The Centers for Medicare & Medicaid Services (CMS) affirms its commitment to advancing interoperability and improving prior authorization processes with the publication of the CMS Interoperability and Prior Authorization final rule (CMS-0057-F). Through the provisions in this final rule, Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs), (collectively “impacted payers”) are required to implement and maintain certain Health Level 7® (HL7®) Fast Healthcare Interoperability Resources® (FHIR®) application programming interfaces (APIs) to improve the electronic exchange of health care data, as well as to streamline prior authorization processes. To encourage providers to adopt electronic prior authorization processes, this final rule also adds a new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS, as well as for eligible hospitals and critical access hospitals (CAHs), under the Medicare Promoting Interoperability Program.
Building on the technological foundation of the May 2020 CMS Interoperability and Patient Access final rule (85 FR 25510), these API policies will improve patient, provider, and payer access to interoperable patient data and reduce the burden of prior authorization processes.
Impacted payers must also implement certain operational provisions, generally beginning January 1, 2026. In response to public comment on the proposed rule, impacted payers have until compliance dates, generally beginning January 1, 2027, to meet the API development and enhancement requirements in this final rule. The exact compliance dates vary by the type of payer.
This final rule includes the following provisions:
Patient Access API
In the CMS Interoperability and Patient Access final rule, we required impacted payers to implement an HL7® FHIR® Patient Access API. In this final rule, we are requiring impacted payers to add information about prior authorizations (excluding those for drugs) to the data available via that Patient Access API. In addition to giving patients access to more of their data, this will help patients understand their payer’s prior authorization process and its impact on their care. This requirement must be implemented by January 1, 2027.
To assess Patient Access API usage, beginning January 1, 2026, we are requiring impacted payers to report annual metrics to CMS about Patient Access API usage.
Provider Access API
To facilitate care coordination and support movement toward value-based payment models, we are requiring that impacted payers implement and maintain a Provider Access API to share patient data with in-network providers with whom the patient has a treatment relationship. Impacted payers will be required to make the following data available via the Provider Access API: individual claims and encounter data (without provider remittances and enrollee cost-sharing information); data classes and data elements in the United States Core Data for Interoperability (USCDI); and specified prior authorization information (excluding those for drugs).
We are also requiring impacted payers to maintain an attribution process to associate patients with in-network or enrolled providers with whom they have a treatment relationship and to allow patients to opt out of having their data available to providers under these requirements. Impacted payers will be required to provide plain language information to patients about the benefits of API data exchange with their providers and their ability to opt out.
These requirements must be implemented by January 1, 2027.
Payer-to-Payer API
To support care continuity, we are requiring that impacted payers implement and maintain a Payer-to-Payer API to make available claims and encounter data (excluding provider remittances and enrollee cost-sharing information), data classes and data elements in the USCDI and information about certain prior authorizations (excluding those for drugs). Impacted payers are only required to share patient data with a date of service within five years of the request for data. This will help improve care continuity when a patient changes payers and ensure that patients have continued access to the most relevant data in their records.
We are also finalizing an opt-in process for patients to provide permission under these requirements. Impacted payers are required to provide plain-language educational resources to patients that explain the benefits of the Payer-to-Payer API data exchange and their ability to opt in.
These requirements must be implemented by January 1, 2027.
Prior Authorization API
We are requiring impacted payers to implement and maintain a Prior Authorization API that is populated with its list of covered items and services, can identify documentation requirements for prior authorization approval, and supports a prior authorization request and response. These Prior Authorization APIs must also communicate whether the payer approves the prior authorization request (and the date or circumstance under which the authorization ends), denies the prior authorization request (and a specific reason for the denial), or requests more information. This requirement must be implemented beginning January 1, 2027.
In response to feedback received on multiple rules, extensive stakeholder outreach, and to further promote efficiency in the prior authorization process, HHS will be announcing the use of enforcement discretion for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) X12 278 prior authorization transaction standard. Covered entities that implement an all-FHIR-based Prior Authorization API pursuant to the CMS Interoperability and Prior Authorization final rule that do not use the X12 278 standard as part of their API implementation will not be enforced against under HIPAA Administrative Simplification, thus allowing limited flexibility for covered entities to use a FHIR-only or FHIR and X12 combination API to satisfy the requirements of the CMS Interoperability and Prior Authorization final rule. Covered entities may also choose to make available an X12-only prior authorization transaction. HHS will continue to evaluate the HIPAA prior authorization transaction standards for future rulemaking.
Improving Prior Authorization Processes
Prior Authorization Decision Timeframes: We are requiring impacted payers (excluding QHP issuers on the FFEs) to send prior authorization decisions within 72 hours for expedited (i.e., urgent) requests and seven calendar days for standard (i.e., non-urgent) requests.
Provider Notice, Including Denial Reason: Beginning in 2026, impacted payers must provide a specific reason for denied prior authorization decisions, regardless of the method used to send the prior authorization request. Such decisions may be communicated via portal, fax, email, mail, or phone. As with all policies in this final rule, this provision does not apply to prior authorization decisions for drugs. This requirement is intended to both facilitate better communication and transparency between payers, providers, and patients, as well as improve providers’ ability to resubmit the prior authorization request, if necessary. Some impacted payers are also subject to existing requirements to provide information about denials to providers, patients, or both through notices. These existing notices are often required in writing, but nothing in this final rule changes these existing requirements.
Prior Authorization Metrics: We are requiring impacted payers to publicly report certain prior authorization metrics annually by posting them on their website.
These operational or process-related prior authorization policies are being finalized with a compliance date starting January 1, 2026, and the initial set of metrics must be reported by March 31, 2026.
Electronic Prior Authorization Measure for MIPS Eligible Clinicians and Eligible Hospitals and Critical Access Hospitals (CAHs)
We are adding a new measure, titled “Electronic Prior Authorization,” to the Health Information Exchange (HIE) objective for the MIPS Promoting Interoperability performance category and the Medicare Promoting Interoperability Program. MIPS eligible clinicians will report the Electronic Prior Authorization measure beginning with the Calendar Year (CY) 2027 performance period/CY 2029 MIPS payment year and eligible hospitals and CAHs beginning with the CY 2027 EHR reporting period. This will be an attestation measure, for which the MIPS eligible clinician, eligible hospital, or CAH reports a yes/no response or claims an applicable exclusion, rather than the proposed numerator/denominator.
To successfully report the Electronic Prior Authorization measure:
- MIPS eligible clinicians must attest “yes” to requesting a prior authorization electronically via a Prior Authorization API using data from certified electronic health record technology (CEHRT) for at least one medical item or service (excluding drugs) ordered during the CY 2027 performance period or (if applicable) report an exclusion.
- Eligible hospitals and CAHs must attest “yes” to requesting a prior authorization request electronically via a Prior Authorization API using data from CEHRT for at least one hospital discharge and medical item or service (excluding drugs) ordered during the 2027 EHR reporting period or (if applicable) report an exclusion.
Required Standards and Recommended Implementation Guides (IGs) for APIs
Required Standards
The required standards and implementation specifications in this final rule include the following:
- United States Core Data for Interoperability (USCDI)
- HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1
- HL7 FHIR US Core Implementation Guide (IG) Standard for Trial Use (STU) 3.1.1
- HL7 SMART Application Launch Framework Implementation Guide Release 1.0.0
- FHIR Bulk Data Access (Flat FHIR) (v1.0.0: STU 1)
- OpenID Connect Core 1.0
For information on which required standards and implementation specifications apply to each API, see Table H3 of the final rule.
We also allow flexibility for impacted payers to use updated versions of the standards and IGs. Impacted payers may use an updated ONC-approved standard, instead of the standard specified in regulation, if the update does not disrupt end users’ ability to access the required data through the API.
Recommended Implementation Guides
When implementing the updated Patient Access API, the existing Provider Directory API, and the new APIs (Provider Access, Payer-to-Payer, and the Prior Authorization APIs), we strongly encourage impacted payers to use the following IGs, as applicable, to reduce burden and increase interoperability:
- HL7 FHIR CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button®) IG Version STU 2.0.0
- HL7 SMART App Launch IG Release 2.0.0 to support Backend Services Authorization
- HL7 FHIR Da Vinci Payer Data Exchange (PDex) IG Version STU 2.0.0
- HL7 FHIR Da Vinci PDex US Drug Formulary IG Version STU 2.0.1
- HL7 FHIR Da Vinci PDex Plan-Net IG Version STU 1.1.0
- HL7 FHIR Da Vinci Coverage Requirements Discovery (CRD) IG Version STU 2.0.1
- HL7 FHIR Da Vinci Documentation Templates and Rules (DTR) IG Version STU 2.0.0
- HL7 FHIR Da Vinci Prior Authorization Support (PAS) IG Version STU 2.0.1
For information on which recommended IGs apply to each API, see Table H3 of the final rule.
The final rule is available to review today in the Federal Register at: https://www.federalregister.gov/public-inspection/2024-00895/medicare-and-medicaid-programs-patient-protection-and-affordable-care-act-advancing-interoperability.
For more information, please visit: https://www.cms.gov/newsroom/press-releases/cms-finalizes-rule-expand-access-health-information-and-improve-prior-authorization-process.
CMS Advancing Interoperability and Improving Prior Authorization Processes Final Rule (CMS-0057-F)
###
Get CMS news at cms.gov/newsroom, sign up for CMS news via email and follow CMS on Twitter @CMSgov.