Prior Authorization Provisions Implementation Timelines: Update
Background
In 2024, we shared details of an Informational Bulletin (CIB) issued by the Centers for Medicaid and CHIP Services (CMCS) intended to provide states and the Centers for Medicare & Medicaid Services (CMS) tools to improve monitoring and strengthen oversight of managed care organizations (MCOs) in CMCS. The guidance comes amid growing issues driven by high rates of prior authorization (PA) denials. Medicaid MCO denial rates are far greater than those reported by Medicare Advantage plans. Additionally, there are comparatively low rates of appeals as reported by the Office of Inspector General (OIG). These factors could hinder access and potentially diminish the quality of health and human services programs for Medicaid members.
Changes Coming Soon
The Interoperability and Patient Access final rule (CMS-0057-F) includes several provisions that impact Medicaid and CHIP managed care plans. States should consider writing these provisions into their MCO contracts, including reporting to, and monitoring by, the state, along with explicit information about repercussions for non-compliance.
Some key provisions in the final rule related to PA requirements for MCOs must be implemented for rating periods starting on or after January 1, 2026, while others must be implemented for rating periods starting on or after January 1, 2027. Although these requirements are new to Medicaid and CHIP, similar requirements have been in place in Medicare Advantage for some time, and Myers and Stauffer has worked closely with CMS for the past 15 years to assist with monitoring PA compliance within the federal managed care program. In this update, we break down the requirements by implementation date to help you prepare.
PA Provisions with an implementation date beginning January 1, 2026
Beginning on or after January 1, 2026, managed care plans must:
- Provide standard prior authorization decisions within seven days. MCOs must provide standard PA decisions within state-established timeframes that cannot exceed seven calendar days for non-expedited matters; a reduction by half from the current requirement of 14 calendar days. A recent KFF article found that at least 18 states will need to update standard timeframe requirements. There are several other factors states must consider to ensure plan compliance, such as:
- What is the health plan’s strategy to ensure compliance and how do they plan to modify staffing and processes?
- Does the health plan have a vendor for certain prior authorization decisions? How are they monitoring compliance of their downstream entities?
- Provide a specific reason for every denial to the provider. Managed care plans must provide specific denial reasons to providers. While the provider community may understand technical language used by health plans, beneficiaries require a different approach, a 2024 MACPAC report identified that beneficiaries are experiencing barriers to care due to unclear and difficult to understand denial notice language, noting that managed care plans acknowledged this as a challenge. A 2023 OIG report found that 89% of Medicaid enrollees do not appeal denials.
States should include contract language to ensure denial reasons and appeal rights are clear to both the providers and beneficiaries. A best practice is to establish a process for the state to review MCO model letter language. Periodic monitoring and auditing should be conducted to ensure approved model letters are used appropriately.
- Post annual prior authorization metrics on the payer’s public website. The information posted by the MCO must include a list of all items and services requiring prior authorization as well as metrics such as the percentage of requests approved, denied, approved after appeal, and the average time between submission and decision. The state should have a monitoring plan to ensure these metrics are reported to the state timely and accurately.
As states begin to collect PA data and managed care plans begin to report metrics on their public websites, CMCS stated that CMS will also be updating the fields required by the Managed Care Program Annual Report (MCPAR). Further, CMS identified data resulting from the MCPAR and other sources, “…will allow CMS to generate and analyze state-specific and nationwide data across all managed care programs and requirements. Along with assessing compliance with managed care statutory and regulatory requirements, CMS will use this data to identify areas for improvement and target technical assistance to help states improve their managed care programs and plan performance.”
PA Provisions with an implementation date beginning January 1, 2027
Beginning on or after January 1, 2027, managed care plans must have a Prior Authorization Application Programming Interface (API). This prior authorization API is intended to reduce provider burden, inefficiencies in the prior authorization process, and unnecessary delays in patient care, and is expected to achieve the following objectives:
- Identify all covered services that require prior authorization.
- Specify the documentation requirements for prior authorization approval.
- Enable prior authorization requests and responses to be exchanged, including authorization dates for approved requests, rationale for denied requests, and requests for more information.
In finalizing their proposed rule, CMS extended the deadline related to prior authorization API requirements from 2026 to 2027. This extension provides payers with additional time to implement the APIs, collaborate with Electronic Health Records (EHR) vendors to support appropriate connections for their providers, and develop outreach materials. While the prior authorization API requirements will not be effective until rating periods starting on or after January 1, 2027, early preparation and coordination will support effective implementation and ensure the intended benefits are realized. States with a significant number of rural providers should consider additional measures, such as stakeholder engagement, to address concerns about technology adoption. These efforts can aid in developing and reviewing outreach materials, ensuring the implementation successfully streamlines the prior authorization process.
In Conclusion
These impending requirements are key drivers for positive change, improved programs, increased transparency, greater accountability, and stewardship of taxpayer dollars across the county. And while they may seem complex, they are manageable, especially with an experienced and knowledgeable partner who can provide the technical consulting and guidance needed to enact these changes and monitor compliance.
At Myers and Stauffer, we make it our daily mission to assist the state agencies that support these vital programs and the populations they serve. If you would like more information about how we can assist with your state’s monitoring and reporting of MCOs’ PA denials, please contact one of our managed care partners listed below.
In the process of enhancing access to care, it’s essential to consider the accompanying risks. Because there is increased pressure to reduce services requiring PA and improve denial rates, program integrity issues may arise. We can aid states in striking the right balance between member access and maintaining program integrity oversight.
