
Compliance & program leads · 2026-07-02

Delegation Oversight After CMS-0057: Your Vendors' Data Is Now Your Compliance

Most impacted payers do not perform all of their own utilization management. Imaging goes to a radiology benefit manager. Behavioral health runs through a carve-out vendor. Dental and vision ride on specialty plans with their own review shops. Musculoskeletal, genetic testing, and post-acute care each have their own delegated UM ecosystems. For years, the practical compliance posture toward those vendors was a delegation agreement, an annual audit, and a quarterly report nobody read closely.

CMS-0057-F ends that posture, not by regulating delegates directly but by ignoring them. Every obligation in the rule — the 72-hour and 7-calendar-day decision timeframes that took effect January 1, 2026, the specific-denial-reason requirement, the public metrics report first due March 31, 2026, and the January 1, 2027 API stack — attaches to the impacted payer. If your radiology benefit manager blows the clock, you blew the clock. If its denial letters say "not medically necessary" with nothing else, your denial-specificity compliance is the one that failed.

The regulatory chassis was always there

None of this required new delegation law, because the accountability language already existed. For Medicaid managed care, 42 CFR 438.230 requires that, notwithstanding any subcontract, the MCO "maintains ultimate responsibility" for complying with its state contract — and that every subcontract specify the delegated activities and reporting responsibilities, provide for revocation or other remedies for unsatisfactory performance, and preserve audit rights for the state, CMS, and the HHS Inspector General for ten years. On the Medicare side, 42 CFR 422.504(i) does the same for first tier, downstream, and related entities: ultimate responsibility stays with the MA organization, contracts must specify delegated activities and reporting, and performance must be monitored on an ongoing basis.

What CMS-0057-F changed is the content flowing through that chassis. "Ultimate responsibility" used to mean responsibility for a process — did the delegate have licensed reviewers, criteria, appeal handling. Now it also means responsibility for data products: a public metrics report that aggregates the delegate's decisions, a Prior Authorization API that must answer for the delegate's service categories, and a Patient Access API that must show members the status of an authorization your organization never touched.

Three obligations that now run through your delegates

The public metrics report. The metrics payers must post annually — approval and denial percentages, appeal overturns, extension usage, and average and median decision times — are computed across the payer's prior authorization volume, not the payer's in-house volume. If imaging is 30 percent of your PA requests and it lives at an RBM that reports monthly summary counts instead of per-request timestamps, you cannot compute a median decision time that includes it, and an aggregate that quietly excludes your highest-volume delegated category is not the report the rule describes. Our breakdown of the metrics themselves goes through each element; the delegation angle is simpler — every element requires per-request, per-event data from every entity that decides authorizations under your contract.

Decision timeframes. The 2026 clocks are indifferent to internal routing. A request received by your intake vendor on Friday and forwarded to the behavioral carve-out on Monday has been running since Friday. That makes "receipt" a defined term you and every delegate must share, and it makes the delegate's turnaround SLA a compliance parameter rather than a service-quality preference. A delegate SLA equal to the regulatory limit is already a design error, because it leaves zero margin for routing, rework, and notification.

The 2027 APIs. The Prior Authorization API must cover the payer's covered items and services — including the ones a delegate reviews — and the Patient Access API must expose prior authorization status and decisions to members. Both consume authorization data continuously, which a quarterly delegate report cannot feed. Architecturally this pushes toward one consolidated authorization store with delegate feeds arriving at operational latency; the design case is made in the canonical auth record essay.

What the delegation agreement has to say now

Treat the next amendment cycle as the enforcement moment. The terms worth fighting for:

  • Event-level data supply. Status changes (received, pended, decided, notified), timestamps for each, decision outcome, units approved versus requested, and the specific denial reason as structured text — delivered at operational latency, not month-end. Name the format and transport.
  • Shared definitions. When does the clock start (delegate receipt or payer receipt)? What counts as a decision (determination made or notice sent)? What is an extension versus a new request? If the agreement does not define these, the payer's metrics and the delegate's metrics will disagree, and only one of you signs the public report.
  • Identifier discipline. The delegate's authorization number must map deterministically to yours, or claims matching and API lookups fail quietly for years.
  • Timeliness feeds and breach notice. The delegate reports its own turnaround distribution and flags at-risk requests before breach, not after. You cannot fix a 72-hour miss you learn about in a monthly summary.
  • Remedies with teeth. The revocation-or-remedies clause required by 42 CFR 438.230 and 422.504(i) should enumerate data-supply failures as performance failures, not just clinical-quality ones.

NCQA oversight, redirected at data

If your plan holds NCQA accreditation, the delegation-oversight machinery is familiar: evaluate the delegate before delegation begins, take regular performance reporting, evaluate the delegated program annually, audit files where denials and appeals are delegated, and act on identified deficiencies — with streamlined credit when the delegate holds its own NCQA accreditation or certification for the activity. That framework was built to test whether the delegate runs a sound UM process.

The move for 2026 is to point the same machinery at data fidelity. A predelegation evaluation should now test whether the candidate can produce per-request timestamps and structured denial reasons in your format — a vendor that cannot demonstrate that in diligence will not develop it under contract pressure. Annual file audits should reconcile the delegate's file against the feed the delegate sent you: same received date, same decision date, same outcome, same reason. Divergence there is not a paperwork finding; it is an error bar on your published metrics.

The audit trail a regulator will actually ask for

When a state Medicaid agency or CMS reviewer pulls a delegated authorization, the trail must answer: when was the request received (and by whom), when did the decision clock start under your documented definition, who made the determination and with what credential, what criteria were applied, when was the provider notified and through what channel, and how was this request counted in the public metrics. Half of those facts live in the delegate's system. The delegation agreement's audit clause has to guarantee you can produce them on your timeline — the regulator's request lands on you, and "we've asked the vendor" is not a response that ages well.

There is also a quieter sequencing point. Delegation agreements amend on renewal cycles measured in years, and vendor data-feed development takes quarters. A payer that waits for the 2027 API deadline to discover its dental vendor cannot supply per-request status events has no contractual lever left to pull in time. The amendment conversation, the feed specification, and the first reconciliation run all belong in this year's plan, not next year's remediation.

The uncomfortable summary for compliance leads: delegation used to move work out; CMS-0057-F makes the data flow back in, on your clock, under your name. Vendors that treat their decision data as proprietary exhaust are now a compliance risk you are choosing annually at renewal.

Verify delegation and oversight specifics against 42 CFR 438.230, 42 CFR 422.504(i), the CMS-0057-F rule text (89 FR 8758), and current NCQA delegation standards for your accreditation year — the NCQA oversight requirements and timeliness standards are revised regularly.