What Providers Need to Know About the CMS Interoperability and Prior Authorization Rule

Date: July 2, 2024
The Centers for Medicare & Medicaid Services (CMS) issued a final rule on January 17, 2024, to improve the efficiency and transparency of healthcare delivery. The rule requires the use of standardized application programming interfaces (APIs) for data exchange among payers, providers, and patients, and requires certain plans to establish and maintain an API for:
 
  • Patient Access
  • Provider Access
  • Payer-to-payer Access
  • Prior Authorization tracking
 
The rule, titled CMS Interoperability and Prior Authorization (CMS-0057-F), aims to reduce administrative burden, increase patient access to health information, and promote interoperability across the healthcare system regarding medical services. The rule applies to several types of payers, including:
 
  • Medicare Advantage Organizations,
  • State Medicaid and CHIP agencies,
  • Medicaid Managed Care Plans,
  • CHIP Managed Care Entities, and
  • Qualified Health Plan issuers on Federally-facilitated Exchanges.
 
These plans must implement non-technical provisions by Jan. 1, 2026, and meet the API development and enhancement requirements by Jan. 1, 2027, to enable data sharing with patients, providers, and other payers. The rule also requires payers to provide educational resources to patients and providers about the API data exchange and the opt-in and opt-out processes. Payers must also report de-identified patient use data of the Patient Access API to CMS annually, starting from January 1, 2026.
 
Plans not required to comply include Medicare fee-for-service, QHP issuers that offer stand-alone dental plans, Federally facilitated small business health options program exchanges, and State-based exchanges.
 
The rule also affects eligible hospitals and critical access hospitals that participate in the Medicare Promoting Interoperability Program, as well as MIPS eligible clinicians that participate in the MIPS Promoting Interoperability performance category. These providers must report two new electronic prior authorization measures for the CY 2027 performance period/2029 MIPS payment year or the CY 2027 EHR reporting period. 
 
The rule also establishes new standards and timelines for improving prior authorization processes for all payers and providers. The rule specifies the technical standards and implementation guides that payers and providers must use to develop and enhance their APIs. The rule is expected to benefit patients, providers, and payers by reducing administrative burden, improving care coordination, enhancing patient choice, and promoting innovation. CMS provides several resources and contact information for stakeholders to learn more about the rule and its implementation.
 
How the Rule Affects Different Types of Providers
 
The CMS Interoperability and Prior Authorization final rule has different implications for different types of providers, depending on their participation in CMS programs and their use of certified EHR technology. The following sections summarize the main requirements and deadlines for each type of provider.
 
Eligible Hospitals and Critical Access Hospitals Participating in the Medicare Promoting Interoperability Program
 
Eligible hospitals and critical access hospitals (CAHs) that participate in the Medicare Promoting Interoperability Program must report two new electronic prior authorization measures for the CY 2027 EHR reporting period. The measures are:
 
  1. Electronic Prior Authorization Support for Items and Services Requiring Prior Authorization: Indicates whether the provider's certified EHR technology supports the identification of items and services that require prior authorization and the payer-specific documentation requirements.
  2. Electronic Prior Authorization Requests and Responses: Indicates whether the provider's certified EHR technology supports the electronic submission and receipt of prior authorization requests and responses.
 
These measures are part of the Health Information Exchange objective, which has a total of 40 points. Providers must report a 'yes' for both measures, or claim an exclusion if they do not perform prior authorization, to earn the full points. Providers that report a 'no' for either measure will receive a score of zero for the entire objective, which could affect their overall score and payment adjustment.
 
Providers must use the Prior Authorization API to submit and receive prior authorization requests and responses electronically, unless an exception applies. The API must conform to the HL7® FHIR® Release 4.0.1 as the foundational standard and the US Core Data for Interoperability (USCDI) Version 1 as the minimum data set. Providers must also use the technical standards and implementation guides specified by CMS for the Prior Authorization API.
 
MIPS Eligible Clinicians Participating in the MIPS Promoting Interoperability Performance Category
 
MIPS eligible clinicians that participate in the MIPS Promoting Interoperability performance category must report two new electronic prior authorization measures for the CY 2027 performance period/2029 MIPS payment year. The measures are the same as those for eligible hospitals and CAHs participating in the Medicare Promoting Interoperability Program, as described above.
 
As with hospitals and CAHs, the scoring has the same repercussions for reporting a ‘yes’ or a ‘no’, and the reports must also conform to HL7® FHIR® Release 4.0.1 and use the technical standards and implementation guides.
 
Other Providers
 
Other providers that are not directly affected by the CMS Interoperability and Prior Authorization final rule may still benefit from the increased availability and exchange of health information among payers, patients, and other providers. For example, providers that are not participating in the Medicare Promoting Interoperability Program or the MIPS Promoting Interoperability performance category may still use the Prior Authorization API to streamline their prior authorization processes with payers that are subject to the rule. Providers that are not in-network with payers that are subject to the rule may still access their patients' claims, encounter data, and prior authorization information from other payers through the Provider Access API, if the patient has a treatment relationship with them and has not opted out of the data sharing. Providers may also benefit from the improved prior authorization processes and timelines that apply to all payers and providers, regardless of their participation in CMS programs or their use of certified EHR technology.
 
Frequently Asked Questions
 
The following are some frequent areas of concern about the CMS Interoperability and Prior Authorization final rule and its implications for providers.
 
Benefits of Using the Prior Authorization API for Providers
 
The Prior Authorization API is designed to automate and simplify the prior authorization process for providers and payers. By using the API, providers can:
 
  • Identify whether an item or service requires prior authorization from the payer and what documentation is needed for the request
  • Submit and receive prior authorization requests and responses electronically, without the need for phone calls, faxes, or paper forms
  • Track the status and outcome of prior authorization requests and access the reasons for any denials
  • Reduce the time and resources spent on prior authorization and avoid delays in patient care
  • Improve the accuracy and completeness of prior authorization requests and responses
  • Enhance the interoperability and security of health information exchange.
 
Where to Access the Prior Authorization API and other APIs Required By The Rule
 
Providers can access the Prior Authorization API and other APIs required by the rule through their certified EHR technology or other health IT systems that support the technical standards and implementation guides specified by CMS. Providers may need to work with their EHR vendors or other health IT developers to ensure that their systems are compatible and compliant with the API requirements. Providers may also need to register with the payers that are subject to the rule and obtain their digital endpoints (i.e., electronic addresses) to initiate the data exchange. CMS is exploring the possibility of creating a national directory of digital endpoints to facilitate the data exchange among payers and providers.
 
Exceptions or Exemptions for using the Prior Authorization API or Reporting the Electronic Prior Authorization Measures
 
Providers may claim an exception or exemption for using the Prior Authorization API or reporting the electronic prior authorization measures in certain circumstances. For example, providers may claim an exception if:
 
  1. They do not perform prior authorization for any items or services
  2. They are unable to submit or receive prior authorization requests or responses electronically due to internet outages, natural disasters, public health emergencies, or other extraordinary circumstances beyond their control
  3. They are prohibited by law or regulation from using the Prior Authorization API for certain items or services or certain types of payers
  4. They encounter technical or operational issues with the Prior Authorization API that prevent them from using it as intended.
 
Providers must document the reason and duration of the exception and report it to CMS as part of their attestation or submission for the Medicare Promoting Interoperability Program or the MIPS Promoting Interoperability performance category.
 
CMS Monitoring and Enforcement of the Rule
 
CMS will monitor and enforce compliance with the rule through various mechanisms, such as:
 
  • Requiring payers to submit annual attestations and reports to CMS on their implementation and maintenance of the APIs and their prior authorization processes and metrics
  • Requiring providers to submit attestations and reports to CMS on their use of the Prior Authorization API and their performance on the electronic prior authorization measures
  • Conducting audits and investigations on payers and providers based on complaints, referrals, or other sources of information
  • Imposing penalties or sanctions on payers and providers that fail to comply with the rule, such as civil monetary penalties, negative payment adjustments, or program exclusions.
 
CMS will also provide guidance and technical assistance to payers and providers to help them understand and implement the rule.
 
The Rule Does NOT Apply to Prior Authorizations for Drugs
 
CMS held an online informational session on the final rule on March 26, 2024. CMS Chief Informatics Officer and Director of Health Informatics and Interoperability Group, Alex Mugge, MPH, clarified during the presentation that the rule applies to medical items and services only, not drugs. Mugge noted that payers aren’t restricted from including drug prior authorizations in these policies and can include drug authorizations voluntarily, but the rule does not require it. Mugge noted that CMS is considering separate rulemaking for prior authorization of drugs.
 
Commentaries on Criticisms of the Rule
 
The CMS Interoperability and Prior Authorization final rule has received mixed reactions from various stakeholders in the healthcare industry. Some have praised the rule for its potential to improve patient care and reduce administrative burden, while others have raised concerns about its feasibility, impact, and scope. The following are some commentaries on the common criticisms of the rule.
 
The rule is too complex and burdensome for payers and providers to implement and comply with.
 
The rule is intended to simplify and streamline the prior authorization process and the data exchange among payers, providers, and patients, not to add more complexity and burden. The rule adopts widely recognized and accepted standards and implementation guides for the APIs, such as the HL7® FHIR® Release 4.0.1 and the USCDI Version 1, to ensure consistency and interoperability across the healthcare system. The rule also provides flexibility and options for payers and providers to use updated versions of the standards or other implementation guides, as long as they do not disrupt the end users' ability to access the data required by the rule. The rule also allows for exceptions and exemptions for payers and providers in certain circumstances, such as internet outages, natural disasters, or public health emergencies. CMS will also provide resources and support to payers and providers to help them implement and comply with the rule.
 
The rule does not adequately protect the privacy and security of health information exchanged through the APIs.
 
The rule requires payers and providers to comply with all applicable federal and state laws and regulations regarding the privacy and security of health information, such as the Health Insurance Portability and Accountability Act (HIPAA) and the 21st Century Cures Act. The rule also requires payers and providers to use secure and encrypted methods for the data exchange through the APIs, such as the OAuth 2.0 and OpenID Connect standards. The rule also gives patients the right to access their own health information through the Patient Access API and to opt in or opt out of the data sharing through the Provider Access API and the Payer-to-Payer API. The rule also requires payers to report only de-identified patient use data of the Patient Access API to CMS, and to provide educational resources to patients and providers about the benefits and risks of the API data exchange. CMS will also monitor and enforce compliance with the rule and impose penalties or sanctions for any violations of the privacy and security requirements.
 
The rule does not address the underlying issues of prior authorization, such as the variation, inconsistency, and lack of evidence-based criteria among payers.
 
The rule acknowledges that prior authorization is a complex and multifaceted issue that requires collaboration and coordination among payers, providers, and other stakeholders. The rule does not intend to dictate or interfere with the clinical or coverage decisions of payers or providers, but rather to improve the transparency and efficiency of the prior authorization process. The rule requires payers to provide clear and specific information about their prior authorization requirements, decisions, and reasons for denials, and to report certain metrics about their prior authorization processes on their public websites. The rule also requires payers to adhere to new standards and timelines for making prior authorization decisions, such as seven calendar days for standard decisions and 72 hours for expedited decisions. The rule also encourages payers and providers to use the Prior Authorization API to automate and expedite the prior authorization requests and responses, and to reduce errors and delays. The rule also supports the use of evidence-based criteria and clinical decision support tools for prior authorization, as recommended by various industry groups and best practices. CMS will also continue to work with payers, providers, and other stakeholders to address the underlying issues of prior authorization and to promote high-quality and value-based care.
 
The CMS Interoperability and Prior Authorization rule is complex and has more details than this article covers. The rule will likely have compliance pitfalls along the way for all parties involved. If providers have questions about how to implement the new requirements, please feel free to reach out to Rachel Carey at rcarey@whitefordlaw.com.