PA BridgeResources

Compliance & program leads · 2026-07-02

State UM Statutes vs Federal Floors: Building the Strictest-Rule Engine

The most dangerous sentence in a CMS-0057-F program plan is "we comply with the federal timeframes." The federal rule sets floors — 72 hours for expedited requests, 7 calendar days for standard — and floors are only the answer when nothing underneath you is higher. For any payer with a commercial book, a multi-state footprint, or state Medicaid contracts, something almost always is. State legislatures have spent the last several sessions passing prior authorization reform at a pace that outruns most payers' policy-update processes, and the resulting obligation is not "the federal rule" or "the state rule" — it is the strictest rule that applies to this request, resolved per member, per program, per state, per service, sometimes per submission channel.

That resolution problem is an engineering problem wearing a compliance badge. This article walks through why it cannot be solved with a policy memo, two verified state examples that break naive implementations in instructive ways, the data model that actually works, and the governance required to keep it true after every legislative session.

Why "strictest applicable" is a per-request computation

Consider one mid-market payer with Medicare Advantage, Medicaid managed care in two states, and a commercial HMO book. The same MRI request can carry at least four different clocks depending on who the member is:

  • Medicare Advantage — the CMS-0057-F floors apply directly, and federal law broadly preempts state benefit regulation for MA products, so the state's UM statute generally does not add obligations here.
  • Medicaid managed care — the federal floors apply and the state contract or state Medicaid regulations may be tighter; 42 CFR 438.210 is the federal baseline, but states routinely contract below it. See federal floors vs state contracts for how those layers stack.
  • Commercial / state-regulated plans — CMS-0057-F does not reach this book at all, but the state UM statute reaches it completely, and state clocks are increasingly shorter than the federal ones.
  • QHP on the FFEs — impacted by CMS-0057-F's API provisions but carved out of the federal decision-timeframe requirement, which means the state clock may be the only turnaround rule that binds.

Four lines of business, one service, one state — and the correct deadline differs across all four. Multiply by every state in the footprint and every service category a statute singles out, and a policy binder is no longer a compliance instrument. Only a rule engine is.

Two states that break simple implementations

Texas: the rule that deletes the request. Texas Insurance Code Chapter 4201, Subchapter N — added by HB 3459 (87th Legislature, 2021) and amended by HB 3812 (89th Legislature, 2025) — requires HMOs and insurers to exempt a physician or provider from preauthorization for a particular health care service when, in the most recent one-year evaluation period, the provider submitted at least five eligible requests for that service and at least 90 percent were approved. The insurer must run the evaluation and notify providers; the provider does not have to ask. An exemption can be rescinded only through a retrospective review of a random sample of five to twenty claims showing that fewer than 90 percent met medical-necessity criteria, and per the Texas Department of Insurance's guidance the exemption applies per particular service, not provider-wide. The law does not reach Medicaid or CHIP members.

What this breaks: gold-carding is not a faster clock — it is a rule that removes the authorization requirement entirely, keyed to a provider-service pair, on a statutory evaluation calendar, with statutory rescission conditions. A rule engine that only computes deadlines cannot represent it. The engine has to answer "does this request even exist?" before it answers "when is it due?" — and it has to carry the exemption roster, its evaluation-period provenance, and the notification evidence, because all three are auditable. The operational design of these programs is its own topic — see gold-carding program design.

Washington: a shorter clock with a different trigger. RCW 48.43.830 requires carriers to decide and notify within three calendar days, excluding holidays, for electronic standard prior authorization requests, and within one calendar day for electronic expedited requests — measured from submission of a request that contains the information necessary to make a determination. Nonelectronic requests get five and two calendar days respectively, and if the submission is incomplete the carrier must request the missing information within one calendar day. The Office of the Insurance Commissioner's technical assistance guidance applies these timelines to health plans issued or renewed on or after January 1, 2024, with further electronic prior authorization requirements phasing in through January 1, 2027.

What this breaks: nearly everything a federal-only implementation hard-coded. The unit differs (one calendar day for an expedited request versus the federal 72 hours). The trigger differs (Washington's clock runs from a submission containing the necessary information; the federal clock runs from receipt). The channel matters (electronic and nonelectronic requests carry different deadlines). Even the calendar differs — "excluding holidays" is a third day-counting regime alongside calendar days and business days. A deadline calculator with one clock semantic cannot express this statute, no matter what number you configure into it.

Encoding rules as data, not prose

The workable model treats every regulatory clock as a row, not a paragraph. The minimum viable schema, learned the hard way:

  • Jurisdiction — state, or federal, with explicit precedence rules.
  • Line of business — MA, Medicaid managed care, CHIP, QHP, commercial; the Texas and Washington examples both show LOB carve-outs (Texas excludes Medicaid/CHIP; the federal timeframe excludes QHPs).
  • Service category — statutes increasingly single out categories; your mapping from procedure codes to statutory categories is itself a governed artifact.
  • Clock type — trigger (receipt vs complete information), unit (hours vs calendar days), calendar regime (calendar, business, calendar-excluding-holidays), channel dependence, and whether the deadline covers decision only or decision plus notification.
  • Rule kind — deadline, exemption (gold-card), information-request obligation, notification obligation. Not everything is a clock.
  • Effective-date semantics — calendar date vs plan issue/renewal date; Washington attached by plan year, CMS-0057-F's timeframes by calendar date, and the difference decides which requests each rule governs during transition years.
  • Citation — the statute or regulation section, on the row, so the engine can show its work.

Resolution is then a deterministic function: gather every rule matching the request's jurisdiction, LOB, service category, and channel; apply the strictest; and record which rule won on the request. That last part is the compliance payoff — when a regulator or an auditor asks why a deadline was what it was, the answer is a row with a citation, not a reconstruction. It is also what a UM SLA dashboard needs to display per request if supervisors are going to trust it.

Governance: statutes change on someone else's schedule

A rule table is only as trustworthy as its update process, and state legislatures do not send release notes. The governance layer that keeps the engine honest:

  • Session monitoring with named owners. Every state in the footprint has an owner who tracks enacted UM legislation and files a change request against the rule table — before the effective date, not after the first provider complaint.
  • Versioned rules with effective dating. Rules are never edited in place; they are superseded, so the engine can answer historical questions ("what clock governed this request last March?") — which is exactly what a market-conduct exam asks.
  • Two-party sign-off. Compliance verifies the rule against the statute text; operations verifies the encoded clock semantics match what the floor will actually do. Texas's 2025 amendment — which moved evaluation periods from six months to one year — is a live example of a change that looks small in prose and rewrites an implementation.
  • Test cases per rule. Each row carries scenario tests (a Friday 8 PM electronic expedited request in Washington; a gold-carded provider's sixth request of the year in Texas) that run on every table change. A rule without a failing-case test is a rule nobody has actually thought through.

The maturity test mirrors the one for SLA tooling: can you produce, today, a per-state, per-LOB matrix of every clock and exemption you enforce, with citations and effective dates — and does your UM system demonstrably use that same matrix? If those are two different documents, one of them is wrong, and you don't know which.

Verify state requirements against the statute and regulator guidance directly — for the examples here, Texas Insurance Code Ch. 4201 Subch. N and TDI's exemption FAQ, and RCW 48.43.830 with Washington OIC guidance — and federal floors against the CMS-0057-F rule text (89 FR 8758).