Health Article

Prior Authorization for the Win

How Insurance Payers Should Respond to CMS’s Final Rule

February 13, 2024

Key Takeaways

  • CMS’s final rule should prompt a complete process transformation that turns prior authorization from a burdensome hurdle into a transparent, easy-to-navigate, and easy-to-understand step in each patient’s healthcare journey.
  • Insurance payers that help members and providers more effectively navigate the prior authorization process will benefit from higher CMS Star Ratings, improved member/provider retention, and lower administrative costs. Those that don’t will suffer the consequences.
  • Leveraging artificial intelligence is at the heart of the process transformation because it can both facilitate automation and enhance member experience. Effectively employing AI can reduce compliance costs for insurance payers, while also helping to guide members and providers through the prior authorization process in an efficient and culturally sensitive manner.
  • The success of CMS’s final rule depends critically on the willingness of members to have their healthcare data shared electronically among payers and providers. Clearly explaining what data are shared, under what circumstances, and how it will help coordinate their care is essential to building members’ trust in the electronic exchange of healthcare data.
  • Member and provider experience should be insurance payers’ North Star. All departments should collaborate in designing a seamless healthcare journey for plan members and associated providers, minimizing friction and frustration and maximizing satisfaction.

In January CMS released its “Interoperability and Prior Authorization Final Rule” (CMS-0057-F).  According to CMS, the rule has two related goals: to improve the electronic exchange of healthcare data and to streamline the prior authorization (PA) process. The rule applies to Medicare Advantage organizations, state Medicaid programs, CHIP programs, and Qualified Health Plan issuers on the Federally Facilitated Exchanges, which is to say that most insurance payers with government plans will be affected. Most of the rule’s provisions related to the PA process will become effective on January 1, 2026, while most of its interoperability provisions will become effective a year later on January 1, 2027.

At first glance, the rule’s requirements may seem like little more than another IT systems exercise, and some insurance payers will be tempted to just check the relevant boxes and move on. That would be a mistake. Those payers that seize the opportunity the rule presents to transform prior authorization from a burdensome hurdle into a transparent, easy-to-navigate, and easy-to-understand step in each patient’s healthcare journey stand to reap considerable benefits, including higher CMS Star Ratings, improved member/provider retention, and lower administrative costs. Those that don’t will suffer the consequences.

In a previous issue brief, we discussed the critically important goals that prior authorization is meant to advance, including cost control, quality assurance, and patient safety, as well as how and why the current PA process often ends up failing members and providers. In this follow-up issue brief, we take a closer look at the final CMS rule, what’s at stake for insurance payers, and how they should respond to maximize the potential benefits for both their own organizations and their stakeholders.

What’s at Stake

In responding to CMS’s final rule, insurance payers face a choice. They can use the rule as a springboard for rethinking the entire PA process so that it is less burdensome and better aligned with member and provider needs. Or they can take a minimalist approach that meets the rule’s technical requirements while leaving the current inefficient PA process largely in place. While some payers may be tempted to take the minimalist approach, that would be a mistake. Much is at stake:

CMS Star Ratings. An inefficient PA process gives rise to unnecessary complications in denials and appeals, frustrating and alienating members. This, in turn, can result in lower CMS Star Ratings. Can your organization afford this blow to its public rating and reputation?

Member/Provider Retention. The PA process, when overly burdensome, can contribute to provider burnout, degrading the effectiveness of health plan networks. It can also adversely affect membership retention. Is this a risk your organization is willing to take?

Administrative Costs. Providers often incorrectly pursue a PA when one is not required, increasing the workload for call centers. Conversely, when a PA is required but overlooked, it increases the workload for utilization management departments. Both scenarios inflate administrative costs. Is this an expense your organization is ready to shoulder?

If these risks and costs are unacceptable to your organization, then a more thoughtful and thorough approach to compliance with CMS-0057-F is advisable.  In fact, it is a business imperative.

How Payers Should Respond

The CMS final rule has seven main provisions. The first four seek to enhance data exchange and interoperability by requiring impacted payers to add information about PAs to their Patient Access APIs (Application Programming Interfaces), while also establishing and maintaining a separate Provider Access API, a separate Payer-to-Payer API, and a separate Prior Authorization API. The fifth provision specifies changes to the rules governing PAs; the sixth is designed to encourage providers to use Prior Authorization APIs; and the seventh deals with API standards and implementation guidelines.

For each provision, we discuss the rule’s requirements, then suggest concrete action steps that payers can take to adapt, respond, and thrive in the evolving healthcare ecosystem.


The CMS final rule requires impacted payers to add information about PAs to their Patient Access APIs. According to CMS, the provision is designed to help members understand the PA process and its impact on their care. While this sounds straightforward, a minimalist approach to compliance is unlikely to yield the desired results. According to a 2017 United HealthCare Consumer Sentiment Survey, only 9 percent of Americans understand all four of the following common health insurance terms: health plan premium, health plan deductible, out-of-pocket maximum, and co-insurance.  Effectively communicating information about PAs, and especially denials, will be even more challenging than communicating basic health plan information.

Action Steps:

  • Use generative AI to help members navigate your Patient Access API and supply simplified explanations to questions they may have about their PAs. Ensure that the AI functions well in all languages relevant to your plan’s membership. While an AI-enabled Patient Access API cannot substitute for your call center, it can greatly reduce staff burdens while improving member experience.


The CMS final rule requires impacted payers to establish and maintain a Provider Access API through which member health data, including information about PAs, can be shared with in-network providers with whom members have a treatment relationship. According to CMS, the provision is designed to both improve care coordination and to help facilitate the shift to value-based payment arrangements. While the Provider Access API has the potential to advance these goals, integrating it into the workflow of the Electronic Health Record (EHR) systems that providers use will be challenging. Members also have the right to opt out of having their health data shared through the API, and some may be reluctant to participate.

Action Steps:

  • Begin by conducting a pilot with a limited number of network providers to determine the best ways to encourage widespread adoption and successful utilization of the API. Track adoption and utilization rates among the pilot participants, analyze key metrics (such as turnaround times and case resolution rates), and make adjustments as necessary in an iterative process as learning progresses. Once your targets have been met with pilot participants, go live with the other providers in your network. While this approach to compliance will require significant up-front investment, that investment will more than pay for itself over time.
  • Build members’ confidence in the API by clearly explaining to them what health data will be shared, under what circumstances, and how it will help coordinate their care. Enlist your network providers, whom members may be more inclined to trust, to assist in this educational outreach.


The CMS final rule requires impacted payers to establish and maintain a Payer-to-Payer API through which member health data, including information about PAs, can be shared with other payers. For data to be transferred, member permission must be obtained. According to CMS, the provision is designed to help ensure continuity of care when members change health plans.  The challenge here is that some payers may be reluctant to facilitate the exchange of member data with other payers, some of which may be their direct competitors. This concern is largely unfounded, since the required exchange of data excludes sensitive business information like provider remittances and member cost-sharing. Nonetheless, payers may want to proceed cautiously in implementing the provision.

Action Steps:

  • Conduct a pilot that is restricted to adjacent, noncompetitive payers (such as behavioral health plans) with which your members are most likely to interact. Once the Payer-to-Payer API has been tested with this group, it can be extended to other payers. There are two advantages to this approach. The first is that, by initially focusing on those payers where care coordination is most critical, you will improve member experience and thus increase the likelihood of member retention. The second is that you may be able to identify and avoid potential pitfalls before you go live with all payers, including those with which you are in direct competition.
  • To encourage your members to share their health data, implement a program of educational outreach similar to the one suggested above for the Provider Access API.


The CMS final rule requires impacted payers to establish and maintain a Prior Authorization API. This API must include documentation requirements for PA approval and support all steps in the PA process, including initial requests, approvals, denials, requests for further information, and resubmissions. The Prior Authorization API clearly has the potential to improve communication with providers and members. But as with the Provider Access API, its integration with providers’ EHR systems presents a major challenge.

Action Steps:

  • To encourage widespread provider adoption and successful provider utilization, begin by conducting a pilot similar to the one suggested above for the Provider Access API. Providers that are engaged in alternative payment models may be the best candidates for this pilot, since they may be more willing to undertake the upgrades to EHR systems, changes in workflows, and staff training that using the API will require.
  • To facilitate member adoption and ensure satisfactory member experience, your utilization management team (and especially those involved in the PA process) should partner with your member experience team to conduct a pilot with a representative group of members. The goal is to ensure that the API is easy to navigate and answers questions in a way that members find easy to understand before going live with your entire membership. As with the Patient Access API, generative AI solutions can be leveraged to optimize member experience.


The CMS final rule includes three changes designed to improve the PA process:

a. Prior Authorization Decision Timeframes. Impacted payers will now be required to deliver notifications of decisions on standard PA requests within seven calendar days. The turnaround for urgent PA requests remains 72 hours.

b. Denial Reason. Impacted payers must now electronically provide specific reasons for PA denials.

c. Prior Authorization Metrics. Impacted payers must publicly report certain PA metrics on their websites, including the percent of PA requests that are approved and denied and the average and median time required for processing standard and urgent PA requests.

Action Steps:

  • Conduct a functional assessment of your existing IT toolsets and dedicated staff resources to determine whether they can effectively and efficiently execute the provision’s requirements. If the assessment reveals a capability gap, identify what mix of software upgrades or extensions, new technology modules, and/or staff reconfiguration will allow you to achieve compliance with the lowest up-front investment cost and the lowest ongoing maintenance cost.


To encourage providers to use electronic PA processes, the CMS final rule creates a new reporting measure for MIPS-eligible (Merit-Based Incentive Payment System) clinicians and hospitals, as well as eligible Critical Access Hospitals (CAHs). Providers that select this measure must attest annually whether they have requested at least one PA during the performance period via a Prior Authorization API using data from a Certified Electronic Health Record Technology (CEHRT). This provision presents a valuable opportunity for providers to step up and help reduce the administrative burden of PAs.

Action Steps:

  • If providers have not already done so, they should develop a detailed plan aimed at allowing their organization to begin making routine (if not exclusive) use of electronic PA processes within the shortest possible timeframe. In developing and implementing the plan, they should closely follow CMS-recommended Implementation Guides.
  • To initiate the journey, providers could begin by identifying a few types of common PA requests, such as those for routine endoscopies, then conduct a pilot that measures the value (in terms of time or money saved) of integrating those requests with their EHR systems.


The CMS final rule specifies the required interoperability standards for the various APIs. It also recommends the use of specific Implementation Guides, but does not make their use mandatory. While some flexibility in implementation may be necessary, it also complicates compliance and may make the standardization of technologies and processes across different payers more challenging.

Action Steps:

  • Insurance payers should identify the most important provider partners in their networks and collaborate closely with them in implementing API interoperability standards. While it may not be feasible to ensure perfect interoperability across the entire payer universe, it is certainly possible for payers to achieve it within their own provider galaxy.


CMS’s Interoperability and Prior Authorization Final Rule presents some daunting challenges for insurance payers. But it also presents a tremendous opportunity for them to create significant value for both their own organizations and their stakeholders. Seizing that opportunity demands that they look beyond the rule’s technical requirements and embark on a complete process transformation in how they approach prior authorization. This transformation will require rethinking existing practices and leveraging technologies like AI to make prior authorization more efficient and user-friendly. Above all, it will require a relentless focus on what must be payers’ North Star: improving member and provider experience.

To make the most of the opportunity and unlock its full potential, finding the right partner is vital. Contact us at to learn more about how Terry Health applies its process management, data science, compliance, and change management expertise to help organizations thrive in today’s evolving healthcare ecosystem.