The CMS Interoperability and Prior Authorization rule
The CMS Interoperability and Prior Authorization final rule — identified in agency documents as CMS-0057-F and finalized in early 2024 — is a federal regulation that requires certain government-regulated health plans to streamline prior authorization and share data through standardized electronic interfaces. Issued by the Centers for Medicare & Medicaid Services, it sets decision timeframes, requires payers to give a specific reason when they deny a request, and mandates public reporting of authorization data. It reaches only the payers CMS oversees, however, and its provisions phase in over several years on compliance dates the agency sets.
Updated 7 min read
On this page
Key takeaways
- CMS-0057-F is a federal rule finalized in 2024 that targets prior authorization burden and payer-to-payer data sharing.
- It applies to CMS-regulated payers — Medicare Advantage, Medicaid and CHIP programs and managed care plans, and Qualified Health Plans on the federal exchanges — not most commercial or employer plans.
- It requires FHIR-based APIs (Patient Access, Provider Access, Payer-to-Payer, and a Prior Authorization API) plus faster decisions and specific denial reasons.
- Its requirements phase in on CMS-set compliance dates, and prescription drugs are largely excluded from its prior authorization provisions.
- Specific timeframes and effective dates come from CMS and change over time, so the current rule text is the authoritative source.
What the rule is
The rule ties two goals together: making health data flow more freely among plans, providers, and patients, and reducing the friction that prior authorization adds to care. Identified in CMS documents as CMS-0057-F and finalized in early 2024, it builds on the agency's earlier 2020 Interoperability and Patient Access rule, which first required certain payers to expose patient data through standardized programming interfaces. The newer rule extends that foundation specifically to the authorization process, obligating covered plans to share requirements electronically, decide requests faster, and report on how they use prior authorization.
Importantly, the rule governs payer behavior rather than the clinical criteria behind any decision. It does not define which services need approval or what counts as medically necessary — those judgments remain with each payer and its policies. What the rule changes is the plumbing and the timeline around the request: how information moves, how quickly a determination must be returned, and what a plan must disclose when it declines a service.
Interoperability vs. the authorization itself
Which payers it applies to
The rule reaches the payers CMS directly oversees. That scope is central to understanding it, because a requirement that binds a Medicare Advantage organization may not apply to a neighboring employer-sponsored plan at all. The categories of impacted payers are:
- Medicare Advantage organizations
- State Medicaid and CHIP fee-for-service programs
- Medicaid and CHIP managed care plans
- Qualified Health Plan issuers on the Federally-Facilitated Exchanges
Most commercial and self-funded employer plans fall outside the rule's direct authority, though some adopt similar practices voluntarily or under separate state laws. Prescription drugs are also largely excluded from the rule's prior authorization provisions; medication approvals continue to run through pharmacy-benefit processes and other standards. Because the rule's reach varies by payer type and program — and because states may layer their own prior authorization laws on top — the requirements that actually apply should be confirmed against the specific plan and jurisdiction involved. The related articles on prior authorization under Medicare Advantage and under Medicaid describe how each program administers authorization within that framework.
The electronic interfaces it requires
A core mechanism of the rule is a set of application programming interfaces, or APIs, built on the HL7 FHIR standard — a common healthcare data format that lets different systems exchange structured information. Rather than prescribing one vendor's product, the rule requires covered payers to expose data through these standardized interfaces so that the provider and patient applications that connect to them can exchange information in a common format. Four interfaces are central to the rule.
- Patient Access API
- Lets patients retrieve their own claims, encounter, and — under the newer rule — prior authorization information through an application they choose.
- Provider Access API
- Shares a patient's data, including prior authorization details, with in-network providers to support care coordination.
- Payer-to-Payer API
- Moves a member's data, including active prior authorizations, from a former plan to a new one when the patient changes coverage.
- Prior Authorization API
- A FHIR-based interface intended to tell a provider's system whether a service needs authorization, what documentation is required, and the payer's decision — the technical backbone for electronic prior authorization.
New prior authorization obligations
Beyond data sharing, the rule imposes several operational duties on covered payers. Together they aim to make determinations faster and more transparent, and to give the field data on how often prior authorization is used and upheld.
- Faster decisions — shorter maximum timeframes for standard and expedited requests than some earlier standards required of the affected programs.
- Specific denial reasons — when a request is denied, the payer must communicate a specific reason, which supports a cleaner resubmission or appeal.
- Public reporting — covered payers must post certain aggregated prior authorization metrics, such as approval and denial figures, on their websites.
| Request type | What it covers | How the rule addresses the timeframe |
|---|---|---|
| Standard request | Non-urgent services requested in advance | The rule sets a maximum decision window for the programs it covers; CMS publishes the specific number of days, which can change over time. |
| Expedited (urgent) request | Situations in which a delay could seriously jeopardize the patient's health or ability to regain function | The rule sets a shorter maximum than for a standard request; the exact window is defined by CMS. |
These maximum decision windows apply to certain covered programs — such as Medicare Advantage and Medicaid and CHIP fee-for-service and managed care — and were not finalized identically for every payer the rule touches, so the programs affected, the exact figures, and the compliance dates should be confirmed against the current CMS rule. Commercial plans and individual state laws may set different clocks entirely.
Provisions phase in on set dates
What it means for billing operations
For revenue cycle teams working with affected plans, the rule is expected to shift more of the process onto electronic rails. As covered payers stand up their interfaces, a provider's system may be able to learn whether a service needs authorization and what documentation is required without a portal login or fax, and to receive decisions and a distinct authorization number through the same channel. Faster maximum decision windows and specific denial reasons can also compress the time spent chasing status and interpreting vague rejections, which supports tighter tracking of authorization status and deadlines.
The rule does not eliminate the underlying work, however. Teams still confirm whether a service requires review, assemble clinical documentation, and follow the payer's authorization workflow to a decision. Payers not covered by the rule may continue with existing processes, so front-end steps and per-payer verification remain essential regardless of how far electronic exchange advances. In short, the rule reshapes the mechanics and the timelines of prior authorization for a defined set of plans — it does not remove the clinical judgment, the documentation, or the need to match what was approved to what is ultimately billed.
Common questions
Does the CMS rule eliminate prior authorization?
No. It standardizes and speeds parts of the process for covered payers and requires clearer denials, but providers still submit documentation and payers still evaluate each request against their coverage and medical-necessity criteria.
Does the rule apply to commercial or employer health plans?
Not directly. It governs CMS-regulated payers — Medicare Advantage organizations, Medicaid and CHIP programs and managed care plans, and Qualified Health Plans on the Federally-Facilitated Exchanges. Commercial and self-funded employer plans may follow separate state laws or voluntary standards instead.
Does the rule cover prescription drugs?
The prior authorization API and related provisions generally exclude drugs. Medication prior authorization continues to run through pharmacy-benefit processes and other standards.
When do the requirements take effect?
CMS set phased compliance dates, with the decision-timeframe, denial-reason, and reporting provisions beginning on one date and the API requirements on a later one. Because those dates are specific and can shift, the current CMS rule is the authoritative source.
What is the Prior Authorization API meant to do?
It is a FHIR-based interface intended to let a provider's system learn whether a service needs authorization, what documentation is required, and the payer's decision, supporting electronic prior authorization.
Key terms in this article
Defined once, on their own pages.
Continue learning
Where to go next on prior authorization and the systems around it.
Electronic prior authorization
How FHIR-based interfaces move authorization requests and decisions between systems.
Prior authorization under Medicare Advantage
How MA organizations administer authorization within federal rules.
Prior authorization under Medicaid
How state Medicaid programs and managed care plans handle authorization.
What is prior authorization?
The foundational concept the rule is built to streamline.
CMS
The agency that issued the rule and administers Medicare and Medicaid.
Authoritative sources
- Centers for Medicare & Medicaid Services (CMS) (opens in a new tab)
Federal agency that issued the Interoperability and Prior Authorization final rule and administers Medicare and Medicaid.
- CMS Medicare Learning Network (MLN) (opens in a new tab)
CMS educational booklets and fact sheets explaining program rules and requirements.
- Healthcare Financial Management Association (HFMA) (opens in a new tab)
Professional body publishing guidance on revenue cycle and payer policy.
