Centers for Medicare & Medicaid Services Issues Interoperability and Prior Authorization Final Rule

By John Gibson and Robert Shaw

As part of its ongoing mission to modernize and improve the interoperability of the health care system, on January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) finalized the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) (the "Final Rule").

The Final Rule is designed to improve electronic exchange of health information and streamline prior authorization processes to advance patient access to care, ultimately contributing to better health outcomes. Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs) (the "Impacted Payers") will be subject to measures under the Final Rule designed to promote transparency around their prior authorization processes, including public disclosure of the reasoning and methodology behind denials.

Summary of Final Rule:

Application Programming Interfaces (APIs)

Starting January 1, 2027, the Impacted Payers must implement the following application programming interfaces (APIs), which will provide a technological basis for improving access to interoperable patient data and simplify the prior authorization process:

1. Patient Access API

Originally required under the CMS Interoperability and Patient Access final rule ("Patient Access Final Rule"), the Patient Access API is designed to facilitate patients with easy access to claims, encounter information, and related clinical data such as laboratory results, provider remittances, and patient cost-sharing as applicable to specific claims. To provide patients with greater transparency about payer prior authorization processes, the Final Rule requires Impacted Payers to incorporate prior authorization information into the data available under the Patient Access API.

2. Provider Access API

The Provider Access API aligns with CMS’ continued shift to value-based care models by streamlining the sharing of patient data between in-network providers. Also subject to the required technical standards in the Patient Access Final Rule, the Provider Access API is designed to give providers access to patient data from payers necessary to better coordinate the provision of care, including individual claims and encounter data (without provider remittances and enrollee cost-sharing information); data classes and data elements in the United States Core Data for Interoperability (USCDI); and specified prior authorization information (excluding those for drugs).

3. Payer-to-Payer API

To preserve continued access to care, the Payer-to-Payer API is designed to facilitate the exchange of patient data when a patient moves between payers, including information such as adjudicated claims, encounter data and certain information about the patient’s prior authorizations. Impacted Payers must obtain permission from new patients to request data from a patient’s previous payer, which must occur no later than 1 week from the start of coverage or at the patient’s request. Impacted Payers that provide concurrent coverage of a patient must exchange the patient’s data at least quarterly to ensure a complete record for such patient.

4. Prior Authorization API

Lastly, the Final Rule finalizes the Prior Authorization API, which will permit providers to determine in a timely manner the items and services for which specific payers require prior authorization, including enabling providers to query the payer’s prior authorization requirements directly form the provider’s system.

The Final Rule also finalizes specific technical standards that are applicable to each API, which can be found in detail via the link below.

Requirements for Prior Authorization Process

Effective January 1, 2026, Impacted Payers must comply with new requirements for their prior authorization processes:

  • Impacted Payers must send notices to providers when they make prior authorization decisions, including a detailed explanation for denials, when applicable.
  • Impacted Payers must respond to prior authorization requests within 72 hours for expedited requests (urgent) and seven calendar days for standard requests (non-urgent).
  • To promote transparency, Impacted Payers must publicly report certain metrics about their prior authorization processes. The initial set of metrics must be reported by March 31, 2026.

Electronic Prior Authorization for MIPS Eligible Clinicians and Hospitals

The Final Rule also incentivizes adoption of the Prior Authorization API among MIPS eligible clinicians, eligible hospitals, and critical access hospitals by adding a new "Electronic Prior Authorization" category under the Health Information Exchange (HIE) objective in the MIPS Promoting Interoperability performance category and the Medicare Promoting Interoperability Program, which will begin with the calendar year 2027 performance period/2029 MIPS payment year and the calendar year 2027 electronic health record reporting period. Eligible providers may report a yes/no attestation to satisfy this new category.

The Final Rule is available on the Federal Register here.

The CMS fact sheet for the Final Rule is available here.

If you have questions about the CMS Interoperability and Prior Authorization Final Rule, please contact Robert Shaw or John Gibson, or the Smith Anderson lawyer with whom you currently work.



Jump to Page

This website uses cookies to enhance your browsing experience and improve functionality. To learn more, you may view our Privacy Policy. By continuing to browse Smith Anderson's website, you are accepting our use of cookies in accordance with our privacy policy.