
CMS-0057-F requires payers to expose FHIR APIs. "Compliance" is often invoked loosely; the four specific APIs and their conformance expectations set the actual bar.
Patient Access API
Payers expose patient's coverage, EOB, and clinical data via FHIR. Must support:
- US Core-conformant reads for Patient, Coverage, ExplanationOfBenefit - Da Vinci Member Data profiles - SMART launch spec for third-party app access
Provider Access API
Providers query payer data at point of care. Must support:
- SMART Backend Services (system-scope launch) - Da Vinci PDex profile - Reasonable rate limits for point-of-care use
Payer-to-Payer API
Cross-payer member data exchange. Must support:
- Bulk Data IG $export - Regulated turnaround (days, not weeks)
Prior Authorization API
Most complex. Must support:
- Da Vinci PAS (Prior Authorization Support) - Da Vinci CRD (Coverage Requirements Discovery) via CDS Hooks - Da Vinci DTR (Documentation Templates and Rules)
Conformance testing
Inferno test suites verify each API against the IGs. Run in CI on every deploy; failures block release.
Common compliance gaps
| Gap | Fix |
|---|---|
| Only SMART v1 scopes | Add v2 scope support |
| Bulk export sync-only | Add _since for incremental |
| Unversioned ValueSets | Pin versions per US Core |
| Custom PAS payload | Use IG-conformant structures |
| No CDS Hooks CRD | Add Da Vinci CRD support |
CMS-0057 compliance is engineering work, not a checkbox. Budget accordingly.