CMS Prior Authorization Rule 2026: What Providers Must Do Before the Compliance Deadlines
The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) creates the most significant federal changes to prior authorization workflow in two decades, with staged compliance deadlines running through 2027. Decision timeframes compress, denial reason codes become specific, payer PA metrics go public, and FHIR-based PARDD APIs eventually allow real-time PA submission directly from the EHR. Here is the practical checklist by organization type.
Loading audio...

The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) creates the most significant federal changes to prior authorization workflow in two decades, with staged compliance deadlines running through 2027. Decision timeframes compress, denial reason codes become specific, payer PA metrics go public, and FHIR-based PARDD APIs eventually allow real-time PA submission directly from the EHR. Here is the practical checklist by organization type.
- CMS-0057-F (finalized January 2024) is the most significant federal PA change in two decades, applying to Medicare Advantage, Medicaid and CHIP (FFS and managed care), and QHP issuers on federal exchanges — not commercial PPO or employer self-funded plans
- Beginning 2026, impacted payers must decide standard PAs within 7 calendar days (down from up to 14 for MA) and expedited PAs within 72 hours — the compression to 7 days is the most operationally significant change
- Every denial must carry a specific reason code that supports appeals and resubmission, and payers must publicly report annual PA metrics (requests, approval/denial rates, appeal overturns, turnaround)
- The FHIR-based PARDD API requirement lands January 1, 2027 — a year after the timeframe rules — so disruption unfolds over two years: adapt to compressed timeframes first, adopt the APIs second
- Faster payer response only helps if the provider can submit faster — a practice taking 3–5 days to gather documentation will still see 10+ day total cycle times, so the rule rewards practices that have already automated
The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) creates the most significant federal changes to prior authorization workflow in two decades, with staged compliance deadlines running through 2027. Decision timeframes compress, denial reason codes become specific, payer PA metrics go public, and FHIR-based PARDD APIs eventually allow real-time PA submission directly from the EHR. Here is the practical checklist by organization type.
The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F), finalized in January 2024, creates the most significant federal changes to prior authorization workflow in two decades. The rule imposes new obligations on impacted payers including Medicare Advantage, Medicaid managed care, CHIP managed care, and qualified health plans on federally facilitated exchanges, with staged compliance deadlines running through 2027.
For providers, the rule is mostly good news. Decision timeframes compress. Denials must include specific reason codes. Payer PA metrics must be publicly reported. And new FHIR-based APIs will eventually allow real-time PA submission directly from the EHR.
But “eventually” is doing work in that sentence. The benefits flow to providers whose workflows can consume faster decisions and the new APIs. Practices still running fax-and-portal submissions will not see most of the improvement, because the bottleneck will shift from payer response time to internal processing time.
This guide covers what the rule requires, the compliance timeline, the API obligations on payers, and a practical checklist of what providers should be doing now by organization type.
What is CMS-0057-F and which payers does it cover?
The CMS Interoperability and Prior Authorization Final Rule, formally known as CMS-0057-F, is a federal rulemaking finalized by the Centers for Medicare & Medicaid Services in January 2024. It applies to a defined set of impacted payers:
- Medicare Advantage organizations
- State Medicaid fee-for-service programs
- State Children's Health Insurance Program (CHIP) fee-for-service programs
- Medicaid managed care plans
- CHIP managed care plans
- Qualified Health Plan (QHP) issuers on federally facilitated exchanges
The rule does not apply directly to commercial PPO plans, employer self-funded plans, or workers' compensation. Many commercial payers are expected to adopt similar mechanisms voluntarily to align workflows, but compliance is not federally mandated.
The rule creates four sets of new obligations: faster decision timeframes, specific denial reason codes, public reporting of PA metrics, and FHIR-based API requirements for PA submission and status tracking.
What are the new prior authorization decision timeframes?
Beginning in 2026, impacted payers must meet new maximum decision timeframes for prior authorizations:
| Request type | Old standard | New CMS-0057-F standard |
|---|---|---|
| Standard (non-urgent) PA | Up to 14 days for MA, varied by Medicaid | 7 calendar days maximum |
| Expedited (urgent) PA | Up to 72 hours for MA | 72 hours maximum |
The standard decision compression from 14 days to 7 days is the most operationally significant change. Practices currently waiting 10 to 14 days for routine PAs on imaging, DME, and certain procedures will see those windows cut roughly in half.
Two practical implications for providers. First, faster payer response only helps if the provider can submit faster. A practice that takes 3 to 5 days to gather documentation and submit will still see 10-plus day total cycle times even with payer compression. Second, “maximum” is a ceiling, not an average. Many payers will continue to respond well inside the maximums, especially for automated submissions through the new APIs.
What does the rule require about denial reason codes?
Under CMS-0057-F, when an impacted payer denies a prior authorization, the denial must include a specific reason code identifying the basis for the denial. The reason must be communicated to the requesting provider in a form that supports appeals and resubmission.
The operational implication is that denial documentation will become more useful for appeals. Practices that have struggled to understand why specific PAs got denied will have machine-readable reason codes to work with. This is particularly useful for PA denial pattern analysis, where understanding root causes drives prevention.
The rule also requires payers to provide the rationale to the requesting provider in a manner that enables resubmission with corrected information when applicable.
What are the public reporting requirements?
Beginning in 2026, impacted payers must publicly report annual metrics on their prior authorization activity. The required metrics include:
- Total PA requests received
- Approval rate
- Denial rate
- Appeals overturned rate
- Average and median decision turnaround times
- Breakdown by service category (e.g., inpatient, outpatient, drugs, imaging)
The reports must be posted publicly, which means provider organizations, contract negotiators, journalists, and researchers will be able to compare payer performance directly. The expected effect is competitive pressure on payers to demonstrate reasonable PA practices, which should benefit providers contracted with consistently slow or denial-heavy payers.
What is the PARDD API and what are the API requirements?
The Prior Authorization Requirements, Documentation, and Decision API (PARDD API) is the FHIR-based API requirement at the center of the rule. It requires impacted payers to implement APIs in three categories:
1. Patient Access API. Patients can access their PA data programmatically via the payer's API. Existing requirement, expanded under CMS-0057-F to include PA decisions and status.
2. Provider Access API. Providers can access PA data for their attributed patients. New obligation.
3. Payer-to-Payer API. When a patient changes plans, the new payer can pull PA data from the previous payer. Enables continuity of care during plan transitions.
The PARDD API specifically supports prior authorization workflow: providers submit PA requests, retrieve status, and receive decisions through standardized FHIR endpoints rather than through proprietary payer portals or fax.
The compliance deadline for the API requirements is January 1, 2027, one year after the decision timeframe requirements. The staged timeline means decision compression starts first, with full API integration phasing in a year later.
For providers, the practical implication is that the workflow disruption from this rule unfolds over two years. The first year is about adapting to compressed timeframes with existing submission methods. The second year is about adopting the APIs as payers expose them.
What should each organization type be doing now?
The compliance checklist varies by organization type because the operational impact depends on the payer mix and PA volume.
Specialty practices (sleep medicine, orthopedics, cardiology, oncology, etc.)
| Action | Priority | Why |
|---|---|---|
| Audit current PA submission turnaround | High | Establish baseline against the new 7-day decision standard |
| Identify top 5 procedures by PA volume | High | Focus automation investment where impact is largest |
| Verify EHR is positioned for FHIR API integration | Medium | Required to consume payer APIs starting 2027 |
| Build documentation templates aligned to medical necessity criteria | Medium | Reduces first-pass denial rate |
| Train coordinators on new denial reason code workflow | Medium | Required for effective appeals and resubmission |
Linear Health completely transformed how we operate. They replaced five disconnected tools we were using to manage referrals, scheduling, and patient outreach.
Primary care groups and FQHCs
| Action | Priority | Why |
|---|---|---|
| Identify Medicaid managed care PA volume | High | FQHCs and primary care groups carry heavy Medicaid PA burden |
| Map current PA workflow to the new timelines | High | Determine whether internal processing time exceeds the new payer windows |
| Evaluate EHR PA integration capabilities | Medium | Most FQHCs use community EHRs with limited PA workflow tooling |
| Plan multilingual member outreach for PA-related delays | Medium | Members in Medicaid populations need plain-language communication about authorization status |
PE-backed multi-site groups
| Action | Priority | Why |
|---|---|---|
| Standardize PA workflow across portfolio companies | High | Variance across acquired practices makes API integration impossible |
| Build centralized PA performance dashboards | High | Required for management visibility and benchmarking |
| Negotiate payer contracts referencing CMS-0057-F transparency data | Medium | Public reporting creates negotiation leverage |
See how PA automation maps to the new CMS requirements
We map prior authorization automation to the new CMS-0057-F timeframes so your internal processing keeps pace with faster payer decisions.
How does CMS-0057-F interact with state-level reforms?
Federal CMS-0057-F operates alongside state-level prior authorization reforms, including gold carding legislation in Texas, Louisiana, and West Virginia, and broader PA reform statutes in dozens of other states. The federal rule does not preempt state requirements that are more stringent.
For multi-state practice groups, the practical implication is that compliance is a multi-layered question: federal CMS-0057-F obligations on impacted payers in all states, plus state-specific obligations that may exceed federal requirements in specific states. The operations team needs visibility into both.
The most common state-level addition is faster decision timeframes for specific procedure categories (e.g., behavioral health, certain medications) and more aggressive gold carding mechanisms. Where state requirements are stricter, the state requirement controls. Our companion piece on gold carding for prior authorization breaks down the state-by-state landscape.
Where regulatory-aligned PA automation fits (and where it does not)
Best fit:
- Practices with significant MA, Medicaid managed care, or QHP exposure
- Specialty practices with high PA volume on procedures affected by the new timeframes
- Multi-state groups managing federal plus state-level compliance
- Organizations with chronic coordinator vacancy or turnover
- Practices preparing for FHIR API integration in 2027
Less ideal fit:
- Practices with payer mix dominated by commercial PPO plans (not federally mandated to comply)
- Practices below 50 PAs per week where the automation business case is marginal
- Organizations without basic EHR integration capability
- Cash-pay or DPC practices not running insurance PA workflows
Get ahead of the CMS-0057-F deadlines
Linear Health automates PA submission, status tracking, and escalation, and is built to consume the FHIR-based PARDD APIs as payers expose them.
Healthcare AI insights, monthly.
Frequently asked questions
When does CMS-0057-F take effect?
Does CMS-0057-F apply to commercial PPO plans?
What is the PARDD API?
Will the new 7-day decision standard apply to all prior authorizations?
Do providers need to upgrade their EHRs to comply with CMS-0057-F?

Sami scaled Simple Online Healthcare to $150M and built a multi-specialty telehealth clinic across 20 specialties and all 50 states. Connect on LinkedIn.






