CMS Finalizes Rule to Expand Access to Health Information and Improve the Prior Authorization Process

In January 2024, CMS finalized the Interoperability and Prior Authorization Rule (CMS-0057-F), establishing what may be the most consequential regulatory shift in prior authorization since the ACA. The rule requires Medicare Advantage organizations, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers on the federal exchange to implement FHIR-based APIs for electronic prior authorization by January 1, 2027. For physician practices buried under the weight of manual PA processes, this rule represents both a significant opportunity and a reason for cautious optimism.

What the Rule Actually Requires

The core mandate is straightforward: payers must build and maintain a Prior Authorization Requirements, Documentation, and Decision (PARDD) API that allows providers to electronically determine whether a service requires prior authorization, what documentation is needed, and submit requests through standardized channels. Payers must also respond to urgent requests within 72 hours and standard requests within 7 calendar days — a meaningful improvement over the current landscape where practices routinely wait weeks for determinations.

The rule also requires payers to include a specific reason when denying a PA request, ending the practice of vague or opaque denial rationale that leaves practices guessing about what additional information might change the outcome. This transparency requirement, while seemingly minor, could fundamentally change how practices approach appeals.

Why This Matters for Physician Practices

The AMA reports that physician practices complete an average of 39 prior authorizations per physician per week, with each request consuming significant staff time for phone calls, fax transmissions, portal navigation, and follow-up. The CMS rule does not eliminate prior authorization — it modernizes the infrastructure through which PA operates.

For practices, the implications are layered:

• Electronic submission through standardized APIs could dramatically reduce the time staff spends navigating payer-specific portals and phone trees
• Mandated response timelines create enforceable accountability where none existed before
• Required denial reasoning gives practices concrete information to inform appeal strategies
• Standardized data formats enable practices to analyze denial patterns across payers systematically

The Implementation Reality

The 2027 compliance deadline gives payers roughly three years from finalization to build, test, and deploy these systems. That timeline is ambitious given the technical complexity of FHIR implementation at scale, and history suggests that payer compliance with health IT mandates tends to lag behind deadlines. Practices should prepare for an uneven rollout where some payers meet the requirement on schedule while others seek extensions or implement minimally compliant solutions.

The rule also does not address the volume of prior authorization requirements themselves. A payer can comply fully with the electronic PA mandate while still requiring prior authorization for the same breadth of services. Faster denials are still denials. The structural question of whether payers use PA appropriately remains a separate policy battle being fought at the state level and in Congress.

What Practices Should Do Now

Practices do not need to wait until 2027 to benefit from this rule's direction. The shift toward electronic PA and structured denial data is already influencing how forward-thinking practices organize their denial management operations. Building systematic workflows for tracking PA requests, analyzing denial patterns by payer and service type, and preparing evidence-based appeals positions a practice to take full advantage of the electronic infrastructure as it comes online. The practices that treat this rule as a signal — not just a future compliance event — will be best positioned when the deadline arrives.