CMS releases Interoperability and Prior Authorization Final Rule 

Under a final rule released today, impacted payers will be required to send prior authorization decisions within 72 hours for urgent requests and seven calendar days for standard requests.

The Centers for Medicare and Medicaid Services released this and other provisions in the Interoperability and Prior Authorization final rule.

It affects Medicare Advantage organizations, state Medicaid and Children’s Health Insurance Program, fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers on the Federally Facilitated Exchanges.

All are required to implement and maintain certain Health Level 7 Fast Healthcare Interoperability Resources application programming interfaces to improve the electronic exchange of healthcare data, as well as to streamline prior authorization processes. 

Impacted payers must also implement certain operational provisions beginning January 1, 2026. 

In response to public comment on the proposed rule, impacted payers have until compliance dates, generally beginning January 1, 2027, to meet the API development and enhancement requirements in this final rule. The exact compliance dates vary by the type of payer, CMS said.

For providers, the final rule encourages the adoption of electronic prior authorization processes by adding a new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS, as well as for eligible hospitals and critical access hospitals under the Medicare Promoting Interoperability Program. 

WHY THIS MATTER

The API policies will improve patient, provider and payer access to interoperable patient data and reduce the burden of the prior authorization processes, CMS said.

MGMA’s SVP of government affairs, Anders Gilberg, said, “With prior authorization continuously ranking as the most burdensome regulatory issue facing medical groups, MGMA supports today’s action by CMS to finalize its proposals to streamline and standardize the process. The increased transparency provisions – requiring health plans to provide clarity on the reasoning behind care denials and to publicly report aggregated metrics about their prior authorization programs annually – will help shine a light on the egregious abuse of prior authorization by payers under the guise of looking out for patients’ best interests. This final rule is an important step forward towards MGMA’s goal of reducing the overall volume of prior authorization requests – only then will medical groups find meaningful reprieve from these onerous, ill-intentioned administrative requirements that dangerously impede patient care.”

PROVISIONS IN THE FINAL RULE

Patient Access API

The CMS Interoperability and Patient Access final rule requires impacted payers to implement an HL7 FHIR Patient Access API. 

Impacted payers need to add information about prior authorizations (excluding those for drugs) to the data available via that Patient Access API. 

In addition to giving patients access to more of their data, this will help patients understand their payer’s prior authorization process and its impact on their care. This requirement must be implemented by January 1, 2027.

Beginning January 1, 2026, CMS is requiring impacted payers to report annual metrics to CMS about Patient Access API usage.

Provider Access API

Payers are being required to implement and maintain a Provider Access API to share patient data with in-network providers. This is to facilitate care coordination and support movement toward value-based payment models, CMS said.

Payers will be required to make the following data available via the Provider Access API: individual claims and encounter data (without provider remittances and enrollee cost-sharing information), data classes and data elements in the United States Core Data for Interoperability (USCDI), and specified prior authorization information (excluding those for drugs). 

CMS is also requiring impacted payers to maintain an attribution process to associate patients with in-network or enrolled providers with whom they have a treatment relationship and to allow patients to opt out of having their data available to providers under these requirements. Impacted payers will be required to provide plain-language information to patients about the benefits of API data exchange with their providers and their ability to opt out.

These requirements must be implemented by January 1, 2027. 

Payer-to-Payer API

CMS is requiring that impacted payers implement and maintain a Payer-to-Payer API to make available claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the United States Core Data for Interoperability (USCDI), and information about certain prior authorizations (excluding those for drugs).

Payers are only required to share patient data with a date of service within five years of the request for data. This will help improve care continuity when a patient changes payers and ensure that patients have continued access to the most relevant data in their records, CMS said. 

CMS is also finalizing an opt-in process for patients to provide permission under these requirements. Impacted payers are required to provide plain-language educational resources to patients that explain the benefits of the Payer-to-Payer API data exchange and their ability to opt in.

These requirements must be implemented by January 1, 2027.

Prior Authorization API

Payers must implement and maintain a Prior Authorization API that has a list of covered items and services, can identify documentation requirements for prior authorization approval, and supports a prior authorization request and response. 

These Prior Authorization APIs must also communicate whether the payer approves the prior authorization request (and the date or circumstance under which the authorization ends), denies the prior authorization request (and a specific reason for the denial) or requests more information. 

This requirement must be implemented beginning January 1, 2027.

In response to feedback received on multiple rules and to extensive stakeholder outreach, and in order to further promote efficiency in the prior authorization process, the Department of Health and Human Services will be announcing the use of enforcement discretion for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) X12 278 prior authorization transaction standard. 

Covered entities that implement an all-FHIR-based Prior Authorization API pursuant to the CMS Interoperability and Prior Authorization final rule that do not use the X12 278 standard as part of their API implementation will not be enforced against under HIPAA Administrative Simplification. This allows for limited flexibility for covered entities to use a FHIR-only or FHIR and X12 combination API to satisfy the requirements of the CMS Interoperability and Prior Authorization final rule. 

Covered entities may also choose to make available an X12-only prior authorization transaction. HHS will continue to evaluate the HIPAA prior authorization transaction standards for future rulemaking.

Prior authorization decision time frames

CMS is requiring impacted payers (excluding qualifying health plans on the federally-facilitated exchanges, to send prior authorization decisions within 72 hours for expedited (urgent) requests and seven calendar days for standard (nonurgent) requests. 

Provider notice, including denial reason

Beginning in 2026, impacted payers must provide a specific reason for denied prior authorization decisions, regardless of the method used to send the prior authorization request. Such decisions may be communicated via portal, fax, email, mail or phone. 

As with all policies in the final rule, this provision does not apply to prior authorization decisions for drugs. 

CMS said this requirement is intended to both facilitate better communication and transparency between payers, providers and patients, as well as improve providers’ ability to resubmit the prior authorization request, if necessary. 

Some impacted payers are also subject to existing requirements to provide information about denials to providers, patients or both, through notices. These existing notices are often required in writing, but nothing in the final rule changes these existing requirements. 

Prior authorization metrics

CMS is requiring impacted payers to publicly report certain prior authorization metrics annually by posting them on their website.

These operational or process-related prior authorization policies are being finalized, with a compliance date starting January 1, 2026. The initial set of metrics must be reported by March 31, 2026.

Electronic Prior Authorization measure for MIPS eligible clinicians, eligible hospitals and critical access hospitals 

CMS is adding a new measure, “Electronic Prior Authorization” to the Health Information Exchange (HIE) objective for the MIPS Promoting Interoperability performance category and the Medicare Promoting Interoperability Program. 

MIPS eligible clinicians will report the Electronic Prior Authorization measure beginning with the Calendar Year 2027 performance period/CY 2029 MIPS payment year, and eligible hospitals and critical access hospitals beginning with the 2027 EHR reporting period. This will be an attestation measure for which the MIPS eligible clinician, eligible hospital or CAH reports a yes/no response or claims an applicable exclusion, rather than the proposed numerator/denominator.

For information on which required standards and implementation specifications apply to each API, see the final rule.

THE LARGER TREND

The final rule builds on the technological foundation of the May 2020 CMS Interoperability and Patient Access final rule. 

Email the writer: SMorse@himss.org