Compliance leads & UM analytics · 2026-07-02
The Prior-Auth Metrics CMS Makes You Publish: What's in the Report, and Where the Definitions Bite
Of everything in CMS-0057-F, the public metrics requirement got the least engineering attention and may carry the most reputational consequence. The APIs got the budget; the 72-hour clock got the operational urgency. But the metrics requirement is the one that puts your prior authorization performance on the open internet, in a format designed to be compared, annually, forever.
The first reports came due March 31, 2026. If yours shipped via spreadsheet heroics, this article is the checklist for making year two systematic — and for understanding where the definitional choices you barely noticed in year one can bite.
What the requirement actually is
CMS-0057-F requires impacted payers — Medicare Advantage organizations, Medicaid and CHIP programs (fee-for-service and managed care), and QHP issuers on the FFEs — to post specified aggregate prior authorization metrics publicly on their websites, updated annually, with the first posting due by March 31, 2026 for data from the prior year. Drugs are excluded, as they are from the rule's PA provisions generally.
The reported categories (verify exact specifications against the rule text for your payer type — the regulatory citations differ per program) cover ground like:
- the list of items and services that require prior authorization;
- the percentage of standard requests approved and denied;
- the percentage of standard requests approved after appeal;
- the percentage of requests where the decision timeframe was extended;
- the percentage of expedited requests approved and denied;
- average time to decision for standard and expedited requests.
Notice what that list is: a compact, public scorecard of exactly the things providers complain about — how much you gatekeep, how often you say no, how often your "no" doesn't survive appeal, and how long you take. That is by design. The rule's authors chose transparency as the enforcement mechanism for behavior the timeframes alone can't regulate.
The denominator problem
Every metric above is a fraction, and every fraction has a denominator someone had to define. This is where reports diverge from reality — and where two payers with identical operations can publish very different numbers.
What is a "request"? Does a submission that failed intake validation — a 278 rejected with an AAA code for a bad member ID, a portal submission missing required fields — count as a request received? There's a defensible logic to excluding administrative rejections (no reviewable request ever existed) and a defensible logic to including them (the provider experienced a denial-shaped event). What is not defensible is deciding implicitly, differently, per system. Whichever posture you take, write it down, apply it identically in the public report and your operational dashboards, and be ready to explain it.
Withdrawals and duplicates. Providers withdraw requests; intake channels create duplicates (the same authorization requested by portal and fax and 278 is a classic). Deduplication rules move both the numerator and denominator of your approval rate. Duplicate-collapsing logic is analytics work nobody glamorizes, and it materially changes published numbers.
Partial approvals. A request approved for 8 of 12 visits, or certified at a different level of care (HCR A2 or A6 in EDI terms) — approved, denied, or both? The honest answer is "partially denied, with appeal rights on the delta," but your report has two buckets. Whatever mapping you choose, the appeal-overturn metric will interact with it: partials that get appealed and fully approved look like overturned denials, which is exactly what they are.
When is a decision "made"? Decision-communicated versus decision-recorded can differ by days when letters batch overnight or a delegate syncs weekly. Average decision time is only as honest as those timestamps — and the same clock-start and clock-stop discipline your SLA dashboard uses must govern the published averages, or the two will eventually contradict each other in public.
Delegation: your numbers include their numbers
If radiology PA runs through a benefit manager and behavioral health through another, the public report still describes your members' experience — which means delegate data flows into your published metrics. Three problems follow. Delegates' status vocabularies differ (their "pended," "closed," "administratively denied" must map into your canonical definitions, not sit beside them). Their data arrives on their schedule (a delegate that reports monthly makes your March 31 deadline a February data-cutoff negotiation). And their definitional choices — what they count as a request — silently become yours unless your delegation agreements specify the definitions. Updating those agreements to include metrics data-supply obligations, definitions included, is unglamorous 2026 work that prevents a 2027 scramble.
Who reads this — and what they compare
Assume three audiences beyond CMS. Regulators and auditors, who can now cross-reference your published timeliness against complaint patterns and, for MA, against audit findings. Journalists and researchers, for whom a standardized annual dataset across payers is raw material — high denial rates and high appeal-overturn rates are a story that writes itself. Competitors and provider networks, who will benchmark; a hospital system negotiating contracts now has your approval rates and decision times in hand.
The appeal-overturn rate deserves special respect. Of all the published numbers, a high percentage of denials reversed on appeal is the most damaging, because the plain reading — the initial determinations were wrong — is usually the correct one. If year one showed a high overturn rate, the response isn't presentation, it's root cause: which service categories, which criteria, which reviewers or delegates, and what would have to be true at initial review for those approvals to happen the first time. That analysis, not the report itself, is where the requirement earns its keep.
A definitions checklist to write down this quarter
Before the next reporting cycle, the analytics owner and the compliance owner should co-sign a one-page definitions document answering, at minimum:
- Request: what events enter the denominator — and specifically whether administrative rejections, withdrawn requests, and duplicates are in or out, with the deduplication rule spelled out.
- Denial: how partial approvals are bucketed, and whether administrative closures (never-completed requests) count as denials.
- Decision time: the clock-start timestamp (receipt, by channel), the clock-stop timestamp (decision recorded vs. communicated), and how extensions and pends appear in the average.
- Appeal outcome: what counts as overturned — full reversals only, or partial relief too — and the lookback window linking appeals to their original determinations across year boundaries.
- Scope: which lines of business and which delegates are inside each published figure, and how drug-related requests are excluded.
Version the document, date it, and reference it in the published report's methodology note. When a regulator, journalist, or plaintiff's expert asks how a number was computed — and one eventually will — the difference between a documented, consistently applied definition and a shrug is the difference between a methodology discussion and a credibility problem.
Making year two systematic
The pipeline you want is boring: versioned metric definitions (in a repo, with change history), one computation path that feeds both the public report and internal dashboards, delegate feeds contractually specified and validated monthly rather than annually, and a dry-run report generated quarterly so that March is a publication step instead of a project. Payers that treat the public metrics as an annual scramble will keep publishing numbers they discover at the deadline. Payers that treat them as a continuously computed product get something better than compliance: they find out about their own problems before the public does.
Verify the exact metric specifications, payer-type citations, and current guidance against the CMS-0057-F rule text and CMS FAQs — reporting details have nuances per program that a summary can't carry.