What's ahead for prior authorizations as new requirements loom

Prior authorization timeframes

Effective Jan. 1, 2026, the Interoperability and Prior Authorization Final Rule requires impacted payers to meet specific prior authorization decision timeframes, provide specific denial reasons for all prior authorizations and collect data for reporting in the spring.

Impacted payers include Medicare Advantage organizations, Medicaid and the Children’s Health Insurance Program (CHIP) fee-for-service programs, Medicaid managed care plans, CHIP managed care entities and issuers of Qualified Health Plans offered on the Federally-Facilitated Exchanges.

This group of payers and health plans will have to send prior authorization decisions within 72 hours for urgent requests and seven calendar days for standard requests. For some payers, this new timeframe reduces prior authorization decision times in half, CMS reported in the rule.

If a prior authorization is denied, impacted payers must also provide the specific reasons for the denial regardless of how the request was submitted, whether through the web, portal or fax. While a standardized industry list of reasons is not yet widely published, common scenarios requiring a detailed explanation include inadequate clinical support for the service or item, failure to meet coverage criteria, incorrect coding, and incomplete or missing documentation.

The goal behind this requirement is to shift away from vague explanations and provide actionable information so that a provider understands the necessary next steps, such as submitting additional information, identifying alternative treatment options or filing an appeal.

Reasons for denials are also one of the metrics that impacted payers must report publicly starting in 2026.

By March 31, 2026, impacted payers will also need to disclose approval and denial rates, average decision turnaround times and approvals after appeals. The metrics, to be published on payer websites, will cover data from the 2025 calendar year.

These reporting requirements apply to various payer types, including Medicare Advantage organizations, state Medicaid and CHIP programs and Qualified Health Plan issuers on the exchanges, with reporting levels depending on the payer type. Additionally, beginning in 2026, payers must report metrics to CMS annually regarding patient data requests through the Patient Access API.

API requirements

By 2027, the Interoperability and Prior Authorization Final Rule will also require the use of four APIs in the prior authorization process.

First, impacted payers will need to implement the Prior Authorization API to facilitate a more efficient electronic prior authorization process between payers and providers. This API enables providers to query a payer's system to determine whether an authorization is required for a specific service or item and to view a list of the payer's covered items and services. The API must also convey the payer's documentation requirements for prior authorizations and be able to exchange the requests themselves, including those from providers and responses from payers.

Second, the rule will require the use of the Provider Access API, which enables data sharing with in-network providers with whom a patient has a treatment relationship. Data that will be shared includes individual claims and encounter data, data classes and elements in an ONC-approved content standard and other prior authorization data.

Third, the final rule requires the use of the Payer-to-Payer Access API for exchanging a patient's new or concurrent payers when they change payers or they have two or more at once (e.g., patients dually eligible for Medicaid and Medicare). The data shared will largely be the same as the Provider Access API, except for information about denied prior authorizations. The API will also support both structured and unstructured administrative and clinical documentation submitted by a provider.

Fourth, the rule requires the use of the Patient Access API. This API is meant to enable patients to access their own health data, including claims data and information about the impacts of prior authorization processes.

The Patient Access API has been at play in healthcare for some years now, with initial compliance for plans to provide claims, encounter and clinical data via the API starting in 2021. However, under the new requirements, payers must use the Patient Access API to give patients information on prior authorization approvals and denials and reasons for denials, with payers expected to update the information through the API within one business day of the request's decision change.

All the required APIs were created by Health Level Seven (HL7) using the Fast Healthcare Interoperability Resources (FHIR) standard, which has gained traction as a data standard among payers, providers and health IT vendors. HL7 FHIR has been praised for being a robust and flexible standard that enables interoperability across different healthcare stakeholders.

Accelerating adoption of electronic prior authorizations

The Interoperability and Prior Authorization Final Rule seeks to address industry-wide complaints about prior authorizations -- decisions take too long, providers are unsure of how to rectify a denial and slow decisions and denials result in patient care barriers, to name a few.

The mandate will help the industry overcome many of these issues by accelerating the adoption of electronic prior authorizations, according to Laurent Rotival, executive vice president and CIO of Cambia Health Solutions, which owns six regional health plans.

"With the effectiveness of the mandate come January 1 of next year, I think we're going to expect a far faster adoption now, driven by CMS and not just because of the strict value," he said.

Electronic prior authorizations are not new; in fact, Cambia, through one of its Regence health plans, has implemented an electronic prior authorization workflow with one of its payer partners to streamline the process using an FHIR API. The workflow has reduced decision timeframes for the payer and provider to about 20 seconds and provides a letter detailing if the provider needs to send additional information or correct an issue.

This potential solution exists and is demonstrating value, yet prior authorizations remains one of the most manual administrative processes for medical plans. Only about a third (35%) of prior authorizations are conducted fully electronically, according to the 2024 Index Report from the Council for Affordable Quality Healthcare.

Defining the data standard through the rule will boost this percentage, Rotival said.

"Exchanging data in this industry is extraordinarily difficult, but it's not because a lack of standards," he explained. "It's a question of rallying around one standard."

However, providers like Anna Taylor, MS, CIPCT, associate vice president of population health and value-based care at MultiCare Connected Care, are still skeptical about how the rule will truly digitize the prior authorization process.

"I'm 50/50 on it," she admitted. "I have hope that people will do the right thing, but I also think that, when money is at play, it always makes for interesting behavior. So, I hope people see this as an opportunity to mature the work that they do today."

In other words, payers shouldn't focus on codifying their portals, which have historically delayed the shift to electronic prior authorizations, according to the CAQH Index Report.

Most requests were handled in a partial electronic manner, including through portals, the report stated. Notably, it took providers about 16 minutes, on average, to use a payer's portal for a prior authorization request -- the highest time spent conducting an administrative transaction using a portal.

Taylor's perspective echoes what many providers are feeling about the looming requirements. There is a major opportunity to transform this process, but the reality is that organizational resistance and financial considerations may limit the rule's impact. Regulations could serve as a foundation for more sophisticated healthcare approaches if embraced properly, she explained.

This is an idea payers may want to consider to advance the spirit of the rule, as they also comply with all of its requirements, in order to finally address the burdensome prior authorization process.

Jacqueline LaPointe is a graduate of Brandeis University and King's College London. She has been writing about healthcare finance and revenue cycle management since 2016.