FHIR Compliance: What Actually Ships Under CMS-0057-F

FHIR Compliance: What Actually Ships Under CMS-0057-F

CMS-0057-F requires payers to expose FHIR APIs. "Compliance" is often invoked loosely; the four specific APIs and their conformance expectations set the actual bar.

Patient Access API

Payers expose patient's coverage, EOB, and clinical data via FHIR. Must support:

- US Core-conformant reads for Patient, Coverage, ExplanationOfBenefit - Da Vinci Member Data profiles - SMART launch spec for third-party app access

Provider Access API

Providers query payer data at point of care. Must support:

- SMART Backend Services (system-scope launch) - Da Vinci PDex profile - Reasonable rate limits for point-of-care use

Payer-to-Payer API

Cross-payer member data exchange. Must support:

- Bulk Data IG $export - Regulated turnaround (days, not weeks)

Prior Authorization API

Most complex. Must support:

- Da Vinci PAS (Prior Authorization Support) - Da Vinci CRD (Coverage Requirements Discovery) via CDS Hooks - Da Vinci DTR (Documentation Templates and Rules)

Conformance testing

Inferno test suites verify each API against the IGs. Run in CI on every deploy; failures block release.

Common compliance gaps

Gap Fix
Only SMART v1 scopes Add v2 scope support
Bulk export sync-only Add _since for incremental
Unversioned ValueSets Pin versions per US Core
Custom PAS payload Use IG-conformant structures
No CDS Hooks CRD Add Da Vinci CRD support

CMS-0057 compliance is engineering work, not a checkbox. Budget accordingly.