CMS-0057-F is a federal rule that forces certain insurance plans to decide prior auth requests faster, explain their denials in plain detail, and by 2027 plug into a standard digital pipe so your doctor can submit requests straight from their software. The first clocks started January 1, 2026. The deeper plumbing arrives January 1, 2027. The single biggest category of insurance in the country, the plan you get through your job, isn't covered at all.

If "prior authorization" already sounds like a foreign language, start with our medical billing 101 and insurance 101 issues, then come back. We'll wait.

Quick cast, in case you're new.

Biscuit is a corgi who sprained his right ankle chasing a squirrel a few issues back (code S93.401A, if you were taking notes).

Dr. Singh is his doctor.

Sage is the border collie who runs Dr. Singh's front office and fights with insurers for a living.

Otis is a French bulldog who reviews prior auth requests at Biscuit's insurance plan, a fictional Medicaid managed care plan we call Pawferred Health.

It’s Wednesday morning. Dr. Singh presses on Biscuit's ankle. Biscuit winces. Dr. Singh frowns and says the four words that start the whole story.

"We need an MRI."

Biscuit knows the drill. Before the MRI can happen, his insurance has to agree in advance that it's medically necessary and worth paying for. That agreement is the prior authorization. He knows it takes a while. What he doesn't know is that the rules changed in January, and for the first time, the insurance company is the one watching the clock.

Before we go back to the story, let’s dive a little bit deeper into what this CMS ruling is, who it covers and how it affects you.

On January 17, 2024, CMS, the federal agency that runs Medicare and Medicaid, finalized a rule named CMS-0057-F. It does two things. The first lands in 2026: covered insurers have to decide prior auth faster, explain their denials in detail, and post their prior auth metrics publicly every year (the first reports were due March 31, 2026). The second lands January 1, 2027: they have to build standardized digital connections (called APIs) between their systems and your doctor's software. If you read our [payer policy] issue, this is the rule that finally puts a deadline on the part of the system that used to run on "we'll get back to you."

Before we follow Biscuit's MRI, answer the only question that matters first: does this reach your insurance? Find your plan.

The rule changes two sets of things. Some are happening now, in 2026. The rest is new technology that has to be ready by 2027. The rest of this issue is just these changes happening to Biscuit the corgi.

Happening now (2026): Three changes to how your plan has to handle a request:

Coming in 2027 four new APIs: First, what's an API? It's a way for two computer programs to talk to each other. Instead of a person logging into a website to check something, one program just asks another and gets a reply, with no person in the middle. The rule makes insurers build four of these. Each one connects two different people.

Dr. Singh writes the MRI order and hands it to Sage. Old way, Sage logs into Pawferred's portal, hunts for Biscuit's history, and rekeys it. New way, one of the 2027 APIs (the Provider Access API) lets her pull Biscuit's payer-held records straight into her own system. The labs Pawferred already has. The prior auth from his ER visit. Less re-faxing the same chart the insurer already owns.

Sage submits. A clock starts at Pawferred. Under the old Medicaid managed care standard, a decision could take up to 14 days. Now Otis has 7 calendar days for a standard request and 72 hours for an urgent one (source: CMS). Not business days. Calendar days. The clock doesn't care whether the request came by fax, portal, or Sage reading the form out loud over the phone.

The request itself rides another 2027 piece, the Prior Authorization API. Before Sage submitted anything, it could tell her two things she used to dig for: whether the MRI needed prior auth at all, and the exact documents to attach. Then it carried the request and Otis's answer back through the same pipe, instead of the old mess of portals and PDFs.

Here's what changes Otis's job. If he denies, he now has to name the specific clinical reason. Not "lacks medical necessity" with nothing attached (source: CMS). The actual criterion Biscuit's chart didn't meet. A vague denial used to be almost impossible to appeal. A specific one hands Sage and Dr. Singh something to push on.

And there's a scoreboard now. Pawferred has to publicly report its prior auth stats every year: approval rates, denial rates, decision times. The first reports were due March 31, 2026 (source: CMS).

Zoom out from the ankle.

The 2027 half is what insiders are losing sleep over. In 2024, only 35% of medical prior auths were fully electronic, and the average portal request ate 16 minutes (source: 2024 CAQH Index).

After January 2027, covered insurers have to expose all of this through standardized FHIR connections, the same plumbing across every payer, so the whole back-and-forth runs software to software instead of a human logging into ten different portals. CMS is also nudging adoption with a new measure that asks clinicians and hospitals to attest they sent at least one prior auth through the API. Sounds minor. It's the lever that gives a health system a reason to lean on Epic, Athena, and its RCM vendors to actually build this, instead of leaving it on a roadmap forever. And the Patient Access API means Biscuit himself will eventually open his plan's app and see "MRI auth: approved, valid until June 30" instead of calling to ask.

Fair question, because it's the load-bearing piece and nobody explains it. FHIR (pronounced "fire," which is the most exciting thing about it) is an agreed-on format for health data. Think of it as a standard plug. Right now, every connection between a doctor's software and a payer's system is a custom one-off, a different adapter for every payer. FHIR is the plug they all agree to use, so any doctor's system can talk to any payer's without building a new adapter each time. The clinical data moving through it follows a shared list too, called USCDI, so "your records" means the same set of fields at every plan instead of a different shape from each one.

On top of FHIR sit three pre-built recipes for prior auth, the Da Vinci guides. One checks whether a service needs auth (CRD). One collects the exact documents required (DTR). One submits the request and carries the answer back (PAS). That's the "does this need auth, what docs, here's the request" chain from Otis's desk, with its real names.

Friday afternoon, three days after Sage hit send, Pawferred approves the MRI. Biscuit's booked for Tuesday. Under the old timeline he'd likely still be waiting.

This rule speeds the decision up and drags it into the open. The insurer still decides what's covered, off the same medical policy it used in December, and CMS didn't touch that. What CMS touched is everything around the decision. Right now, the call comes faster, in writing, with a real reason for a no, and the plan's whole track record gets posted in public once a year. By 2027 it goes further. The plan has to publish, up front, which services even need prior auth and what documents they take, instead of leaving the office to find out by getting denied. And the stuff that used to be scattered across portals, faxes, and PDFs lands in one place a provider can reach.

That's the real shift, and it's bigger than it sounds. A denial you can see and pull the paper on is one you can fight. Otis can still say no. He just has to say it faster, in writing, and in public, where anyone can count how often he does.

This is the part to read twice. Three moves, each with a reason.

If you're a patient: pull your insurance card and match it to the list above. If you're covered and waiting on an auth, count the days. Seven calendar, or 72 hours urgent. Past that with no answer is a rule violation worth a phone call.

If you run a clinic or billing desk: build the deadline into your work queue so the system flags a late payer instead of your staff guessing when to follow up. And start routing the new specific denials by reason: resubmit with the missing document, appeal, or fix the code, instead of calling to ask what "not medically necessary" meant this time. (Past a couple of staff, the hard part is keeping everyone on the same current rules for each payer, which is the specific job Converus does in one place.) Doctors still average 39 prior auths a week and 13 hours on them (source: AMA 2024). The clock helps. The volume is still brutal.

That's CMS-0057-F. The countdown is already running on Otis's desk.

That's issue one. Hit reply — I read everything, and the best questions become the next lesson.

— Shivang

Names note: All insurance companies and clinics in pre·imbursed are fictional. We use made-up names so we can teach honestly without dragging any real company.

For readers who want to dig deeper, here's every source linked in the body of this issue: