Healthcare's Next Frontier: CMS Final Rule Signals a Paradigm Shift in Prior Authorization and Interoperability 

By Kim Boyd, Senior Consultant & Regulatory Resource Center Lead

On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) released the highly anticipated Interoperability and Prior Authorization Final Rule, signaling a significant leap forward in fostering interoperability and streamlining prior authorization (PA) processes in healthcare. In a nutshell, the rule gives select payers' deadlines by which they must issue prior authorizations and mandates select payer implementation of Fast Healthcare Interoperability Resources (FHIR) application programming interfaces (APIs) to improve data exchange between themselves and providers. This regulatory milestone, which harnesses the power of API technology to enhance transparency and efficiency, will, when fully implemented, hopefully reduce a myriad of clinical and administrative burdens currently faced by providers, patients, and payers.

The path to establishing this pivotal final rule has been marked by significant developments. Initially put forward in 2020, the proposed rule faced a sequence of changes, starting with a pause and then full withdrawal, paving the way for a new, modified proposal in December 2022. This iterative process was not based solely on a review of public input; it is, rather, a testament to CMS’ commitment to remain actively engaged with industry trends and dialogues, particularly those concerning FHIR standards.

After meticulous consideration of over 900 public comments, CMS refined the proposed rule to reflect the industry’s collective movement toward more mature interoperability solutions. The final rule is the culmination of this dynamic and inclusive process. CMS’ proactive stance has ensured the regulation encapsulates a wealth of industry insights, not only addressing data access and exchange but also significantly enhancing the utility of healthcare information. By championing a balanced approach inclusive of federal requirements and industry feedback, CMS has positioned the healthcare system to transcend boundaries, fostering an environment where data fluidity and patient-centered care can become the benchmarks of healthcare services based on value and quality.

While the final rule imposes compliance obligations on specific stakeholders, its broader impact on propelling the realization of APIs and real-time data exchange should not be ignored. Voluntary compliance is advised for commercial payers and other healthcare information technology (health IT) stakeholders not specifically held to compliance standards by the final rule. Stakeholders who voluntarily embrace this requirement with a forward-looking, strategic perspective will position themselves to capitalize on the full benefits of these technologies, anticipating certain future rulemaking while laying the foundation for interoperability.

The Impact of Mandated Compliance and Voluntary Participation

Payers, including Medicare Advantage organizations, state Medicaid and Children’s Health Insurance Programs (CHIPs), and qualified health plan (QHP) issuers on federally facilitated insurance exchanges, are mandated to comply. Providers, (i.e., Merit-based Incentive Payment System‒eligible clinicians and hospitals), via measures tied to certified health technology, are encouraged to adopt electronic prior authorization (ePA) processes.

The entities excluded from the scope of the final rule include issuers of stand-alone dental plans and those that provide QHPs solely through the federally facilitated Small Business Health Options Program exchanges, among others. Although Medicare fee-for-service plans are also among the stakeholders exempted, CMS has indicated that these plans are already in the process of adopting the standards and implementation guides specified in the rule, further signaling their movement toward achieving the goals of the final rule.

Compliance Timelines

Implementation timelines shifted by one year between the originally proposed rule published in 2022 and the final rule of early 2024. Impacted stakeholders must adhere to specific deadlines for compliance related not only to implementing FHIR APIs but also to data sharing, ePA measures, and reporting metrics.

Under the final rule, stakeholders are required to implement the newly mandated FHIR APIs, which include Provider Access, Payer-to-Payer, and Prior Authorization by January 1, 2027. Additionally, enhancements to the existing Patient Access API, incorporating new data sets, must be completed by January 1, 2026. This timeline also applies to the introduction of new timeframes for PA decisions and the establishment of related reporting metrics to CMS.

CMS has allocated a two-year period for stakeholders to align with the new reporting and performance measures, and a three-year timeframe to fully implement the mandated FHIR APIs. CMS' rationale for this extended timeline is to provide adequate time for the necessary steps of recruitment, training, API development and transformation of operational processes. This phased approach aims to ensure a smooth transition and successful integration of these requirements.

Unlocking Healthcare Transformation: APIs, Standards and Seamless Implementation

Delving into the technical nuances of the final rule, we must navigate through the mandatory standards and recommended guides to shed light on the groundbreaking potential for operational efficiencies.

Patient Access API - Unleashing Data Empowerment: The Patient Access API, though already in force, mandates specific payers to enhance it further. It requires timely provision of adjudicated claims, encounters with capitated providers and clinical data to patients through health apps within one business day of receiving claim or encounter data. Despite broad support for its potential in enhancing patient engagement, concerns around proprietary systems and low utilization rates have been raised.

Provider Access API - Bridging the Care Continuum: To foster care coordination and advance value-based care, impacted payers must implement the Provider Access API. Aligned with technical standards in the CMS Interoperability and Patient Access Final Rule, this API, based on HL7 FHIR Release 4.0.1, empowers providers to access current patient data, excluding certain details like provider remittances and patient cost-sharing information.

Payer-to-Payer API - Ensuring Continuity of Care: Focused on enhancing patient care continuity, the Payer-to-Payer API mandates select payers to implement a FHIR API for data exchange, allowing health data to follow patients when changing payers. The rule anticipates benefits like better coordinated care, enhanced data security and broader adoption beyond impacted payers, with compliance dates set for 2027.

Prior Authorization API - Streamlining Decision Processes: Formerly known as PARDD (Prior Authorization Request and Decision), this API will automate the processes of determining whether PA is needed (Coverage Requirements Discovery), determining what information is needed to process an approved PA (Documentation Templates and Rules) and coming to an expedited determination (Personal Assistance Services). Impacted payers must also provide explicit reasons for denial reasons. The final rule sets specific standards, including the United States Core Data for Interoperability (USCDI) and HL7 FHIR Release 4.0.1, and recommends implementation guides to ensure a standardized approach.

Key Prior Authorization Provisions & Enforcement - A Paradigm Shift

An essential aspect of the final rule is its requirement that impacted payers reduce response times to PA requests. The general timeframes are seven days for standard requests for most impacted stakeholders and 15 days for standard requests for CHIPs. Payers must respond to expedited requests within 72 hours of receipt.

In addition to these narrow response windows, the rule aims to improve transparency with a requirement that plans include specific reasons for their denials. It also addresses accountability by mandating that impacted payers publicly report PA metrics on their websites beginning January 1, 2026. Additionally, the rule expands access to authorization information through adopted APIs like Provider Access, Patient Access and Payer-to-Payer, as mentioned above.

Healthcare stakeholders impacted by the final rule should also consider that Health and Human Services has introduced enforcement discretion for organizations opting for a FHIR-only solution, exempting them from certain Health Insurance Portability and Accountability Act (HIPAA) requirements. Entities covered by HIPAA that implement an all-FHIR-based Prior Authorization API will not face enforcement under HIPAA Administrative Simplification, providing flexibility for compliance.

As healthcare continues to evolve, this final rule sets the stage for a transformative journey, urging stakeholders to embrace the power of APIs and standardized data exchange for a future of enhanced healthcare accessibility and efficiency.

Reading the Tea Leaves: A Strategic Perspective

Once deciphered, the intricate language of the CMS final rule reveals a strategic path that not only mirrors the agency’s present mindset but also indicates the trajectory it and partnering organizations like the Office of the National Coordinator for Health IT are charting for future regulations. It’s essential for stakeholders to interpret these regulatory tea leaves so they can strategically navigate this changing landscape.

Stakeholders should pay particular attention to the fact that CMS has explicitly acknowledged the complexity surrounding medical benefit drugs, which led to its exclusion of drugs in the final rule. However, the forward-looking tone in the explanation and consideration that went into that decision suggests a commitment by CMS to resolving these complexities in future updates, making drug inclusion part of future PA requirements a potential focal point.

The flexibility granted in API implementation is another pivotal move that should be considered strategically, with an eye to future industry advancements. The decision not to enforce the use of the X12 278 standard for entities opting for an all-FHIR approach in the Prior Authorization API allows room for innovation. This approach not only champions the adoption of modern and efficient technologies, but also aligns with healthcare’s diverse technological ecosystem, fostering flexibility and adaptability.

Furthermore, the rule’s reference to a National Directory of Healthcare Providers & Services hints at a concerted effort by regulatory bodies to improve the ease with which stakeholders can locate and access verified end points. It indicates a move toward a more interconnected and transparent network where accurate and up-to-date provider information is readily available, thereby facilitating efficient communication and overall healthcare delivery.

The CMS final rule serves as scaffolding for upcoming regulations designed to further elaborate on and extend the principles established by these and previous rules. This foundational framework, indicated by the commitment to assess prior authorization transaction standards and to delve into further components of medical care, such as drugs covered under the medical benefit, underscores a continuous effort to enhance healthcare interoperability. This approach not only sets the stage for future advancements but also ensures that the evolution of healthcare regulations remains dynamic and responsive to the needs of the ecosystem.

Strategic Considerations for Compliance Excellence

As stakeholders embark on the compliance journey, strategic decisions loom large. Opting for a mere "check the box" approach may be shortsighted when building the required APIs which, if developed strategically, are poised to unlock operational efficiencies that could result in real savings and competitive advantages. The rule isn't just about technology; it's a convergence of business process transformation to support patient care and policies that advance patient-centered efforts and technology adoption, the whole of which demands a holistic understanding.

Prioritizing business transformation including process considerations, partner requirements, employee education and data governance is crucial. Compliance extends beyond deadlines, after all. It’s about solving business problems, enhancing timeliness and fostering data fluidity in healthcare operations. We urge payers, providers and health IT vendors to consider the advantages of implementing APIs for efficient and immediate data exchange, both internally and externally, setting a course for future innovations in healthcare technology.

Ready to Take the Next Step?

The CMS Interoperability and Prior Authorization Final Rule marks a transformative step toward a more interconnected healthcare landscape. Register for our webinar on March 6 to listen to our experts provide a more in-depth overview and analysis of the rule. Prefer a one-on-one discussion? Reach out to Point-of-Care Partners (POCP) at kim.boyd@pocp.com or brian.dwyer@pocp.com.

Stay tuned for more detailed explorations and projections from POCP related to this regulation and future policy activities in the dynamic healthcare technology space.