• Federally regulated health insurers — including Medicare Advantage plans — will have to turn around prior authorization decisions much more quickly under a rule finalized by the CMS on Wednesday.
  • Beginning in 2026, health insurers will be required to either approve or deny an urgent prior authorization request within 72 hours. For standard or non-urgent requests, payers will have seven calendar days to respond. These deadlines cut the current timeframes for some payers to issue decisions in half, regulators said.
  • Payers will also have to provide a specific reason for denying a prior authorization request, which should help doctors resubmit or appeal the request if needed, the CMS said. The rule, first proposed in December 2022, has support from both payers and providers and is expected to create roughly $15 billion in savings over the next decade.
Dive Insight:

Prior authorization is a process wherein a doctor must get approval from a patient’s health insurer before providing a medical service, like prescribing a drug or performing a surgery.

Payers argue prior authorization is a necessary evil to curb nonessential healthcare costs. However, doctors and patients say the process contributes to physician burnout by increasing paperwork, while leaving patients in limbo as they wait for an unknown bureaucrat to approve their care plan.

Recent cases of patients experiencing severe health outcomes and even death following prior authorization delays have increased pressure on health insurance companies to roll back the policies. Facing pressure — and in anticipation of rulemaking — a number of major payers have walked back the requirements, including UnitedHealthcare and CVS-owned Aetna, though physicians argue more reform is needed.

Wednesday’s final rule doesn’t restrict payers’ use of prior authorization. But the shorter timeline to turn decisions around, and the requirement to include rationale in their decisions, should streamline the process, the CMS said.

Along with the timeframe changes, the 822-page rule requires payers to post certain prior authorization metrics on their websites, including which services require prior authorizations, the number of denials and approvals, and prior authorization denials overturned after appeal.

Payers will also have to implement a standardized application programming interface, or API, for prior authorization by January 2027. APIs are sets of rules that enable different computer programs to communicate with one another.

Setting a standardized API will allow providers and payers to automate the end-to-end prior authorization process, the CMS said.

Payers and providers came out against the government’s decision to set that standard, called HL7 FHIR, last summer, arguing it would conflict with another data exchange standard called X12. In response to those concerns, the HHS said it wouldn’t enforce the X12 standard for organizations that comply with Wednesday’s prior authorization rule.

However, regulators will “continue to evaluate” prior authorization standards for future rulemaking, the HHS said.

Along with an API for prior authorization, payers will also be required to expand their API for patient access to include information about prior authorizations, and to create an API for provider access that can be used to retrieve patients’ claims, encounter, clinical and prior authorization data.

If a patient moves between payers or is covered by more than one, insurers will also have to exchange those data with each other using a payer-to-payer API.

The CMS originally required payers to share patient data with one another at a patient’s request under information blocking rules finalized in 2020, with the goal of creating a longitudinal health record that could follow patients in a healthcare system, regardless of coverage changes.

However, regulators said in 2021 they wouldn’t enforce the policy after payers raised concerns about operational challenges and risks to data quality, given a lack of specificity in the rule.

Wednesday’s rule applies to MA plans, state Medicaid and Children’s Health Insurance Program agencies, Medicaid and CHIP managed care plans and plans on the Affordable Care Act exchanges.

For MA plans, the changes come in addition to an April final rule meant to stop them from enacting more restrictive prior authorization processes than what’s allowed under Medicare’s coverage requirements.

Regulators have zeroed in on utilization management reform in MA specifically after a prior authorization rule proposed during the Trump administration controversially left the plans out.

An HHS Office of Inspector General report found some MA plans routinely deny prior authorization requests, even those that should have been approved under Medicare. A 2018 audit by the OIG found MA plans ultimately approved 75% of requests that were originally denied following appeal.