Familiarity with prior authorization (PA) and the role it plays in health care has grown significantly in recent years. A relatively simple process on its face, PA requires providers to submit clinical documentation to the patient’s health plan for coverage review before treatment can begin. These workflows remain largely manual, even in today’s digital-forward health care systems, with providers often filling out paper forms and faxing the PA requests to the required party. Often disparagingly referred to as the “fax and fatigue” model, PA is slow and administratively burdensome, yet simultaneously vital for ensuring certain treatments are necessary and cost-effective. In an attempt to streamline the authorization process, the Centers for Medicare and Medicaid Services (CMS) issued the 2026 Interoperability Standards and Prior Authorization for Drugs Proposed Rule (CMS-0062-P). While the agency is pursuing a widely supported goal, there are many complicating regulatory and operational factors that will determine the rule’s success and practical impact on the health care industry.

The recently published 173-page document builds upon several existing final rules to require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service programs, Medicaid and CHIP managed care plans, and certain Qualified Health Plan (QHP) issuers to implement various Application Programming Interfaces (APIs), collectively defined as “interoperability APIs.” Generally speaking, APIs are the sets of protocols and tools which enable distinct software applications to communicate with one another. In health care, “interoperability APIs” – as envisioned by CMS – act as digital bridges between patients, providers, payers, and medical record keepers, allowing for real-time transmission of clinical and administrative information.

A 2024 final rule (CMS-0057) established API-based interoperability and PA requirements for payers covering non-drug items and services (such as surgeries and durable medical equipment); CMS-0062 proposes that the same federally regulated payers must also support electronic prior authorization (ePA) for drugs and biologics and implement many similar health information technology (health IT) data standards to enhance interoperability. On the front end, the proposed API standards would enable clinicians using electronic health records (EHRs) or administrative staff using management software to check whether PA is required, complete the necessary documentation, and submit authorization requests and receive decisions. On the back end, the proposed standards would allow payers – such as state Medicaid programs – to verify medical necessity and issue decisions without having to wait for manual faxes or clinician phone calls, facilitating rapid two-way data exchange.

These proposals sound promising on paper and indeed, if executed properly, could greatly improve the current PA process for drugs and accelerate the speed of clinical decision-making and care. It is critical to note, however, that the proposed transition involves a staggering number of moving parts, with changes fundamentally altering the technology stacks of organizations across the health care sector. As health IT experts point out, CMS-0062 only adds to an increasingly dense list of existing regulations that impact various types of insurance and drug coverage transactions, raising legitimate questions of whether such changes truly support the “Administrative Simplification” initiative being advertised. To provide context for some of those conversations, let’s briefly analyze two of the most significant technical requirements in the rule.

First, CMS-0062 proposes two separate ePA workflows for drugs and biologics depending on the type of the patients’ insurance benefit. For drugs and biologics covered under a medical benefit – typically those administered by physicians in a clinical setting – CMS proposes that providers and impacted payers use PA APIs built on the Fast Healthcare Interoperability Resources (FHIR) data standard, and specifically the Da Vinci Project API implementation guides for each step of the of the PA workflow. Meanwhile, for drugs and biologics covered under a pharmacy benefit – usually dispensed at retail or specialty pharmacies and self-administered – CMS proposes requiring providers and all impacted payers to support three National Council for Prescription Drug Programs (NCPDP) standards, including the Real-Time Prescription Benefit standard to support PA decisions. The proposed bifurcated data standards – FHIR-based API and NCPDP-based API – designed to mitigate administrative burden and speed up decision making ultimately creates issues in determining which ePA track to follow, with the answer contingent on the specific benefit design of each impacted provider. As CMS and others point out, any attempts to solve this routing problem come with their own problems, not least of which is potentially undermining the large-scale interoperability goals the rule aims to achieve.

Second – and perhaps more important – through CMS-0062, the Department of Health and Human Services proposes to adopt the FHIR standard and certain FHIR implementation guides as a HIPPA Administrative Simplification standard, elevating FHIR above the existing X12N 278 standard for prior authorization transactions across all HIPPA-covered entities (i.e. providers and payers). On top of changing the HIPPA compliance burden throughout the health care sector, this proposal would solidify two different standards for attaching clinical documentation to PA and insurance claim transactions. Although the rule proposes impacted payers adopt FHIR’s CDex implementation guide (IG) for PA attachments, it would still support X12 IGs as the HIPPA standard for insurance claims attachments, despite both types of transactions using the same sensitive patient information. There are practical reasons for these two standards, but the divergence inherently contributes to more complicated workflows and greater compliance costs.

Important questions about implementation and compliance have yet to be answered. Stakeholders can engage in public comment and respond to CMS’ Requests for Information, particularly on key areas such as API extensions, health IT certification, and payer-to-payer transactions involving step therapy. The culmination of these efforts may meaningfully contribute to a faster, more seamless PA process across federally regulated payers, though the sheer scale and rapidly approaching effective date of these changes may hamper the full realization of the benefits purported by the rule.