
Why Prior Authorization Is a Federal AI Policy Flashpoint
Prior authorization is the administrative mechanism by which insurers require clinicians to obtain approval before delivering certain services, medications, or procedures. In Medicare Advantage, that mechanism now operates at a scale that makes it one of the most consequential — and contested — administrative processes in American healthcare.
Medicare Advantage plans processed approximately 53 million prior authorization requests in 2024, with a denial rate of 7.7 percent. Of those denials that were appealed, 80.7 percent were ultimately overturned — a figure that suggests the initial review process is generating a substantial volume of decisions that do not hold up to scrutiny. That overturn rate is not a minor calibration problem. It is evidence of systematic initial over-denial at scale.
AI has entered this environment as both a proposed solution and a recognized risk. Payers have adopted algorithmic tools to accelerate PA decision-making, reduce administrative costs, and flag low-value care requests. Critics — including patient advocacy organizations, the American College of Physicians, and members of Congress — have argued that these same tools can embed and amplify the patterns driving inappropriate denials, particularly for older, sicker, and lower-income beneficiaries.
Between 2023 and 2025, the Centers for Medicare and Medicaid Services responded with three distinct regulatory instruments. Each addresses a different dimension of the problem. Together, they constitute what this analysis treats as a deliberate, if still evolving, federal strategy to introduce AI and electronic automation into prior authorization while establishing — with varying degrees of rigor — the conditions under which that automation is permissible.
Regulatory Instrument 1 — CMS-4201-F: Guardrails on AI in Medicare Advantage Prior Authorization
CMS-4201-F was finalized in April 2023 and took effect for the 2024 plan year. Its primary target is Medicare Advantage plans that use algorithmic or AI-assisted tools in their prior authorization processes. The rule does not ban AI use in PA — it sets behavioral guardrails on how AI-assisted decisions may be made and what human review must accompany them.
The rule's core requirements operate at two levels. First, it requires that PA decisions be based on the same clinical criteria that apply under traditional Medicare — meaning an MA plan cannot use an AI model trained on more restrictive criteria to deny services that would be covered under fee-for-service. Second, it mandates that decisions account for the individual patient's circumstances, not solely population-level algorithmic outputs.
Critically, the rule prohibits AI from serving as the sole basis for an adverse prior authorization decision. Any denial must involve clinician review. This requirement was intended to prevent the scenario — documented in investigative reporting and OIG findings — in which algorithmic denial tools were generating adverse decisions at rates far exceeding what clinical review would produce, without meaningful human oversight.
- PA decisions must be based on clinical criteria consistent with traditional Medicare coverage standards.
- Decisions must account for the individual patient's specific clinical circumstances.
- AI may not be the sole basis for an adverse PA determination — clinician review is required.
- The rule applies to Medicare Advantage plans; it does not directly regulate the AI vendors supplying tools to those plans.
CMS-4201-F also included a requirement that MA plans conduct and document health equity analyses of their PA processes — examining whether denial patterns differed across demographic groups in ways that could indicate algorithmic disparities. This provision was intended to create a structured accountability mechanism for AI-driven PA.
What CMS-4201-F does not do is equally important to understand. The rule does not require MA plans to disclose which AI system they use, how that system weights clinical criteria, or what its denial rate is by service category. It does not set a minimum clinician review standard beyond the requirement that a clinician be involved. And it does not create a direct enforcement mechanism against AI vendors — only against the MA plans that deploy their tools.
Regulatory Instrument 2 — CMS-0057-F: Mandating the Electronic Infrastructure for Prior Authorization
Where CMS-4201-F regulates how AI may be used in prior authorization decisions, CMS-0057-F operates at a different level entirely: it mandates the electronic infrastructure through which PA decisions flow. Finalized in January 2024, the rule requires covered payers to implement four FHIR R4 application programming interfaces that enable electronic PA exchange between payers, providers, and patients.
The rule applies across a broader payer universe than CMS-4201-F. It covers Medicare Advantage, Medicaid managed care organizations, CHIP, and Qualified Health Plans sold on the federal and state exchanges. Traditional Medicare fee-for-service is not covered by this rule — that context is addressed separately through the WISeR Model.
The compliance timeline is staged. Operational mandates — including the 72-hour urgent and 7-day standard PA decision timelines, specific denial reason requirements, and public metrics reporting obligations — took effect January 1, 2026. Full FHIR API compliance is required by January 1, 2027.
| Requirement | Effective Date | Payer Scope |
|---|---|---|
| 72-hour urgent PA decision timeline | January 1, 2026 | MA, Medicaid MCO, CHIP, QHP |
| 7-day standard PA decision timeline | January 1, 2026 | MA, Medicaid MCO, CHIP, QHP |
| Specific denial reason requirements | January 1, 2026 | MA, Medicaid MCO, CHIP, QHP |
| Public PA metrics reporting | January 1, 2026 | MA, Medicaid MCO, CHIP, QHP |
| FHIR R4 API compliance (four APIs) | January 1, 2027 | MA, Medicaid MCO, CHIP, QHP |
The four FHIR R4 APIs required under CMS-0057-F include a Patient Access API, a Provider Access API, a Payer-to-Payer Data Exchange API, and a Prior Authorization API. The Prior Authorization API is the most directly relevant to AI: it is the channel through which electronic PA requests are submitted, adjudicated, and returned — and it is the data environment within which AI-assisted review tools will increasingly operate.
CMS-0057-F does not itself govern AI. It does not restrict how payers may use algorithmic tools within the electronic PA environment it creates. What it does is establish the data substrate — standardized, machine-readable, auditable — that makes AI-assisted PA technically feasible at scale and that creates the transaction records necessary for future oversight, if CMS or Congress chooses to mandate it.
Regulatory Instrument 3 — The WISeR Model: AI-Assisted Prior Authorization in Traditional Medicare FFS
The WISeR Model — Wasteful and Inappropriate Service Reduction — represents a qualitatively different kind of federal action. Published in the Federal Register in July 2025 and effective January 1, 2026, WISeR is the first CMS program to directly deploy AI-assisted prior authorization review in traditional Medicare fee-for-service. It is not a guardrail on private payer behavior. It is CMS itself using AI as an active participant in PA review.
The model operates in six states and covers more than fifteen service categories. Participating entities — which may include health plans, provider organizations, or other entities meeting CMS participation criteria — use an AI-assisted workflow to review PA requests for services in scope. CMS provides the AI infrastructure; participants integrate it into their review processes.
The payment model structure is central to the policy debate surrounding WISeR. Participants are compensated based on a share of averted expenditures — meaning they receive a portion of the savings generated when AI-assisted review results in a service not being authorized. Patient advocates and the American College of Physicians have argued that this structure creates a direct financial incentive to deny or delay care, regardless of clinical appropriateness.
- Geographic scope: six states (specific states designated in the Federal Register notice).
- Services in scope: more than fifteen service categories subject to AI-assisted PA review.
- AI role: active review tool within the PA workflow, not merely a data exchange infrastructure.
- Payment structure: participant compensation tied to a share of averted expenditures.
- Effective date: January 1, 2026.
The scale context for WISeR matters. Traditional Medicare fee-for-service processed approximately 625,000 prior authorization reviews in 2024, at a denial rate of 22.9 percent. That is a small fraction of the MA PA volume. WISeR will substantially expand the PA universe in participating states — applying AI-assisted review to a population that previously had minimal PA exposure. The clinical and equity implications of that expansion are not yet documented.

Comparing the Three Instruments: Regulatory Theory, Scope, and AI Role
The three instruments are not redundant. They represent three distinct federal theories of how to address AI in prior authorization, operating in parallel across different payer contexts, with different enforcement mechanisms and different roles assigned to AI. Understanding how they differ is essential to understanding what the federal framework actually requires — and what it leaves unaddressed.
| Dimension | CMS-4201-F | CMS-0057-F | WISeR Model |
|---|---|---|---|
| Regulatory theory | Behavioral guardrails on payer AI use | Infrastructure mandate for electronic PA exchange | Direct federal AI deployment in PA review |
| Payer scope | Medicare Advantage only | MA, Medicaid MCO, CHIP, QHP | Traditional Medicare FFS (6 states) |
| AI role | Constrained tool — cannot be sole basis for denial | Data substrate — AI operates within the mandated exchange environment | Active reviewer — AI-assisted workflow for 15+ service categories |
| Human oversight requirement | Clinician review required for adverse decisions | Not specified — rule governs exchange, not review process | Human review role not fully specified in public materials |
| Financial incentive structure | None — guardrail rule, no payment component | None — infrastructure mandate, no payment component | Participants compensated on share of averted expenditures |
| AI transparency requirement | None — no disclosure of AI system or methodology required | None — rule governs data exchange format, not AI use | Not specified in Federal Register notice |
| Health equity safeguard | Health equity analysis required (currently not enforced) | Public metrics reporting creates equity monitoring potential | No comparable equity monitoring requirement identified |
| Enforcement mechanism | CMS oversight of MA plan compliance | CMS oversight of API implementation; HHS enforcement authority | CMS Innovation Center performance monitoring |
| Effective date | Plan year 2024 | Operational mandates: January 1, 2026; APIs: January 1, 2027 | January 1, 2026 |
The most important distinction is between CMS-4201-F and WISeR. CMS-4201-F constrains what private payers may do with AI they have chosen to deploy. WISeR involves CMS itself deploying AI and compensating participants based on the outcomes of that deployment. These are categorically different regulatory postures — one is oversight, the other is direct operation.
CMS-0057-F sits between them. It does not regulate AI directly, but it creates the electronic infrastructure through which AI-assisted PA will increasingly flow. The FHIR APIs it mandates produce structured, machine-readable transaction records — the data environment that makes AI-assisted review technically tractable and that, in principle, makes algorithmic auditing possible if CMS or Congress creates the requirement to do it.
Unresolved Policy Tensions Across the Framework
None of the three instruments fully resolves the core policy tensions that motivated federal action on prior authorization in the first place. Five tensions in particular cut across the framework and are likely to define the policy debate through 2026 and into 2027.
AI Transparency
None of the three rules require payers or program participants to disclose which AI system is being used in PA review, how that system weights clinical criteria, what its training data consisted of, or what its denial rate is by service category or demographic group. CMS-4201-F requires that decisions be based on appropriate clinical criteria, but it does not require that the algorithmic methodology producing those decisions be disclosed to providers, patients, or regulators in any structured form.
This transparency gap is not a minor technical oversight. Without disclosure of the AI system and its operational parameters, it is not possible for a provider to meaningfully contest an AI-assisted denial, for a researcher to audit denial patterns, or for a regulator to determine whether the clinical criteria requirement is being honored in practice.
Financial Conflict of Interest in WISeR
The WISeR payment model — compensating participants on a share of averted expenditures — has drawn criticism from patient advocacy organizations and the American College of Physicians precisely because it creates a structural financial incentive to deny or delay services. The incentive exists regardless of whether the AI-assisted review is clinically appropriate. A participant that uses AI to deny a service that would have been appropriate receives the same financial reward as one that correctly identifies low-value care.
CMS has framed WISeR as a model for reducing wasteful and inappropriate services. Critics have argued that the payment design conflates cost reduction with appropriate care, and that without robust appeals monitoring and independent clinical review of denied services, the model cannot distinguish between the two.
Health Equity
The June 2025 non-enforcement of the CMS-4201-F health equity analysis requirement removed the primary regulatory safeguard against AI-driven disparities in Medicare Advantage prior authorization. MA plans are no longer required to examine whether their AI-assisted PA processes produce differential denial rates across demographic groups.
WISeR has no comparable equity monitoring requirement identified in its Federal Register notice. The public metrics reporting requirement under CMS-0057-F creates the potential for equity analysis — if CMS or researchers use the published data to examine denial rates by beneficiary characteristics — but the rule does not mandate that payers conduct or publish equity analyses themselves.
The result is a framework that has simultaneously expanded AI's role in PA review and weakened the primary mechanism for detecting whether that expansion is producing disparate outcomes.
Provider Administrative Burden
Electronic PA through FHIR APIs reduces some of the fax-and-phone friction that has made prior authorization one of the most time-consuming administrative processes in clinical practice. AMA survey data has consistently documented that PA compliance consumes substantial physician and staff time per week — time that is not recovered simply by making the submission process electronic.
Electronic PA changes the channel of the request; it does not change the clinical workload of documenting medical necessity, responding to additional information requests, or managing the appeals process when AI-assisted initial review produces a denial. For practices with high PA volume, the net administrative burden reduction from CMS-0057-F compliance may be modest.
Appeals Accuracy and Systematic Over-Denial
The 80.7 percent MA appeal overturn rate is the most direct evidence that the current PA review process — with or without AI — is generating a substantial volume of initial decisions that do not reflect appropriate clinical criteria. None of the three regulatory instruments directly addresses this metric. CMS-4201-F requires clinician review of adverse decisions but does not set a standard for what that review must accomplish. CMS-0057-F requires public metrics reporting but does not set a maximum acceptable denial rate or overturn rate. WISeR has no published appeals monitoring framework.
Open Questions for 2026–2027
The three-instrument framework described in this article is a snapshot of a policy environment that is actively evolving. Several questions remain genuinely unresolved as of mid-2026, and their answers will determine whether the federal strategy on AI and prior authorization produces the access and efficiency improvements CMS has described — or whether it amplifies the problems it was designed to address.
- Congressional action on PA legislation: Pending prior authorization legislation — including bills modeled on the Improving Seniors' Timely Access to Care Act — would codify some CMS-4201-F requirements into statute and extend them to traditional Medicare. Whether Congress acts in the 119th session remains an open question.
- WISeR expansion: CMS has not announced criteria for expanding WISeR to additional states or service categories. Early outcome data — if CMS publishes interim performance reports — will be the primary basis for any expansion decision. As of publication, no such data is publicly available.
- Health equity analysis reinstatement: The June 2025 non-enforcement of the CMS-4201-F health equity requirement could be reversed by a future administration or codified into regulation. It could also be replaced by a different equity monitoring framework. Neither outcome is currently proposed.
- FHIR API compliance readiness: The January 2027 API compliance deadline under CMS-0057-F is the next major implementation milestone. Whether payers — particularly smaller Medicaid managed care organizations and QHP issuers — will achieve full FHIR R4 compliance on schedule is uncertain. CMS has not signaled enforcement flexibility for the API deadline.
- AI-specific guidance for WISeR participants: The Federal Register notice establishing WISeR does not provide detailed guidance on how participants must document AI-assisted review decisions, what appeals rights apply to WISeR-reviewed services, or how CMS will audit the clinical appropriateness of AI-assisted denials. Additional sub-regulatory guidance may be issued as the model matures.
- AI transparency requirements: No current federal rule requires payers to disclose the AI systems used in PA review. Whether CMS, ONC, or Congress will establish AI disclosure requirements — analogous to the FDA's transparency expectations for AI-enabled medical devices — is an open legislative and regulatory question.
The federal framework on AI and prior authorization is more developed than it was two years ago, and less developed than its proponents would like. CMS has articulated a theory of action across three instruments, but the enforcement mechanisms, equity safeguards, and transparency requirements that would make that theory verifiable in practice remain incomplete. The policy debate is not over whether AI will be used in prior authorization — it will be, and at increasing scale. The debate is over the conditions under which that use is accountable to the patients and providers it affects.