For the first time, health insurers must publicly disclose how often they deny prior authorization requests. They must also share how quickly they process those requests and how often patients win on appeal. The first reports, covering calendar year 2025, are due March 31. CMS finalized this requirement in January 2024, marking a major shift toward payer accountability.
What the New CMS Rule Requires
CMS finalized the Interoperability and Prior Authorization Rule in January 2024. It builds on a 2020 interoperability rule that established the foundational data exchange framework. Together, these regulations push health insurers toward greater transparency in prior authorization decisions. Previously, payers faced no obligation to disclose denial data publicly. Now, that changes.
Why This Rule Matters
This mandate directly responds to years of provider frustration. It forces insurers to make their prior auth practices visible to the public. The goal is clear: reduce delays, improve accountability, and ultimately protect patients from unnecessary care denials.
Which Health Plans Must Comply
The rule covers a broad range of payers. Specifically, it applies to:
- Medicare Advantage (MA) plans
- State Medicaid and CHIP fee-for-service programs
- Medicaid managed care plans
- CHIP managed care entities
- Carriers on the federal ACA exchange
Together, these plans cover tens of millions of Americans. However, standalone ACA marketplace plans face fewer of the timeline requirements under this rule.
Key Metrics Payers Must Report
Payers must publish aggregated prior authorization metrics on their public websites each year. The required data covers approval rates, denial rates, decision turnaround times, and appeals outcomes. Notably, drugs are excluded from reporting. Only medical items and services fall under this mandate.
How Reporting Works by Plan Type
Reporting requirements vary by plan type. MA plans report data at the contract level. State Medicaid and CHIP programs report at the state level. Meanwhile, managed care plans and exchange carriers report at the plan or carrier level. This structure ensures that data reflects the right level of granularity for each type of insurer.
Faster Decision Timelines Starting 2026
Starting in 2026, payers must make prior authorization decisions faster. For standard requests, the new deadline is seven calendar days. For urgent requests, payers must respond within 72 hours. This replaces the previous standard, which allowed up to 14 days.
These timeline requirements apply to MA, Medicaid, and CHIP plans. However, they do not extend to ACA plans. Additionally, when payers deny a request, they must now provide a specific reason. Furthermore, they must communicate that decision through one of five channels: portal, fax, email, mail, or phone.
What Faster Timelines Mean for Providers
Shorter decision windows benefit providers directly. Physicians spend less time waiting and more time treating patients. Moreover, patients avoid delays in care that can worsen outcomes. The seven-day standard is therefore not just a compliance target — it is a patient safety measure.
The Scale of the Prior Authorization Problem
This public reporting mandate arrives after years of mounting frustration. In 2024, the average medical practice completed 39 prior authorizations per physician per week, according to an AMA survey. Physicians and staff spent about 13 hours weekly managing prior auth paperwork. That is time taken directly away from patient care.
Denial and Appeal Data Tell a Revealing Story
The numbers in Medicare Advantage are striking. Insurers fully or partially denied 4.1 million prior authorization requests in 2024 — roughly 7.7% of all requests — according to KFF data. Furthermore, more than eight in ten appeals were ultimately overturned. This reversal rate raises serious questions about the accuracy of initial denials. In response, approximately 50 insurers voluntarily pledged in June 2025 to streamline the prior auth process.
What the 2027 API Mandate Means
The rule’s API requirements take effect in 2027. At that stage, payers must expand their patient access APIs to include prior authorization data. They must also launch a provider access API, allowing in-network providers to retrieve patient claims and clinical data. Additionally, payers must build a payer-to-payer API to transfer records when patients switch plans. Finally, they must implement a prior auth API capable of receiving and responding to requests electronically.
The Industry’s Voluntary Pledge Goes Further
Separately, the 2025 industry pledge sets its own target. It calls for at least 80% of electronic prior auth approvals to be processed in real time by 2026. Together, the regulatory mandate and voluntary commitments push the industry toward a faster, more connected, and more transparent prior authorization system.
