On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) released the CMS-0057-F Final Rule, bringing major changes to how prior authorizations are handled and how health information is shared. This rule requires health plans to respond to prior authorization requests within specific timeframes, provide clear reasons for denials, publicly report certain metrics, and adopt standardized FHIR-based APIs to improve data exchange.
It applies to Medicare Advantage, Medicaid, CHIP, and Qualified Health Plans on the Federally Facilitated Exchanges. In simple terms, it pushes the healthcare system toward faster decisions, better transparency, and more connected technology.
What Is the CMS-0057-F Final Rule?
The CMS-0057-F final rule is formally titled the Interoperability and Prior Authorization Final Rule. CMS finalized it on January 17, 2024, and the regulations became effective on April 8, 2024.
Its primary goal is to enhance the electronic exchange of health information and streamline prior authorization across various healthcare programs, as outlined in the official Federal Register notice.
Who Does It Apply To?
The CMS-0057-F final rule applies to a broad set of impacted payers, including:
- Medicare Advantage (MA) organizations
- State Medicaid fee-for-service (FFS) programs
- State Children’s Health Insurance Program (CHIP) FFS programs
- Medicaid managed care plans
- CHIP managed care entities
- Qualified Health Plan (QHP) issuers on Federally-Facilitated Exchanges (FFEs)
In total, approximately 365 Medicare Advantage organizations, State Medicaid and CHIP FFS programs, managed care plans, and QHP issuers are legally obligated to comply.
Why CMS Created the CMS-0057-F Final Rule
Prior authorization has long been one of healthcare’s most frustrating pain points. In 2024, only 35% of health plans used fully electronic prior authorization processes. Providers most often submitted requests through payer portals, a process averaging 16 minutes per transaction. Complex requirements and slow turnaround times meant approvals could take days or even weeks, delaying patient care and burning out clinical staff.
CMS projects that the changes introduced through the CMS-0057-F final rule will save approximately $15 billion over ten years by reducing administrative inefficiencies and accelerating electronic processing.
The Prior Authorization Problem in Numbers
The scale of the prior authorization burden is staggering. The 2024 CAQH Index reported that prior authorization alone costs the healthcare system billions annually in administrative overhead. Providers have long demanded faster decisions, clearer denial reasons, and electronic workflows replacing faxes and phone calls.
The CMS-0057-F final rule is the federal government’s most comprehensive answer yet to those demands.
Two Critical Compliance Deadlines: 2026 and 2027
The CMS-0057-F final rule establishes a two-phase compliance timeline. Understanding the difference between the two milestones is essential for planning.
January 1, 2026: Operational Requirements Begin
The first major compliance milestone focuses on the prior authorization process itself. Starting January 1, 2026, impacted payers must:
- Respond to expedited prior authorization requests within 72 hours
- Respond to standard prior authorization requests within 7 calendar days
- Provide specific, detailed reasons for any denied prior authorization decision
- Begin reporting annual Patient Access API usage metrics to CMS
These response time requirements represent a 50% improvement for payers who previously operated under 14-day standard timelines. The denial transparency requirement is equally important; payers must now explain denials clearly, regardless of how the request was submitted: phone, fax, portal, or API.
Additionally, payers must publicly report prior authorization metrics beginning March 31, 2026, covering calendar year 2025. Required metrics include approval and denial rates, appeals outcomes, extended reviews, and average decision times.
January 1, 2027: Full API Implementation Required
The second milestone brings full technical compliance. By January 1, 2027, impacted payers must have implemented and made operational four FHIR-based APIs:
- Patient Access API: Expanded to include prior authorization information (excluding drugs), giving patients full visibility into their authorization history and current status
- Provider Access API: Allows in-network providers to retrieve claims, encounter data, USCDI data elements, and prior authorization details for patients they are treating
- Payer-to-Payer API: Enables data exchange between payers when a patient switches insurance plans, ensuring continuity of care and eliminating data silos
- Prior Authorization API: Lists covered items and services, outlines documentation requirements, and supports electronic submission and response, including approval dates, denial reasons, and requests for additional information
CMS initially planned these APIs for January 1, 2026, but extended the deadline to January 1, 2027, to give payers additional time for implementation, EHR vendor collaboration, and outreach.
CMS-0057-F Final Rule: Compliance Deadline Summary
| Requirement | Effective Date | Who Is Affected | Action Required |
|---|---|---|---|
| Expedited PA Decision: 72 hours | January 1, 2026 | MA, Medicaid, CHIP, QHP payers | Workflow redesign |
| Standard PA Decision: 7 calendar days | January 1, 2026 | MA, Medicaid, CHIP, QHP payers | Process acceleration |
| Specific denial reasons are required | January 1, 2026 | All impacted payers | Documentation update |
| Public PA metrics reporting | March 31, 2026 (covering 2025) | All impacted payers | Reporting system build |
| Patient Access API (expanded) | January 1, 2027 | All impacted payers | FHIR API development |
| Provider Access API | January 1, 2027 | All impacted payers | FHIR API development |
| Payer-to-Payer API | January 1, 2027 | All impacted payers | FHIR API development |
| Prior Authorization API | January 1, 2027 | All impacted payers | FHIR API development |
The Four FHIR APIs
The CMS-0057-F final rule builds on the 2020 CMS Interoperability and Patient Access Final Rule (CMS-9115-F). That earlier rule established the original Patient Access API. CMS-0057-F now expands that foundation significantly.
All four mandated APIs must adhere to USCDI Version 3 and HL7 FHIR Release 4.0.1 standards. Here is what each API accomplishes in practice.
1. Patient Access API (Expanded)
The Patient Access API was originally required under CMS-9115-F. The CMS-0057-F final rule now requires payers to add prior authorization information to the data accessible through this API.
This means patients can see the full picture of their care, including what was approved, what was denied, why it was denied, and what the approval dates were. The rule requires these records to be updated within 1 business day of any status change. Active prior authorizations must be included, as well as any that had a status change in the past year.
2. Provider Access API
This new API enables in-network providers to retrieve patient data for treatment purposes. It supports both individual and bulk access, allowing providers to pull claims data, encounter history, USCDI data elements, and prior authorization details.
The Provider Access API aligns with CMS’s broader shift to value-based care by streamlining data sharing between providers and payers. Patients must have the option to opt out, and they must be notified of this choice.
3. Payer-to-Payer API
When a patient switches insurance plans, due to a job change, open enrollment, or other life event, their prior authorization history has historically been lost. The Payer-to-Payer API solves this.
Payers must exchange patient data, including claims, encounter data, USCDI elements, and prior authorization details when a member moves between plans. This exchange happens at the member’s request, and members must receive educational materials about opting in.
4. Prior Authorization API
This is the centerpiece of the CMS-0057-F final rule’s technical requirements. The Prior Authorization API must support all of the following:
- Checking whether a specific item or service requires prior authorization
- Surfacing documentation requirements for a given authorization request
- Electronic submission of prior authorization requests
- Electronic responses, including approvals with dates, denials with reasons, and requests for more information
The ANSI X12 278 standard continues to be supported for back-end transmission, but FHIR standards are the focus going forward.
Impact on MIPS-Eligible Clinicians and Hospitals
The CMS-0057-F final rule extends beyond payers. It also introduces a new Electronic Prior Authorization measure for clinicians and hospitals reporting under federal quality programs.
New Electronic Prior Authorization MIPS Measure
CMS introduced a new measure under the Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS). This measure requires MIPS-eligible clinicians, eligible hospitals, and critical access hospitals to report a yes/no attestation on their use of electronic prior authorization processes.
This new measure takes effect starting with the calendar year 2027 performance period and EHR reporting period. It is designed to encourage providers to adopt the electronic workflows that payers are simultaneously being required to build.
What This Means for Healthcare Providers
While the CMS-0057-F final rule primarily targets payers, it creates significant ripple effects for providers. Practices and health systems need to prepare for new technology, new workflows, and new opportunities.
Accessing the Provider Access API
To take advantage of the Provider Access API, practices must be able to interact with payers’ new APIs. This requires technology upgrades, workflow adjustments, and staff training.
The payoff is significant: providers gain real-time access to patient data, including prior authorization history, reducing the back-and-forth that currently consumes hours of staff time every week.
Eliminating Manual Prior Authorization Workflows
The Prior Authorization API is designed to replace faxes and phone calls with electronic workflows. Practices that fully adopt it can check authorization requirements, submit requests, and receive decisions in minutes instead of days.
For revenue cycle teams, this is transformative. Fewer delays mean faster care delivery, less administrative burden, and fewer claim denials tied to authorization issues.
Improved Denial Management
One of the most immediate benefits of the CMS-0057-F final rule for providers is improved denial transparency. Starting January 1, 2026, payers must provide specific reasons for every denied prior authorization decision.
Clear denial reasons allow billing teams to resubmit or appeal faster and more effectively. They also surface patterns that can drive upstream process improvements.
Challenges and Risks of Non-Compliance
Meeting the requirements of the CMS-0057-F final rule is federally mandated for impacted payers. Non-compliance carries real consequences.
Regulatory Risk
Failure to meet CMS-0057-F deadlines may result in regulatory action, penalties, and reputational damage with state regulators. CMS’s enforcement posture on interoperability has strengthened significantly in recent years.
Operational and Technical Challenges
Implementing FHIR-based APIs is complex and costly, especially for smaller payers or providers lacking dedicated IT resources. Technical integration requires aligning claims systems, clinical data platforms, provider directories, and access control infrastructure.
Data privacy risks increase with expanded sharing. Organizations must implement robust consent management, identity verification, access logging, and revocation processes.
Exclusions to Be Aware Of
The CMS-0057-F final rule explicitly excludes drug prior authorizations from some provisions, including the Prior Authorization API and expanded Patient Access API requirements. This is an important gap for organizations managing pharmacy benefits.
How Providers Can Prepare for CMS-0057-F
Whether your organization is a payer, provider, or billing service, preparation for the CMS-0057-F final rule should already be underway. Here are the key action steps.
Step 1: Conduct a Gap Assessment
Before implementation comes honest evaluation. Assess where your organization currently stands against the five core requirements: FHIR APIs, prior authorization turnaround times, denial transparency, data interoperability, and reporting.
Step 2: Build a Cross-Functional Task Force
CMS-0057-F compliance is not an IT project alone. It requires alignment across Compliance, IT, Utilization Management, Clinical Operations, Provider Relations, Legal, and Reporting teams. Create a dedicated task force with clear ownership.
Step 3: Prioritize 2026 Operational Changes
The January 1, 2026, deadline for process changes is imminent. If your organization has not already redesigned prior authorization workflows to meet the 72-hour and 7-day turnaround requirements, this must be the immediate priority.
Step 4: Begin FHIR API Development Now
The 2027 API deadline requires building, testing, and deploying four separate FHIR-based endpoints at production scale. Organizations that delay this work risk scrambling in late 2026. Begin development, secure implementation guides, and test with representative EHR and provider systems.
Step 5: Prepare for Public Metrics Reporting
Beginning with data due March 31, 2026, payers must publicly post prior authorization metrics, including total requests, approval/denial rates, and average processing times. Establish internal reporting infrastructure and governance now.
Benefits When Fully Implemented
When the CMS-0057-F final rule reaches full implementation, the benefits for patients, providers, and payers are substantial.
- For Patients: Greater transparency about their prior authorization status, the ability to carry their health data when switching plans, and faster access to necessary care.
- For Providers: Electronic workflows replacing faxes and phone calls, real-time patient data access, clearer denial reasons, and reduced administrative burden.
- For Payers: Streamlined processes, reduced back-and-forth with providers, improved member satisfaction, and a more data-driven approach to utilization management.
- For the System: An estimated $15 billion in savings over ten years, better care coordination, and a healthcare ecosystem built on interoperable, accessible data.
We Are Here To Simplify Billing For You
The CMS-0057-F final rule is one of the most transformative regulatory changes in healthcare data management in years. It does not just ask payers to do things faster; it asks the entire healthcare system to become more transparent, more connected, and more accountable.
It can feel complicated, but you don’t have to figure it out alone. We help practices handle prior authorizations, improve workflows, and stay compliant. Save time, reduce claim denials, and keep your revenue on track.
Contact us to get your free billing audit today and see how Philadelphia medical billing can make your billing easier and more efficient.
Frequently Asked Questions
Will CMS fine payers for missing 2026 deadlines?
CMS can impose civil monetary penalties up to $100/day per violation after notice. States oversee Medicaid/CHIP enforcement, prioritizing patient harm cases first. (27 words)
How does CMS-0057-F affect Medicare Part D drugs?
Drugs are excluded from new PA APIs but must follow 72-hour expedited timelines. Pharmacy Benefit Managers handle separate electronic prior authorization starting in 2028 per separate CMS rules.
Can patients sue over slow prior authorizations?
No private right of action exists, but patients can file complaints with CMS or state insurance departments. Advocacy groups track violations for class-action potential on denial patterns.
Does the rule require EHR upgrades for providers?
No federal mandate, but MIPS clinicians attesting “yes” to electronic PA need FHIR-compatible EHRs by 2027. CMS offers hardship exceptions for small practices unable to comply.
What PA metrics must payers publish publicly?
Approval/denial rates, appeal overturn rates, average decision times by type, and % requests with extensions. Data covers the full calendar year, posted by March 31 annually on payer websites