What the Prior Authorization Proposed Rule Means for Payers

Patient Data Exchange Proposals

The Interoperability and Patient Access final rule finalized a policy requiring certain payers to implement a Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Patient Access Application Programming Interface (API).

The proposed rule would require payers to include information about patients’ prior authorization decisions in the Patient Access API no later than one business day after the payer receives the request. This would help patients understand their payer’s prior authorization process and how it could impact their care.

Payers would also have to report annual metrics about patient use of the Patient Access API to CMS, including the number of patients whose data is transferred via the API to a patient’s health app and the number of patients whose data is transferred more than once.

If the rule is finalized, payers must create a Provider Access API to share patient data with in-network providers. In-network providers must be able to access patient claims and encounter data, data elements included in the United States Core Data for Interoperability (USCDI) version 1, and prior authorization requests and decisions.

The proposal requires payers to provide an option for patients to opt out of making their data available to providers through the API. Payers would also have to provide educational resources to patients and providers explaining how to properly navigate the API.

In addition to facilitating data access for patients and providers, the proposed rule would require payers to exchange information with other payers in certain circumstances. Payers would be required to implement a FHIR API to share claims and encounter data and prior authorization data when a patient changes health plans.

New payers would have to request patient data from the previous payer within one week of the start of coverage, and previous payers must provide the data within one day of receiving the request.

This exchange will only be required if the patient grants the payers permission.

If a patient has concurrent coverage with multiple payers, the payer must make the patient’s data available to the concurrent payer at least quarterly.

Where a patient has concurrent coverage with two or more payers, the impacted payers would be required to make the patient’s data available to the concurrent payer at least quarterly.

If the rule is finalized, payers must comply with the API requirements starting January 1, 2026.

Prior Authorization Proposals

The proposals focused on prior authorization aim to reduce payer and provider burden associated with the process and improve the patient experience by minimizing care delays.

First, payers would be required to build and maintain a prior authorization requirements, documentation, and decision (PARDD) API to automate the process for providers to determine if a prior authorization is necessary by providing a list of covered items and services.

The FHIR PARDD API would also identify prior authorization information and document requirements and communicate prior authorization decisions. This proposal would not modify HIPAA rules or impact the use of the current adopted standard for prior authorization transactions, CMS noted.

The proposed rule would require payers to include a specific reason when they deny a prior authorization request, regardless of the method used to send the decision. Payers must also share request approvals and the approval lengths or if they require more information. The proposal aims to facilitate better communication between providers and payers and allow for successful request resubmissions.

In addition, CMS has proposed to require payers to send standard prior authorization decisions within seven days and expedited decisions within 72 hours. The agency is seeking feedback on alternative time frames with shorter turnaround times.

Payers would also have to publicly report aggregated data about their prior authorization process annually, including the percent of requests approved, denied, and approved after appeal, and the average time between submission and decision. This data should be posted directly on the payer’s website or via publicly accessible hyperlinks.

The prior authorization policies would take effect on January 1, 2026. The first set of proposed metrics would have to be reported by March 31, 2026.

Provider Requirements

CMS proposed adding an electronic prior authorization measure to the Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS). This proposal would impact MIPS-eligible clinicians, eligible hospitals, and critical access hospitals (CAHs).

The providers would have to report the number of prior authorizations requested electronically from a PARDD API using data from a certified EHR technology (CEHRT).

This measure would go into effect starting calendar year (CY) 2026 when it will be a required but unscored measure. CMS has proposed developing a scoring methodology in subsequent rulemaking for CY 2027 and beyond.

Requests for Information

The proposed rule included several requests for information (RFIs). One RFI seeks feedback on the barriers to adopting standards related to social risk factor data and ways to accelerate the adoption of these standards.

The rule also seeks comments on improving the electronic exchange of behavioral health information and the exchange of patient health data in the Medicare fee-for-service program.

Finally, CMS issued RFIs on the Trusted Exchange Framework and Common Agreement (TEFCA) version 1 and evidence-based policies that leverage health IT, data sharing, and interoperability to improve maternal health.