What just happened
The CMS prior authorization rules 2026 proposal, formally CMS-0062-P, just rewrote the response-time math for drug approvals across Medicare Advantage, Part D, and Medicaid managed care. Here's the short version before we get into it.
- CMS dropped a proposed rule targeting prior authorization for drugs covered under Medicare Advantage, Part D, and Medicaid managed care. The headline change is hard response-time mandates that compress how long payers can sit on an approval request before it becomes a liability.
- The proposal requires payers to respond to standard prior auth requests within 72 hours and urgent requests within 24 hours, down from the existing 14-day and 72-hour windows respectively. That directly rewrites your intake and escalation workflows.
- Electronic prior authorization (ePA) is being pushed as the enforcement mechanism. Payers must build and expose compliant APIs, but providers who aren't submitting electronically will be the operational bottleneck even if payers comply on paper.
- Transparency requirements are also included: payers must publish prior auth approval and denial rates by drug and service category. Your denial patterns will be benchmarkable against peers for the first time.
- The proposed rule is CMS-0062-P, formally titled the 2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule. It was released April 10, 2026 and published in the Federal Register on April 14, 2026 under RIN 0938-AV31. The public comment period runs through June 15, 2026. Key dates inside the rule itself: the proposed compliance date for the three NCPDP standards (SCRIPT, Formulary & Benefit, and Real-Time Prescription Benefit) is October 1, 2027. The 24-hour urgent / 72-hour standard decision windows would apply once the rule is finalized and effective, expected sometime in 2027 after CMS reviews comments. This rule sits on top of two earlier ones: CMS-9115-F (the 2020 Patient Access final rule) and CMS-0057-F (the 2024 Interoperability and Prior Authorization final rule, which covered non-drug services). CMS-0062-P extends that framework specifically to drugs covered under pharmacy benefit. Important framing note: this is a proposed rule, not final, and the comment window is still open. Planning posture is "design for it now, expect refinement before enforcement."
Why it matters operationally
The compressed timelines don't just affect payers. They create an upstream crunch on your clinical and coding teams, because an incomplete or miscoded auth request that bounces back eats half your available window before you've even started the clock again.
If your practice or facility is still running prior auths through fax or portal-by-portal manual entry, the new timeline math simply doesn't work. A 72-hour payer window with a 48-hour internal preparation process leaves zero margin for rework.
Health systems with high volumes of specialty drugs (oncology, immunology, behavioral health injectable medications) will feel this first. These are the drug categories most likely to require prior auth and most likely to have complex clinical criteria that trigger back-and-forth.
Billing service providers managing auth workflows on behalf of multiple provider clients face a multiplier problem. One payer API integration failure or one misconfigured drug code now cascades across every client on that payer contract.
Here's a concrete pattern from a multi-specialty group we worked with in late 2025 (Texas, mixed primary care plus behavioral health, roughly 40 providers). They were running about 600 prior auths per month for medications, with an auth-related denial rate of 14%. We dug into the denials and the surprise was that only about 30% of them were actually clinical-criteria denials. The other 70% split into two buckets: auth submitted late and timed out (around 25% of denials), or auth submitted with incomplete or miscoded clinical justification that bounced back for additional information and never got resubmitted in time (around 45% of denials). In other words, the majority of their auth-related revenue loss was internal workflow, not payer behavior. We tracked their internal prep cycle and the average from "order entered" to "complete auth submitted" was 38 hours, with most of the time consumed in clinical documentation pulls and back-and-forth between the prescriber's MA and the auth coordinator. Annualized denial impact at their reimbursement mix was around $1.1M in delayed or written-off revenue, the bulk of it preventable with workflow redesign rather than more clinical staff.
The transparency mandate is underappreciated. Once payer denial rates are public by drug category, providers and BSPs who are getting denied at above-average rates for the same drugs will have nowhere to hide. And neither will payers who are rubber-stamping or systematically stonewalling.
What's the real deadline reality?
The enforcement target is 2027, but the workflow projects required to comply are 6-to-12-month builds. The window to start is now, not after finalization.
CMS proposed rules follow a comment period before finalization. Providers and BSPs who wait for the final rule to begin ePA vendor evaluation, staff retraining, or EHR configuration work will be in implementation mode at the same time enforcement begins. That's the worst possible position.
The risk isn't just regulatory penalty. Under compressed payer timelines, any provider whose internal process can't keep pace will see auth approval delays translate directly into delayed care starts and cash flow disruption as claims pile up in a pending-auth queue.
Medicare Advantage penetration is now above 50% of Medicare enrollees nationally. This rule touches the majority of your Medicare volume, not a niche segment.
Texas is one of the more interesting examples right now. The state passed HB 3459 back in 2021 (the "gold card" law) which exempts physicians with a 90% prior auth approval rate over the prior six months from PA requirements for that specific service. The operational rollout has been slow and inconsistent across payers. More recent activity that's actually moving timelines: California's SB 598 (effective 2024) and the New Jersey prior auth reform (S1255, effective 2024) both impose tighter response windows than the current federal baseline. California requires 72 hours for standard non-urgent and 24 hours for urgent. New Jersey requires payers to honor PA approvals for the duration of the treatment course rather than re-authorizing at arbitrary intervals.
On the payer side, several large MA plans have already started rolling out FHIR-based PA APIs in pilot states ahead of the CMS-0057-F enforcement date of January 1, 2027. UnitedHealthcare and Humana both have provider-facing API documentation published, though clinical workflow integration is uneven. The pattern we're seeing: providers in California, New Jersey, and (soon) Texas-gold-card-eligible specialties are already operating against compressed timelines that preview what the federal rule will mandate nationally. Watching how those markets handle the transition is the closest thing to a real-world preview.
What to do now
Step 1: Audit your current auth submission method by payer and drug category. Pull a 90-day snapshot of prior auth requests segmented by payer, drug/service type, and submission channel (fax vs. portal vs. ePA). You need to know exactly where your manual exposure is concentrated before you can prioritize remediation. Flag every payer where you're submitting via fax or manual portal entry for high-volume drug categories. Those are your highest-risk lanes under the new timeline math.
Step 2: Map your internal prep time honestly. Time-study your actual auth prep workflow from the moment a prescription or order triggers an auth requirement to the moment a complete, coded submission goes out. Most teams that do this for the first time are surprised. Internal prep routinely runs 24-48 hours before the payer clock even starts. Identify which steps involve clinical documentation pulls, which involve coding or criteria matching, and which are pure administrative handoffs. The handoffs are usually where time dies.
We ran a workflow time-study on a behavioral health and SUD organization (mid-size, around 250 monthly medication prior auths primarily for buprenorphine, naltrexone injectable, and a handful of mental health specialty drugs) in early 2026. Average end-to-end prep time was 32 hours per auth, broken down roughly like this: clinical documentation pull and review consumed 8-10 hours (largely waiting for the prescriber to dictate or sign off on the rationale), criteria matching against the specific payer's medical policy ran 4-6 hours (most of it spent looking up the policy version and confirming which dimensions or criteria applied), coding the request with appropriate ICD-10 plus drug-specific modifiers ran 2-3 hours, and administrative submission (portal entry, fax confirmation, follow-up logging) ran 6-8 hours. The handoff between the prescriber's clinical team and the auth coordinator alone consumed an average of 11 hours of calendar time, not active work, just waiting.
Under the new 72-hour standard window, that 32-hour internal prep leaves a 40-hour buffer for the payer to respond, which sounds workable. But it also means any rework loop (incomplete request, requested clarification, re-submission) collapses the buffer to zero. The teams that survive this transition are the ones that drive prep time below 12 hours and eliminate the prescriber-to-coordinator handoff lag entirely.
Step 3: Prioritize ePA implementation for your top 5 payers by auth volume. Don't try to boil the ocean. Identify the five payers representing the largest share of your prior auth volume and confirm whether they have a compliant ePA API available today or a published roadmap. CMS's rule will pressure them to expose APIs, but early movers on the provider side can negotiate integration timelines now. Evaluate whether your EHR has a native ePA module or requires a middleware layer (vendors like Surescripts, CoverMyMeds, and others operate here). The integration complexity varies significantly by EHR.
Step 4: Build a denial-reason tracking layer specifically for auth-adjacent denials. Under the new transparency rules, you'll want to know your denial rate by drug category before payers publish it publicly. Set up a denial classification that distinguishes auth-expired denials, auth-never-initiated denials, and auth-denied-on-clinical-criteria denials. These require completely different remediation paths. If your practice management or RCM platform doesn't support this granularity natively, build it in a spreadsheet now and migrate it when you have the right tooling. Imperfect data beats no data.
Step 5: Assign a named owner for ePA compliance across your organization. This is the step most organizations skip and then regret. Auth reform touches clinical (criteria documentation), coding (drug and procedure codes), IT (EHR integration), and billing (denial follow-up). In most orgs it belongs to everyone and therefore no one. Designate a single person or team with explicit accountability for tracking the rule's finalization, owning the payer-by-payer ePA readiness matrix, and escalating blockers. Give them a reporting line with actual authority.
What's likely to come next?
The trajectory is mandatory electronic, API-driven prior auth across all payer types, with state-level reform setting an even tighter floor in many markets.
This proposed rule is one piece of a larger CMS administrative simplification push that includes the Interoperability and Prior Authorization Final Rule (effective 2026 for most payers) and ongoing FHIR API mandate expansion.
State-level prior auth reform is running in parallel. As of 2024, more than 30 states have enacted or proposed prior auth reform legislation per AMA tracking, and several are setting timelines stricter than the federal proposal. Your compliance planning needs a state-law layer on top of the federal one.
Payers will respond to compressed timelines by investing heavily in AI-driven auto-adjudication. The prior auths that don't get auto-approved will increasingly be the hard ones with incomplete documentation. Your clinical team's documentation quality becomes a direct revenue variable.
We're already doing the analytics layer. Inside Adentris, the billing module's denial management workflow includes auth-specific denial classification. We segment auth-related denials into expired, never-initiated, and clinical-criteria categories at the time of denial ingestion, and route each to a different remediation path. That's live with our existing clients. The data layer is also already feeding the broader denial pattern analysis we run for our RCM clients, so a billing service provider managing auth across multiple facilities can see denial clustering by drug category, by payer, and by referring provider in a single view.
What we're evaluating now is the front-end of the workflow: pre-submission criteria matching that pulls payer medical policy and runs it against the chart at the moment the auth is initiated, before submission. That's harder, because payer policy quality and structure varies wildly. We're not committing to a date. The honest take is that the analytics piece is solved and shipping. The pre-submission AI piece is in the category I described in the previous post about CMS-0057-F: production-ready for narrow, well-documented payer policies, overhyped for the messy long tail. We'll build it where the data supports it and avoid promising what the technology can't honestly deliver yet.
The providers who treat this as a compliance checkbox will barely keep up. The ones who treat it as a workflow redesign opportunity, and get their internal prep time under 12 hours per auth, will outperform peers on both cash flow and care start timelines when enforcement lands.
How Adentris helps
Adentris was built for exactly this kind of operational squeeze. Our denial management workflow already classifies auth-related denials into expired, never-initiated, and clinical-criteria buckets, then routes each to its own remediation path so you can see denial clustering by drug, payer, and referring provider in one view. If you're sizing the gap between your current auth prep cycle and what CMS-0062-P will demand, we can pull the diagnostic in a working session. Book a 30-minute demo and bring a recent denial export.
FAQ
When do the new CMS prior authorization rules take effect?
CMS-0062-P is a proposed rule released April 10, 2026 with a public comment period ending June 15, 2026. The proposed compliance date for the NCPDP standards inside it is October 1, 2027. The 24-hour urgent / 72-hour standard decision windows would apply once the rule is finalized, expected sometime in 2027. CMS-0057-F (the related non-drug rule) has an enforcement date of January 1, 2027.
Does this rule apply to commercial plans?
Directly, no. CMS-0062-P targets Medicare Advantage, Part D, and Medicaid managed care. But commercial payers historically follow CMS lead within 18-24 months, and several states (California, New Jersey, Texas via the gold card law) already impose tighter response timelines on commercial plans. Plan as if commercial alignment is coming.
What's the difference between CMS-0057-F and CMS-0062-P?
CMS-0057-F is the 2024 final rule covering prior authorization for non-drug services (procedures, devices, imaging) and mandates FHIR-based PA APIs. CMS-0062-P extends a similar framework specifically to drugs covered under pharmacy benefit, plus adds NCPDP standard requirements (SCRIPT, Formulary & Benefit, Real-Time Prescription Benefit).
What's the single biggest workflow change providers should make right now?
Drive your internal auth prep time below 12 hours per request and eliminate the prescriber-to-coordinator handoff lag. Most organizations we audit lose more time to internal handoffs than to payer review. Under a 72-hour payer window, you cannot afford a 32-hour internal prep cycle plus any rework loop.
How do I know if my EHR is ePA-ready?
Ask your vendor for two specific things: their FHIR PA API roadmap aligned to the CMS-0057-F January 2027 date, and their NCPDP SCRIPT and Real-Time Prescription Benefit support aligned to the proposed October 2027 date. If they can't give you both with version numbers and target releases, plan on a middleware layer (Surescripts or CoverMyMeds are the two most common) to bridge the gap.
Got a specific auth workflow problem, fax dependency, denial clustering on a particular drug category, or an ePA integration that's stalled? Tell us what you're running into.
