The CMS Interoperability and Prior Authorization final rule was published in the Federal Register on February 8, 2024. The rule creates significant new obligations and deadlines requiring the following payers to update their processes for prior authorization and the electronic exchange of health information:
- Medicare Advantage Organizations (MAOs);
- Medicaid managed care organizations (Medicaid MCOs);
- CHIP managed care entities;
- Medicaid and CHIP fee-for-service programs; and
- issuers of Qualified Health Plans (QHPs) offered on the Federally-Facilitated Exchanges (FFEs).
For purposes of this post, we will refer to these impacted payers, collectively, as “Payers.”
Key Changes
Prior Authorization. The final rule provides new deadlines for Payers to make prior authorization decisions. Specifically, with the exception of QHP issuers on the FFEs, Payers must make prior authorization decisions within (i) 72 hours of receiving an expedited request [1]; and (ii) seven days of receiving a non-expedited request (with possible extensions of up to 14 days under certain circumstances). Payers also are required to include a specific reason for denying a prior authorization request and to publicly report prior authorization metrics to promote transparency. These obligations will commence in 2026, with specific start dates varying by Payer type. The final rule also clarifies (effective April 8, 2024) certain Medicaid beneficiary notice and fair hearing regulations that apply to Medicaid prior authorization decisions.
Application Programming Interfaces. To facilitate a more efficient data exchange process between providers requesting authorization and Payers, the latter will be required to develop a prior authorization application programming interface (API). In addition, Payers must (i) expand their current Patient Access API [2] to include information about prior authorizations, and (ii) implement a Provider Access API that allows providers to retrieve their patients’ data with respect to claims, encounters, clinical data, and prior authorization requests. Payers also are required to exchange, with patient permission, much of the same data using a new Payer-to-Payer API when a patient moves between, or has multiple, Payers. The compliance dates for the expanded and new API requirements were extended from 2026 in the proposed rule to 2027 in the final rule, with specific compliance dates again varying by Payer type.
Incentive Payment Measures. To promote Prior Authorization API adoption, implementation and use, the final rule adds a new “Electronic Prior Authorization” measure for the Merit-based Incentive Payment System (MIPS) starting in the CY 2027 performance period/2029 MIPS payment year. To meet the minimum requirements of the measure, MIPS-eligible clinicians must request at least one prior authorization via a Prior Authorization API using data from certified electronic health record technology (CEHRT) or claim an exclusion. Otherwise, the clinician will receive a zero for the Promoting Interoperability performance category, which generally is worth 25 percent of the total final score for MIPS. CMS is adding a similar measure under the Medicare Promoting Interoperability Program for certain eligible hospitals and Critical Access Hospitals. The measure will be met if the relevant hospital requests an electronic prior authorization for at least one hospital discharge and one medical item or service beginning with the 2027 electronic health record reporting period. If these requests are not made, the hospital will not be considered a meaningful user of CEHRT and will be subject to a downward payment adjustment.
Key Takeaways
- Payers should immediately begin analyzing their obligations under the new rule. Payers will need to plan and budget for timely compliance with the new and/or expanded Patient Access, Prior Authorization, Provider Access, and Payer-to-Payer API requirements. Toward this end, Payers likely will need to recruit and train staff, update or build out current APIs, update operational procedures, and complete required testing—all within a relatively short timeframe.
- CMS continues to promote the electronic exchange of data to enhance care coordination and patient access. The final rule builds on CMS’s May 1, 2020 Interoperability and Patient Access final rule, as well as HHS-ONC’s December 2023 Health Data, Technology, and Interoperability final rule (“HTI-1”) (which was summarized by the Dentons AI Advisory Team). Looking to the future, CMS signals in the preamble to the final rule its intent to further evaluate how the rule’s policies could apply in the Medicare fee-for-service context.
- Providers and patients should benefit from the new APIs. The new Prior Authorization API should allow providers to more easily (i) determine when a particular Payer requires prior authorization and (ii) comply with the Payer’s associated documentation requirements. This, in turn, should streamline the prior authorization process and help reduce a significant source of administrative burden for providers. The enhanced Patient Access API holds similar promise. While CMS acknowledges that the utilization of APIs will depend on many factors, including consumer familiarity and preference, the agency appears committed to taking concrete steps to promote, and track, usage of the new APIs, including through the introduction of new electronic prior authorization measures in the MIPS Promoting Interoperability and Medicare Promoting Interoperability Program.
- CMS’s focus on prior authorization is multi-pronged and part of a larger policy initiative. Importantly, MAOs will be implementing these new regulatory requirements against a background of changing obligations relating to prior authorization more generally, as set forth in (i) 42 C.F.R. § 422.112(b)(8)(i)(A) and 42 C.F.R. § 422.138 of the April 12, 2023 final MA and Part D rule, and (ii) new CMS guidance. Implementation of this final rule also will occur against the backdrop of increased provider and Congressional calls for greater transparency in the prior authorization process.
[1] This already was a requirement for (i) MAOs, 42 C.F.R. § 422.572(a)(1), (ii) Medicaid MCOs, 42 C.F.R. § 438.210(d)(2)(i), and (iii) CHIP managed care entities, 42 C.F.R. § 457.1230(d).
[2] The Patient Access API is already required under CMS’s 2020 Interoperability and Patient Access final rule.