Kaiser Family Foundation
February 21, 2023
By Kaye Pestaina , Justin Lo , Karen Pollitz , and Rayna Wallace
The Center for Medicare and Medicaid Services (CMS) has issued a proposed rule designed to address the administrative hassles of prior authorization by requiring certain payers to implement an automated process, meet shorter time frames for decision making, and improve transparency. The proposal applies to payer processes mainly in public programs, with more limited application to health insurance marketplaces and no requirements on employer-sponsored coverage. The proposal launches the government’s next step in addressing a longstanding goal to improve health care administration through “interoperable” systems based on the use of standardized protocols for payers and providers across federal health programs. As CMS seeks input on this proposal (as well as five separate requests for information and a separate proposal on prior authorization standards and coverage criteria for Medicare Advantage plans), we can expect that prior authorization and improved data sharing in health care will be front and center in upcoming policy discussions.
What is in the new prior authorization proposal and whom does it apply to?
Insurers use prior authorization to reduce payments for care that is not medically necessary or appropriate, which in turn helps to keep premiums down. However, prior authorization has come under increasing scrutiny for creating unnecessary burdens for providers, plans, and patients. Patients can find it challenging to know what services require prior authorization, the process and criteria plans use to make a prior authorization coverage decision, and whether providers are giving the needed information to a plan to determine coverage. Inefficient processes can delay decisions and consequently access to care, increasing health risks to patients. Improper denials may increase patient out-of-pocket costs or cause patients to abandon care. The process itself may have a chilling effect on individuals seeking out care and providers recommending it.
While some exceptions apply, CMS proposes to add new requirements for the prior authorization process and new timeframes for decision-making that apply to Medicare Advantage plans, Medicaid managed care plans, Medicaid fee-for-service (FFS) plans, Children’s Health Insurance Program (CHIP) managed care and fee-for-service arrangements, and Qualified Health Plans (QHP) on the federally facilitated health insurance marketplace (i.e., healthcare.gov). These payers (essentially insurers and, for Medicaid FFS, states) would have to meet new prior authorization rules that would apply to all items and services except prescription drugs. Most rules would not become effective until 2026. The major changes proposed include requiring these payers to:
Implement a standardized interface for prior authorization. CMS proposed to require affected payers to use a specific Application Programming Interface (API) to allow for more streamlined prior authorization processes. The specific API is called the “Fast Healthcare Interoperability Resources® (FHIR) Prior Authorization Requirements, Documentation, and Decision API” (or PARDD API). APIs generally are procedures that allow different software programs to communicate and share information. The PARDD API would be used to request and obtain information from plans and providers to automate the prior authorization process. Patients could also have access to this information about prior authorization requests and decisions.
Give information to providers about prior authorization status. Impacted payers would be required to send to the relevant provider information on whether a prior authorization request was approved, denied, or whether more information is needed. This information would have to include the specific reason for a denial. Currently some of the affected payers are only required to provide this information to the patient, but these rules would require all affected payers to notify the provider as well. For example, while current Medicaid managed care rules require provider notice, there are not equivalent rules for Medicare Advantage plans.
Provide shorter timeframes for making prior authorization decisions and notice of the decision to patients. Proposed rules would provide shorter timeframes for payers to make a prior authorization decision and provide notice to beneficiaries, aligning this timeframe across certain payers. For instance, timeframes for a standard prior authorization decision notice for Medicare Advantage plans and Medicaid managed care plans would shorten from 14 calendar days to 7 calendar days. No changes are proposed to equivalent timeframes for QHPs on the federal exchange (these would stay at 15 calendar days).
Publicly report specific prior authorization metrics annually. To provide more information about how prior authorization is used, impacted payers would be required to disclose annually on their website a list of all services requiring prior authorization and specific aggregated metrics. Metrics would include, among other items, the percentage of prior authorizations that were approved and denied, the percentage of prior authorization requests approved after appeal, and the average time for a prior authorization determination. The proposal does not require any specific format for the disclosure and none of the metrics call for specifics on the types of health care items and services approved and denied.
What other items are included in the proposal?
The proposal builds on earlier rulemaking, including a May 2020 final rule on interoperability and a now withdrawn interoperability regulation from December 2020. Generally, the proposal would require the information access rules described below to apply to Medicare Advantage plans, Medicaid managed care plans, Medicaid FFS plans, CHIP managed care and FFS arrangements, and Qualified Health Plans (QHP). In certain circumstances, state Medicaid and CHIP FFS programs and QHP issuers can apply for an exception from having to comply.
Patient information access. The May 2020 final rule required that certain payers allow patient electronic access to their own claims and encounter data (as well as some clinical data) through a standardized interface. This was designed to allow patients to share data with their providers and other payers via a health app. The new proposal adds requirements to include information about prior authorization and a requirement to annually report to CMS data about how patients use this Patient Access API.
Provider information access. To support care coordination, CMS proposes requiring affected payers to implement a standardized provider access interface. Providers could then obtain claims and encounter information about patients while they are enrolled in plans from the payer. The proposal also includes making available historic prior authorization decisions, which may reduce the likelihood of ordering duplicate or misaligned services and provide a more complete picture of a patient’s care. Payers must give patients the ability to opt out if they do not want their information exchanged via this interface.
Payer-to-payer data exchange. CMS proposes to change existing requirements that allow the exchange of certain patient information between different payers. In its new iteration, affected payers would be required to use a specific payer-to-payer data exchange standard. This would allow payers to exchange patient information including prior authorization decisions from a patient’s prior health insurer. This, for example, might reduce the burden when a patient must get a new prior authorization because they had to change health plans. The proposal does not include data sharing between payers of provider remittances and enrollee cost sharing, stating that this is “often considered proprietary” and would have limited impact on care. Also, instead of an opt out, the patient must affirmatively opt in to have their data exchanged between payers.
Five Requests for Information. Included in the proposal are five separate Requests for Information that request feedback on data information exchange:
- development of standards for exchange of data on social risk factors (social determinants of health such as housing and food security);
- use of APIs to facilitate electronic exchange of data for behavioral health services, a segment of health care that has lagged behind in electronic data exchange;
- electronic exchange of information in traditional Medicare with non-hospital providers (such as suppliers of durable medical equipment);
- improvement of prior authorization processes in maternal health across the care continuum, including the process for obtaining obstetric ultrasound and the use of a single authorization when a pregnant individual changes health plans; and
- methods to increase adoption of the Trusted Exchange Framework, a set of principles for guiding data exchange policies and practices.
What are some of the key policy issues?
CMS estimates that the proposed APIs and other changes will create administrative efficiencies that could save providers more than $15 billion over 10 years (2026 to 2035). The use of new technology to streamline processes could carry both benefits and burdens. Key issues to evaluate include:
- How will new electronic processes affect the patient experience in accessing care and information about cost and coverage? One policy issue implicated in these rules is whether reduced administrative burdens for providers means a better experience for patients. Are consumers able to take advantage of new technologies easily or will this create new action items that they will have to undertake on their own for the first time? Will patients without access to information through these proposed APIs be at a disadvantage under a new “modernized” prior authorization system? CMS does propose to require affected payers to provide educational materials to consumers about the new API functionality. Also, while the rules will require payers to allow consumers to use health apps to access their own information, there is no requirement to make these apps available. What incentive do payers and third-party developers have to offer these tools to consumers and encourage their use? Despite the potential for positive impact from automation through electronic processes, payers and providers have been slow to take up even the existing electronic data standard (ASC X12N 278) that might improve prior authorization processes.
- What are the risks to patients once more of their data is available electronically? As more patient data is accessible electronically via health apps, risks increase of security breaches, compromised confidentiality of health information, and inappropriate use of patient data for marketing. While payers are subject to HIPAA privacy protections, once information is in the hands of a third-party application developer, it may not have the same federal legal protections. Additionally, other federal rules prohibit providers and other entities from blocking consumer access to certain clinical information. There may be tension between the goal of broader access to information to improve care and patient knowledge of costs and coverage and the risk of inappropriate use for other purposes. These issues will likely be taken into consideration as HIPAA and other federal privacy protections are potentially revised and updated, and oversight of health apps by the Federal Trade Commission and the Food and Drug Administration moves forward.
- In addition to API technology, are there other ways to address administrative problems concerning prior authorization? Movement away from reliance on manual processes for prior authorization (phone, fax mail) will likely improve speed and coordination, but there may be additional ways to address prior authorization challenges. For example, the CMS proposal also seeks input on the use of “gold carding” designed to reduce the amount of prior authorization requests overall. Gold carding uses data about a provider’s record for compliance with prior authorization requests in the past and their patterns of utilization of specific services. Providers who meet threshold standards may be designated as gold card providers and exempt from some or all prior authorization requirements, resulting in the services they prescribe being subject to prior authorization less often.
- How useful is the structure of new transparency reporting to provide accessible and actionable information about prior authorization? One area to evaluate is whether standardized mechanisms and formats for reporting data are more useful for regulators and the public to assess how prior authorization is working across payers. Are there alternative disclosure mechanisms to this CMS proposal to require non-standardized information be placed on each insurer website? For example, it may be easier to compare the types of services subject to prior authorization by payer if payers provide the information in a standardized format and in a standard location on an insurer website or publicly posted by CMS, though this would be more prescriptive. Another issue is the level of aggregation of the data payers must report about prior authorization, and whether it is enough to make an objective assessment about whether the prior authorization process is a barrier to receipt of specific types of care. Similar questions apply for existing ACA transparency reporting, which indicates that for plans offered on HealthCare.gov, roughly 9% of these marketplace plan denials for in-network claims relate to prior-authorization or referrals but with no other detail explaining differences in denial rates for this reason among plans, or the nature of claims subject to such denials.
- What are the consequences of having API standards that do not apply to all payers? The promise of a more connected health system will likely require similar standards across plans, but the proposal does not reach the more than 150 million Americans in employer-sponsored coverage. While nothing prevents employers and issuers from adopting the same efficiencies and standards for employer coverage voluntarily, currently they can do this without a requirement to add consumer protections such as opt ins or opt outs for patients to control the disclosure of information or without requirements for patient education about how their data is used. Also, the proposal does not apply to traditional Medicare – which generally does not use prior authorization — but CMS has included in one of the new RFI’s questions about current and future use of APIs for this population to streamline the exchange of information for care coordination and other processes.
- To what extent are the coverage criteria used to make prior authorization decisions a barrier to receipt of medically necessary care, and what would be the cost implications of changing or regulating those criteria? This proposal does not address the criteria used by payers to make prior authorization determinations. These issues could prove to be just as important as efforts to improve the efficiency of the prior authorization process. CMS has proposed a Medicare Advantage regulation to address and change standards about the criteria used to make coverage decisions, including prior authorization. For example, CMS has proposed to clarify that Medicare Advantage plans must follow the same coverage guidelines that traditional Medicare uses to make medical necessity decisions. In addition, plans can only use internal or proprietary clinical criteria for medical necessity decisions if they are based on evidence-based guidelines made publicly available to CMS, enrollees, and providers. Any loosening of prior authorization criteria would increase access to care, but also potentially have cost and premium implications.
The Medicaid and CHIP Payment and Access Commission (MACPAC) recently started work on a new project examining denials and appeals in Medicaid managed care. In 2023, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) is expected to release findings from audits conducted to determine whether Medicaid managed care organizations were in compliance with federal requirements when issuing denials of requested care that required prior authorization.
A recent KFF analysis of Medicare Advantage plans shows how widely prior authorization is used. In 2021 alone, Medicare Advantage plans made 35 million requests for prior authorization. As the federal government starts to assess how prior authorization is used across a broader set of health insurance plans, we might see changes and broader oversight concerning this longstanding and common insurance practice.
Read More on Kaiser Family Foundation.