Skip to main content

What the CMS Prior Authorization Rule Means for Healthcare Payers

By John Zimmerer, VP of Healthcare Marketing at Smart Communications

It took a little longer than I expected, but on January 17, 2024, the Centers for Medicare and Medicaid Services (CMS) issued its final rule regarding data interoperability and prior authorizations (PAs).  

In this article, I address some of the most frequently asked questions about the final rule, and what I see as key takeaways for health payers. Plus, learn how leading customer communications management (CCM) solutions can help you comply with new, and existing, regulations. 

Past Is Prologue for the CMS Prior Authorization Rule

In December of 2022, CMS issued a proposed rule, “that would improve patient and provider access to health information and streamline processes related to prior authorization for medical items and services.” 

To improve access to health information, CMS proposed payers adopt Health Level 7® (HL7®) Fast Healthcare Interoperability Resources® (FHIR®) standards and publish new or updated patient and provider application programming interfaces (APIs). The proposed rule also outlined an electronic prior authorization process that would require payers to determine and communicate a decision within 72 hours (expedited PAs) or seven calendar days (standard PAs) and include a specific reason with any denial. 

It took CMS just over one year to release the final rule. I’m sure that the lag was due in no small part to the large volume of correspondence they received about the proposed rule. CMS had to parse nearly 900 letters “with hundreds of individual comments specific to the importance of the topic of prior authorization and the critical timing of addressing this issue.” 

Who Is Affected by the CMS Prior Authorization Final Rule? 

Many US health payers and plans (and a few types of providers) are subject to the final rule, including: 

  • Medicare Advantage Organizations (MAOs)
  • Medicaid managed care plans
  • Children’s Health Insurance Program (CHIP) fee-for-service plans
  • Qualified Health Plan (QHP) Issuers on the Federally-facilitated Exchanges (FFE) 

What Are the CMS Prior Authorization Final Rule Compliance Deadlines? 

Most of the implementation deadlines are January 1, 2027, including the Patient Access API, Provider Access API, Payer-to-Payer API. However, beginning January 1, 2026 (or plan years beginning on or after that date for QHP issuers on the FFEs), impacted payers will be required to annually report “certain metrics about patient access requests made via the Patient Access API.” These metrics include: 

  • The number of prior authorizations requested by type (expedited/standard);
  • The average time between submission and decision; and
  • ​​​​​​​The percentage of prior authorizations approved, denied, and approved after appeal. 

Which Prior Authorizations Are Impacted by the Final Rule? 

Prior authorizations for things like medical services and equipment are subject to the final rule. Prior authorizations for medications are specifically carved out of the final rule. CMS didn’t provide a reason (that I could find) for specifically excluding things like specialty pharmacy prior auths. 

What Is the ‘Plain Language’ Requirement in the Final Rule? 

CMS has mandated that payers communicate several things in “plain language”, including: 

  • The reason for denying a prior authorization
  • ​​​​​​​The benefits to patients of API data exchange with their providers 
  • The benefits of Payer-to-Payer API data exchange 
  • The ability for patients to opt in or out of certain data exchanges and how to do it
  • Explaining the process for requesting patient data using the Provider Access API 

CMS encourages impacted payers to follow the Federal Government’s plain language guidelines available at the website. CMS “did not propose standardized denial codes or a specific set of denial reasons for payers to use.” Instead, they referred to the X12 Service Review Decision Reason Codes, which I find interesting for a few reasons. 

For one, even though they’ve been in use for a long time, I wouldn’t consider the X12 codes to meet the “plain language” test. And throughout the final rule document, CMS appears to be leaning away from X12 in favor of FHIR. For example, CMS refers to the HL7 FHIR Da Vinci Prior Authorization Support (PAS) implementation guide, which maps between FHIR and X12 transactions. Talk about emerging standards: As of this writing, that standard is in the trial use stage. I’m willing to bet it will be finalized relatively quickly, though, given the final rule deadlines. 

What Else Is Included in the Prior Authorization Final Rule? 

Quite a bit, considering it’s over 700 pages! I've expanded on some highlights below. 

Impacted payers must establish and maintain a process that allows patients to opt out of data exchange via the Provider Access API, including allowing patients to change their permissions at any time. If there’s one thing providers have proven they’re not good at, it is preference management, so this will be a challenge. 

Impacted payers are required to provide “educational resources in plain language” to patients about the Provider Access API. This must include: 

  • Information about the benefits of API data exchange with provider
  • The patients’ opt out rights
  • Instructions for both opting out of data exchange and for subsequently opting in 

“Impacted payers must make this information available to patients before the first date on which the payer makes their information available via the Provider Access API, no later than one week after the start of coverage, and at least annually. These resources must also be available in an easily accessible location on payers’ public websites.”  

Furthermore, “impacted payers must provide on their website and through other appropriate provider communications, information in plain language explaining the process for requesting patient data using the Provider Access API. The resources must include information about how to use the payers’ attribution process to associate patients with their providers.” 

Payers will need to be able to provide prior authorization information, including “related administrative and clinical documentation”, “while the prior authorization is active and for one year after the last status change”. Payers will also be required to maintain five years’ worth of prior authorization history. 

For additional information, you might want to check out the overview presentation from CMS

How Can Smart Communications Help Payers Comply with the CMS Prior Authorization Final Rule? 

There are a few ways Smart Communications can help you meet the requirements of the CMS final rule. 

First, we can help you meet the communication-related requirements, particularly the explanatory and educational communications that will need to be sent to patients, providers and members. SmartCOMM™ would be a great choice for this use case. It’s perfect for high-volume communications like these and it has content analysis tools built in to make sure you’re using plain language. And, with our large and growing list of prebuilt integrations, you can connect it to your enterprise architecture to generate and send communications on demand over the member’s preferred channel. 

If your current prior authorization solutions won’t be enough to handle some of the new requirements, particularly when PAs can’t be auto approved and you need something to manage the back-and-forth between provider and payer, then our SmartIQ™ software might be able to help. It’s particularly good at managing workflows and tracking the metrics you’ll need to start reporting in 2026. 

If you’d like to know more about how we and our partners can help meet the new prior authorization requirements, get in touch with us. We’re here for you.

About the Author
John Zimmerer is the Vice President of Vertical Marketing, Healthcare at Smart Communications, where he acts as a subject matter expert on the digital transformation of customer communications and data-centric, often form-based workflows. Most recently, John has been researching and writing about improving customer experience in healthcare and is regarded as a thought leader in this area. John has over 20 years of software product marketing experience. His areas of expertise include market research, analyst relations, public relations and digital marketing.