The Centers for Medicare & Medicaid Services (CMS) finalized the Interoperability and Prior Authorization Final Rule, CMS-0057-F, on January 17, 2024. The rule targets 2 persistent problems in U.S. healthcare: slow prior authorization processes and fragmented data exchange between payers, providers, and patients. The preparation window for the two major compliance milestones, January 1, 2026, and January 1, 2027 are already closing.
This blog breaks down exactly what CMS-0057-F requires, when it applies, and how health plans must be prepared
What Does CMS-0057-F Require and Who Does It Apply To?
CMS-0057-F requires impacted health plans to streamline prior authorization processes and implement 4 HL7 FHIR R4-compliant APIs to enable real-time, standards-based data exchange across payers, providers, and patients.
Which Health Plans Are Impacted by CMS-0057-F?
CMS-0057-F applies to 4 categories of payers:
- Medicare Advantage (MA) organizations
- Medicaid Managed Care plans
- Children’s Health Insurance Program (CHIP) plans
- Qualified Health Plans (QHPs) on Federally Facilitated Exchanges (FFEs)
Compliance is federally mandated for all 4 payer types. Non-participating or commercial-only plans are not directly covered, but payers that operate across multiple plan types must meet requirements for each applicable line of business.
What Are the 2 Core Pillars of CMS-0057-F?
CMS-0057-F is built on 2 reform pillars:
1. Prior Authorization Reform
CMS-0057-F reduces standard PA response times to 7 calendar days and urgent requests to 72 hours. Payers must provide specific written denial reasons for every rejected request and publicly report PA performance metrics, including approval rates, denial rates, and turnaround times by March 31, 2026.
2. Interoperability via FHIR APIs
CMS-0057-F mandates 4 HL7 FHIR R4-compliant APIs. Patient Access, Provider Access, Payer-to-Payer, and Prior Authorization. This is to replace fragmented, fax-based workflows with real-time, standards-based electronic data exchange between payers, providers, and members by January 1, 2027.
These 2 pillars are interdependent. The Prior Authorization API, for example, feeds decisions into the Patient Access and Provider Access APIs creating a connected, real-time data ecosystem that replaces fax-based workflows.
What Are the CMS-0057-F Compliance Deadlines for 2026 and 2027?
CMS-0057-F sets 2 compliance deadlines: January 1, 2026, for operational prior authorization reforms, and January 1, 2027, for full FHIR API implementation.
By January 1, 2026, all impacted payers must meet 3 operational mandates. Standard prior authorization requests must receive a response within 7 calendar days, down from the previous 14-day window. Expedited or urgent requests must be resolved within 72 hours. For every rejected PA request, payers must provide a specific, written denial reason regardless of how the request was originally submitted.
There is an additional reporting deadline to keep in mind. By March 31, 2026, health plans must publicly post prior authorization performance metrics covering calendar year 2025. This includes the total volume of PA requests received, approval and denial rates, average decision turnaround times, appeals outcomes, extended review counts, and annual Patient Access API usage metrics submitted directly to CMS.
What Must Health Plans Implement by January 1, 2027?
By January 1, 2027, all 4 FHIR APIs must be live and production-ready:
- Prior Authorization API supports electronic PA requests, decisions, and denial communications. Key data includes covered services list, documentation requirements, and approval/denial status.
- Patient Access API gives members access to health data via third-party apps. Key data includes claims, encounters, USCDI clinical data, and PA status (excluding drugs).
- Provider Access API lets in-network providers retrieve member data for treatment purposes. Key data includes claims, encounters, USCDI elements, and PA information. Provider-patient attribution is required.
- Payer-to-Payer API enables data exchange when a member switches health plans. Key data includes up to 5 years of claims, encounters, USCDI data, and PA history.
All 4 APIs must adhere to HL7 FHIR Release 4.0.1 (R4) standards and align with U.S. Core Data for Interoperability (USCDI) Version 3 data elements. CMS recommends specific HL7 Implementation Guides (IGs), including Da Vinci CRD, DTR, and PAS for prior authorization workflows, and CARIN Blue Button for patient claims access. Note that QHP issuers on FFEs are exempt from prior authorization turnaround time requirements but must still meet all 4 API mandates.
How Should Health Plans Prepare for CMS-0057-F Compliance?
Health plans must begin CMS-0057-F preparation immediately and build FHIR infrastructure, establish governance frameworks, and align internal teams across IT, compliance, clinical operations, and legal.
What Are the Key Steps to Achieve CMS-0057-F Compliance?
There are 6 preparation steps health plans must prioritize:
- Audit current PA workflows and identify manual bottlenecks, paper-based processes, and X12 278 transaction dependencies that require translation to FHIR
- Assess existing API infrastructure. Evaluate readiness against HL7 FHIR R4 standards and identify gaps in Patient Access API coverage
- Build or upgrade to FHIR-native solutions. Implement modular, FHIR-compliant platforms capable of supporting all 4 required APIs without full system replacement
- Establish consent, identity, and access governance. The Provider Access and Payer-to-Payer APIs require verifiable consent capture, patient opt-out management, provider-patient attribution lists, and auditable access logs
- Prepare public metrics reporting infrastructure. PA reporting data must be captured and structured well before the March 31, 2026, reporting deadline
- Train internal teams and utilize management staff, IT support, provider relations, and member services, all of which require role-specific training on new workflows and tools
What Are the Risks of Non-Compliance with CMS-0057-F?
Failure to meet CMS-0057-F deadlines carries 3 categories of risk:
- CMS enforcement measures, including penalties or funding restrictions for non-compliant plans
- Last-minute remediation efforts are significantly more costly than phased, proactive implementation
- Loss of provider network trust and member confidence in plans that cannot deliver timely authorizations or transparent data access
What Is the Biggest Compliance Mistake Health Plans Make?
The most common CMS-0057-F compliance mistake is treating the 2027 API deadline as the starting point rather than the finish line. Health plans that delay infrastructure assessment and API development until 2026 risk missing deadlines under load, facing data gaps in required reporting, and scrambling to establish governance frameworks that take months to build properly.
CMS does not require a full system replacement to comply. Modular, FHIR-native solutions can integrate with existing claims and utilization management systems while reducing cost and implementation risk without rebuilding core infrastructure.
Conclusion
CMS-0057-F is not a surface-level policy update. It demands operational rewiring, new APIs, faster timelines, transparent reporting, and cross-system data exchange at scale. Health plans that treat 2026 and 2027 as fixed endpoints, rather than milestones in an active build process, face the highest compliance risk.
The plans that begin now, auditing workflows, building FHIR-compliant infrastructure, and establishing governance, position themselves not just to meet federal mandates but to lead on interoperability, provider trust, and member experience in the years ahead.
To comply better with the updated policies, consult an experienced medical billing company to avoid additional hassles and focus entirely on your primary practice.
FAQs
Q: What is CMS-0057-F?
A: CMS-0057-F is the CMS Interoperability and Prior Authorization Final Rule, finalized January 17, 2024, which requires impacted health plans to implement 4 FHIR APIs and reform prior authorization workflows by 2026–2027.
Q: Who must comply with CMS-0057-F?
A: Medicare Advantage organizations, Medicaid Managed Care plans, CHIP plans, and Qualified Health Plans on Federally Facilitated Exchanges must comply with CMS-0057-F.
Q: What happens if a health plan does not comply with CMS-0057-F?
A: Non-compliant health plans risk CMS enforcement actions, funding restrictions, costly remediation, and reputational harm with providers and members.
