CMS-0057-F brings massive changes to US healthcare. Our team has looked at the new CMS Interoperability and Prior Authorization Final Rule published on January 17, 2024. The regulation aims to make health information more accessible and easier to exchange.
To better understand what this means for the industry, we interviewed the people who manage patient records. After explaining the Rule in plain words, we’ll dive into the meat and potatoes—the new APIs necessary for compliance and an actionable timeline for payors.
Table of contents:
- What is CMS-0057-F? Who is subject to it?
- How to comply with CMS-0057-F?
- Implement new and updated APIs by 2027
- Change your prior authorization process by 2026
- Potential state extensions and exceptions
- CMS-0057-F enforcement and oversight
- Strategic implications for insurance companies
- Takeaways and timelines for payors
Who is subject to CMS-0057-F?
CMS-0057-F is the latest regulation released by the US Centers for Medicare & Medicaid Services (CMS) on Jan. 17, 2024. It aims to make prior authorization more transparent for patients and less painful for physicians. It also focuses on breaking silos to improve medical data sharing. The Rule applies to the following payors:
- Medicare Advantage (MA) organizations.
- State Medicaid fee-for-service (FFS) programs and Medicaid managed care plans.
- State CHIP FFS programs and CHIP managed care entities.
- Qualified Health Plan (QHP) issuers on the Federally-Facilitated Exchanges (FFEs) (excluding stand-alone dental plans and Small Business Health Options Program issuers).
These payors must meet new interoperability and prior authorization requirements by specific deadlines. We’ll look at these requirements and deadlines in the next chapter.
How to comply with CMS-0057-F?
Now, let’s proceed to the technical means by which payors must comply with the CMS-0057 Final Rule.
Implement new and updated APIs by 2027
The final rule establishes four APIs that insurers must implement or enhance by January 1, 2027 (or rating/plan years beginning on or after January 1, 2027).
Here’s what you need to know about them, straight from a developer of interoperability solutions for the healthcare industry.
#1 Patient access API
Payors must include prior authorization info in the claims/encounter and clinical data they already share with patients.
#2 Provider access API
Insurers must develop a new API for in-network providers. This API will give them access to patient data, such as claims, prior authorizations, and clinical data.
Starting Jan. 1, 2027, providers will be able to see relevant data without duplicating requests or forcing patients to manage paper records.
Keep in mind that this data will be subject to patient opt-out.
#3 Payor-to-payor API
The Rule defines what happens when John Doe moves from one insurer to another. The payor-to-payor API must support exchange of up to five years of a patient’s data. This includes certain prior authorization information.
If John has two or more payors at the same time, these payors must share fresh data at least quarterly. If John gives permission, that is.
#4 Prior authorization API
The fourth and final API streamlines the workflow so that providers can:
- Check if a service or item requires prior authorization.
- Retrieve documentation requirements.
- Submit the request.
The Final Rule excludes prior authorizations for drugs. However, plans can voluntarily include them.
These APIs will improve health data exchange among payors, providers, and patients while reducing administrative burden. We’ll discuss each of them in greater detail in our follow-up articles.
But does this mean you can wait till the next to start with CMS-0057-F compliance?
Well, not exactly.
Change your prior authorization process by 2026
Even before the APIs go live in 2027, payors will have to change the way they handle prior authorization requests.
Decrease your turnaround times
The main change is that payors now have to follow tight deadlines for prior authorization:
- 7 calendar days or less for standard requests.
- 72 hours for expedited requests (or faster if the patient’s condition requires).
These deadlines hold true whether the request comes by email or any other means.
Provide specific denial reasons
For each denied request, the insurer must issue a written notice to the provider. This notice must include a clear, specific reason for the denial.
This change will reduce appeals by helping providers and patients understand the decision.
Report metrics to the public
Another important change states that to improve transparency, insurers must publicly post aggregated prior authorization stats:
- Number of approvals.
- Denial numbers.
- Average time for decisions, etc.
Report the usage of patient access API
Insurers must also begin reporting certain metrics on Patient Access API usage to CMS (for example, how many patients are actively using the API).
Starting Jan. 1, 2026, these requirements apply regardless of whether the request arrives through the new API or more traditional methods.
Potential state extensions and exceptions
State Medicaid & CHIP FFS Programs may request an extension for the 2027 API requirements. They might need additional time due to unique funding cycles or procurement constraints.
QHP Issuers on the FFEs may apply annually for an exception. For this, they need to demonstrate the inability to meet certain requirements without major hardship.
CMS-0057-F enforcement and oversight
The Rule doesn’t specify penalties. Each CMS program can select from a number of enforcement actions depending on the payor’s history and status in the program.
- Medicare Advantage Plans: CMS can use existing enforcement pathways (for example, corrective action plans or monetary penalties).
- Medicaid and CHIP: States are responsible for their managed care plan compliance. CMS will review this through contract approvals and oversight.
- QHPs on FFEs: CMS can use compliance reviews, civil monetary penalties, and other levers.
Expect CMS to monitor the Rule implementation closely. Beneficiaries, providers, and others can report noncompliance via existing complaint channels.
Strategic implications for insurance companies
Here’s what this all means for the industry players.
Rethink IT infrastructure & budgeting
Insurers must upgrade or replace existing systems to develop secure HL7 FHIR-based APIs.
This may require coordination with health IT vendors, internal engineering teams, and third-party healthcare software developers.
Focus on operational and staff training
A key implication of the new changes is that providers must invest in training customer service and claims-processing staff. They’ll have to adjust to major changes in processes, including:
- Shorter authorization timelines.
- New API-based workflows.
Educate members and providers
Plans must develop strategies to inform both enrollees (patients) and network providers:
- How to access and use the new APIs.
- How to opt out (if applicable).
- Details of the revised prior authorization procedures.
Integrate claims and clinical data
Patient Access API and Payor-to-Payor API will include prior authorization data.
This requires you to integrate clinical documentation, claims, and authorizations—often stored in separate systems—into a unified exchange format.
Improve transparency and speed
CMS-0057-F introduces shorter turnaround times and public reporting. Plans must, therefore, have the capacity and workflows to meet deadlines without reducing accuracy.
Those who struggle to meet the new standards risk reputational harm and potential enforcement actions.
Gain a competitive advantage
Plans that comply early or exceed CMS requirements will offer a better experience for patients and providers. The sooner you start, the better you can position yourself as a leader in satisfaction and provider engagement.
Takeaways
The final rule continues CMS’s efforts to break down data silos, improve care coordination, and reduce provider/patient burden. Under CMS-0057-F, insurers must modernize their electronic data exchange and prior authorization processes, accelerate decision timelines, and heighten transparency.
Here’s what the new Interoperability and Prior Authorization Final Rule timeline looks like:
- Immediate priority (2025): audit your current processes. Prepare for the changes to turnaround times, public reporting, and denial notifications according to the CMS Prior Authorization Rules. Start educating providers and members. Select the vendor to implement the required APIs.
- Mid-term focus (2026): start early. Build or upgrade interoperable FHIR APIs for patients, providers, and payor-to-payor data exchange. Provide CMS with aggregated, de-identified data on patient API usage.
- Long-term goals: prepare for a future where real-time data sharing is the norm.
Collectively, these changes aim to reduce administrative overhead, bolster patient-centered care, and foster a more interoperable, data-driven ecosystem.
For many payors, adopting FHIR-based APIs will require cooperation with third-party vendors and API developers. MindK has been building custom solutions and APIs for the healthcare industry since 2009. If you want to prepare for this data-driven future, don’t hesitate to contact us for a free non-binding consultation with MindK experts.