Summary of Key Points: Prior Authorization Rule

Background
On Jan. 17, CMS finalized the CMS Interoperability and Prior Authorization final rule. This rule sets requirements for Medicare Advantage (MA) organizations, state Medicaid and CHIP fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities and Qualified Health Plans (QHPs) on the Federally Facilitated Exchanges to improve the electronic exchange of health care data and to streamline the prior authorization process. The CMS fact sheet is available

Key issues included in the rule are:

  • The rule establishes requirements for payers to streamline the prior authorization process, beginning in 2026, requiring prior auth decisions to be sent within 72 hours for expedited requests and seven calendar days for standard requests (some exceptions for Exchange Plans). 
  • The rule also requires payers to implement an HL7 Fast Healthcare Interoperability Resources (FHIR) Prior Auth application programming interface (API), which can be used to facilitate a more efficient electronic prior auth exchange (enforcement effective Jan. 2027). Medicare FFS has already implemented an electronic prior auth API. 
  • Affected payers will also be required to expand their current Patient Access API to include information about prior authorizations and add functionality to retrieve patients’ claims, encounter, clinical, and prior authorization data. 
  • CMS also adds new measures for the Merit-Based Incentive Payment System (MIPS) Promoting Interoperability performance category and for hospitals eligible for the Medicare Promoting Interoperability Program, to encourage providers to adopt electronic prior authorization processes. 

Prior Authorization Process Changes
Notable changes to the prior authorization process outlined in the rule include:

  • CMS is requiring affected payers, excluding QHP Exchange plans, to send prior authorization decisions within 72 hours for expedited (urgent) requests and seven calendar days for standard (non-urgent) requests.
  • Payers must provide a specific reason for denied prior authorization decisions (regardless of the method used to send the request) via portal, fax, email, mail, or phone – Effective beginning in 2026. 

Standards and Implementation Guides for APIs
The required standards and implementation specifications will standardize the way the information is being requested and what is communicated back. CMS finalized greater specificity for standards that are applicable to each API. 

The required standards and implementation specifications include:

  • United States Core Data for Interoperability (USCDI)
  • HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1
  • HL7 FHIR US Core Implementation Guide (IG) Standard for Trial Use (STU) 3.1.1
  • HL7 SMART Application Launch Framework Implementation Guide Release 1.0.0
  • FHIR Bulk Data Access (Flat FHIR) (v1.0.0: STU 1)
  • OpenID Connect Core 1.0 

See Table H3 of the final rule for additional detail. Payers may also use an updated ONC-approved standard if the update does not disrupt end users’ ability to access the required data through the API. 

It is strongly recommended that payers use the following Implementation Guides (IGs) when implementing APIs to reduce burden and increase interoperability:

  • HL7 FHIR CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button®) IG Version STU 2.0.0
  • HL7 SMART App Launch IG Release 2.0.0 to support Backend Services Authorization
  • HL7 FHIR Da Vinci Payer Data Exchange (PDex) IG Version STU 2.0.0
  • HL7 FHIR Da Vinci PDex US Drug Formulary IG Version STU 2.0.1
  • HL7 FHIR Da Vinci PDex Plan-Net IG Version STU 1.1.0
  • HL7 FHIR Da Vinci Coverage Requirements Discovery (CRD) IG Version STU 2.0.1
  • HL7 FHIR Da Vinci Documentation Templates and Rules (DTR) IG Version STU 2.0.0
  • HL7 FHIR Da Vinci Prior Authorization Support (PAS) IG Version STU 2.0.1 

See Table H3 of the final rule for additional detail. 

In the HTI-1 final rule, ONC finalized expiration dates for several of these required standards to indicate when a version of a standard may no longer be used. CMS intends to align with these updated versions.

CMS Required API Interoperability Standards Summary

| Standards | Patient Access API | Provider Access API | Provider Directory API | Payer-to-Payer API | Prior Authorization API |
|---|---|---|---|---|---|
| USCDI at 45 CFR 170.213 | Yes | Yes | N/A | Yes | N/A |
| FHIR Release 4.0.1 | Yes | Yes | Yes | Yes | Yes |
| HL7 FHIR US Core IG STU 3.1.1 | Yes | Yes | Yes | Yes | Yes |
| HL7 SMART App Launch Framework IG 1.0.0 | Yes | Yes | No | No | Yes |
| HL7 FHIR Bulk Data Access IG v 1.0.0 STU 1 | No | Yes | No | Yes | No |
| OpenID Connect Core 1.0 | Yes | No | No | No | No |

Reproduced from CMS slide deck, CMS Interoperability Final Rule Overview, Jan. 24, 2024 

Patient Access API
This rule requires affected payers to make prior authorization information available via the Patient Access API. CMS required payers to implement an HL7 FHIR Patient Access API in the CMS Interoperability and Patient Access final rule. Implementation is required by Jan. 1, 2027. Payers will need to report certain metrics on Patient Access API usage annually, starting in Jan. 2026, to give CMS more information to assess usage leading up to the implementation date (reported in March). 

Provider Access API
Affected payers are required to implement and maintain a Provider Access API to share patient data with in-network providers with whom the patient has a treatment relationship. This will include information such as:

  • Individual claims and encounter data (absent provider remittances and enrollee cost-sharing information)
  • Data classes and data elements in the United States Core Data for Interoperability (USCDI)
  • Certain prior authorization information (excluding drug information) 

Payers will be required to maintain an attribution process to associate patients with in-network or enrolled providers with whom they have a treatment relationship and to allow patients to opt out of having data available to providers under these requirements. Implementation is required by Jan. 1, 2027. 

Payer-to-Payer API
This rule requires payers to implement and maintain a Payer-to-Payer API to make certain claims and encounter data available to improve continuity of care when a patient changes payer. A patient would need to opt in to provide permission under these requirements. Implementation is required by Jan. 1, 2027. Payers will need to identify previous and concurrent payers no later than one week after the start of coverage in most cases. New payers will need to request patient data from any previous payers no later than one week after the start of coverage, if the patient has opted in. Previous payers will have to provide the data they maintain with dates of service within five years of the date of the request, and they must provide this data within one day of receiving the request. Patient data must then be incorporated into the new payer’s patient record. When a patient has concurrent coverage with two or more payers, patient data must be exchanged within one week of the start of coverage and at least quarterly thereafter. 

Prior Authorization API
Affected payers are required to implement and maintain a Prior Authorization API. This API must be populated with a list of covered items and services, identify documentation requirements for prior authorization approval, and support prior authorization requests and responses. Other functionality includes:

  • Communication regarding approval of prior authorization requests
  • Date and circumstance prior authorization ends
  • Communication of denials, including a specific reason for the denial 

Implementation is required by Jan. 1, 2027. As a matter of enforcement discretion, HIPAA Administrative Simplification requirements will not be enforced against covered entities that implement an all-FHIR-based Prior Authorization API and do not use the X12 278 standard as part of their API implementation. This gives covered entities the flexibility to use a FHIR-only API or a combined FHIR and X12 API to satisfy the requirements of this rule. Covered entities can also choose to enable an X12-only prior authorization transaction. 

Measures on Electronic Prior Authorization for Clinicians and Hospitals
To assess use of electronic prior authorization, CMS is adding new measures for clinicians and hospitals on electronic prior authorization. The measure will be added to the Health Information Exchange (HIE) objective for the MIPS Promoting Interoperability performance category beginning with the 2027 calendar year (CY) performance period, and for eligible hospitals and Critical Access Hospitals (CAHs) beginning with the CY 2027 EHR reporting period. This will be a yes/no attestation measure with certain exclusions that can be claimed. 

  • MIPS eligible clinicians – must attest yes to requesting a prior authorization electronically via a Prior Authorization API using data from a certified electronic health record technology (CEHRT) for at least one medical item or service, excluding drugs, ordered during the CY 2027 performance period.
  • Eligible hospitals and CAHs – must attest yes to requesting a prior authorization electronically via a Prior Authorization API using data from CEHRT for at least one hospital discharge and medical item or service, excluding drugs, ordered during the CY 2027 EHR reporting period.

This paper discusses seven policy changes that CMS could consider, which could help to advance the efforts of quality improvement in relation to improving equity in health outcomes across ACOs. These policy changes must be implemented in a step-wise manner, and each recommendation is designed to build off of the learnings of each change. Importantly, it must be emphasized that relying on good data to address health equity is critically important to the success of these efforts. Finally, it is critical to note that we cannot embark on these changes without also giving clinicians and ACOs the tools and resources they need to implement and deploy interventions to reduce these inequities and to improve patient care for underserved populations. There must also be a recognition that health equity solutions will be localized and, therefore, will need to look different in different locations, markets, and populations. Finally, as these policy options are considered it is important to recognize the additional burden that may be placed on clinicians, and, therefore, it will be critical to find ways to minimize this burden that could come in the form of additional data collection requirements and potential costs to alter electronic health records (EHRs) to collect and report data. NAACOS is committed to advancing the value-based care movement, and our members want to see an effective, coordinated, patient-centric healthcare system that focuses on keeping all individuals healthy. Implementing these policy changes can provide an important opportunity to reduce health inequities and transition our health system to a culture of value.