Jacob Nardini
← All articles

Prior Auth's Regulatory Clock Is Ticking — For Payers and Providers

June 2026 · Healthcare

Prior authorization has been healthcare's most-hated workflow for a generation. Staff manually check each payer's idiosyncratic requirements, compile clinical documentation from half a dozen places in the chart, submit by fax or portal, and then spend days chasing a status that arrives — when it arrives — with no warning. The AMA's annual survey puts hard numbers on the misery: physicians and their staff spend around 13 hours a week on prior authorization, roughly two full business days, handling something like 39 or 40 requests per physician per week. Four in ten practices employ staff who do nothing but prior auth.

That much has been true for years. What's different in 2026 is that the regulatory environment has finally put a clock on it — and the clock runs against both sides of the transaction at once. That's the part most people miss, and it's what makes this the most time-sensitive AI opportunity in healthcare operations right now.

The burden isn't just administrative — it's clinical

It would be easy to file prior auth under "annoying paperwork," but the survey data makes clear it's a patient-safety issue. In the AMA's most recent figures, 93% of physicians said prior authorization delays necessary care, 82% said it can lead patients to abandon treatment entirely, and more than one in four reported that prior auth had led to a serious adverse event — a hospitalization, permanent harm, or worse — for a patient in their care. The overwhelming majority say it contributes to burnout, and nearly three-quarters say denials have only risen over the past five years.

That clinical weight matters for how you scope an AI project here, because it tells you where the value is and where the danger is. The pain is real and measurable, which makes the workflow fundable. But the same stakes that make it worth fixing are exactly why the fix has to keep a clinician in control of every actual decision. Hold that tension; it's the whole article.

Which specialties feel it most

The burden isn't evenly distributed, and that's useful, because it tells you where a focused project pays off first. A handful of specialties carry the heaviest authorization load. Oncology is the sharpest case: regimens lean on expensive biologics and advanced diagnostics that payers almost always review, and here a delay isn't merely an inconvenience — even a one-to-three-week wait to start guideline-based treatment is associated with worse disease control and lower survival, which is about as high as the stakes get for what is, on paper, a paperwork problem. Advanced imaging — MRI, CT, PET — generates enormous authorization volume because it's routinely flagged for cost-based review, so the bottleneck there is throughput more than complexity. Orthopedics and cardiology sit in between, with high volumes of procedures and devices that demand documentation-heavy submissions. Behavioral health is its own quiet crisis: prior authorization has been linked to treatment interruptions and higher relapse among psychiatric and substance-use patients, populations for whom a gap in care is especially dangerous.

For an operations leader, the practical implication is to start where the volume and the pain concentrate. A pipeline scoped to one high-PA service line — imaging, say, where the requests are numerous and relatively patterned — proves the model and banks real capacity before you extend it to the messier, higher-judgment specialties. The worst version of this project tries to cover every specialty and every payer at once. The best version earns its credibility on a narrow, high-volume slice first.

The new rules of the game

The CMS Interoperability and Prior Authorization Final Rule — CMS-0057-F, published in early 2024 — is the forcing function. It applies to Medicare Advantage plans, Medicaid and CHIP (both fee-for-service and managed care), and qualified health plans on the federal exchanges, which together cover a large share of the country. It lands in two waves, and both are close.

The first wave is already here. As of January 1, 2026, affected payers must decide expedited prior authorization requests within 72 hours and standard requests within seven calendar days — the standard window cut in half from the old fourteen-day maximum — and they must give a specific reason for every denial, regardless of how the request came in. Payers also have to begin publicly reporting their prior authorization metrics, with the first reporting due by spring 2026. That last requirement is quietly the sharpest: approval rates, denial rates, and decision times are about to become visible, comparable, and embarrassing for laggards.

The second wave lands January 1, 2027, when the rule's FHIR-based API requirements take effect. Affected payers must stand up a set of standardized interfaces — including a dedicated Prior Authorization API that lets a provider's system ask, electronically, whether an authorization is required, learn exactly what documentation is needed, and exchange the request and decision without a fax machine in sight. Done right, this makes prior authorization machine-readable end to end. CMS estimates the rule will save providers and payers on the order of $15 billion over ten years.

Put the two waves together and you get a roughly 18-month window in which both sides of the transaction urgently need new capability:

Where AI fits — and where it shouldn't

For the specialties that carry the heaviest authorization load — oncology, advanced imaging, orthopedics, behavioral health, cardiology — the assistive playbook is clear and, importantly, doesn't require touching a coverage decision:

The metrics are concrete and already meaningful to an operations leader: prior authorization turnaround time, staff hours per authorization, and the no-auth denial rate that bleeds revenue downstream when care is delivered without an approval on file. Vendors report large reductions on all three; treat those figures as illustrative rather than guaranteed, and measure your own.

What AI must not do is make the authorization decision. Coverage determinations are under intense regulatory and public scrutiny, and automated denial-making is precisely the use case regulators are now fencing off. CMS has clarified that a Medicare Advantage plan cannot deny care on medical-necessity grounds based on an algorithm that ignores a patient's individual circumstances; California's "Physicians Make Decisions Act," effective at the start of 2025, requires that a licensed clinician — not software alone — make any medical-necessity denial, and other states are following. The high-profile lawsuits over payers' own denial algorithms are the cautionary tale the whole industry is watching. The bright line is clean: AI is on solid ground for assembly, retrieval, and tracking; it is legally and ethically fraught the moment it makes the call. The well-designed systems keep clinical judgment human and make everything around it fast.

Building for the API future

It's tempting to treat the 2027 API mandate as the payers' problem — they're the ones who have to stand up the interfaces. But the providers who benefit most will be the ones who restructured their own side to exploit them. A Prior Authorization API that can tell you electronically, in something close to real time, whether an authorization is required and exactly what documentation it needs is only valuable if your systems can ask the question and assemble the answer automatically. If your requirement-checking and documentation-gathering are still manual, the API just moves the fax online.

So the work for the next eighteen months isn't "wait for the APIs." It's to build the structured layer that will plug into them: a clean, current map of payer requirements; automated retrieval of clinical documentation from the EHR; and status tracking that can consume an electronic decision instead of a portal refresh. Organizations that do this arrive at the 2027 deadline able to flip a switch, while those that waited are still hand-keying their way through the transition. And the same structured layer pays off immediately — long before any API exists, it cuts turnaround and staff hours under today's manual process. That's the rare modernization where the interim state and the end state both deliver, which is exactly why it rewards starting now instead of at the deadline.

The payer's side of the clock

It's worth dwelling on the payer angle, because it's where a lot of the near-term demand actually sits. A utilization-management team that comfortably met a fourteen-day standard does not automatically meet a seven-day one, let alone 72 hours for urgent cases, with the same headcount and the same manual intake. The options are more staff, restructured shifts, or automation of the parts that don't require clinical judgment — triage, requirement-matching, documentation intake, and the routing that gets a complete file in front of a reviewing clinician faster.

And the public reporting raises the cost of getting it wrong. When decision times and denial rates become comparable across plans, slow becomes a number a regulator, an employer group, and a competitor can all see. That combination — a hard operational deadline plus public scorekeeping — is exactly the kind of pressure that turns a "someday" modernization project into a funded one with a sponsor and a date.

Where to start

If you're a provider, pick one high-volume, high-PA service line and instrument the current process before you change anything — capture today's turnaround time, staff hours per authorization, and no-auth denial rate, because those are the numbers that will justify the build and, later, prove it worked. Then deploy the assistive layer on that one line: requirement checklists, documentation retrieval, pre-populated drafts, automated status tracking. Measure for a quarter. If turnaround and staff hours drop while the no-auth denial rate holds or improves, you extend to the next specialty; if they don't, you've learned it cheaply on a contained scope.

If you're a payer, the sequencing is similar but the clock is louder. Model your current decision times against the seven-day and 72-hour requirements, find where the manual review queue actually backs up, and automate the non-clinical front end — intake, requirement-matching, completeness checks — so that complete, well-organized files reach a reviewing clinician faster. In both cases the principle is identical: automate the assembly and the tracking, keep the clinical decision firmly human, and let the metrics earn each next phase of the build rather than betting the whole budget up front.

An 18-month window

Regulatory deadlines have a way of converting interesting-someday projects into funded-now ones, and this one has a particularly clean logic. The organizations that build structured prior authorization workflows over the next year and a half will meet the 2027 API mandate as a milestone rather than a scramble — and along the way they'll have banked eighteen months of recovered staff capacity, faster turnaround, and lower no-auth denial rates. The ones that wait will be retrofitting under a deadline while their competitors are already running.

The reassuring part, for an operations leader weighing the risk, is that none of this is frontier technology. Document retrieval, requirement-matching, and status automation are mature; the hard part was never the model. It's the disciplined, unglamorous work of mapping each payer's requirements, wiring the pipeline to the EHR, keeping a clinician firmly in the decision seat, and earning the staff's trust. Do that, and the most-hated workflow in healthcare becomes one of the cleaner wins available — fast where it should be fast, human where it has to be human, and, for once, ahead of the clock instead of behind it.