Quick Answer

How prior authorization works

Prior authorization is a payer requirement that the provider obtain pre-service approval for specific procedures, drugs, or imaging studies. The process: provider submits a PA request (often via fax, payer portal, or X12 278 transaction); payer reviews against medical necessity criteria and either approves, denies, or requests more information; an approved PA generates an authorization number that must be billed on the claim. CMS's January 2024 Final Rule (CMS-0057-F) requires impacted payers to respond to expedited PA requests within 72 hours and standard requests within 7 calendar days, effective January 1, 2026 for some entities and January 1, 2027 for others.

  • PA = payer pre-service approval for specific services
  • X12 278 is the EDI transaction for PA requests
  • CMS Final Rule: 72 hours expedited, 7 days standard
  • Without approved PA, claim denies CARC 197
The Prior Authorization Process, Explained

Prior authorization is the payer process most likely to delay care, drag down clean claim rate, and burn out front-office staff. The American Medical Association's 2023 PA survey reported physicians spent an average of 12 hours per week on prior authorization tasks and that 24% of physicians reported PA-related serious adverse patient events. The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F), issued January 2024, sets new payer response time standards effective in 2026 and 2027 — and changes some of the operational dynamics this guide describes.

What Prior Authorization Actually Is

Prior authorization (also called precertification, preauthorization, or prior approval) is a payer's requirement that a provider obtain pre-service approval before delivering specific services. The payer reviews the planned service against its medical necessity criteria, typically Milliman Care Guidelines (MCG), InterQual, or proprietary medical policy, and either approves, denies, or requests additional documentation. An approved PA generates an authorization number that must be included on the resulting claim, usually in Loop 2300 REF*G1 of the 837P (or in Box 23 of the paper CMS-1500). Without an approved PA on file before the date of service, the claim is denied with CARC 197 (precertification/notification absent) and under most contracts generally cannot be billed to the patient, so the provider absorbs the loss.

The CMS Final Rule (CMS-0057-F)

The CMS Interoperability and Prior Authorization Final Rule, issued January 17, 2024, applies to Medicare Advantage organizations, Medicaid managed care plans, CHIP managed care plans, state Medicaid and CHIP fee-for-service programs, and Qualified Health Plan issuers on the federally-facilitated exchanges. The rule requires impacted payers to respond to expedited prior authorization requests within 72 hours, standard requests within 7 calendar days, provide a specific reason for any denial, build and maintain a FHIR-based Prior Authorization API, and publicly report PA metrics annually starting in 2026. Compliance dates are January 1, 2026 for the operational requirements (response times, denial reasons, public metrics) and January 1, 2027 for the FHIR API. Notably, the rule does not apply to commercial group plans not on the federal exchanges — many large commercial payers remain governed only by state-level prompt-decision laws.

The X12 278 Transaction

The X12 278 is the EDI transaction standard for prior authorization request and response, defined under HIPAA at 45 CFR 162.1302. The 278 Request carries patient identifiers, ordering provider NPI, rendering provider NPI, requested service (CPT/HCPCS), diagnosis codes, and supporting clinical information. The 278 Response returns approval, denial, or pended status with a certification number when approved. Despite being a HIPAA-mandated standard, real-world adoption is uneven — many payers still require fax submissions, web portal entry, or proprietary forms, and a significant share of PAs are still processed manually rather than through the 278. The CMS Final Rule's FHIR API requirement (effective 2027) is intended to replace the 278 with a more modern standard for the impacted payers, but the 278 remains the formal HIPAA requirement until then.

Which Services Typically Require PA

PA requirements vary by payer but cluster around predictable service categories:

  • Advanced imaging (CT, MRI, PET, nuclear medicine), required by nearly all commercial payers and Medicare Advantage plans, typically via radiology benefits managers like eviCore, AIM Specialty Health, or HealthHelp.
  • Elective surgical procedures, including joint replacement, spinal fusion, bariatric surgery, bunionectomy, and most cosmetic procedures.
  • High-cost specialty drugs (biologics, infusions, oncology drugs).
  • Genetic testing, particularly multi-gene panels and pharmacogenomic testing.
  • Behavioral health services above specific thresholds (60-minute psychotherapy CPT 90837 for some payers, intensive outpatient programs, partial hospitalization).
  • Durable medical equipment over specific dollar thresholds.
  • Certain physical therapy regimens beyond a specific number of visits.

Medicare Fee-for-Service has historically required PA for fewer services than commercial payers but has been expanding the list; the 2024 rule expanded PA requirements for hospital outpatient department services.

The Operational Workflow That Works

Practices that clear PAs reliably operate the same workflow. At scheduling, the front-office staffer or scheduler runs a benefits check (270/271 or payer portal) that returns whether PA is required for the planned service. If PA is required, the request is submitted through the payer's preferred channel within 24 hours of scheduling — earlier is better because elective procedures should be scheduled with PA already in hand. Submitted PAs are tracked in a dashboard with the request date, expected response date, and current status. Pended PAs (payer requested more information) are worked daily until cleared. When the PA is approved, the authorization number is captured in the practice management system attached to the encounter. Every claim that requires a PA is checked against the captured authorization number before submission. Practices that miss any step in this chain — most commonly the capture step — produce a measurable CARC 197 denial pattern.

Why Prior Authorizations Fail

Five failure patterns produce most CARC 197 denials. First, the PA was never requested — usually because the scheduling team did not check whether the service required PA. Second, the PA was requested but not yet approved when the service was delivered, and the payer denied it on adjudication despite the pending status. Third, the PA was approved for a different CPT code than what was ultimately performed (frequently in surgery — the planned procedure differs from the documented procedure). Fourth, the PA expired before the service date — most PAs are valid for 60-90 days. Fifth, the PA number was not captured on the claim, even though it was approved. The fifth failure is the most preventable and the most common — the data exists, it just didn't flow to the 837. A claim scrubbing edit that flags PA-required CPT codes without an authorization number on the claim eliminates this failure entirely.
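A minimal version of the claim scrubbing edit described above, as an added example (not code from the original page or from any vendor's scrubber). It walks an 837P segment stream, treats a claim-level REF*G1 as the authorization number, and flags claims that bill a PA-required code without one; the `PA_REQUIRED` set, the sample claims, and the default delimiters are constructed assumptions.

```python
# Added example: scrub edit for PA-required codes billed without REF*G1.
# PA_REQUIRED is a constructed stand-in for a payer-specific list.
PA_REQUIRED = {"90837", "70551"}

# Constructed 837P fragment: claim loops only, envelope segments omitted.
SAMPLE_837P = (
    "CLM*A1001*250***11:B:1*Y*A*Y*Y~REF*G1*AUTH12345~HI*ABK:F331~"
    "LX*1~SV1*HC:90837*250*UN*1***1~"
    "CLM*A1002*900***11:B:1*Y*A*Y*Y~HI*ABK:R519~"
    "LX*1~SV1*HC:70551*900*UN*1***1~"
    "CLM*A1003*120***11:B:1*Y*A*Y*Y~HI*ABK:J069~"
    "LX*1~SV1*HC:99213*120*UN*1***1~"
    "CLM*A1004*250***11:B:1*Y*A*Y*Y~REF*G1*~HI*ABK:F331~"
    "LX*1~SV1*HC:90837*250*UN*1***1~"
)


def parse_claims(x12, seg_term="~", elem_sep="*", comp_sep=":"):
    """Group segments by claim: CLM opens Loop 2300, LX opens Loop 2400.
    Delimiters are assumed defaults; a real file declares them in ISA."""
    claims, current, in_service_line = [], None, False
    for raw in x12.split(seg_term):
        seg = raw.strip().split(elem_sep)
        if seg[0] == "CLM" and len(seg) > 1:
            current = {"id": seg[1], "auth": None, "codes": []}
            claims.append(current)
            in_service_line = False
        elif current is None:
            continue  # skip anything before the first claim
        elif seg[0] == "LX":
            in_service_line = True
        elif seg[:2] == ["REF", "G1"] and len(seg) > 2 and not in_service_line:
            current["auth"] = seg[2].strip() or None  # blank value = absent
        elif seg[0] == "SV1" and len(seg) > 1:
            parts = seg[1].split(comp_sep)  # e.g. HC:90837 or HC:90837:95
            if len(parts) > 1:
                current["codes"].append(parts[1])
    return claims


def missing_pa(x12, pa_required=PA_REQUIRED):
    """Return (claim id, PA-required codes) for claims with no auth number."""
    flagged = []
    for claim in parse_claims(x12):
        needs = sorted(set(claim["codes"]) & set(pa_required))
        if needs and not claim["auth"]:
            flagged.append((claim["id"], needs))
    return flagged
```

Service-line (Loop 2400) authorization numbers are deliberately ignored here because the page places the number in Loop 2300 REF*G1; a blank REF*G1 value is treated the same as a missing segment.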

Appeals and Peer-to-Peer Review

When a PA is denied, the provider has two recovery pathways. First, the formal appeal — submit additional documentation to the payer and request reconsideration. Appeals follow the payer's published timeline, which under the CMS Final Rule must be 30 days for Medicare Advantage standard external review, with most commercial appeal timelines in the same range. Second, peer-to-peer review — the ordering physician speaks directly with the payer's medical director to discuss medical necessity. Peer-to-peer is often the faster and higher-yield path for clinically complex cases; many payers will reverse the denial during the call. The AMA's 2023 PA survey reports peer-to-peer recovery rates around 50-65% for surgical and imaging cases. The downside is the physician time cost — typically 15-30 minutes per case, plus scheduling overhead.

Common Questions

What is the difference between prior authorization and precertification?

The terms are functionally interchangeable in U.S. medical billing. Prior authorization, precertification, preauthorization, and prior approval all refer to the same process: a payer requirement that a provider obtain pre-service approval before delivering a specific service. Different payers use different terms — Aetna and many BCBS plans say 'precertification,' UnitedHealthcare and Cigna say 'prior authorization,' Medicare uses 'prior authorization' formally. The HIPAA EDI standard transaction is the X12 278, regardless of what the payer calls it. CARC 197 (precertification/notification absent) covers all of these scenarios on a denial. The only meaningful distinction in some contexts is 'notification' — some payers require the provider to notify them of a service in advance without a formal approval step, which is technically different from prior authorization but produces the same denial code on a claim.

How long does prior authorization take?

Standard prior authorization response times historically range from 3 to 14 business days for non-urgent requests and 24 to 72 hours for urgent or expedited requests. The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F), effective January 1, 2026 for impacted payers, sets a federal floor of 72 hours for expedited requests and 7 calendar days for standard requests. The rule applies to Medicare Advantage, Medicaid managed care, CHIP managed care, and Qualified Health Plans on the federal exchanges. Commercial group plans not covered by the rule remain governed by state prompt-decision laws, which vary widely — some states require 5 business days for standard requests, others have no specific timeline. Submitting PA requests as far in advance of the planned service as possible is the most reliable mitigation; elective surgery PAs should be filed within 24 hours of scheduling.

What happens if I deliver a service without prior authorization?

If a service required prior authorization and the PA was not obtained before delivery, the claim will be denied with CARC 197 (precertification/notification absent). Under most payer contracts, the practice cannot bill the patient for the denied amount because the patient was not informed in advance that the service was non-covered absent PA. The practice absorbs the entire loss as a write-off. Some payers allow retroactive PA in limited circumstances — typically when the service was emergent or when extraordinary circumstances prevented advance request — but retroactive PA is rare and not reliable. The operational rule is simple: never deliver a service flagged as PA-required without an approved authorization number on file. If the PA was requested and is still pending, postpone the elective service rather than proceeding and absorbing the denial risk.

Does Medicare require prior authorization?

Traditional Medicare Fee-for-Service has historically required prior authorization for fewer services than commercial payers and Medicare Advantage. CMS has been expanding the list — current Medicare FFS PA requirements include certain power mobility devices under 42 CFR 410.38, certain non-emergent ambulance transports, certain hospital outpatient department services added under the 2020 final rule (cervical fusion with disc removal, implanted spinal neurostimulators, vein ablation, and others), and home health services in specific demonstration regions. Medicare Advantage plans, in contrast, regularly impose PA requirements similar to commercial plans, and the CMS Interoperability and Prior Authorization Final Rule (effective 2026 for impacted payers) applies fully to MA. A practice billing both Traditional Medicare and Medicare Advantage cannot assume the same PA rules apply — they don't.

What is a peer-to-peer review and when should I request one?

A peer-to-peer review is a phone discussion between the ordering physician and the payer's medical director or designated reviewing physician about medical necessity for a denied prior authorization or appeal. Peer-to-peer is typically requested after a PA has been denied and before pursuing a formal external appeal. The AMA's 2023 prior authorization survey reports peer-to-peer recovery rates in the 50-65% range for surgical and imaging cases, making it one of the higher-yield denial recovery pathways. Request peer-to-peer when the denial is for a clinically complex case where the medical necessity argument requires physician-to-physician dialogue rather than just submitting documentation. Standard documentation appeals work better for clear-cut documentation gaps; peer-to-peer works better for cases where reasonable physicians could disagree on the medical necessity threshold.

Should we outsource prior authorization?

Outsourcing PA work is one of the most defensible outsourcing decisions available to a practice: the work is high-volume, time-consuming, and produces measurable revenue impact when handled well. The American Medical Association's 2023 survey reports physicians spend 12 hours per week on PA-related tasks and 88% of physicians report PA burdens as 'high' or 'extremely high.' Specialty PA work for advanced imaging, surgical procedures, and high-cost specialty drugs requires understanding payer-specific medical policy, the radiology benefits manager landscape (eviCore, AIM, HealthHelp), and the documentation standards each payer's medical director uses. A specialized PA team with these skills typically produces faster turnaround, higher first-pass approval rates, and lower CARC 197 denial volume than a general front-office staffer juggling PAs alongside other duties. Most practices that outsource PA report a measurable reduction in time-to-approval and a 2-4 percentage point improvement in clean claim rate within 90 days.
