The CMS prior authorization rule 2026, formally the Interoperability and Prior Authorization Final Rule (CMS-0057-F), sets new decision timelines, denial-transparency requirements, and data-exchange APIs for federally regulated payers. Beginning in 2026, impacted payers other than Qualified Health Plan issuers on the federally facilitated exchanges must send prior authorization decisions within 72 hours for expedited requests and 7 calendar days for standard requests, and all impacted payers must give a specific reason when they deny a request. By January 1, 2027, these payers must also operate a Prior Authorization API so providers can check requirements and submit requests electronically. Impacted payers include Medicare Advantage organizations, Medicaid and CHIP programs, and the Qualified Health Plan issuers noted above. This guide covers what changes, who it covers, and the phased effective dates.
What is the CMS prior authorization rule 2026 (CMS-0057-F)?
CMS-0057-F is the CMS Interoperability and Prior Authorization Final Rule, finalized in January 2024. It has three main parts: faster decision timelines, more transparency on denials, and a set of application programming interfaces (APIs) that move prior authorization and patient data between payers, providers, and patients. According to the CMS press release announcing the rule, the goal is to shorten wait times, improve communication, and reduce the administrative work that prior authorization creates for practices. The rule does not eliminate prior authorization. It changes how quickly payers must respond and how much they must explain, and it standardizes the electronic path for submitting and checking requests.
Who does the interoperability and prior authorization final rule apply to?
The rule regulates payers, not providers directly, though its effects reach any practice that bills the covered plans. The CMS fact sheet for CMS-0057-F lists the impacted payers as Medicare Advantage organizations, state Medicaid and CHIP fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers on the federally facilitated exchanges. Commercial and employer-sponsored plans outside those categories are not bound by the rule, so a practice will see the new timelines apply to some payers and not others. That split is worth mapping before 2026, because your staff will need to know which denials now carry a stated reason and which requests can move through an API.
What are the new prior authorization decision timelines under CMS-0057-F?
The rule sets two response windows. Per the CMS fact sheet, impacted payers other than Qualified Health Plan issuers on the federally facilitated exchanges must send decisions within 72 hours for expedited (urgent) requests and within 7 calendar days for standard (non-urgent) requests. These windows are shorter than the timelines many affected plans used before, and they begin in 2026. Alongside the timelines, impacted payers must include a specific reason when they deny a request, regardless of whether the decision arrives by portal, fax, email, mail, or phone. That denial-reason requirement is designed to help practices correct and resubmit a request rather than guess at what the payer needs. Note that these two provisions do not apply to prior authorization for drugs.
See where an AI agent fits in your operation.
Book a demoWhat does the Prior Authorization API require, and when do the dates take effect?
The rule requires impacted payers to build a Prior Authorization API using the HL7 FHIR standard. In practice, the API lets a provider system identify whether a service needs prior authorization, see the documentation the payer requires, and submit the request electronically with the decision returned in a structured format. The compliance date for the Prior Authorization API and the other API provisions is January 1, 2027, according to the CMS fact sheet. Several transparency provisions land earlier: the denial-reason requirement and the shorter decision timelines begin in 2026, and impacted payers must publicly post aggregated prior authorization metrics, starting with calendar year 2025 data by March 31, 2026. The phased schedule means the operational changes for practices arrive in 2026, while the electronic submission pathway follows in 2027.
How does Flexbone help practices operate under the CMS prior authorization rule 2026?
Flexbone builds voice and workflow automation for the prior authorization work that stays manual even as payers add APIs. Our prior authorization automation submits requests, checks status, and records the outcome, and it captures the standardized denial reasons the rule now requires so your team can resubmit against a clear payer response rather than a vague one. Because payer readiness will vary through the 2026 and 2027 phase-in, the same workflow can place a status call to a plan that has not yet exposed an API and file structured data to one that has. We take an audit-first approach: every request and decision is logged so you can trace what was submitted, when, and why a payer responded as it did. The platform is HIPAA compliant and aligned with SOC 2 controls, and a person reviews clinical and medical-necessity decisions before anything goes to the payer. For a step-by-step view of the submission path itself, see our guide to electronic prior authorization.
When do the CMS-0057-F deadlines take effect for practices?
The practical timeline is staggered. In 2026, watch for shorter payer decisions (72 hours expedited, 7 calendar days standard) and specific denial reasons from impacted payers, plus the first public metrics for calendar year 2025 posted by March 31, 2026. In 2027, the Prior Authorization API becomes the standard electronic route for checking requirements and submitting requests, with a compliance date of January 1, 2027. A useful preparation step is to inventory which of your payers are impacted, confirm how each returns denial reasons today, and decide where automation should handle submission and status so staff time moves to the clinical review the rule still leaves to people. To see how Flexbone fits your prior authorization workflow, book a demo.