US Medical BillingRevenue cycle solutions
Prior authorization

The CMS Interoperability and Prior Authorization rule

The CMS Interoperability and Prior Authorization final rule — identified in agency documents as CMS-0057-F and finalized in early 2024 — is a federal regulation that requires certain government-regulated health plans to streamline prior authorization and share data through standardized electronic interfaces. Issued by the Centers for Medicare & Medicaid Services, it sets decision timeframes, requires payers to give a specific reason when they deny a request, and mandates public reporting of authorization data. It reaches only the payers CMS oversees, however, and its provisions phase in over several years on compliance dates the agency sets.

Updated 7 min read

On this page

Key takeaways

What the rule is

The rule ties two goals together: making health data flow more freely among plans, providers, and patients, and reducing the friction that prior authorization adds to care. Identified in CMS documents as CMS-0057-F and finalized in early 2024, it builds on the agency's earlier 2020 Interoperability and Patient Access rule, which first required certain payers to expose patient data through standardized programming interfaces. The newer rule extends that foundation specifically to the authorization process, obligating covered plans to share requirements electronically, decide requests faster, and report on how they use prior authorization.

Importantly, the rule governs payer behavior rather than the clinical criteria behind any decision. It does not define which services need approval or what counts as medically necessary — those judgments remain with each payer and its policies. What the rule changes is the plumbing and the timeline around the request: how information moves, how quickly a determination must be returned, and what a plan must disclose when it declines a service.

Interoperability vs. the authorization itself

Which payers it applies to

The rule reaches the payers CMS directly oversees. That scope is central to understanding it, because a requirement that binds a Medicare Advantage organization may not apply to a neighboring employer-sponsored plan at all. The categories of impacted payers are:

  • Medicare Advantage organizations
  • State Medicaid and CHIP fee-for-service programs
  • Medicaid and CHIP managed care plans
  • Qualified Health Plan issuers on the Federally-Facilitated Exchanges

Most commercial and self-funded employer plans fall outside the rule's direct authority, though some adopt similar practices voluntarily or under separate state laws. Prescription drugs are also largely excluded from the rule's prior authorization provisions; medication approvals continue to run through pharmacy-benefit processes and other standards. Because the rule's reach varies by payer type and program — and because states may layer their own prior authorization laws on top — the requirements that actually apply should be confirmed against the specific plan and jurisdiction involved. The related articles on prior authorization under Medicare Advantage and under Medicaid describe how each program administers authorization within that framework.

The electronic interfaces it requires

A core mechanism of the rule is a set of application programming interfaces, or APIs, built on the HL7 FHIR standard — a common healthcare data format that lets different systems exchange structured information. Rather than prescribing one vendor's product, the rule requires covered payers to expose data through these standardized interfaces so that the provider and patient applications that connect to them can exchange information in a common format. Four interfaces are central to the rule.

Patient Access API
Lets patients retrieve their own claims, encounter, and — under the newer rule — prior authorization information through an application they choose.
Provider Access API
Shares a patient's data, including prior authorization details, with in-network providers to support care coordination.
Payer-to-Payer API
Moves a member's data, including active prior authorizations, from a former plan to a new one when the patient changes coverage.
Prior Authorization API
A FHIR-based interface intended to tell a provider's system whether a service needs authorization, what documentation is required, and the payer's decision — the technical backbone for electronic prior authorization.

New prior authorization obligations

Beyond data sharing, the rule imposes several operational duties on covered payers. Together they aim to make determinations faster and more transparent, and to give the field data on how often prior authorization is used and upheld.

  • Faster decisions — shorter maximum timeframes for standard and expedited requests than some earlier standards required of the affected programs.
  • Specific denial reasons — when a request is denied, the payer must communicate a specific reason, which supports a cleaner resubmission or appeal.
  • Public reporting — covered payers must post certain aggregated prior authorization metrics, such as approval and denial figures, on their websites.
How the rule frames standard versus expedited prior authorization requests
How the rule frames standard versus expedited prior authorization requests
Request typeWhat it coversHow the rule addresses the timeframe
Standard requestNon-urgent services requested in advanceThe rule sets a maximum decision window for the programs it covers; CMS publishes the specific number of days, which can change over time.
Expedited (urgent) requestSituations in which a delay could seriously jeopardize the patient's health or ability to regain functionThe rule sets a shorter maximum than for a standard request; the exact window is defined by CMS.

These maximum decision windows apply to certain covered programs — such as Medicare Advantage and Medicaid and CHIP fee-for-service and managed care — and were not finalized identically for every payer the rule touches, so the programs affected, the exact figures, and the compliance dates should be confirmed against the current CMS rule. Commercial plans and individual state laws may set different clocks entirely.

Provisions phase in on set dates

What it means for billing operations

For revenue cycle teams working with affected plans, the rule is expected to shift more of the process onto electronic rails. As covered payers stand up their interfaces, a provider's system may be able to learn whether a service needs authorization and what documentation is required without a portal login or fax, and to receive decisions and a distinct authorization number through the same channel. Faster maximum decision windows and specific denial reasons can also compress the time spent chasing status and interpreting vague rejections, which supports tighter tracking of authorization status and deadlines.

The rule does not eliminate the underlying work, however. Teams still confirm whether a service requires review, assemble clinical documentation, and follow the payer's authorization workflow to a decision. Payers not covered by the rule may continue with existing processes, so front-end steps and per-payer verification remain essential regardless of how far electronic exchange advances. In short, the rule reshapes the mechanics and the timelines of prior authorization for a defined set of plans — it does not remove the clinical judgment, the documentation, or the need to match what was approved to what is ultimately billed.

Common questions

Does the CMS rule eliminate prior authorization?

No. It standardizes and speeds parts of the process for covered payers and requires clearer denials, but providers still submit documentation and payers still evaluate each request against their coverage and medical-necessity criteria.

Does the rule apply to commercial or employer health plans?

Not directly. It governs CMS-regulated payers — Medicare Advantage organizations, Medicaid and CHIP programs and managed care plans, and Qualified Health Plans on the Federally-Facilitated Exchanges. Commercial and self-funded employer plans may follow separate state laws or voluntary standards instead.

Does the rule cover prescription drugs?

The prior authorization API and related provisions generally exclude drugs. Medication prior authorization continues to run through pharmacy-benefit processes and other standards.

When do the requirements take effect?

CMS set phased compliance dates, with the decision-timeframe, denial-reason, and reporting provisions beginning on one date and the API requirements on a later one. Because those dates are specific and can shift, the current CMS rule is the authoritative source.

What is the Prior Authorization API meant to do?

It is a FHIR-based interface intended to let a provider's system learn whether a service needs authorization, what documentation is required, and the payer's decision, supporting electronic prior authorization.

Key terms in this article

Defined once, on their own pages.

Authoritative sources

Ready to improve your revenue cycle?

Explore our services and knowledge base to see how we can help.