BY Jacque K. Steelman and Michael R. Alexander, Brown & Fortunato, P.C.
The Centers for Medicare & Medicaid Services (“CMS”) recently finalized the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) (the “Rule”). The Rule requires a number of federally funded payers (“Payers”) to implement and maintain application programming interfaces (“APIs”). These APIs are intended to improve the electronic exchange of healthcare data and streamline the authorization process required by payers for specific procedures and treatments. To put this Rule into place, CMS has rolled out a three-year implementation timeline.
Starting January 1, 2027, the Rule will require Payers to have certain systems in place, including the following:
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
- Health Level 7 Fast Healthcare for Interoperability Resources Patient Access API. Health Level 7 (“HL7®”) is the standards development organization that develops the Fast Healthcare for Interoperability Resources Standard. The API for patients must be consistent with the technical standards finalized in the CMS Interoperability and Patient Access final rule (85 FR 2558), as well as HL7®. This API will allow patients to have access to more of their data, and it will also allow patients to understand their payer’s prior authorization process and its impact on their care. The reason behind this requirement is to allow patient data to be centralized and not scattered across multiple disconnected systems. This will also allow providers to obtain a clear picture of the patient’s care history and any critical information the patient forgets or is unable to provide to the provider. Currently, payers must only provide this information to in-network or enrolled providers.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
- Provider Access API. This API will allow for the sharing of patient data with in-network providers with whom the patient has a treatment relationship. This includes making certain information available via the Provider Access API, such as the following: individual claims and encounter data; data classes; data elements in the United States Core Data Interoperability; and specified prior authorization information. CMS also requires Payers to maintain an attribution process to associate patients with in-network or enrolled providers with whom they have a treatment relationship. The Payers must now allow patients to opt out of having their data available to providers under the requirements. The Payers must provide the patient with information regarding the benefits of the API data exchange with their providers and their ability to opt-out in plain language.
- Payer-to-Payer API. Payers must implement and maintain a Payer-to-Payer API to make information related to claims and encounter data, data classes, data elements in the USCDI, and shareable information about specific prior authorizations available. Payers must share patient data with a date of service within five years of the request for data. This will improve continuity of care when a patient changes payers and ensure that patients have continued access to the most relevant data in their records.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
- Prior Authorization API. Payers must also now implement and maintain a Prior Authorization API that includes its list of covered items and services, identifies documentation requirements for prior authorization approval, and supports a prior authorization request and response. The Providers can use the Prior Authorization API to determine if a specific payer requires prior authorization for a specific item or service. This will alleviate the administrative burden in the existing prior authorization process. This API must provide certain information regarding prior authorizations:
(1) The prior authorization status;
(2) The date the prior authorization was approved or denied;
(3) The date or circumstance under which the prior authorization ends;
(4) The items and services approved;
(5) If denied, a specific reason why the request was denied; and
(6) Related structured administrative and clinical documentation submitted by a provider.
The Prior Authorization API will also have to communicate whether the payer approves the prior authorization request, denies the prior authorization request, or requests more information. Payers must send prior authorization decisions within 72 hours of expedited requests and seven calendar days for standard requests.
Starting in 2026, payers must provide a specific reason for denying prior authorization decisions. The reason for denial may be communicated via porta, fax, email, mail, or phone, regardless of the method used to send the prior authorization request by providers. CMS specifically excluded the entire “Part D Drugs” scope from this Rule, but the Rule does apply to prior authorizations covered as a medical benefit, including those for DME, supplies dispensed at a pharmacy, or therapeutic devices. The requirement will allow better communication and transparency between payers, providers, and patients. It will also make it easier to resubmit a prior authorization if necessary.
Payers must now also publicly report prior authorization metrics annually on their website. Prior authorization information will also be accessible by patients in the Patient Access API. This will allow patients to see what information is needed and what has been provided on their behalf.
The final rule will potentially improve communication between payers, providers, and patients, support better access to health information, and result in a more efficient healthcare system for all involved.