HHS Proposes New Prior Authorization Rule
On December 10, the U.S. Department of Health & Human Services (HHS) released a Proposed Rule with the goal of “making the prior authorization process less burdensome for payers and providers, and in turn, avoiding care delays for patients.” In addition, HHS proposes to build on the Interoperability Rule released in May 2020 by significantly expanding the circumstances under which healthcare payers must make data available in a standardized fashion via Application Programming Interfaces (APIs).
The Proposed Rule would apply to the following “impacted payers”:
- Medicaid and CHIP programs, including both fee-for-service programs and managed care plans.
- Qualified health plans offered on the Federally Facilitated Exchanges (FFE QHPs). Unlike the Interoperability Rule, the Proposed Rule would not affect Medicare Advantage plans or commercial plans offered on State-Based Exchanges.
If finalized, the Proposed Rule would take effect in 2023, and could require impacted payers to make significant updates to their existing technology and prior authorization procedures.
HHS has solicited public comments on all aspects of the Proposed Rule, and also on a variety of other issues related to prior authorization procedures. Comments are due by January 4, 2021. This timeline is significantly shorter than is typical for proposed rules, and suggests that the Trump Administration may be hoping to finalize the rule before President Trump leaves office.
What Are the Proposed Rules Regarding Prior Authorization?
If finalized as proposed, the following requirements would apply starting in 2023 with respect to prior authorization procedures for all services except prescription drugs. HHS has proposed to allow exemptions or extensions, however, for impacted payers that meet certain requirements.
- Electronic requests and responses. Medicaid, CHIP and FFE QHPs would be required to implement APIs that: (1) allow providers to identify in advance each payer’s prior authorization requirements, including the list of services that require prior authorization and the documentation needed to request it; and (2) offer a HIPAA-compliant mechanism for providers to electronically send prior authorization requests and receive responses through the provider’s electronic health record (EHR) platform.
- Tighter time frames. Medicaid and CHIP (but not FFE QHPs) would be subject to stricter time frames for responding to prior authorization requests. Specifically, Medicaid and CHIP payers would be required to provide notice of prior authorization decisions:
  - For expedited decisions, no later than 72 hours after receiving a request (consistent with existing standards for Medicaid managed care and CHIP);
  - For standard decisions, no later than seven days after receiving a request (down from the current limit of 14 days in Medicaid managed care and CHIP).
- Reasons for denials. When denying prior authorization, Medicaid, CHIP and FFE QHPs would be required to provide a specific reason for the denial (e.g., a determination that necessary documents were missing, the service was not medically necessary or the patient has exceeded applicable service limits).
- Increased transparency.
  - Information on pending and approved prior authorization requests would need to be made available to patients and providers through the Patient and Provider Access APIs (described below).
  - Impacted payers would be required to publish certain prior authorization data, including the list of services that are subject to prior authorization, the payer’s average and median response times for prior authorization requests, and the percentage of requests that were denied or approved, as well as information on appeals and extensions of time.
How Does the Proposed Rule Interact With the May 2020 Interoperability Rule?
- Enhanced Requirements for the Patient Access API. The Interoperability Rule requires payers to make various types of clinical, claims and encounter data available to patients through a “Patient Access API.” The Proposed Rule would add new requirements for these Patient Access APIs, which are generally consistent with HHS’s existing guidance regarding API development and procedures for vetting the security of third-party apps that patients might use to access their data. In addition, the rule would require impacted payers to report quarterly on certain metrics regarding API data requests.
- Two New APIs for Data Exchange. Over and above the Patient Access API, HHS proposes to require that Medicaid, CHIP and FFE QHPs implement a Payer-to-Payer API to facilitate data transfers when a patient switches payers, and a Provider Access API that allows providers to access data on their patients in real time.