CMS Interoperability Rule Compliance Services

Arinder Singh Suri | June 15, 2026 · 5 min read

The CMS interoperability rules are not one deadline — they are a cascade. The 2020 Interoperability and Patient Access Final Rule put the Patient Access and Provider Directory APIs in place, and the 2024 Interoperability and Prior Authorization Final Rule expands them and adds new APIs with key requirements effective in 2027. For payers, the question is no longer whether to comply but how to do it without scrambling at each deadline. Taction Software builds the FHIR APIs the rules require — Patient Access, Provider Directory, Payer-to-Payer, and Prior Authorization — and helps you sequence the work against the dates.

We provide the technical implementation; the regulatory determination of your obligations remains yours and your compliance team’s. For the broader payer stack, see our payer software development practice.

Schedule a CMS Compliance Assessment (Free 60-Min) → (NDA-protected)

FHIR & Da Vinci specialist team · payer-tech credentials · HIPAA + BAA · CMS rule implementation expertise

CMS Interoperability Rule Requirements Timeline

Patient Access API (Effective 2021)

Required since 2021 under the Patient Access Final Rule, letting members retrieve their data through third-party apps — and expanded by the 2024 rule to include prior-authorization information.

Provider Directory API

Also required since 2021, exposing a public-facing, current provider directory via FHIR.

Payer-to-Payer Data Exchange

The 2024 Prior Authorization Final Rule establishes a FHIR-based payer-to-payer API, with the requirement effective in 2027, so member data follows them between plans.

Prior Authorization API (Effective 2027)

The 2024 rule’s Prior Authorization API (and the related Provider Access API) carry requirements effective in 2027, with certain decision-timeframe and reporting provisions phasing in starting 2026 — see our prior authorization automation and utilization management work.

Compliance Requirements by API

Patient Access API (CARIN BB)

Built to the CARIN Blue Button guide, exposing claims and encounter data, clinical data, cost and out-of-pocket information, and provider directory — on our FHIR API development foundation.

Provider Directory API (Da Vinci PDex)

A FHIR R4 provider directory with real-time updates and a public-facing endpoint, built to the relevant Da Vinci guide.

Payer-to-Payer Data Exchange

Member onboarding data, historical claims and clinical data, and a member-initiated workflow so a member’s history transfers when they change plans.

Prior Authorization API

Da Vinci PA implementation: CRD, DTR, and PAS — with a provider submission workflow that fits the EHR.

Penalty & Enforcement Risk

Non-compliance carries real consequences. CMS can publicly report non-compliant plans, and enforcement can include compliance actions and, depending on the program, monetary and operational penalties; for Medicare Advantage, interoperability performance ties into broader oversight. Rather than quote specific figures, we focus on getting you compliant ahead of the dates so enforcement risk never materializes.

Our Compliance Methodology

Gap Assessment

We assess your current state against each API requirement and the applicable deadlines.

FHIR Service Implementation

We stand up or extend the FHIR services the APIs require.

Da Vinci Profile Implementation

We implement the CARIN and Da Vinci profiles each API is built to.

Member Identity & Authentication

We implement member identity and the authorization model (including SMART/OAuth patterns) so access is secure and standards-based.

Operational Compliance Documentation

We produce the operational and attestation documentation that demonstrates compliance.

Combined CMS + Cures Act Strategy

The CMS and ONC/Cures Act requirements overlap, and treating them as one program saves money: overlapping requirements are addressed once, on shared FHIR infrastructure, with an audit and documentation crosswalk that maps controls across both — see our overview of 21st Century Cures Act compliance.

Timeline & Investment

We work to a per-API compliance timeline, give you a total compliance investment estimate scoped to your environment, and recommend a phased approach that hits each deadline in priority order rather than attempting everything at once.

Frequently Asked Questions

What if we miss the PA API 2027 deadline?

Missing it exposes you to CMS enforcement and the reputational and operational consequences of public non-compliance reporting, on top of the provider and member friction the API was meant to relieve. The practical answer is to start now — the 2027 requirements are knowable today, and a phased plan makes the deadline very achievable if you begin early.

Can we use 1upHealth / vendor for compliance?

Yes. Platforms like 1upHealth can accelerate compliance significantly, and we implement on them where they fit. We help you decide between a platform, custom build, or hybrid, then implement and document it — the platform provides capability, but correct implementation and attestation are still required.

Bulk data API requirements?

The rules leverage FHIR Bulk Data (Flat FHIR) for efficient exchange of large data sets, and we implement the Bulk Data API where the requirements and your use cases call for it, alongside the per-member access APIs.

Member consent management?

Member access and payer-to-payer exchange are member-authorized, so consent and authorization management are central. We build the consent capture, authorization, and access-control workflows so data moves only when the member has approved it, consistent with our data security and HIPAA-compliant development practices.

Reviewed by Taction Software’s payer technology and FHIR engineering team. ISO 27001-certified information security management. We provide technical implementation; regulatory determinations remain with your compliance team. PHI is handled under a signed BAA.
