Robert Hall

What the New Prior Authorization Final Rule Means for Physical Therapists in Private Practice

Recent changes in federal law regarding Medicare Advantage and other plan prior authorization rules hold the promise to ease paperwork burdens within the physical therapy community. These changes, designed to regulate and streamline the prior authorization process, aim to strike a balance between controlling costs and ensuring patients receive medically necessary care. In this blog entry, specific aspects of the rule and the implications of its changes on physical therapy private practices will be explored. 

On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) released a final rule that will

require many payers to automate their prior authorization processes.

Besides outlining new requirements, exceptions to the requirements, and implementation deadlines, it also adds a new electronic prior authorization measure that clinicians must report as part of the Merit-based Incentive Payment System (MIPS) Promoting Interoperability Category.

The final rule is available here.

A CMS fact sheet on the final rule is available here.

An APTA News article on the final rule is available here.

Key Points

  • Impacted Payers: Payers subject to the rule include Medicare Advantage (MA) and Medicare Advantage/ Medicare Part D (MA-PD) plans, state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans and CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs).

  • Prior Authorization: The rule outlines new timeframes for prior authorization decisions even though some stakeholders had called for quicker turnaround times, especially for urgent requests. CMS also now requires that impacted payers must provide a specific reason for denied prior authorization decisions and must also publicly report specified prior authorization metrics on their website. These requirements are effective beginning January 1, 2026.

  • APIs: CMS finalized proposals to require impacted payers to implement and maintain “Application Programming Interfaces” (APIs) to improve patient access to data, to facilitate care coordination among providers, and to support care continuity. These requirements must be met by January 1, 2027. Exceptions to this deadline are available to some plans.

  • New Provider Requirements: CMS created new electronic prior authorization measures for MIPS effective for the 2027 performance periods.

  • Timeline: The rule’s API requirements will take effect on January 1, 2027 (a one-year implementation delay from what was proposed). Prior authorization process changes and timeframe requirements begin in 2026. Impacted payers must report required prior authorization metrics by March 31, 2026.

  • Provider Savings: CMS estimates that this rule will result in at least $16 billion in savings, primarily for providers, over 10 years.

  • Not Addressed: The requirements in the rule do not apply to employer-sponsored insurance plans or Medicare FFS. CMS also did not address payers’ use of algorithms or artificial intelligence (AI) to make prior authorization decisions.

Timeframes for the Prior Authorization Process

Except for QHP issuers on the FFEs, payers must respond to prior authorization requests within certain timeframes. Impacted payers would have 72 hours to respond to expedited requests, unless a shorter minimum timeframe is established under applicable state law, and seven calendar days for standard requests, with the possibility of an extension of up to 14 days in certain circumstances.

With respect to QHP issuers on the FFEs, CMS explained that it did not change timeframes for prior authorization processes because existing regulations applicable to individual health insurance issuers require issuers to meet minimum internal claims and appeals standards. CMS explained that QHP issuers on the FFEs are currently required to provide notification of a plan’s benefit determination within 15 days for standard authorization decisions and within 72 hours for expedited requests, which CMS stated is consistent with the requirements for other payers affected by this final rule.

Requirements for the Prior Authorization Process

The rule finalizes general requirements for the prior authorization process. Beginning in 2026, certain payers must provide a specific reason for denied prior authorization decisions. When denial information is sent to a provider by any communication method, including existing notices, the content of a denial should be sufficiently specific to enable a provider to understand why a prior authorization has been denied and what actions must be taken to resubmit or appeal.

Reporting Requirements

CMS also finalized a requirement for impacted payers to report certain aggregated metrics about prior authorization by posting them on the payer’s website. Impacted payers must make annual reports on all of the following:

  • A list of all items and services that require prior authorization.

  • The percentage of standard prior authorization requests that were approved, aggregated for all items and services.

  • The percentage of standard prior authorization requests that were denied, aggregated for all items and services.

  • The percentage of standard prior authorization requests that were approved after appeal, aggregated for all items and services.

  • The percentage of prior authorization requests for which the review timeframe was extended and the request was approved, aggregated for all items and services.

  • The percentage of expedited prior authorization requests that were approved, aggregated for all items and services.

  • The percentage of expedited prior authorization requests that were denied, aggregated for all items and services.

  • The average and median time that elapsed between the submission of a request and a determination by the payer, plan or issuer, for standard prior authorizations, aggregated for all items and services.

  • The average and median time that elapsed between the submission of a request and a decision by the payer, plan or issuer, for expedited prior authorizations, aggregated for all items and services.

After considering commenters’ feedback suggesting more granularity in MA prior authorization data reporting, CMS finalized that MA organizations must report data at the contract level rather than the organization level as proposed. CMS finalized, as proposed, that state Medicaid and CHIP FFS programs will report at the state level, Medicaid managed care plans and CHIP managed care entities will report at the plan level, and QHP issuers on the FFEs will report at the issuer level.

CMS signaled its willingness to explore further reporting requirements in future rulemaking, such as service-specific and demographic data, publication of the data on a central website for comparative purposes, and requirements on the format of the reporting to make the data easy to understand and accessible.  

By March 31, 2026, MA organizations at the contract level, state Medicaid and CHIP FFS programs at the state level, Medicaid managed care plans and CHIP managed care entities at the plan level, and QHP issuers on the FFEs at the issuer level must post the required metrics on their websites annually.

APIs

Key Components: CMS finalized proposals to require impacted payers to implement and maintain APIs to improve patient access to data, to facilitate care coordination among providers and to support care continuity. The requirements for the Patient Access, Provider Access, Payer-to-Payer and Prior Authorization APIs must be implemented by January 1, 2027, a year later than CMS originally proposed.

Prior Authorization API

The final rule requires impacted payers to implement and maintain a Prior Authorization API.

Under the rule, the Prior Authorization API must:

  • Be populated with the payer’s list of covered items and services (excluding drugs) that require prior authorization;

  • Be able to identify all documentation required for approval of any items or services that require prior authorization;

  • Support a HIPAA-compliant prior authorization request and response; and 

  • Communicate whether the payer approves the prior authorization request (and the date or circumstance under which the authorization ends), denies the prior authorization request (with a specific reason) or requests more information.