AHA Comments on CMS’ Interoperability and Prior Authorization Proposed Rule page 1.

AHA Comments on CMS’ Interoperability and Prior Authorization Proposed Rule

June 15, 2026

The Honorable Robert F. Kennedy Jr.
Secretary
Department of Health and Human Services
200 Independence Ave. SW
Washington, DC 20201

Mehmet Oz, M.D.
Administrator
Centers for Medicare & Medicaid Services
7500 Security Boulevard
Baltimore, MD 21244-1850

Thomas Keane, M.D., MBA
National Coordinator for Health Information Technology
Department of Health and Human Services
330 C St. SW, 7th Floor
Washington, DC 20024

Re: CMS0062P, Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability Standards and Prior Authorization for Drugs for Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, Children’s Health Insurance Program (CHIP) Agencies and CHIP Managed Care Entities, and Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges

Dear Secretary Kennedy, Administrator Oz and National Coordinator Keane:

On behalf of our nearly 5,000 member hospitals, health systems and other healthcare organizations, and our clinician partners — including more than 270,000 affiliated physicians, 2 million nurses and other caregivers — and the 43,000 healthcare leaders who belong to our professional membership groups, the American Hospital Association (AHA) appreciates the opportunity to comment on the Centers for Medicare & Medicaid Services’ (CMS’) proposed rule titled “Interoperability Standards and Prior Authorization for Drugs.”

Hospitals and health systems are committed to CMS’ ongoing efforts to reduce administrative burden, advance interoperability and improve patients’ access to timely, medically necessary care. Prior authorization remains one of the most significant administrative challenges facing the healthcare delivery system, consuming substantial clinical and operational resources while frequently interfering with patient care. As prior authorization requirements persist across payers, services and benefit types, providers must navigate complex, fragmented and manual processes that detract from care delivery and strain an already overextended workforce. These long-standing challenges underscore why CMS’ proposed rule is both timely and necessary, offering an opportunity to advance more streamlined, consistent and efficient prior authorization processes across the healthcare system.

While the AHA strongly supports CMS’ goal of modernizing prior authorization and extending interoperability requirements, the effectiveness of these policies will depend on thoughtful implementation that aligns with clinical workflows, ensures consistent payer behavior and meaningfully reduces administrative burden for providers. To that end, we urge CMS, Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) to adopt the following key policy updates:

  • Ensure timely and consistent prior authorization decisions across all services. CMS should adopt uniform decision timeframes of 72 hours for standard requests and 24 hours for expedited requests across both drug and non-drug items and services to prevent unnecessary delays in care.
  • Strengthen transparency and usability of prior authorization metrics. CMS should require service-level reporting, standardized public posting and centralized access to plan data to ensure that patients, providers and regulators can meaningfully evaluate plan performance.
  • Establish a centralized, standardized repository of payer API endpoints. CMS should require machine-readable, accurate and timely publication of endpoint information to support scalable implementation of electronic prior authorization workflows.
  • Advance a deliberate transition from X12 to FHIR-based prior authorization. HHS should replace the X12 278 transaction with the FHIR-based Prior Authorization API while adopting a phased implementation timeline and ensuring interoperability standards are operationally independent from legacy constructs.
  • Ensure any transition to FHIR-based eligibility transactions is evidence-based and does not disrupt existing workflows. CMS should retain the current 270/271 transaction until FHIR-based alternatives are proven reliable at scale.
  • Promote standardized, predictable documentation workflows for prior authorization. CMS should establish Documentation Templates and Rules (DTR) as the primary documentation approach, limiting reliance on attachment-based processes that increase burden and variation.
  • Strengthen implementation oversight and accountability for payer APIs. CMS should require robust conformance testing, transparency into results and validation of real-world usability to ensure that APIs deliver meaningful operational improvements.
  • Support a staged, coordinated implementation of interoperability standards. CMS and ONC should align compliance timelines, testing readiness and version transitions to prevent fragmentation and ensure consistent adoption across the market.

Thank you for your attention to our comments. We particularly appreciate CMS’ and ONC’s thoughtful proposals to alleviate provider burden and improve patient care and access. We urge CMS to finalize the proposed rule with modifications as recommended above. Our detailed comments are attached. The AHA is pleased to be a resource on these issues and welcomes any opportunity to provide any additional insight that would be helpful to the agency as you plan for future rulemaking. Please contact me if you have any questions, or feel free to have a member of your team contact Andrea Preisler, AHA senior associate director for administrative simplification policy, at apreisler@aha.org.

Sincerely,

/s/

Ashley Thompson
Senior Vice President
Public Policy Analysis and Development

Download the full letter PDF.

Table of Contents

Background

Electronic Prior Authorization for Drugs

Improving Communications and Decision Timeframes for Prior Authorizations

Prior Authorization Metrics

Reporting Payer API Endpoints

Modifications to HIPAA Standards Related to Prior Authorization

Interoperability Standards for APIs.

Required FHIR Standards and Implementation Guides for Prior Authorization

Adoption of Health Information Technology Standards and Incorporation by Reference

Requests for Information

Background

Prior authorization is commonly described by health plans as a utilization management tool intended to ensure that patients receive coverage for care that is medically appropriate and evidence-based. In concept, the AHA recognizes that prior authorization serves a role in supporting appropriate coverage determinations. In practice, however, prior authorization is frequently implemented in ways that delay care, disrupt treatment and impose substantial administrative burden on clinicians and care teams.

Impact of Prior Authorization on Provider Burden and Patient Care

The consequences of these processes extend beyond administrative inefficiency. Providers consistently report that prior authorization delays can postpone diagnoses, interrupt ongoing treatment regimens and create uncertainty for patients and care teams alike. These challenges are exacerbated by inconsistent payer requirements, limited transparency into coverage criteria and a lack of standardized electronic workflows. The resulting delays and disruptions to care are particularly concerning for patients with serious, complex or time‑sensitive medical needs.

Survey data reinforce these experiences. In a national survey of practicing physicians conducted by the American Medical Association, 95% of physicians reported that prior authorization delays access to necessary care, and 79% reported that prior authorization can at least sometimes lead to patients abandoning their recommended course of treatment.[1] In addition, about 1 in 4 physicians reported that prior authorization led to a serious adverse event for a patient in their care, including hospitalization, a life‑threatening event or the need for intervention to prevent permanent impairment or damage.[2] These findings underscore that inefficiencies in prior authorization processes are not solely administrative in nature but also can have significant negative consequences for patients’ health.

Prior authorization also places a heavy burden on clinicians and the healthcare workforce. Physicians and their staff complete, on average, approximately 40 prior authorization requests per physician per week, spending nearly two business days each week on prior authorization‑related activities.[3] Moreover, most hospitals have teams of staff dedicated exclusively to managing prior authorization requirements, and the vast majority of physicians describe the burden associated with prior authorization as high or extremely high.[4],[5] These administrative demands divert time and resources away from direct patient care and contribute to workforce burnout.

Interoperability as a Foundation for Electronic Prior Authorization

A central driver of these burdens is the absence of consistent interoperability across payers, providers and health IT systems. Providers must navigate a patchwork of submission methods, documentation requirements and timelines, many of which continue to rely on manual processes such as phone calls or proprietary payer portals. Even when electronic options are available, they are frequently payer‑specific and poorly integrated into clinical workflows, requiring duplicative data entry and repeated follow‑up that erodes potential efficiencies and increases the likelihood of errors, denials and rework that drive delays and disruptions in needed patient care.

CMS took an important step with the 2024 Interoperability and Prior Authorization final rule, which established new requirements to modernize and streamline prior authorization processes for non‑drug items and services. Because the rule did not extend to drugs, including those covered under a patient’s medical benefit, it left a gap in the administrative simplification framework. The AHA therefore applauds CMS’ proposal to extend interoperability and prior authorization requirements to these drug therapies.

The AHA is particularly focused on the implications for drugs covered under the medical benefit, including chemotherapy, immunotherapy, biologics and other provider‑administered therapies. These treatments are often used to manage serious, complex and life‑threatening conditions and are commonly furnished in hospital outpatient departments, infusion centers and other provider‑based settings. For these patients, timely access and continuity of care are critical; delays in authorization or disruptions mid‑treatment can compromise clinical outcomes, exacerbate patient distress, and undermine carefully coordinated care plans. Providers continue to report significant challenges in obtaining prior authorization for these therapies, including repeated documentation requests, unclear coverage criteria and limited transparency into authorization status.[6] These inefficiencies contribute to delays in the initiation and continuation of care and increase the administrative burden for providers.

These persistent challenges highlight the need for increased efficiency, and the proposed rule’s interoperability provisions could meaningfully improve prior authorization processes. Standardized electronic exchange can reduce the administrative resources spent identifying, assembling, transmitting and re‑transmitting clinical information across multiple systems and payer workflows. However, these policies will only be effective if they are implemented in such a way that aligns with clinical workflows and requires payers to clearly identify, accept, and act upon the information needed to support a prior authorization request. When interoperability is designed thoughtfully, these requirements could reduce the resources that providers spend compiling, submitting, and resubmitting documentation across multiple payer portals and processes, promote more complete submissions at the outset of the request, and support more timely payer determinations.

The AHA appreciates CMS’ continued emphasis on interoperability as a foundational component of administrative simplification and recognizes the coordinated approach reflected in this proposal with the ONC. Interoperability serves as the underlying infrastructure that enables electronic prior authorization to function effectively at scale, supporting consistent information exchange and alignment across payers, providers, technology developers and other stakeholders. Establishing and maintaining this foundation is essential to moving from fragmented, manual processes toward a more reliable and sustainable electronic prior authorization process that supports patient access and care delivery.

Electronic Prior Authorization for Drugs

The AHA commends CMS for proposing to standardize prior authorizations for drugs covered under the medical benefit, addressing a significant gap in prior authorization reform ushered in by the 2024 Interoperability and Prior Authorization final rule. Health plans frequently cover physician-administered and specialty drugs through a patient’s medical benefit, which almost uniformly requires prior authorization for their use. The inefficient application of prior authorization to specialty drugs can be particularly detrimental to patients who rely on these medications to manage and treat complex diseases.

If coverage for these drugs is administered as a medical service, rather than a drug covered under a pharmacy benefit, prior authorization processes should align with those of other medical services. By extending the prior authorization protections established in the 2024 Interoperability and Prior Authorization final rule to these drugs, CMS will help eliminate care delays and coverage interruptions for these patients, while also reducing the enormous administrative burden that their providers face in delivering these therapies.

Improving Communications and Decision Timeframes for Prior Authorizations

Timeframes for Drugs

The AHA supports CMS’ efforts to ensure prompt notification and align prior authorization decision processes, proposing that payers be required to provide notice of drug-related prior authorization decisions within specific timeframes. Specifically, CMS requires Medicaid and Children’s Health Insurance Programs (CHIP) to issue drug prior authorizations within 24 hours and Qualified Health Plans (QHPs) on the Federally Facilitated Exchange to issue drug prior authorizations within 72 hours for standard requests and 24 hours for expedited requests.

Unlike most other transactions between a provider and a health plan, prior authorization has a direct impact on patient care. A prior authorization request is often the final step between a patient and the initiation of their care, making expeditious processing of such transactions extremely important. One challenge to timely adjudication of requests is the lack of an efficient and standard method of delivering the clinical documents necessary to process prior authorizations, often resorting to slow and nondigitized delivery through fax machines and the postal service. These inefficiencies can lead to devastating delays, such as cancer patients anxiously waiting days or even weeks for authorization for chemotherapy drug treatment.

As designed, the prior authorization application programming interfaces (APIs) would reduce the time plans need to process requests, as documentation delivery would be both instantaneous and specifically tailored to plan-specific documentation needs. This should be significantly more efficient than today’s reliance on fax machines, phone calls and portals and should allow health plans to assess quickly whether a request satisfies their medical necessity criteria. We therefore appreciate CMS’ proposal to require timely determinations, and we support the proposed timeframes of 72 hours for standard requests and 24 hours for expedited requests. We also encourage CMS to revisit these requirements as the technology is implemented throughout the industry, as we believe that further reductions in the timeframe may be appropriate once greater efficiencies are realized.

Timeframes for Non-drug Items and Services

CMS proposes that beginning Oct. 1, 2027, QHP issuers on Federally-Facilitated Exchanges be required to provide notice of prior authorization decisions no later than seven calendar days after receiving a standard prior authorization request and no later than 72 hours after receiving an expedited prior authorization request. This extends the application of established prior authorization deadlines for non-drug items and services to QHPs, which were previously exempt from these regulations. Although we support efforts to apply the same timeframe rules to all impacted payers, we believe that seven days for standard requests and 72 hours for expedited requests are insufficient. As noted above, we believe that the Fast Healthcare Interoperability Resources (FHIR) APIs will substantially reduce the time plans need to complete prior authorizations. Accordingly, we recommend that CMS apply the same timeframes proposed for drugs covered under a medical benefit across all medical services specifically requiring 72 hours for standard requests and 24 hours for expedited requests. Such timing requirements should mitigate care delays and support the basic principle that patients should receive timely access to needed healthcare services.

Prior Authorization Metrics

Updated Metrics for Medical Items and Services

The AHA appreciates the additional prior authorization performance metrics for plan reporting that are included in the proposed rule; however, we encourage the administration to take additional steps to improve the granularity and accessibility of prior authorization metrics, particularly given the results of the 2025 plan reporting released earlier this year.

Recently released 2025 prior authorization data required to be publicly posted under the 2024 Interoperability and Prior Authorization final rule underscores the need for greater CMS oversight and additional reforms to ensure meaningful transparency and accountability. In this first release of metrics, plans often reported information aggregated to such a level as to make it virtually impossible to identify any specific services or policies that may be the source of patient and provider accessibility concerns.[7] By relying on these approaches to nominally comply with the 2024 Interoperability and Prior Authorization final rule, plans have effectively obscured the information the rule was intended to make accessible, thereby undermining its purposes and limiting its impact.

Additionally, plans have taken a highly inconsistent approach to where and how they post this data, making it impossible for patients and the general public to use the information in a meaningful way. Specifically, a significant number of plans posted the required data on remote, hidden sections of their website, with plan-specific information buried amidst a voluminous file containing hundreds of other plans. Such obscure posting drastically limits the usefulness of this data, particularly for patients as they attempt to determine appropriate coverage options.

In this rule, CMS proposes four new metrics about prior authorization denials after an extended timeframe and appeals for non-drug items and services and two new metrics about prior authorization approvals after an extended timeframe and appeals for non-drug items and services for expedited prior authorization requests only. Additionally, CMS requires plans to report prior authorization statistics inclusive of total numbers (rather than just percentage values). We believe these additional requirements could improve plan reporting, particularly in areas of appeals where our members frequently cite concerns about inappropriate denials and prolonged delays. However, we urge the agency to take additional measures to ensure that the reported data adequately captures plan performance.

Specifically, to ensure that patients can obtain and utilize meaningful information on plan prior authorization programs as envisioned in the 2024 Interoperability and Prior Authorization final rule, we recommend that CMS reform this process by (1) requiring that plans report all applicable prior authorization statistics at the service level rather than an aggregate level, (2) requiring all plan reports to be posted via link in a standardized, search-engine optimized and clearly identifiable location on the plan’s main website, and (3) posting all plan reports on a centralized CMS platform and providing links to that platform on Medicare Plan Finder and Healthcare.gov so patients can easily access and use the data for cross-plan comparisons during enrollment periods. These changes would materially improve the value of these reports to patients, providers and oversight bodies by ensuring that the information is accessible and provides detailed insight into the impact that plan prior authorization programs have on patient care.

Updated Metrics for Drugs

The AHA supports CMS’ efforts to incorporate drugs covered under Part B into prior authorization reporting requirements established under the 2024 Prior Authorization and Interoperability final rule. These drugs are routinely subject to prior authorization requirements and are often used to treat long-term conditions — the very type of prior authorization reporting that would prove important and beneficial for those enrolling in coverage while potentially receiving drug therapies. In fact, such information may be even more important, as the Office of the Inspector General of the Department of Health and Human Services (HHS) cited infusion drugs as often being inappropriately denied by Medicare Advantage plans.[8]

Although we support CMS’ inclusion of these therapies in reporting requirements, we stress the importance of collecting information at the specific drug level (rather than in aggregate). This information will help patients and policymakers ensure that payers are not inappropriately limiting access to specific therapies. Additionally, we encourage CMS to standardize reporting location and consider hosting a centralized hub of insurer reports on these processes, as recommended in detail above.

Reporting Payer API Endpoints

The AHA supports CMS’ proposal to require impacted payers to report and publish all API endpoints for interoperability APIs and associated technical information. Successful provider operation of CMS’ interoperability framework requires transparent and reliable access to payer endpoint information. Hospitals’ ability to use electronic prior authorization, retrieve coverage and clinical information, and access data through required APIs depends on consistent and accurate endpoint discovery. Without a centralized and authoritative mechanism for identifying payer endpoints, hospitals and their technology partners must rely on fragmented and manual processes that undermine the efficiency and reliability of electronic workflows.

Providers routinely interact and must establish connectivity with numerous public and commercial payers. Absent centralized endpoint reporting, hospitals and vendors are often forced to locate endpoint information across payer websites and documentation that vary widely in format and completeness. These processes frequently require manual intervention and ongoing monitoring for changes. CMS’ proposal to collect and centrally publish payer endpoint information would significantly improve implementation efficiency and reduce duplicative efforts across the healthcare system. This proposal appropriately recognizes that interoperability depends not only on the adoption of technical standards, but also on the practical ability of providers and their technology partners to discover and connect to payer systems in a predictable and scalable manner.

To realize the benefits of a centralized payer API endpoints repository, the AHA urges CMS to specify a consistent publication format. Endpoint information should be made available in a machine‑readable format that supports automated access by health IT systems. Static or inconsistent publication methods would limit the usefulness of the centralized resource and perpetuate the manual discovery processes this proposal is intended to address. CMS should therefore commit to publishing endpoint information in a structured format that enables programmatic access and supports efficient integration into provider and vendor systems.

The AHA also emphasizes the importance of timeliness and accuracy in the publication of endpoint information. The effectiveness of a centralized resource will depend on CMS’ ability to reflect updates promptly and ensure that reported information remains current. Delays in publication or reliance on outdated information would diminish the value of the registry and introduce additional operational challenges. We encourage CMS to establish clear expectations for how quickly reported updates will be made available, and the agency should consider appropriate mechanisms to promote the accuracy and reliability of reported endpoints, including verification that reported information is accessible and consistent with payer implementation in practice.

Additionally, we support CMS collecting standardized information on payer authentication requirements. Authentication approaches materially affect the time and resources required to establish functional API connections. Greater transparency would support more efficient implementation and reduce delays in achieving operational electronic workflows. Furthermore, we encourage CMS to design the endpoint reporting infrastructure with sufficient flexibility to accommodate future expansion, including the potential inclusion of additional payer types should interoperability requirements be extended through future rulemaking.

Ultimately, the AHA considers centralized payer API endpoint reporting as essential infrastructure for the success of CMS’ interoperability and prior authorization policies. With modifications to ensure machine‑readable publication, timely updates and validated endpoint functionality, this proposal can meaningfully reduce administrative burden and support more consistent and effective electronic data exchange across the healthcare system.

Modifications to HIPAA Standards Related to Prior Authorization

Replacing X12 278 with FHIR Prior Authorization API

The AHA strongly supports the goal of modernizing HIPAA Administrative Simplification standards for prior authorization by transitioning away from the ASC X12N 278 transaction and toward HL7 FHIR-based approaches. In 2023, the AHA urged CMS to leverage its authority under HIPAA to permit the use of FHIR-based APIs for prior authorization transactions without the requirement to translate between FHIR and the X12 278 standard, noting the potential enhanced efficiencies of using FHIR from end to end.[9] As such, we appreciate CMS’ attention to this matter, and we urge finalization of this proposal. Importantly, CMS’ proposal would apply across the full HIPAA-covered entity landscape, rather than being limited to the payers CMS defines as “impacted payers” for purposes of the interoperability API requirements. As a result, it has the potential to promote broader market alignment and address long-standing fragmentation that has hindered the adoption of streamlined electronic prior authorization to date.

As this change is enacted, the AHA urges HHS to ensure that any HIPAA mandate is implemented in a manner that promotes true administrative simplification. In particular, the AHA is concerned that a prior authorization implementation that continues to depend materially on legacy X12 constructs could perpetuate complexity rather than reduce it. For example, due to HIPAA constraints, the Prior Authorization Support implementation guide (PAS IG) was intentionally designed as a wrapper and mapping layer for the X12 278. PAS continues to rely on X12 data elements and semantics. If HHS intends to replace X12N 278 as the HIPAA standard, we urge the department to ensure that the resulting HIPAA requirements can be implemented based on the FHIR specification and the implementation specifications adopted by the HHS secretary without requiring reliance on proprietary materials to interpret core transaction expectations. Therefore, the AHA urges HHS to ensure that any version mandate of PAS be operationally independent from X12 278 functions to support the goal of streamlining workflows and achieving meaningful prior authorization automation.

CMS impacted payers and their vendors have been preparing for interoperability API requirements for several years. By contrast, many other health plans, intermediaries and technology partners that support prior authorization workflows across the broader market have not had the same lead time or infrastructure investments. A single compressed compliance window risks creating avoidable disruption and could drive short-term reversion to manual processes. That outcome would be directly contrary to the purpose of this proposal. Provider adoption will ultimately depend on the functionality, reliability and workflow integration of FHIR-based solutions; a rushed rollout of immature or operationally burdensome tools risks stymying utilization and undermining the intended benefits of standardization.

Accordingly, the AHA recommends that HHS adopt a staged transition strategy that preserves a clear endpoint while providing a realistic runway. Specifically, HHS should require plans to support and enable providers to use either current processes or the FHIR-enabled transaction while implementation scales, similar to enforcement discretion for covered entities implementing an all-FHIR-based prior authorization process. The AHA recommends that HHS expressly extend and operationalize this flexibility through Dec. 31, 2028, and set a mandatory compliance date for FHIR-based prior authorization transactions of Jan. 1, 2029. This approach maintains an unambiguous direction of standards implementation and encourages early adoption by entities that are ready, while preventing disruption for entities that require additional time to implement responsibly.

The AHA further urges HHS to use the transition period to monitor readiness across the industry. During this time, HHS should evaluate whether adoption is occurring across non-impacted health plans and intermediaries, whether conformant modules are available and deployed at scale by health IT vendors, and whether hospitals and clinicians experience new costs or workflow disruptions attributable to the transition. HHS should issue additional guidance or make targeted adjustments based on findings from this monitoring before the mandate becomes effective to ensure successful implementation.

Additionally, the AHA requests that HHS address clearinghouse and intermediary impacts more directly. Nearly all hospitals and health systems rely on clearinghouses, revenue cycle partners and other intermediaries to facilitate administrative transactions, including components of the prior authorization workflow. If these entities are not prepared to support FHIR-based transactions in a timely manner, hospitals may face increased administrative burden and workflow disruption even if they are otherwise ready to exchange prior authorization information electronically. We encourage HHS to ensure that clearinghouses and intermediaries have clear implementation guidance, access to testing resources and sufficient lead time under the staged approach. Importantly, the AHA requests that HHS monitor the implementation for inappropriate cost shifting via new intermediary fees that would increase provider resource burden and undermine the administrative simplification objectives of this proposal.

Finally, we recommend that HHS maintain an appropriately focused scope in this rulemaking. HHS has requested comments on broader alternatives that would extend FHIR standards beyond prior authorization. Hospitals are concerned that expanding scope beyond prior authorization at this stage would increase implementation complexity and introduce additional uncertainty during a major standards transition. HHS should finalize this action as a prior authorization-focused replacement of X12N 278. As such, we recommend that the department evaluate additional transaction types through subsequent rulemaking once the prior authorization transition is operational and stable.

HHS proposes, as an alternative, to extend FHIR standards to all referral certification and authorization transactions, not just prior authorization. The AHA supports this expansion as a logical next step in advancing administrative simplification and promoting more consistent, interoperable workflows across the HIPAA transaction landscape. These use cases fall within the scope of the implementation guides and, if implemented effectively, have the potential to further reduce burden and improve coordination of care. We encourage HHS to advance this expansion in a way that promotes consistent implementation across the market and supports reliable, end-to-end adoption.

Eligibility Transaction

The AHA appreciates CMS’ continued focus on improving administrative processes that support prior authorization and other coverage‑related functions. As part of this effort, CMS proposes to adopt FHIR standards under HIPAA for prior authorization eligibility requirements, essentially replacing the existing X12 eligibility transaction within the prior authorization workflow. Hospitals urge CMS to approach eligibility‑related changes with caution to ensure that any transition meaningfully reduces administrative burden and does not disrupt mission‑critical eligibility verification processes.

Providers rely extensively on the HIPAA‑adopted X12 270/271 Health Care Eligibility Benefit Inquiry and Response transaction to verify coverage and benefits prior to furnishing care. The 270/271 transaction is deeply embedded in hospital revenue cycle operations, clearinghouse infrastructure and payer systems, and it supports high‑volume, real‑time and batch eligibility inquiries at scale. When implemented consistently, the 270/271 transaction enables providers to confirm coverage and benefit parameters that are essential to downstream administrative and clinical workflows.

While the AHA is not categorically opposed to transitioning eligibility transactions to FHIR as part of a broader modernization effort, we are not convinced that the replacement of the 270/271 transaction at this time would reduce burden or improve operational performance. The industry would not be looking to move away from the X12 270/271 transaction if it were functioning optimally as intended, and this should inform both the urgency and the design of any transition. However, hospitals’ reliance on the eligibility transaction cannot be overstated, and even modest instability or inconsistency can create significant downstream disruption for providers and their patients. We encourage CMS to consider whether the 270/271 transaction could be bolstered through updates or operating rules to enable the exchange of essential information necessary for the FHIR prior authorization transactions, thereby keeping eligibility consistent across all transactions and preventing any potential disruptions. CMS should therefore refrain from mandating replacement of the 270/271 transaction for prior authorization purposes until FHIR‑based eligibility standards have been proven reliable at scale and thoroughly tested across a wide range of real‑world payer, provider, vendor and clearinghouse environments. Any transition away from the 270/271 transaction must be carefully sequenced, evidence‑based and supported by robust testing and validation.

At the same time, hospitals recognize the potential long‑term value of enabling a fully end‑to‑end FHIR-based prior authorization workflow inclusive of all component transactions, including eligibility, coverage discovery, documentation and authorization submission and response. This rulemaking proposal was likely prompted by the shortcomings of the X12 270/271 transaction, which should serve as a cautionary lesson that adopting a new standard does not, by itself, guarantee consistent or burden-reducing implementation. CMS and industry must be equally committed to ensuring that any FHIR-based replacement is implemented uniformly and effectively, not merely adopted on paper. When FHIR‑based eligibility standards are sufficiently mature, stable and proven in practice, aligning eligibility with the broader FHIR prior authorization process could offer meaningful benefits. However, that outcome depends on a clear demonstration that FHIR‑based eligibility can meet or exceed the reliability, scalability and performance of the existing 270/271 transaction without increasing provider burden.

CDex for Prior Authorization Attachments

The AHA supports CMS’ proposal to adopt the HL7 FHIR Da Vinci Clinical Data Exchange (CDex) Implementation Guide to support the transmission of clinical attachments necessary for prior authorization review. Addressing attachments is essential to achieving meaningful prior authorization reform, as requests for additional clinical documentation remain a primary driver of delay, duplication and administrative burden across prior authorization workflows.

At the same time, the AHA emphasizes that Documentation Templates and rules (DTR) should remain the primary and preferred mechanism for satisfying prior authorization documentation requirements, and that the FHIR Questionnaire-based approach enabled by DTR should generally be sufficient to meet payer information needs. DTR is, by definition, designed to structure, collect and transmit documentation requirements in a consistent manner that can be integrated directly into clinical and administrative workflows. When implemented as intended, DTR reduces ambiguity regarding required documentation, limits unnecessary follow‑up requests and supports documentation being completed once and reused across transactions. Hospitals caution against approaches that routinely require use of both DTR and CDex for the same prior authorization request, as parallel documentation pathways reduce efficiency and increase administrative burden.

CDex may play an important role in circumstances where relevant clinical information exists outside structured data elements or where additional clinical context supporting DTR information is necessary. However, absent clear direction, some payers may rely on CDex attachment‑based requests where DTR questionnaires would be sufficient, effectively reintroducing unstructured documentation practices within a FHIR‑based framework.

Successful prior authorization reform requires consistent, predictable documentation workflows across payers. Operationalizing workflows that vary by payer significantly diminishes the efficiencies and burden reduction these policies are intended to achieve. If some payers primarily rely on DTR while others default to CDex attachments, providers will be required to maintain multiple documentation pathways, train staff on payer‑specific processes and build conditional logic into health IT systems. Such variation perpetuates fragmentation and administrative complexity, rather than advancing standardization and automation. Accordingly, CMS should establish clear documentation workflows aligned across payers, with DTR serving as the standard documentation mechanism and CDex reserved for limited, well‑defined use cases. CMS should discourage payer‑specific divergence in documentation approaches and avoid policies that implicitly permit attachment‑based workflows to substitute for DTR processes as a matter of routine.

Additionally, the AHA reiterates that attachment standards must reflect real‑world hospital workflows. The collection and submission of documentation are frequently handled by clinical support staff, utilization management teams or centralized prior authorization units — not solely by ordering clinicians. Both DTR and CDex implementations should support asynchronous, team‑based workflows and allow documentation to be gathered, supplemented and submitted outside of clinician ordering processes. Policies that assume documentation is generated exclusively within clinician ordering workflows risk increasing clinician burden and detracting from patient care.

Finally, the AHA encourages CMS to clearly articulate that prior authorization attachment requests must be clinically appropriate and limited to information necessary to complete medical necessity determinations. While CDex enables more structured exchange, it should not become a mechanism for expanding documentation demands and creating additional, unnecessary administrative burden.

Interoperability Standards for APIs

The AHA appreciates CMS’ continued focus on advancing electronic prior authorization and recognizes the value of converting previously recommended FHIR implementation guides into binding requirements. Standardization is necessary to reduce longstanding procedural variation that forces hospitals, health systems and clinicians to navigate disparate portals, proprietary workflows and inconsistent documentation requirements across multiple payers. CMS’ proposal to elevate the Da Vinci Coverage Requirements Discovery (CRD), DTR and PAS IGs from recommended to required for the Prior Authorization API, and to similarly require implementation guides for the other payer APIs, represents a meaningful step toward a more consistent interoperability environment. In order to ensure the practical usability of the standards, we encourage CMS to take additional steps toward consistent implementation.

Standardization of the exchange format alone does not address the substance of the prior authorization requirements transmitted through these implementation guides. A payer may fully conform to CRD, DTR and PAS while continuing to apply overly complex, duplicative or clinically inappropriate criteria. Accelerating the exchange of such requirements does not reduce the burden. The AHA continues to emphasize that prior authorization processes must be grounded in transparent, evidence-based criteria and that improved data exchange alone is insufficient to achieve this objective.

The AHA urges CMS to distinguish between technical conformance and operational usability when defining and determining compliance. CMS’ proposal assumes a level of maturity and coordination across payers, health IT developers and intermediaries that has yet to be demonstrated in practice. These entities remain at different stages of readiness, and provider organizations are downstream recipients of the resulting gaps. As demonstrated in prior implementation efforts, permitting responses that technically satisfy implementation guide requirements but fail to advance actual workflow can undermine reform goals. API functionality must support real-world clinical procedures, including clear identification of prior authorization requirements at the point of care, structured and actionable documentation requirements, and timely, meaningful responses that can be used without redirecting providers to external systems.

The success of these proposals also depends on consistent payer implementation. Variation in payer behavior has historically been a primary driver of administrative burden, and the adoption of standards alone will not resolve this issue without enforceable accountability. CMS currently encourages, but does not require, conformance testing and reporting. The AHA finds voluntary approaches to be insufficient and recommends that CMS require robust conformance testing, transparency into results and mechanisms for trading partners to validate interoperability prior to implementation.

Required FHIR Standards and Implementation Guides for Prior Authorization

The AHA supports CMS’ objective of advancing standardized, electronic prior authorization through the use of the HL7 Da Vinci IGs for CRD, DTR and PAS. These frameworks offer a pathway to more integrated and efficient prior authorization processes by embedding functionality directly within clinical systems. CMS’ determination that these guides have reached sufficient maturity to require represents an important step forward and reflects the evolution of the interoperability landscape.

CMS’ proposal highlights the importance of alignment across stakeholders. While payers are required to implement the Prior Authorization API, the availability of essential supporting EHR functionality will depend on deployment timelines governed by ONC certification and vendor readiness. If payer systems are operational in advance of provider-facing capabilities, hospitals and clinicians will have limited ability to leverage these tools and will remain reliant on existing workflows. The AHA therefore urges CMS to coordinate closely with ONC to ensure that implementation timelines are aligned and that the necessary infrastructure is available across the industry.

In addition, the proposed rule does not sufficiently address how providers should proceed when electronic prior authorization transactions break down. Given the complexity of the interoperability environment, failures are likely during implementation and may persist where readiness remains uneven. CMS should establish clear expectations for fallback processes that minimize duplicative data entry, maintain continuity of care and do not reintroduce administrative burden that these policies are intended to eliminate.

Finally, CMS’ request for comments on regulatory streamlining raises important considerations. The AHA supports efforts to reduce unnecessary complexity where use case implementation guides incorporate underlying standards. However, any such approach must clearly define conformance expectations to avoid ambiguity that could lead to inconsistent implementation across payers and other stakeholders.

Adoption of Health Information Technology Standards and Incorporation by Reference

The AHA supports ONC’s proposal to adopt updated implementation guide versions and incorporate them by reference, as these standards form the technical foundation necessary for CMS interoperability requirements to function as intended. Prior experience has demonstrated that locking in outdated versions results in misalignment across payers and health IT systems, leading to interoperability failures and degraded workflows. Updating to the most current versions helps mitigate this risk.

However, the proposed versioning framework does not sufficiently address how transitions between implementation guide versions will be managed across the industry. While the shift to an “unexpired version” lifecycle and the establishment of expiration dates represent a necessary improvement over fixed versioning, they do not ensure that payers, vendors and intermediaries adopt updated standards in a coordinated manner.

As a result, there is a significant risk that different entities will operate on different versions at the same time, creating mismatches that disrupt prior authorization processes. This is an inherent characteristic of a decentralized interoperability environment in which stakeholders make independent implementation decisions. To address this gap, CMS and ONC should establish a predictable and coordinated transition schedule for implementing updated FHIR standards rather than immediate replacement of preceding versions.

The AHA believes that a transition schedule should specify that any voluntary early adoption of updated versions be conditioned on maintaining compatibility with the existing required version for the duration of the transition period. This approach allows stakeholders to implement updated standard versions according to system readiness while ensuring continued information exchange and protecting providers from the effects of misaligned adoption.

More broadly, CMS and ONC should provide coordinated guidance that clearly aligns overlapping compliance timelines and establishes a predictable cadence for future updates. Without such coordination, version changes may introduce unnecessary complexity and contribute to implementation instability, ultimately undermining the effectiveness of these policies.

ONC Alignment with FHIR-Based Electronic Prior Authorization Standards

The AHA supports alignment between CMS policy requirements and ONC certification criteria for FHIR-based electronic prior authorization. Consistency across these frameworks is essential to ensure that standards required for payer APIs are supported by certified capabilities within provider systems. This alignment must extend beyond identification of standards to include coordinated implementation timelines, testing readiness and version management. Differences between CMS compliance requirements and ONC certification availability risk creating gaps in functionality that limit providers’ ability to utilize required APIs. The AHA urges CMS and ONC to provide coordinated guidance to ensure that certified capabilities supporting CRD, DTR and PAS are available and deployable in alignment with payer implementation timelines. Alignment is also necessary to ensure consistency in how standards are interpreted and implemented across the industry. As implementation guides evolve, coordination between CMS and ONC will be critical to maintaining interoperability and ensuring that version transitions do not introduce fragmentation or disruption to provider workflows.

Requests for Information

Direct Data Entry Methods

The AHA steadfastly supports moving the industry towards standardized transactions and eliminating the use of inefficient, idiosyncratic payer portals. As established in the HIPAA regulations, providers benefit from being able to perform the same task in the same manner across the multitude of payers with whom they interact. As a result, we are generally supportive of the industry transitioning away from a direct data entry framework.

However, CMS must approach the elimination of portal-based transactions carefully. Although portal-based transactions are not the optimal method of completing administrative transactions, they are nonetheless a popular process used by several industry participants to complete essential billing functions. Often, providers turn to direct data entry when they do not have the resources or staffing to support implementation and incorporation of technology-driven standards. Particularly as the agency names newer, more technologically advanced standards, CMS must be careful not to force their use on providers who may face difficulties in supporting corresponding systems or vendor support.

The AHA believes that the efficiency of a standard transaction will drive industry uptick, and that a forced elimination of portals would be unnecessary if the standards achieve their intended efficiencies. Indeed, we have seen incredible progress in industry use of many transactions without regulatory elimination of direct data entry, including the electronic standard claim transaction currently used by approximately 98% of the industry.[10] As a result, we do not believe that CMS should pursue eliminating the ability for a provider to utilize a plan’s portal at this time. Instead, efforts should focus on improving the benefits of current transactions and eliminating technological and fiscal barriers that may prevent some participants from utilizing.

Electronic Event Notifications for Value-based Care and Care Coordination

In the proposed rule, CMS requests input on promoting interoperability and increasing the electronic exchange of information between hospitals and other provider types. The agency notes that it adopted hospital Conditions of Participation (CoPs) in 2020 that require hospitals to send electronic notifications of admissions, discharges and transfers (ADTs) to a patient’s primary care physician, practice group or other entities identified by patients as primarily responsible for his or her care. Hospitals also are required to make reasonable efforts to send electronic ADT notifications to post-acute care providers. Among other questions, the agency asks whether it should modify or expand the existing CoPs to encourage or require sharing of electronic notifications with post-acute care providers, accountable care organizations and other entities such as EMS providers.

The AHA fully supports efforts to improve the ability of hospitals, health systems and other providers to share information that is useful in ensuring patients receive safe and efficient care. However, the AHA strongly opposes the use of additional CoPs as a means to increase interoperability among healthcare providers. As the AHA noted when CMS proposed to adopt the ADT requirements, CMS’ CoPs are not designed to promote the adoption of either health IT standards or data interoperability.

In fact, CMS already has a statutorily mandated program — the Promoting Interoperability Program — that both in name and by design is intended to advance interoperability and data exchange. To be sure, we have urged CMS to achieve a careful balance of burden and value in the Promoting Interoperability regulatory approach to ensure the program is sustainable for hospitals. However, using regulatory programs with differing incentive and enforcement approaches — such as the Promoting Interoperability Program and CoPs — on the same topic could add further burden and confusion to hospitals. Furthermore, we believe that improvements in interoperability are more closely tied to technological capacity than to regulatory mandates targeting a single provider type.

Data from the ONC indicate that the percentage of hospitals routinely providing electronic notification to patients’ primary care providers upon emergency department entry increased from 39% in 2012 to 70% in 2019. This dramatic increase took place well before the CoP was in place and is especially relevant in understanding whether expanding the CoP for sharing data with post-acute care providers would achieve its objective. Indeed, in the proposed rule itself, CMS acknowledges that differences in data exchange between hospitals and other provider types are driven in part by limited exchange capabilities among those providers. These differences stem primarily from the exclusion of post-acute care and other providers from the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009’s incentives to adopt certified EHR technology. This has resulted in a varied landscape of EHR technology in post-acute care and other healthcare settings. Many providers have been able to successfully incorporate health IT with higher levels of sophistication, including certified EHR technology. However, others are using technologies with fewer capabilities for digital exchange. Post-acute care providers also experience significant shortages of health IT professionals, raising the concern about whether there would be a sufficient number of health IT professionals to implement new requirements for post-acute providers.

Effective information exchange requires two-way capability; imposing one-sided requirements on hospitals will not resolve interoperability challenges if other entities lack the ability to receive or use the information. CMS should work collaboratively with all provider types to ensure system-wide readiness before introducing additional regulatory obligations. The agency should also carefully consider patient preferences, as well as privacy and security concerns, in any expansion of information-sharing requirements.

Increasing Healthcare Resiliency

Cybersecurity is critical to ensuring that hospitals can provide safe, high-quality care to their communities. Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks that can disrupt patient care and erode privacy by the loss of personal healthcare data. Even with significant investment, the healthcare ecosystem continues to defend against unprecedented cyberthreats. According to the HHS Office of Civil Rights, the number of individuals impacted by healthcare data breaches increased from 27 million in 2020 to a staggering 259 million in 2024.[11] In 2024, the Change Healthcare ransomware attack alone resulted in the theft of over 190 million Americans’ personal health information — the largest healthcare data breach in history. The attack caused significant disruption to care delivery across the nation. Hospitals also suffered significant financial impact due to the disruption of claims processing and payment.

The AHA has long been committed to helping hospitals and health systems with efforts to mitigate cybersecurity threats and bolster cybersecurity resiliency. Working closely with our federal partners, including the FBI, HHS, the Cybersecurity and Infrastructure Security Agency (CISA) and many others, we strive to help hospitals defend against attacks from both criminal and nation-state-sponsored adversaries. The AHA has also worked with the Health Sector Coordinating Council (HSCC) and the Health-Information Sharing and Analysis Center (H-ISAC) to build trusted relationships and channels for the mutual exchange of cyber threat information, develop risk mitigation practices, conduct regional field ransomware attack exercises and share lessons learned from ransomware attacks.

In this context, the AHA offers CMS, ONC and HHS several regulatory policy recommendations to help support hospitals and health systems’ cybersecurity resiliency:

  • Retain 13 privacy and security Health IT Certification Criteria since these requirements provide a floor for developer security standards.
  • Withdraw the Biden administration’s proposed “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information,” which would impose infeasible requirements and could introduce security risks.
  • Strengthen federal HIPAA preemption to mitigate the patchwork of state-level privacy and security policies.
  • Apply consistent privacy and security standards to third-party vendors as covered entities and business associates, given the prevalence of hacking incidents targeting non-hospital healthcare providers, including third-party service and software providers.
  • Support cybersecurity resilience for rural and underserved areas.

Below are our specific recommendations:

Retain Privacy and Security Health IT Certification Criteria

In the HTI-5 (Health Data, Technology and Interoperability: ASTP/ONC Degregulatory Actions to Unleash Prosperity) proposed rule, ONC proposed to remove all 13 privacy and security certification criteria and the associated Privacy and Security Certification Framework as of the final rule's effective date. The agency stated that privacy and security requirements are diverting financial resources and efforts from innovative solutions that can address threats faced by healthcare providers.

The AHA reiterates our concerns that the proposed removal of all privacy and security certification criteria has risks that outweigh potential benefits; we recommend the agency retain them. [12] The AHA supports the administration’s goals of reducing barriers to data interoperability and fostering innovation to support better health outcomes. We recognize the pivotal role that health technology plays in care delivery today and its potential to transform the patient and provider experience in the future. At the same time, this innovation should be balanced with reasonable policies that protect sensitive patient data and ensure security and privacy. The privacy and security criteria provide baseline security requirements for vendors.

We are concerned that removing the privacy and security criteria would inappropriately shift risk and cost to providers. Developers may impose additional fees for these features since they would be considered “add-on” services. Instead of saving costs and reducing the burden, the costs and burden would shift to end users.

ONC also asserts that privacy and security criteria have been widely adopted. This may be true for existing certified health IT products, but it may not be true for new entrants and future certified technologies. Baseline privacy and security criteria provide a foundation for security for all health IT products used across the healthcare ecosystem. The AHA has long supported secure-by-design principles and the HHS Cybersecurity Performance Goals. The current privacy and security certification criteria are aligned with these guiding frameworks to ensure that essential features are integrated before the products are developed.

Withdraw 2024 HIPAA Security Rule Proposals

Health data privacy and security are essential for patient safety and quality of care. HIPAA provides sound foundational standards for privacy, security and breach notification. The AHA has consistently advocated that HIPAA regulations focus on the law’s original purpose — protecting health information — while achieving an appropriate balance of regulatory burden and value.

For this reason, the AHA continues to urge HHS to withdraw the Biden administration’s proposed “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” as we commented in the Request for Information from HHS on Artificial Intelligence.[13] This HIPAA security rule included several technically infeasible and misguided policies that would fail to strengthen protections for health information while penalizing hospitals for issues beyond their control. For example, the rule would require full restoration of electronic information systems and data within 72 hours of a cybersecurity incident. This arbitrary timeframe would be infeasible in particularly complex cyberattacks. Furthermore, it may have the unintended consequence of increasing risk by requiring hospitals to bring systems online before they can complete a full threat assessment and isolate their exposure to further attacks. The timeframe also does not take into consideration the fact that third parties will likely refuse to reconnect to a victim organization until they are able to provide a letter attesting that their systems are safe. This third-party reconnection is critical to the full restoration of an organization’s systems. These rules also place the onus for ensuring cybersecurity on hospitals rather than the broader ecosystem.

Most protected health information (PHI) data breaches reported to OCR were the result of hacking incidents targeting nonhospital healthcare providers, including third-party service and software providers. Cybersecurity standards must address the full spectrum of stakeholders that collect, hold or transmit personal health information. The AHA does not support proposals for mandatory cybersecurity requirements levied on hospitals as if they were at fault for hackers’ success in perpetrating a crime. Instead, the AHA supports voluntary consensus-based cybersecurity practices such as the HHS cybersecurity performance goals.

Strengthen Federal HIPAA Preemption

While HIPAA generally preempts contrary state law, there are specific exceptions to that preemption that have enabled a plethora of differing state laws that bear on health data privacy. The current approach to preemption has burdened hospitals and health systems with a myriad of overlapping legal requirements, raising compliance costs and diverting limited resources that could otherwise be used on patient care. In addition, the patchwork of state and federal health information privacy requirements remains a significant barrier to the robust sharing of patient information necessary for coordinated clinical treatment. For instance, it makes it much more challenging for providers to use a common electronic health record that is a critical part of the infrastructure necessary for effectively coordinating patient care and maintaining population health. It also impedes the development and deployment of artificial intelligence tools, as data drives algorithmic validity.

We encourage HHS to work with Congress to address this issue and enact a full HIPAA preemption provision. HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, strikes the appropriate balance between health information privacy and valuable information sharing. Varying state laws only add costs and create complications for hospitals and health systems. As such, the AHA reiterates its long-standing recommendation that Congress strengthen HIPAA preemption.

Apply the Same Privacy and Security Standards for Third-party Applications That Hold/Process PHI as Covered Entities and Business Associates

Most PHI data breaches reported to OCR were the result of hacking incidents targeting nonhospital healthcare providers, including third-party service and software providers. With the rise in third-party vendor PHI data breaches, it is essential that entities that hold or process PHI and are not currently covered by HIPAA be subject to the same privacy and security standards. There is currently an asymmetry where these actors may benefit from the use of health-related information but do not bear downside risk for inappropriate disclosures. They are not similarly incentivized to undertake the same levels of data protection and verification. As such, providers and covered entities then bear disproportionate risk for activities outside their control. Furthermore, as both “actors” under information blocking and “covered entities” under HIPAA, providers may bear disproportionate risk in balancing interoperability and privacy demands.

The AHA recommends that third-party entities that collect, hold or transmit PHI should be held to the same standards and accountability as covered entities and business associates. Third parties also should be accountable for the privacy and security of data they pull from covered entities and business associates.

Support Cybersecurity Resilience for Rural and Underserved Areas

Rural hospitals can face unique risks, challenges and impacts when defending against cyberattacks. Rural hospitals are geographically remote, located in nonmetropolitan counties and may be well over 100 miles from the nearest hospital. Ransomware attacks, which result in diverting patients and ambulances, can create delays in the provision of critical healthcare services, which can elevate the risk of a negative outcome for the patient.

Rural hospitals can also face financial, human and technical resource challenges, which can affect the ability to respond to the increased cyber threat environment. Most rural hospitals operate on very thin financial margins or negative margins, with 48% of rural hospitals operating at a financial loss in 2023.[14] Limited financial resources can impede rural hospitals’ ability to obtain the latest and most advanced cybersecurity technologies to defend and monitor hospital networks 24/7 and to replace aging third-party technology not built to the most up-to-date security standards, such as medical devices. Lack of financial resources has also inhibited rural hospitals’ ability to recruit and retain cybersecurity professionals, who are in great demand in higher-paying urban areas, other sectors and government agencies.

We encourage ONC to work with other agencies and Congress to support rural and underserved areas to address cybersecurity resilience. For example, we support the development of workforce training programs to address the challenges of small and rural facilities. We also support workforce grant and retention efforts, with a particular focus on the retraining of veterans.

Improving Implementation of Payer API Technology

The AHA appreciates the opportunity to respond to the RFI regarding ways to improve the implementation and oversight of payer API technology. As noted extensively throughout our comments, providers strongly support CMS’ goal of advancing interoperability to reduce administrative burden, improve care coordination and ensure timely access to medically necessary care. However, experience with existing interoperability requirements demonstrates that technical adoption alone is insufficient to deliver meaningful operational benefit without stronger implementation guardrails, accountability mechanisms and alignment across the industry.

Providers increasingly rely on payer APIs — particularly the Prior Authorization, Provider Access and Patient Access APIs — to integrate coverage discovery, documentation requirements and authorization workflows into clinical and revenue cycle operations. Unfortunately, inconsistent payer implementation, uneven conformance to implementation guides, the proliferation of supplemental guides and a lack of transparency regarding endpoint functionality limit the real‑world effectiveness of these tools. We are concerned that some payer APIs may technically satisfy regulatory requirements while they fail operationally, forcing hospital staff to revert to portals, fax or manual follow‑up, and thereby undermining the administrative simplification goals of these policies.

Therefore, the AHA encourages CMS to distinguish between technical conformance and practical usability when evaluating payer API compliance. APIs that technically conform to implementation guides but return incomplete information, nonactionable responses or indefinite “pended” statuses do not reduce burden and, in fact, increase it. CMS should define compliance to require that payer APIs return actionable coverage requirements, specific documentation criteria, clear submission pathways and final determinations within required decision timeframes.

To ensure these outcomes, the AHA urges ONC to establish a formal payer API certification or validation program, analogous to ONC’s Health IT Certification Program for certified electronic health record technology. Voluntary testing and payer self‑attestation have proven insufficient to ensure that payer APIs are production‑ready, consistently implemented and operationally usable by hospitals and health systems. A formal certification or validation framework should include mandatory conformance testing using designated tools, public reporting of results and verification that APIs function reliably in real‑world clinical and administrative workflows prior to deployment. Without enforceable certification requirements, hospitals will continue to bear the downstream operational and financial consequences of payer APIs that comply with regulatory requirements while failing to deliver improved functionality and operational efficiency.

In addition, we encourage CMS to leverage API usage and performance data as an active oversight tool rather than a passive reporting exercise. Measuring whether APIs exist is insufficient. When upstream interoperability fails, providers must create workarounds because patient care cannot wait. When APIs are implemented inconsistently, hospitals must absorb the disruption to protect patient access and continuity of care. Therefore, it is critical that assessing payer API technology not simply be a “check-the-box” exercise but instead must include assessments evaluating whether payer APIs are in fact displacing manual processes and improving efficiencies in prior authorization and other administrative workflows. Public, payer‑level reporting of API usage and transaction success metrics would promote accountability and enable hospitals and regulators to identify underperforming payers. Adoption, not simply availability, must be the benchmark for success. Without these safeguards, payer APIs risk becoming compliance artifacts rather than functional tools that meaningfully reduce burden and improve patient care.

Step Therapy

The AHA appreciates CMS’ request for information regarding step therapy and the role that increased interoperability and data sharing could play in improving step therapy processes. Providers support policies that promote clinically appropriate, evidence‑based prescribing while reducing unnecessary administrative burden and ensuring timely access to care. Although step therapy may be used as a utilization management tool, current practices too often undermine continuity of care, delay treatment and impose significant operational burdens on providers and patients.

As CMS recognizes, step therapy protocols that are not grounded in strong clinical evidence or that are applied inflexibly can disrupt patient care, particularly when patients are required to retry medications that were previously ineffective or poorly tolerated. These challenges are compounded by the absence of standardized, transparent medical necessity criteria, which vary widely across payers and are often inaccessible to providers at the point of care. As a result, providers must navigate opaque and inconsistent requirements and submit duplicative documentation even when medical necessity is well established.

CMS has taken important steps to advance transparency and administrative simplification through its authority to require standardized APIs for prior authorization and data exchange. While CMS may not have authority to mandate specific medical necessity criteria, the AHA strongly supports efforts to enable the healthcare industry to coalesce around shared, evidence‑based medical necessity criteria for step therapy. CMS‑regulated APIs can play a critical enabling role by making step therapy requirements and associated medical necessity criteria available in structured, machine‑readable formats, allowing providers to understand coverage requirements in advance and reduce avoidable delays in care.

Improved interoperability can also support more consistent and efficient exception processes. When medical necessity criteria are clearly defined, transparent and electronically accessible through prior authorization and payer‑to‑payer APIs, payers can more readily evaluate whether a patient has already failed, not tolerated or is clinically inappropriate for a required first‑step therapy. This approach would support greater consistency and appropriate automation of determinations while preserving clinical judgment and timely access to medically necessary treatments.

The AHA strongly supports the use of payer‑to‑payer data exchange to promote continuity of care when patients transition between health plans. Patients who are stable on a medication or who have already satisfied step therapy requirements under a prior payer should not be required to repeat step therapy solely due to a change in coverage. When prior determinations and supporting clinical information are exchanged electronically, new payers can more readily honor prior decisions without requiring providers to resubmit documentation or attestations. Furthermore, if a patient’s clinical record indicates that a particular step is clinically inappropriate due to past experience, clinicians should not be required to obtain preliminary plan approval before prescribing the alternative therapy.

Interoperable data exchange should enable new payers to access relevant historical information, including prior step therapy determinations, documented treatment failures, adverse reactions and evidence of clinical stability. CMS should encourage policies that presume continuity of care and rely on electronically exchanged information for a clinically reasonable transition period, particularly when medical necessity has already been established. Establishing a minimum timeframe during which prior determinations are honored would further reduce treatment disruptions and administrative burden.

Although technology has the potential to improve step therapy information exchange, it is important to note that many plan processes are inherently at odds with the delivery of optimal medical care. In particular, many plans create step therapy requirements to incentivize the utilization of contractually favored drug regimens or therapies, regardless of whether the treating provider believes it to be the most appropriate treatment. Delays stemming from such policies unfortunately cannot be eliminated simply through improved technology. Therefore, we encourage CMS and HHS to create patient protections associated with the plan application of step therapy, including requirements that any step therapy program be primarily grounded in patient safety, does not increase the risk of negative health outcomes and has a clearly defined mechanism for bypassing step therapy if the patient’s medical status necessitates such action.

  1. [1] https://www.ama-assn.org/system/files/prior-authorization-survey.pdf
  2. [2] Ibid.
  3. [3] Ibid.
  4. [4] Ibid.
  5. [5] Examples provided by AHA member hospitals.
  6. [6] https://oig.hhs.gov/documents/evaluation/3150/OEI-09-18-00260-Complete%20Report.pdf
  7. [7] https://www.kff.org/quick-take/insurers-prior-authorization-data-offers-little-insight-into-what-gets-approved-or-denied/
  8. [8] https://oig.hhs.gov/documents/evaluation/3150/OEI-09-18-00260-Complete%20Report.pdf
  9. [9] https://www.aha.org/lettercomment/2023-10-27-aha-urges-cms-finalize-improving-prior-authorization-processes-proposed-rule
  10. [10] https://www.caqh.org/insights/index-report
  11. [11] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  12. [12] https://www.aha.org/system/files/media/file/2026/02/aha-comment-health-data-technology-and-interoperability-astp-onc-deregulatory-actions-to-unleash-prosperity-proposed-rule-letter-2-27-2026.pdf
  13. [13] https://www.aha.org/system/files/media/file/2026/02/aha-response-to-hhs-rfi-on-ai-in-health-care-letter-2-23-2026.pdf
  14. [14] AHA analysis of RAND Hospital Cost Report data
Download the Letter PDF
AHA Comments on CMS’ Interoperability and Prior Authorization Proposed Rule page 1.

Key Resources

Related Resources

AHA Center for Health Innovation Market Scan
CMS Announces First HealthTech Ecosystem Tools
Public
Letter/Comment
AHA Comments on TEFCA Individual Access Procedure
Public
Advisory
CMS Proposes Electronic Prior Authorization Requirements for Prescription Drugs to Improve Access and Reduce Administrative Burden
Member
Letter/Comment
AHA Comments on ONC Core Data for Interoperability Draft
Public
AHA Center for Health Innovation Market Scan
HIMSS 2026 Insights: How to Thrive in a Rapidly Changing Field
Public
Letter/Comment
AHA Responds to ASTP/ONC RFI on Diagnostic Imaging Interoperability
Public