Notes from the CMS and ASTP/ONC RFI Meeting in Washington, DC

I attended the CMS and ASTP/ONC RFI meeting, which drew 300+ participants from across the healthcare industry. Participants included tech vendors, providers, payers, life science companies, patient advocates, trade associations, health information networks, consultants, investors, and government officials. Attendance and engagement were impressive given the short runway to get the event organized.

The purpose of the meeting was to spark discussion around the topics raised in the recent CMS Request for Information (RFI) on the Health Technology Ecosystem. The day featured remarks from federal agency leadership, panel discussions, and interactive breakout sessions, including sticky note brainstorming exercises.

Many of you are already aware, but for completeness, here are the official announcements from CMS:

We are building a national healthcare directory, starting with provider information. It will be a dynamic, interoperable directory that connects the data CMS has with what the industry knows, so we all work from the same map.

— CMSGov (@CMSGov) June 3, 2025

Key Announcements:

a. CMS will build a national healthcare directory
b. The Blue Button API will be expanded to improve access and usability
c. Medicare.gov will adopt modern identity verification methods
d. Data at the point of care (DPC) will become generally available (i.e., Medicare claims data will be available via API to providers for treatment purposes)
e. CMS will participate in trusted data exchange

Opening Session Highlights

1. Leadership from across HHS, including HHS (RFK Jr), CMS (Oz), FDA (Makary), NIH (Bhattacharya), and DOGE (Gleason) were present, signaling strong interagency alignment. Here’s a photo.
2. Panelists shared personal stories about difficulty accessing family members’ health records or otherwise having to play ‘human information router’ across healthcare and insurer entities. Anecdotes grounded the day’s discussions in real-world patient experiences and made clear where the system fails today.
3. CVS Aetna announced a $20B investment in the health tech ecosystem.
4. A recurring theme: “Enforce the regulations already on the books.“
5. Another one: “Certify the APIs, not the EHRs.“

National Directory Breakout Session

There were multiple break-out sessions, but I chose to attend the National Directory session first. Facilitators kicked off the discussion with the following questions:

1. What should we do to make a great national healthcare directory?
2. How do we ensure that a consolidated healthcare directory has the most current and accurate data about a provider (address, specialty, affiliations with hospitals and groups, identifiers, licenses, etc.)?
3. What data would be helpful for interoperability: endpoints, network participation? How do we make sure these information and valid and current?
4. How do we correctly expose participation that providers have with payer plans? How do we keep this information current and accurate?

Responses didn’t always fit neatly into categories, so here’s a synthesized list of insights that emerged:

1. CMS acknowledged issues in its own data—notably the misalignment among NPPES, PECOS, and other sources and the accuracy issues in the data. There’s a clear need to solve the data mastery in government alongside the private sector. CMS wants to set an example by improving its own data.
2. Initial focus is establishing a directory to support interoperability (patient data use cases). While demographic and consumer-facing information (e.g., insurance, addresses, phone numbers, specialties) is important, it appears to be part of a future phase. The first priority is to collect and organize information about providers (e.g., endpoints, Direct addresses) that enables interoperability (i.e., patient access, provider access, payer-to-payer, prior authorization). An important question to consider: how much demographic information is necessary for third-party apps (and the patients they are serving) to resolve to the right endpoint? That will dictate what information sits in the first version of the National Directory, and what the data can be used for. The NDH pilot in Oklahoma appears to prioritize provider demographic data. Will that effort evolve or merge with the CMS announced initiative?
3. Architectural debates: centralized vs. federated vs. delegated models. Everybody agrees that there’s redundant data entry, that there’s unnecessary administrative burden for payers and providers, and wouldn’t it be great if the information were all in one place? What begins to split the room is when questions about ownership, storage, and responsibility emerge. Here are some of the questions:
   • Should the data be entered and managed in federated systems and then synchronized with a centralized national directory as an ‘aggregator’ for the entire industry?
   • Alternatively, could the data be collected and submitted locally, but it’s only vetted and finalized in a centralized national directory? And, industry participants should only get information directly from a centralized directory, and not from the adjacent, federated contributors?
   • Should data be ‘pushed’ into a centralized national directory, or does the centralized national directory ‘pull’ from pre-existing (albeit fragmented) sources of truth?
   • Is the responsibility of vetting and ensuring data is accurate and fit-for-use a function of the national directory, or will there be dependency on responsible third-parties to do that in the directory?
   • It seems like (editorial alert) that the concerns behind the questions are about a) protecting current business models and ways of operating versus b) protecting against the risk of directory fragmentation and blunting the impact of a national directory. It will be interesting to see how CMS engages with incumbents who are serving important directory-related roles in industry.
4. DNS as a metaphor. This came up both in the opening remarks and in the national directory breakout. It refers to not storing patient data centrally, but pointing to the endpoints that have it. That metaphor breaks down when applied to provider data, which likely does need to be stored directly in the directory (because at least some of the provider data is the metadata necessary to resolve to the right endpoint).
5. What information is necessary to resolve endpoints? Suggestions from participants included provider brand names, identifiers, practitioner-to-organization affiliations, logos, and organizational hierarchy. But would data like address, phone number, and specialty also play a role?
6. Who should vet the data? Options floated included licensing boards, professional associations, organizations and their vendors (when it comes to endpoints), and the providers themselves.
7. Completeness was emphasized. Completeness means all providers, all lines of business, all geographies. Providers mean any individual or organization who can provide care to a patient. From CMS’s perspective, completeness means that all participants are getting data from the directory.
8. Provider burden is real. Many providers don’t know their own endpoints or have time to manage them. A hierarchical model: (organization> organization > provider > vendor > endpoint) could enable organizational attestation, lighten the load, and support endpoint resolution. A handful of clinicians were in attendance and described how there needs to be incentives or accountability to keep data up-to-date, otherwise they (or their staff) will not update data in yet another system.
9. Accuracy of information:
   • NPPES is often outdated.
   • Payer directories have well-documented accuracy issues. Payers are not always updating their directories in a timely fashion, or they are overwriting good data with bad data.
   • Rosters are difficult to maintain. A common workaround is to associate all providers with all locations, or to submit the same rosters from month-to-month.
   • There was discussion around the appropriate granularity (plan-level vs. network-level) in the directory to support consumer use cases. While most payers comply, there are still some payers that do not report this information within their Provider Directory APIs.
   • What constitutes “accurate” will depend on the specific use case and the supporting data.
   • There needs to be a scalable, repeatable methodology to measure accuracy.
10. Value-based care (VBC) was cited as a potential use case that could better align incentives between payers and providers for accurate provider directory data. Defacto has observed that some payers who introduced contractual incentives for directory data have achieved higher levels of accuracy. Also, other payers in the same markets are benefitting from those higher accuracy levels.
    • For payers interested in learning where they stand in the market in terms of directory accuracy (and the provider orgs contributing the most errors), check out Defacto’s Directory Risk Report.
11. Get data from the source. There was some debate about whether appointment scheduling APIs could help. Some argued that while scheduling itself is complex, signals from those APIs could help clean up directories. Self-reported “Accepting New Patients” status has been seen as unreliable on its own, and not specific enough (i.e., you may be accepting new patients, but how long will it take to get an appointment?). There are also reports that some health system directories are publishing machine-readable schema.org data within their directories in anticipation of greater AI agent traffic. This could be a way of getting data that is more aligned with consumer ‘doc search’ use case versus payment use cases.

Health Tech, Data, and Networks Session

I also attended the breakout on Health Tech, Data, and Networks, where a debate emerged around standards vs. outcomes within information networks. The prevailing view at first was that detailed standards are necessary. But as discussion progressed, some attendees began to shift their perspective: perhaps regulators are being too prescriptive on standards. Standards are rarely implemented to the letter, occasionally enforced, and compliance mentality can lead to “check-the-box” behavior. Often, the collateral victim is the use case that the mandated standard sought to enable. Another point mentioned is that adversarial relationships exist between payers, providers, and other participants, and that some will implement/interpret requirements (in a self-favoring way) to hide important data. If CMS focuses more on outcomes, the industry might have greater flexibility to innovate while still achieving policy goals. Not everyone in the meeting agreed, but the shift in tone was notable.

Final Notes

CMS/ASTP is accepting formal comments on the RFI through June 16 via the Federal Register. Although CMS has announced its directional intent, many important implementation details are still undecided. For those who weren’t at the meeting, there’s still an opportunity to make your voice heard. They’re also accepting video remarks, so break out your ring lights (seriously, many organizations have recorded real world demonstrations, and these are being watched by CMS officials). As of now, 80 comments have been received, 30 of which are publicly posted. As CMS releases more of the comments, Defacto will be monitoring and summarizing these.