CMS Interoperability and Prior Authorization Final Rule
(CMS-0057-F)
March 26, 2024
Who We Are
Office of Burden Reduction and Health Informatics (OBRHI)
Health Informatics and Interoperability Group (HIIG)
Mission: Promote the secure exchange,
access, and use of electronic health
information to support better informed
decision making and a more efficient
healthcare system.
Vision: A secure, connected healthcare
system that empowers patients and their
providers to access and use electronic
health information to make better
informed and more efficient decisions.
2
A Brief History of Federal Interoperability Effects
2009
Congress passes Health
Information Technology for
Economic and Clinical Health
(HITECH) Act; establishes
EHR Incentive Program
(“Meaningful Use”)
2018
CMS launches
Blue Button 2.0
2019
Meaningful Use becomes
Promoting Interoperability
Programs
2020
CMS publishes Interoperability
and Patient Access final rule
ONC publishes 21st Century Cures
Act final rule
CMS commits to transitioning to
digital quality measures (dQMs)
2021
CMS Patient Access final rule
policies become effective
2022
ONC Cures Act final rule policies
become effective
ONC releases RFI on electronic prior
authorization in ONC certification
CMS releases RFI on establishing
National Directory for Healthcare
CMS releases Adoption of Standards for
Health Care Attachment Transaction
proposed rule
2024
CMS publishes
Interoperability and
Prior Authorization
final rule
2023
First set of designated QHINs
joins the Network
ONC publishes Health Data,
Technology, and Interoperability
(HTI-1) final rule
Overview
On January 17, 2024, CMS released the CMS Interoperability and Prior Authorization final rule (CMS-0057-F).
This rule demonstrates CMS’ continued commitment to increasing efficiency by ensuring that health
information is readily available by leveraging Health Level 7® (HL7®) Fast Healthcare Interoperability Resources®
(FHIR®) standards.
Impacted payers are required to implement certain provisions generally by January 1, 2026. In response to
stakeholder comments on the proposed rule, impacted payers have until at least January 1, 2027, to meet the
application programming interface (API) development and enhancement requirements in this final rule.
The final rule will reduce patient, provider, and payer burden by streamlining prior authorization processes and
moving the industry toward electronic prior authorization.
Ultimately, reduced provider burden means
more quality time with patients.
4
Final Rule Overview
Provisions
• Patient Access API
• Provider Access API
• Payer-to-Payer API
• Prior Authorization API
• Improving Prior Authorization Processes
• New measures for Electronic Prior Authorization for
the Merit-based Incentive Payment System (MIPS)
Promoting Interoperability Performance Category
and the Medicare Promoting Interoperability
Program
Impacted Providers
• Eligible hospitals and critical access hospitals (CAHs)
participating in the Medicare Promoting
Interoperability Program
• MIPs eligible clinicians participating in the MIPS
Promoting Interoperability performance category
Impacted Payers
• Medicare Advantage (MA) Organizations
• State Medicaid and Children’s Health Insurance
Program (CHIP) agencies
• Medicaid Managed Care Plans and CHIP Managed
Care Entities
• Qualified Health Plan (QHP) issuers on the
Federally-facilitated Exchanges (FFEs)
5
Patient Access API
NEW DATA REQUIREMENTS (Beginning January 1, 2027)
Impacted payers are required to include certain information about patients’ prior authorization requests
and decisions (excluding those for drugs)
API USE METRICS (Effective January 1, 2026)
Impacted payers will annually report metrics in the form of aggregated, de-identified data to CMS about patient
use of the Patient Access API
6
Provider Access API
Beginning January 1, 2027
API REQUIREMENTS Impacted payers must implement and maintain a Provider Access API to share patient
data with in-network providers with whom the patient has a treatment relationship.
DATA REQUIREMENTS
The API must make available individual claims and encounter data (excluding provider remittances and enrollee
cost-sharing information), data classes and data elements in a content standard adopted by ONC (USCDI) and
specified prior authorization information (excluding those for drugs).
ATTRIBUTION
Impacted payers are required to develop an attribution process to associate patients with their providers to
ensure that a payer only sends data to providers for patients with whom they have a treatment relationship.
OPT OUT
Impacted payers are required to maintain a process for patients to opt out of having their health information
available and shared under the Provider Access API requirements.
7
Payer-to-Payer API
Beginning January 1, 2027
API & DATA REQUIREMENTS
Impacted payers must implement and maintain a Payer-to-Payer API to make available claims and encounter data
(excluding provider remittances and enrollee cost-sharing information), all data classes and data elements in a
content standard adopted by ONC (USCDI), and information about prior authorizations (excluding those for drugs
and those that were denied).
IMPACTED PAYERS MUST IDENTIFY PREVIOUS AND CONCURRENT PAYERS AND GIVE PATIENTS OPPORTUNITY
TO OPT IN
This must be done generally no later than one week after the start of coverage.
NEW PAYERS MUST REQUEST PATIENT DATA FROM ANY PREVIOUS PAYERS NO LATER THAN ONE WEEK AFTER
THE START OF COVERAGE, IF THE PATIENT HAS OPTED IN.
Previous payers will have to provide the data they maintain with dates of service within five years of the date of
the request, and they must provide this data within one day of receiving the request. Patient data must then be
incorporated into the new payer’s patient record.
CONCURRENT COVERAGE DATA EXCHANGE
Where a patient has concurrent coverage with two or more payers, impacted payers are required to exchange
patient data within one week of the start of coverage and at least quarterly thereafter.
8
Patient and Provider Educational Resources
Effective January 1, 2027
PROVIDER ACCESS API
Impacted payers must provide plain language resources to both:
• Patients about the benefits of API data exchange with their
providers, and their ability to opt out; and
• Providers about the process for requesting patient data and
the payer’s attribution process
PAYER-TO-PAYER API
Impacted payers must provide plain language materials to
patients about the benefits of Payer-to-Payer API data
exchange, their ability to opt in or withdraw a previous
opt in decision, and instructions for doing so.
9
Prior Authorization API
Beginning January 1, 2027
API REQUIREMENT
Impacted payers must implement and maintain a Prior Authorization API.
IDENTIFYING WHETHER AN ITEM OR SERVICE REQUIRES PRIOR AUTHORIZATION
The API must be populated with the list of items and services (excluding drugs) that require prior
authorization from the payer.
PAYER-SPECIFIC DOCUMENTATION REQUIREMENTS
The API must identify the payer’s documentation requirements for all items and services (excluding drugs)
that require a prior authorization request.
EXCHANGING PRIOR AUTHORIZATION REQUESTS AND RESPONSES
The API must support the creation and exchange of prior authorization requests from providers and
responses from payers.
10
Improving Prior Authorization Processes
Beginning January 1, 2026
PRIOR AUTHORIZATION DECISION TIMEFRAMES
Certain impacted payers are required to send standard prior authorization decisions within 7 calendar days
and expedited prior authorization decisions within 72 hours. This policy change for standard decisions does
not include QHPs on the FFEs.
PROVIDING A SPECIFIC REASON FOR DENIAL
Payers must provide specific information about prior authorization denials, regardless of how the prior
authorization request is submitted.
PRIOR AUTHORIZATION METRICS
Impacted payers are required to report certain metrics about their prior authorization processes on their
public website on an annual basis. This includes the percent of prior authorization requests approved,
denied, and approved after appeal, and average time between submission and decision.
11
Electronic Prior Authorization Measures
The Electronic Prior Authorization Measures are yes/no measures
instead of the proposed numerator/denominator measures.
Participants are required to report a yes response or claim an
exclusion to satisfy the reporting requirements for the CY 2027
performance period/2029 MIPS payment year or the CY 2027 EHR
reporting period (for the Medicare Promoting Interoperability
Program).
PARTICIPATING PROGRAMS
• MIPS Promoting Interoperability performance category (under
the HIE objective)
• Medicare Promoting Interoperability Program for Eligible
Hospitals and CAHs (under the HIE objective)
12
Interoperability Standards for APIs
MODIFICATION TO STANDARDS LANGUAGE
We have revised regulatory language to further clarify which ONC standards apply to each API.
USE OF UPDATED STANDARDS
An impacted payer may use an updated version of a required standard if using the updated
version does not disrupt an end user's ability to access the data required to be available through
the API and other conditions are met.
USE OF IMPLEMENTATION GUIDES
We strongly recommend impacted payers develop their APIs to conform with certain
implementation guides (IG).
13
Required API Interoperability Standards
Standards
Patient Access
API
Provider
Access API
Provider Directory
API
Payer-To-Payer
API
Prior Authorization
API
USCDI, at 45 CFR 170.213
Yes Yes
N/A
Yes
N/A
FHIR Release 4.0.1
Yes Yes Yes Yes Yes
HL7 FHIR US Core IG STU
3.1.1
Yes Yes Yes Yes Yes
HL7 SMART App Launch
Framework IG 1.0.0
Yes Yes No No Yes
HL7 FHIR Bulk Data Access
IG v 1.0.0 STU 1
No Yes No Yes No
OpenID Connect Core 1.0
Yes No No No No
Note: The Patient Access and Provider Directory API were finalized in the CMS Interoperability and Patient Access final rule.
14
Recommended IGs by API
Implementation Guide
Patient Access
API
Provider Access
API
Provider Directory
API
Payer-To-Payer
API
Prior Authorization
API
CARIN for Blue Button IG Version STU 2.0.0
Yes Yes No Yes No
FHIR SMART App Launch IG Release 2.0.0 to
support Backend Services Authorization
No Yes No Yes No
Da Vinci PDex IG Version STU 2.0.0
Yes Yes No Yes No
Da Vinci PDex U.S. Drug Formulary IG
Version STU 2.0.1
Yes No No No No
Da Vinci PDex Plan Net IG Version STU 1.1.0
No No Yes No No
Da Vinci Coverage Requirements Discovery
(CRD) IG Version STU 2.0.1
No No No No Yes
Da Vinci Documentation Templates/Rules
(DTR) IG Version STU 2.0.0
No No No No Yes
Da Vinci Prior Authorization Support (PAS)
IG Version STU 2.0.1
No No No No Yes
Note: The Patient Access and Provider Directory API were finalized in the CMS Interoperability and Patient Access final rule.
15
Resources
Interoperability Rules
• 2024 CMS Interoperability and Prior Authorization final rule: Final rule, Fact
Sheet
• 2023 ONC Health Data, Technology, and Interoperability (HTI-1) final rule:
Federal Register, Fact Sheet
• 2020 CMS Interoperability and Patient Access final rule: Federal Register, Fact
Sheet, and Frequently Asked Questions
• 2020 ONC 21st Century Cures Act final rule: Federal Register
Technical Standards and Implementation Support
• Technical Standards: FHIR, SMART IG/OAuth 2.0, OpenID Connect, USCDI
• Implementation Support for APIs: CARIN for Blue Button IG, PDex IG, PDex Formulary IG,
PDex Plan Net IG, US Core IG, CRD IG, DTR IG, PAS IG, Bulk Data Access IG
Visit the CMS
Interoperability website
for additional resources
and information!
16
