The Interoperability and Prior Authorization Final Rule requires health plan payers to implement four FHIR APIs, reform prior authorization timelines, and publicly report approval metrics. Here's what you need to know.
CMS estimates roughly 365 payer organizations are directly impacted. The rule applies to any organization that administers benefits under these federal programs.
All MA organizations offering Part C coverage must comply with API and prior authorization requirements.
Managed care plans under Medicaid and CHIP, including both FFS programs and managed care entities.
State CHIP FFS programs and CHIP managed care entities fall under the same compliance mandates.
Qualified Health Plan issuers on the Federally Facilitated Exchanges, excluding standalone dental and SHOP issuers.
CMS structured the rule with two major milestones: operational changes first, API mandates second. The clock is running.
CMS mandates four FHIR R4 APIs that together create a comprehensive interoperability framework. Each API must be live by January 1, 2027.
Enhanced from CMS-9115-F. Must now include prior authorization data (excluding drugs) — status, dates, approved items, and denial reasons — accessible via member-facing apps.
FHIR R4 · SMART on FHIR · Claims + PA Data
New API giving in-network providers access to their patients' claims, encounters, clinical data, and prior authorization information. Supports individual and bulk access.
FHIR R4 · Bulk FHIR · Provider Directory
Enables data exchange when members switch plans. Claims, encounters, and USCDI data with service dates within five years. Members must opt in; payers must provide educational resources.
FHIR R4 · USCDI · Opt-In Consent
Must publish covered items/services requiring PA, identify documentation requirements, and support electronic request/response workflows. CMS allows all-FHIR or FHIR+X12 278 under enforcement discretion.
FHIR R4 · Da Vinci PAS · X12 278 Optional
Beyond the APIs, CMS-0057-F introduces operational mandates that change how payers handle prior authorization day-to-day.
Urgent requests: 72 hours. Standard requests: 7 calendar days. CMS noted this represents a 50% improvement for some payers.
Every denial must include a clear, specific explanation — regardless of whether the request came via portal, fax, email, or phone. No more generic denials.
Payers must report and publicly publish prior authorization volume, approval rates, denial rates, and average turnaround times. Performance becomes visible to everyone.
HHS announced enforcement discretion allowing payers to use an all-FHIR prior auth workflow instead of the X12 278 standard — a significant flexibility for modern platforms.
Payers must track and report to CMS how many members actively use the Patient Access API and how frequently — ensuring adoption, not just availability.
Payers must develop and distribute educational resources to both members and providers about the new APIs, data exchange capabilities, and opt-in/opt-out processes.
Cloud Health Office is a vendor-neutral compliance layer that sits on top of your existing core admin system — QNXT, Facets, HealthEdge, Amisys — and delivers the FHIR APIs, X12 EDI, and prior authorization automation CMS-0057-F requires. No migration. No downtime.
Built by Aurelianware · Kubernetes-Native · HIPAA Compliant · BSL 1.1