chevron-down Created with Sketch Beta.
August 28, 2023

Increased Focus by CMS on Prior Authorizations within Medicare Advantage Organizations

By Amber DePrima and Alex Oliphant

Click here for the audio version of this article

The Centers for Medicare and Medicaid Services (CMS) proposed and finalized revisions to the Medicare Part C and D guidelines in the 2024 Final Rule (88 FR 22120), including new regulations on the prior authorization process. Once these changes go into effect, there will be increased regulatory focus with the possibility of stiffer penalties imposed on Medicare Advantage Organizations (MAOs) by CMS. It is imperative that MAOs proactively address how to assess and prevent inappropriate denials of prior authorizations and adverse CMS audit findings. This article illustrates the prior authorization process and how MAOs can prepare for the forthcoming changes from CMS.


What is Prior Authorization?

Managed care plans, including many MAOs, utilize primary care physicians (PCPs) to act as “gatekeepers” for medical services. Members enrolled in managed care plans, primarily health maintenance organizations (HMOs), who need services from providers or suppliers other than their PCP typically need to obtain approval from their PCP or plan prior to the plan providing reimbursement to the provider for treatment. This is called prior authorization—or preapproval, preauthorization, or precertification.

Prior authorizations allow the member’s PCP to work with the managed care plan to determine if the care proposed is the best option for the needs of the individual patient. Ideally, this permits managed care plans to optimize member outcomes while reducing spending on potentially unnecessary tests, procedures, and treatments. If prior authorization is not obtained prior to services being rendered, services that require prior authorization may not be financially covered by the managed care plan. Each managed care plan develops coverage guidelines and coverage criteria appropriate to their member population within their plan and network.

Why Does This Matter?

MAOs use prior authorizations to improve quality of patient care and ensure members are receiving medically necessary care, while preventing unnecessary health plan spending. “The rationale for prior authorization is to identify and discourage costly low-value services, thereby reducing health care spending without impairing health care quality.” However, some MAOs have been found to deny prior authorization requests inappropriately. CMS consistently conducts audits of MAOs “to measure compliance within the terms of its contract with CMS, specifically requirements associated with access to medical services, drugs, and other enrollee protections required by Medicare.” In an April 2022 Office of Inspector General (OIG) report, the OIG found that CMS cited more than half of audited MAO contracts in 2015 for inappropriately denying prior authorization and payment requests. CMS has also increased penalties for MAO violations that prevent beneficiaries from accessing medically necessary services.

Increased Regulatory Focus

The OIG conducted a study with a sample of 250 prior authorization denials and 250 payment denials issued by 15 of the largest MAOs during the week of June 1–7, 2019. OIG healthcare coding experts and physician reviewers conducted case file reviews on all cases and associated medical records. Of the prior authorization denials they reviewed, they observed that 87% did not meet Medicare coverage rules and would have likely been denied under traditional Medicare. Of the remaining 13% of prior authorization requests that MAOs denied, MAOs allegedly inappropriately denied services due to two primary factors: 1) MAOs applied additional clinical criteria that are not found in the Medicare coverage rules, and 2) MAOs claimed there was insufficient documentation for the prior authorization request that the OIG disagreed with or requested unnecessary documentation. Additionally, the OIG found that 82% of the denials were not consistent with Medicare coverage rules and MAO billing rules, which were mostly caused by human error during manual claims processing reviews and system processing errors. The OIG acknowledged that MAOs reversed some of the denied prior authorization and payment requests that met Medicare coverage rules and MAO billing rules, often when a member or provider appealed or disputed the denial. Other reversals resulted from MAOs identifying their own errors.

The OIG study concluded that, “Denied requests that meet Medicare rules may prevent or delay beneficiaries from receiving medically necessary care and can burden providers.” Additionally, “even when denials are reversed, avoidable delays and extra steps create friction in the program and may create an administrative burden for beneficiaries, providers, and MAOs.”

Following this study, the OIG audited the managed Medicaid prior authorization process of Keystone First, an MAO based in Pennsylvania, by selecting a sample of 100 denied service requests that required a prior authorization. The goal was to determine if Keystone First complied with federal and state requirements. Out of the 100 requests in the sample, the OIG found that 76% were not compliant, with 10% of the total denials relating to overnight care of pediatric skilled nursing service requests.

In December 2022, after reviewing recommendations from the OIG, CMS proposed revisions to their Medicare Part C and D guidelines. These proposed changes were adopted in the 2024 Final Rule. Changes include but are not limited to:

  1. MAOs must comply with Medicare coverage rules under traditional Medicare.
  2. When coverage rules are not fully established under traditional Medicare, MAOs must include current evidence in widely used treatment guidelines or clinical literature when creating internal clinical coverage criteria, and this information must be made publicly available.
  3. Prior authorization policies for coordinated care plans may only be used to confirm the presence of diagnoses or other clinical criteria and/or ensure an item/service is medically necessary.
  4. The plans must provide a minimum 90-day transition period when an enrollee currently undergoing treatment switches to a new MAO plan.
  5. All MAOs must establish a Utilization Management Committee to review policies annually and ensure consistency with traditional Medicare coverage decisions and guidelines.

States have also focused on prior authorization patterns and have passed associated legislation. One such legislative example is a state-mandated bill introduced in California in February 2023. This bill would require an MAO to provide an electronic prior authorization process, as well as a process for annually monitoring prior authorization data points, such as approval, appeal, and denial rates. The bill mandates the MAO must use this data to identify those services, items, or supplies that are regularly approved 95%, and subsequently discontinue the prior authorization process for that service or treatment.

How to Prepare for the Forthcoming Changes from CMS

Once changes go into effect on January 1, 2024, the CMS audit protocols and procedures will be updated with these new regulatory requirements. This ensures that not only will there be increased regulatory focus, but stiffer penalties could be imposed on MAOs based upon findings. Therefore, it is imperative that MAOs proactively address how to assess and prevent inappropriate denials of prior authorizations and adverse CMS audit findings.

Answering the following questions will help MAOs identify where to begin making changes and refinements to their existing processes relating to prior authorization:

  1. What percentage of prior authorization denials have an associated appeal attached to them? Subsequently, how many of these denials were denied due to medical necessity and subsequently reversed after the appeal?
  2. Where does the MAO stand in overturning prior authorizations denials in comparison to the industry?
  3. What would the estimated financial impact be for the prior authorization denials that were determined to be inappropriate?
  4. How many prior authorizations were denied for medically necessary services because providers did not respond with additional documentation? And in those instances, was the requested documentation needed to establish medical necessity?
  5. What would the data look like broken down by specific service types, such as imaging services, stays in post-acute facilities, and injections?

MAOs often review case file samples in mock audits during the years when they do not receive a CMS audit notice but may be focused on a specific time frame (like the OIG study) ranging from a week to a month of data. It may be more insightful to review prior authorization denials by year compared to a more abbreviated time frame. Additionally, it may be beneficial to view specific contracts within that time frame as well.

Regardless of how MAOs take action to understand their prior authorization process, they will ultimately be held liable for not being compliant. Some MAOs are being proactive by revising their prior authorization processes, leading to fewer prior authorizations needed for diagnostic procedures. MAOs are also using artificial intelligence to accelerate the prior authorization decision process. UnitedHealthcare recently announced that it will soon eliminate nearly 20% of existing authorizations by implementing a “gold card” program through which qualifying providers will notify the insurer about pending care rather than request authorization prior to the service. Similarly, Cigna announced that it has removed prior authorization for nearly 500 services and devices since 2020, leaving only 6% of medical services to go through the prior authorization process.


Federal regulators are increasing their focus on MAOs’ alleged use of prior authorization requirements to deny services. In preparation, MAOs can take steps to become better equipped in the event of a CMS prior authorization audit by proactively developing strong prior authorization processes to mitigate the potential financial consequences. The best way to avoid adverse CMS findings and possible subsequent financial burden is preparation and prevention of improper denials of prior authorizations, as well as a strong data collection process. Additionally, as federal and state authorities continue to scrutinize the use of prior authorization by MAOs, the legal and regulatory landscape continues to evolve. Answering the questions raised in this article will be the first step to ensuring members are receiving medically necessary care, while preventing unnecessary health plan spending, as well as being prepared in the event of a CMS audit or other enforcement activity. 

    Amber DePrima

    Berkeley Research Group, Washington, DC

    Amber DePrima is a managing consultant at BRG based in Washington, DC. Her work entails assisting MAOs and their counsel with risk adjustment related projects. Previously, Ms. DePrima worked at an MAO, where she worked on prior authorization audits conducted by CMS. This work included reviewing utilization management and claim denials, collaborating with CMS audits and plan medical directors, and analyzing supporting documentation related to the denials. She can be reached at [email protected].

    Alex Oliphant

    Berkeley Research Group, Washington, DC

    Alex Oliphant is a managing director at BRG based in Washington, DC. He co-leads the Medicare Risk Adjustment practice and assists MAOs with a variety of strategic and compliance focused matters centered around the accuracy of diagnosis code submissions. Mr. Oliphant has also assisted managed care organizations with analyzing claims processing and reporting as well as evaluating the accuracy of claims payments. He can be reached at [email protected]

    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.