CMS-0057-F
The 2024 CMS Interoperability and Prior Authorization final rule was released by CMS on January 17, 2024 and published in the Federal Register on February 8, 2024 (89 FR 8758). It builds on CMS-9115-F by mandating three new FHIR APIs, extending Patient Access with prior-authorization data, and introducing prior-authorization decision-time SLAs and metric reporting.
APIs in scope
| API | Payerbox doc |
|---|---|
| Patient Access (prior-auth data addition) | Patient Access |
| Provider Access | Provider Access |
| Payer-to-Payer | Payer-to-Payer |
| Prior Authorization API (PAS) | PAS |
Compliance timeline
| Requirement | Effective date |
|---|---|
| Prior-authorization decision timeframes (7-day standard / 72-hour expedited) | January 1, 2026 |
| Specific denial-reason notifications | January 1, 2026 |
| First public prior-auth metrics report (covering CY 2025) | March 31, 2026 |
| Patient Access, Provider Access, Payer-to-Payer, Prior Authorization APIs in production | January 1, 2027 |
For Medicaid managed care plans and CHIP managed care entities, the API deadlines apply to the rating period beginning on or after January 1, 2027. For QHP issuers on the FFE, they apply to the first plan year beginning on or after January 1, 2027.
Patient Access — prior-authorization data extension
Adds prior-authorization request status and decision data to the data set already returned by the Patient Access API under CMS-9115-F. Excludes drug prior authorizations.
| Property | Value |
|---|---|
| Compliance date | January 1, 2027 |
| Update SLA | No later than one business day after the payer receives the prior-auth event |
| Retention | PA data must remain accessible through the API for at least one year after the last status change |
| Data classes | ExplanationOfBenefit (PDex Prior Authorization profile, use=preauthorization) |
CFR sections amended are the same as the original Patient Access citations.
Provider Access API
System-to-system FHIR API that lets an in-network provider with a treatment relationship to a payer's member pull that member's clinical, claims, encounter, and prior-authorization data in bulk. Member opt-out applies.
| Property | Value |
|---|---|
| Compliance date | January 1, 2027 |
| Response time | Within one business day of an authenticated request |
| Authentication | SMART Backend Services (asymmetric JWT) |
| Consent model | Opt-out (member-driven; payer-wide, not per-provider) |
| Member-education requirement | Plain-language opt-out materials on the payer's public website |
Citations
| Payer type | CFR section |
|---|---|
| Medicare Advantage | 42 CFR 422.121 |
| Medicaid FFS | 42 CFR 431.61 |
| Medicaid MCO | 42 CFR 438.242 |
| CHIP FFS | 42 CFR 457.731 |
| CHIP MCO | 42 CFR 457.1233 |
| QHP on FFE | 45 CFR 156.222 |
Payer-to-Payer API
System-to-system FHIR API a member's new payer uses to pull the member's clinical, claims, encounter, and prior-authorization data from a former or concurrent impacted payer. Member opt-in applies.
| Property | Value |
|---|---|
| Compliance date | January 1, 2027 |
| Request timeline | New payer requests data within one week of identifying the previous or concurrent payer |
| Response time | Within one business day of an authenticated request |
| Authentication | SMART Backend Services |
| Consent model | Opt-in (one-time member authorization to enable payer-to-payer data exchange, revocable at any time) |
| Data window | Date-of-service within five years of the request, with the January 1, 2016 floor from the original rule |
Only impacted payers are required to participate. If a member's previous or concurrent coverage was with a non-impacted payer, that payer is not obligated to send data.
Citations
| Payer type | CFR section |
|---|---|
| Medicare Advantage | 42 CFR 422.121 |
| Medicaid FFS | 42 CFR 431.61 |
| Medicaid MCO | 42 CFR 438.242 |
| CHIP FFS | 42 CFR 457.731 |
| CHIP MCO | 42 CFR 457.1233 |
| QHP on FFE | 45 CFR 156.222 |
Prior Authorization API (PAS)
FHIR API a provider uses to (a) query whether prior authorization is required for an item or service, (b) discover the payer's documentation requirements, and (c) submit and receive prior-auth requests and decisions. Excludes drugs.
| Property | Value |
|---|---|
| API compliance date | January 1, 2027 |
| Decision SLA — standard | 7 calendar days |
| Decision SLA — expedited (urgent) | 72 hours |
| Specific denial-reason notification | Required regardless of submission channel |
| Authentication | SMART Backend Services |
The 7-day / 72-hour timeframes and denial-reason rules took effect January 1, 2026, ahead of the API itself.
Citations (PAS API itself)
| Payer type | CFR section |
|---|---|
| Medicare Advantage | 42 CFR 422.122 |
| Medicaid FFS | 42 CFR 431.80 |
| Medicaid MCO | 42 CFR 438.242 |
| CHIP FFS | 42 CFR 457.732 |
| CHIP MCO | 42 CFR 457.1233 |
| QHP on FFE | 45 CFR 156.223 |
The 7-day / 72-hour decision timeframes live in separate operational sections: 42 CFR 422.568, 422.570, 422.631 (MA); 42 CFR 438.210 (Medicaid MCO); 42 CFR 440.230 (Medicaid FFS services); 42 CFR 457.495 and 457.1230 (CHIP).
Reporting
CMS-0057-F requires impacted payers to publish annual prior-authorization metrics on their public website by March 31 each year, covering the prior calendar year. First report due March 31, 2026 (covering CY 2025). See Reporting.