CMS Proposes Sweeping Expansion of Health Care Interoperability and Prior Authorization Requirements

April 21, 2026

CMS Proposes Sweeping Expansion of Health Care Interoperability and Prior Authorization Requirements.

Samuel Dennis Mkrtchian King & Spalding + Follow Contact LinkedIn Facebook X ;) Embed

On April 10, 2026 (and officially published in the Federal Register on April 14, 2026), CMS published a proposed rule that would expand electronic prior authorization requirements, modernize HIPAA transaction standards, and strengthen Open Payments program enforcement. The proposed rule builds on the 2024 CMS Interoperability and Prior Authorization final rule and affects a broad range of regulated entities, including Medicare Advantage (MA) organizations, state Medicaid and Children's Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid and CHIP managed care plans and entities, and qualified health plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs).

CMS’s proposed rule would require health insurers participating in federal programs to make electronic prior authorization available for prescription drugs, require those insurers to make prior authorization decisions within shorter timeframes, and replace existing technology standards with updated standards designed to enable faster processing of prior authorization requests. The following summarizes the major proposals and technical requirements set forth in the proposed rule.

• Electronic Prior Authorization for Drugs. CMS proposes to require impacted payers to support electronic prior authorization for all drugs that require prior authorization, using two separate sets of standards depending on whether the drug is covered under a medical benefit or a pharmacy benefit. For drugs covered under a medical benefit, impacted payers would be required to incorporate coverage and documentation requirements into their existing prior authorization application programming interface (API), which uses Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) based standards. For drugs covered under a pharmacy benefit, state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs would be required to support the National Council for Prescription Drug Programs (NCPDP) SCRIPT, Formulary & Benefit, and Real-Time Prescription Benefit standards. MA organizations are excluded from the pharmacy benefit drug requirements because Medicare Part D already uses these NCPDP standards. CMS proposes an October 1, 2027 compliance date for both sets of requirements.
• Shortened Prior Authorization Decision Timeframes. CMS proposes to shorten the timeframes within which QHP issuers on the FFEs must make prior authorization decisions. For non-drug items and services, QHP issuers on the FFEs would be required to send notice of their decision for standard prior authorization requests no later than 7 calendar days and for expedited requests no later than 72 hours. These timeframes generally align with those finalized for other impacted payers in the 2024 CMS Interoperability and Prior Authorization final rule. For drugs, CMS proposes to require QHP issuers on the FFEs to provide notice of their prior authorization decision no later than 72 hours for standard requests and no later than 24 hours for expedited requests. CMS also proposes that state CHIP FFS programs must make prior authorization decisions for prescription drugs for which the state receives federal financial participation no later than 24 hours, replacing current requirements that cover both drugs and non-drug items and services. CMS proposes an October 1, 2027 compliance date for these requirements.
• Expansion to Small Group Market QHP Issuers on FF-SHOPs. CMS proposes to extend all existing and newly proposed interoperability and prior authorization requirements to issuers offering small group market QHPs on the Federally-facilitated Small Business Health Options Program (FF-SHOP) Exchanges. Previously, these requirements applied only to individual market QHP issuers on the FFEs. Small group market QHP issuers would be required to implement and maintain the Patient Access, Provider Access, Payer-to-Payer, and Prior Authorization APIs, as well as comply with prior authorization decision timeframe and electronic prior authorization for drugs requirements. CMS proposes compliance dates of October 1, 2027 for requirements that newly apply to both small group and individual market QHP issuers, and compliance dates beginning in 2028 for proposals related to reporting API usage metrics and publicly reporting prior authorization metrics for drugs.
• Reporting of Payer API Endpoints. CMS proposes to require impacted payers to report their API endpoints for each required API to CMS for publication in a centralized directory. An API endpoint is the specific web address through which electronic systems connect and exchange data, and in this context, the digital location where providers can submit prior authorization requests or request patient data from a payer's system. CMS states that a centralized directory would be necessary to unlock the full potential of its electronic data exchange policies and reduce administrative burden. New impacted payers would be required to report this information no later than 60 days before they begin covering patients. Payers must update reported information within one week of any changes and verify it at least once every 12 months. CMS also proposes that impacted payers report associated supporting documentation, such as URLs to authorization and authentication protocols, implementation details, and API registration information.
• Updates to APIs and API Usage Metrics. CMS proposes updates to the Patient Access, Provider Directory, Provider Access, and Payer-to-Payer APIs, including requiring impacted payers to add information about prior authorizations for drugs to the Patient Access and Provider Access APIs, with a proposed compliance date of October 1, 2027. CMS also proposes new prior authorization metrics, including metrics on denials, approvals following extensions, and appeals for both drug and non-drug prior authorizations. Impacted payers would be required to publicly post these metrics beginning in 2028 for data from the 2027 reporting period. Additionally, CMS proposes to adjust Patient Access API usage metrics reporting deadlines: Medicaid managed care plans and CHIP managed care entities would report to the state no later than 90 days after the end of each rating period, and QHP issuers on the FFEs would report to CMS in the form and manner and within the timeframes specified by the Secretary, aligned with the QHP certification process.
• Open Payments Civil Monetary Penalties for Audit Non-Compliance. CMS proposes to create a new definition of “failure to report” under the Open Payments program that includes a reporting entity's failure to provide documents requested by CMS during an audit within 30 calendar days of the date of the audit request. CMS states that this proposal is a direct response to entities refusing to comply with audit requests, which CMS characterizes as thwarting its oversight efforts. Each document requested but not provided within the specified timeframe would constitute a separate violation subject to civil monetary penalties (CMPs). CMS uses the median per-record knowing “failure to report” CMP amount of approximately $77,371 to calculate anticipated penalties for non-compliant entities.
• FHIR Adopted as HIPAA Standard for Prior Authorization. HHS proposes to replace the existing X12N 278 transaction standard with FHIR-based standards for prior authorization-related transactions. This would mark the first time that FHIR standards have been adopted as a HIPAA standard. HHS also proposes to adopt the Da Vinci Clinical Data Exchange (“CDex”) Implementation Guide as the HIPAA standard for attachments to prior authorization transactions. The proposed compliance date is 24 months after the effective date of a final rule for most HIPAA covered entities, and 36 months for small health plans. During the transition period, HHS anticipates that HIPAA covered entities, as agreed to by trading partners, could use either the existing X12N standards or the new FHIR standards, consistent with HHS's previously announced enforcement discretion.
• ONC Standards Updates. On behalf of HHS, the Office of the National Coordinator for Health Information Technology (ONC) proposes to adopt updated versions of certain health IT standards and specifications, including updated versions of FHIR Implementation Guides supporting the Prior Authorization, Coverage Requirements Discovery, Documentation Templates and Rules, and Clinical Data Exchange functions. ONC also proposes adding expiration dates to currently adopted standard versions to facilitate the transition to updated versions. The full text of the proposed rule is available here. Interested parties may submit comments on the proposed rule within 60 days of its publication in the Federal Register.

;) ;) Report

Related Posts

• FTC Announces Final Rule Sweeping Consumer Digital Health Tech Under the Health Breach Notification Rule
• A Pandemic Silver Lining: FDA’s New Guidance on Using Digital Health Technologies for Clinical Investigations
• FDA Tackles Digital Health Software Devices with New Pre-Certification Review Plan

Latest Posts

• CMS Proposes Sweeping Expansion of Health Care Interoperability and Prior Authorization Requirements.
• FDA Reminds Sponsors and Researchers to Disclose Clinical Trial Results to ClinicalTrials.gov See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
King & Spalding

Written by:

King & Spalding Contact + Follow Samuel Dennis Mkrtchian + Follow more less

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

APIs + Follow Centers for Medicare & Medicaid Services (CMS) + Follow Children's Health Insurance Program (CHIP) + Follow Digital Health + Follow Health Insurance Exchanges + Follow Health Insurance Portability and Accountability Act (HIPAA) + Follow Medicaid + Follow Medicare Advantage + Follow Prior Authorization + Follow Regulatory Requirements + Follow Health + Follow Insurance + Follow Science, Computers & Technology + Follow more less

King & Spalding on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in ** By using the service, you signify your acceptance of JD Supra's Privacy Policy.* - hide - hide