General

What are the application programming interfaces (APIs) required under the CMS Interoperability and Prior Authorization final rule (CMS-0057-F), and what are the general requirements for each?

The CMS Interoperability and Prior Authorization final rule requires impacted payers (specifically, Medicare Advantage [MA] Organizations, State Medicaid and Children’s Health Insurance Program [CHIP] agencies, Medicaid managed care plans and CHIP managed care entities, and Qualified Health Plan [QHP] issuers on the Federally Facilitated Exchanges [FFEs]) to implement and maintain three new Fast Healthcare Interoperability Resources® (FHIR®) APIs:

  • The Provider Access API, to share the following data with in-network providers with whom the patient has a treatment relationship: individual claims and encounter data (without provider remittances and enrollee cost-sharing information), the data classes and data elements in a content standard adopted by the Office of the National Coordinator for Health Information Technology (ONC) in 45 CFR 170.213 (the United States Core Data for Interoperability (USCDI)), and certain prior authorization data.
  • The Payer-to-Payer Access API, to exchange data with a patient’s new or concurrent payers when a patient changes payers or has two or more payers at the same time (e.g., individuals who are dually eligible for Medicare and Medicaid). Largely this same data must be shared (excluding information about denied prior authorizations), as well as both structured and unstructured administrative and clinical documentation submitted by a provider.
  • The Prior Authorization API, to allow a provider to query a payer’s system to determine whether prior authorization (PA) is required for specific medical items and services (excluding drugs), as well as to view the payer’s list of covered items and services. In addition, this API must have the functionality to identify a payer’s documentation requirements for the items or services that require prior authorization. The API must also support the creation and exchange of the prior authorization requests themselves from providers and responses from payers (including whether the request was approved or denied, and a specific reason for any such denial).

Additionally, the CMS Interoperability and Prior Authorization final rule expands the requirements for the existing Patient Access API, finalized in the May 2020 CMS Interoperability and Patient Access final rule (CMS-9115-F, 85 FR 25510), to include information about the patient’s prior authorizations for items and services (excluding drugs). This prior authorization data must be accessible for at least one year after the last status change (e.g., approval, denial, expiration) of the prior authorization.

The chart below summarizes the main differences between the Patient Access, Provider Access, and Payer-to-Payer API requirements, standards, and related policies. However, see CMS-0057-F for a full discussion of these policies.

| Category | Requirement | Patient Access API | Provider Access API | Payer-to-Payer API |
|---|---|---|---|---|
| Data Content* | Individual claims and encounter data | Yes | Yes | Yes |
| | Provider remittances and patient cost-sharing info | Yes | No | No |
| | All data classes and data elements in a content standard adopted by the ONC in 45 CFR 170.213 (the United States Core Data for Interoperability (USCDI)) | Yes | Yes | Yes |
| | Specific information about prior authorizations for items and services | Yes | Yes | Yes |
| | Denied prior authorizations | Yes | Yes | No |
| | Unstructured documentation submitted by a provider to support a PA request | No | No | Yes |
| | Start date for required data (date of service) | January 1, 2016 | January 1, 2016 | Five years before the request |
| Patient Permission Required | | N/A | Opt Out | Opt In |
| Required Standards | FHIR | Yes | Yes | Yes |
| | US Core IG | Yes | Yes | Yes |
| | SMART IG | Yes | Yes | No |
| | Bulk Data Access IG | No | Yes | Yes |
| | OpenID Connect Core | Yes | No | No |
| Extensions and Exemptions (for Medicaid and CHIP FFS only), and Exceptions (for QHPs on the FFEs only) | | Yes, for QHPs only | Yes | Yes |

* Impacted payers are only required to share data that they maintain. They are not required to seek out data within this content that they do not maintain. 

Why are drugs excluded from the prior authorization requirements in the CMS Interoperability and Prior Authorization final rule?

CMS excluded drugs from both the Prior Authorization API and the process requirements for prior authorizations in the CMS Interoperability and Prior Authorization final rule (CMS-0057-F) because the standards, processes, and decision timeframes for issuing prior authorizations for drugs differ from those that apply to medical items and services. However, payers are not prohibited from including drugs covered under a medical benefit in their Prior Authorization APIs, as the Coverage Requirements Discovery (CRD) Implementation Guide [1] can accommodate information about certain medications. CMS may evaluate opportunities to address prior authorization for drugs in future policy proposals.

What is the CMS Medicare Fee-for-Service (FFS) Prior Authorization API and how can providers participate in testing, or use the application programming interface (API) for submitting prior authorization requests to Medicare?

Some providers participating in the Medicare FFS program may be able to submit prior authorization requests through a CMS Prior Authorization API. CMS’s Provider Compliance Group (PCG) is using Fast Healthcare Interoperability Resources® (FHIR®) for exchanging healthcare information electronically between different systems through its PCG-FHIR Server. Using the PCG-FHIR Server will allow for the processing of various healthcare transactions, including prior authorization requests. Review Contractors and Providers who are interested in testing and piloting the PCG-FHIR Server may visit the PCG website or email pcg-fhir@mettles.com.

How will payer application programming interface (API) endpoints be discovered by a payer when using each or any of the APIs required under the CMS Interoperability final rules?

Depending on the specific API, developers, providers, and other payers will need to discover payers’ digital endpoints individually, and each payer will have to maintain a contact list of other payers for data exchange.

Are commercial health plans considered impacted payers under the CMS Interoperability and Prior Authorization final rule?

The only commercial payers affected by this final rule are QHPs offered on the FFEs. The requirements in the CMS Interoperability and Prior Authorization final rule (CMS-0057-F) were finalized under CMS’s authority to regulate Medicare, Medicaid, and Qualified Health Plans (QHPs) offered on the Federally facilitated Exchanges (FFEs). The requirements do not apply to other health insurance issuers or group health plans. Impacted payers that offer both health plans subject to the requirements of the CMS Interoperability and Prior Authorization final rule and those that are not (e.g., commercial health plans outside the Exchanges, like employer-based plans) may voluntarily implement the application programming interface (API) and prior authorization policies across all their plans, as long as there are no conflicts with other Federal or state laws. In fact, CMS encourages all payers to voluntarily implement the policies in this final rule for all their plans, to ensure equal access to the services and benefits for all patients and members.


Page Last Modified:
08/08/2024 03:07 PM