Current Policies for Prior Authorization: Why They’re Likely Changing in 2023

The Centers for Medicare and Medicaid Services (CMS) has a massive impact on healthcare. They are responsible for offering health coverage to over 100 million people and oversee Medicare, Medicaid, the Children's Health Insurance Program (CHIP), and the Health Insurance Marketplace. In 2023, they proposed changing the current policies for prior authorization. The new policies aim to address the current issues with prior authorization to improve patient care and reduce the burden on providers and payers. Read on for the full picture.

{{toc}}

Current policies used for prior authorization

Insurance companies use prior authorization to determine how medically necessary a treatment or medication is and whether or not they will cover it. While this cost-control process can help keep insurance premiums down, the current prior authorization policies can create a heavy workload for payers and providers and make access to care more difficult for patients.

The current policies also make it difficult for patients to know which services require prior authorization. Because payers have unique requirements for prior authorizations, there is little payer-to-payer data exchange. Patients have to constantly seek prior authorizations if they change plans often. Additionally, the current policies have limited requirements for the time frames in which decisions need to be made, the reporting of prior authorization data, and how the data is shared between payers, providers, and patients.

Why are policies for prior authorization changing in 2023?

Prior authorization can be a significant barrier to receiving care. According to a 2021 American Medical Association survey, 93% of physicians reported care delays while waiting for health insurers to authorize care. These delays can lead to unnecessary pain or prolonged discomfort for patients. The same study also found that 82% of patients who abandoned treatment did it due to health insurance authorization issues, and 34% of physicians reported that issues with prior authorization caused serious health events for their patients, with some as serious as death. The same survey showed that physicians completed an average of 41 prior authorizations per week, and 40% of physicians have staff members who work exclusively on prior authorizations.

Another report by the Department of Health and Human Services Office of the Inspector General revealed that Medicare Advantage Plans improperly applied Medicare coverage rules to deny 13% of prior authorization requests and 18% of payments. In some cases, prior authorizations or other documents supporting the payment were ignored. Additionally, a Kaiser Family Foundation analysis found that out of 2 million denied requests (6% of the total 35 million requests submitted in 2021),11% were appealed, and 82% were overturned. These concerning numbers raise questions about the validity of many initial denials and if healthcare was provided when it should have been.

Because of these statistics and firsthand experiences with the process, many in the medical field have been advocating for changes to current prior authorization practices and reducing the number of prior authorizations required for services. According to the AMA, nearly 120 physician organizations strongly support the proposed reforms to the Medicare prescription drug benefit and Medicare Advantage plans. In a letter to a CMS administrator, physician organizations expressed gratitude for the proposal and urged the agency to implement proposed reforms to address the inappropriate utilization of prior-authorization requirements.

These new policies may be able to mitigate these issues by streamlining the processes, reducing delays in care, improving the accuracy of decisions regarding the necessity of medical services, and ensuring patients can receive the care they need in a timely and appropriate manner.

Who are these new policies targeting?

According to the Federal Register, the proposed rule introduces new requirements for several healthcare programs and plans, including Medicare Advantage organizations, state Medicaid and CHIP fee-for-service programs and managed care plans, and Qualified Health Plan issuers.

The proposed changes would enhance the electronic exchange of healthcare data and streamline prior authorization processes while promoting CMS's priority for interoperability in the healthcare market.

In addition, the proposed rule would introduce a new measure for eligible hospitals, critical access hospitals, and clinicians eligible for Merit-based Incentive Payment Systems (MIPS) under the Medicare Promoting Interoperability Program and the Promoting Interoperability performance category of MIPS. These policies would reduce the burden on payers and providers while improving patient access to health information, which is crucial for delivering high-quality care.

How the new CMS policies would change prior authorization

CMS's new policies would change many parts of prior authorization, such as how health data is shared and payer, provider, and patient processes, to create a more efficient system that creates a better patient experience.

Standardize the interface for prior authorization

In the proposed rule for changing current CMS requirements for prior authorization, CMS considered feedback regarding the desire for interoperability. As part of the new policy, affected payers would need to use health information technology standards relevant to Application Programming Interface (API) requirements to streamline the prior authorization process. For context, APIs facilitate interoperability by enabling smooth communication and information exchange among distinct software programs. These standards include the HL7 Fast Healthcare Interoperability Resources (FHIR) standard, the HL7 FHIR U.S. Core Implementation Guide, and the HL7 SMART Application Launch Framework Implementation Guide.

The new policies also attempt to streamline processes by requiring affected payers to establish and sustain an FHIR API for Prior Authorization Requirements, Documentation, and Decision (PARDD API). The PARDD API would simplify the prior authorization process by automatically determining whether prior authorization is even required for a service or item. It would also integrate the identification of payers' prior authorization requirements and documentation, as well as information about requests and decisions, into a provider's workflow while complying with HIPAA standards.

The policies also mandate that impacted payers make information pertaining to prior authorization requests and decisions for items and services (excluding drugs) available to patients within one business day of the payer receiving the prior authorization request or another type of status change. This information must be made accessible via the Patient Access API.

For most new policies, implementation will not happen until 2026. CMS believes three years will be ample time to recruit and train personnel, modernize or construct APIs, and revise operational procedures as outlined in these proposals. They also believe this timeline should provide sufficient opportunity for the affected payers to assess their eligibility for participation in the API proposals and to compile the essential paperwork to petition for an extension, exemption, or exception.

Require payers to give status of prior authorizations to providers

While existing regulations require that Medicaid managed care plans and CHIP managed care entities provide denial notice to providers, the new rule would address the information gap between payers and providers in Medicare Advantage plans since the current policies only require payers to inform the patient. Under the proposed policy changes, affected payers would be obligated to give the status of prior authorizations to the relevant healthcare provider, including whether the request was approved, denied, or needed further information. This information must also clearly explain the specific reason for any denial.

The proposed changes can enhance transparency, alleviate burdens, and enhance efficiencies for both payers and providers.

Enforce quicker time frames for payers to make prior authorization decisions

The policy changes would also reduce the time frame payers have to make prior authorization decisions and provide notice to beneficiaries. Medicare Advantage organizations, applicable integrated plans, Medicaid FFS programs, and CHIP FFS programs would need to provide notice of prior authorization decisions within seven calendar days for standard requests or as soon as the patient's health condition requires. For expedited requests, Medicaid FFS and CHIP FFS programs must provide notice within 72 hours unless state law requires a shorter minimum time frame.

One thing to note is that CMS is not suggesting that payers must approve a prior authorization request if they cannot meet the required decision time frame. If a payer does not meet the deadline for approval, providers must contact them to check on the request's status and the reason for the delay.

Require payers to report prior authorization data every year

CMS believes that making prior authorization decision data publicly available would increase transparency and help consumers make informed decisions when comparing healthcare plans. New policies would require payers to report prior authorization data every year, including:

• The items and services that require prior authorization
• The percentage of standard prior authorization requests approved, denied, or approved after the appeal
• The percentage of expedited prior authorization requests that were approved and denied
• The percentage of prior authorization requests for which the review time frame was extended and the request was approved
• The average and median time that passed between a request's submission and the standard prior authorization determination
• The average and median time that passed between a request's submission and the expedited prior authorization decision

Electronic access to patient information

Since patients often receive care from multiple providers, their health records can become fragmented and locked away in separate data systems. This means providers may struggle to get a complete picture of the patient's care history, and patients may forget or be unable to provide important information to their provider. To address this issue, the 2020 CMS Interoperability and Patient Access final rule required impacted payers to share certain patient information, such as patient claims, encounter data, and some clinical data, with patients via accessible health apps. The new policies add to the 2020 proposal by requiring that payers provide more information on prior authorizations as well as an annual report on how patients use the health apps.

Require payers to implement a standardized interface for providers

These changes would also require payers to make patient data directly available to providers via a standardized interface for providers. This would decrease the burden on patients to remember and accurately relay their health information to a provider during an appointment. However, payers would need to allow patients to opt out via the FHIR API.

Under this policy change, providers could request and obtain access to their patients' information for treatment purposes, such as care coordination, using their electronic health record, practice management system, or other technology solutions. The provider would securely access the patient's data through an FHIR API using at least one of these systems, not through their own health app. The data would be transmitted from the payer to the provider's EHR or practice management system, enabling providers to integrate the patient's data into their records. This has the potential to improve patient data access by building upon their current systems and procedures while maintaining the privacy and security of patient information.

Require payers to standardize payer-to-payer data exchange

It's no secret that collecting and aggregating patient data can lead to more coordinated care and better decisions. Since healthcare payers usually maintain long-term relationships with patients, they are uniquely positioned to gather and consolidate patient data over long periods. The new CMS policies would require payers to use a payer-to-payer data exchange standard to share patient data, like prior authorization decisions. However, a patient would need to opt-in to approve their data being exchanged between payers. This policy change might prevent patients from needing a new prior authorization if they change their health plan since their new payer would now have access to their prior authorization data from their old payer.

Requests of information from payers

In CMS's proposal, there are five different requests for information on the exchange of data. These requests were also included in the original 2020 proposal. Still, many asked CMS for more time to answer, so they also included it in the newest policy proposal.

Social risk factor data

Social risk factors, including homelessness, food insecurity, insufficient access to transportation, and limited health literacy, can result in unfulfilled social needs, which can directly affect an individual's physical, psychosocial, and functional well-being. Because these social risk factors significantly impact patient health, utilization, and outcomes, addressing these factors is crucial for the overall health of the healthcare system. CMS continues to seek information on the obstacles the healthcare industry encounters in adopting industry standards as well as opportunities to speed up the implementation of data collection standards concerning social risk factor data. Much of the data is unstandardized and out of date and could benefit from interoperability.

Digital sharing of behavioral health data

Behavioral health providers use Electronic Health Records at a much lower rate than other healthcare providers. Because of this, CMS also issued a request for more information on a possible solution. Figuring out how to best facilitate the digital sharing of behavioral health information among behavioral health providers and other healthcare providers is a priority and is another example of how increased data sharing might have a significant effect on patient outcomes.

Digital sharing of information within Medicare's fee-for-service system

Preferably, Health IT and the digital sharing of information would simplify the process of exchanging information between ordering and rendering providers or suppliers. However, resolving the inconsistency and lack of standardized Health IT systems for exchanging medical documentation will likely take some time. Because of this, CMS issued a request for more information on this topic and wanted feedback on how Medicare FFS can best facilitate advancements in the exchange of medical documentation among providers, suppliers, and patients.

Another priority is to get more information on how to effectively transfer health data to providers or suppliers in a consistent manner and how to help providers or suppliers submit medical documentation to CMS via Health IT and avoid denied claims or improper payments.

The compatibility of different systems and streamlining the approval process for maternal health

Because of the current maternity care crisis in the U.S., CMS initially published its Cross-Cutting Initiative: CMS Maternity Care Action Plan in 2022. They identified gaps in maternity care, such as coverage and access to care, data, quality of care, workforce, and social support. CMS is also working on data collection efforts to analyze key demographics and identify disparities in maternal care or outcomes. They believe that Health IT, data sharing, and interoperability are crucial for enhancing maternal health outcomes. This idea is supported by studies that have indicated that technology and telehealth can effectively reduce racial disparities in health care, like blood pressure ascertainment. CMS is still interested in better understanding this topic and requested information on how prior authorization processes have impacted maternal healthcare for patients in CMS programs.

Promoting the progress of the Trusted Exchange Framework and Common Agreement (TEFCA)

By enabling exchange within TEFCA, health plans could also bolster the proposed rule for data exchange between payers using FHIR APIs. This rule would require payers to provide beneficiary information to other plans when patients switch their coverage. Health plans participating in exchange under TEFCA could easily locate other plans with information about a recently covered beneficiary and securely request the information, which would need to be shared per the proposed rules for payer-to-payer data exchange. To compile more information on how to promote TEFCA, CMS issued a request for more information in the proposal. Some of the areas of doubt were how CMS should approach encouraging payers to enable exchanges under TEFCA and what the concerns are regarding the possible requirements for enabling the exchange.

Current concerns and uncertainties regarding the proposed prior authorization policies

While these proposed policies have received praise for addressing the challenges of prior authorization, there are still some key issues and concerns regarding these new policies and the effects they could have on payers, providers, and patients.

The impact of electronic standards on patient experience

One uncertainty regarding the proposed prior authorization policies is how implementing new electronic procedures will impact a patient's experience with obtaining healthcare services and health information. While the reduced administrative burden for providers is surely a benefit of the proposed policies, there are still concerns about whether adopting technologies that minimize provider burden will actually translate to an improved patient experience or if it will just transfer the burden to patients. Improved patient experience is a primary goal of these prior authorization policy changes, so if the new electronic procedures create a negative effect, they may be counterproductive.

Another concern is that while the proposed policy requires payers to allow patients to use health apps to access their information, there is no rule that they have to make these apps available. This means incentives may be needed to encourage payers to make the apps available.

Increased security risks for patient data due to electronic standards

Another concern regarding these new policies is the security risks of more patients being available electronically. There is always a risk of security breaches, compromised data confidentiality, and inappropriate use of the data, so ensuring these policy changes do not create information security problems is of utmost concern.

The reality is that while all payers must be HIPAA-compliant, third-party applications might not have equally strict legal protections. The goal is to find a balance between enhancing access to information for better care and increasing patient awareness of costs and coverage while curbing the possibility of misuse for other purposes. These concerns will need to be watched by HIPAA and the Federal Trade Commission, and Food and Drug Administration, who will need to continue to regulate health apps to ensure proper security measures are put in place.

Other alternatives exist to approach administrative burden with prior authorization

While API technology is one solution to administrative issues with prior authorization, there may be other alternatives. Reducing old, burdensome processes like phone calls, fax machines, and mail will likely improve efficiency, but another solution might be the use of "gold carding." Gold carding utilizes information regarding a provider's historical compliance with prior authorization requests and usage patterns for specific services to minimize the number of prior authorization requests required. Providers who meet the standards would be free from some prior authorization requirements, reducing the need for prior authorization for prescribed treatments.

Are the new requirements for prior authorization annual reporting good enough?

While the proposed policies aim to improve the authorization problems, some are concerned about whether the new requirements for prior authorization annual reporting will be useful enough to make a difference.

Some believe that standardized mechanisms for reporting data may be more effective in enabling regulators and the public to evaluate how the prior authorization process functions across payers. One example is if services subject to prior authorization were put in a standard location on a payer's website or posted by CMS.

Another concern is whether the prior authorization data that payers are required to report (like denials and reasons for denials) will be enough to determine if prior authorization is an obstacle to receiving care and whether additional data will be needed to make this decision.

Ramifications of having API requirements that don't apply to all payers

While implementing similar standards across plans is likely necessary to establish a more interconnected health system, CMS's proposal will not affect everyone, like the 150 million Americans with employer-sponsored coverage. The decision to implement these standards would be up to employers and issuers handing out the employer coverage, but standards like allowing opt-ins and opt-outs for patients to control their data will not be required. The policy changes would also not apply to traditional Medicare, as it generally doesn't use prior authorizations.

Criteria used to determine prior authorizations are not addressed by the proposal

Another concern regarding the proposal is that it does not cover the criteria payers use to arrive at prior authorization decisions, which may be as important as revamping the prior authorization process. What is included in the proposal is a Medicare Advantage regulation aimed at addressing the standards governing the criteria used to make coverage decisions, including prior authorization.

A step forward for prior authorization policies

The proposed changes to the current policies for prior authorization could potentially improve access to care and enhance patient outcomes while reducing administrative burdens for healthcare providers. However, there remain concerns and uncertainties regarding the impact of new electronic processes on patient experiences and how the changes impact healthcare providers and payers.

Nevertheless, the changes represent a significant step toward modernizing the prior authorization process and aligning it with the goal of providing high-quality, efficient, and patient-centered care.

‍