On December 13, 2022, the Centers for Medicare and Medicaid Services (“CMS”) issued a proposed rule, titled Advancing Interoperability and Improving Prior Authorization Processes (“Proposed Rule”), to improve patient and provider access to health information and streamline processes related to prior authorizations for medical items and services. We provided key information about that proposed rule on our website here. Then, on January 17, 2024, CMS issued a final rule, titled CMS Interoperability and Prior Authorization (“Final Rule”), which affirms CMS’ commitment to advancing interoperability and improving prior authorization processes.

Once the final rule is published in the Federal Register on February 8, 2024, it can be accessed here. The payers impacted by the Final Rule include Medicare Advantage (“MA”) organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) agencies, Medicaid and CHIP managed care plans, and plans on the Affordable Care Act exchanges (collectively, “Impacted Payers”). Merit-based Incentive Payment System (“MIPS”) eligible clinicians, operating under the Promoting Interoperability performance category of MIPS, and eligible hospitals and critical access hospitals (“CAHs”), operating under the Medicare Promoting Interoperability Program, are impacted by the Final Rule, as well.

In this blog, we will highlight the similarities and differences between the Proposed Rule and the Final Rule to shed some light on CMS’ latest priorities related to advancing interoperability and improving prior authorization processes.

Patient Access API

The Proposed Rule would have required Impacted Payers to implement and maintain a Patient Access Application Programming Interface (“API”) to provide patients with valuable access to certain health records. After receiving stakeholder input, CMS has finalized its proposal to require Impacted Payers to provide patients access to certain information including claims, cost sharing data, encounter data, and a set of clinical data that can be accessed via health applications. CMS believes this access will improve care coordination efforts and access to appropriate care. CMS has also finalized its proposal to include information about prior authorization requests and decisions regarding care and coverage through the Patient Access API. The Final Rule requires the Patient Access API to have patient data available for the patient’s application but does not require the Patient Access API to push the information to the patient. CMS hopes to improve continuity of patient care by having centralized patient data accessible through the Access API.

Impacted Payers must implement this requirement by January 1, 2027. This is a change from the Proposed Rule, which proposed to have the requirement take effect on January 1, 2026. Impacted Payers will be required to submit annual Patient Access API usage data metrics to CMS beginning January 1, 2026.

Provider Access API

The Proposed Rule provided that Impacted Payers must build and maintain a Provider Access API to improve continuity of care and to assist with the move towards value-based payment models, as well as to facilitate the sharing of patient data with in-network providers. Impacted Payers are required to make claims and encounter data, data classes and data elements in the United States Core Data for Interoperability (“USCDI”) and specified prior authorization information, including the quantity of items or services, available to providers through the Provider Access API. However, the requirement for prior authorization information does not extend to prior authorizations for drugs. The Proposed Rule also required Impacted Payers to provide a mechanism to allow for patients to opt out of providing their health data to the Provider Access API. Impacted Payers are required to inform their patients of the benefits of data sharing on the Provider Access API and allow patients to opt out of sharing their data on the exchange. 

After receiving stakeholder input, CMS decided to finalize its original proposal with the modification to not require Impacted Payers to share the quantity of items or services under a prior authorization. In response to comments, CMS finalized the rule to require the patient opt out policy and patient educational resources to use “plain language” as compared to the “non-technical, simple, and easy-to-understand language” from the Proposed Rule. CMS recommends that Impacted Payers create granular controls to allow patients to opt out of making data available to specific providers.

Impacted Payers must implement this requirement by January 1, 2027. This is a change from the Proposed Rule, which proposed to have the requirement take effect on January 1, 2026.

Payer-to-Payer API

The Proposed Rule required Impacted Payers to implement and maintain a Payer-to-payer API using the Fast Healthcare Interoperability Resources (“FHIR”) standard to ensure patients can maintain continuity of care and have uninterrupted access to their health data. This standard will achieve greater uniformity and will ultimately lead to payers having more complete and continuous patient information available to share with patients and providers even as patients move across different providers and payers.

After receiving stakeholder input, CMS decided to finalize this proposal with the modification that Impacted Payers are required to maintain and exchange five years of patient data from date of service instead of the patients’ entire health record. Under the Final Rule, Impacted Payers would not be responsible for a patient’s entire medical history. This is meant to alleviate significant burdens on Impacted Payers without jeopardizing care continuity and continuations of prior authorizations.

The Final Rule requires that Impacted Payers make available claims and encounter data (excluding provider remittances and patient cost-sharing information), all data classes and data elements included in the USCDI and information about prior authorizations (excluding those for drugs) available on the Payer-to-payer API. The required standards for the Payer-to-payer API are:

  • HL7 FHIR Release 4.0.1 at 45 CFR 170.215(a)(1);
  • US Core IG STU 3.1.1 at 45 CFR 170.215(b)(1)(i); and
  • Bulk Data Access IG v1.0.0: STU 1 at 45 CFR 170.215(d)(1). 

CMS encourages all payers, that are not Impacted Payers subject to the Final Rule, to consider also implementing the Payer-to-payer API so that all participants in the U.S. healthcare system can benefit from the data exchange to better facilitate continuity of care.

Impacted Payers must implement this requirement by January 1, 2027. This is a change from the Proposed Rule, which proposed to have the requirement take effect on January 1, 2026. 

Prior Authorization API

In the Proposed Rule, CMS proposed to require Impacted Payers to build and maintain a FHIR Prior Authorization Requirements, Documentation, and Decision (“PARDD”) API, which would:

  • Use technology in conformance with certain standards and implementation specifications in 45 CFR 170.215;
  • Be populated with the Impacted Payer’s list of covered items and services for which prior authorization is required and accompanied by any documentation requirements;
  • Be able to determine requirements for any other data, forms, or medical record documentation required by the Impacted Payer for the items or services for which the provider is seeking prior authorization and while maintaining compliance with the mandatory Health Insurance Portability and Accountability Act (“HIPAA”) transaction standards; and
  • Ensure that Impacted Payer responses include information regarding whether or not the Impacted Payer approves the request with the date or circumstance under which the authorization ends, whether the Impacted Payer denies the request with the specific reason for denial, or whether the Impacted Payer requests more information from the provider to support the prior authorization request.

However, CMS noted that its proposal did not apply to drugs of any type that could be covered by an Impacted Payer and its proposal did not modify or hinder the HIPAA rules in any way.

After receiving stakeholder input, CMS decided to finalize this proposal as is, but CMS noted that the Department of Health and Human Services will be announcing the use of its enforcement discretion for the HIPAA X12 278 prior authorization transaction standard with leeway for covered entities that comply with the Final Rule. Specifically, CMS stated that covered entities that implement an all-FHIR-based Prior Authorization API pursuant to the Final Rule without the X12 278 standard as part of their API implementation will not bear enforcement under HIPAA Administrative Simplification. 

Impacted Payers must implement this requirement by January 1, 2027. This is a change from the Proposed Rule, which proposed to have the requirement take effect on January 1, 2026.

Improving Prior Authorization Processes

Prior Authorization Time Frames

In the Proposed Rule, CMS proposed to require Impacted Payers, not including plans on the Affordable Care Act exchanges, to send prior authorization decisions within 72 hours for expedited requests and seven calendar days for standard requests. CMS also sought comment on alternative timeframes with shorter turnaround times, such as 48 hours for expedited requests and five calendar days for standard requests. CMS noted that it wanted to learn more about the technological and administrative barriers that may prevent Impacted Payers from meeting shorter timeframes.

After receiving stakeholder input, CMS decided to finalize its original proposal by requiring Impacted Payers, excluding qualified health plan issuers on federal facilitated exchanges, to send prior authorization decisions for expedited requests within 72 hours and prior authorization decisions for standard requests within seven calendar days. These timeframes are significantly shorter than existing timeframes. For example, Medicare Advantage organizations must provide a standard prior authorization decision notice within 14 calendar days.

As proposed in the Proposed Rule, Impacted Payers are required to comply with this requirement by January 1, 2026.

Denial Reason

In the Proposed Rule, CMS proposed to require Impacted Payers to include a specific reason when they deny a prior authorization request, regardless of the method used to send the prior authorization decision. By doing this, CMS aimed to facilitate better communication and understanding between the provider and Impacted Payer and, if necessary, a successful resubmission of prior authorization requests. CMS also noted that the Proposed Rule would reinforce existing Federal and state requirements to notify providers and patients when an adverse decision is made about a prior authorization request and that the Proposed Rule would simplify the notification process by allowing the Impacted Payers to send the notification through the consolidated PARDD API system.

After receiving stakeholder input, CMS decided to finalize its proposal to require Impacted Payers to provide a specific reason for denied prior authorization decisions, regardless of the method used to send the prior authorization request. CMS emphasized that the decisions may be communicated via portal, fax, email, mail, or phone, although it stated that nothing in the Final Rule will change existing written notice requirements. CMS also underlined the fact that this provision does not apply to prior authorization decisions for drugs, as it explained in the Prior Authorization API section of the Final Rule.

As proposed in the Proposed Rule, payers are required to comply with this requirement by January 1, 2026.

Prior Authorization Metrics

In the Proposed Rule, CMS proposed to require Impacted Payers to publicly report certain prior authorization metrics by posting them directly on the Impacted Payer’s website or via publicly accessible hyperlinks on an annual basis. CMS specifically included the following metrics in that proposal:

  • A list of all items and services that require prior authorization;
  • The percentage of standard prior authorization requests that were approved, aggregated for all items and services;
  • The percentage of standard prior authorization requests that were denied, aggregated for all items and services;
  • The percentage of standard prior authorization requests that were approved after appeal, aggregated for all items and services;
  • The percentage of prior authorization requests for which the timeframe for review was extended, and the request was approved, aggregated for all items and services;
  • The percentage of expedited prior authorization requests that were approved, aggregated for all items and services;
  • The percentage of expedited prior authorization requests that were denied, aggregated for all items and services;
  • The average and median time that elapsed between the submission of a request and determinations by Impacted Payers, for standard prior authorizations, aggregated for all items and services; and
  • The average and median time that elapsed between the submission of a request and decisions by Impacted Payers for expedited prior authorizations, aggregated for all items and services.

After receiving stakeholder input, CMS decided to finalize its proposal to require Impacted Payers to publicly report certain prior authorization metrics without any changes.

As proposed in the Proposed Rule, Impacted Payers are required to report the initial set of metrics by March 31, 2026.

Electronic Prior Authorization Measure for MIPS Eligible Clinicians and Eligible Hospitals and Critical Access Hospitals

In the Proposed Rule, CMS proposed to require MIPS eligible clinicians, operating under the Promoting Interoperability performance category of MIPS, as well as eligible hospitals and CAHs, operating under the Medicare Promoting Interoperability Program, to report the number of prior authorizations for medical items and services – but not drugs — that they request electronically from a PARDD API using data from certified electronic health record technology.

After receiving stakeholder input, CMS decided to finalize its proposal to require the reporting. In the Final Rule, CMS stated that MIPS eligible clinicians will have to attest “yes” to requesting a prior authorization electronically via a Prior Authorization API and using data from certified electronic health record technology for at least one medical item or service ordered during the CY 2027 performance period or, if applicable, report an exclusion. CMS also stated that eligible hospitals and CAHs will have to do the same for at least one hospital discharge and medical item or service ordered during the 2027 electronic health record reporting period or, if applicable, report an exclusion.

CMS expects the Final Rule to improve coordination of care and to create further movement toward a value-based care system. CMS also encourages affected entities to meet the requirements in the Final Rule as soon as possible.