- What must be included in the impacted payer’s prior authorization decision response via the Prior Authorization API?
The final rule did not include a requirement for impacted payers to use the Prior Authorization API to make real-time decisions on prior authorization requests, but the automation that the API provides could improve decision timeframes. Though we anticipate that some responses or decisions may be made in real-time, other decisions will continue to necessitate review and evaluation by clinical reviewers (the 2024 CMS Interoperability and Prior Authorization final rule [CMS-0057-F] requires impacted payers, excluding QHP issuers on the FFEs, to send decisions within 72 hours for expedited [i.e., urgent] requests and seven calendar days for standard [i.e., non-urgent] requests). Automating a complex process such as prior authorization will be an ongoing process of continuous improvement.
- How does the rule change the timeframe requirements for responses to prior authorization requests?
We are requiring impacted payers to send prior authorization decisions to providers within 72 hours for expedited (i.e., urgent) requests and seven calendar days for standard (i.e., non-urgent) requests.
- How do impacted payers report Prior Authorization metrics to comply with the reporting requirement? Is there available guidance for format and method for submission of these metrics?
Under the 2024 CMS Interoperability and Prior Authorization final rule (CMS-0057-F), beginning in 2026, and annually thereafter, impacted payers (MA organizations, state Medicaid and CHIP programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs) must post certain aggregated prior authorization metrics from the previous year (89 FR 8889) on their public-facing website. MA organizations will report at the contract level, state Medicaid and CHIP FFS programs will report at the state level, Medicaid managed care plans and CHIP managed care entities will report at the plan level, and QHP issuers on the FFEs will report at the issuer level (89 FR 8897).
Payers must report the following metrics for medical items and services (excluding drugs) subject to prior authorizations each year:
- A list of all items and services that require prior authorization (excluding drugs).
- The percentage of standard prior authorization requests that were approved, aggregated for all items and services.
- The percentage of standard prior authorization requests that were denied, aggregated for all items and services.
- The percentage of standard prior authorization requests that were approved after appeal, aggregated for all items and services.
- The percentage of prior authorization requests for which the timeframe for review was extended, and the request was approved, aggregated for all items and services.
- The percentage of expedited prior authorization requests that were approved, aggregated for all items and services.
- The percentage of expedited prior authorization requests that were denied, aggregated for all items and services.
- The average and median time that elapsed between the submission of request and a determination by the payer, plan, or issuer, for standard prior authorizations, aggregated for all items and services.
- The average and median time that elapsed between the submission of a request and a decision by the payer, plan, or issuer, for expedited prior authorizations, aggregated for all items and services.
(89 FR 8889 - 8890)
As we discuss in the final rule, CMS has developed a Prior Authorization Metrics Reporting Template (PDF) for impacted payers regarding recommended content and format for use in their public reports of prior authorization metrics as well as best practices about the website locations for the prior authorization metrics (89 FR 8892 - 8893). In addition, it may be helpful for impacted payers to review how the Medicare FFS program publicly reports prior authorization metrics and presents those metrics on its website (see Prior Authorization and Pre-Claim Review Initiatives) (89 FR 8892).
- Are impacted payers required to make real-time decisions on prior authorization requests?
The final rule did not include a requirement for impacted payers to use the Prior Authorization API to make real-time decisions on prior authorization requests, but the automation that the API provides could improve decision timeframes. Though we anticipate that some responses or decisions may be made in real-time, other decisions will continue to necessitate review and evaluation by clinical reviewers (the 2024 CMS Interoperability and Prior Authorization final rule requires impacted payers, excluding QHP issuers on the FFEs, to send decisions within 72 hours for expedited [i.e., urgent] requests and seven calendar days for standard [i.e., non-urgent] requests). Automating a complex process such as prior authorization will be an ongoing process of continuous improvement.
- Does the March 31, 2026, compliance date for the Prior Authorization metrics reporting requirements in the 2024 CMS Interoperability and Prior Authorization final rule reflect the date on which reporting must begin, or the date on which metric data collection must begin for the purpose of being subsequently reported?
The 2024 CMS Interoperability and Prior Authorization final rule (CMS-0057-F) requires impacted payers (MA organizations, state Medicaid and CHIP programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs) to publicly report certain prior authorization metrics for the previous calendar year (89 FR 8897). Accordingly, the first year this requirement goes into effect, impacted payers must post prior authorization metrics for calendar year 2025 on their websites by March 31, 2026. Please note that this means that impacted payers are required to collect prior authorization metrics in 2025.
Each program office will send out a letter with program-specific information for complying with these requirements.
- How should impacted payers account for appeals in terms of the total count of prior authorization decisions?
The total number of approved prior authorization requests should include requests that were initially approved as well as requests that were approved after appeal. Additionally, the total number of denied prior authorization requests should include the requests that were denied after appeal. The prior authorization metrics reporting template is available here for reference (hyperlink: https://www.cms.gov/files/document/prior-authorization-metrics-reporting-overview-template.pdf (PDF)). This approach is taken because the overall approval/denial rate should reflect the total of all prior authorization requests, regardless of whether they were appealed or not.
Additionally, the “appeals” metrics do not differentiate between internal reviews by the impacted payer and reviews by an external organization contracted by an impacted payer. The appeals metrics should aggregate all levels of appeals.
The definition of an "appeal" for purposes of these metrics differs between types of impacted payers. For Medicare Advantage, appeals are defined at 42 CFR Part 422, Subpart M and for Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges they are defined at 45 CFR 147.136(a)(2)(ii). Appeals for state Medicaid Fee-For-Service (FFS) programs are described in 42 CFR 431 Subpart E and for Medicaid managed care plans in 42 CFR 438 Subpart F. Appeals for state Children's Health Insurance Program (CHIP) FFS programs are described in 42 CFR 457 Subpart K and for CHIP managed care entities in 42 CFR 457.1260. States should report only appeals that qualify under these definitions for each program.
- Impacted payers are required to make prior authorization decisions within specific timeframes. When does the prior authorization decision timeframe clock start?
The prior authorization decision timeframe clock starts immediately when an impacted payer receives a prior authorization request with all information and documentation requested to make a determination.
The impacted payer’s obligation to make and communicate a prior authorization decision under CMS-0057-F decision timeframe requirements is tied to the receipt of a prior authorization request. Depending on the item or service, the payer may require documentation criteria from the provider to successfully review a prior authorization request. Once those criteria have been satisfied by the provider, the request is considered submitted for purposes of the determination timeframe. This does not include additional information subsequently requested by the payer that was not included in the initial request for documentation. That is, the clock does not stop or restart if additional documentation is requested that was not disclosed to the provider when they submitted the original request.
Within the Prior Authorization API, the Coverage Requirements Discovery (CRD) implementation guide (IG) is an HL7 FHIR standard and workflow that allows providers to determine whether prior authorization is required, what coverage rules apply, and what specific documentation is needed. (89 FR 8861) A check for coverage requirements and the CRD response, by itself, does not start the decision timeframe clock for a payer. While a CRD response may inform a provider that prior authorization is required and what documentation is needed, it alone does not constitute the submission of a prior authorization request. Payers should thus not treat the electronic check for whether prior authorization is needed as the initiation of a prior authorization request for purposes of starting the decision clock.
- An episode of care can include more than one prior authorization request for specific services, procedures, or extended stays; for reporting the required prior authorization metrics, how should those prior authorizations be counted?
The requirements in the 2024 CMS Interoperability and Prior Authorization final rule (CMS-0057-F) are structured around individual prior authorization requests and not episodes of care, meaning each prior authorization request should be counted and reported individually regardless of whether it is part of a broader episode of care.
Therefore, if an episode of care includes more than one prior authorization, the prior authorization for the initial hospital admission and then each subsequent prior authorization tied to that admission should be counted individually.
- If a retroactive prior authorization is required, such as when a procedure took place and was approved afterward, is it still counted as a prior authorization?
Yes, a retroactive prior authorization should still be counted as a prior authorization request for metrics reporting and should be categorized and reported as either a standard or expedited authorization based on how the plan processed it at the time of the request.
The regulatory timeframe requirements under 42 CFR § 438.210 apply to the decision-making process, not to whether the service has already occurred. Therefore, if a retroactive prior authorization request was made as a standard request, it counts as a standard prior authorization. If, on the other hand, it was made as an urgent request, then it should be reported as expedited. The fact that the service was rendered before the authorization decision does not change its classification for reporting purposes.
Note: Through its recent proposed rule CMS-0062-P, CMS is proposing updates to the requirements for reporting of prior authorization decisions and API usage metrics. For further information, please refer to the Fact Sheet here.