In this episode, we break down the new CMS-0057-F Final Rule and what it means for Medicare Advantage plans. From faster prior authorization decisions to mandatory FHIR-based APIs, we cover the biggest changes, the 2026–2027 compliance deadlines, and the operational and technical steps plans need to take. Whether you're on the product, compliance, or engineering team, this is your guide to understanding what’s coming—and how to stay ahead of it.
%20(1).png)
CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) – finalized on January 17, 2024 – introduces significant new requirements for MA organizations. This rule aims to improve health information exchange and streamline prior authorization, building on CMS’s 2020 interoperability rulecms.govcms.gov. MA plans (along with Medicaid, CHIP, and exchange issuers) must implement FHIR-based APIs and meet new prior authorization standards to reduce patient and provider burdencms.govcms.gov. Below is a structured overview of key changes, timelines, system requirements, and compliance implications for MA plans.
Faster Turnaround Times: Beginning in 2026, MA plans must adjudicate prior authorizations much faster. The rule requires decision responses within 72 hours for expedited (urgent) requests and within 7 calendar days for standard (non-urgent) requestscms.gov. (Previously, MA organizations had up to 14 days for standard requests, so the new 7-day limit is roughly half the old timeframecms.gov.) These deadlines apply regardless of submission method (API, fax, phone, etc.) and are intended to ensure timely care – “when a doctor says a patient needs a procedure, it is essential that it happens in a timely manner”cms.gov.
Denial Rationales: Starting in 2026, every PA denial must include a specific reason for the decisioncms.gov. Plans must provide clear, detailed explanations for any refusal, whether the request came via portal, fax, email, mail, or phonecms.gov. This requirement (which excludes Part D drug authorizationscms.gov) improves transparency and helps providers/patients understand what’s needed for approval if they choose to resubmit or appealcms.gov. MA plans are already subject to issuing written denial notices under existing rules; the new policy reinforces that a “sufficiently specific” reason must be communicated for each denialaahd.usaahd.us.
Electronic Prior Authorization (ePA): The rule mandates a move toward fully electronic prior auth processes. By January 1, 2027, MA organizations must implement a FHIR-based Prior Authorization API that supports end-to-end electronic PA transactionscms.gov. Through this API, providers will be able to: check if an item/service requires authorization, retrieve the payer’s documentation requirements, submit PA requests electronically, and receive responses and status updates in real-timecms.govmindk.com. The API must return the outcome (approved, denied with reason, or request for more information) along with any applicable timeframe for an approval’s validitycms.gov. This ePA capability is expected to streamline workflows and prevent avoidable delays in carecms.gov. To encourage adoption, HHS is exercising enforcement discretion on the HIPAA-mandated X12 278 transaction – meaning if a plan uses the FHIR PA API, they will not be penalized for not also using the X12 278 formatcms.govcms.gov. (Plans may implement FHIR alone, or FHIR alongside X12, under this flexibilitycms.gov.)
Public Transparency of PA Outcomes: CMS-0057-F introduces new transparency obligations. MA plans must publicly report prior authorization metrics annually by posting them on their websitecms.gov. At a minimum, plans must disclose aggregate statistics such as: the list of all services/items that require PA, approval and denial rates for standard and expedited requests, approvals after appeal, the percentage of requests that received extensions, and the average and median turnaround times for decisions (for both standard and expedited requests)aahd.usaahd.us. These data must be reported at the contract level for MA and updated by March 31 each year (with the first report due by March 31, 2026)cms.gov. Publicly posting these metrics allows beneficiaries and providers to compare how plans perform on prior auth and holds plans accountable for timely, appropriate utilization managementcms.govaahd.us.
(Note: The prior authorization provisions of this rule apply to medical services/items. Prior auth for Part D prescription drugs is excluded from the above requirements, unless a plan voluntarily includes drugs in its API data.)cms.gov
A cornerstone of CMS-0057-F is the requirement for MA payers to enhance and expand digital data sharing via standardized APIs. By January 1, 2027, four APIs must be implemented and maintained by MA organizations to enable seamless exchange of data among patients, providers, and other payerscms.govcms.gov:
Patient Access API (Enhanced): MA plans have already implemented a Patient Access API under the 2020 CMS rule, allowing members to retrieve claims and certain clinical data. The new rule expands the Patient Access API to include prior authorization information (excluding drug PAs) by 2027cms.gov. This means patients will be able to see their pending and active prior authorizations and related information through any third-party app of their choice, giving them greater insight into how coverage decisions affect their carecms.gov. In addition, CMS will begin collecting data on how these APIs are used: starting January 1, 2026, MA plans must report annual Patient Access API usage metrics to CMS (e.g. number of unique patients using the API)cms.gov.
Provider Access API (New): To improve care coordination, MA organizations must implement a Provider Access API that lets in-network providers retrieve patient data (with patient permission) at the point of carecms.gov. Through this API, a treating provider can query the MA plan’s records for a patient’s recent claims and encounters (excluding payment info), relevant clinical data defined in the USCDI v1 dataset (e.g. problem lists, meds, lab results), and prior authorization history for that patientcms.gov. This is intended to support value-based care and give providers a more complete picture of the patient’s history. Plans are required to establish an “attribution” mechanism to identify which patients are under the care of which providers (e.g. PCP assignments or treatment relationships) and only allow data sharing in those casescms.gov. Importantly, patients must be given an opt-out choice – an MA plan must inform members in plain language about the benefits of sharing their data with providers and allow them to decline sharing if they wishcms.gov. The Provider Access API (along with patient education and opt-out processes) must be live by January 1, 2027cms.gov.
Payer-to-Payer API (New): To promote continuity of care when beneficiaries move between plans, MA organizations must support a Payer-to-Payer data exchange API by 2027cms.govcms.gov. When an MA enrollee switches to a new health plan (or has concurrent coverage with another payer), this API allows the transfer of up to 5 years of the patient’s data to the new plan upon the patient’s requestcms.gov. The data to be exchanged includes prior claim/encounter data (excluding financial info like cost-sharing), the patient’s clinical data (USCDI elements), and prior authorization recordscms.gov. This ensures that a new insurer can quickly access the enrollee’s history and active authorizations, reducing the need for duplicative tests or restarting authorizations. The payout is patient-mediated: the sending payer can only share data if the patient opts in (gives permission) for the exchangecms.gov. MA plans must provide clear educational resources to members explaining this opt-in process and its benefitscms.gov.
Prior Authorization Support API (New ePA API): As noted above, MA plans must implement a Prior Authorization API to facilitate electronic prior auth transactions by January 2027cms.gov. This API must be populated with the plan’s list of services/items that require prior auth and the specific documentation requirements for each (e.g. required clinical criteria or forms)cms.govmindk.com. Providers will use it to electronically submit PA requests with supporting documentation and receive responses. The API must automatically communicate the outcome: approve (with details on duration/expiry of the authorization), deny (with a detailed denial reason), or request additional information from the providercms.gov. By digitizing the PA workflow, this aims to reduce phone/fax burden and speed up decisions. Medicare FFS has piloted a similar FHIR-based PA system, and CMS expects MA plans to realize similar efficiencies with this requirementcms.gov. (Again, drug prior auths under Part D are excluded from the mandate to use this APIcms.gov.)
Standards and Data Formats: All the above APIs must conform to HL7 FHIR® Release 4.0.1 standards and relevant implementation guides. The rule specifies use of the United States Core Data for Interoperability (USCDI) v1 as the baseline data set for clinical data, and requires compliance with technical specs such as the HL7 FHIR US Core Implementation Guide 3.1.1, the HL7 SMART on FHIR OAuth2 framework, FHIR Bulk Data Access (for exchanging large data sets, as in payer-to-payer transfers), and OpenID Connect for secure authenticationcms.gov. These standards ensure that the APIs are secure and interoperable across all payers and providers. MA plans will likely need to adopt or upgrade to vendor solutions that support these FHIR standards for exposing claims and clinical data.
(Note: CMS has staggered these API requirements to give payers additional time. Originally proposed for 2026, the final rule pushed most API compliance deadlines to January 1, 2027 after considering public commentscms.govcms.gov.)
CMS-0057-F has two main phases for MA plan compliance:
By January 1, 2026 – Operational PA Reforms Begin: Most prior authorization process improvements take effect at the start of 2026. As of Jan 1, 2026, MA organizations must be adhering to the new PA decision timeframes and denial reasoning requirementscms.govcms.gov. This means all standard PA requests received on or after that date should be decided within 7 days (or 72 hours if expedited). Also by 2026, plans need to have updated their communications so that any PA denial issued provides a specific explanationcms.gov. Public reporting of PA metrics also starts in 2026 – impacted payers need to collect 2025 data (or initial data) and publish the first set of required prior authorization metrics by March 31, 2026cms.gov. Additionally, reporting to CMS on Patient Access API usage will commence: beginning in 2026, plans must annually submit data to CMS on how their enrollees are using (or not using) the Patient Access APIcms.gov. In summary, 2025 should be used to prepare internal processes and data collection so that by the first quarter of 2026, the plan is meeting the new PA rules and able to report the necessary statistics.
By January 1, 2027 – API Technology in Production: An additional year is given for the interoperability tech deployments. By Jan 1, 2027, all impacted MA plans must have the required APIs up and running (Patient Access API augmented with PA data, Provider Access API, Payer-to-Payer API, and the Prior Auth support API)cms.govcms.gov. This deadline aligns with the 2027 plan year and reflects a one-year extension from the original proposal (CMS moved it to 2027 to accommodate implementation challengescms.gov). Different payer types have slight variations in compliance dates (for example, state Medicaid agencies can request an extension, and QHP issuers on federal Exchanges may apply for hardship exceptions)mindk.com. However, for MA organizations no special extensions are anticipated – January 2027 is the firm date for having all interoperability and prior auth APIs in place. Leading up to this, CMS expects plans to be building and testing these systems throughout 2025-2026.
(Additional context: The rule explicitly excludes QHP issuers on the federal Exchanges from the PA turnaround mandate (72h/7d) due to those plans operating under different conditionscms.gov. But MA plans are subject to that mandate. Also, note that separate from this rule, CMS’s Contract Year 2024 MA rule introduced other PA-related requirements (like continuity of care for active authorizations when patients switch MA plans)aahd.us. Compliance teams should integrate both sets of changes into their 2024-2026 planning.)
To comply with CMS-0057-F, MA organizations will need to undertake both IT system upgrades and operational process changes.
IT Systems and APIs: Plans must invest in their technology infrastructure to support the secure HL7 FHIR APIs mandated by the rule. This likely involves working with health IT developers or internal engineering teams to build out new interfacesmindk.com. Key technical tasks include:
Deploying FHIR servers and API endpoints that can serve the required data (claims, encounter, clinical, PA data) in the correct formats. This means mapping internal data to FHIR resources (e.g., Coverage, Claim, Encounter, Patient, ProcedureRequest/PA request resources) according to the specified implementation guides.
Implementing identity and consent management capabilities. For example, the Provider Access API will require a system to attribute patients to authorized providers and enforce patients’ opt-out preferencescms.gov. The Payer-to-Payer API needs a way to capture a member’s opt-in consent and authenticate requests from the new payer. All APIs must use OAuth 2.0/OpenID Connect standards for securitycms.gov, so plans will need to ensure they have a robust authorization server and protocols for third-party app access.
Integrating data sources: MA payers will need to aggregate data from siloed systems – claims adjudication systems, care management systems, and possibly external clinical data sources – into one interoperable data layermindk.com. For instance, to populate USCDI clinical data via API, the plan might consume Admission/Discharge/Transfer (ADT) feeds or Continuity of Care Documents from providers, or use data acquired through risk adjustment submissions. Ensuring that this data is available and up-to-date in the API will be a new challenge.
Testing and compliance with standards: The rule references specific versions of standards (FHIR R4, US Core IG v3.1.1, etc.), so IT teams must ensure their implementation adheres to these. Conformance testing with reference implementations or participation in interoperability “connectathons” may be necessary to validate that, for example, another payer can successfully query the Payer-to-Payer API or a provider’s EHR can connect to the Prior Auth API.
Vendor coordination: Many MA plans rely on third-party vendors or platform solutions for interoperability (for instance, existing Patient Access API solutions through HIT vendors). Plans will need to coordinate with such vendors to upgrade functionality (e.g., adding PA data to patient API, or deploying the new provider and PA APIs). Contracting and development for these enhancements should begin well in advance of 2027.
Operational Processes and Training: Alongside technical changes, MA organizations must update their business processes and train staff to meet the rule’s requirements:
Utilization Management Workflow: Plans will have to adjust internal PA workflows to guarantee the new turnaround times are met. This may involve automating certain review steps, adding clinical staff to process requests faster, or using decision-support tools to quickly approve requests that meet criteria. Plans should implement internal monitoring so that if a PA request is nearing its deadline, it is escalated. (Under MA rules, failing to issue a timely decision is treated as an adverse determination that the patient can appealaahd.us, so compliance is critical.)
Denial Notices and Communications: MA compliance teams must revise template language for PA denial letters (and electronic responses) to ensure a clear “specific reason for denial” is includedcms.gov. Staff (or automated systems) generating these responses will need training on including relevant details, such as citing the medical necessity criteria or missing info that led to denialaahd.usaahd.us. This change should be operational by 2026, across all channels (written notice, provider portals, etc.).
Data Reporting & Analytics: To fulfill the metric reporting requirements, plans need to establish processes to track each prior auth request and outcome. This means capturing data like timestamps (to compute decision turnaround time), whether an extension was taken, final decision (approved/denied), and if denied, whether it was overturned on appeal. Plans should set up an analytics pipeline to aggregate these stats annually and publish them publicly. Similarly, tracking Patient Access API usage requires instrumentation in the API platform (e.g., counting unique patient API tokens used, etc.) and a process to submit these numbers to CMS. Compliance teams will need to coordinate with IT and data analytics departments to produce these reports accurately and on time.
Member and Provider Outreach: The new interoperability features will only achieve their purpose if used. Plans should develop educational materials for members and network providers about the changescms.govcms.gov. For example, members will need to know that they can use third-party apps to access their data (and now see PA information), that their doctors may be able to pull in their records electronically (and that they can opt out of sharing if concerned), and that when they switch plans they can ask for their data to transfer. Providers will need training on how to initiate electronic PAs via their EHR or portal and how to query the plan’s API for patient data. Provider relations teams might work with EHR vendors (through the HL7 Da Vinci network, for instance) to integrate the plan’s PA API into the providers’ systems. Early communication in 2025–2026 can ensure a smoother rollout by 2027.
Policy Updates and Documentation: MA plans should update internal policies and manuals to reflect these requirements (for instance, updating the UM program description to note the 7-day/72-hr decision rule and the provision of denial reasons). They should also update their public-facing documents or websites to list all services requiring prior auth (the rule doesn’t explicitly mandate a static list on the website, but making this available via the PA API is requiredcms.gov, and many plans may choose to post a list online for transparency). Ensuring consistency between what the API exposes and what is in member/provider documentation is important.
In short, compliance will require a multidisciplinary effort: IT teams building the technical infrastructure, operations teams reengineering workflows, and compliance officers ensuring all regulatory boxes are checked. Plans that start these efforts early (e.g., in 2024 and 2025) will be better positioned to meet the deadlines and potentially even derive competitive advantage from improved servicesmindk.com.
CMS-0057-F places a strong emphasis on transparency and data sharing. MA plans will be subject to new reporting obligations:
Annual Public PA Metrics: As noted, by March 31 each year (starting 2026) plans must post certain aggregated prior authorization metrics on a publicly accessible websitecms.gov. For MA organizations, the data should be reported at the contract level (covering all plans under that contract)aahd.us. The required metrics include, at minimum: the list of items/services that require prior auth; the number and rate of standard PA requests approved, denied, and ultimately approved after appeal; the number and rate of expedited requests approved and denied; the share of requests that had extended review time; and the average and median processing times for standard and expedited requestsaahd.usaahd.us. CMS may provide a template or guidelines, but plans should be prepared to calculate these values from their 2025 data onward. Publishing this information allows beneficiaries, providers, and regulators to compare how different MA plans handle prior authorization, shining a light on any overly burdensome practicescms.gov.
Patient Access API Usage Reports to CMS: In addition to public reporting, MA plans must report Patient Access API usage data to CMS annually (this is a new requirement not present in the 2020 rule). Starting in 2026, plans will need to send metrics such as the number of unique patients who used the API, the number of data requests, etc., to CMS for program oversightcms.gov. This will help CMS gauge how effectively patients are using their data access rights. Plans may need to build logging and analytic functions into their API platforms in 2025 to gather these stats. While not public, these reports are mandatory and likely subject to audit.
Documentation Requirements via API: The rule requires plans to make documentation guidelines for PAs available electronically. Concretely, the Prior Auth API must convey what documentation or criteria are needed for each service (for example, if a certain clinical assessment or lab result is required)cms.gov. This effectively forces plans to clearly define their PA requirements and share them with providers upfront, reducing the back-and-forth. While this is fulfilled through the API, plans should also ensure their internal policy libraries and any provider manuals are up to date and aligned with the information in the API. In other words, providers should not be surprised by any “hidden” PA requirement – it needs to be documented and exposed.
Public Posting of Educational Resources: Another implicit documentation requirement is patient education around the new APIs. The rule mandates that plain-language explanations be provided to patients about how their data will be shared and their right to opt out or in for the Provider Access and Payer-to-Payer exchangescms.govcms.gov. MA plans will need to create these materials (e.g., web pages or mailed notices) and ensure they are easily accessible. While not a metric, failure to adequately inform patients could undermine the interoperability goals.
By increasing reporting and information-sharing, CMS is pushing MA plans toward greater accountability. Compliance teams should set a calendar reminder for these annual postings and submissions, and ensure the data is reviewed for accuracy (since it will be visible to the public and CMS). Inaccurate or misleading reporting could itself become a compliance issue.
CMS-0057-F does not stipulate brand-new penalties in the text of the rule; however, MA organizations remain subject to CMS’s existing enforcement framework for regulatory non-compliancemindk.com. Key points regarding compliance and potential risks include:
No “Automatic” Penalty for Late PA Decisions: Unlike some state laws that deem an authorization automatically approved if the insurer misses the deadline, CMS stopped short of imposing an auto-approval penalty in this rule. CMS “is not requiring that a payer automatically approve a PA request if they miss the required timeframe,” noting they did not believe that approach was practicalaahd.us. Instead, if an MA plan fails to meet the 7-day/72-hour decision timeframe, the existing MA rule applies: the lack of response is treated as a denial by default (failure to provide timely organization determination), which means the enrollee can appeal to the next levelaahd.us. In effect, the plan loses its chance to decide and must potentially defend the denial in an appeal. Chronic lateness could also draw scrutiny in CMS audits.
CMS Enforcement Tools: For Medicare Advantage specifically, CMS can leverage corrective action plans (CAPs), civil monetary penalties (CMPs), or even suspension of enrollment or other sanctions if a plan fails to meet regulatory requirements. The interoperability and PA rule will be enforced as part of CMS’s regular oversight of MA contractsmindk.com. For example, CMS could require a non-compliant MA organization to submit a CAP detailing how it will fix issues (such as inadequate API functionality or non-adherence to PA timeframes). In serious cases, monetary penalties could be imposed per violation, in line with existing Part C enforcement regulations. While the rule itself doesn’t set specific fines for, say, missing the 2027 API deadline, plans risk CMS compliance actions or contract sanctions if they do not implement the required APIs and processesmindk.com.
Monitoring and Complaint Mechanisms: CMS has signaled it will closely monitor implementation of this rulemindk.com. Beneficiaries, providers, and other stakeholders will have channels (e.g., 1-800-MEDICARE, or CMS complaint websites) to report if an MA plan is not providing the access or timeliness promised. For instance, if providers find that an MA plan’s Prior Auth API is not working or the plan is routinely taking longer than 7 days on standard requests, they can alert CMS. Such patterns could trigger audits or investigations. Additionally, since plans must publicly post their PA metrics, outliers (e.g., a plan with an unusually high denial rate or slow turnaround) will be evident and may invite reputational risk or further review.
Reputational and Market Risks: Beyond formal penalties, non-compliance carries business risks. MA plans compete on quality and member satisfaction. If a plan fails to meet these new standards, it could impact its Star Ratings or member retention indirectly. Slow prior authorizations and poor transparency can lead to member and provider dissatisfaction, which in turn could harm a plan’s reputation. Conversely, plans that excel in compliance may market their more “hassle-free” prior authorization process as a differentiator. Over the long term, CMS’s emphasis on data sharing suggests that plans not embracing interoperability could be left behind in value-based care initiatives.
In summary, while CMS-0057-F does not enumerate specific fines for each requirement, MA plans should treat these requirements as mandatory. CMS can enforce them using the full range of tools available under the MA program, from oversight and technical assistance up to monetary penalties and enrollment sanctions for willful or repeated failuresmindk.commindk.com. The safest course is proactive compliance – not only to avoid penalties but to improve care coordination and stay aligned with federal healthcare modernization efforts.
Prior Authorization Turnaround: Implement processes to issue PA decisions within 7 calendar days (standard requests) and 72 hours (expedited requests) by January 1, 2026cms.gov. (Ensure tracking so that any request exceeding these limits is treated as a denial and forwarded to appeals per MA rules.)
Denial Notices: Update templates and train staff so that every PA denial includes a specific reason for the decision (in plain language) starting in 2026cms.gov. This applies to all denial communications (letters, portal messages, etc., excluding Part D drug PAs).
Public PA Metrics Reporting: Establish a system to collect required prior auth data in 2025. Publish the first annual PA metrics report by March 31, 2026 on the plan’s websitecms.gov. Include all required metrics (e.g. PA volume, approval/denial rates, turnaround times) and update this data each year.
CMS API Usage Reporting: Instrument the Patient Access API platform to gather usage statistics. Submit Patient Access API usage metrics to CMS annually starting 2026 (per CMS guidance)cms.gov.
FHIR API Development: Plan, budget for, and implement the following APIs by Jan 1, 2027:
Patient Access API (v2): Include adjudicated prior authorization information in the existing patient API data setcms.gov.
Provider Access API: Enable in-network providers to retrieve patients’ claims, encounters, USCDI clinical data, and PA records via FHIR (with patient opt-out)cms.govcms.gov.
Payer-to-Payer API: Facilitate transfer of the last 5 years of data (claims, USCDI data, PA info) to other payers upon member request (patient opt-in required)cms.govcms.gov.
Prior Authorization Support API: Provide a FHIR-based electronic PA submission and response mechanism, including a comprehensive list of services requiring PA and documentation needscms.gov.
Standards Compliance: Verify that all APIs conform to HL7 FHIR R4 standards and incorporate required data fields. Use USCDI v1 for clinical data and implement recommended IGs (HL7 US Core, SMART on FHIR auth, Bulk Data, etc.)cms.gov. Ensure security protocols (OAuth2/OpenID Connect) are in place for patient and provider access.
Patient Consent and Education: Develop an opt-in/opt-out consent management process for data sharing. Provide patients with easy-to-understand notices about: how their data can be shared with providers (and how to opt out)cms.gov, and how it can move with them to a new insurer (opt-in)cms.gov. Prepare educational materials (FAQs, web content, call center scripts) to support these choices by 2026.
Internal Training: Train customer service, utilization management, and IT support staff on the new APIs and PA rules. Ensure teams know how to handle provider inquiries about the APIs, assist patients with accessing their data, and uphold the shorter PA timeframes and new denial reason policies.
Systems Integration Testing: Before 2027, test the new APIs with external partners. For example, work with some network providers to pilot the Prior Authorization API through their EHR, and test data exchange with a cooperating payer for the Payer-to-Payer API. Resolve any interoperability issues ahead of the compliance date.
Monitoring and Compliance Oversight: Set up ongoing oversight to monitor compliance (e.g. periodic audits of PA turnaround times, API uptime, data accuracy in API payloads, etc.). Be prepared to address any compliance gaps promptly via corrective action. Staying on top of these requirements will help avoid corrective action plans or penalties from CMSmindk.com and ensure a smooth experience for members and providers.
Sources:
Centers for Medicare & Medicaid Services (CMS), Interoperability and Prior Authorization Final Rule Fact Sheetcms.govcms.govcms.govcms.govcms.gov
CMS News Release, “CMS Finalizes Rule to Expand Access to Health Information and Improve the Prior Authorization Process”cms.govcms.gov
CMS Interoperability Regulations (CMS-0057-F) – Final Rule text and guidancecms.govcms.govcms.gov
MindK, CMS-0057-F: What It Means for Payors (analysis of enforcement and compliance)mindk.commindk.com
Powers Pyles Sutter & Verville PC, Summary of Advancing Interoperability and Improving PA Processes Final Rule (detailed rule breakdown)aahd.usaahd.usaahd.us
Learn how Case Health AI can help implement AI Agents into your organization.
