2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule

2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule

The Centers for Medicare & Medicaid Services (CMS) continues its efforts to improve prior authorization so patients and providers can benefit from a more expeditious, transparent, and reliable process. Today, CMS released the 2026 CMS Interoperability Standards and Prior Authorization for Drugs proposed rule (CMS-0062-P).

This proposed rule builds on the 2020 CMS Interoperability and Patient Access final rule and the 2024 CMS Interoperability and Prior Authorization final rule , which together require Medicare Advantage (MA) organizations, state Medicaid and Children's Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs) (collectively "impacted payers") to implement Patient Access, Provider Directory, Provider Access, Payer-to-Payer, and Prior Authorization Application Programming Interfaces (APIs) (collectively "interoperability APIs"). In this rule, CMS is proposing to add small group market QHP issuers offering plans on the Federally-facilitated Small Business Health Options Program (FF-SHOP) as an impacted payer subject to the interoperability requirements of the previous rules and these proposals.

While the prior authorization requirements in the 2024 final rule focused on non-drug items and services, the 2026 CMS Interoperability Standards and Prior Authorization for Drugs proposed rule extends many of those requirements to cover prior authorizations for drugs. Specifically, CMS now proposes to require impacted payers to support electronic prior authorization, to make decisions on requests within shorter timeframes that align CMS programs, and to increase transparency for the prior authorization of drugs. In addition, CMS is proposing to require impacted payers to update health information technology (health IT) standards and to report interoperability API endpoints and API usage metrics to CMS.

Furthermore, under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Department of Health and Human Services (HHS) is proposing to adopt certain Health Level Seven ® (HL7 ® ) Fast Healthcare Interoperability Resources ® (FHIR ® ) standards and implementation specifications for transactions related to prior authorizations. These HHS proposals would apply to all HIPAA covered entities (health care providers, health plans, and health care clearinghouses) that electronically exchange prior authorization requests and decisions for items and services.

Electronic Prior Authorization for Drugs

The 2024 final rule requires impacted payers to implement and maintain a Prior Authorization API to facilitate electronic prior authorization for non-drug items and services. CMS now proposes to require impacted payers to incorporate coverage and documentation requirements into those APIs to support the electronic prior authorization of drugs covered under a medical benefit beginning October 1, 2027. Aligning the technology and standards for all items, services, and drugs covered under a medical benefit would streamline the prior authorization process for providers and patients, enable real-time data exchange, improve electronic documentation submission, and accelerate payers' ability to make decisions.

CMS is also proposing to require that state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs support electronic prior authorization for drugs covered under a pharmacy benefit, which aligns with existing requirements for Medicare Part D sponsors. Specifically, CMS is proposing to require those impacted payers to support three National Council for Prescription Drug Programs (NCPDP) standards-the SCRIPT, Formulary & Benefit (F&B), and Real-Time Prescription Benefit (RTPB) standards-beginning October 1, 2027. The proposed standards allow providers to query formulary information, determine real-time coverage information, and exchange electronic prior authorization requests and decisions for drugs.

HIPAA Administrative Simplification: Adoption of the FHIR Standard for Prior Authorization Related Transactions

HHS is proposing to modify the current HIPAA Administrative Simplification standards for dental, professional, and institutional transactions related to prior authorization. Specifically, HHS is proposing to adopt the FHIR standard and certain FHIR implementation guides (IGs) as the standards for the "referral certification and authorization" and the "eligibility for a health plan" transactions related to prior authorization. Alternatively, we propose to also adopt the FHIR standard and applicable FHIR IGs to also include transactions for referral certifications. These modifications would improve transparency for patients, streamline provider workflows, increase transaction speed and accuracy, and reduce costly administrative inefficiencies.

HHS also proposes to adopt the HL7 FHIR Da Vinci Clinical Data Exchange (CDex) IG as the standard for attachments accompanying prior authorization transactions. The CDex IG is used to exchange files in various formats such as Consolidated Clinical Document Architecture (C-CDA) documents, PDF, and text files. This flexibility allows documents containing relevant patient data to be shared seamlessly across health IT systems. The CDex IG also allows health plans to be explicit with the data they are requesting, which would help health care providers avoid spending time gathering and sending more information than necessary.

HHS proposes that HIPAA covered entities (health care providers, health plans, and health care clearinghouses) that engage in those electronic transactions would be required to comply with these proposals no later than 24 months after the final rule's effective date. Small health plans would have 36 months after the final rule's effective date to comply with these proposals. HIPAA covered entities who do not engage in electronic prior authorization transactions would not be required to adopt these standards.

Payer Reporting of API Endpoints and Associated Information

CMS is proposing to require impacted payers to report their API endpoints for each of the interoperability APIs for CMS to publish in a centralized location. In addition, CMS is proposing to require impacted payers to submit to CMS a direct URL to their interoperability APIs' FHIR capability statements and URL(s) with required technical documentation-about authorization and authentication protocol and implementation details and API registration information-for each of their interoperability APIs.

CMS is proposing that existing impacted payers report this required information to CMS no later than 60 days after the effective date of a final rule and that new impacted payers report this information no later than 60 days before they begin covering patients under the applicable CMS program. In addition, impacted payers would be required to update the information within one week of any changes and verify that the reported information is still correct at least annually.

Alternatively, CMS is proposing that impacted payers report the proposed information for each interoperability API using the National Directory of Healthcare Providers & Services (NDH) IG Endpoint Profile resources.

HHS Adoption of Updated Health IT Standards and Specifications

This proposed rule includes proposals from the Office of the National Coordinator for Health Information Technology (ONC) to adopt updated versions of certain health IT standards and specifications on behalf of HHS related to the interoperability APIs. Adopting these updated versions would support the continued development of a nationwide health IT infrastructure and ongoing federal alignment of standards for interoperability and health information exchange. In addition, ONC proposes that certain currently adopted versions of the proposed standards in 45 CFR 170.215 would expire on January 1, 2028.

Updates to Standards and IGs for Interoperability APIs

CMS proposes to cross-reference versions of the required standards adopted by the Secretary in 45 CFR 170.215. This would allow industry to move to newer versions of the required standards (see the 2024 final rule fact sheet for a list of required standards), as adopted by ONC, rather than necessitating additional CMS rulemaking. In addition, impacted payers would have the flexibility to use updated versions of the required standards under the following conditions: (1) the updated version of the standard is required by other applicable law or the updated version of the standard is not prohibited under other applicable law, (2) the National Coordinator has approved the updated version for use in the ONC Health IT Certification Program, and (3) the updated version does not disrupt an end user's ability to access the data required to be available through the API.

In addition, building upon the 2024 final rule and in conjunction with the ONC proposals, CMS is proposing to require impacted payers to use a set of currently recommended IGs, as applicable to each of the interoperability APIs. Impacted payers' interoperability APIs would be required to conform with the proposed, additional IGs beginning October 1, 2027. Requiring these IGs would promote interoperability by further aligning industry standards and best practices for how patient data should be structured and exchanged.

Specifically, CMS is proposing to require impacted payers to use versions of the below IGs that are currently recommended under the 2024 final rule:

• HL7 FHIR CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button^®) IG, Version 2.0.0-STU 2, proposed to expire on January 1, 2028, or Version 2.2.0-STU 2.2* ^[1]
• HL7 FHIR Da Vinci-Payer Data Exchange (PDex) IG, Version 2.1.0-STU 2.1
• HL7 FHIR Da Vinci-Payer Data Exchange (PDex) US Drug Formulary IG, Version 2.0.1-STU 2*, proposed to expire on January 1, 2028, or Version 2.1.0-STU 2.1*
• HL7 FHIR Da Vinci-Payer Data Exchange (PDex) Plan Net IG, Version 1.1.0-STU 1.1 US*, proposed to expire on January 1, 2028, or Version 1.2.0-STU 1.2*
• HL7 FHIR Da Vinci-Coverage Requirements Discovery (CRD) IG, Version 2.0.1-STU 2*, proposed to expire on January 1, 2028, or Version 2.2.1-STU 2.2*
• HL7 FHIR Da Vinci-Documentation Templates and Rules (DTR) IG, Version 2.0.1-STU 2*, proposed to expire on January 1, 2028, or Version 2.2.0-STU 2.2*
• HL7 FHIR Da Vinci-Prior Authorization Support (PAS) IG, Version 2.0.1-STU 2*, proposed to expire on January 1, 2028, or Version 2.2.1-STU 2.2*

CMS is also requesting comments on the following IGs for consideration in future rulemaking:

• HL7 FAST Security for Scalable Registration, Authentication, and Authorization Release (FAST Security IG), Version 2.0.0-STU 2​
• HL7 FHIR Da Vinci Member Attribution (ATR) List IG, Version 2.1.0-STU 2.1​
• HL7 FHIR Da Vinci Clinical Data Exchange (CDex) IG, Version 2.1.0-STU 2.1​

For a complete list of required standards and proposed IGs, please refer to the proposed rule here: www.federalregister.gov

Improving Communications and Decision Timeframes for Prior Authorizations

Timeframes for Prior Authorization Decisions

Prior Authorizations for Drugs

To ensure prompt notification and align prior authorization decision processes across different CMS programs, CMS proposes that certain payers be required to provide notice of drug-related prior authorization decisions within specific timeframes.

• To align patient protections and create consistent requirements across the Medicaid and CHIP programs, state Medicaid FFS programs, Medicaid managed care plans, and CHIP managed care entities would be required to make prior authorization decisions for all drugs within a timeframe that aligns with existing decision timeframe requirements for covered outpatient drugs (no later than 24 hours after receiving a prior authorization request) or items and services (7 days for standard requests, 72 hours for expedited requests).
• State CHIP FFS programs would be required to provide notice of a prior authorization decision no later than 24 hours after receiving a prior authorization request for any prescription drugs for which Federal Financial Participation (FFP) is available.
• QHP issuers on the FFEs would be required to provide notice of a prior authorization decision to the requesting provider as expeditiously as the enrollee's health condition requires, but no later than 72 hours after standard prior authorization requests and no later than 24 hours for expedited prior authorization requests for all drugs.

CMS proposes compliance dates beginning October 1, 2027 for these decision timeframe proposals. Shortening and aligning decision timeframes for prior authorization across CMS programs could improve timely access to medications, which is essential for maintaining health and preventing complications in these populations.

Prior Authorization for Non-Drug Items and Services

Under this proposed rule, CMS is proposing that beginning October 1, 2027, QHP issuers on the FFEs be required to provide notice of prior authorization decisions to the requesting provider for non-drug items and services as expeditiously as the enrollee's health condition requires, but no later than seven calendar days after receiving a standard prior authorization request and no later than 72 hours after receiving an expedited prior authorization request. This proposal would align prior authorization decision timeframe requirements for QHP issuers on the FFEs with those that finalized for other impacted payers under the 2024 final rule and should mitigate administrative burden with consistent requirements across impacted payers.

Expanding Communication of Prior Authorization Denials for Drugs

CMS proposes that beginning October 1, 2027, state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs be required to provide providers with a specific reason for denying prior authorization requests for any drugs. These proposals would improve communication between payers and providers when a prior authorization request is denied, align prior authorization requirements across payers, and support providers by giving them the information they need to resubmit or appeal prior authorization denials.

Prior Authorization Metrics

New and Updated Prior Authorization Metrics for Non-Drug Items and Services

The 2024 final rule requires that impacted payers annually report prior authorization metrics for non-drug items and services on their public websites. CMS is proposing to add requirements for impacted payers to report the numeric counts in addition to percentages for certain existing metrics, as well as for impacted payers to publicly report additional prior authorization metrics on non-drug items and services. These proposed requirements would begin on the effective date of the final rule.

The proposed reporting deadlines vary by payer type:

• MA organizations, state Medicaid and CHIP FFS programs, and QHP issuers on the FFEs would be required to report by March 31 of the following year.
• Medicaid managed care plans and CHIP managed care entities would be required to report no later than 90 days after the end of each rating period.

See the proposed rule for more information on new metrics proposed as well as proposed updates to current metrics.

CMS is also proposing that Medicaid managed care plans and CHIP managed care entities report prior authorization metrics for non-drug items and services finalized in the 2024 final rule, as well as prior authorization metrics for non-drug items and services introduced in this proposed rule at both the program and plan levels.

Other impacted payers' reporting levels would not change:

• MA organizations would still report at the MA contract level,

• State Medicaid and CHIP FFS programs would still report at the state level, and

• QHP issuers on the FFEs would still report at the issuer level.

New Prior Authorization Metrics for Drugs

In addition, CMS proposes to require impacted payers to annually report prior authorization metrics for drugs on their public websites. The proposed compliance dates for reporting these new metrics are in 2028 for data from the 2027 reporting period, with specific deadlines and reporting level varying by payer type, as described in the "New and Updated Prior Authorization Decision Metrics for Non-Drug Items and Services" section above. See section II.C.7. of the proposed rule for more information on the specific metrics proposed for impacted payers.

Publicly reporting these data would provide transparency and accountability in payer prior authorization processes across drugs and non-drug items and services. The additional metrics for non-drug items and services would provide context that would make existing metrics both more complete, as well as useful to the public. Making these data available should build trust with patients and providers and showcase commitment to improving services.

API Usage Metrics (Provider Access, Payer-to-Payer, and Prior Authorization APIs)

Under the 2024 final rule, CMS requires that impacted payers annually report certain Patient Access API usage metrics to CMS. CMS is now proposing that impacted payers also annually report certain Provider Access, Payer-to-Payer, and Prior Authorization APIs usage metrics to CMS. Please refer to the Proposed Metrics Updates document for a full list of the new metrics.

CMS proposes to require impacted payers to submit these metrics beginning in 2028 with data from the 2027 reporting period. Reporting these metrics would offer valuable insight into how the APIs are being used, who is using them, and whether data are flowing as intended. This information will enable CMS to identify potential issues and target areas for improvement.

New Proposed Reporting Levels and Deadlines for API Usage Metrics

Proposed reporting requirements for Provider Access, Payer-to-Payer, and Prior Authorization API usage metrics vary by payer type in both reporting level and deadline:

• MA organizations: Contract level, by March 31 each year

• Medicaid and CHIP FFS: State level, by March 31 each year

• Medicaid managed care plans and CHIP managed care entities: Plan and program levels, no later than 90 days after the end of each rating period. (Note: Medicaid managed care plans and CHIP managed care entities would be required to report API usage metrics to states.)

• QHP issuers on the FFEs: Issuer level, by the FFE QHP certification deadline in the subsequent year.

Updates to Patient Access, Provider Access, and Payer-to-Payer APIs

CMS is proposing a new requirement for impacted payers to make detailed information about prior authorization requests and decisions for all drugs available through the Patient Access, Provider Access, and Payer-to-Payer APIs.

For the Patient Access and Provider Access APIs, this would include, as applicable:

• The status of the prior authorization,
• The date the prior authorization was approved or denied,
• The date or circumstance under which the authorization ends,
• The drug or drugs approved (including dosage),
• A specific reason the request was denied (if applicable), and
• Related structured administrative and clinical documentation submitted by a provider.

For the Payer-to-Payer API, the required information would include:

• The status of the prior authorization,
• The date the prior authorization was approved,
• The date or circumstance under which the authorization ends,
• The drug or drugs approved (including dosage), and
• Related structured and unstructured administrative and clinical documentation submitted by a provider, excluding denied prior authorization requests.

Impacted payers would be required to comply with this proposal beginning October 1, 2027. This proposal aims to ensure that patients, providers, and payers have consistent and comprehensive access to prior authorization information, improving transparency and care coordination.

Open Payments Program Proposal

Section 1128G of the Social Security Act and implementing regulations require "applicable manufacturers" and "applicable group purchasing organizations" (GPOs) to annually submit certain payments or transfers of value made during the previous calendar year to specified "covered recipients," originally defined as physicians and teaching hospitals. CMS is proposing to add a definition for "Failure to Report" in 42 CFR 403.902, which would be foundational to enabling us to impose a civil monetary penalty (CMP) on applicable manufacturers or GPOs if either of those entities fail to grant timely access (within 30 calendar days of the audit request) to documents for the purposes of an Open Payments program audit authorized by 42 CFR 402.912(e)(2). CMS proposes this new requirement to begin on the effective date of the final rule.

Requests for Information (RFIs)

This proposed rule includes five standalone RFIs that are distinct from the policy proposals. CMS will collect public responses to these RFIs to analyze and determine steps the agency can take to improve related issues in the health care industry.The RFIs are as follows:

Electronic Event Notifications for Value-Based Care and Care Coordination

Electronic event notifications (often referred to as admission, discharge, and transfer, or "ADT" notification) are valuable tools for coordinating care in the modern health care environment, and CMS seeks comments on ways to improve this process with expanded use and content of ADT notifications. CMS solicits comments on the types of providers or other entities that should receive ADT notifications, along with technical approaches that are currently in use or that could be used for patient event notifications. CMS also seeks comments on health IT certification criteria for notification capabilities and strengthening enforcement of ADT notification requirements.

Increasing Health Care Resiliency

Hacking, ransomware, and other cybersecurity attacks on health care systems and electronic protected health information (ePHI) present an ever-increasing threat. These attacks have already caused, and could continue to cause, significant disruption to the health care industry, potentially resulting in significant harm to patients, providers, payers, and the health care ecosystem at large. CMS seeks feedback on opportunities to strengthen, protect, and increase the resiliency of our health care system in cybersecurity spaces to prevent and better handle future threats. Additionally, CMS would like to hear about existing standards and technologies, as well as the current role of point-to-point connections within the health care system.

Improving Implementation of Payer Application Programming Interface Technology

Monitoring compliance and technical conformance with standards is critical to effective interoperability within the health care ecosystem based on the API requirements that CMS has established for impacted payers. CMS is seeking comments on steps that we could take to improve oversight of payer APIs, for instance, through strengthening testing and transparency requirements. CMS is also exploring opportunities to leverage existing programs, such as the ONC Health Information Technology (IT) Certification Program, to help ensure that API technology used by payers meets the technical requirements CMS establishes.

Step Therapy

CMS also seeks comments on ways to streamline the step therapy process through technology and data sharing (such as the Payer-to-Payer API) to allow payers access to historical patient information. CMS seeks comment on how technology may facilitate step therapy determinations and improve current step therapy processes. This includes the role of technology in evaluating and applying step therapy use criteria and how payers evaluate and honor step therapy use criteria from other payers.

Laboratory Tests and Durable Medical Equipment, Prosthetics, Orthotics, and Supplies Items

Prior authorization requirements from health insurers for laboratory tests and Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) items have emerged, in some instances, as a barrier to care and coverage that impacts both patients and providers. The primary issues associated with prior authorization for laboratory tests and DMEPOS items are coordination between providers and laboratories or DMEPOS suppliers and the length of time approval takes for tests and equipment. CMS solicits public comments on how prior authorization for laboratory tests and DMEPOS items impact patient care and provider burden and what can be done to mitigate that burden.

The proposed rule is available for public comment at: www.federalregister.gov

To view the Press Release, please visit: https://www.cms.gov/newsroom/press-releases/cms-proposes-major-reforms-speed-up-patient-access-drugs-increase-transparency-reduce-administrative .

###