CMS Final Rule Requires Payers to Modify Prior Authorization, Create New APIs

Health Highlights

In the federal government’s latest effort to promote interoperability in the health care sector, on January 17 the Centers for Medicare & Medicaid Services (CMS) released a final rule that expands the requirements for electronic exchange of information between federally funded health plans, providers, and plan enrollees through application programming interfaces (APIs). For all health care services other than drugs, the final rule also streamlines operations related to prior authorization, the process through which a health care provider gets approval from a payer before providing care.

Among other requirements, the rule:

  • Adopts new procedural requirements for prior authorization requests for non-drug items and services, including maximum response times and a requirement for payers to provide a “specific reason” when they deny a request.
  • Expands the specifications the Patient Access API to include information on prior authorization. (This rule builds on the 2020 Interoperability and Patient Access final rule, which included a requirement for payers to implement a standards-based Patient Access API that would allow enrollees to access their health care information through third-party applications.)
  • Adds requirements for payers to implement three new APIs: a Provider API, a Payer-to-Payer API, and a Prior Authorization API.
  • Establishes a new provider quality measure in Medicare fee-for-service related to the use of electronic prior authorization.

The rule applies to the Medicare Advantage (MA), state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service (FFS) and managed care plans, and Qualified Health Plan (QHP) issuers on the federally facilitated exchanges (FFEs). The rule does not apply to other payers such as original Medicare, employer-sponsored plans, or QHPs on state-based exchanges.

Consistent with the proposed rule, the provisions relating to prior authorization—including the new timelines and API-related requirements—do not apply to drugs, including prescription drugs dispensed by a pharmacy as well as provider-administered drugs.

The final rule’s requirements take effect starting in 2026 or 2027, depending on the provision.

Prior Authorization Processes and Reporting

CMS finalized several substantive rules governing prior authorization processes for all items and services (except for drugs) intended to improve how patients and providers seek and receive approval from plans for coverage of services. These changes will take effect in 2026; the precise compliance date varies based on the type of payer.

The final rule requires payers to provide a “specific reason” for denied prior authorization decisions. CMS declined to provide a regulatory definition but noted in the preamble that “a specific reason for denial could include reference to the specific plan provisions on which the denial is based; information about or a citation to coverage criteria; how documentation did not support a plan of care for the therapy or service; a narrative explanation of why the request was denied, and specifically, why the service is not deemed necessary or that claim history demonstrated that the patient had already received a similar service or item.” This can be communicated via portal, fax, email, mail, or phone.

For all payers other than QHPs, the final rule requires notice of prior authorization decisions as expeditiously as a patient’s health condition requires but no later than seven calendar days, unless the payer obtains an extension of up to 14 calendar days total. For expedited requests, impacted payers must provide a decision within 72 hours, unless a shorter minimum timeframe is established under state law (note: MA organizations are exempt from such state-law requirements).

  • MA and Medicaid/CHIP managed care plans were already subject to a 72-hour timeframe for expedited requests, but the rule halves the current 14-day timeframe for standard requests.
  • CHIP FFS programs are similarly transitioning from 14 days to 7 days for standard requests, and they must comply with the expedited standard.
  • Medicaid FFS programs, meanwhile, are not currently subject to maximum timelines as to either standard or expedited requests.

The rule also requires payers to publicly report on their websites certain aggregated metrics about prior authorization—including rates of denials, rates of denials that are reversed on appeal, and resolution timelines—for both standard and expedited requests.

Application Programming Interfaces

These API requirements take effect in 2027. Again, the specific compliance dates vary by type of payer.

New Prior Authorization API

Payers must implement a Prior Authorization API to communicate with providers about prior authorization requirements and specific prior authorization requests. Specifically, the Prior Authorization API must: (1) identify the payer’s list of covered items and services that require prior authorization; (2) be able to identify all documentation required for approval of any items or services that require prior authorization; (3) support an HIPAA-compliant electronic prior authorization request from the provider and response from the payer; and (4) communicate whether the payer approves or denies a request, or requests more information. The API must be compliant with certain technical standards, documentation requirements, and denial or discontinuation policies, including Health Level 7 (HL7), FHIR, the U.S. Core Implementation Guide (IG), and SMART App Launch IG.

Providers will not be required to use the Prior Authorization API and may continue to submit prior authorization requests through other means if they so wish.

Expanding the Patient Access API

CMS has expanded the information payers must give to enrollees through the Patient Access API to include information about the patient’s prior authorization requests and decisions (excluding those for drugs). Payers will have to make available the prior authorization request and related structured administrative and clinical documentation, including the request status, the date the prior authorization was approved or denied, the date or circumstance under which the authorization ends, the items and services approved, and, if denied, the specific reason why the request was denied. Payers must make this information available no later than one business day after the payer receives the prior authorization request or when there is another type of status change for the prior authorization (e.g., a payer approves a pending request).

New Provider Access API

The new “Provider Access API” requires payers to share patient data with in-network providers with whom the patient has a treatment relationship. This API will generally give providers access to the same data available to patients through the Patient Access API. Payers will be required to make an enrollee’s claims and encounter data (excluding provider remittances and patient cost-sharing information), the USCDI data classes and elements, and certain information about prior authorizations maintained by the payer available no later than one business day after the provider initiates a request, subject to the following conditions:

  • Authentication: The payer authenticates the identity of the provider.
  • Attribution: The enrollee is attributed to the provider to ensure that the provider has a treatment relationship with the enrollee.
  • No opt-out:The enrollee has not opted out of disclosures to the provider. Payers must provide a mechanism for patients to opt out of the Provider Access API, although CMS states it does not intend to be prescriptive about how such a process is implemented.
  • Legal Compliance: The disclosure is not prohibited by any applicable law.

Unlike the Patient Access API, where the patient will request access to their own data through a health app, CMS expects that a provider accessing data through the Provider Access API would request and receive access to the patient’s information through their electronic health record (EHR), practice management system, or other technology solution for treatment or care coordination.

New Payer-to-Payer API

In the final rule, CMS requires payers to establish an API to exchange patient data with one another. The API could be used to coordinate benefits between payers when a patient transitions from one health plan to another or holds coverage simultaneously under multiple plans. (Some payers had previously been subject to a payer-to-payer exchange requirement under the May 2020 interoperability rule, but many payers to abandoned efforts to comply with this provision after CMS announced in December 2021 that it was not enforcing the requirement).

Consistent with the data types provided to patients and providers, payers must exchange all USCDI data classes and data elements, claims and encounter data (excluding provider remittances and enrollee cost-sharing information), prior authorization requests and decisions (excluding denied prior authorization requests and excluding those for drugs), and unstructured administrative and clinical documentation submitted by a provider related to prior authorizations. Payers must provide such data to the extent it relates to a date of service within five years of the request.

Payers generally must establish a process to identify their enrollees’ previous and/or concurrent payer(s) and ask their enrollees for permission to engage in payer-to-payer data exchange no later than one week after the start of coverage.

Prior Authorization Measures Under Medicare Incentive Programs

To incentivize provider use of the new Prior Authorization API, CMS finalized a new “Electronic Prior Authorization” measure to the health information exchange objective under the Medicare Promoting Interoperability Program and Medicare’s Merit-based Incentive Payment System (MIPS) Program. Under the new measure, certain providers must attest as to whether, during each reporting period, they requested a prior authorization electronically via a Prior Authorization API for at least one medical item, service, or hospital discharge using data from a Certified EHR Technology.

Gaps and Implications

CMS acknowledges significant gaps in the rule, including the following:

  • Provider and patient groups have criticized the decision to exclude drugs from the prior authorization reforms, commenting that drug prior authorization remains a time-consuming and inefficient process in many cases. In response, CMS said it would consider options for future rulemaking to address improvements to the prior authorization processes for drugs.
  • The largest health insurance market in the country – employer-based health insurance – is unaffected by the rule.
  • It is unclear how frequently enrollees, providers, and payers will make use of the new APIs once the mandate to make them available takes effect. In particular, some commentators questioned whether EHR compatibility issues might create challenges for providers seeking to make use of the new Prior Authorization and Provider APIs.

Given these concerns, stakeholders are likely to continue to pursue regulatory and legislative efforts to further promote interoperability and improve prior authorization.

Nevertheless, this final rule represents a significant step forward for electronic health care data exchange, including the digitization, standardization, and streamlining of prior authorization requirements, requests, and decisions. Over the coming years, affected payers will need to invest in implementing the new APIs and prior authorization processes. Plan enrollees and providers will have more opportunities to obtain sought-after data from plans. In turn, the rule may spur innovation among technology companies to update EHR platforms and develop third-party applications to interface with the new and expanded APIs.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved