CMS Prior Authorization Rule 2026: What Providers Must Do Before the Compliance Deadlines

The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F), finalized in January 2024, creates the most significant federal changes to prior authorization workflow in two decades. The rule imposes new obligations on impacted payers including Medicare Advantage, Medicaid managed care, CHIP managed care, and qualified health plans on federally facilitated exchanges, with staged compliance deadlines running through 2027.

For providers, the rule is mostly good news. Decision timeframes compress. Denials must include specific reason codes. Payer PA metrics must be publicly reported. And new FHIR-based APIs will eventually allow real-time PA submission directly from the EHR.

But “eventually” is doing work in that sentence. The benefits flow to providers whose workflows can consume faster decisions and the new APIs. Practices still running fax-and-portal submissions will not see most of the improvement, because the bottleneck will shift from payer response time to internal processing time.

This guide covers what the rule requires, the compliance timeline, the API obligations on payers, and a practical checklist of what providers should be doing now by organization type.

What is CMS-0057-F and which payers does it cover?

The CMS Interoperability and Prior Authorization Final Rule, formally known as CMS-0057-F, is a federal rulemaking finalized by the Centers for Medicare & Medicaid Services in January 2024. It applies to a defined set of impacted payers:

• Medicare Advantage organizations
• State Medicaid fee-for-service programs
• State Children's Health Insurance Program (CHIP) fee-for-service programs
• Medicaid managed care plans
• CHIP managed care plans
• Qualified Health Plan (QHP) issuers on federally facilitated exchanges

The rule does not apply directly to commercial PPO plans, employer self-funded plans, or workers' compensation. Many commercial payers are expected to adopt similar mechanisms voluntarily to align workflows, but compliance is not federally mandated.

The rule creates four sets of new obligations: faster decision timeframes, specific denial reason codes, public reporting of PA metrics, and FHIR-based API requirements for PA submission and status tracking.

What are the new prior authorization decision timeframes?

Beginning in 2026, impacted payers must meet new maximum decision timeframes for prior authorizations:

The standard decision compression from 14 days to 7 days is the most operationally significant change. Practices currently waiting 10 to 14 days for routine PAs on imaging, DME, and certain procedures will see those windows cut roughly in half.

Two practical implications for providers. First, faster payer response only helps if the provider can submit faster. A practice that takes 3 to 5 days to gather documentation and submit will still see 10-plus day total cycle times even with payer compression. Second, “maximum” is a ceiling, not an average. Many payers will continue to respond well inside the maximums, especially for automated submissions through the new APIs.

What does the rule require about denial reason codes?

Under CMS-0057-F, when an impacted payer denies a prior authorization, the denial must include a specific reason code identifying the basis for the denial. The reason must be communicated to the requesting provider in a form that supports appeals and resubmission.

The operational implication is that denial documentation will become more useful for appeals. Practices that have struggled to understand why specific PAs got denied will have machine-readable reason codes to work with. This is particularly useful for PA denial pattern analysis, where understanding root causes drives prevention.

The rule also requires payers to provide the rationale to the requesting provider in a manner that enables resubmission with corrected information when applicable.

What are the public reporting requirements?

Beginning in 2026, impacted payers must publicly report annual metrics on their prior authorization activity. The required metrics include:

• Total PA requests received
• Approval rate
• Denial rate
• Appeals overturned rate
• Average and median decision turnaround times
• Breakdown by service category (e.g., inpatient, outpatient, drugs, imaging)

The reports must be posted publicly, which means provider organizations, contract negotiators, journalists, and researchers will be able to compare payer performance directly. The expected effect is competitive pressure on payers to demonstrate reasonable PA practices, which should benefit providers contracted with consistently slow or denial-heavy payers.

What is the PARDD API and what are the API requirements?

The Prior Authorization Requirements, Documentation, and Decision API (PARDD API) is the FHIR-based API requirement at the center of the rule. It requires impacted payers to implement APIs in three categories:

1. Patient Access API. Patients can access their PA data programmatically via the payer's API. Existing requirement, expanded under CMS-0057-F to include PA decisions and status.

2. Provider Access API. Providers can access PA data for their attributed patients. New obligation.

3. Payer-to-Payer API. When a patient changes plans, the new payer can pull PA data from the previous payer. Enables continuity of care during plan transitions.

The PARDD API specifically supports prior authorization workflow: providers submit PA requests, retrieve status, and receive decisions through standardized FHIR endpoints rather than through proprietary payer portals or fax.

The compliance deadline for the API requirements is January 1, 2027, one year after the decision timeframe requirements. The staged timeline means decision compression starts first, with full API integration phasing in a year later.

For providers, the practical implication is that the workflow disruption from this rule unfolds over two years. The first year is about adapting to compressed timeframes with existing submission methods. The second year is about adopting the APIs as payers expose them.

What should each organization type be doing now?

The compliance checklist varies by organization type because the operational impact depends on the payer mix and PA volume.

Specialty practices (sleep medicine, orthopedics, cardiology, oncology, etc.)

“The new rules speed up payer decisions. Practices still running manual submissions won't see the benefit because the bottleneck just moves to the provider side. The rule rewards practices that have already automated.”

Primary care groups and FQHCs

PE-backed multi-site groups

How does CMS-0057-F interact with state-level reforms?

Federal CMS-0057-F operates alongside state-level prior authorization reforms, including gold carding legislation in Texas, Louisiana, and West Virginia, and broader PA reform statutes in dozens of other states. The federal rule does not preempt state requirements that are more stringent.

For multi-state practice groups, the practical implication is that compliance is a multi-layered question: federal CMS-0057-F obligations on impacted payers in all states, plus state-specific obligations that may exceed federal requirements in specific states. The operations team needs visibility into both.

The most common state-level addition is faster decision timeframes for specific procedure categories (e.g., behavioral health, certain medications) and more aggressive gold carding mechanisms. Where state requirements are stricter, the state requirement controls. Our companion piece on gold carding for prior authorization breaks down the state-by-state landscape.

Where regulatory-aligned PA automation fits (and where it does not)

Best fit:

• Practices with significant MA, Medicaid managed care, or QHP exposure
• Specialty practices with high PA volume on procedures affected by the new timeframes
• Multi-state groups managing federal plus state-level compliance
• Organizations with chronic coordinator vacancy or turnover
• Practices preparing for FHIR API integration in 2027

Less ideal fit:

• Practices with payer mix dominated by commercial PPO plans (not federally mandated to comply)
• Practices below 50 PAs per week where the automation business case is marginal
• Organizations without basic EHR integration capability
• Cash-pay or DPC practices not running insurance PA workflows

Frequently asked questions

When does CMS-0057-F take effect?
The decision timeframe requirements take effect in 2026. The API requirements (PARDD API) take effect on January 1, 2027. The staged timeline gives payers and providers a phased implementation runway.

Does CMS-0057-F apply to commercial PPO plans?
No. The rule directly applies to Medicare Advantage, Medicaid managed care, CHIP managed care, and qualified health plans on federally facilitated exchanges. Commercial PPO plans and employer self-funded plans are not federally required to comply, though many are expected to adopt similar mechanisms voluntarily.

What is the PARDD API?
The Prior Authorization Requirements, Documentation, and Decision API is a FHIR-based API requirement under CMS-0057-F that impacted payers must implement by January 1, 2027. It enables providers to submit PA requests, retrieve status, and receive decisions through standardized API endpoints rather than proprietary payer portals or fax.

Will the new 7-day decision standard apply to all prior authorizations?
The 7-calendar-day maximum applies to standard (non-urgent) PAs from impacted payers. Expedited (urgent) PAs have a 72-hour maximum. Specific exemptions and state-level variations may apply.

Do providers need to upgrade their EHRs to comply with CMS-0057-F?
No. The rule places obligations on impacted payers, not directly on providers. However, providers who want to take full advantage of the new PARDD API will need EHR or PA automation platforms that can consume FHIR-based PA workflows. Practices on legacy systems will see less benefit from the rule.