United States: CMS Finalizes New Electronic Prior Authorization Requirements For Payers And Providers

On January 17, 2024, the Centers for Medicare & Medicaid Services ("CMS") issued the CMS Interoperability and Prior Authorization final rule (the "CMS Final Rule").¹ The CMS Final Rule is a continuation of CMS's efforts to encourage interoperability and availability of electronic health information ("EHI") and complements the Office of the National Coordinator for Health Information Technology's ("ONC") parallel efforts to improve the access, exchange, and use of EHI through the ONC Health Information Technology ("Health IT") Certification Program and the Information Blocking Rule.²

The CMS Final Rule aims to reduce provider burden related to prior authorization processes and improve patients' access to timely care. It establishes several new requirements for Medicare Advantage ("MA") organizations, state Medicaid and Children's Health Insurance Program ("CHIP") Fee-for-Service ("FFS") programs, Medicaid managed care plans, CHIP managed care entities, and issuers of Qualified Health Plans ("QHPs") offered on the Federally Facilitated Exchanges ("FFEs") (collectively, "Impacted Payers"). Impacted Payers will be required to implement application programming interfaces ("APIs") to increase and streamline the exchange of EHI and improve their prior authorization processes for medical items and services (excluding drugs). The CMS Final Rule also establishes a new Electronic Prior Authorization attestation measure as part of the Merit-based Incentive Payment System ("MIPS") and the Medicare Promoting Interoperability Program. This new measure will require eligible clinicians, hospitals, and critical access hospitals ("CAHs") to attest to submitting an electronic prior authorization request for medical items or services (excluding drugs) at least once per year beginning in 2027 to be considered a "meaningful user" of ONC-certified electronic health record technology ("CEHRT"), unless an exclusion applies.

Key provisions of the CMS Final Rule are summarized below.

I. Updates to and Implementation of APIs

The CMS Final Rule updates requirements for the previously established Patient Access API and also establishes three new required APIs: a Provider Access API, a Payer-to-Payer API, and a Prior Authorization API.

Impacted Payers are required to comply with these API requirements beginning in 2027.³ State Medicaid and CHIP FFS programs are afforded the opportunity to seek a one-time, one-year extension to the compliance date for implementing the Provider Access, Payer-to-Payer, and Prior Authorization APIs, and also may request exemptions from the requirement to implement these three APIs if at least 90% of their beneficiaries are enrolled in managed care organizations. In addition, QHP issuers may apply to FFEs for an exception from the requirement to implement these three APIs, which an FFE may grant if it determines that making the issuer's QHPs available would benefit individuals obtaining coverage through the FFE, notwithstanding the absence of the APIs.

a. Patient Access API

In the 2020 CMS Interoperability and Patient Access Final Rule,⁴ CMS required that Impacted Payers maintain and implement a Patient Access API to share certain information, including patient claims, encounter data, and a set of clinical data (including laboratory results), with patients through health applications. Impacted Payers must make this information available via the Patient Access API no later than one business day after a claim is adjudicated or encounter or clinical data are received. The CMS Final Rule adds prior authorization request and decision data to the categories of required information for the Patient Access API. Impacted Payers will be required to make prior authorization request and decision data available for the duration that the authorization is active and at least one year after the last status change. Prior authorization information shared via the Patient Access API must be made available no later than one business day after the Impacted Payer receives a prior authorization request, and information must be updated no later than one business day after any status change.

Furthermore, to better understand how patients are accessing data made available through the Patient Access API, CMS is requiring that Impacted Payers annually report certain Patient Access API metrics beginning January 1, 2026.

b. Provider Access API

Impacted Payers will be required to maintain and implement a Provider Access API to allow in-network providers to access claims and encounter data, all United States Core Data for Interoperability ("USCDI") data classes and data elements,⁵ and certain prior authorization information for patients with which the provider has a treatment relationship. Impacted Payers must provide this information within one business day of the provider's request. Impacted Payers must also establish an attribution process to associate patients with specific providers. In addition, CMS will require Impacted Payers to provide educational resources to beneficiaries about the Provider Access API, including a beneficiary's right to opt out and an explanation of the process the beneficiary can follow to do so.

c. Payer-to-Payer API

To facilitate payer-to-payer data exchange as a means to improve care coordination, CMS is requiring that Impacted Payers implement and maintain a Payer-to-Payer API through which payers may request data from the previous five years for a newly enrolled beneficiary or a beneficiary who has multiple payers. A Payer-to-Payer API must make available claims and encounter data, all USCDI data classes and data elements, and certain information about prior authorizations for dates of service within the previous five years. Impacted Payers must also provide educational resources to beneficiaries about the Payer-to-Payer API and establish an opt-in process to request a beneficiary's permission for exchange of his or her information within one week of the start of coverage. Within one week of obtaining a beneficiary's permission (and at least quarterly thereafter for concurrent payers), the Impacted Payer must request the data from the beneficiary's previous and concurrent payers. Impacted Payers must fulfill Payer-to-Payer API requests within one business day. These requirements replace the more limited payer-to-payer data exchange requirements that CMS established in the 2020 CMS Interoperability and Patient Access Final Rule.

d. Prior Authorization API

The CMS Final Rule also requires Impacted Payers to implement a Prior Authorization API to allow providers to (1) query the payer's system to determine whether a prior authorization is required for covered items and services and what documentation is needed; (2) send a prior authorization request from the provider's electronic health record ("EHR") or practice management system to the payer; and (3) receive a decision from the payer whether (and for how long) it has approved the request. The goal of this requirement is to lessen provider and payer burden associated with prior authorizations, and to reduce delays in patient care that result from inefficiencies in prior authorization processes. To reduce compliance burden, CMS announced that Impacted Payers that implement the Prior Authorization API using Health Level 7 Fast Healthcare Interoperability Resources standards will benefit from enforcement discretion under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") if they do not use the HIPAA X12 278 prior authorization transaction standard.

II. Requirements for Prior Authorization Processes

To further improve prior authorization processes, the CMS Final Rule also implements three additional requirements for Impacted Payers:

• Timeframes for Prior Authorization Decisions: Beginning in 2026, Impacted Payers must provide notice of their prior authorization decisions to providers and patients within 72 hours for expedited requests and within seven calendar days for standard requests, unless applicable state law requires shorter timeframes.
• Reasons for Denying Prior Authorization Requests: Beginning in 2026, Impacted Payers must provide a specific reason for denials of prior authorization requests within the decision timeframes outlined above, regardless of the method by which the prior authorization request or decision is sent.
• Public Reporting Requirements for Prior Authorization Metrics: Beginning in 2026, Impacted Payers must publicly report certain aggregated prior authorization metrics annually on their website. Before the compliance date, CMS may issue guidance on the recommended format and content for publicly reporting these prior authorization metrics.

III. Electronic Prior Authorization Measure for MIPS Promoting Interoperability Performance Category and Medicare Promoting Interoperability Program

MIPS, under CMS's Quality Payment Program, and the Medicare Promoting Interoperability Program are programs established by CMS to encourage eligible clinicians, eligible hospitals, and CAHs to demonstrate meaningful use of CEHRT. To encourage utilization of Prior Authorization APIs, CMS is finalizing a new "Electronic Prior Authorization" measure for the MIPS Promoting Interoperability performance category beginning with the Calendar Year ("CY") 2027 performance period/2029 MIPS payment year and for the Medicare Promoting Interoperability Program beginning with the CY 2027 EHR reporting period.

For this newly finalized "Electronic Prior Authorization" measure, eligible clinicians, hospitals, and CAHs must attest to requesting prior authorization electronically via a Prior Authorization API using data from CEHRT for at least one medical item or service (excluding drugs) ordered during the applicable performance/reporting period. Attesting "no" or failing to report the measure would result in the eligible clinician, hospital, or CAH not being considered a "meaningful user" of CEHRT, thereby failing to meet minimum Promoting Interoperability requirements. Eligible clinicians, hospitals, and CAHs that do not order any non-drug medical items or services requiring prior authorization or that only order such items or services from a payer that does not offer a Prior Authorization API during the performance/reporting period qualify for an exclusion from this requirement.

The consequences of losing "meaningful user" status can be significant. For eligible clinicians, this would result in a Promoting Interoperability score—which represents 25% of the total MIPS score—of zero.⁶ Eligible clinicians with a MIPS score below the CMS-established benchmark incur a penalty of up to 9% of their Medicare payments.⁷ For an eligible hospital, failure to meet the requirements to be a meaningful user of CEHRT leads to a 75% lower annual increase in Medicare payments based on an inflation market basket update or rate of increase for hospitals that CMS publishes each year.⁸ For a CAH, loss of "meaningful user" status would lead to a reduction in payments received from CMS under the Medicare Promoting Interoperability Program from 101% to 100% of its reasonable costs.⁹

The CMS Final Rule represents the latest development in CMS's efforts to advance health information interoperability and modernize traditionally burdensome processes among payers, health care providers, and patients. These efforts complement ONC's recent updates to the ONC Health IT Certification Program and Information Blocking Rule, and CMS suggests in the CMS Final Rule that the two agencies will continue to coordinate moving forward, including with respect to health IT certification requirements to support provider submission of prior authorization requests using certified health IT. Impacted Payers and eligible clinicians, hospitals, and CAHs should prepare to comply with the new CMS Final Rule requirements by the time they take effect.

Footnotes

1. The full name of the CMS Final Rule is "Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Advancing Interoperability and Improving Prior Authorization Processes for Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, Children's Health Insurance Program (CHIP) Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, Merit-based Incentive Payment System (MIPS) Eligible Clinicians, and Eligible Hospitals and Critical Access Hospitals in the Medicare Promoting Interoperability Program." The CMS Final Rule is available at https://www.cms.gov/files/document/cms-0057-f.pdf.

2. Codified at 45 C.F.R. Part 171.

3. Specifically, "by January 1, 2027 for MA organizations and state Medicaid and CHIP FFS programs; by rating period beginning on or after January 1, 2027 for Medicaid managed care plans and CHIP managed care entities; and for plan years beginning on or after January 1, 2027 for QHP issuers on FFEs." CMS Final Rule, PDF pp. 96, 218–19, 355, 499.

4. CMS, Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers, 85 Fed. Reg. 25,510 (May 1, 2020).

5. After January 1, 2026, the applicable standard is USCDI v3.

6. CMS, 21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking Proposed Rule, 88 Fed. Reg. 74,947, 74,955, 58 (Nov. 1, 2023) (" CMS Information Blocking Disincentives Proposed Rule").

7. Id. at 74,958.

8. 42 U.S.C. § 1395ww(b)(3)(B)(ix).

9. CMS Information Blocking Disincentives Proposed Rule, 88 Fed. Reg. at 74,955.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.