CMS-0062, Explained: A Plain-English FAQ on the New Proposed Rule for Drug Prior Authorization

On April 10, 2026, CMS released the 2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule(CMS-0062-P), the next chapter in the federal push to modernize prior authorization. If CMS-0057 was the opening act, CMS-0062 is the follow-through: it extends interoperability and electronic prior authorization requirements to the part of the workflow that was deliberately carved out the first time around: Drugs.

‍

We've pulled together the questions we're already hearing from health plan and PBM operations leaders. Here's a plain-English walkthrough.

‍

1. What is CMS-0062 in one sentence?

It's a proposed rule that extends the electronic prior authorization, interoperability, and transparency requirements from the 2024 CMS final rule (CMS-0057) to include drugs covered under both medical and pharmacy benefits, with most provisions taking effect October 1, 2027.

‍

2. Who is affected?

The proposed rule applies to the same set of "impacted payers" as CMS-0057, plus one new addition:

• Medicare Advantage (MA) organizations.
• State Medicaid and CHIP fee-for-service (FFS) programs.
• Medicaid managed care plans.
• CHIP managed care entities.
• Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs).
• New: Small group market QHP issuers offering plans on the Federally-facilitated Small Business Health Options Program (FF-SHOP).

Separately, the HIPAA-related portions of the rule (the FHIR adoption proposals from HHS) would apply to all HIPAA covered entities, including providers, health plans, and clearinghouses, which exchange prior authorization transactions electronically.

‍

3. How does CMS-0062 relate to CMS-0057?

CMS-0057 (the 2024 final rule) built the prior authorization API infrastructure but explicitly excluded drugs because the standards, processes, and decision timeframes for drug PAs are meaningfully different from those for medical items and services.

‍

CMS-0062 closes that gap. Think of it as the same regulatory blueprint, now extended across the entire prior authorization landscape.

‍

If you're already building toward CMS-0057, the good news is that CMS-0062 reuses much of the same technical foundation.

‍

The catch: it adds new standards, new reporting, and new timeframes on top of it.

‍

4. What does "electronic prior authorization for drugs" actually require?

There are two parallel tracks, depending on how the drug is covered:

‍

For drugs covered under a medical benefit (Part B-style): Impacted payers would have to incorporate coverage and documentation requirements into their existing Prior Authorization API, using the same FHIR-based API built for CMS-0057 beginning October 1, 2027.

‍

For drugs covered under a pharmacy benefit (Part D-style): State Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs would be required to support three National Council for Prescription Drug Programs (NCPDP) standards beginning October 1, 2027:

• SCRIPT: for electronic prior authorization requests and decisions.
• Formulary & Benefit (F&B):  for querying formulary information.
• Real-Time Prescription Benefit (RTPB): for real-time coverage determinations.

Medicare Part D sponsors are already required to support these standards; this proposal aligns the rest of the impacted payers with that baseline.

‍

5. What are the new decision timeframes?

CMS is proposing to align drug prior authorization decision timeframes across programs:

‍

State Medicaid FFS programs, Medicaid managed care plans, and CHIP managed care entities:

• Drug requests must be decided within the existing covered outpatient drug timeframe, no later than 24 hours after receiving a request.
• Non-drug items and services must be decided within the existing timeframes: 7 calendar days for standard requests and 72 hours for expedited requests.

State CHIP FFS programs:

• Notice of decision no later than 24 hours after receiving a PA request for any prescription drugs for which Federal Financial Participation (FFP) is available.
  
  • Note: State CHIP FFS programs that fail to meet these timeframes may put their FFP at risk, as CMS compliance is tied to federal matching fund eligibility.

QHP issuers on the FFEs:

• Drug requests: as expeditiously as the enrollee’s health condition requires, but no later than 72 hours for standard requests and 24 hours for expedited requests.
• Non-drug items and services: 7 calendar days for standard requests and 72 hours for expedited requests.

Most of these timeframes are proposed to take effect on October 1, 2027.

‍

6. What changes for denials?

Beginning October 1, 2027, state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs would be required to provide a specific reason for any drug PA denial.

‍

This mirrors the denial communication requirements already in place for non-drug items and services under CMS-0057.

‍

The intent: give providers what they actually need to resubmit or appeal, not just a denial code.

‍

7. What's new on the HIPAA side?

This is one of the more consequential parts of the rule, and it's easy to miss.

‍

HHS is proposing to:

• Adopt the HL7 FHIR standard (and specific FHIR Implementation Guides) as the standard for the HIPAA "referral certification and authorization" and "eligibility for a health plan" transactions related to prior authorization.
• Adopt the HL7 FHIR Da Vinci Clinical Data Exchange (CDex) Implementation Guide as the standard for attachments accompanying prior authorization transactions, supporting C-CDA, PDF, and text files.

Compliance timing:

• ‍24 months after the final rule's effective date for most HIPAA covered entities.‍
• 36 months for small health plans.

Entities that don't engage in electronic prior authorization transactions wouldn't be required to adopt these standards.

‍

8. What about API endpoint reporting?

CMS is proposing that impacted payers report their interoperability API endpoints — along with FHIR capability statement URLs and technical documentation — directly to CMS, which would publish them in a centralized location.

‍

Reporting cadence:

• Existing impacted payers: within 60 days of the final rule's effective date.
• New impacted payers: 60 days before they begin covering patients.
• Updates: within one week of any change.
• Annual verification: Confirmation that all information remains accurate.

Translation: Payer API endpoints become discoverable and accountable in a way they aren't today.

‍

9. What new metrics will payers need to report publicly?

Two layers:

‍

Updates to existing non-drug PA metrics (CMS-0057): Payers would be required to report raw counts, in addition to percentages and new metrics. Reporting deadlines include:

• March 31 of the following year for MA organizations, state Medicaid/CHIP FFS, and QHP FFE issuers.
• 90 days after the rating period for Medicaid managed care and CHIP managed care.

New drug PA metrics: Payers would report drug-specific PA metrics annually on their public websites, beginning in 2028 with 2027 data.

‍

CMS is also proposing new API usage metrics for the Provider Access, Payer-to-Payer, and Prior Authorization APIs, reported to CMS, starting in 2028 with 2027 data.

‍

10. What data has to flow through the Patient Access, Provider Access, and Payer-to-Payer APIs?

CMS is proposing that impacted payers make detailed drug PA information available through these APIs.

‍

For Patient Access and Provider Access APIs, the required data includes:

• Status of the prior authorization.
• Date approved or denied.
• Date or circumstance under which the authorization ends.
• Drug(s) approved (including dosage).
• Specific reason for denial, if applicable.
• Related structured administrative and clinical documentation.

For the Payer-to-Payer API, the required data includes:

• Status.
• Approval date.
• End date or circumstance.
• Drug(s) approved (with dosage).
• Related structured and unstructured documentation (excluding denied requests).

Compliance: October 1, 2027

‍

11. What are the RFIs (Requests for Information) in this rule?

CMS included five standalone RFIs that don't carry compliance obligations but signal where future rulemaking may go:

1. Electronic event notifications (ADT): expanding use, content, and the types of providers/entities that should receive them.
2. Health care cybersecurity resiliency: protecting ePHI and the broader ecosystem from attacks.
3. Improving payer API oversight: including potential use of the ONC Health IT Certification Program.
4. Step therapy: using technology and data sharing (like the Payer-to-Payer API) to streamline determinations.
5. Lab tests and DMEPOS prior authorization: addressing coordination and timing burdens.

If your organization has perspective on any of these, the comment period is the time to weigh in.

‍

12. Is there anything in this rule that isn't about prior authorization?

Yes, one notable item. CMS is proposing to add a definition for "Failure to Report" under the Open Payments program (42 CFR 403.902). This would establish the foundation to impose civil monetary penalties on applicable manufacturers or group purchasing organizations that fail to grant timely access (within 30 calendar days of an audit request) to documents during an Open Payments program audit. Effective on the final rule's effective date.

‍

13. When does this become final?

The proposed rule is open for public comment via the Federal Register. Until CMS publishes a final rule, the timelines and requirements above are subject to change. That said, the major compliance dates currently proposed cluster around October 1, 2027, with HIPAA-related provisions on a 24-month (or 36-month for small plans) clock from the final rule's effective date.

‍

14. What should health plan and PBM operations leaders do right now?

Three honest answers:

‍

One: Don't wait for the final rule to start scoping. Plans that treated CMS-0057 as a one-time compliance project are about to find out why that was the wrong frame. CMS-0062 reuses the same APIs, the same FHIR foundation, and the same general philosophy, but adds new standards (NCPDP SCRIPT, F&B, RTPB), new metrics, and a new compliance clock. The plans that built modular, adaptable infrastructure for CMS-0057 will have a meaningfully easier path. The plans that didn't will be doing it twice.

‍

Two: Map your drug PA workflows now. The medical-benefit-vs-pharmacy-benefit split is doing real work in this rule. If you don't already have clarity on which drugs flow through which workflow, where the handoffs are, and what your existing automation looks like, the operational lift will surprise you.

‍

Three: Treat compliance as the floor, not the ceiling. CMS-0062 sets faster decision timeframes, more transparency, and more public reporting. Hitting those minimums on top of broken or manual processes just means doing the same work under tighter deadlines. The plans that come out of this regulatory wave ahead are the ones using it as a forcing function to fix the underlying operations, not just check the boxes.

‍

How Banjo Health Can Help

CMS-0062 is exactly the kind of regulatory shift Banjo's platform was built for. Our clinical decision tree engine, configurable workflows, and standards-based integrations were designed so our customers can absorb new requirements, like NCPDP SCRIPT support, additional FHIR Implementation Guides, or new drug PA metrics, without rebuilding from scratch.

‍

If you're starting to map out what CMS-0062 means for your operation, we'd love to compare notes.

‍

‍

Source: 2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule fact sheet, CMS, April 10, 2026.