CMS-0057-F Final Rule | Interoperability & Prior Authorization Compliance Guide

What Is CMS-0057-F

A Landmark Rule for Health Plan Interoperability

CMS-0057-F establishes enforceable requirements for impacted payers to implement standards-based FHIR APIs, accelerate prior authorization decisions, and publicly report transparency metrics. It builds upon the 2020 CMS Interoperability and Patient Access final rule and represents the most significant federal push toward real-time health data exchange.

```

👤

Patient Access API

Requires payers to give patients access to claims, clinical data, and prior authorization information through FHIR-based third-party apps of their choice.

HL7 FHIR R4 →

🏥

Provider Access API

Enables in-network providers to retrieve adjudicated claims, encounter data, USCDI clinical data, and prior authorization details for their attributed patients.

New API →

🔄

Payer-to-Payer API

Mandates automated health data exchange when patients change payers, ensuring continuity of care with up to five years of historical data.

5-Year Lookback →

⚡

Prior Authorization API

Streamlines the PA process by enabling providers to electronically determine requirements, query documentation needs, and submit requests from within their EHR.

Da Vinci CRD/DTR/PAS →

```

Who Must Comply

Impacted Payers Under CMS-0057-F

The rule applies to a broad range of payer types across Medicare, Medicaid, CHIP, and the ACA marketplace. Stand-alone dental plans (SADPs) and FF-SHOP issuers are excluded.

Medicare Advantage Organizations

State Medicaid FFS Programs

Medicaid Managed Care Plans (MCOs, PIHPs, PAHPs)

State CHIP FFS Programs

CHIP Managed Care Entities

QHP Issuers on FFEs

Key Dates

Compliance Timeline

CMS finalized a phased compliance schedule. Prior authorization process improvements take effect in 2026, while API development requirements are due in 2027.

✓

January 1, 2026

Prior Authorization Process Requirements

Payers must provide specific denial reasons, respond within mandated timeframes (72 hours urgent / 7 calendar days standard), and publicly report prior authorization metrics. Patient Access API metrics reporting to CMS also begins.

!

January 1, 2027

API Development & Enhancement Deadline

All four FHIR-based APIs must be live: Patient Access API (with PA data), Provider Access API, Payer-to-Payer API, and Prior Authorization API. Applies to MA organizations and state Medicaid/CHIP FFS programs by this date; managed care plans and QHP issuers by rating/plan year beginning on or after this date.

▸

CY 2027 Performance Period

Electronic Prior Authorization Measures

New "Electronic Prior Authorization" measures under the MIPS Promoting Interoperability performance category and the Medicare Promoting Interoperability Program begin. Eligible clinicians, hospitals, and CAHs report a yes/no attestation.

Technical Standards

Required Interoperability Standards

CMS mandates specific HL7 FHIR standards codified at 45 CFR 170.215, aligned with the ONC HTI-1 final rule. Payers may voluntarily adopt newer versions ahead of regulatory updates.

Standard	Specification	Citation
HL7 FHIR	FHIR Release 4.0.1	`45 CFR 170.215(a)(1)`
US Core IG	HL7 FHIR US Core IG STU 3.1.1 (expires Jan 1, 2026)	`45 CFR 170.215(b)(1)(i)`
SMART App Launch	SMART Application Launch Framework IG 1.0.0 (expires Jan 1, 2026)	`45 CFR 170.215(c)(1)`
Bulk Data Access	FHIR Bulk Data Access (Flat FHIR) v1.0.0: STU 1	`45 CFR 170.215(d)(1)`
OpenID Connect	OpenID Connect Core 1.0 (errata set 1)	`45 CFR 170.215(e)(1)`
Content Standard	USCDI v1 (expires Jan 1, 2026) → USCDI v3	`45 CFR 170.213`

Frequently Asked Questions

CMS-0057-F FAQs

Does CMS-0057-F apply to prescription drug prior authorizations?

No. The prior authorization API and process requirements in this rule explicitly exclude drugs of any type — including self-administered, provider-administered, pharmacy-dispensed, and hospital-administered drugs. Prescription and other drug claims data are still shared through the Patient Access API, but the PA workflow provisions do not cover drug authorizations.

What are the mandated prior authorization response timeframes?

Impacted payers (except QHP issuers on the FFEs) must respond to urgent prior authorization requests within 72 hours and standard requests within 7 calendar days. Payers must also include a specific reason when denying a prior authorization request.

How much historical data must be exchanged via the Payer-to-Payer API?

Payers are required to exchange up to five years of patient data when a patient transitions between payers. This was modified from the proposed rule, which would have required the entire patient health record. Five years was deemed sufficient for care continuity and PA continuation.

Can payers request extensions or exemptions?

State Medicaid and CHIP FFS programs may request extensions to the compliance dates or exemptions from certain requirements in specific circumstances. QHP issuers on the FFEs have a separate exceptions process requiring annual CMS approval of a narrative justification. MA organizations do not have an extension pathway.

Does CMS-0057-F apply to Medicare Fee-for-Service?

The rule does not directly mandate Medicare FFS compliance. However, CMS has stated its intention for the Medicare FFS program to be a "market leader on data exchange" and comply with the rule's requirements by the same compliance dates. CMS solicited comments on applying these provisions to Medicare FFS and is considering them for future rulemaking.

Are State-based Exchanges (SBEs) affected?

No. The rule applies to QHP issuers on the Federally-facilitated Exchanges (FFEs). State-based Exchanges on the Federal Platform (SBE-FPs) and State-based Exchanges operating their own platforms (SBEs) are not subject to these requirements, though CMS encourages them to adopt similar policies voluntarily.

CMS-0057-F:
Advancing Interoperability & Prior Authorization