A Look into CMS Interoperability and Prior Authorization Final Rule

• Medicare Advantage (MA) organizations
• State Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs
• Medicaid managed care plans
• CHIP managed care entities
• Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs) 

For the Impacted Payers, the major requirement will be the implementation and maintenance of certain HL7 FHIR application programming interfaces (APIs). These APIs are aimed at making the exchange of electronic healthcare data easier while simplifying prior authorization processes.

The final rule also introduces a novel Electronic Prior Authorization attestation measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS, as well as for eligible hospitals and critical access hospitals (CAHs) under the Medicare Promoting Interoperability Program.

• Patient Access API: The 2020 CMS Interoperability and Patient Access Final Rule required Impacted Payers to use Patient Access API. This would help patients electronically access personal health information, including claims, encounter data, and clinical data, one business day after claim adjudication or clinical data reception. The CMS final rule now additionally makes it necessary for Impacted Payers to share prior authorization requests and decision data on the Patient Access API while the authorization is active, for at least one year after the last change in status.
• Provider Access API: The CMS Final Rule requires Impacted Payers to implement a Provider Access API, allowing healthcare providers part of the insurance network to readily access their patients’ medical data elements, as outlined in the United States Core Data for Interoperability (USCDI). Impacted Payers must provide this data within one business day of the provider asking for it. Impacted Payers also need to link patients with their specific healthcare providers, provide information to patients regarding Provider Access APIs, and how unwilling patients can opt out.
• Payer-to-Payer API: Impacted Payers will be required to share important health information with each other to improve how they coordinate patient care. The Payer-to-Payer API will allow one Impacted Payer to ask another for information about a patient’s health from the previous five years. The information includes data elements specified in the United States Core Data for Interoperability (USCDI), as well as prior authorization details. Impacted Payers also need to educate patients about the Payer-to-Payer API. For patients who consent, Impacted Payers will need to request and share the data within one week of getting permission and continue to do so regularly. They also need to complete these requests within one business day. These new requirements replace the older, less comprehensive rules for sharing data between insurance companies that were established in 2020.
• Prior Authorization API: Under the Final Rule, Impacted Payers will be required to set up a Prior Authorization API. This will enable healthcare providers to check with Impacted Payers regarding prior authorization requirements, send prior authorization requests directly from their EHRs, and expedite the reception of the decisions made by the Impacted Payer. Impacted Payers using (Health Level 7 Fast Healthcare Interoperability Resources), shall not be penalized under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for not using a different standard called HIPAA X12 278 for prior authorization transactions.

With the goal of making Prior Authorization Processes more seamless, three requirements have been effected in the CMS Final Rule.

• Notification Timeframes for Prior Authorization Decisions: Impacted Payers will need to notify patients and providers regarding their prior authorization decisions. The timeframe for this will be 72 hours for urgent requests and seven calendar days for non-urgent ones, depending on state laws. This rule is set to take effect from 2026.
• Specifying Reasons for Denying Prior Authorization Requests: Starting from 2026, Impacted Payers will have to specify the reason behind denied prior authorization requests within the same timelines, irrespective of the mode of sending and receiving prior authorization requests and decisions.
• Public Reporting Requirements for Prior Authorization Metrics: From 2026, Impacted Payers will need to annually disclose summarized metrics regarding prior authorizations on their websites. Before the deadline for compliance, CMS might provide guidance regarding the preferred format and content for the public reporting of these prior authorization metrics.

The CMS provides programs such as MIPS and the Medicare Promoting Interoperability Program to promote and encourage the use of advanced health technology by healthcare providers. Starting in 2027, “Electronic Prior Authorization” will be introduced. Healthcare providers will need to use Prior Authorization API to request approval electronically for at least one medical item or service. Failing to do so means they will not be considered a “meaningful user” of health technology, impacting their scores and potential Medicare payments. Providers without relevant prior authorization needs or if their payer does not offer the tool may be exempt. The consequences for losing “meaningful user” status can include significant penalties for both individual clinicians and hospitals.

To learn more about Required Standards and Recommended Implementation Guides (IGs) for APIs, please refer to this CMS.gov fact sheet.

Ensuring seamless interoperability in healthcare, we adopt standards and best practices at Rockit that enable the exchange of information across various healthcare systems. Rockit specializes in top-notch HL7 and FHIR software development services, ensuring expertise in adherence to interoperability guidelines.

Our services encompass FHIR engineering and design, creating secure and compliant healthcare apps. We excel in FHIR STU3 and R4, ETL processes, and RESTful APIs, delivering consistent and accountable results. With a focus on domain expertise, we guarantee a high success rate and understand healthcare workflows and compliance exceptionally well. Our approach leverages interoperability and FHIR knowledge to provide efficient solutions, including FHIR-compliant EHR, data analytics, reusable components, and member/patient portals. Rockit promises real-time data visibility, improved collaboration, and a great user experience, ensuring scalability, adaptability, and a substantial return on investment.

Let’s redefine healthcare together – speak to one of our experts today.