The Beltway is shorthand for Washington, DC, named for I-495, the highway loop that encircles the capital. More than a road, it’s a cultural dividing line. Inside it, you have Congress, CMS, ONC, HHS, and the machinery of federal policy. Outside it, you have everyone who has to live with what that machinery produces.
I’ve spent a lot of time on both sides. As former National Coordinator for Health IT at ONC, I was in healthcare policy up close: the deliberations, the compromises, the deliberateness of rulemaking. What’s happening right now at CMS and ONC has digital momentum. The administration has kicked up the pace. The window for “we’ll get to it eventually” is closing.
Last week I hosted Inside the Beltway LIVE, a live digital policy briefing for healthcare payers, providers, and the broader healthcare community. We covered a lot of ground. Below is a recap of what I think matters most, followed by a full Q&A from the session.
If you’d rather watch than read, the full recording is available here.
Congress Is Gridlocked. The Regulators Are Not.
Let me be direct: don’t wait for Congress to solve healthcare’s digital problems. With a razor-thin split in both chambers and political appointments stalled by Congress, meaningful legislative action on prior authorization, PBMs, or Medicare is unlikely before the midterms. One senator moving in either direction changes the math entirely.
Almost all of the consequential movement right now is coming from the executive branch, specifically from CMS and ONC. If your organization isn’t tracking the regulatory calendar closely, you’re already playing catch-up.
CMS-0062-P: What CMS-0057 Left Unfinished
The centerpiece of what I covered in the webinar was CMS-0062-P, the proposed 2026 Interoperability Standards and Prior Authorization for Drugs rule. The full text is on the Federal Register. The comment period closes June 15. Submit your comments early. The federal register website is highly sensitive to non-ASCII characters like “ and ”.
Here is what the rule proposes, and why it matters:
FHIR specs go from advisory to required. Under CMS-0057, the Da Vinci APIs were largely best-practice recommendations. Under CMS-0062, they would be mandated. I’ve watched “it would be great if you did that” turn into “you are required to do that” before, and it always catches organizations flat-footed. Don’t let it happen here.
Prior authorization now covers drugs. This is the big expansion. CMS-0057 didn’t touch medications. CMS-0062-P does, and it does so across two separate pathways. Medical benefit drugs – think IV-administered biologics for rheumatoid arthritis, multiple sclerosis, and inflammatory bowel disease, conditions where the treatments are extraordinarily expensive – will use the Da Vinci FHIR prior authorization protocols. Pharmacy benefit and Part D drugs will move through NCPDP protocols, the same standards used today for prescription routing through networks like Surescripts. If you run a Part D plan, you need to be thinking about both.
Endpoint reporting to the National Healthcare Provider and Services Directory becomes mandatory. Within 60 days of the rule being finalized, which I expect could happen as early as this summer, payers will be required to report their FHIR endpoints and capability statements. This is where enforcement gets real. Before, CMS didn’t have effective tools to check who was actually in compliance. Now they can run a bot against a directory. It becomes trivially simple to identify who’s falling short.
Prior authorization reporting gets granular. Starting October 1, 2027, payers will need to report actual numbers on prior authorization activity, not just general statistics. Standard versus expedited breakdowns won’t be enough. CMS wants the details.
Most implementation timelines in the rule target October 1, 2027. Plan accordingly.
The National Healthcare Directory Is Finally Becoming Operational
One of the developments I find most significant, and most underappreciated, is CMS finally making the National Healthcare Provider and Services Directory real. This consolidates a sprawling set of directories protocols – NPI, PECOS, and others CMS has maintained for payment purposes – into a single, API-accessible resource with FHIR endpoints.
Think of it as the healthcare equivalent of domain name servers on the internet. When you type a URL into your browser, a domain name server translates it into an IP address. That same concept, applied to healthcare providers and their data endpoints, is what CMS is building here. Every API relationship depends on knowing who you’re talking to and how to reach them. The directory makes that possible at scale.
Under CMS-0062-P, payers will be required to publish their endpoints into it. The mandate and the infrastructure are arriving together.
ONC Is Shifting to an API-First Model
ONC spent the last 15 years focused on what EHRs do. Under Coordinator Tom Keane, the focus is shifting to how data moves. That’s a meaningful change in orientation.
Expect upcoming rulemaking to tighten API requirements and clarify the obligations of both sides of the API relationship. It takes two to tango: payer-provider APIs have a sender and a receiver, and for years the receiver side has been underspecified. That’s changing.
ONC has also been designated as the arbiter of which standards are current and enforceable across the CMS API landscape – DaVinci, PDEX, CDEX, the attribution standard for provider rosters, all of it. That’s a significant consolidation of authority.
On information blocking: the plaintiff’s bar is paying attention. The 21st Century Cures Act is silent on whether there is a right of private action, but I expect that question to get tested. Worth watching.
The Bigger Picture: From Claims to Clinical Performance
What CMS and ONC are doing right now is analogous to laying railroad tracks. The APIs, the directories, the identity standards, the endpoint requirements — these are infrastructure. Just as federal policy set the railroad gauge width for the transcontinental railroad, federal policy is now setting the standards for healthcare’s digital infrastructure.
The organizations that position themselves to operate on that infrastructure earliest will have a durable advantage. For payers, that means the competitive model is shifting. STARS ratings are a zero-sum game – that is not going to change. The plans that win won’t win by gaming risk adjustment scores. They’ll win by getting genuinely smart about clinical data: moving from a claims model to a clinical performance model.
That requires modern data architecture. FHIR is a transmission standard, not a storage standard. The data coming through these APIs is high-volume, high-velocity, and highly heterogeneous – FHIR resources, CSVs, CCDs, images, script files. Lakehouse architectures are how the modern computing world handles this kind of data. Healthcare organizations that get there will actually be able to use the data flowing through these APIs. The ones that don’t will collect it and never touch 90% of it.
1upHealth Is Built for This Moment
Everything in CMS-0062-P maps directly to what 1upHealth’s platform is designed to handle.
Our Electronic Prior Authorization solution supports the Da Vinci CRD, DTR, and PAS workflows that are moving from advisory to required. Our Payer-to-Payer Data Exchange capability handles concurrent coverage and claims history exchange under CMS-0057. Our Provider Access and Provider Directory products address the API requirements that are becoming enforcement priorities. And our Formulary solution covers the drug coverage data exchange that CMS-0062-P is bringing fully into scope for the first time.
If your plan is assessing readiness against the CMS-0062 timeline, I’d encourage you to reach out.
Your CMS Healthcare Regulation Questions- Answered
The following questions were submitted by attendees during the live webinar. Questions answered live are included with my responses. Questions we didn’t get to live are also listed below.
Q: The cost of modern patient identity systems – id.me, login.gov, CLEAR – is significantly higher and presents a barrier to adoption. Would you disagree?
A: CMS is aware of this and is actively working with these vendors to reduce costs. There’s also competition: login.gov is a government option already in use for Social Security access. I expect prices to come down materially. What I found striking is that in the first two weeks CMS offered these identity options, over a million users authenticated with no advertising or public outreach. And 70% of them already had a qualifying credential. Adoption is further along than most people assume.
Q: Why is this so political? In most industries, best practices are set by the industry itself. Shouldn’t healthcare do the same?
A: As a country, we’ve made a deliberate political choice to heavily regulate healthcare, the same way we’ve chosen to heavily regulate education while leaving food largely to market dynamics. Each administration tilts the dial. Some toward deregulation, some toward equity as an overriding priority. That’s not a bug. It reflects genuine philosophical disagreement that goes back centuries. The encouraging thing is that digital infrastructure and interoperability have bipartisan support, which is unusual in this environment and worth taking seriously.
Q: Do you think CMS will be able to consolidate their directories into one, or will we land on two or three?
A: I’m optimistic. CMS has a strong team working on it and a powerful mandate driven by fraud prevention. The scale of Medicare fraud – I’d estimate it’s on the order of $100 billion a year – creates enormous pressure to get provider identity right. AI-powered provider matching can get to near-arbitrary precision. CMS is also rebuilding their core claims engine, which is now 30 to 40 years old. The directory consolidation will happen.
Q: How can we prevent a data lakehouse from becoming a data landfill? Most organizations fund IT to build massive data stores and never use 90% of what they collect.
A: This is the right question. Lakehouse architectures come with tooling that helps: timestamps, data tagging, versioning, and temporal query capabilities that didn’t exist in older storage models. Storage costs continue to fall. But the harder question is how you actually use the data – what AI tools you’re running on it and how you translate clinical data into care insights. The architecture is necessary infrastructure. The intelligence layer on top of it is what creates value.
Q: I’ve heard that no Primary Source Verification (PSV) is needed for data acquired for quality via regulated EHR endpoints. True or false?
A: False, for now. PSV is still required under NCQA’s current audit process for STARS ratings. NCQA knows this model is outdated. The Digital Quality Measures (DQM) initiative exists precisely to shift from random audits to comprehensive FHIR endpoint-based measurement. The challenge is that NCQA’s business model hasn’t fully aligned with modern data flows yet. It will get there. Watch the ECDS pipeline. NCQA has a roadmap for migrating current quality fields to digital formats.
Q: Transparency mandates often focus on source data, but how are we measuring whether these disclosures actually empower patients? Are we just creating a new form of Terms and Conditions that no one reads?
A: Apps will increasingly use this information if plan designs allow or more likely require actual shopping for care.
Q: How will CMS-0057 impact the market and vendors in the space? How will the role of clearinghouses change? Any specific implications for 1upHealth?
A: Clearinghouses have been designed for claims transactions. As dollar flow is increasingly directed by clinical performance, new API-driven architectures will emerge.
Q: Does it make sense to mandate via rulemaking that Type 1 and Type 2 NPI providers keep contact information updated within a defined window of any change? This would have positive knock-on effects for fraud prevention and many-to-many data exchange.
A: It seems inevitable that timely URLs will be critical for all providers as healthcare joins the rest of the world in using APIs.
Q: These FHIR APIs will generate big data across thousands of endpoints. It isn’t just a big data problem – it’s a big data source problem.
A: Payers will need to shift to a big-data approach if they are going to have success in the future. Clinical data cannot be seen as just an appendage to claims data.
Q: Do any of the rules address standards and requirements for clinical, operational, and financial data exchange for analytics use cases, not just transactional ones?
A: The beauty and power of FHIR APIs and its simple underlying JSON notation is that these standards can be used for any operational or analytical use.
Stay In the Loop
The regulatory calendar isn’t slowing down. CMS-0062-P comments are due June 15, 2026. Final rules, directory requirements, and implementation deadlines are compressing.
If you want to understand where your health plan stands and what it takes to be ready, request a CMS-0062-P readiness assessment or get in touch with our team.
We’ll keep watching the Beltway.
