The Centers for Medicare & Medicaid Services (CMS) issued the CMS Interoperability and Prior Authorization Final Rule (Final Rule) on Jan. 17, 2024. The agency proposed the rule in December 2022 (See Holland & Knight's previous Health Dose Blog, Dec. 13, 2022). CMS also issued a press release and published a fact sheet that provides an overview of the Final Rule.
The Final Rule continues CMS' efforts to encourage interoperability and availability of electronic health information. These efforts complement recent updates made by the Office of the National Coordinator for Health Information Technology (ONC) to the ONC Health IT Certification Program and Information Blocking Rule. Further, the rule's adoption smooths the path for the Improving Seniors' Timely Access to Care Act, a bipartisan bill meant to reform prior authorization that stalled in 2022.
The Final Rule establishes several new requirements for Medicare Advantage organizations, state Medicaid and Children's Health Insurance Program (CHIP) fee-for-service programs, Medicaid managed care plans, CHIP managed care entities and issuers of Qualified Health Plans (QHPs) offered on the Federally Facilitated Exchanges (FFEs). Impacted Payers will be required to implement APIs to increase and streamline the exchange of electronic health information and improve their prior authorization processes for medical items and services (excluding drugs). Notably, CMS excluded all drugs – including Part B drugs paid through a medical benefit from this requirement. CMS notes in the Final Rule that it did not anticipate the overwhelming response it received in favor of including drugs, so it will evaluate options for potentially including them in the future.
The Final Rule also establishes a new Electronic Prior Authorization attestation measure as part of the Merit-Based Incentive Payment System (MIPS) and the Medicare Promoting Interoperability Program. This new measure will require eligible clinicians, hospitals and critical access hospitals (CAHs) to attest to submitting an electronic prior authorization request for medical items or services (excluding drugs) at least once per year beginning in 2027 to be considered a "meaningful user" of ONC-certified electronic health record technology (CEHRT), unless an exclusion applies.
In a change from the Proposed Rule, many of these requirements will take effect on Jan. 1, 2027, a one-year implementation delay from what was proposed. The Patient Access API, prior authorization decision time frames and denial reason requirements will take effect in 2026, and the Provider Access API and Payer-to-Payer API requirements must be implemented by Jan. 1, 2027. CMS believes these time frames to be appropriate to ensure sufficient time to train staff and build and update APIs and operational procedures.
Provider Notice
Beginning in 2026, Impacted Payers must provide a specific reason for denied prior authorization decisions, regardless of the method used to send the prior authorization request. Impacted Payers must also send prior authorization decisions within 72 hours for expedited (urgent) requests and seven calendar days for standard (nonurgent) requests. They must also publicly report specific prior authorization metrics by posting them on their website or through publicly accessible hyperlinks annually. The first set of metrics must be publicly reported by March 31, 2026.
Patient Access API and Prior Authorization Metrics
CMS finalized a requirement that Impacted Payers must implement a Health Level 7 Fast Healthcare Interoperability Resources Patient Access API.
CMS notes that the primary goal of the Patient Access API is to provide access to health information to patients. However, the lack of a coordinated exchange of health information makes it challenging for patients to access their health information effectively, and prior authorization requests and decision information are important components of this data set.
Therefore, CMS finalized its proposal to require Impacted Payers to include prior authorization information in the data that must be made available to patients through the Patient Access API. This information includes:
- prior authorization status
- date of the prior authorization approval or denial
- date or circumstance under which the authorization ends
- items and services approved
In cases of a prior authorization denial, Impacted Payers must provide a specific rationale for this determination. Consistent with other provisions of the Final Rule, this requirement would not apply to drugs.
Prior authorization information shared via the Patient Access API must be made available no later than one business day after the Impacted Payer receives a prior authorization request, and information must be updated no later than one business day after any status change.
Furthermore, to better understand how patients access data made available through the Patient Access API, CMS requires Impacted Payers to post certain prior authorization metrics on their websites or through publicly accessible hyperlinks annually. This information must include:
- the total number of unique patients whose data is transferred via the Patient Access API to a health app designated by the patient
- the total number of unique patients whose data is transferred more than once via the Patient Access API to a health app designated by the patient
The first set of metrics is required to be publicly reported by March 31, 2026. Going forward, all Impacted Payers must report the previous calendar year's metrics to CMS by March 31 following any year that they offered that type of plan.
Provider Access API
Impacted Payers will be required to maintain and implement a Provider Access API. Payers will be required to make the following data available via the Provider Access API: individual claims and encounter data (without provider remittances and enrollee cost-sharing information), data classes and data elements in the United States Core Data for Interoperability (USCDI) and specified prior authorization information (excluding those for drugs). Impacted Payers must provide this information within one business day of the provider's request.
These requirements must be implemented by Jan. 1, 2027, for Medicare Advantage organizations, state Medicaid and CHIP fee-for-service programs, Medicaid managed care plans other than nonemergency medical transportation, prepaid ambulatory health plans, CHIP managed care entities and QHP issuers on the FFEs. Provisions do not apply to Medicare fee-for-service, but CMS is considering how future proposals could apply.
Payer-to-Payer API
CMS requires that Impacted Payers implement and maintain a Payer-to-Payer API to make available claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the USCDI, and information about certain prior authorizations (excluding those for drugs).
Payers are only required to share patient data with a date of service within five years of the request for data. CMS is also finalizing an opt-in process for patients to provide permission under these requirements. Impacted Payers are required to provide plain-language educational resources to patients that explain the benefits of the Payer-to-Payer API data exchange and their ability to opt in. Within one week of obtaining a beneficiary's permission (and at least quarterly thereafter for concurrent payers), the Impacted Payer must request the data from the beneficiary's previous and concurrent payers. Impacted Payers must fulfill Payer-to-Payer API requests within one business day. These requirements must be implemented by Jan. 1, 2027.
Prior Authorization API
Impacted Payers are required to implement a Prior Authorization API to allow providers to:
- query the payer's system to determine whether prior authorization is required for covered items and services and what documentation is needed
- send a prior authorization request from the provider's electronic health record (EHR) or practice management system to the payer
- receive a decision from the payer whether (and for how long) it has approved the request
These requirements must be implemented by Jan. 1, 2027.
To reduce the compliance burden, CMS announced that Impacted Payers that implement the Prior Authorization API using Health Level 7 Fast Healthcare Interoperability Resources standards will benefit from enforcement discretion under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) if they do not use the HIPAA X12 278 prior authorization transaction standard.
Electronic Prior Authorization Measure for the Merit-Based Incentive Payment System (MIPS)
To encourage utilization of Prior Authorization APIs, CMS is finalizing a new measure, "Electronic Prior Authorization," to the Health Information Exchange objective for the MIPS Promoting Interoperability performance category and the Medicare Promoting Interoperability Program.
MIPS-eligible clinicians will report the Electronic Prior Authorization measure beginning with the Calendar Year (CY) 2027 performance period/CY 2029 MIPS payment year, and eligible hospitals and critical access hospitals will begin with the 2027 EHR reporting period. This will be an attestation measure for which the MIPS-eligible clinician, eligible hospital or CAH reports a yes/no response or claims an applicable exclusion rather than the proposed numerator/denominator.
