Fact Sheets

Reducing Provider and Patient Burden by Improving Prior Authorization Processes, and Promoting Patients’ Electronic Access to Health Information CMS-9123-P: Fact Sheet

Building on the CMS Interoperability and Patient Access final rule (CMS-9115-F), this proposed rule would place new requirements on Medicaid and CHIP managed care plans, state Medicaid and CHIP fee-for-service programs, and Qualified Health Plans (QHP) issuers on the Federally-facilitated Exchanges (FFEs) to improve the electronic exchange of health care data, and streamline processes related to prior authorization. The rule would require increased patient electronic access to their health care information, and would improve the electronic exchange of health information among payers, providers and patients. Together, these policies would play a key role in reducing overall payer and provider burden and improving patient access to health information.

This rule includes five sets of proposals and five requests for information.


Patient Access Application Programming Interface (API)

In the Interoperability and Patient Access final rule (CMS-9115-F), we finalized our policy to require a select group of CMS-regulated payers to implement a Fast Healthcare Interoperability Resources (FHIR)-based Patient Access API. In this proposed rule, starting January 1, 2023, we would require impacted payers to include, as part of the already established Patient Access API, information about the patient’s pending and active prior authorization decisions to ensure patients have a better understanding of the prior authorization process and its impact on their care.

This proposed rule would also require impacted payers to establish, implement, and maintain an attestation process for third-party application developers to attest to certain privacy policy provisions prior to retrieving data via the payer’s Patient Access API.

And, this rule would require impacted payers to report metrics quarterly about patient use of the Patient Access API to CMS to assess the impact the API is having on patients.  

Provider Access APIs

In order to better facilitate coordination of care, and in support of a move to value-based care, we are proposing to require impacted payers to build and maintain a Provider Access API for payer-to-provider data sharing of claims and encounter data (not including cost data), a sub-set of clinical data as defined in the U.S. Core Data for Interoperability (USCDI) version 1, and pending and active prior authorization decisions for both individual patient requests and groups of patients starting January 1, 2023. We are proposing the use of the HL7 FHIR Bulk Data Access (Flat FHIR) specification to facilitate the exchange of data for more than one patient at a time.

Documentation and Prior Authorization Burden Reduction through APIs

Prior authorization is an administrative process used in healthcare for providers to request approval from payers to provide a medical service, prescription, or supply. The prior authorization request is made before those medical services or items are rendered. While prior authorization has its benefits, patients, providers, and payers alike have experienced burden from it. And, it has been identified as a major source of provider burnout. Providers expend staff resources to identify prior authorization requirements and navigate the submission and approval processes, resources that could otherwise be directed to clinical care and processes that vary across payers. Patients may unnecessarily pay out-of-pocket or abandon treatment altogether when prior authorization is delayed. In an attempt to alleviate some of the administrative burden of prior authorization and to improve the patient experience, we are proposing a number of policies to help make the prior authorization process more efficient and transparent.

Document Requirement Lookup Service (DRLS) API: We are proposing to require impacted payers build and maintain a FHIR-enabled DRLS API -- that could be integrated with a provider’s electronic health record (EHR) -- to allow providers to electronically locate prior authorization requirements for each specific payer from within the provider’s workflow.

Prior Authorization Support (PAS) API: We are proposing to require impacted payers build and maintain a FHIR-enabled electronic Prior Authorization Support API that has the capability to send prior authorization requests and receive responses electronically within their existing workflow (while maintaining the integrity of the HIPAA transaction standards).

Denial Reason: We are proposing to require impacted payers include a specific reason for a denial when denying a prior authorization request, regardless of the method used to send the prior authorization decision, to facilitate better communication and understanding between the provider and payer.

Shorter Prior Authorization Timeframes: We are proposing to require impacted payers (not including QHP issuers on the FFEs) to send prior authorization decisions within 72 hours for urgent requests and 7 calendar days for standard requests.

Prior Authorization Metrics: We are proposing to require impacted payers publicly report data about their prior authorization process, such as the percent of prior authorization requests approved, denied, and ultimately approved after appeal, and average time between submission and determination, to improve transparency into the prior authorization process, which will help patients understand.

These prior authorization policies are proposed to take effect January 1, 2023, with the initial set of metrics proposed to be reported by March 31, 2023.

Payer-to-Payer Data Exchange on FHIR

In the Interoperability and Patient Access final rule (CMS-9115-F), we finalized a requirement that, at a patient’s request, CMS-regulated payers must exchange certain patient health information, and maintain that information, thus creating a longitudinal health record for the patient that is maintained with their current payer. While we encouraged the use of a FHIR-based API for this data exchange, we did not require it. In this proposed rule, we are expanding on this concept to increase data flow among impacted payers and improve patient access to their health information with the following proposals.

Payer-to-Payer API: We are now proposing to enhance the previously finalized payer-to-payer data exchange requirements for impacted payers by requiring that such exchange be via a FHIR-based Payer-to-Payer API, and that in addition to a sub-set of clinical data as defined in the USCDI version 1, impacted payers would also be required to exchange claims and encounter data (not including cost data), and information about pending and active prior authorization decisions, at a patient’s request.

Payer-to-Payer Data Exchange at Enrollment: We are proposing to require impacted payers share claims and encounter data (not including cost data), a sub-set of clinical data as defined in the USCDI version 1, and information about pending and active prior authorization decisions at enrollment, for payers that have a specific annual open enrollment period, or during the first calendar quarter of each year. Payers could efficiently exchange information for one or more patients at one time using the HL7 FHIR Bulk specification, allowing patients to take their health information with them as they move from one payer to another.

Leveraging Information about Pending and Active Prior Authorization Decisions during Patient Transitions: As part of this proposal we would encourage patients’ new impacted payers to consider such information from previous payers when making new prior authorization determinations, potentially eliminating the need for patients and providers to repeat the prior authorization process with the new payer. We are seeking comment on the extent to which impacted payers should be limited from requiring patients to undergo repeat evaluations for the purposes of reaffirming coverage or prior authorization decisions without first reviewing the medical records and notes of the previous payer to determine if and why a repeat test is needed.

These policies are proposed to take effect January 1, 2023.

Adoption of Health IT Standards and Implementation Specifications

On behalf of HHS, the Office of the National Coordinator for Health IT (ONC) is proposing to adopt the implementation specifications described in this regulation at 45 CFR 170.215—Application Programming Interfaces—Standards and Implementation Specifications as standards and implementation specifications for health care operations. ONC is proposing these implementation specifications for adoption by HHS as part of a nationwide health information technology infrastructure that supports reducing burden and health care costs and improving patient care. By ONC proposing these implementation specifications in this way, CMS and ONC together work to ensure a unified approach to advancing standards in HHS that adopts all interoperability standards in a consistent manner, in one location, for HHS use. Proposing to adopt the specified implementation guides (IGs) to support implementation of the proposed APIs would ensure full interoperability of the APIs and reduce implementation burden.

Requests for Information (RFIs)

Methods for Enabling Patients and Providers to Control Sharing of Health Information

We are seeking comment for potential future rulemaking to elicit feedback on the role patients and providers would like to have in granular control over the sharing of patient health information – should patients and/or providers be able to dictate which information from a medical record is shared when and with whom? We also seek comment on solutions stakeholders are using to segment sensitive health information, such as data under 42 CFR Part 2, which covers medical information on mental and behavioral health, including substance use disorder treatment.

Electronic Exchange of Behavioral Health Information

We are seeking comment for potential future rulemaking on how to advance electronic data exchange among behavioral health providers. We seek comment on how CMS might leverage APIs or other solutions to facilitate this electronic data exchange between and with behavioral health providers, who have lagged behind other provider types in EHR adoption.

Reducing Burden and Improving Electronic Information Exchange of Documentation and Prior Authorization

We are seeking input on processes and uses of electronic prior authorization transactions exchanged between payers, providers, and patients, and if advancements in the types or uses of such transaction standards can support the priorities of this proposed rule. We are interested in learning more from industry about the benefits of implementing HL7 FHIR implementation specifications for health care information exchange, including the readiness and operational implications of using these specifications. And, we request comment specifically on including an Improvement Activity under the Merit-based Incentive Payment System (MIPS) to support the use of the Prior Authorization Support (PAS) API by providers.

Reducing the Use of Fax Machines for Health Care Data Exchange

We are seeking comment on how CMS can reduce the use of facsimile (fax) technology across programs. We are working to identify all programs and processes that currently require and/or encourage the use of a fax for data exchange. In an effort to reduce burden and increase efficiency, we ask the health care community to tell us where electronic data exchange could replace the fax, how this would improve workflow and patient care, and what challenges payers and providers would face if use of the fax for health care data exchange was completely eliminated.

Accelerating the Adoption of Standards Related to Social Risk Data

We request information on barriers to adopting standards, and opportunities to accelerate adoption of standards, related to social risk data. We recognize that social risk factors (e.g., housing instability, food insecurity) influence patient health and health care utilization. And, we understand that providers in value-based arrangements rely on comprehensive, high-quality social risk data. Given the importance of these data, we look to understand how to better standardize and liberate these data.

The proposed rule is available to review today at: . The comment period will close on January 4, 2021.

For more information on the CMS proposed rule, please visit: