We are a white‑label member application. Plans operate the regulated APIs. Vytivo consumes plan APIs or files and provides member and admin exports.

How Vytivo fits alongside your CMS‑0057‑F APIs

Vytivo is a white‑label member application. Impacted payers remain responsible for building and operating Patient Access, Provider Access, Payer‑to‑Payer, and Prior Authorization APIs under CMS‑0057‑F. We consume those APIs when available or ingest files, increase member usage and comprehension, and provide export options and app‑level logs you can reconcile to your reporting. CMS

Patient Access API usage metrics collection covers calendar year 2025; first report is due to CMS by March 31, 2026. API requirements begin January 1, 2027 for: Patient Access (expanded to include prior authorization status), Provider Access, Payer‑to‑Payer, and Prior Authorization APIs. Prior auth decisions: 72 hours expedited and 7 calendar days standard. CMS

API timeline callouts

  • Patient Access API expanded to include prior auth info by Jan 1, 2027; usage metrics for CY2025 due Mar 31, 2026.
  • Provider Access API by Jan 1, 2027.
  • Payer‑to‑Payer API by Jan 1, 2027 (five‑year lookback; member opt‑in).
  • Prior Authorization API by Jan 1, 2027; operational prior auth requirements start in 2026 (including public metrics). Decisions: 72 hours expedited; 7 calendar days standard.

Required standards (verbatim)

USCDI, FHIR R4.0.1, US Core STU 3.1.1, SMART App Launch, Bulk Data, OpenID Connect. CMS

Payer requirement vs Vytivo role

Vytivo does not host regulated APIs. We act as an authorized third‑party app and file consumer.

Patient Access API
  • Payer’s job: Build/run API; capture and report CY2025 usage by Mar 31, 2026; expand to prior auth by Jan 1, 2027.
  • Vytivo’s role: Authorized app; drive member comprehension/usage; provide app‑level logs to reconcile your metrics.
  • How data leaves Vytivo: Member export: PDF summary + FHIR Bundle/NDJSON. Admin export: CSV/NDJSON.

Provider Access API
  • Payer’s job: Build/run for in‑network providers.
  • Vytivo’s role: Consume when permitted to enrich clinician pre‑reads; respect opt‑out.
  • How data leaves Vytivo: EHR‑ready pre‑reads as PDF or CCDA for upload.

Payer‑to‑Payer API
  • Payer’s job: Build/run; maintain five‑year lookback; member opt‑in.
  • Vytivo’s role: Display whatever history you provide; we do not participate in transfers.
  • How data leaves Vytivo: Member/admin exports upon request.

Prior Authorization API
  • Payer’s job: Build/run CRD/DTR/PAS stack; post public metrics; adhere to decision timeframes.
  • Vytivo’s role: Show member‑readable PA status/reasons pulled from your stack or files.
  • How data leaves Vytivo: Member export of PA history as PDF/CSV.

Vytivo can consume the following FHIR R4 resources when the payer exposes them: Patient, Encounter, Condition, Observation, MedicationRequest, MedicationStatement, Procedure, CarePlan, Coverage, DocumentReference. Bulk extracts can be ingested from NDJSON files.

Patient Access API metrics capture
Logs + monthly aggregates for CY2025; report by Mar 31, 2026.

SLAs & security

Enterprise-grade reliability, security, and compliance

Uptime

99.9% monthly; service credits up to 99.95% for enterprise

Support

24×7 critical incidents; 1-hour response (Sev-1), same-day (Sev-2)

Data refresh

Nightly ingest for EHR/claims; near real-time for member-initiated data

Portability

Export on request (FHIR & bulk formats)

Contract flexibility

Termination for convenience with defined hand-back window

SOC 2 Type II audit in flight

Report target: Q4 2025. HIPAA BAA available.

HIPAA Safeguards

HIPAA-aligned safeguards; BAA available during contracting

Data residency

Regional data residency as required; backups stored in-region.

Backups & recovery

RTO 4h / RPO 1h; daily snapshots; access restricted to SRE on-call.

Access control

SSO (SAML/OIDC), least-privilege access

Encryption

At rest and in transit

PHI boundary

Member app, intake, and graph process PHI; marketing site and static assets do not. Subprocessors listed in Trust Center.

Prompt & chat logging

Off by default for PHI. Redacted prompts; 30‑day default retention; access limited to security/quality reviewers. Opt‑out available. Model providers never train on your data.

Pen‑test summary

Latest executive summary available in Trust Center; remediation SLA: Critical 7d, High 14d, Medium 30d.

Log retention

App logs retained 30 days. Security event logs retained 365 days. Export artifacts retained 7 days.

Architecture & data flow