On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) released a final rule that will require certain payers to automate their prior authorization processes and implement application program interfaces (APIs) to improve the exchange of health information among payers, providers and patients. The rule outlines these new requirements, exceptions to the requirements and implementation deadlines. It also adds a new electronic prior authorization measure that clinicians and hospitals must report as part of the Merit-based Incentive Payment System (MIPS) Promoting Interoperability Category and the Medicare Promoting Interoperability Program, respectively.
The final rule comes at a time when Congress has been active on prior authorization reform, including through legislation. This +Insight compares the final rule with that legislation, highlights policies that are not included in the final rule and discusses next steps for prior authorization reform.
READ OUR ANALYSIS
Key Takeaways
- Impacted Payers: Payers subject to the rule include Medicare Advantage (MA) and Medicare Advantage/ Medicare Part D (MA-PD) plans, state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans and CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs).
- Prior Authorization: The rule outlines new timeframes for prior authorization decisions, although some stakeholders had called for quicker turnaround times, especially for urgent requests. CMS also finalized that impacted payers must provide a specific reason for denied prior authorization decisions and publicly report certain prior authorization metrics on their website. These requirements are effective beginning in 2026.
- APIs: CMS finalized proposals to require impacted payers to implement and maintain APIs to improve patient access to data, to facilitate care coordination among providers and to support care continuity. The requirements for the Patient Access, Provider Access, Payer-to-Payer and Prior Authorization APIs must be met by January 1, 2027.
- Extensions, Exemptions and Exceptions: State Medicaid and CHIP FFS programs may apply for certain extensions or exemptions to the Provider Access, Payer-to-Payer and/or Prior Authorization API requirements. An exception process is also available to issuers applying for QHP certification that cannot satisfy the requirements for the Provider Access, Payer-to-Payer and Prior Authorization APIs.
- New Provider Requirements: CMS created new electronic prior authorization measures for MIPS and the Medicare Promoting Interoperability Program effective for the 2027 performance periods.
- Timeline: The rule’s API requirements will take effect on January 1, 2027, which is a one-year implementation delay from what was proposed. Prior authorization process changes and timeframe requirements begin in 2026. Impacted payers must report required prior authorization metrics by March 31, 2026.
- Provider Savings: CMS estimates that this rule will result in at least $16 billion in savings, primarily for providers, over 10 years.
- Not Addressed: The requirements in the rule explicitly exclude prescription drugs and do not apply to employer-sponsored insurance plans or Medicare FFS. CMS did not address payers’ use of algorithms or artificial intelligence (AI) to make prior authorization decisions.
- Congressional Interest in Prior Authorization: Legislation that would apply only to MA plans, the Improving Seniors’ Timely Access to Care Act (H.R. 3173/S. 3018 in the 117th Congress), proposed faster required approval timelines for prior authorization requests than the timelines in CMS’s final rule. The legislation stalled in the last session of Congress because of its cost. CMS’s final rule may bring the legislation’s cost down or might spur lawmakers to further amend the bill. Beyond legislation, Congress is using hearings, investigations and letters to highlight perceived problems with prior authorization practices.
