Enforcement Timeline
Key dates and milestones from CMS-9115-F through CMS-0057-F enforcement and beyond
Understanding the enforcement timeline helps payers plan their conformance strategy. CMS-0057-F did not emerge in a vacuum — it builds on nearly a decade of interoperability rulemaking.
Congress passes the 21st Century Cures Act, directing CMS and ONC to promote interoperability and reduce information blocking in healthcare.
Original interoperability and patient access final rule. Established baseline FHIR API requirements for Medicare Advantage, Medicaid managed care, and CHIP. Required Patient Access API and Provider Directory API by July 1, 2021.
Impact: Established FHIR R4 as the mandated standard and introduced the concept of FHIR-based payer APIs as a regulatory requirement.
Payers subject to CMS-9115-F must have Patient Access and Provider Directory APIs operational.
Reality: Many payers delayed implementation citing technical complexity. CMS issued limited enforcement actions in Year 1.
Expands FHIR API requirements to additional payer types and adds three new APIs: Drug Formulary, Prior Authorization, and Payer-to-Payer Data Exchange. Establishes January 1, 2027 as the compliance deadline for all five APIs.
Scope expansion: Extends from ~3,000 payers under CMS-9115-F to >5,000 payers under CMS-0057-F.
All five FHIR APIs — four new under CMS-0057-F plus CMS-9115-F's Provider Directory — must be operational and conformant to published Implementation Guides. Payers must support:
- Patient Access API (HL7 US Core / CARIN Blue Button)
- Provider Directory API (DaVinci PDEX Plan Net)
- Drug Formulary API (DaVinci PDEX Formulary)
- Prior Authorization API (DaVinci Prior Authorization)
- Payer-to-Payer Data Exchange (DaVinci PDEX)
CMS has explicitly stated it will enforce this deadline.
CMS-0057-F is not a one-time certification requirement. APIs must maintain conformance throughout their operational lifetime. Common post-deployment risks:
- Code deployments that unintentionally alter data models
- Dependency updates that change serialization behavior
- Configuration changes affecting authentication mechanisms
- Implementation Guide updates requiring API modifications
This is where continuous monitoring becomes critical. Passing initial conformance testing does not guarantee ongoing conformance.
FHIR Implementation Guides are living specifications. As HL7 workgroups publish new versions of US Core, DaVinci IGs, and other referenced specifications, payers must update their APIs to maintain conformance.
Example: US Core 6.0.0 → 6.1.0 → 7.0.0 transitions may introduce new mustSupport elements, deprecate old extensions, or change cardinality constraints.
Why Continuous Monitoring Matters
Most payers are focused on passing point-in-time conformance testing (Inferno, Touchstone) before the January 2027 deadline. However, CMS-0057-F establishes an ongoing operational requirement, not a one-time certification event.
Between January 2027 and the next major IG update, your APIs will undergo:
- Dozens of code deployments
- Hundreds of dependency updates
- Configuration changes across environments
- Infrastructure migrations (cloud provider changes, Kubernetes upgrades, database version updates)
Any one of these changes can introduce specification drift. Tessara detects drift before it becomes an enforcement finding.