Skip to main content

CMS Builds Upon Interoperability Rules with Prior Authorization Proposal

The Centers for Medicare & Medicaid Services (CMS) recently published the Advancing Interoperability and Improving Prior Authorization Processes Proposed Rule (Prior Authorization Proposed Rule), and, if certain components are finalized, impacted payors will be required to be in compliance by January 1, 2026.

The Prior Authorization Proposed Rule is meant to build upon the CMS Interoperability and Patient Access Final Rule (Patient Access Final Rule) and includes five proposals aimed at, according to CMS, increasing efficiency, reducing overall payor and provider burden, and improving patient access to electronic health information (EHI). Impacted health care payors include Medicare Advantage (MA) Organizations, Medicaid Managed Care Plans and Children’s Health Insurance Program (CHIP) Managed Care Entities, State Medicaid and CHIP Fee-for-Service (FFS) Programs, and Qualified Health Plan (QHP) Issuers on the Federally Facilitated Exchanges (FFEs). Among the more significant changes in the rule was the inclusion of MA Organizations as impacted payors.

Patient Access Application Programming Interfaces (APIs)

The Patient Access Final Rule currently requires that impacted payors maintain Fast Healthcare Interoperability Resources (FHIR)-based APIs that permit patients to use consumer-facing health applications to access certain data (Patient Access APIs). Through Patient Access APIs, applicable payors must make available, at a minimum:

  • adjudicated claims (including provider remittances and patient cost-sharing);
  • encounters with capitated providers; and
  • clinical data, including laboratory results, with a date of service on or after January 1, 2016, as maintained by the payor.

Payors must make this information available no later than one (1) business day after a claim is adjudicated or encounter or clinical data are received.

Beginning January 1, 2026, CMS proposed that impacted payors, via the Patient Access APIs, make additional information in connection with Prior Authorizations (PAs) available to patients. This information includes:

  • PA status;
  • the date the PA was approved or denied;
  • the date or circumstance under which the PA ends;
  • the items and services approved; and
  • the quantity used to date under the PA, excluding PA decisions for drugs

Impacted payors would need to make the information available to patients no later than one business day after the payor receives the PA request or following another type of status change for the PA.

This portion of the Prior Authorization Proposed Rule is geared at helping patients better understand their respective payor’s PA processes and the effect on their care. The rule would also require impacted payors to report annual metrics to CMS about patient use of the Patient Access API.

Provider Access APIs

CMS also proposed that health care providers with whom patients have a treatment relationship receive access to certain PA request and decision information through FHIR-based APIs. Beginning January 1, 2026, impacted payors would need to implement and maintain “Provider Access APIs” to enable payors to exchange current patients’ information with providers that are in payors’ respective networks, at the provider’s request. The rule defines in-network providers as “any provider or healthcare facility that is part of a specific health plan's network of providers with which it has a contract.” Both the Provider Access API and the Patient Access API would facilitate the FHIR-based exchange of claims and encounter data, as well as all United States Core Data for Interoperability (USCDI) data classes and data elements, such as immunizations, procedures, and assessment and plan of treatment if payors maintain such information. Impacted payors would also be required to provide a mechanism for patients to opt out of making their data available to providers through the Provider Access API.

Payor-to-Payor APIs

With the intent that patients would be able to maintain access to their information even after changing payors, CMS proposed to require that payors exchange certain types of patient data when patients move to a new payor, with the patient’s permission (i.e. patient opt-in). Specifically, by January 1, 2026, payors would be required to exchange claims and encounter data (excluding cost information), data elements identified in the USCDI version 1, and PA requests and decisions across FHIR-based APIs (Payor-to-Payor APIs). Impacted payors would need to make PA information available via the Payor-to-Payor API for the duration that the authorization is active and, for at least one year after the PA's last status change. The Payor-to-Payor APIs would be required to be compliant with the same technical standards, documentation requirements, and denial or discontinuation policies as the Patient Access APIs. CMS also proposed that impacted payors maintain a process to identify a new patient's prior and/or concurrent payor(s) to facilitate data exchange using the Payor-to-Payor API on at least a quarterly basis.

Improving PA Processes

CMS proposed a handful of requirements to enhance PA processes:

  • PARDD APIs – Impacted payors would be required to build and maintain a FHIR API that would automate certain PA tasks for providers (a Prior Authorization Requirements, Documentation and Decision (PARDD) API)). The PARDD API would, among other functionalities, (i) allow providers to query the payor's system to determine whether a PA was required for certain items and services and identify documentation requirements, making those requirements available within the provider's workflow and supporting the automated compilation of certain information from the provider's system; and (ii) support automated data compilation to populate the HIPAA-compliant prior authorization transactions, enabling payors to compile specific responses regarding PA statuses, including information about the reason for a denial. Impacted payors would be required to be in compliance beginning January 1, 2026; for Medicaid managed care plans and CHIP managed care entities, they would need to be in compliance by the rating period beginning on or after January 1, 2026, and for QHP issuers on the FFEs, compliance would be required for plan years beginning on or after January 1, 2026.  
  • Denial Reason – Impacted payors would be required to include a specific reason when they deny a PA request, irrespective of how they sent the PA decision. For PA decisions sent through the PARDD API from the payor to the provider, the payor would have to confirm whether the payor approves (and the duration of the approval) the PA request, denies the PA request, or requests more information from the provider to support the PA request.
  • Prior Authorization Time Frames – Impacted payors are required under current regulations to provide notice of decisions within fourteen (14) days for standard PA requests and within 72 hours for expedited PA requests. Beginning January 1, 2026, CMS proposes that impacted payors, except QHP issuers on the FFEs, to send PA decisions with seven (7) calendar days for standard PA requests and within 72 hours for expedited requests. QHP issuers on FFEs will continue to be required to provide notice of determination for pre-service claims within 15 days and notice of determination for urgent care claims within 72 hours.

CMS stated that it believes “the 7-calendar day timeframe for standard decisions could be achieved when [payors] implement their APIs with improved access to documentation requirements, which could support greater use of electronic prior authorization, and more efficient business processes once implemented.” CMS is also seeking comment on alternative time frames with shorter turnaround times, for example, 48 hours for expedited requests and five calendar days for standard requests. CMS uses the term “standard” PA to for non-expedited, non-urgent requests for PA and the term “expedited” PA for urgent requests.

  • Prior Authorization Metrics – Impacted payors would need to publicly report certain PA metrics by posting them directly on their respective websites or via publicly accessible hyperlink(s) on an annual basis.

Electronic PA Measure for Merit-based Incentive Payment System (MIPS) Eligible Clinicians and Hospitals and Critical Access Hospitals (CAHs)

For MIPS-eligible clinicians under the MIPS Promoting Interoperability performance category and eligible hospitals and CAHs under the Medicare Promoting Interoperability Program, CMS proposes a new PA measure in which PAs must be requested electronically from a PARDD API using data from certified EHR technology (CEHRT). These clinicians and entities would also be required to report the number of PAs requested using the PARDD API via CEHRT.

Interoperability Standards for APIs

Though CMS strongly recommends payors use certain Implementation Guides (IGs) for the Patient Access, Provider Access, Payor-to-Payor, and PARDD APIs, it said it is not ready to propose the IGs as a requirement of its interoperability initiatives.

Prior Authorization Proposed Rule Requests for Information (RFIs)

CMS also issued five RFIs in connection with the Prior Authorization Proposed Rule, covering these topics: barriers to adopting standards related to social risk data; advancing electronic data exchange among behavioral health providers; how Medicare FFS might best support improvements to the exchange of medical documentation between and among providers/suppliers and patients; how Trusted Exchange Framework and Common Agreement (TEFCA) Version 1 can support and advance the payor requirements that CMS proposed in this rule; and comment on evidence-based policies CMS could pursue that leverage health IT, data sharing, and interoperability to improve maternal health outcomes.

Industry Commentary and Conclusion

Many impacted industry stakeholders commended CMS’s goals to standardize interoperable exchange of EHI related to PA through APIs among payors and patients, payors and providers, and payors with other payors. However, some industry commentary called for CMS to continue to engage with stakeholders regarding how and when those goals are achieved.

The American Hospital Association (AHA) published commentary from the providers’ perspective, stating that it, among other items, believes that including drugs (which are currently not covered under the Prior Authorization Proposed Rule) under the medical benefit in the PARDD API is technologically feasible and that drugs should be provided under a patient’s medical benefit. The AHA also recommended that CMS conduct demonstrations prior to the Jan. 1, 2026, implementation date to ensure provider and payor participation and implementation.

America's Health Insurance Plans (AHIP), commenting on behalf of payors, suggested additional review of the Prior Authorization Proposed Rule to ensure the requirements are not inconsistent with or duplicative of other applicable rules and regulations. AHIP, among other recommendations, urged CMS to consider the timing of the Prior Authorization Proposed Rule through the lens of other requirements and challenges facing payors that require significant systems changes. AHIP cited examples such as the implementation of changes in connection with No Surprises Act compliance and the unwinding of certain waivers following the expiration of the COVID-19 Public Health Emergency on May 11, 2023.

We will be monitoring for additional guidance from CMS and updates on the development of a final rule for Advancing Interoperability and Improving Prior Authorization Processes.

Subscribe To Viewpoints


Pat focuses his practice on advising health care organizations on regulatory, compliance, data privacy, and transactional matters. He is also a Certified Information Privacy Professional–US (CIPP–US).