
12 February 2024

CMS finalizes interoperability and prior authorization rule

On February 8, 2024, the Centers for Medicare & Medicaid Services (CMS) published its Interoperability and Prior Authorization Final Rule for the implementation and maintenance of certain application programming interfaces (APIs) and to establish new rules for prior authorization processes.  

Most of the Final Rule’s requirements only apply directly to Medicare Advantage (MA) organizations, state Medicaid and Children's Health Insurance Program (CHIP) fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and issuers of qualified health plans offered on the Federally Facilitated Exchanges (collectively, the “Impacted Payers”).  

The Final Rule also adds a new measure for the Merit-based Incentive Payment System (MIPS) to incentivize eligible clinicians and hospitals to use the prior authorization API required of Impacted Payers under this Final Rule.

CMS specifically intends for this Final Rule to build on the interoperability requirements from a May 2020 final rule on Interoperability and Patient Access (2020 Final Rule).

Changes impacting payers

Changes to existing API obligations and newly required APIs

The 2020 Final Rule already established an obligation for Impacted Payers to implement and maintain a patient access API.  As revised by this new Final Rule, Impacted Payers must (1) expand the patient access API to include information about prior authorizations (excluding prior authorizations for covered drugs); and (2) implement and maintain three new APIs for in-network provider access, payer-to-payer data exchange, and prior authorizations. 

The provider access API is intended to allow an in-network provider to request and receive their patients’ claims, encounter, clinical, and prior authorization data through the provider’s electronic health record or practice management system.  The payer-to-payer API will facilitate data exchanges among payers at the start of coverage and between concurrent payers.  Lastly, the prior authorization API will allow a provider to query the payer for its prior authorization requirements, send a prior authorization request to the payer, and receive a decision from the payer whether (and for how long) it has approved the request.  

Impacted Payers must implement these APIs by January 1, 2027.

New reporting and publication requirements

Beginning January 1, 2026, Impacted Payers will be required to report to CMS certain metrics regarding their patient access API usage.  They will also be required to publicly post certain information regarding their prior authorization metrics.  

New prior authorization process rules

Also effective beginning January 1, 2026, Impacted Payers will be required to meet new prior authorization process requirements.  These changes include new obligations to send prior authorization decisions within 72 hours for expedited requests and within 7 calendar days for standard requests, and provide a reason for denial of prior authorization requests.  

Changes impacting providers

As noted above, to incentivize provider use of the prior authorization API, CMS is also introducing new electronic prior authorization measures under MIPS for eligible clinicians under the Promoting Interoperability performance category and for eligible hospitals and critical access hospitals under the Medicare Promoting Interoperability Program.  These providers will complete an annual attestation beginning in 2027 regarding their usage of the API, unless an exemption applies.

Key takeaways for payers and providers

While the Final Rule primarily impacts payers, both payers and providers are encouraged to carefully assess not only their compliance obligations (eg, MIPS reporting for applicable providers), but also the impact of the Final Rule on their overall business operations.  Impacted Payers will likely need to engage vendors or their in-house resources to develop, implement, and maintain the appropriate APIs (or otherwise license the same from third parties).  With access to expanded data sets and new options for requesting and receiving prior authorizations, prudent providers will learn how to best utilize the APIs and data to facilitate coverage and treatment for their patients.

With the implementation of these APIs, payers and providers should also take into account the APIs and data exchanges as part of their data privacy and security compliance programs.  For instance, payers and providers are encouraged to consider conducting a technical and nontechnical evaluation of the operational changes resulting from the APIs and data exchanges in advance of implementation. They may also consider analyzing the threats and vulnerabilities to their information systems as a result of these data exchanges as part of their regular HIPAA and cybersecurity risk assessments, each of which may necessitate updates to their policies and procedures, and further determine whether their technology and other vendors are prepared to support these changes going forward.
