CMS Releases Interoperability and Prior Authorization Final Rule

The Centers for Medicare & Medicaid Services (CMS) has finalized the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F).

The rule outlines requirements to streamline health information exchange (HIE) and prior authorization processes for Medicare Advantage (MA) organizations, Medicaid and the Children’s Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and issuers of Qualified Health Plans (QHPs) offered on Federally-Facilitated Exchanges (FFEs).

Together, these policies aim to improve the prior authorization process and reduce burdens on patients, providers, and payers, with expected savings of approximately $15 billion over ten years.

“When a doctor says a patient needs a procedure, it is essential that it happens in a timely manner,” Xavier Becerra, HHS secretary, said in a press release. “Too many Americans are left in limbo, waiting for approval from their insurance company. Today, the Biden-Harris Administration is announcing strong action that will shorten these wait times by streamlining and better digitizing the approval process.” 

Chiquita Brooks-LaSure, CMS administrator, noted that the agency is committed to breaking down barriers in the healthcare industry to improve care delivery.

“Increasing efficiency and enabling healthcare data to flow freely and securely between patients, providers, and payers and streamlining prior authorization processes supports better health outcomes and a better healthcare experience for all,” noted LaSure.

While prior authorization can help ensure medical care is necessary and appropriate, it can be a barrier to patient care when providers must fulfill varying healthcare payer requirements or face long waits for prior authorization decisions.

The CMS final rule creates requirements for certain payers to streamline the prior authorization process. The rule also complements the Medicare Advantage requirements finalized in the Contract Year (CY) 2024 MA and Part D final rule, which add continuity of care requirements and reduce disruptions for beneficiaries.

Primarily beginning in 2026, the rule will require impacted payers (not including QHP issuers on the FFEs) to send prior authorization decisions within 72 hours for expedited requests and seven calendar days for standard requests for medical items and services. For some healthcare payers, this new timeframe for standard requests slashes current decision timeframes by half.

The rule also requires all impacted payers to include a specific reason for denying a prior authorization request, which is set to help facilitate resubmission of the request or an appeal when necessary. Finally, the rule will require impacted payers to report prior authorization metrics publicly.

The rule also requires impacted payers to implement a Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Prior Authorization application programming interface (API) for automation of the electronic prior authorization process between healthcare providers and payers.

Together, these new requirements for the prior authorization process will reduce administrative burdens on the healthcare workforce and drive patient-centered care by preventing avoidable delays in care.

Additionally, in response to feedback received on multiple rules, HHS will announce the use of enforcement discretion for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) X12 278 prior authorization transaction standard to further boost efficiency in the prior authorization process.

Covered entities that implement an all-FHIR-based Prior Authorization API pursuant to the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) who do not use the X12 278 standard as part of their API implementation will not be enforced against under HIPAA Administrative Simplification allowing flexibility for covered entities to use a FHIR-only or FHIR and X12 combination API to meet the requirements.

Covered entities may also choose to make an X12-only prior authorization transaction available. HHS will continue to evaluate the HIPAA prior authorization transaction standards for future rulemaking.

CMS is also finalizing API requirements to enhance health data exchange and foster efficiency across the healthcare system. Informed by public comments., CMS is delaying the dates for compliance with the API policies from generally January 1, 2026, to January 1, 2027.

In addition to the Prior Authorization API, beginning January 2027, the rule requires impacted payers to expand their current Patient Access API to include prior authorization data. Further, impacted payers must implement a Provider Access API that providers can use to retrieve patients’ claims, encounter, clinical, and prior authorization data.

Also based on public comments on previous payer-to-payer data exchange policies, CMS is mandating impacted payers to exchange, with a patient’s permission, most of those same data using a Payer-to-Payer FHIR API when a patient moves between payers or has multiple concurrent payers. 

Lastly, the rule adds a new Electronic Prior Authorization measure for eligible clinicians under the Merit-based Incentive Payment System (MIPS) Promoting Interoperability performance category and eligible hospitals and critical access hospitals (CAHs) in the Medicare Promoting Interoperability Program to report their use of payers’ Prior Authorization APIs to submit prior authorization requests.

The Workgroup for Electronic Data Interchange (WEDI) applauded CMS on the release of the final rule. 

"Through the deployment of API technology, this historic final rule is expected to usher in a substantial reduction of administrative burden and unprecedented levels of health information exchange between health plans, providers, and the patients they serve," Charles Stellar, WEDI president & CEO, wrote in an emailed statement.

"With stakeholders expected to face significant challenges adopting these new standards and revised workflows, WEDI will continue its role as convenor to identify solutions and best practices to ensure successful industry implementation," Stellar said.