Early this year, the United States Centers for Medicare and Medicaid Services (CMS) issued a final rule on Interoperability and Prior Authorization. Under the final rule, CMS emphasizes the need to improve the exchange of health information to “achieve appropriate and necessary access to health records for patients, healthcare providers, and payers.” The final rule also attempts to improve the prior authorization process through policies and technology so that patients can remain at the center of their care.
The final rule enhances the 2020 CMS Interoperability and Patient Access Final Rule, including new provisions to increase data sharing and reduce overall payer, healthcare provider, and patient burdens by improving prior authorization and data exchange practices.
Under the final rule, Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs), (collectively considered “impacted payers”) are required to implement and maintain certain Health Level 7® (HL7®) Fast Healthcare Interoperability Resources® (FHIR®) application programming interfaces (APIs) to improve the electronic exchange of health care data and streamline prior authorization processes. The final rule also adds a new measure for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category as well as for eligible hospitals and critical access hospitals under the Medicare Promoting Interoperability Program, to encourage providers to adopt electronic prior authorization processes.
Patient Access API
The final rule requires impacted payers to implement an HL7® FHIR® Patient Access API. Under the Patient Access API, impacted payers must add information about prior authorizations (excluding drug prior authorizations) to the data available to patients.
Provider Access API
Impacted payers will also need to implement and maintain a Provider Access API to share patient data with in-network providers with whom the patient has a treating relationship. Payers will need to make the following information available via the Provider Access API: individual claims and encounter data (without provider remittances and enrollee cost-sharing information); data classes and data elements in the United States Core Data for Interoperability (USCDI); and specified prior authorization information (excluding those for drugs).
Payers will also need to maintain an attribution process to associate patients with in-network or enrolled providers and to allow patients the ability to opt out of having their data available to providers.
Payer-to-Payer API
Impacted payers will also be required to implement and maintain a Prior Authorization API, populated with its list of covered items and services that will also be able to identify documentation requirements for prior authorization approval and support a prior authorization request and response. The Prior Authorization API must also be able to communicate whether a payer approves the prior authorization request (with the date or circumstance under which the authorization will end), denies the prior authorization request (with a specific reason for the denial), or requests additional information.
Impacted payers (with the exception of QHP issuers on the FFEs) to send prior authorization decisions within 72 hours for expedited requests and seven calendar days for standard requests. Additionally, starting January 1, 2026, payers must provide a specific reason for all denied prior authorization decisions (except for drugs).
Timeline for Implementation
Impacted payers are required to implement certain provisions no later than January 1, 2026, with the exception of the application programming interface requirements, which impacted payers will primarily have until January 1, 2027, to meet those requirements.
Importantly, the final rule does not apply to commercial insurance plans. There is currently legislation drafted in the United States Senate that would require the data-sharing requirements to be expanded across the health insurance sector.
Support for the Final Rule
“This is a welcome first step in ensuring providers have the most comprehensive data set available about their patients,” said Jerry Penso, MD, MBA, AMGA president and CEO. “Quickly sharing data ensures appropriate care is provided, and just as importantly, any unnecessary or duplicative care is avoided. Patients will get the care they need and avoid the care they don’t.”