The Interoperability and Prior Authorization Final Rule: Implications for Providers, Patients, and Care Delivery
In an era of rapid technological advancement in healthcare, regulatory changes are driving a new dawn of efficiency and patient-centered care. The Interoperability and Prior Authorization Final Rule (CMS-0057-F) by the Centers for Medicare & Medicaid Services (CMS) seeks to reshape healthcare administration, reduce burdens, and enhance patient outcomes by accelerating prior authorization turnaround times by payers and implementing expanded application programming interfaces (APIs). This rule is part of CMS’s ongoing efforts to make data flowing through the health care system, particularly consumer data, more interoperable. You can read the final rule here, and view the fact sheet here and the press release here.
This blog post explores the requirements of payers in the new rule, the limitations of the rule on prescription drugs, and the rule’s potential benefits for healthcare providers and patients.
Faster, More Transparent Prior Authorization Decisions
More uniform and, in some cases, shorter prior authorization maximum turnaround times by impacted payers are the most meaningful changes of the final rule that providers should be aware of. Impacted payers include Medicare Advantage (MA) organizations, state Medicaid and CHIP fee-for-service programs, Medicaid managed care plans (MCOs), and CHIP managed care entities. Notably, the timelines apply regardless of whether the request for prior authorization is made through electronic means or manual processes (e.g., fax). Specifically, the final rule sets forth the following maximum federal timelines for impacted payers to adjudicate and respond to prior authorization requests:
- Beginning 1/1/2026, standard requests must be processed within 7 calendar days.
- This standard request timeframe can be extended by up to 14 calendar days if:
- Enrollee requests an extension,
- The extension is justified in the enrollee’s interest due to the need for additional medical evidence from a noncontract provider that may change the payer’s decision to deny an item or service, or
- The extension is justified due to extraordinary, exigent, or other non-routine circumstances and is in the enrollee’s best interest.
- The payer must notify the enrollee in writing of the reasons for the delay and inform the enrollee of the right to file an expedited grievance (which is unique to MA) if the enrollee disagrees with the extension.
- This standard request timeframe can be extended by up to 14 calendar days if:
- Beginning 1/1/2026, expedited requests must be processed within 72 hours after receipt of the request for services.
- To promote transparency, impacted payers must publicly report certain metrics about their prior authorization process. The initial set of metrics must be reported by March 31, 2026.
It is important to note a few caveats to this new requirement:
- The requirement does not apply to requests to cover a drug. Therefore, timelines for payers to adjudicate and respond to prior authorization requests for drugs will continue to be addressed in a program-specific manner and in accordance with state and federal law.
- States may impose more stringent timelines or standards for prior authorization adjudications, which may be relevant for Medicaid managed care organizations and CHIP managed care entities in particular.
The Drive for Improved Health Data Exchange and Care Accessibility
The final rule also builds on CMS’s requirements on payers to develop APIs to facilitate real-time access to patient information for providers, other payers, and patients alike. While providers are not required by CMS to use these APIs, doing so could increase efficiency and facilitate higher success rates for prior authorization requests, and CMS has finalized an incentive program for eligible Medicare-participating clinicians and hospitals to utilize the Prior Authorization API.
- Prior Authorization API: This API is a new requirement designed to streamline the prior authorization process by providing real-time information on covered services and a payer’s unique documentation requirements. The API will allow providers to determine whether a specific payer requires prior authorization for a certain item or service (excluding drugs) and to query the payer’s prior authorization documentation requirements directly from the provider’s system. The API must support a HIPAA-compliant prior authorization request and response, as described in the administrative simplification rules under 45 CFR Part 162. The API must communicate the status of the request (approval, denial with a reason, or information requested). As such, the API could facilitate quicker responses to authorization requests, including approvals and denials (with reasons), or requests for additional information. The implementation of this API is slated for January 1, 2027. Similar to the minimum federal timelines discussed above, this API does not apply to drug requests. Impacted payers that must build this API are MA organizations, state Medicaid and CHIP FFS programs, Medicaid managed care plans (MCOs), CHIP managed care entities and qualified health plan issuers on the federally facilitated Exchanges (but not on the state-based Exchanges).
- Given that there is no affirmative requirement for providers to use the Prior Authorization API when working through a prior authorization request, CMS attempts to use its enforcement authority over a subset of Medicare providers – MIPS clinicians, hospitals and critical access hospitals – by establishing new Promoting Interoperability metrics associated with electronic prior authorization, beginning with the 2027 performance period. Specifically, these providers must report a yes/no attestation or (if applicable) an exclusion to their adoption of the Prior Authorization API in their reporting to CMS.
- Other API Changes. The final rule also refines one existing API requirement and finalizes two new APIs on impacted payers:
- Patient Access API: The rule extends the existing Patient Access API to include non-drug prior authorization information by January 1, 2027. Starting January 1, 2026, impacted payers must also report annual usage metrics to CMS.
- Provider Access API: This new API facilitates care coordination by allowing in-network providers access to patient data, including claims, prescription and other drug claims, encounter data, USCDI data elements, and certain non-drug prior authorization information. Implementation is required by January 1, 2027, with an opt-out mechanism for patients.
- Payer-to-Payer API: To ensure continuity of care when a patient switches payers, this new API requires payers to make available to other payers and to enrollees available claims and encounter data, prescription and other drug claims, and certain non-drug prior authorization information, dating back five years from the date of the request to allow the new payer to receive a comprehensive view of a patient’s medical history. Educational materials explaining the benefits and opt-in process must be provided to patients.
Implications for Healthcare Providers and Patients
While it is far from clear if providers will be ready to embrace the new technological advancements, the streamlined processes and tools finalized by the new rule have the potential to significantly reduce the administrative overhead for healthcare providers, allowing them more time to focus on patient care rather than paperwork. Further, CMS estimates that this rule will result in at least $16 billion in savings, primarily for providers, over 10 years.
For patients, the benefits are twofold: quicker access to necessary medical interventions and greater transparency regarding healthcare decisions. Providers should monitor for future policies that would expand these finalized requirements to drugs.
DoseSpot simplifies the ePA process for healthcare providers with seamless integrations. Partnering with industry leaders like CoverMyMeds and Surescripts, DoseSpot delivers an integrated ePA solution that aligns effortlessly with your ePrescribing workflow. Real-time prescription benefits provide personalized treatment options, empowering both providers and patients. Plus, ePA saves valuable staff time by streamlining paperwork and improving information accuracy for better patient care. Learn more or request a demo today.
FAQs
What is the purpose of the CMS Interoperability and Prior Authorization Final Rule?
The rule is designed to enhance the interoperability of healthcare data and improve the prior authorization processes. This aims to streamline access and exchange of healthcare information among Medicare Advantage organizations, state Medicaid, CHIP programs, and other impacted payers.
Who are the impacted payers?
Impacted payers generally include Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans (managed care organizations, or MCOs), CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs). However, QHP issuers on the FFEs do not need to comply with the minimum federal timelines for adjudicating and responding to prior authorizations.
Are there new reporting requirements for impacted payers?
Yes, there are several new reporting requirements for impacted payers, including:
- Prior Authorization Metrics: Impacted payers must publicly report certain prior authorization metrics for non-drug requests annually by posting them on their websites beginning March 31, 2026. These metrics include the number of prior authorization requests received, the number of prior authorization requests denied, the average time taken to make prior authorization decisions for standard and expedited requests, the number of requests for additional information, and the number of prior authorization requests overturned upon appeal.
- Patient Access API Usage Metrics: Starting January 1, 2026, impacted payers must report annual metrics to CMS about the usage of the Patient Access API. These metrics include the number of unique users, the frequency of use, and the types of data accessed. This will help CMS monitor the effectiveness of the API and identify areas for improvement in patient data access.
When do the major provisions of this final rule come into effect?
- Prior Authorization Decision Timelines – Impacted payers (excluding QHP issuers on the FFEs) must send non-drug prior authorization decisions within 72 hours for expedited (i.e., urgent) requests and seven calendar days for standard (i.e., non-urgent) requests. This requirement begins on January 1, 2026.
- Patient Access API – Impacted payers are required to add non-drug prior authorization data to their patient access API by January 1, 2027. To assess Patient Access API usage, beginning January 1, 2026, CMS is requiring impacted payers to report annual metrics to CMs about Patient Access API usage.
- Provider Access API – This must be implemented to share patient data with in-network providers, with compliance required by January 1, 2027.
- Payer-to-Payer API – To facilitate care continuity, this API must be maintained to share relevant patient data, effective January 1, 2027.
- Prior Authorization API – Required to facilitate electronic prior authorization requests and responses, with implementation starting January 1, 2027.
How will these changes benefit patients?
Patients will benefit from faster prior authorization decisions for non-drug benefits, with urgent requests being processed within 72 hours and standard requests within seven calendar days starting January 1, 2026. This will reduce delays in receiving necessary care and improve the overall healthcare experience. Further, the APIs will enhance patients’ access to their healthcare data, allowing them to better understand and manage their care, especially regarding prior authorizations.
Do the prior authorization changes apply to drugs?
No. According to the final rule preamble (89 FR 8762), the policies for prior authorization APIs, timelines, and processes in this final rule “do not apply to drugs of any type, meaning any drugs that could be covered by the impacted payers in this final rule (for example, prescription drugs that may be self-administered, administered by a provider, or that may be dispensed or administered in a pharmacy or hospital), because the processes and standards for prior authorization of drugs differ from [the policies in this final rule].”
How do the finalized APIs apply to drugs?
The Patient Access API requires payers to send claims data related to prescription and other drug claims via the API. However, prior authorization information required to be exchanged via the Patient Access, Prior Authorization, Provider, and Payer-to-Payer APIs does not need to include information about drug prior authorization requests. CMS notes “payers may voluntarily incorporate their business rules for prior authorizations for drugs using the Prior Authorization API now being finalized in this rule.” 89 FR 8859.
What quality measures and incentives are being added for healthcare providers?
A new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians and hospitals under the Promoting Interoperability performance categories is being added. This measure would be added to the Promoting Interoperability Performance Category and address at least one medical item or service (excluding drugs) ordered by the MIPS-eligible clinician/hospital during the performance period, the prior authorization is requested electronically from a Prior Authorization API using data from CEHRT.
What standards and guides are recommended for implementing these APIs?
CMS strongly recommends the following implementation guides to reduce the burden and increase interoperability:
- HL7 FHIR CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button®) IG Version STU 2.0.0
- HL7 SMART App Launch IG Release 2.0.0 to support Backend Services Authorization
- HL7 FHIR Da Vinci Payer Data Exchange (PDex) IG Version STU 2.0.0
- HL7 FHIR Da Vinci PDex US Drug Formulary IG Version STU 2.0.1
- HL7 FHIR Da Vinci PDex Plan-Net IG Version STU 1.1.0
- HL7 FHIR Da Vinci Coverage Requirements Discovery (CRD) IG Version STU 2.0.1
- HL7 FHIR Da Vinci Documentation Templates and Rules (DTR) IG Version STU 2.0.0
- HL7 FHIR Da Vinci Prior Authorization Support (PAS) IG Version STU 2.0.1
Source: Faegre Drinker Consulting