Applicability and Purpose
Last month, the Centers for Medicare and Medicaid Services (CMS) published its Interoperability and Prior Authorization final rule. The provisions found in this final rule pertain to the following entities:
- Medicare Advantage (MA) organizations
- State Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs
- Medicaid managed care plans
- CHIP managed care entities
- Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs)
Collectively termed “impacted payers,” the above health-related programs and plans are required under the rule to implement and maintain certain Health Level 7® (HL7®) Fast Healthcare Interoperability Resources® (FHIR®) application programming interfaces (APIs) for the purpose of improving the electronic exchange of healthcare data and streamlining the prior authorization process.
To encourage providers to adopt electronic prior authorization processes, the final rule also adds a new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS, as well as for eligible hospitals and critical access hospitals (CAHs), under the Medicare Promoting Interoperability Program. The ostensible purpose of these API-related policies is the improvement of patient, provider and payer access to interoperable patient data and the reduction of burdens associated with prior authorization processes.
Timetables and Provisions
Impacted payers must, according to the rule, implement certain operational provisions, generally beginning January 1, 2026. However, impacted payers generally have until January 1, 2027 to meet the API development and enhancement requirements of the rule. The exact compliance dates vary by payer type.
This final rule includes the following provisions:
Patient Access API
Impacted payers are required to add information about prior authorizations (excluding those for drugs) to the data available via the Patient Access API. This requirement must be implemented by January 1, 2027.
Provider Access API
Impacted payers must implement and maintain a Provider Access API to share patient data with in-network providers with whom the patient has a treatment relationship. Impacted payers will be required to make available, via the Provider Access API, individual claims and encounter data and specified prior authorization information (excluding those for drugs). These requirements must be implemented by January 1, 2027.
Prior Authorization API
The rule requires impacted payers to implement and maintain a Prior Authorization API that is populated with the payer’s list of covered items and services, can identify documentation requirements for prior authorization approval, and supports a prior authorization request and response. These Prior Authorization APIs must also communicate whether the payer approves the prior authorization request (and the date or circumstance under which the authorization ends), denies the prior authorization request (and a specific reason for the denial), or requests more information. This requirement must be implemented beginning January 1, 2027.
Prior Authorizations Generally
Impacted payers (excluding QHP issuers on the FFEs) must send prior authorization decisions within 72 hours for expedited (i.e., urgent) requests and seven calendar days for standard (i.e., non-urgent) requests. Beginning in 2026, impacted payers must provide a specific reason for denied prior authorization decisions, regardless of the method used to send the prior authorization request. As with all policies in this final rule, this provision does not apply to prior authorization decisions for drugs. These operational or process-related prior authorization policies are being finalized with a compliance date starting January 1, 2026.
For a fuller treatment of the final rule, see the CMS fact sheet: CMS Interoperability and Prior Authorization Final Rule CMS-0057-F.