CMS Issues Interoperability and Prior Authorization Final Rule

Client Alert | 7 min read | 01.31.24

On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) issued the Interoperability and Prior Authorization Final Rule (Final Rule), which establishes requirements applicable to certain impacted payers which are intended to improve the electronic exchange of health information and prior authorization processes. The application programming interface (API) requirements will take effect January 1, 2027, while the operational provisions will take effect January 1, 2026. CMS has issued a helpful slide deck summarizing the Final Rule.

We provide our key takeaways below, followed by a summary of the Final Rule’s provisions.

Takeaways

  • While many payers are still focused on adoption of the 2020 interoperability requirements (the “2020 Requirements”) and there is limited use of the APIs included in the 2020 Requirements, CMS is continuing to push payers to provide patients, providers, and other payers additional access to data via standardized, Health Level Seven International® (HL7) Fast Healthcare Interoperability Resources (FHIR)-based APIs. Impacted payers have until January 1, 2027 to implement these API requirements, but based on prior experience, it will take significant effort for the payers to develop the technology, policies and practices to meet the additional compliance obligations.
  • Payers should keep in mind that, although not currently required, CMS highly encourages compliance with the Implementation Guides (IGs) identified in the Final Rule that support consistent implementation of the adopted standards and has underscored that the IGs will likely be mandated in the future. Therefore, impacted payers should consider alignment with the IGs in their implementation and closely follow updates to these IGs.
  • CMS has stated that payers that implement FHIR-based Prior Authorization APIs as part of their API implementation can use them instead of the HIPAA X12 278 standard under the HIPAA Transaction Rule.

Summary of the CMS Final Rule

  1. APIs
    In the Final Rule, CMS builds on the previously adopted API requirements, including requirements for additional information that certain payers must provide via the Patient Access API and new requirements for certain payers to implement three additional APIs: Provider Access API, Payer-to-Payer API, and Prior Authorization API. CMS is also requiring a number of standards and implementation specifications to apply to each API. Payers subject to these requirements are Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs), (collectively “impacted payers”).
    • Patient Access API: Beginning January 1, 2026, CMS is requiring impacted payers to report annual metrics to CMS about Patient Access API usage. By January 1, 2027, CMS is requiring impacted payers to add certain information about prior authorizations to the data available via that Patient Access API. This does not include prior authorization for prescription drugs. CMS stated that it is looking into applying requirements for prior authorization to prescription drugs that would be covered as part of medical services for future policy making.
    • Provider Access API: By January 1, 2027, CMS is requiring that impacted payers implement and maintain a Provider Access API to share patient data with in-network providers with whom the patient has a treatment relationship. The data that must be made available is individual claims and encounter data (without provider remittances and enrollee cost-sharing information); data classes and data elements in the United States Core Data for Interoperability (USCDI); and specified prior authorization information (excluding those for drugs). CMS is also requiring impacted payers to maintain a process to associate patients with their treating providers (in-network or enrolled) and to allow patients to opt-out of data sharing with providers under these requirements.
    • Payer-to-Payer API: By January 1, 2027, CMS is requiring that impacted payers implement and maintain a Payer-to-Payer API to make available to certain other payers, at the member’s discretion, claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the USCDI and information about certain prior authorizations (excluding those for drugs). Impacted payers are only required to share patient data with a date of service within five years of the request for data. Also, CMS confirmed that the exchange must be ongoing for concurrent members, meaning that if a member is enrolled in two or more plans at the same time, the payers must continue to exchange information. Otherwise, if a member changed coverage, only one payer-to-payer exchange is required. Finally, CMS confirmed that members must opt in to payer-to-payer information sharing.
    • Prior Authorization API: By January 1, 2027, CMS is requiring impacted payers to implement and maintain a Prior Authorization API to automate the prior authorization process for providers. Information provided through the Prior Authorization API must include a list of covered items and services and documentation requirements for prior authorization approval. This API must support a request for prior authorization and a response, including whether the payer approves the prior authorization request, denies the prior authorization request, or requests more information.

      We note that CMS requires compliance with specified FHIR standards for the Patient, Provider, Payer-to-Payer, and Prior Authorization APIs, and identifies implementation guides (IGs) that align with these standards. CMS notes that the IGs are important to support interoperability, but, as noted above, only recommends, rather than requires, that impacted payers follow these IGs at this time.

      Finally, CMS stated that it will be announcing enforcement discretion for all HIPAA covered entities, not just payers subject to this Final Rule, which are required to use the X12 278 prior authorization standard under the HIPAA Transaction Rule, if they implement FHIR-based APIs as part of their API implementation.
  2. Improving Prior Authorization Processes
    CMS is requiring most impacted payers to send prior authorization decisions within 72 hours for expedited (i.e., urgent) requests and seven calendar days for standard (i.e., non-urgent) requests. CMS states that whether a request is expedited or standard should be indicated by the provider and there is a marker in the prior authority IG. CMS also clarifies that at this time, there is no mandated standard for attachments and it will be up to payers to decide what documentation should be attached to a prior authorization decision. Beginning January 1, 2026, CMS is requiring payers to provide a specific reason for denied prior authorization decisions (other than decisions relating to prescription drugs), regardless of the method used to send the prior authorization request. Beginning March 31, 2026, CMS is also requiring impacted payers to publicly report certain prior authorization metrics annually by posting them on their website.
  3. Electronic Prior Authorization Measures
    CMS is adding a new measure, titled “Electronic Prior Authorization,” to the Health Information Exchange (HIE) objective for the Merit-based Incentive Payment System (MIPS) Promoting Interoperability performance category and the Medicare Promoting Interoperability Program. MIPS eligible clinicians will report the Electronic Prior Authorization measure beginning with the Calendar Year (CY) 2027 performance period/CY 2029 MIPS payment year and eligible hospitals and critical access hospitals (CAHs) beginning with the CY 2027 Electronic Health Record (EHR) reporting period. This will be an attestation measure, for which the MIPS eligible clinician, eligible hospital, or CAH reports a yes/no response if the MIPS eligible clinician, eligible hospital or CAH used the Prior Authorization API to submit at least one prior authorization request electronically or claims an applicable exclusion. CMS explained that providers that do not have to submit prior authorizations as part of their practice, or because they are part of a gold card program, would meet an exemption from this new measure.

Conclusion

The Crowell team encourages impacted payers to develop a roadmap for implementation and assign teams that can ensure that these APIs are implemented effectively, timely, and in accordance with the requirements. We are closely watching these requirements and applicable guidance. For assistance with compliance or for more information, please contact the professionals listed below, or your regular Crowell contact.
