For the first time, payers must publicly post data on how often they deny prior authorization requests, how quickly they process them and how often denials are overturned on appeal. The first reports are due March 31 under a rule CMS finalized in 2024.
Five things to know:
1. CMS finalized the Interoperability and Prior Authorization Rule in January 2024, building on a 2020 interoperability rule that established the underlying data exchange framework. The regulations apply to Medicare Advantage plans, state Medicaid and CHIP fee-for-service programs, Medicaid managed care plans, CHIP managed care entities and carriers on the federal ACA exchange.
2. Payers must publish aggregated prior auth metrics on their public websites annually. The first set, covering calendar year 2025, is due March 31. The required metrics include approval rates, denial rates, decision turnaround times and appeals outcomes for medical items and services, with drugs excluded. MA plans report at the contract level, state Medicaid and CHIP programs report at the state level; and managed care plans and exchange plans report at the plan or carrier level.
3. Starting in 2026, most payers were required to begin issuing decisions on standard prior auth requests within seven calendar days and on urgent requests within 72 hours, down from a previous standard of up to 14 days. The timeline requirements apply to MA, Medicaid and CHIP plans, but not to ACA plans. When denying a request, payers must provide a specific reason and communicate that through portal, fax, email, mail or phone.
4. The public reporting mandate arrives after years of mounting frustration over prior auth from providers. The average medical practice completed 39 prior authorizations per physician per week in 2024, with physicians and staff spending about 13 hours weekly on paperwork, according to an AMA survey. In MA alone, insurers fully or partially denied 4.1 million prior auth requests, or 7.7% of the total, in 2024, according to KFF data. More than eight in ten appeals were ultimately overturned. In June 2025, roughly 50 insurers pledged voluntary commitments to streamline the process.
5. The rule’s API requirements take effect in 2027. At that point, payers must expand their existing patient access APIs to include prior auth data, launch a provider access API allowing in-network providers to retrieve patient claims and clinical data, stand up a payer-to-payer API to transfer records when patients switch plans, and implement a prior auth API that can receive and respond to requests electronically. Separately, the industry’s 2025 voluntary pledge calls for at least 80% of electronic prior auth approvals to be processed in real time by next year.
At the Becker's 5th Annual Fall Payer Issues Roundtable, taking place November 2–3 in Chicago, payer executives and healthcare leaders will come together to discuss value-based care, regulatory changes, cost management strategies and innovations shaping the future of payer-provider collaboration. Apply for complimentary registration now.
