The Centers for Medicare and Medicaid Services (“CMS”) issued a proposed rule, “Advancing Interoperability and Improving Prior Authorization Processes” (the “Proposed Rule”), that is intended to improve patient and provider access to health information and streamline processes related to prior authorization for medical items and services. The Proposed Rule would withdraw CMS’s December 18, 2020 Interoperability and Prior Authorization proposed rule, build on the policies finalized in the agency’s May 1, 2020 Interoperability and Patient Access final rule, and incorporate feedback CMS received from commenters on the December 2020 proposed rule.

The Proposed Rule, among other proposals, provides for new rules and standards for a payer-to-payer data exchange. Notably, CMS proposes that its electronic prior authorization requirements would also apply to Medicare Advantage organizations (“MAOs”) – a significant change from the previous iteration of the rule, which only included state Medicaid and Children’s Health Insurance Program (“CHIP”) agencies, Medicaid and CHIP managed care plans, and plans on the Affordable Care Act exchanges. In this post, we focus on the potential impact on MAOs of 1) the payer-to-payer data exchange and 2) prior authorization requirements.

Payer-to-Payer Data Exchange Requirements

CMS’s Interoperability and Patient Access final rule finalized a policy to require payers, including MAOs, to exchange data with other payers, but did not require a specific mechanism for the data exchange. Rather, CMS required impacted payers to receive data in whatever format it was sent and accept data in the form and format it was received, which ultimately complicated implementation by requiring payers to accept data in different formats.

CMS found that the lack of technical specifications for the data exchange requirement was creating challenges for implementation, which could have created differences in implementation across the industry, poor data quality, operational challenges, and increased administrative burden. MS noted that differences in implementation approaches could have created gaps in patient health information that would have conflicted directly with the intended goal of interoperable payer-to-payer data exchange.

As a result, CMS is again proposing to require impacted payers, including MAOs, to implement a data exchange using a Fast Healthcare Interoperability Resources (“FHIR”) Application Programming Interface (“API”), but with changes to the December 2020 proposed rule. It anticipates that these proposals will lead to greater uniformity in implementation and ultimately lead to payers having more complete information available to share with patients and providers.

1. Technical Standards

CMS proposes using the technical standards, base content and vocabulary standards used for the Patient Access API for this proposed Payer-to-Payer API. It believes that the overlap between the requirements for the Patient Access API and the Provider Access API, also discussed in the Proposed Rule, would ease the API development and implementation process for payers. It also proposes that the API must be conformant with the API standards at 45 CFR 170.215.

2. Content Requirements

CMS proposes that impacted payers must implement and maintain a FHIR Payer-to-Payer API to make available all data classes and data elements included in a content standard adopted at 45 CFR 170.213 (United States Core Data for Interoperability (USCDI), July 2020 Errata, Version 1), claims and encounter data (excluding provider remittances and enrollee cost-sharing information), and prior authorization requests and decisions (and related administrative and clinical documentation) that the payer maintains with a date of service on or after January 1, 2016.

3. Identifying Previous and Concurrent Payors and Opt In

CMS proposes that impacted payers maintain a process to identify a new patient’s previous and/or concurrent payer(s) to facilitate data exchange using the Payer-to-Payer API. As part of this process, impacted payers would be required to allow a patient to report multiple previous and/or concurrent payers if they had (or continue to have) concurrent coverage. If a patient does report multiple previous payers, impacted payers would be required to request that patient’s data from all previous and/or concurrent payers. In addition, prior to the start of coverage, impacted payers would need to establish and maintain an opt in process to gather patient permission for payer-to-payer data exchange.

4. Requesting Data Exchange and Responding to Requests

Impacted payers would be required to request appropriate data from any previous and/or concurrent payers through the Payer-to-Payer API, and would be required to include an attestation with the request for data affirming that the patient has enrolled with that requesting payer and has opted in to the data exchange.

5. Data Exchange Requirements for Concurrent Coverage

Impacted payers would be required, within one week of the start of a new patient’s coverage, to request initial data exchange from any concurrent payers that the patient reports, and thereafter to request data exchange with those payers no less frequently than once per calendar quarter.

6. Data Incorporation and Maintenance

CMS proposes that any information received by an impacted payer through the data exchange should be incorporated into the patient’s record with the new payer.

7. Patient Education Requirements

CMS proposes that impacted payers be required to provide patients with educational materials in non-technical, simple, and easy-to-understand language, explaining at a minimum: the benefits of Payer-to-Payer API data exchange, their ability to opt in or withdraw a previous opt in decision, and instructions for doing so.

Prior Authorization Requirements

CMS defines prior authorization as the process through which a healthcare provider obtains approval from a payer before providing care. Prior authorization requirements are established by payers to help control costs and ensure payment accuracy by verifying that an item or service is medically necessary, meets coverage criteria, and is consistent with standards of care before the item or service is provided. CMS states that while the process has a role in healthcare, it “has also been identified as a major source of provider burnout, and can become a health risk for patients if inefficiencies in the process cause care to be delayed.”

In a press release, CMS Administrator Chiquita Brooks-LaSure stated that the prior authorization proposals will “streamline the prior authorization process and promote health care data sharing to improve the care experience across providers, patients, and caregivers – helping us to address avoidable delays in patient care and achieve better health outcomes for all.” The CMS Fact Sheet and FAQs provide further insight on the proposed changes.

Citing the ongoing impact that prior authorization has on patient care, health system costs, and administrative burdens for providers, CMS seeks to streamline the prior authorization process in the Proposed Rule by requiring the following changes.

1. Implementation and Maintenance of an API

CMS proposes that all impacted payers, including MAOs, should implement and maintain a FHIR Prior Authorization Requirements, Documentation, and Decision (“PARDD”) API, which would automate the process to determine whether a prior authorization is required for an item or service. CMS is not proposing to apply these requirements to drugs that are covered by the MAO.

Specifically, CMS proposes that, beginning January 1, 2026, impacted payers would be required to:

• Implement and maintain a FHIR PARDD API using technology conformant with certain standards and implementation specifications in 45 CFR 170.215.

• Ensure that the PARDD API is populated with the payer’s list of covered items and services, excluding drugs, for which prior authorization is required and accompanied by any documentation requirements.

• Include functionality to determine requirements for any other data, forms, or medical record documentation required by the payer for the items or services for which the provider is seeking prior authorization and while maintaining compliance with the mandatory HIPAA transaction standards.

• Ensure that the PARDD API responses from the payer to the provider include information regarding payer approval (and for how long) or denial (with a specific reason) of the request, or request more information from the provider to support the prior authorization request.

2. Timeframes for Decisions and Communications

CMS discusses providers’ concerns that excessive wait times for prior authorization decisions often cause delays to patient care, including transfers between hospitals and post-acute care facilities, treatment, medication, and supplies, and create medical risks in some cases. Currently, MAOs have 72 hours to respond for requests for expedited determinations (42 CFR 422.570) and 14 days to respond to requests for standard determinations (with an ability to extend the timeframe up to 14 days if the payer requires additional information to approve the request or where the extension is justified due to extraordinary, exigent, or other non-routine circumstances and is in the enrollee’s interest) (42 CFR 422.568).

Beginning January 1, 2026, MAOs would be required to send prior authorization decisions as expeditiously as a patient’s health condition requires, but no later than 72 hours for expedited requests and seven calendar days for standard requests. Further, CMS seeks comments on alternative timeframes with shorter turnaround times, such as 48 hours for expedited requests and five calendar days for standard requests; specifically, CMS states that it wishes to learn more about potential technological and administrative barriers that may prevent payers from meeting these shorter timeframes.

3. Providing Clear Reasoning for Denials

CMS believes the prior authorization process could be improved through better communication between payers and providers, particularly with regards to the reasons for denying a prior authorization. CMS believes that providing an understandable reason for a denial could allow a provider to take appropriate actions such as re-submitting the request with updated information, identifying alternatives for the patient, appealing the decision, or communicating the decision to the patient. It asserts that this may alleviate issues such as treatment abandonment and delays in care. Accordingly, CMS proposes that beginning January 1, 2026, payers would be required to provide a specific reason for denied prior authorization decisions (excluding prior authorization decisions for drugs) regardless of the method used to send the prior authorization request.

CMS notes that the Proposed Rule intends to reinforce existing Federal and state requirements to notify providers and patients when an adverse decision is made about a prior authorization request. Rather than having to send the response through multiple vehicles, the reasoning would only need to be submitted via the PARDD API process. For example, CMS notes that under the MA program, actions that constitute an “organization determination” at 42 CFR 422.566(b) already include a prior authorization (or “pre-service”) decision. The Proposed Rule provides that, under existing § 422.566(b), an organization determination would include a request for prior authorization using the PARDD API under the proposed provisions at 42 CFR 422.122.

4. Public Reporting

MAOs would be required to publicly report prior authorization metrics for each calendar year by March 31 of the following year. MAOs would be required to make the following data accessible directly on their websites or via hyperlink(s):

1. A list of all items and services that require prior authorization;

2. The percentage of standard prior authorization requests that were approved, aggregated for all items and services;

3. The percentage of standard prior authorization requests that were denied, aggregated for all items and services;

4. The percentage of standard prior authorization requests that were approved after appeal, aggregated for all items and services;

5. The percentage of prior authorization requests for which the timeframe for review was extended, and the request was approved, aggregated for all items and services;

6. The percentage of expedited prior authorization requests that were approved, aggregated for all items and services;

7. The percentage of expedited prior authorization requests that were denied, aggregated for all items and services;

8. The average and median time that elapsed between the submission of a request and a determination by the MAO, for standard prior authorizations, aggregated for all items and services; and

9. The average and median time that elapsed between the submission of a request and a decision by the MAO for expedited prior authorizations, aggregated for all items and services.

Looking Forward

CMS’ proposals are not the only ones to include electronic prior authorization requirements for MAOs: In September, the House passed the Improving Seniors’ Timely Access to Care Act which requires MAOs to (1) establish an electronic prior authorization program that meets specified standards, including the ability to provide real-time decisions in response to requests for items and services that are routinely approved; (2) annually publish specified prior authorization information, including the percentage of requests approved and the average response time; and (3) meet other standards, as set by CMS, relating to the quality and timeliness of prior authorization determinations. The Senate is likely to vote soon on the legislation, which has bipartisan support.

Though these proposals have not been finalized, MAOs and other impacted payers should anticipate that data exchange and prior authorization requirements will impact their organization beginning January 1, 2026. Payers may want to start considering what procedures and processes they will need to implement to comply with the proposed changes. Further, payers should consider submitting comments on the Proposed Rule, which are due on March 13, 2023.