On January 17, 2024, Centers for Medicare & Medicaid Services issued a final rule that places significant new requirements on impacted payors regarding the process and timing of prior authorizations. Starting in 2026, Medicare Advantage (MA) organizations, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers will be required to send prior authorization decisions within 72 hours for urgent requests and seven days for standard requests. For some payors, this requirement may cut current decision timeframes in half. Payors also must articulate a specific reason for denying a prior authorization request. Payors are given the choice of how to communicate their denial: by portal, fax, email, mail, or phone.
The rule also requires payors to develop and incorporate numerous new processes related to their prior authorizations beginning January 1, 2027. Notably, payors must implement a Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) Prior Authorization application programming interface (API). The API must be populated with a payor’s list of covered items and services, able to identify documentation requirements for prior authorization approval, and support a prior authorization request and response. The API must also be able to communicate whether the payor approves the prior authorization request with a supplied end date, denies the prior authorization request with a specific reason for the denial, or requests more information.
Further, impacted payors must implement three more APIs: Patient Access, Provider Access, and Payer-to-Payer Access. The Patient Access API must contain information about the prior authorization process and notify patients about their payor’s requirements. Payors must implement a Provider Access API to share patient data with in-network providers, including individual claims and encounter data, data classes and elements in the United States Core Data for Interoperability (USCDI), and specified prior authorization information. The Payer-to-Payer Access API requires impacted payors to exchange most of the same data available to other payors, with the patient’s permission, for patients with a date of service in the last five years.
The implementation of this API technology may be onerous. However, once in place, the API requirements should assist payors in meeting the authorization timeframe requirements. Still, the cost of the new rule to payors is significant. CMS estimates the rule will cost payors $182 million in the first year alone.
Please contact the authors with any questions regarding this final rule and its impact.
Client Alert 2024-014