Prior auth goes API-first

Prior authorization is moving from phone calls and fax machines into software interfaces that insurers must support. (cms.gov) The Centers for Medicare & Medicaid Services finalized the rule on January 17, 2024, and said impacted payers must begin meeting operational requirements on January 1, 2026, with API compliance dates generally beginning January 1, 2027. The rule covers Medicare Advantage, state Medicaid and Children’s Health Insurance Program programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers on the federally facilitated exchanges. (cms.gov) An application programming interface, or API, is a standard way for one computer system to ask another for data. In this rule, payers must maintain a Health Level 7 Fast Healthcare Interoperability Resources, or HL7 FHIR, Prior Authorization API for medical items and services, not drugs. (cms.gov) CMS said providers should be able to use that API from inside an electronic health record or other health IT system to check whether prior authorization is required, see documentation rules, submit the request, and receive the decision. CMS also said the final rule did not require real-time decisions, even if some responses may happen immediately. (cms.gov) The response clocks are now explicit. CMS said impacted payers, excluding Qualified Health Plan issuers on the federally facilitated exchanges, must send decisions within 72 hours for urgent requests and seven calendar days for standard requests. (cms.gov) The same rule also forces more of the prior authorization process into structured fields that software can exchange. CMS said payers must add prior authorization information to the Patient Access API, build a Provider Access API, and build a Payer-to-Payer API so data can move among patients, clinicians, and insurers in a standard format. (cms.gov) That puts pressure on electronic health record vendors and provider workflows, because data captured as free text or scanned PDFs is harder to reuse in an API transaction. CMS said there are not yet certified health IT criteria for electronic prior authorization in the current Office of the National Coordinator program, though the HTI-2 proposed rule would add certification criteria that support data exchange for prior authorization. (cms.gov, healthit.gov) The technical plumbing comes from the HL7 Da Vinci project, which has published implementation guides for coverage checks, documentation prompts, and prior authorization support. HL7 said its Prior Authorization Support guide is meant to let a provider’s system request authorization and send the needed clinical information at the point of service. (cms.gov, hl7.org) CMS estimated the broader interoperability and prior authorization rule would produce about $15 billion in savings over 10 years. The agency tied that number to less manual work for payers and providers and faster exchange of data among plans, clinicians, and patients. (cms.gov) The old process is still widespread enough that physicians report heavy weekly volume. The American Medical Association’s 2024 survey said physicians complete 39 prior authorizations per physician per week, and 93% said prior authorization delays care. (ama-assn.org) The practical change is simple: prior authorization is becoming a transaction that software can initiate, route, and track. By January 2027, the insurers covered by the rule will have to expose that process through APIs instead of leaving it to fax queues and call centers. (cms.gov, cms.gov)