Seismic waves were felt across health plans this week with the finalization of the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F). The rule sets requirements for Medicare Advantage (MA) organizations and several other “impacted payers”, to improve the electronic exchange of health information and prior authorization processes for medical items and services. The anticipated financial impact will result in approximately $15 billion of estimated savings over ten years.
The changes require the use of APIs to automate process for government payer types to increase efficiency, improve coordination of care and outcomes for members. This final rule streamlines the prior authorization process and will slash authorization decisions to 72 hours for expedited and 7 calendar days for standard requests. All prior authorization requests will require a specific reason for denying a request to facilitate the appeals process. The big kicker here is that plans are also required to publicly report prior authorization metrics. These changes require immediate planning to impacted payors to meet compliance requirements, system configuration, training, and operations.
This final rule includes the following provisions:
Patient Access API
In the CMS Interoperability and Patient Access final rule, we required impacted payers to implement an HL7® FHIR® Patient Access API. In this final rule, we are requiring impacted payers to add information about prior authorizations (excluding those for drugs) to the data available via that Patient Access API. In addition to giving patients access to more of their data, this will help patients understand their payer’s prior authorization process and its impact on their care. This requirement must be implemented by January 1, 2027.
To assess Patient Access API usage, beginning January 1, 2026, we are requiring impacted payers to report annual metrics to CMS about Patient Access API usage.
Provider Access API
To facilitate care coordination and support movement toward value-based payment models, we are requiring that impacted payers implement and maintain a Provider Access API to share patient data with in-network providers with whom the patient has a treatment relationship. Impacted payers will be required to make the following data available via the Provider Access API: individual claims and encounter data (without provider remittances and enrollee cost-sharing information); data classes and data elements in the United States Core Data for Interoperability (USCDI); and specified prior authorization information (excluding those for drugs).
We are also requiring impacted payers to maintain an attribution process to associate patients with in-network or enrolled providers with whom they have a treatment relationship and to allow patients to opt out of having their data available to providers under these requirements. Impacted payers will be required to provide plain language information to patients about the benefits of API data exchange with their providers and their ability to opt out.
These requirements must be implemented by January 1, 2027.
To support care continuity, we are requiring that impacted payers implement and maintain a Payer-to-Payer API to make available claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the USCDI and information about certain prior authorizations (excluding those for drugs). Impacted payers are only required to share patient data with a date of service within five years of the request for data. This will help improve care continuity when a patient changes payers and ensure that patients have continued access to the most relevant data in their records.
We are also finalizing an opt-in process for patients to provide permission under these requirements. Impacted payers are required to provide plain-language educational resources to patients that explain the benefits of the Payer-to-Payer API data exchange and their ability to opt in.
These requirements must be implemented by January 1, 2027.
Prior Authorization API
We are requiring impacted payers to implement and maintain a Prior Authorization API that is populated with its list of covered items and services, can identify documentation requirements for prior authorization approval, and supports a prior authorization request and response. These Prior Authorization APIs must also communicate whether the payer approves the prior authorization request (and the date or circumstance under which the authorization ends), denies the prior authorization request (and a specific reason for the denial), or requests more information. This requirement must be implemented beginning January 1, 2027.
In response to feedback received on multiple rules, extensive stakeholder outreach, and to further promote efficiency in the prior authorization process, HHS will be announcing the use of enforcement discretion for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) X12 278 prior authorization transaction standard. Covered entities that implement an all-FHIR-based Prior Authorization API pursuant to the CMS Interoperability and Prior Authorization final rule that do not use the X12 278 standard as part of their API implementation will not be enforced against under HIPAA Administrative Simplification, thus allowing limited flexibility for covered entities to use a FHIR-only or FHIR and X12 combination API to satisfy the requirements of the CMS Interoperability and Prior Authorization final rule. Covered entities may also choose to make available an X12-only prior authorization transaction. HHS will continue to evaluate the HIPAA prior authorization transaction standards for future rulemaking.
Questions about what these changes mean to your organization? ContactUs@rebellisgroup.com