Federally regulated health insurers will have to turn around prior authorization decisions much more quickly under a recent rule finalized by the CMS. Beginning in 2026, health insurers will be required to either approve or deny an urgent prior authorization request within 72 hours. For standard or non-urgent requests, payers will have seven calendar days to respond. These deadlines cut the current timeframes for some payers to issue decisions in half, regulators said. Payers will also have to provide a specific reason for denying a prior authorization request, which should help doctors resubmit or appeal the request if needed. The rule, first proposed in December 2022, has support from both payers and providers and is expected to create roughly $15 billion in savings over the next decade.
More on Final Rule
The rule will require impacted payers to implement a standards-based Patient Access Application Programming Interface (API) and information about certain prior authorizations to the data available via that Patient Access API. CMS believes that the rule changes will improve patients’ understanding of their payer’s prior authorization process and its impact on their care. The rule also will require impacted payers to implement and maintain a Provider Access API to share patient data with the patient’s in-network providers, and to make the following data must be made available via the Provider Access API: Individual claims and encounter data (excluding provider remittances and enrollee cost-sharing information); data classes and data elements in the United States Core Data for Interoperability (USCDI); and prior authorization information (excluding those for drugs).
The rule will also require impacted payers to maintain an attribution process to associate patients with their in-network or enrolled providers and to allow patients to opt out of having their data available to providers. The Final Rule will require impacted payers to provide patients with plain language information about the benefits of API data exchange with their providers and their ability to opt out.
In addition, the rule will require impacted payers to implement and maintain a Payer-to-Payer API to make available claims and encounter data, data classes and data elements in the USCDI data set, and information about certain prior authorizations. According to CMS, this will help improve care continuity when a patient changes payers. Impacted payers will be required to provide patients with plain language information about the benefits of Payer-to-Payer API data exchange and their ability to opt in.
Regarding prior authorization timelines, impacted payers must send prior authorization decisions within 72 hours of receipt for expedited requests and seven calendar days for standard requests. Additionally, beginning in 2026, impacted payers must provide a specific reason for denied prior authorization decisions via portal, fax, email, mail, or phone. This requirement does not apply to prior authorization decisions for drugs. According to CMS, this requirement is intended to facilitate communication and transparency between payers, providers, and patients, and to improve providers’ ability to resubmit prior authorization requests. Impacted payers must also publicly report certain prior authorization metrics annually by posting them on their website. CMS is finalizing these policies with a compliance date starting January 1, 2026, and the initial set of metrics must be reported by March 31, 2026.
The rule will add a new measure (Electronic Prior Authorization) to the Health Information Exchange (HIE) objective for the MIPS Promoting Interoperability performance category and the Medicare Promoting Interoperability Program. MIPS eligible clinicians will report the Electronic Prior Authorization measure by attestation beginning with the Calendar Year 2027 performance period/CY 2029 MIPS payment year, and eligible hospitals and CAHs will be required to report the measure beginning with the CY 2027 EHR reporting period.
Notably, this rule does not apply to drugs, only medical items and services. Providers have been pushing the administration to address prior authorization of drugs. But CMS decided not to because standards and technical systems can differ depending on whether drugs are administered in a physician’s office or a hospital or picked up at a pharmacy. The decision to exclude drugs from the latest prior authorization revamp means other new protections, like standards around electronic information-sharing and reporting, will not apply to cancer drugs and other kinds of specialty care that patients receive in a doctor’s office or hospital.