CMS Is Building Infrastructure Without a Plan to Govern It

The Centers for Medicare & Medicaid Services’ (CMS) latest pivot toward building a national digital infrastructure signals a long-overdue and promising maturation of its modernization agenda. But for all the focus on APIs, directories, and data sharing, the true challenge is less about technology and more about governance: who will own, operate, and sustain the digital rails of the American healthcare economy?

At the heart of CMS’s May 2025 Health Technology Ecosystem RFI and its accompanying listening session is an ambitious attempt to architect foundational platforms for a digitized, interoperable health system. The agency’s agenda is strikingly comprehensive: a national provider directory, revamped identity verification, expanded patient data access via Blue Button 2.0, general release of Data at the Point of Care, and deeper participation in trusted data exchange frameworks. These are not pilot projects. These are digital utilities, and CMS is staking its credibility on getting them right.

But the road to healthcare interoperability is already cluttered with half-built bridges. ONC’s USCDI standards, TEFCA governance, and decades of health information exchange (HIE) efforts have all offered moments of momentum followed by retrenchment, fragmentation, or vendor capture. CMS’s current proposals risk the same fate unless the agency gets serious about two things: financial sustainability and governance structure.

Build it once, fund it forever?

A national provider directory is the kind of bureaucratic moonshot that should have happened 10 years ago. Fragmented directories are a known source of waste, claim denials, and network inaccuracies. Yet previous CMS and HHS efforts, like the Medicare Advantage Provider Directory Review or the NPPES cleanup, have failed to institutionalize reliable, up-to-date directories across payer-provider systems.

To succeed now, CMS must define not only technical standards and data inputs but also legal requirements for participation and clear accountability for data upkeep. This means rulemaking, not just convening. Without a funded, mandatory backbone, similar to how EHR certification was enforced under MU. This will again be a voluntary patchwork.

More than logging in

Bringing “modern identity verification” to Medicare.gov is welcome, particularly if it brings coherence across provider, beneficiary, and payer portals. But it also underscores how fragmented the identity layer remains across healthcare. While banks and retailers routinely use biometrics or tokenized credentials, healthcare still defaults to outdated logins, portal silos, and fax confirmations.

If CMS is serious about digital trust infrastructure, it needs to commit to a federated identity strategy aligned with NIST guidelines and TEFCA’s QHIN requirements. Otherwise, new credentials will just be new friction.

Blue Button 2.0 and DPC: Access ≠ Action

CMS touts its expansion of Blue Button 2.0 and the general release of Data at the Point of Care (DPC) as breakthroughs for patient-centered data. But mere access is not utility. As research from JAMA and Health Affairs has repeatedly shown, APIs alone don’t drive outcomes unless they are tied to clinical workflows, payment models, or performance metrics.

If CMS wants to ensure these data tools move the needle, they must be embedded into value-based care contracts, ACO data strategies, and payment integrity algorithms. Otherwise, the agency will keep building highways that few clinicians know how, or are incentivized, to drive on.

Who governs the ecosystem?

The language of CMS’s RFI is steeped in ecosystem logic with shared platforms, multi-stakeholder data exchange, interoperable layers. But ecosystems without clear governance bodies tend to fragment. What’s missing here is a credible public-private entity with regulatory authority and technical neutrality which is something akin to a “Digital Health Infrastructure Council” charged with managing the standards, certification, and accountability layers across these initiatives.

Absent this, vendors will dominate with proprietary extensions, regional HIEs will retreat into walled gardens, and the federal investments will yield marginal returns.

What CMS should do next

To ensure these infrastructure investments lead to real transformation, CMS must:

• Tie infrastructure participation to payment incentives (e.g., make provider directory compliance a condition of participation for Medicare Advantage plans).

• Establish a centralized governance council for digital health infrastructure with authority over standards and compliance.

• Invest in usability, not just access—tools like Blue Button and DPC must integrate seamlessly with EHR workflows and patient decision-making.

• Secure sustained funding mechanisms—infrastructure is not a grant; it’s a utility that requires perpetual support.

The RFI and listening session reflect real vision from CMS. But this vision must now harden into durable policy, enforceable mandates, and shared governance. America doesn’t need more pilots. It needs infrastructure that lasts.

The deadline for RFI comments is June 16, 2025. Stakeholders who care about shaping the digital future of Medicare would do well to speak now all the while CMS is still building the tracks, not just managing the traffic.