Featuring: Cara Tucker | Legal Counsel
What you need to know: Certain types of health plans will be required to provide decisions on prior authorizations within 72 hours (for urgent requests) and seven calendar days (for standard requests), along with reasoning for any denials. These payers must also implement new APIs to streamline electronic prior authorization processes. Operational processes will take effect in 2026 with compliance dates in 2027. This is a welcome regulation in the American healthcare industry where 94% of physicians reported that prior authorization led to delays in patient care, and 46% said these policies led to urgent or emergency care.
The Centers for Medicare & Medicaid Services (CMS) recently released a final rule tightening the prior authorization time frame for certain plan types, including Medicare Advantage Organizations, Medicaid Fee-For-Service (FFS) and managed care programs, Children’s Health Insurance Program (CHIP) FFS and managed care programs, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs).
The CMS Interoperability and Prior Authorization Final Rule outlines new deadlines for prior authorization decisions, specifically 72 hours for urgent requests and seven calendar days for standard requests. Previously, these time frames for response could vary between different plan types and managed care plans.
New transparency provisions mean that impacted payers must also provide insights into:
- Reasons for care denials: CMS will now require impacted payers to send notices to providers when they make a decision, including a specific reason for denial when they deny a prior authorization request.
- Prior authorization programs as a whole: Aggregated metrics from each health plan must be publicly reported each year.
In addition to adhering to the new prior authorization time frame, impacted payers must also implement Prior Authorization, Patient Access, Provider Access, and Payer-to-Payer APIs. In an industry with an increasing focus on interoperability, these new standards go a long way toward facilitating communication and improving data-sharing for the benefit of patient care and treatment.
Impact: removing barriers to patient care
The final rule deals with the logistics of deadlines and technological interoperability, yet it is patients and providers who are intended to benefit the most. This is because the final rule’s main components are focused on standardization and transparency with the goal of reducing the burden of the prior authorization process.
The rule requires payers to provide:
- Standardized decision timelines: The timeframes for response will encourage payers to better communicate and coordinate with their third-party vendors to whom they may outsource prior authorization decisions. These prior authorization time frames, combined with the requirement to provide a denial reason, will go far to relieve providers of existing burdens relating to chasing payers and their vendors for an answer and related reason.
- Denial reasons: Providing a denial reason seems obvious, but payers too often do not offer any explanation for why a healthcare provider’s prior authorization request is denied. If anything, payers’ reasons are often conclusory statements and boilerplate text that do not speak to the specifics of their decision in relation to the individual patient’s care and treatment. Payer denials may also use proprietary codes or text, which burdens providers who are left with no option but to decipher a specific payer’s proprietary and inefficient method of communication.
- Publicly reported metrics: CMS is requiring impacted payers to publicly report certain prior authorization metrics by posting them directly on the payer’s website or via publicly accessible hyperlink(s) on an annual basis. This will enhance transparency and understanding within the industry as to the effectiveness of these rules in promoting interoperability and improving prior authorization processes.
Limitations of the prior authorization time frame final rule
None of the new requirements apply to employer-sponsored health plans, which are the most common type of coverage in the United States, covering approximately 54% of the population. In response to comments, CMS said it encourages these types of plans to voluntarily meet the requirements of the final rule to allow patients they cover to have the same interoperable access to their data as those patients with coverage through impacted payers.
The requirements also do not apply to drugs of any type that could be covered by impacted payers. CMS explained that this is because the standards and processes for issuing prior authorization for drugs differ from those that apply to medical items and services.
Additionally, there are already existing regulations for some impacted payers which require prior authorization responses for drugs within certain timeframes. In the final rule, however, CMS said that it would consider options for future rulemaking to address improvements to the prior authorization processes for drugs.
Options around prior authorization time frame compliance
The requirements of this final rule are optimized towards patients’ and providers’ best interests but will only be as effective as the level of payer compliance. What if payers don’t adhere to the new rules or are otherwise inconsistent in their implementation?
As an initial matter, providers must be able to identify instances of payer noncompliance with these requirements. Identifying noncompliance may require new reporting, as well as effective education and training of utilization management and appeals teams. Training and education on the requirements must include how your organization intends to respond to noncompliance and hold payers accountable. This may include, for example, scripting for appeals.
If the noncompliance is not overturned on appeal, or it continues or is systemic, do providers have any sort of regulatory recourse? CMS addressed this question in the final rule, noting that many commenters expressed concern regarding the lack of a proposed mechanism to ensure compliance.
CMS said that its oversight and compliance procedures and processes vary among the different impacted payers, and CMS may consequently take different compliance and enforcement actions. Depending on the plan type, CMS said that patients and providers “may submit an inquiry or complaint to the appropriate authority.”
To effectively file a complaint for noncompliance with these requirements, providers will need to be able to identify the plan type and then the appropriate regulatory authority. This will vary, and Ensemble’s payer strategy team can help.
Encouraging provider + hospital adoption
To encourage provider adoption of electronic prior authorization processes, the final rule requires a new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS, as well as for eligible hospitals and critical access hospitals (CAHs) under the Medicare Promoting Interoperability Program.
The new measure will ask clinicians and hospitals to attest “yes” to requesting a prior authorization electronically through a Prior Authorization API during the Calendar Year 2027 performance period.
A better outcome for patients + providers
Existing processes are unsustainable. They unfairly and unnecessarily burden providers with the onerous task of navigating each payer’s prior authorization requirements from submission, data requirements and appeal of inappropriate denials.
The entire process wrongfully detracts limited and valuable resources away from patient care and contributes to provider burnout. It imposes a substantial financial burden on providers who must employ teams of individuals to assist in navigating the disparate prior authorization processes between payers. Most critically, these payer processes cause delays in patient care and treatment plans, which can directly lead to patient harm.
At Ensemble Health Partners, we fervently support the newly published final rule from CMS. Regulatory efforts to standardize, automate and streamline prior authorization processes help ensure patients receive timely access to necessary care and work to remove undue burden from healthcare providers.
Cara Tucker has been an attorney for over 10 years, specializing in healthcare and regulatory compliance. She currently serves as legal counsel managing regulatory updates at Ensemble Health Partners, developing legally based strategies and procedures to holistically resolve systemic payor issues to increase revenue, reduce administrative burdens and mitigate risk.
These materials are for general informational purposes only. These materials do not, and are not intended to, constitute legal or compliance advice, and you should not act or refrain from acting based on any information provided in these materials. Neither Ensemble Health Partners, nor any of its employees, are your lawyers. Please consult with your own legal counsel or compliance professional regarding specific legal or compliance questions you have.