Supporting Statement – Part A

Background

Health Information Technology is changing the patient experience and the way we do business in health care, including the way we can better serve patients by enabling them to have secure access to their own information. In May 2020, the Centers for Medicare & Medicaid Services (CMS) finalized new requirements in the CMS Interoperability and Patient Access final rule (“final rule”) (85 FR 25510), that focused on advancing and improving patient access to their own health information. This final rule includes requirements for certain payers to develop two Application Programming Interfaces (API) – one to enable the exchange of information on behalf of a patient into a health app, and one to support access to provider directory information. In the final rule, CMS requires use of a certain technical standard – the HL7 Fast Healthcare Interoperability Resources (FHIR) standard for the APIs and recommends the use of certain Implementation Guides (IG) to ensure consistency in implementation of the APIs. CMS expects that use of these APIs could be instrumental in improving exchange of information between payers and their enrollees, and between providers and their patients, as well as enhancing the delivery of healthcare services.

This rule indirectly supports the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule which requires covered entities to provide individuals with an electronic copy of their health information if that information is both requested in that format and readily producible (See 45 C.F.R § 164.524(c)(2)(i)) and is a precursor to the final rule from the Office of the National Coordinator, which requires health care providers to allow patients to download their data to a health app by the end of 2022.

The CMS final rule includes certain provisions that meet elements of the collection of information provisions under the Paperwork Reduction Act (PRA), which are described below. This request is an update to the original submission of the PRA package associated with CMS-9115-F (RIN0938-AT79) (85 FR 25510).

• The final rule requires certain payers to implement and maintain a Patient Access API which enables patients to request that the payer send administrative and clinical (healthcare) data to a health app.¹ CMS believes there are benefits associated with individuals having easier access to their health data. CMS and other federal agencies are promoting the use of standards for the secure exchange of health data to support better engagement with the healthcare system. For example, by authorizing their payer to make certain data accessible via a third-party app (health app), using an API built on a standard, once in possession of the data, patients may be better able to communicate with their care teams and coordinate their care. Patients who have easier electronic access to their health information may feel more empowered to make informed decisions when discussing their health needs with providers, or when considering changing to a different health plan.

• The final rule also requires certain payers to make standardized information about their provider networks available through a Provider Directory API.² While existing statutes and implementing regulations require certain impacted payers to either publish a directory on their website (Medicaid, Medicare Advantage [MA] organizations, and QHPs), or make a hard copy available to enrollees (Medicaid and CHIP managed care plans) the Provider Directory API requirement may allow for patients to more easily find a provider, or compare provider networks while they are considering their options for changing health plans.

• The final rule also revises an existing Medicaid requirement at 42 CFR 423.910 that requires states to transmit system generated data files (“MMA files”) at least monthly to CMS to identify all dual eligible individuals. This provision requires that states participate in daily exchange of buy-in data, which includes both sending MMA data files to CMS and receiving responses from CMS (effective April 1, 2022). CMS expects this revised requirement to improve the experience of dually eligible individuals and the ability of providers and payers to coordinate eligibility, enrollment, benefits, and/or care for the dually eligible population. There are state, beneficiary and provider benefits to this new policy. For states, there is a faster transition to Medicare drug coverage. The sooner a dual eligible beneficiary transitioning from Medicaid drug coverage to Medicare Part D drug coverage gets auto enrolled into a Medicare drug plan, the fewer claims get paid erroneously by the state and the fewer they have to recoup from pharmacists (who then have the burden of reaching out to reconcile with the new Part D plan). There is also a faster turnaround to Medicare as primary for other services. More frequent file submission increases the speed of identifying new Medicare Parts A/B enrollment, so states can more quickly implement edits so Medicaid does not cover those Medicare services. This also has the benefit of reducing oversight risks related to audits on third party liability. Beneficiaries benefit because they have faster access to Medicare subsidies. Dual status on the MMA file prompts CMS to deem individuals automatically eligible for the Medicare Part D low income subsidy (LIS), make changes to LIS status (e.g., prompted by a move to a nursing facility or use of home and community based services [HCBS]), and auto enroll them into Medicare prescription drug coverage back to the start of dual status. This reduces beneficiary cost-sharing and improves access to Medicare-covered medications.

• Finally, this final rule requires that certain providers enter their digital contact information into the National Plan and Provider Enumeration System (NPPES), which was updated to capture this data element. The digital contact information can be used to facilitate secure sharing of health information between providers and other healthcare organizations. CMS encouraged providers to update their NPPES records to add their digital contact information, and in the final rule, CMS stated that it would publicly report the names and national provider identifiers (NPIs) of providers who do not have digital contact information included in NPPES. Public reporting on cms.gov began in March 2022 and these reports are being updated quarterly.

Additional details about the information collections CMS expects for the Patient Access API, Provider Directory API, exchange of state MMA files, and NPPES provider digital contact information are discussed below.

Patient Access API Data Collection

Payers impacted in the final rule are required to provide certain health data to patients through the Patient Access API if requested. This includes adjudicated claims data (including cost, specifically provider remittances and enrollee cost-sharing), encounter data, and clinical data, such as the data and data elements in the U.S. Core for Data Interoperability dataset (USCDI version 1), if available and maintained by the payer. In addition, MA organizations that offer a Medicare Advantage prescription drug (MA-PA) plan are required to include formulary data including covered Part D drugs and any tiered formulary structure or utilization management procedure which pertains to those drugs. Medicaid and CHIP FFS, as well as managed care plans are required to include information about covered outpatient drugs and updates to that information including preferred drug list information. Though CMS does not collect this information, it is considered an information collection activity under the PRA because our rule requires the disclosure of this information by a third party (the payer) to someone else (a health app).

Provider Directory API Data Collection

MA organizations, Medicaid and CHIP FFS, Medicaid managed care plans, and CHIP managed care entities are required to enable access to certain provider directory information to patients through the Provider Directory API. MA organizations must provide a complete and accurate directory of the MA organization’s network of contracted providers, including names, addresses, phone numbers, and specialties. Similarly, Medicaid and CHIP FFS, Medicaid managed care plans, and CHIP managed care entities must provide a complete and accurate directory of the state’s provider directory information specified in section 1902(a)(83). In addition, MA-PD plans must provide the MA-PD pharmacy directory, including pharmacy name, phone number, number of pharmacies in the network, and mix (e.g., type of pharmacy, such as “retail pharmacy”). Again, though CMS does not collect this information, it is considered an information collection activity under the PRA because our rule requires the disclosure of this information by a third party (the payer or developer of a directory), and then the release of this information to others (the public).

Exchange of State MMA Data Files

States are required to send MMA file data identifying all dual eligible individuals to CMS daily. This data is being collected by CMS and is an Office of Management and Budget (OMB) approved information collection under OMB control number 0938-0958 (CMS-10143). According to this PRA package, states have been required to submit at least one file per month since 2005 (42 CFR 423.910). However, states have the option to submit multiple MMA files throughout the month (up to one per day). Until the compliance date of the final rule, most states submitted data at least weekly. Ensuring that the information on dual eligibility status is accurate and up-to-date by increasing the frequency of federal-state data exchange is an important step in the path to improving the efficiency of state and federal operations. This action supports access to drug coverage for beneficiaries, reducing the potential for claim errors, and improving the enrollment processes for Medicare Part A and B. Effective April 1, 2022, CMS required states to update the frequency in §423.910(d), for the submission of required MMA files to CMS daily, and to make conforming edits to §423.910(b)(1). Daily means every business day, but if no new transactions are available to transmit, data would not need to be submitted on that day.

NPPES Provider Digital Contact Information Data Collection

The Secretary of the Department of Health and Human Services (HHS) adopted the standard unique health identifier for health care providers as a requirement of HIPAA. The HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers final rule published on January 23, 2004, adopts the NPI as the standard unique health identifier for health care providers. Health care providers that are covered entities under HIPAA must apply for and use NPIs in standard transactions (adopted under HIPAA). Other health care providers are eligible for NPIs but are not required by regulation to apply for them or use them. Health care providers began applying for NPIs on May 23, 2005, which were included in the NPPES. An NPI is expected to last for the “life” of the health care provider (i.e., until the death of an individual or until the dissolution of an organization); therefore, a health care provider applies for an NPI only one time. In addition, the 21^st Century Cures Act required providers to include certain additional data in NPPES for purposes of improving data exchange and interoperability, including endpoint information such as:

1. Endpoint Type

2. Endpoint

3. Endpoint description

4. Endpoint Use

5. Endpoint Content Type

6. Is the Endpoint affiliated to another Organization?

7. Endpoint Location

The May 2020 CMS Interoperability and Patient Access final rule finalized that CMS will publicly report the names and NPIs of those providers who do not have digital contact information included in the NPPES. This system was updated to accommodate the digital contact information in 2018. The PRA packages for this information collection are approved under OMB control numbers 0938-0931 (CMS-10114) and 0938-1427 (CMS-10749).

A. Justification

1. Need and Legal Basis

As described in the Background section above, CMS is requiring impacted payers to both collect, maintain, and share information with patients (beneficiaries and enrollees), while also collecting certain information in the normal course of business to improve services to certain beneficiaries. These actions support CMS and other federal initiatives to advance interoperability and improve patient access to health information, in alignment with goals to improve healthcare. Though CMS is not collecting the information from the APIs, and will not have access to any of the information, this requirement falls under the PRA because our rule requires disclosure by the payer as the third party to the enrollee or beneficiary.

There is an established legal basis for the collection of information payers must provide via the Patient Access API and the Provider Directory API for some of the impacted payers. With respect to the collection of information via the Patient Access API, Section 1853(h) of the Social Security Act (“the Act”) mandates that MA organizations provide patients timely access to their medical records and information.

The following provisions of the Act mandate the collection of information that payers must provide via the Provider Directory API pursuant to this final rule:

• Section 1852(c) (requires MA organizations to disclose specific information about the plan, covered benefits, and the network of providers)

• Section 1860D-4(a) (requires MA organizations that offer an MA-PD plan to disclose Part D claims, pharmacy directory information, and formulary information to be disclosed to employees)

• Section 1902(a)(83) (requires Medicaid state agencies to publish a provider directory on the state’s public website)

• Section 1932(a)(6) (requires that Medicaid managed care plans provide information to patients about providers)

• QHPs must meet certain minimum certification standards, such as network adequacy, inclusion of Essential Community Providers and non-discrimination. These standards are described under 45 CFR 155 and 156. Specifically, at 156.230, a QHP issuer must make its provider directory for a QHP available to the Exchange for a publication online in accordance with guidance from HHS and to potential enrollees in hard copy upon request. The general public is able to view all of the current providers for a plan in the provider directory on the QHP issuer’s public Website through a clearly identifiable link or tab and without creating or accessing an account or entering a policy number.

2. Information Users

Patient Access API and Provider Directory API

According to 5 CFR §1320.3(c), collection of information means the obtaining, causing to be obtained, soliciting, or requiring the disclosure to an agency, third parties or the public of information by or for an agency by means of identical questions posed to, or identical reporting, recordkeeping, or disclosure requirements imposed on, ten or more persons, whether such collection of information is mandatory, voluntary, or required to obtain or retain a benefit. “Collection of information” includes any requirement or request for persons to obtain, maintain, retain, report, or publicly disclose information. Requirements by an agency for a person to obtain or compile information for the purpose of disclosure to members of the public or the public at large, through posting, notification, labeling or similar disclosure requirements constitute the collection of information whenever the same requirement to obtain or compile information would be a collection of information if the information were directly provided to the agency. The information users are enrollees and patients – specifically those who are enrolled with the payers required to comply with the provisions in the final rule. Payers must provide access to the specified data through the API to a health app at the direction of an enrollee, or make provider directories publicly accessible on a website, or make the data accessible through their APIs.

Under either scenario, the information will be used only for the purposes listed in the final rule. CMS will not be an information user of either API, and does not intend to conduct any quantitative or qualitative analysis of the information or to use it for informing future policy decisions. For this reason, no statistical analysis has been provided as part of this information collection request.

To reiterate, CMS will not be accessing or using the information referenced in this information collection. Patients may use the information payers provide via the Patient Access API to facilitate communication with their care teams, coordinate their care, make informed decisions about their healthcare needs and make decisions regarding changing to a different health plan. Patients may use the information payers provide via the Provider Directory API to compare provider networks. Providers may also use this information to learn about other providers in their network.

Dual Eligible Files

In the PRA package currently approved under OMB control number 0938-0958 (CMS-10143) for the dual eligible transmission, the data file is provided by states to CMS on dual eligible beneficiaries. The new process will require a count of all full benefit dual eligible beneficiaries with an active Part D plan enrollment in the month. CMS will make this selection of records using dual eligibility status codes contained in the person-month record to identify all full-benefit dual eligible beneficiaries (codes 02, 04, and 08). In the case where in a given month, multiple records were submitted for the same beneficiary in multiple file submittals, the last record submitted for that beneficiary shall be used to determine the final effect on the phase-down count. Risk adjustment for Part C payments to MA plans is also monthly. However, CMS daily auto enrolls individuals into Part D plans, deems them automatically eligible for the Part D low income subsidy, and provides dual status on provider eligibility queries on Medicare Parts A/B eligibility.

NPPES Digital End Point

The NPPES website is a secure, intelligent, and interactive national data storage system maintained and housed at the Virtual Data Center (VDC) hosted by the Companion Data Services (CDS), which is the company that maintains CMS’ Data Centers. It has limited user access through strict CMS systems access protocols. Access to the data maintained in NPPES is limited to CMS, NPPES contractor employees responsible for provider NPI processing, and the providers who have NPI files in the NPPES. Providers or their authorized representative enter their digital end point on this portal in the same way they enter an initial NPI application or any update to their NPI record.

3. Use of Information Technology

This information collection involves the development of Patient Access and Provider Directory APIs, which are automated tools, similar to an application which enable electronic access to healthcare and/or related health information for patients. As previously discussed, CMS finalized new policies for certain payers to implement Patient Access and Provider Directory APIs. APIs are created by IT software developers and enable other developers to create apps that can interact with that API without needing to know the internal workings of the initial developer’s software.

The Patient Access API enables a payer to exchange data with a third-party app so patients can download their data from a mobile device and have access to the data at any time. The Provider Directory API enables patients to electronically access provider information on a website or mobile device to locate specific information about providers, enabling them to make selections on a variety of factors.

The dual eligible data files are created electronically from each state eligibility system and transferred electronically using: Managed File transfer (MFT) Internet Server MFT Platform, Connect:Direct, Gentran or Cyberfusion infrastructure. The files will be used by state and federal staff.

The NPPES system has been in place since 2007, and no new technology was developed to enable submission of the digital end point by providers. The field for this data point has been available since 2018.

4. Duplication of Efforts

For the Patient Access and Provider Access APIs, the information in this information collection document does not duplicate any other effort and the information cannot be obtained from any other source. The payers are the recipients and maintainers of this information on behalf of the beneficiaries.

For the dual eligible data files, there is no duplication of effort or information associated with this request. The Medicaid eligibility data are submitted to CMS through the Transformed Medicaid Statistical Information System (T-MSIS) on a monthly basis within three weeks after the end of the month; those files are not timely enough for the purposes for which we require the MMA file submission. States do submit files at least monthly to pay for the Medicare Part B premium for many – but not all – dually eligible beneficiaries; those files’ data are not complete enough for the purposes for which we require MMA file submission.

5. Small Businesses

While a significant number (more than five [5] percent) of not-for-profit organizations and small businesses are affected by this final rule, the impact is not significant. To assess impact, we used data from this resource: app://resources/notifications.html which shows that the total (not discounted) net effect of this final rule over 10 years would be $714 million. The API requirements in this final rule affect: 1) QHP issuers on the FFEs (excluding the Provider Directory API requirement); 2) MA organizations, including those that are also Part D sponsors of MA-PD plans; and 3) Medicaid managed care plans with a minimum threshold for small business size of $41.5 million (https://www.sba.gov/federal-contracting/contracting-guide/size-standards).

In the final rule, we determined that there were several ways to assess whether MA organizations met the $41.5 million threshold for small businesses. Using projected monetary requirements and projected enrollment for 2018 from submitted bids, we determined that approximately 30 percent of the MA organizations fell below the $41.5 million threshold for small businesses. Because Medicaid managed care plans receive 100 percent capitation from the state, we expected that the costs associated with the API provisions of the final rule would be included in their capitation rates and may be reasonable, appropriate, and attainable costs whether or not they are a small business.

For the assessment of the impact on QHP issuers on the FFEs, based on data in the public CMS Medical Loss Ratio (MLR) files, commercial health insurance issuers had premium revenue of $77 billion for individual market plan coverage in 2016. Therefore, the aggregate raw cost of the final rule over 10 years, $762 million (low estimate) and $1.3 billion (high estimate), is significantly below the three (3) to five (5) percent threshold for significant impact to commercial plans. We determined that although a significant number of small plans under each program are affected by this rule, on average, this impact was not significant. Additionally, for QHP issuers on the FFEs, an exceptions process had been defined in the final rule.

For the dual eligible data collection, this information collection affects state staff only and does not impact any small businesses or other small entities.

For NPPES, there will be minimal impact on small businesses as the length of time to read, complete, and submit the online form; we expect the time to complete this process would be less than ten minutes.

6. Less Frequent Collection

For the two APIs, the disclosure of information to the patient is driven directly by the requests made from the patient to the payer (the rule is explicit for the Patient Access API that the payer only release data to the health app at the request of the patient). Thus, the disclosure could be once, to establish the data in the app, and then on a regular cadence based on the availability of new data if the patient uses services. For the Provider Directory API, disclosure of information again is based on patient use of the API, as patients or other providers search for information about provider locations, availability or comparisons. This frequency is not predictable.

This final rule requires states to send MMA file data identifying all dual eligible individuals to CMS daily. CMS leverages MMA data on dual eligibility status into systems supporting all four parts of the Medicare program. Accordingly, it is essential that dual eligibility status is collected daily to ensure that it is accurate and up-to-date. Given that dual eligibility status can change at any time, collecting MMA data less frequently than daily may negatively impact access to the correct level of benefit at the correct level of payment.

7. Special Circumstances

There are no special circumstances that would require an information collection to be conducted in a manner that requires respondents to:

• Report information to the agency more often than quarterly

• Prepare a written response to a collection of information in fewer than 30 days after receipt of it

• Submit more than an original and two copies of any docu­ment

• Retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years

• Collect data in connection with a statistical survey that is not designed to produce valid and reli­able results that can be generalized to the universe of study

• Use a statistical data classi­fication that has not been reviewed and approved by OMB

• Include a pledge of confidentiality that is not supported by authority estab­lished in statue or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use

• Submit propri­etary trade secret, or other confidential information unless the agency can demon­strate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law

8. Federal Register/Outside Consultation

The Notice of Proposed Rule Making published on March 4, 2019 (84 FR 7610; RIN 0938-AT79) and served as the 60-day Federal Register notice. PRA-related public comments were received. A summary of the comments and our response has been added to this package.

9. Payments/Gifts to Respondents

There will be no payment or gifts of any kind given to participants under this PRA. Payments pertaining to participation in the programs in which the health plans are contracted are not directly connected to this PRA package, as compliance is managed under separate program requirements.

10. Confidentiality

All information collection under this initiative will be maintained in strict accordance with statutes and regulations governing confidentiality requirements. HIPAA-covered entities subject to information collection under this final rule, and their business associates will be responsible for compliance with the HIPAA Privacy and Security Rules, the Federal Trade Commission Act (FTC Act), regulations protecting sensitive information under Part II, and any state laws applicable to their business activities including, but not limited to, their handling of enrollees’ Personal Health Information (PHI) and other data. CMS maintains responsibility for the data.

CMS will comply with all Privacy Act, Freedom of Information laws, and regulations that apply to the collection of provider information. Privileged or confidential commercial or financial information is protected from public disclosure by Federal law 5 U.S.C. 522(b)(4) and Executive Order 12600.

11. Sensitive Questions

There are no sensitive questions associated with this collection. Specifically, the collection does not solicit questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.

12. Burden Estimates (Hours & Wages)

12.1 Wages

In this PRA package we are updating the data used in the final rule. To derive average costs, we used data from the U.S. Bureau of Labor Statistics’ May 2021 National Occupational Employment and Wage Estimates which on the date we updated this PRA package can be accessed at uniform resource locator (URL) (https://www.bls.gov/oes/current/oes_nat.htm). Table 1 presents the mean hourly wage, the cost of fringe benefits (calculated at 100 percent of salary), and the adjusted hourly wage.

TABLE 1: Occupation Titles and Wage Rates (updated July 2022)

Occupation Title	Occupation Code	Mean Hourly Wage ($/hr)	Fringe Benefit ($/hr)	Adjusted Hourly Wage ($/hr)
Administrators and Network Architects	15-1240	$49.25	$49.25	$98.50
Security Engineer	17-2199	$51.83	$51.83	$103.66
Computer and Information Analysts	15-1210	$50.40	$50.40	$100.80
General Operations Manager	11-1021	$55.41	$55.41	$110.82
Operations Research Analysts	15-2031	$46.07	$46.07	$92.14
Software Developers, Applications	15-1252	$58.17	$58.17	$116.34
Computer and Information Systems Managers	11-3021	$78.33	$78.33	$156.66
Designers	27-1020	$25.56	$25.56	$51.12
Technical Writer	27-3042	$39.17	$39.17	$78.34
Computer Systems Analysts	15-1211	$49.14	$49.14	$98.28
Network and Computer Systems Administrators	15-1244	$43.87	$43.87	$87.74
Medical Records and Health Information Technician	29-2072	$23.23	$23.23	$46.46
Medical and Health Service Managers	11-9111	$57.61	$57.61	$115.22

We are adjusting our employee hourly wage estimates by a factor of 100 percent. This is a rough adjustment, both because fringe benefits and overhead costs vary significantly from employer to employer, and because methods of estimating these costs vary widely from study to study.

12.2 Burden Estimates

Patient Access API and Provider Directory API

CMS is calculating burden based on the estimated requirement to implement two APIs. One for the purpose of enabling patients to request access to certain data maintained by the impacted payers and have that data transferred to a health app, and one to view information about providers available through their payer, via a Provider Directory API.

The burden to the payers to implement the Patient Access and Provider Directory APIs is based on the following assumptions:

• The Patient Access API permits a third-party application to retrieve patient data based on an individual’s request.

• The Provider Directory API will publish information about the payer’s provider network on a public website.

To implement the new requirements, the impacted payers will conduct three major work phases:

1. Initial design. Tasks will include determining available resources (personnel, hardware, cloud space, etc.); assessing whether to use in-house resources to facilitate an API connection or contract the work to a third party; convening a team to scope, build, test, and maintain the API; performing a data availability scan to determine any gaps between internal data models and the data required for the necessary HL7 FHIR implementations; and mitigating any gaps discovered in the available data.

2. Development. Tasks will include mapping of existing data to HL7 FHIR standards, allocating hardware for the necessary environments; building a new FHIR server or leveraging existing FHIR servers; determining the frequency and method by which internal data are populated on the FHIR server; building connections between the databases and the FHIR server; working with third-party application developers to attest to certain privacy provisions.

3. Testing. Performing capability and security testing; vetting third-party applications, testing all systems; testing with third party applications; mitigating any gaps and finalizing implementation.

The burden associated with the requirement for QHP issuers on the FFEs to implement the Patient Access API will be captured in a separate PRA Package with OMB Control Number CMS-10433; OMB 0938-1187. This information is captured in the issuer application data for the Network ID and Provider Directory URL Data Elements: Network ID numbers identifying each provider network for purposes of plan-to-network mapping and specific URLs associated with the provider directory for each plan. This package is expected to be published in calendar year (CY) 2022.

The burden estimate related to the requirements for the two APIs reflects the time and effort needed for the payers to implement the technology using the recommended standards, and to maintain the data to either transmit to the patients or to maintain in their systems to share with the patients. In the proposed rule, we estimated an initial one-time cost associated with implementing the API requirements of $789,356, based on 2018 wage estimates, per organization (84 FR 7659). However, in the final rule, in response to public comment, we provided updated cost estimates for implementing and maintaining the Patient Access and Provider Directory APIs, and developed a range of estimates – from low to high.

The estimate we calculated for implementing the APIs is based on a compilation of personnel types and subject matter experts who would be involved in the effort, from administrators to network architects and computer information analysts.

In this PRA package, we use the following assumptions:

• There are 345 impacted payers.

• We estimate a one-time burden assessment of 16,800 hours per organization or state and a total of 5,796,000 (16,800 hours per organization x 345 organizations) hours across all organizations or states.

• The one-time cost to implement API requirements is $1,689,739 per organization or state per implementation; and

• $582,835,824 across all organizations or states to implement the APIs.

1 Impacted payers in the final rule include: Medicare Advantage (MA) organizations, Medicaid and Children's Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFE).

2 Impacted payers are the same as those payers identified in footnote 1, except QHP issuers on the FFE are excluded because there are existing requirements for online directories for QHP issuers.

6