On January 17, 2024, the Centers for Medicare & Medicaid Services (“CMS”) issued a final rule regarding interoperability and prior authorization (the “Rule”). CMS-0057-F.  The Rule’s goals, according to CMS, are to facilitate the electronic exchange of health-care data, improve and expedite prior authorization processes, and reduce related burdens for payers, healthcare providers, and patients, with estimated savings of $15 billion over 10 years.  The Rule’s changes focus on two areas: (1) interoperability advancement and (2) prior authorization streamlining.  Both changes target federally regulated health insurers such as Medicare Advantage Organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) Fee-for-Service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (“QHP”) issuers on the Federally Facilitated Exchanges (“FFEs”), (collectively, “Impacted Payers”).

For interoperability advancement, Impacted Payers must implement and maintain four application programing interfaces (“APIs”), which are software that allow other software applications to exchange information and features more efficiently.  These four APIs are (1) the Patient Access API, (2) the Provider Access API, (3) the Payer-to-Payer API, and (4) the Prior Authorization API.  Although compliance dates vary based on payer type, Impacted Payers must generally implement these four APIs by January 1, 2027.

First, Payers must implement the Patient Access API and supplement the API’s available data with information about prior authorizations (excluding those for drugs). This API’s purpose is to enhance patients’ data access and understanding of the impacts of their payers’ prior authorization processes.

Payers must also implement the Provider Access API to share patient data with the patients’ in-network providers and make individual claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the United States Core Data for Interoperability (“USCDI”), and certain prior authorization information (excluding those for drugs) available to various providers. The purpose of this API is to improve care coordination and promote a shift to value based payment models.

In addition, Payers must implement the Payer-to-Payer API to make claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the USCDI and information about certain prior authorizations (excluding those for drugs) available to different payers. Impacted Payers must also provide information to patients about their ability to opt into Payer-to-Payer API data-sharing and the benefits of doing so. Specifically, this API intends to enhance patient care continuity.

Finally, Payers must implement the Prior Authorization API to identify documentation requirements for prior authorization approval and support prior authorization requests and responses from payers. This API will be used to further accelerate prior authorization decisions.

In terms of streamlining prior authorization decisions, by January 1, 2026, Payers (excluding QHPs on FFEs) must send prior authorization decisions within 72 hours for urgent requests and seven calendar days for non-urgent requests, halving the previous timeframes. In addition, by 2026 Impacted Payers must provide specific rationales for denied prior authorizations and make annual public reports about certain prior authorizations metrics. Significantly, these policies do not apply to prior authorization decisions for drugs.

Lastly, the Rule provides a new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS as well as for eligible hospitals and critical access hospitals (CAHs), under the Medicare Promoting Interoperability Program in order to incentivize provider’s implementation of electronic prior authorization processes.

Ultimately, Payers have work to do to implement the APIs and amend their prior authorization policies and procedures to comply with the new requirements.  The new prior authorization rules take effect on January 1, 2026 and the new APIs must be in place on January 1, 2027.   These changes impact plans subject to federal regulations, including as Medicare Advantage plans, Medicaid managed care organizations and qualified health plans offered on the FFE.