitted – phone, fax, portal, or API. Updates must be reflected in the API within 1 business day.

In addition, payers must begin reporting on Patient Access API usage. Starting in 2026, annual usage metrics must be submitted to CMS by March 31 each year, covering the prior calendar year. The first report, due March 31, 2026, must cover usage in calendar year 2025 and include counts of unique users and repeat users of the API.

Provider Access API: Structured, permissioned data sharing

This API requires payers to share patient data – including claims, encounter data, USCDI clinical elements, and prior auth details – with in-network providers who have an active treatment relationship. Unlike the Patient Access API, no patient app is involved. Instead, the burden is on the payer to: 1) verify the treatment relationship, 2) manage patient opt-outs, and 3) educate both patients and providers. This includes establishing a provider attribution process and delivering updates within 1 business day of a request or status change.

Payer-to-Payer API: A departure from patient-mediated exchange

This expands previous guidance and now mandates bulk FHIR-based exchange between payers. When a member switches health plans, the new plan must request up to 5 years of historical data (excluding denied prior auths and cost-sharing info), and the previous plan must respond within 1 week. For concurrent coverage, data sharing must occur quarterly. Payers must also implement a process to identify prior payers, collect member opt-in, and include an attestation with every request.

Prior Authorization API: Not just electronic, but accountable

This API must support full prior auth workflows: discovery (what requires prior auth), submission, tracking, and final determination. It must expose documentation requirements and deliver decisions within 72 hours for expedited requests and 7 calendar days for standard ones. Updates must be reflected in the API within 1 business day and records retained for at least 1 year after the last status change.

Separate from the API requirements, new operational rules take effect January 1, 2026, requiring payers to consistently meet these turnaround times, and provide clear, specific reasons for any denial – regardless of submission method. In addition, payers must publicly report prior authorization metrics beginning March 31, 2026, covering calendar year 2025. Required metrics include approval/denial rates, appeals outcomes, extended reviews, and average decision times.

Implementation Timeline

Requirement	Effective Date^*
Prior auth process improvements (e.g., decision timeframes, denial reasons)	January 1, 2026
First public reporting of prior auth metrics (reporting on calendar year 2025)	March 31, 2026
First Patient Access API usage report to CMS (reporting on calendar year 2025)	March 31, 2026
All four CMS-required APIs live and in production	January 1, 2027

* Compliance dates may vary slightly depending on plan type (e.g., MA, Medicaid FFS, CHIP, QHPs on FFEs). See CMS final rule for specific applicability by organization type.

How CareEvolution is positioned to support you

CareEvolution isn’t focused on building one-size-fits-all compliance APIs – we’re focused on solid infrastructure that can be adapted and extended when real-world needs arise. That’s exactly what CMS-0057-F demands. Our Orchestrate platform already delivers much of the architectural groundwork needed to support CMS’s mandates.

Real-world FHIR experience

We’ve delivered SMART-on-FHIR APIs in production to national payers – meeting CMS-9115-F requirements long before many vendors had a demo. Our FHIR stack includes OAuth 2.0, app registration, and transaction-level security. We’ve already worked through the real-world complexity that lies beneath a “conformant” API spec.

Modular data platform

CMS-0057-F doesn’t live in a silo – it touches prior auth systems, member portals, and clinical data. Orchestrate was built for this. Our platform ingests, transforms, and routes data across systems at scale. It normalizes disparate sources, maps to FHIR, and supports both push- and pull-based workflows. That’s what powers CMS-compliant APIs – not just standing up an endpoint.

While CMS-0057-F mandates APIs, what it actually demands is a platform for real-time data transformation, access control, and attribution logic. Orchestrate is that platform – transforming siloed inputs into FHIR, applying business rules, and delivering structured outputs across clinical, claims, and administrative systems.

Designed for bulk exchange

The Payer-to-Payer API is grounded in HL7’s Bulk Data Access spec. Orchestrate already handles large-scale extract/load operations using asynchronous workflows and trust-based models across organizations. That foundation maps cleanly to what CMS requires.

Built to integrate, not replace

Unlike closed-box compliance tools, we don’t require rip-and-replace. Need to expose structured prior auth data? We’ll connect to your existing workflows and surface the data via standards-based APIs. You keep your infrastructure – we bring the interoperability.

Ready for HL7 Da Vinci workflows

We track Da Vinci IG’s closely – CRD, DTR, PAS, PDex, PCDE, and more . While many are still maturing, our team is equipped to implement them. Orchestrate supports rule-based routing, document assembly, and status change notifications – all key to delivering prior auth via PAS.

Proven in high-stakes environments

Orchestrate supports national payers, multi-state Medicaid plans, and enterprise health systems. We understand uptime, data governance, analytics, and trust frameworks. This isn’t theoretical – we’ve solved interoperability problems at scale .

Our infrastructure powers population-level data exchange – handling high volumes, ensuring system-to-system trust, and integrating directly into production workflows. We’re not layering APIs on spreadsheets – we’re building for scale, security, and sustainability.

Why Payers Choose CareEvolution

Flexible integration with existing UM, claims, and provider network systems
FHIR-native architecture supporting one-off queries and bulk exchange
1-day update readiness to meet regulatory SLAs
Real-world security and access management with OAuth2, scopes, and registration
Modular deployment – start with Patient Access, expand as needed

A platform that grows with the mandate

Whether it’s extending Patient Access to include prior auth, enabling real-time provider data exchange, or standing up Payer-to-Payer workflows, Orchestrate is designed to help you meet CMS-0057-F without introducing new vendors or unnecessary complexity.

From infrastructure to implementation, we’re ready to work with you to build what compliance – and your organization – really needs.