Prior Authorization Automation: The Complete Technical Guide (CMS 2026 + FHIR + AI Agents)

Prior authorization is the single most expensive administrative transaction in US healthcare. It costs $11.06 per transaction (CAQH Index), consumes 14 hours per week per physician (AMA), forces 34% of practices to hire dedicated staff, and delays care for 94% of patients. The system is fundamentally broken.

But March 2026 marks a turning point. The CMS-0057-F final rule now mandates that payers respond to standard prior authorization requests within 7 calendar days, provide specific denial reasons, and begin public reporting of PA metrics. By January 2027, all affected payers must have operational FHIR-based Prior Authorization APIs.

This guide covers everything health system CTOs and engineering teams need to know: the CMS mandate, the Da Vinci FHIR implementation guides (CRD, DTR, PAS), how to architect an AI-powered prior auth agent, the FHIR resources involved, EHR integration patterns, clinical NLP for data extraction, state AI oversight laws, and the build-vs-buy decision framework.

1. The Prior Authorization Crisis: By the Numbers

Prior authorization was originally designed as a cost-containment tool. Payers require providers to obtain pre-approval before delivering certain services, medications, or procedures. In theory, it prevents unnecessary spending. In practice, it has become a $54.6 billion annual administrative burden that delays patient care and drives physician burnout.

The Data That Forced CMS to Act

The numbers are staggering, and they come from authoritative sources that CMS cited when finalizing the rule:

• $11.06 per transaction (CAQH Explorations 2024): The average cost of a single prior authorization transaction, including provider and payer administrative effort. Fully electronic transactions cost $3.22, meaning manual processing costs 3.4x more.
• 14 hours per week (AMA Prior Authorization Survey 2024): The average time physicians and their staff spend on prior authorization activities per week. That is nearly two full business days every week spent on paperwork instead of patient care.
• 34% hire dedicated staff (AMA 2024): More than a third of physician practices have hired staff whose sole job is to manage prior authorizations. At an average salary of $45,000-$55,000 per FTE, this represents a significant unfunded mandate on providers.
• 94% report care delays (AMA 2024): Nearly all physicians say prior authorization delays necessary patient care. Among those, 80% report that delays sometimes lead to patients abandoning treatment.
• 35+ million PA requests annually (AHIP estimates): The sheer volume of prior authorization requests across Medicare Advantage, Medicaid, and commercial plans creates a massive administrative overhead for both sides.
• 82% partially automatable (CAQH): The industry's own analysis shows that the vast majority of prior authorization transactions could be automated if standardized electronic workflows were adopted.

The Human Cost

Behind every statistic is a patient waiting for care. The revenue cycle management bottleneck created by prior authorization has measurable clinical consequences:

• 33% of physicians report that prior authorization has led to a serious adverse event for a patient in their care (AMA 2024)
• 25% of physicians report prior authorization has led to a patient's hospitalization
• Average time to appeal a denial: 30-90 days, with complex cases extending to 270+ days
• Physicians spend more time on prior auth than they do on continuing medical education

2. CMS-0057-F: The FHIR Prior Authorization Rule Explained

On January 17, 2024, CMS published the Interoperability and Prior Authorization Final Rule (CMS-0057-F), codified at 89 FR 8758. This is the most significant regulatory action on prior authorization in a decade, and it fundamentally changes how payers must handle prior auth requests.

Who Is Affected

The rule applies to:

• Medicare Advantage (MA) organizations
• State Medicaid and CHIP Fee-for-Service programs
• Medicaid managed care plans
• CHIP managed care entities
• Qualified Health Plan (QHP) issuers on Federally Facilitated Exchanges

Notably, traditional Medicare Fee-for-Service is not subject to this rule, nor are commercial plans outside the Exchanges. However, many commercial payers are voluntarily adopting the FHIR API requirements to stay competitive.

Implementation Timeline

Date	Requirement	Impact
January 1, 2026	Specific denial reasons required; public reporting begins	Payers must explain why a request was denied, not just that it was
March 31, 2026	First annual PA metrics report due	Approval rates, turnaround times, appeal outcomes become public
January 1, 2027	FHIR APIs must be operational	Patient Access, Provider Access, Payer-to-Payer, and Prior Authorization APIs live
CY 2027	MIPS Electronic Prior Authorization measure	Clinicians incentivized to use FHIR-based PA submission

Response Timeline Mandates

This is the most operationally impactful change. Payers must now respond to prior authorization requests within:

• 72 hours for urgent (expedited) requests
• 7 calendar days for standard (non-urgent) requests

These timelines represent a dramatic tightening from current practice, where responses can take weeks or even months. Payers that fail to respond within the timeline will face regulatory scrutiny and public reporting of their turnaround metrics.

The Four Required FHIR APIs

The rule mandates four HL7 FHIR APIs that payers must implement, as detailed in our CMS and ONC healthcare regulations 2026 guide:

1. Patient Access API: Allows patients to see their prior authorization status, decisions, and history through third-party apps
2. Provider Access API: Gives in-network providers access to claims, encounter data, and prior authorization details for their patients
3. Payer-to-Payer API: Enables data transfer when patients switch plans (within 5 years of data, patient opt-in required)
4. Prior Authorization API: The centerpiece — payers must publish their list of covered items/services requiring PA, documentation requirements, and accept electronic PA submissions

Public Reporting Requirements

Starting March 31, 2026, payers must publicly report on their website:

• Prior authorization approval and denial rates by service category
• Average turnaround time for PA decisions
• Appeal outcomes and overturn rates
• Volume of PA requests processed

This transparency requirement is powerful. For the first time, providers and patients can compare payer PA performance. Health plans with poor metrics will face market and regulatory pressure to improve.

3. Da Vinci Implementation Guides: CRD, DTR, and PAS

The CMS rule points to HL7 Da Vinci Implementation Guides as the technical standard for FHIR-based prior authorization. Three IGs work together as a pipeline, referenced in our FHIR US Core implementation guide:

Step 1: Coverage Requirements Discovery (CRD)

CRD answers the question: “Does this order require prior authorization?”

CRD operates as a CDS Hooks service embedded in the clinical workflow. When a clinician places an order, books an appointment, or signs a prescription, a CDS Hook fires to the payer's CRD service.

Supported CDS Hooks:

• order-select — Fires when a clinician selects an order (early warning)
• order-sign — Fires when the order is signed (decision point)
• appointment-book — Fires when scheduling a procedure
• encounter-start — Fires at the beginning of a clinical encounter

What CRD Returns (CDS Cards):

• Whether prior authorization is required, not required, or conditionally required
• What documentation the payer needs
• Alternative services that might not require PA (formulary alternatives, first-line therapies)
• Coverage information updates and patient cost estimates
• A link to launch DTR for documentation capture when needed

{
  "cards": [
    {
      "summary": "Prior Authorization Required for MRI Lumbar Spine",
      "detail": "Aetna requires PA for CPT 72148. Documentation needed: clinical notes, prior conservative treatment evidence.",
      "indicator": "warning",
      "source": { "label": "Aetna Coverage Rules" },
      "links": [
        {
          "label": "Complete Documentation (DTR)",
          "url": "https://payer.example.com/dtr/launch?context=pa-mri-lumbar",
          "type": "smart"
        }
      ],
      "suggestions": [
        {
          "label": "Alternative: CT Lumbar Spine (no PA required)",
          "actions": [{ "type": "update", "resource": "ServiceRequest" }]
        }
      ]
    }
  ]
}

Step 2: Documentation Templates and Rules (DTR)

DTR answers the question: “What clinical documentation does the payer need, and can we auto-fill it from the EHR?”

When CRD identifies that documentation is needed, DTR launches as a SMART on FHIR application (or native EHR functionality) that:

1. Retrieves payer-specific Questionnaires — FHIR Questionnaire resources with embedded CQL (Clinical Quality Language) logic
2. Auto-populates from EHR data — CQL expressions query the EHR's FHIR API to pre-fill diagnosis codes, lab results, medication history, and clinical observations
3. Prompts only for missing data — The clinician only sees fields that couldn't be auto-filled, minimizing the documentation burden
4. Produces a QuestionnaireResponse — The completed form becomes a FHIR resource that feeds directly into PAS

The auto-population capability is key. In a well-implemented DTR system, 60-80% of documentation fields can be pre-filled from existing EHR data. This transforms a 20-minute manual form-fill into a 2-minute clinician review-and-attest workflow.

Four System Types Defined in DTR:

• Light DTR EHR — EHR handles rendering; limited auto-population
• Full DTR EHR — EHR natively renders questionnaires with CQL execution
• SMART DTR Client — Third-party SMART app handles DTR workflow
• DTR Payer Service — Payer's server that hosts questionnaires and CQL logic

Step 3: Prior Authorization Support (PAS)

PAS answers the question: “How do we submit the PA request and track its outcome in FHIR?”

PAS is the submission and response layer. It defines:

• $submit operation — Provider sends a PAS Request Bundle (Claim + supporting resources) to the payer or an intermediary
• $inquire operation — Provider can check the status of a pending PA request
• X12 278 mapping — The intermediary can translate FHIR to X12 278 if the payer's backend requires it (though CMS enforcement discretion allows all-FHIR exchange)
• ClaimResponse — Payer returns the authorization decision: approved, denied, or pended (requires additional information)
• Task-based follow-up — For pended requests, FHIR Task resources manage the back-and-forth communication

POST [base]/Claim/$submit
Content-Type: application/fhir+json

{
  "resourceType": "Bundle",
  "type": "collection",
  "entry": [
    {
      "resource": {
        "resourceType": "Claim",
        "status": "active",
        "type": {
          "coding": [{
            "system": "http://terminology.hl7.org/CodeSystem/claim-type",
            "code": "professional"
          }]
        },
        "use": "preauthorization",
        "patient": { "reference": "Patient/123" },
        "provider": { "reference": "Practitioner/456" },
        "insurer": { "reference": "Organization/aetna-01" },
        "insurance": [{ "coverage": { "reference": "Coverage/cov-789" } }],
        "item": [{
          "sequence": 1,
          "productOrService": {
            "coding": [{
              "system": "http://www.ama-assn.org/go/cpt",
              "code": "72148",
              "display": "MRI Lumbar Spine w/o Contrast"
            }]
          },
          "quantity": { "value": 1 }
        }],
        "supportingInfo": [{
          "sequence": 1,
          "category": { "coding": [{ "code": "questionnaire-response" }] },
          "valueReference": { "reference": "QuestionnaireResponse/dtr-completed-form" }
        }]
      }
    }
  ]
}

4. Building an AI Prior Authorization Agent

An AI-powered prior authorization agent automates the end-to-end workflow: extracting clinical data from the EHR, matching it against payer policies, assembling the submission packet, submitting via PAS, tracking the response, and managing appeals when denied.

Architecture Overview: Six-Stage Pipeline

Stage 1: EHR Data Extraction

The agent begins by pulling all relevant clinical data for the patient and the ordered service using FHIR R4 APIs:

# Extract clinical data for PA request
GET /fhir/Patient/123
GET /fhir/Condition?patient=123&clinical-status=active
GET /fhir/MedicationRequest?patient=123&status=active
GET /fhir/Observation?patient=123&category=laboratory&date=ge2025-01-01
GET /fhir/Procedure?patient=123&date=ge2024-01-01
GET /fhir/DocumentReference?patient=123&type=clinical-note&date=ge2025-06-01
GET /fhir/Coverage?patient=123&status=active

For systems like Epic, this uses the Epic on FHIR APIs with SMART on FHIR authorization. For Oracle Health (Cerner), the Millennium FHIR R4 API. Each EHR vendor has specific scopes and data availability that the agent must handle.

Stage 2: Clinical NLP Processing

Unstructured clinical notes contain critical information for medical necessity arguments. The AI agent uses clinical NLP to extract:

• Named entities: diagnoses, medications, procedures, anatomical locations
• Temporal relationships: “conservative treatment for 6 weeks with no improvement”
• Medical necessity indicators: “failed physical therapy,” “progressive neurological deficit”
• ICD-10 and CPT mapping: converting narrative text to standardized codes

class ClinicalNLPProcessor:
    def extract_pa_evidence(self, clinical_notes, pa_context):
        # 1. Entity extraction (diagnoses, treatments, outcomes)
        entities = self.ner_model.extract(clinical_notes)

        # 2. Temporal reasoning (treatment timelines)
        timeline = self.temporal_parser.build_timeline(entities)

        # 3. Medical necessity classification
        necessity_score = self.necessity_classifier.score(
            diagnosis=entities.primary_diagnosis,
            requested_service=pa_context.current_order,
            prior_treatments=timeline.conservative_treatments,
            clinical_indicators=entities.severity_markers
        )

        # 4. Code mapping (NLP text -> ICD-10/CPT)
        icd_codes = self.code_mapper.map_diagnoses(entities.diagnoses)
        cpt_code = self.code_mapper.map_procedure(pa_context.current_order)

        return PAEvidence(
            diagnosis_codes=icd_codes,
            procedure_code=cpt_code,
            medical_necessity_score=necessity_score,
            supporting_timeline=timeline,
            extracted_entities=entities
        )

Stage 3: Policy Matching

Every payer has different rules for what requires prior authorization and what clinical criteria must be met. The agent maintains a policy knowledge base:

• LCD/NCD lookup: Medicare Local and National Coverage Determinations
• Commercial payer medical policies: Aetna, UnitedHealthcare, Cigna, Anthem, etc.
• Clinical guidelines: InterQual, MCG (Milliman Care Guidelines), Hayes
• Formulary data: For medication PAs, checking step therapy requirements

Using RAG (Retrieval-Augmented Generation), the agent retrieves the relevant policy sections and evaluates whether the clinical evidence meets the payer's criteria. This is where LLMs with medical knowledge add the most value — they can reason across policy language and clinical data in ways that rule-based systems cannot.

Stage 4: Packet Assembly

The agent constructs the PAS Request Bundle conforming to the Da Vinci PAS profiles:

• Builds the Claim resource with the correct type, use (preauthorization), and service items
• Attaches QuestionnaireResponse from DTR (or the agent's own form completion)
• Includes all referenced resources: Patient, Practitioner, Coverage, Organization, ServiceRequest, Encounter
• Attaches supporting clinical documents: relevant notes, lab results, imaging reports as DocumentReference resources
• Validates the bundle against PAS profiles before submission

Stage 5: Submission and Tracking

The agent submits via the PAS $submit operation and enters a tracking loop:

async def submit_and_track(pas_bundle):
    # Submit the bundle
    response = await fhir_client.post(
        "/Claim/$submit",
        body=pas_bundle
    )

    claim_response = parse_claim_response(response)

    if claim_response.outcome == "complete":
        if claim_response.disposition == "approved":
            return AuthorizationResult(
                status="approved",
                auth_number=claim_response.preAuthRef,
                valid_through=claim_response.preAuthPeriod.end
            )
        else:
            return AuthorizationResult(
                status="denied",
                reasons=claim_response.errors
            )

    # Pended - poll via $inquire
    while claim_response.outcome == "queued":
        await asyncio.sleep(3600)  # Check hourly
        claim_response = await fhir_client.post(
            "/Claim/$inquire",
            body={"identifier": claim_response.id}
        )

        # Check for CommunicationRequest (additional info needed)
        comm_requests = await check_communication_requests(claim_response)
        if comm_requests:
            await handle_additional_info_requests(comm_requests)

    return parse_final_result(claim_response)

Stage 6: Appeal Management

When a request is denied, the agent analyzes the denial reason and determines the best appeal strategy:

• Missing information: Re-gather and resubmit with additional clinical evidence
• Medical necessity dispute: Compile stronger clinical argument with peer-reviewed literature citations
• Coding error: Correct ICD-10/CPT codes and resubmit
• Peer-to-peer review: Schedule and prepare the physician for the P2P call with the payer's medical director
• External review: Escalate to independent review organization (IRO) when internal appeals are exhausted

5. FHIR Resources for Prior Authorization

Understanding the key FHIR resources is essential for implementing Da Vinci PAS. Here is how each resource maps to the prior authorization workflow:

Claim (PAS Request)

The Claim resource is repurposed for prior authorization by setting use: "preauthorization". Key fields:

{
  "resourceType": "Claim",
  "status": "active",
  "type": {
    "coding": [{
      "system": "http://terminology.hl7.org/CodeSystem/claim-type",
      "code": "professional"
    }]
  },
  "use": "preauthorization",
  "patient": { "reference": "Patient/pat-001" },
  "created": "2026-03-19",
  "provider": { "reference": "PractitionerRole/pr-001" },
  "insurer": { "reference": "Organization/payer-001" },
  "priority": { "coding": [{ "code": "normal" }] },
  "insurance": [{
    "sequence": 1,
    "focal": true,
    "coverage": { "reference": "Coverage/cov-001" }
  }],
  "item": [{
    "sequence": 1,
    "productOrService": {
      "coding": [{
        "system": "http://www.ama-assn.org/go/cpt",
        "code": "27447",
        "display": "Total Knee Arthroplasty"
      }]
    },
    "diagnosisSequence": [1],
    "servicedDate": "2026-04-15"
  }],
  "diagnosis": [{
    "sequence": 1,
    "diagnosisCodeableConcept": {
      "coding": [{
        "system": "http://hl7.org/fhir/sid/icd-10-cm",
        "code": "M17.11",
        "display": "Primary osteoarthritis, right knee"
      }]
    }
  }]
}

ClaimResponse (PAS Response)

The payer returns a ClaimResponse with the authorization decision:

{
  "resourceType": "ClaimResponse",
  "status": "active",
  "type": { "coding": [{ "code": "professional" }] },
  "use": "preauthorization",
  "patient": { "reference": "Patient/pat-001" },
  "created": "2026-03-20",
  "insurer": { "reference": "Organization/payer-001" },
  "outcome": "complete",
  "disposition": "Approved",
  "preAuthRef": "PA-2026-0319-7842",
  "preAuthPeriod": {
    "start": "2026-03-20",
    "end": "2026-06-20"
  },
  "item": [{
    "itemSequence": 1,
    "adjudication": [{
      "category": { "coding": [{ "code": "submitted" }] },
      "reason": {
        "coding": [{
          "code": "AR",
          "display": "Approved as Requested"
        }]
      }
    }]
  }]
}

Task (PA Status Tracking)

For pended requests, the Task resource manages the ongoing communication:

• status: requested, received, accepted, in-progress, completed, failed
• intent: order
• requester: the provider organization
• owner: the payer organization
• reasonReference: link back to the original Claim

CommunicationRequest (Additional Information)

When the payer needs additional information to make a decision, they create a CommunicationRequest specifying exactly what documents or data points are needed. The AI agent can automatically respond to many of these requests by querying the EHR for the requested information.

6. Integration with Major EHRs

Implementing prior auth automation requires deep integration with EHR systems. Here is how the major vendors handle it:

Epic

Epic's prior authorization module integrates with Da Vinci through:

• Epic on FHIR APIs for clinical data access (R4, including US Core profiles)
• CDS Hooks support for CRD integration (order-select, order-sign hooks)
• SMART on FHIR app launch for DTR questionnaire rendering
• Payer Platform for direct electronic PA submission
• Charge Router for identifying PA requirements during order entry

Epic's api/FHIR/R4/ endpoint supports the key resources: Patient, Condition, MedicationRequest, ServiceRequest, Coverage, and DocumentReference. The agent authenticates via SMART on FHIR backend services (client credentials grant).

Oracle Health (Cerner)

Oracle Health's Millennium platform supports:

• Millennium FHIR R4 API with comprehensive clinical resource support
• CDS Hooks integration through Oracle's CDS framework
• SMART on FHIR launch context for third-party DTR applications
• PowerChart integration for surfacing PA requirements in the physician workflow

Cross-EHR Considerations

Building a prior auth agent that works across EHR systems requires handling:

• Scope variations: Epic uses patient/*.read scopes; Oracle Health uses system/*.read for backend access
• Data availability: Not all clinical data is exposed via FHIR. Some EHRs require proprietary APIs for certain data types
• Terminology differences: The same clinical concept may be coded differently across systems
• Launch context: SMART on FHIR launch parameters vary by EHR vendor

7. AI for Clinical Data Extraction

The most impactful application of AI in prior authorization is extracting structured evidence from unstructured clinical notes. Approximately 80% of clinical data exists as free text, and this is exactly the data that supports medical necessity arguments.

NLP Pipeline for Prior Auth Evidence

A production clinical NLP pipeline for prior authorization includes:

1. Document Classification: Identify which notes are relevant (progress notes, operative reports, radiology reports)
2. Section Segmentation: Parse clinical notes into sections (History of Present Illness, Assessment, Plan)
3. Named Entity Recognition (NER): Extract diseases, medications, procedures, lab values, vital signs
4. Relation Extraction: Connect entities (“patient failed metformin 1000mg BID for 3 months”)
5. Temporal Reasoning: Build treatment timelines (“conservative therapy January-March 2026 with no improvement”)
6. Medical Necessity Scoring: Evaluate whether extracted evidence meets payer criteria

LLM + RAG for Policy Interpretation

Large Language Models combined with Retrieval-Augmented Generation are particularly effective for:

• Policy document parsing: Extracting specific coverage criteria from dense policy manuals (LCD/NCDs, commercial medical policies)
• Evidence-to-criteria matching: Determining whether a patient's clinical history satisfies payer-specific requirements
• Appeal letter generation: Drafting clinically accurate appeal letters that cite relevant guidelines and patient-specific evidence
• P2P preparation: Generating talking points for peer-to-peer review calls

8. Compliance: State AI Oversight Laws

As AI adoption in prior authorization accelerates, states are passing laws to ensure human oversight of automated clinical decisions. Health system CTOs must design AI agents that comply with these emerging requirements:

Texas HB 1709 (Effective September 2025)

• Requires human review of any AI-generated prior authorization denial before it is issued
• The reviewing physician must be licensed in the same specialty as the treating physician
• Applies to all health plans and utilization review agents operating in Texas
• Payers must disclose when AI was used in making a PA decision

Arizona SB 1253 (Effective 2025)

• Prohibits insurers from using AI as the sole basis for denying a prior authorization request
• Requires clinical peer review by a licensed physician before any AI-recommended denial is finalized
• Mandates transparency: patients must be told if AI was involved in the decision

Maryland (SB 601)

• Requires insurers to ensure AI tools used in utilization review are regularly validated for accuracy and fairness
• Mandates disclosure of AI use in PA decisions
• Requires an appeals process that includes human physician review

Emerging Trends Across States

Colorado, California, New York, and Illinois have all introduced legislation addressing AI in healthcare decisions. The common themes are:

• Human-in-the-loop requirement: AI can recommend but cannot make final denial decisions without physician review
• Transparency mandates: Patients and providers must be informed when AI is used
• Specialty matching: The reviewing physician must have relevant clinical expertise
• Audit trail requirements: AI decision logs must be maintained and available for regulatory review
• Bias monitoring: Regular assessment of AI tools for demographic or diagnostic bias

What This Means for AI Agent Architecture

Any AI prior auth agent deployed in production must include:

class ComplianceLayer:
    # Ensure AI PA decisions comply with state oversight laws.

    def process_decision(self, ai_recommendation, patient_state):
        # Route AI decisions through required human review.
        state_rules = self.get_state_rules(patient_state)

        if ai_recommendation.action == "deny":
            if state_rules.requires_human_review:
                # Route to physician reviewer
                return self.create_review_task(
                    recommendation=ai_recommendation,
                    required_specialty=state_rules.specialty_match,
                    disclosure_required=state_rules.transparency_mandate
                )

        # Log AI involvement for audit trail
        self.audit_log.record(
            decision=ai_recommendation,
            ai_model_version=self.model_version,
            patient_state=patient_state,
            applicable_laws=state_rules.citations
        )

        return ai_recommendation

9. Build vs Buy Analysis

The build-vs-buy decision for prior auth automation depends on your organization's scale, technical capability, and strategic priorities.

When to Build

• Large health systems (500+ beds) with dedicated engineering teams
• Organizations with unique payer mix or specialty-specific PA requirements
• Those wanting to own the IP and build competitive advantage through proprietary AI
• Systems already invested in FHIR infrastructure (Da Vinci IGs, SMART on FHIR)
• Budget: $800K-$1.5M Year 1 for a 4-6 person engineering team, 12-18 months to MVP

When to Buy

• Mid-size practices and hospitals (50-500 beds) without deep FHIR expertise
• Organizations needing fast time-to-value (3-6 month deployment)
• Those wanting pre-built payer integrations (350+ payer network out of the box)
• Systems prioritizing compliance out of the box (SOC 2, HIPAA, state law compliance)
• Budget: $200K-$500K Year 1 for licensing plus integration costs

The Hybrid Approach (Recommended)

Most health systems benefit from a hybrid strategy:

1. Buy the PA automation platform for payer connectivity, rules engine, and submission workflow
2. Build custom clinical NLP tailored to your specialty mix and documentation patterns
3. Build EHR-specific integrations that leverage your existing Epic/Oracle Health infrastructure
4. Build the AI appeal engine that uses your organization's historical denial data to optimize appeal strategies

Vendor Landscape

Category	Key Vendors	Approach
End-to-End PA Platforms	Olive AI, Cohere Health, Rhyme	Full PA workflow from EHR to payer
FHIR Infrastructure	Smile CDR, Health Gorilla, 1up Health	FHIR server + Da Vinci IG support
Clinical NLP	AWS HealthLake, Google Cloud Healthcare, Azure Health	Entity extraction + code mapping
Clearinghouses	Availity, Change Healthcare, Waystar	Payer connectivity + X12 278
EHR-Native	Epic Payer Platform, Oracle Health PA Module	Built-in EHR PA workflows

10. Frequently Asked Questions

What is the CMS-0057-F prior authorization rule and when does it take effect?

CMS-0057-F is the Interoperability and Prior Authorization Final Rule requiring affected payers (Medicare Advantage, Medicaid, CHIP, QHP issuers) to implement FHIR-based Prior Authorization APIs, respond to standard PA requests within 7 calendar days and urgent requests within 72 hours, provide specific denial reasons, and publicly report PA metrics. Operational provisions began January 1, 2026, with FHIR API requirements effective January 1, 2027.

How do the Da Vinci CRD, DTR, and PAS implementation guides work together?

The three Da Vinci IGs form a pipeline: CRD (Coverage Requirements Discovery) uses CDS Hooks to alert clinicians at the point of order entry whether prior authorization is required. DTR (Documentation Templates and Rules) launches FHIR Questionnaires that auto-populate from EHR data to capture required documentation. PAS (Prior Authorization Support) submits the complete PA request as a FHIR Bundle and returns the payer's authorization decision as a ClaimResponse. Together, they enable fully electronic, standards-based prior authorization.

Can AI fully automate prior authorization decisions, or is human review still required?

AI can automate the data extraction, documentation assembly, policy matching, and submission steps. However, multiple states (Texas HB 1709, Arizona SB 1253, Maryland SB 601) now require human physician review before any AI-generated denial is issued. The recommended architecture uses AI for the heavy lifting (80-90% of the workflow) while routing denial recommendations through a physician reviewer to comply with state oversight laws.

What FHIR resources are used for prior authorization?

The key FHIR R4 resources in the Da Vinci PAS IG are: Claim (with use “preauthorization”) for the PA request, ClaimResponse for the payer's decision, Bundle (collection type) to package the transaction, Task for tracking pended requests, CommunicationRequest for additional information requests, and ServiceRequest/MedicationRequest for the ordered services. Supporting resources include Patient, Practitioner, Coverage, Organization, and DocumentReference.

What does a prior auth automation implementation cost and how long does it take?

Building in-house typically costs $800K-$1.5M in Year 1 with a 12-18 month timeline to MVP. Buying a commercial platform costs $200K-$500K in Year 1 with a 3-6 month deployment timeline. Most organizations benefit from a hybrid approach: buy the PA automation platform for payer connectivity and rules, build custom clinical NLP and EHR-specific workflows. ROI typically reaches 3-5x within 18 months through reduced staff costs, faster authorization turnaround, and fewer denied claims.