By
July 11, 2026
10 min read
Prior Authorization Automation Before the CMS 2027 Deadline



What the CMS 2026-2027 deadlines actually require
If you run a health system, medical group, or payer-facing operation, the compliance clock that matters right now is CMS-0057-F. Standard prior authorization decisions must come back within 7 calendar days starting January 1, 2026, expedited requests within 72 hours, and every denial has to include a specific reason, not a form letter. By January 1, 2027, in-scope organizations need a FHIR-based Prior Authorization API live, along with Payer-to-Payer and Provider Access APIs, and a new electronic-PA measure gets folded into MIPS and Medicare Promoting Interoperability reporting that same year. The CMS fact sheet lays this out plainly, and the final rule text is worth reading if you need the exact scope language for a board memo.
The nuance most buyers miss: this rule applies to Medicare Advantage organizations, Medicaid and CHIP (fee-for-service and managed care), and QHP issuers on the federally-facilitated exchanges. It does not, at least not yet, touch traditional fee-for-service Medicare or most commercial employer-sponsored plans. So if your patient mix skews commercial, you don't get to relax, you get a longer runway before your biggest payers are forced to move, which means you're deciding on your own timeline instead of theirs. That's actually the harder position to be in. Nobody is forcing your hand, so nobody is forcing the budget conversation either.
What manual prior authorization is actually costing you today
The direct cost is staff time, the indirect cost is patient outcomes and physician retention, and both numbers are worse than most executives assume. The AMA's physician survey found that 93% of physicians say prior authorization delays necessary care, and 89% say it contributes to burnout. A more recent AMA survey reported through the American Hospital Association found 32% of physicians now say PA requests are "often or always" denied, up from prior years. That denial rate matters for your business case in a specific way: every denial that gets appealed and eventually approved represents work you did twice, once to submit and once to fight the rejection, for a request that should have cleared the first time.
When we've scoped document-heavy operational work for healthcare and medical-legal clients, the pattern that shows up every time is the same one that drives PA costs: staff spend most of their time re-keying clinical data from an EHR into a payer portal, not making clinical judgments. That's the part worth automating first, and it's also the least controversial part, because nobody argues that a nurse's afternoon is well spent copying diagnosis codes into a web form. For Preferred Med Network, a medical-legal operations client, we automated document intake and case assignment end to end so agents handle the routine flow and escalate only when confidence is low or data is missing, which is roughly the same shape of problem as PA extraction and submission. That engagement is detailed on the case study page, and it saved the client roughly $300K a year, mostly by removing manual document handling rather than by adding anything exotic on the AI side.
Why some "AI prior authorization" is a legal and PR liability, not a solution
There's a hard line between AI that helps a human submit a request faster and AI that decides whether a patient gets care, and vendors selling PA automation don't always draw it clearly. The cautionary tale here is well known in healthcare circles but underused as a decision framework: ProPublica's 2023 investigation found that Cigna's PxDx system let a single physician deny up to 60,000 claims in a month, spending an average of 1.2 seconds per case. A subsequent class-action lawsuit alleged roughly 300,000 claims were denied over a two-month stretch in 2022, and Congress opened an inquiry within months. UnitedHealth's NaviHealth algorithm drew similar scrutiny over post-acute care denials. Neither of these is a story about AI failing technically. Both are stories about AI making a denial decision with no meaningful human review standing behind it, at scale, until regulators and reporters noticed.
The lesson for a health system evaluating PA vendors isn't "avoid AI." It's "know exactly which decision the AI is making." Extracting clinical data from an EHR, matching it to payer criteria, and pre-filling a submission form is a defensible, ROI-positive use of AI with a human approving the final send. Using AI to auto-deny or auto-approve a claim with no clinician review is the exact pattern that generated two of the highest-profile lawsuits in healthcare AI history. If a vendor's pitch doesn't clearly separate the two, ask them to point at the line in their own product where a human signs off before a denial goes out. If they can't show you that line, you've found the liability.
Should you buy a platform or build your own prior-auth automation
Off-the-shelf platforms like Notable Health, Surescripts, and Availity-type tools solve the generic version of this problem well: standard forms, common payer connections, a UI your staff can learn in a week. Where they get expensive is the long tail. Every health system has payer-specific quirks, EHR configurations, and specialty workflows that don't fit the vendor's default templates, and every change to that workflow goes through their roadmap, their release schedule, their support queue. You're renting a decision engine you don't fully control, built on data flows that route through a third party's infrastructure, priced on a subscription that scales with your claim volume forever.
The honest framework we use with clients making this call, the same one we walk through in our medical chronology software guide for a near-identical build-vs-buy decision, comes down to three questions. First, is your PA volume concentrated in a handful of payers and specialties, or spread thin across dozens? Concentrated volume justifies a custom build faster because the ROI compounds on a narrow surface. Second, do you need the audit trail and denial-reason documentation the CMS rule requires to live inside systems you control, for compliance and litigation-defense reasons, or is a vendor's black-box log good enough? Third, is your EHR integration mature enough (real FHIR endpoints, clean data mapping) that a custom build is mostly integration work, not months of data plumbing? If you answer yes to at least two of those, building something you own usually pays back faster than a multi-year subscription, and you're not locked into someone else's product decisions when the 2027 API mandate changes what "compliant" even means.
What has to be true before you automate
Diagnosing the workflow before touching a model is the step vendors skip and buyers regret skipping. Concretely, before any PA automation project starts, three things need to be true. Your EHR and payer connections need to support structured data exchange, not screen-scraping a portal that changes its layout every quarter. You need a clear map of which PA steps are safe to automate outright (clinical data extraction, form pre-fill, status checks) versus which need a human in the loop no matter how confident the system is (final submission, appeals, anything touching a denial). And you need an audit trail architecture that satisfies the CMS denial-reason mandate from day one, because retrofitting compliance logging into a system that's already live is far more expensive than building it in.
This is the same lesson that shows up in what a life sciences POC doesn't prepare you for: a pilot that works on twenty clean test cases falls apart the moment it meets messy real-world payer data, missing fields, or an edge case nobody scoped for. The fix isn't a smarter model, it's scoping the pilot narrow enough that you find those edge cases before you're relying on the system in production. We covered the broader version of this operational shift in our piece on agentic AI in healthcare operations, and prior authorization is the sharpest, most time-boxed version of that argument right now.
Data residency and PHI: why renting a black-box PA engine is the wrong trade
Every prior authorization request carries diagnosis codes, treatment history, and enough clinical detail to reconstruct a patient's condition, which means every PA automation decision is also a PHI-handling decision. Routing that data through a third-party SaaS platform means trusting their retention policy, their subprocessor list, and their breach-notification timeline, on top of trusting their model's accuracy. For a regulated health system, that's a lot of trust to extend to a vendor whose core incentive is claim volume, not your compliance posture.
The alternative worth taking seriously is running the extraction and drafting layer on self-hosted, open-source models on your own infrastructure, with a zero-data-retention policy enforced by architecture rather than a contract clause. This isn't about avoiding AI vendors on principle. It's about matching the sensitivity of the data to the control you have over where it goes, which is the same argument we make in more depth in our LLM security guide for enterprise deployments. For a health system, owning the model deployment means the CMS denial-reason audit trail lives on infrastructure you control, not in a vendor's logs you'd have to subpoena.
What a real pilot-to-production rollout looks like
Start with one payer and one specialty, not an enterprise-wide rollout. Pick the payer-specialty combination with the highest PA volume and the most standardized criteria, automate the extraction and form-fill for that single lane, and measure two numbers against your current baseline: turnaround time and denial rate. If turnaround time drops and denial rate holds steady or improves, you've proven the pattern on a small enough surface that a failure costs you weeks, not a compliance incident.
Only after that first lane is running cleanly for a few months do you add the second payer, the second specialty, the second EHR integration. This is slower than a vendor demo promising enterprise rollout in ninety days, and it's also the difference between a system that's still running in eighteen months and one your staff quietly routes around because it broke on payer number three and nobody trusted it after that. Tie your success metrics directly to what CMS is already going to ask you to report starting 2027: turnaround time and denial-reason completeness. If your pilot improves those numbers, you've built the compliance case and the ROI case with the same data.
If you're working through this decision now, whether to wait for a vendor's roadmap or build something you control before the 2027 deadline forces the issue, this is exactly what a Discovery phase is built to map out, and it's the kind of scoping work behind how we build AI agents for regulated operations. We're happy to compare notes.
Frequently asked questions
What is prior authorization automation and how does it actually work?
It's software that extracts clinical data from an EHR, matches it against a payer's coverage criteria, and pre-fills or submits the PA request electronically instead of a staff member re-keying it into a portal by hand. The defensible version keeps a human reviewing the submission before it goes out; the risky version lets a model make the approve/deny decision with no clinician checking it.
When do payers have to comply with the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F)?
Standard PA decisions must return within 7 days and expedited ones within 72 hours, with a specific denial reason, starting January 1, 2026. A FHIR-based Prior Authorization API is required by January 1, 2027. It applies to Medicare Advantage, Medicaid/CHIP, and ACA exchange (QHP) issuers, not traditional fee-for-service Medicare or most commercial employer plans.
Can AI legally deny a prior authorization or insurance claim?
Nothing in current law bars AI from assisting a denial decision, but letting a model deny claims with no meaningful clinical review is exactly the pattern that triggered the Cigna PxDx lawsuits and the resulting congressional inquiry. The safe, defensible design keeps a licensed reviewer making and signing the final denial decision, with AI handling extraction and matching only.
Should we buy a prior authorization automation platform or build our own?
Buy when your PA volume is spread thin across many payers and a generic template covers most of your cases. Build when your volume concentrates in a few payer-specialty combinations, when you need the compliance audit trail under your own control, and when your EHR integration is mature enough that a custom build is mostly integration work rather than months of data cleanup.
How much does manual prior authorization really cost a practice or health system in staff time?
The AMA's physician surveys put the burden in outcome terms rather than a single dollar figure: 93% of physicians say PA delays necessary care and 89% say it drives burnout, per AJMC's coverage of the AMA survey. With 32% of requests now "often or always" denied per the 2026 AHA-reported survey, a meaningful share of that staff time goes to appeals on requests that should have cleared the first submission.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
By
July 11, 2026
10 min read
Prior Authorization Automation Before the CMS 2027 Deadline



What the CMS 2026-2027 deadlines actually require
If you run a health system, medical group, or payer-facing operation, the compliance clock that matters right now is CMS-0057-F. Standard prior authorization decisions must come back within 7 calendar days starting January 1, 2026, expedited requests within 72 hours, and every denial has to include a specific reason, not a form letter. By January 1, 2027, in-scope organizations need a FHIR-based Prior Authorization API live, along with Payer-to-Payer and Provider Access APIs, and a new electronic-PA measure gets folded into MIPS and Medicare Promoting Interoperability reporting that same year. The CMS fact sheet lays this out plainly, and the final rule text is worth reading if you need the exact scope language for a board memo.
The nuance most buyers miss: this rule applies to Medicare Advantage organizations, Medicaid and CHIP (fee-for-service and managed care), and QHP issuers on the federally-facilitated exchanges. It does not, at least not yet, touch traditional fee-for-service Medicare or most commercial employer-sponsored plans. So if your patient mix skews commercial, you don't get to relax, you get a longer runway before your biggest payers are forced to move, which means you're deciding on your own timeline instead of theirs. That's actually the harder position to be in. Nobody is forcing your hand, so nobody is forcing the budget conversation either.
What manual prior authorization is actually costing you today
The direct cost is staff time, the indirect cost is patient outcomes and physician retention, and both numbers are worse than most executives assume. The AMA's physician survey found that 93% of physicians say prior authorization delays necessary care, and 89% say it contributes to burnout. A more recent AMA survey reported through the American Hospital Association found 32% of physicians now say PA requests are "often or always" denied, up from prior years. That denial rate matters for your business case in a specific way: every denial that gets appealed and eventually approved represents work you did twice, once to submit and once to fight the rejection, for a request that should have cleared the first time.
When we've scoped document-heavy operational work for healthcare and medical-legal clients, the pattern that shows up every time is the same one that drives PA costs: staff spend most of their time re-keying clinical data from an EHR into a payer portal, not making clinical judgments. That's the part worth automating first, and it's also the least controversial part, because nobody argues that a nurse's afternoon is well spent copying diagnosis codes into a web form. For Preferred Med Network, a medical-legal operations client, we automated document intake and case assignment end to end so agents handle the routine flow and escalate only when confidence is low or data is missing, which is roughly the same shape of problem as PA extraction and submission. That engagement is detailed on the case study page, and it saved the client roughly $300K a year, mostly by removing manual document handling rather than by adding anything exotic on the AI side.
Why some "AI prior authorization" is a legal and PR liability, not a solution
There's a hard line between AI that helps a human submit a request faster and AI that decides whether a patient gets care, and vendors selling PA automation don't always draw it clearly. The cautionary tale here is well known in healthcare circles but underused as a decision framework: ProPublica's 2023 investigation found that Cigna's PxDx system let a single physician deny up to 60,000 claims in a month, spending an average of 1.2 seconds per case. A subsequent class-action lawsuit alleged roughly 300,000 claims were denied over a two-month stretch in 2022, and Congress opened an inquiry within months. UnitedHealth's NaviHealth algorithm drew similar scrutiny over post-acute care denials. Neither of these is a story about AI failing technically. Both are stories about AI making a denial decision with no meaningful human review standing behind it, at scale, until regulators and reporters noticed.
The lesson for a health system evaluating PA vendors isn't "avoid AI." It's "know exactly which decision the AI is making." Extracting clinical data from an EHR, matching it to payer criteria, and pre-filling a submission form is a defensible, ROI-positive use of AI with a human approving the final send. Using AI to auto-deny or auto-approve a claim with no clinician review is the exact pattern that generated two of the highest-profile lawsuits in healthcare AI history. If a vendor's pitch doesn't clearly separate the two, ask them to point at the line in their own product where a human signs off before a denial goes out. If they can't show you that line, you've found the liability.
Should you buy a platform or build your own prior-auth automation
Off-the-shelf platforms like Notable Health, Surescripts, and Availity-type tools solve the generic version of this problem well: standard forms, common payer connections, a UI your staff can learn in a week. Where they get expensive is the long tail. Every health system has payer-specific quirks, EHR configurations, and specialty workflows that don't fit the vendor's default templates, and every change to that workflow goes through their roadmap, their release schedule, their support queue. You're renting a decision engine you don't fully control, built on data flows that route through a third party's infrastructure, priced on a subscription that scales with your claim volume forever.
The honest framework we use with clients making this call, the same one we walk through in our medical chronology software guide for a near-identical build-vs-buy decision, comes down to three questions. First, is your PA volume concentrated in a handful of payers and specialties, or spread thin across dozens? Concentrated volume justifies a custom build faster because the ROI compounds on a narrow surface. Second, do you need the audit trail and denial-reason documentation the CMS rule requires to live inside systems you control, for compliance and litigation-defense reasons, or is a vendor's black-box log good enough? Third, is your EHR integration mature enough (real FHIR endpoints, clean data mapping) that a custom build is mostly integration work, not months of data plumbing? If you answer yes to at least two of those, building something you own usually pays back faster than a multi-year subscription, and you're not locked into someone else's product decisions when the 2027 API mandate changes what "compliant" even means.
What has to be true before you automate
Diagnosing the workflow before touching a model is the step vendors skip and buyers regret skipping. Concretely, before any PA automation project starts, three things need to be true. Your EHR and payer connections need to support structured data exchange, not screen-scraping a portal that changes its layout every quarter. You need a clear map of which PA steps are safe to automate outright (clinical data extraction, form pre-fill, status checks) versus which need a human in the loop no matter how confident the system is (final submission, appeals, anything touching a denial). And you need an audit trail architecture that satisfies the CMS denial-reason mandate from day one, because retrofitting compliance logging into a system that's already live is far more expensive than building it in.
This is the same lesson that shows up in what a life sciences POC doesn't prepare you for: a pilot that works on twenty clean test cases falls apart the moment it meets messy real-world payer data, missing fields, or an edge case nobody scoped for. The fix isn't a smarter model, it's scoping the pilot narrow enough that you find those edge cases before you're relying on the system in production. We covered the broader version of this operational shift in our piece on agentic AI in healthcare operations, and prior authorization is the sharpest, most time-boxed version of that argument right now.
Data residency and PHI: why renting a black-box PA engine is the wrong trade
Every prior authorization request carries diagnosis codes, treatment history, and enough clinical detail to reconstruct a patient's condition, which means every PA automation decision is also a PHI-handling decision. Routing that data through a third-party SaaS platform means trusting their retention policy, their subprocessor list, and their breach-notification timeline, on top of trusting their model's accuracy. For a regulated health system, that's a lot of trust to extend to a vendor whose core incentive is claim volume, not your compliance posture.
The alternative worth taking seriously is running the extraction and drafting layer on self-hosted, open-source models on your own infrastructure, with a zero-data-retention policy enforced by architecture rather than a contract clause. This isn't about avoiding AI vendors on principle. It's about matching the sensitivity of the data to the control you have over where it goes, which is the same argument we make in more depth in our LLM security guide for enterprise deployments. For a health system, owning the model deployment means the CMS denial-reason audit trail lives on infrastructure you control, not in a vendor's logs you'd have to subpoena.
What a real pilot-to-production rollout looks like
Start with one payer and one specialty, not an enterprise-wide rollout. Pick the payer-specialty combination with the highest PA volume and the most standardized criteria, automate the extraction and form-fill for that single lane, and measure two numbers against your current baseline: turnaround time and denial rate. If turnaround time drops and denial rate holds steady or improves, you've proven the pattern on a small enough surface that a failure costs you weeks, not a compliance incident.
Only after that first lane is running cleanly for a few months do you add the second payer, the second specialty, the second EHR integration. This is slower than a vendor demo promising enterprise rollout in ninety days, and it's also the difference between a system that's still running in eighteen months and one your staff quietly routes around because it broke on payer number three and nobody trusted it after that. Tie your success metrics directly to what CMS is already going to ask you to report starting 2027: turnaround time and denial-reason completeness. If your pilot improves those numbers, you've built the compliance case and the ROI case with the same data.
If you're working through this decision now, whether to wait for a vendor's roadmap or build something you control before the 2027 deadline forces the issue, this is exactly what a Discovery phase is built to map out, and it's the kind of scoping work behind how we build AI agents for regulated operations. We're happy to compare notes.
Frequently asked questions
What is prior authorization automation and how does it actually work?
It's software that extracts clinical data from an EHR, matches it against a payer's coverage criteria, and pre-fills or submits the PA request electronically instead of a staff member re-keying it into a portal by hand. The defensible version keeps a human reviewing the submission before it goes out; the risky version lets a model make the approve/deny decision with no clinician checking it.
When do payers have to comply with the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F)?
Standard PA decisions must return within 7 days and expedited ones within 72 hours, with a specific denial reason, starting January 1, 2026. A FHIR-based Prior Authorization API is required by January 1, 2027. It applies to Medicare Advantage, Medicaid/CHIP, and ACA exchange (QHP) issuers, not traditional fee-for-service Medicare or most commercial employer plans.
Can AI legally deny a prior authorization or insurance claim?
Nothing in current law bars AI from assisting a denial decision, but letting a model deny claims with no meaningful clinical review is exactly the pattern that triggered the Cigna PxDx lawsuits and the resulting congressional inquiry. The safe, defensible design keeps a licensed reviewer making and signing the final denial decision, with AI handling extraction and matching only.
Should we buy a prior authorization automation platform or build our own?
Buy when your PA volume is spread thin across many payers and a generic template covers most of your cases. Build when your volume concentrates in a few payer-specialty combinations, when you need the compliance audit trail under your own control, and when your EHR integration is mature enough that a custom build is mostly integration work rather than months of data cleanup.
How much does manual prior authorization really cost a practice or health system in staff time?
The AMA's physician surveys put the burden in outcome terms rather than a single dollar figure: 93% of physicians say PA delays necessary care and 89% say it drives burnout, per AJMC's coverage of the AMA survey. With 32% of requests now "often or always" denied per the 2026 AHA-reported survey, a meaningful share of that staff time goes to appeals on requests that should have cleared the first submission.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
By
July 11, 2026
10 min read
Prior Authorization Automation Before the CMS 2027 Deadline



What the CMS 2026-2027 deadlines actually require
If you run a health system, medical group, or payer-facing operation, the compliance clock that matters right now is CMS-0057-F. Standard prior authorization decisions must come back within 7 calendar days starting January 1, 2026, expedited requests within 72 hours, and every denial has to include a specific reason, not a form letter. By January 1, 2027, in-scope organizations need a FHIR-based Prior Authorization API live, along with Payer-to-Payer and Provider Access APIs, and a new electronic-PA measure gets folded into MIPS and Medicare Promoting Interoperability reporting that same year. The CMS fact sheet lays this out plainly, and the final rule text is worth reading if you need the exact scope language for a board memo.
The nuance most buyers miss: this rule applies to Medicare Advantage organizations, Medicaid and CHIP (fee-for-service and managed care), and QHP issuers on the federally-facilitated exchanges. It does not, at least not yet, touch traditional fee-for-service Medicare or most commercial employer-sponsored plans. So if your patient mix skews commercial, you don't get to relax, you get a longer runway before your biggest payers are forced to move, which means you're deciding on your own timeline instead of theirs. That's actually the harder position to be in. Nobody is forcing your hand, so nobody is forcing the budget conversation either.
What manual prior authorization is actually costing you today
The direct cost is staff time, the indirect cost is patient outcomes and physician retention, and both numbers are worse than most executives assume. The AMA's physician survey found that 93% of physicians say prior authorization delays necessary care, and 89% say it contributes to burnout. A more recent AMA survey reported through the American Hospital Association found 32% of physicians now say PA requests are "often or always" denied, up from prior years. That denial rate matters for your business case in a specific way: every denial that gets appealed and eventually approved represents work you did twice, once to submit and once to fight the rejection, for a request that should have cleared the first time.
When we've scoped document-heavy operational work for healthcare and medical-legal clients, the pattern that shows up every time is the same one that drives PA costs: staff spend most of their time re-keying clinical data from an EHR into a payer portal, not making clinical judgments. That's the part worth automating first, and it's also the least controversial part, because nobody argues that a nurse's afternoon is well spent copying diagnosis codes into a web form. For Preferred Med Network, a medical-legal operations client, we automated document intake and case assignment end to end so agents handle the routine flow and escalate only when confidence is low or data is missing, which is roughly the same shape of problem as PA extraction and submission. That engagement is detailed on the case study page, and it saved the client roughly $300K a year, mostly by removing manual document handling rather than by adding anything exotic on the AI side.
Why some "AI prior authorization" is a legal and PR liability, not a solution
There's a hard line between AI that helps a human submit a request faster and AI that decides whether a patient gets care, and vendors selling PA automation don't always draw it clearly. The cautionary tale here is well known in healthcare circles but underused as a decision framework: ProPublica's 2023 investigation found that Cigna's PxDx system let a single physician deny up to 60,000 claims in a month, spending an average of 1.2 seconds per case. A subsequent class-action lawsuit alleged roughly 300,000 claims were denied over a two-month stretch in 2022, and Congress opened an inquiry within months. UnitedHealth's NaviHealth algorithm drew similar scrutiny over post-acute care denials. Neither of these is a story about AI failing technically. Both are stories about AI making a denial decision with no meaningful human review standing behind it, at scale, until regulators and reporters noticed.
The lesson for a health system evaluating PA vendors isn't "avoid AI." It's "know exactly which decision the AI is making." Extracting clinical data from an EHR, matching it to payer criteria, and pre-filling a submission form is a defensible, ROI-positive use of AI with a human approving the final send. Using AI to auto-deny or auto-approve a claim with no clinician review is the exact pattern that generated two of the highest-profile lawsuits in healthcare AI history. If a vendor's pitch doesn't clearly separate the two, ask them to point at the line in their own product where a human signs off before a denial goes out. If they can't show you that line, you've found the liability.
Should you buy a platform or build your own prior-auth automation
Off-the-shelf platforms like Notable Health, Surescripts, and Availity-type tools solve the generic version of this problem well: standard forms, common payer connections, a UI your staff can learn in a week. Where they get expensive is the long tail. Every health system has payer-specific quirks, EHR configurations, and specialty workflows that don't fit the vendor's default templates, and every change to that workflow goes through their roadmap, their release schedule, their support queue. You're renting a decision engine you don't fully control, built on data flows that route through a third party's infrastructure, priced on a subscription that scales with your claim volume forever.
The honest framework we use with clients making this call, the same one we walk through in our medical chronology software guide for a near-identical build-vs-buy decision, comes down to three questions. First, is your PA volume concentrated in a handful of payers and specialties, or spread thin across dozens? Concentrated volume justifies a custom build faster because the ROI compounds on a narrow surface. Second, do you need the audit trail and denial-reason documentation the CMS rule requires to live inside systems you control, for compliance and litigation-defense reasons, or is a vendor's black-box log good enough? Third, is your EHR integration mature enough (real FHIR endpoints, clean data mapping) that a custom build is mostly integration work, not months of data plumbing? If you answer yes to at least two of those, building something you own usually pays back faster than a multi-year subscription, and you're not locked into someone else's product decisions when the 2027 API mandate changes what "compliant" even means.
What has to be true before you automate
Diagnosing the workflow before touching a model is the step vendors skip and buyers regret skipping. Concretely, before any PA automation project starts, three things need to be true. Your EHR and payer connections need to support structured data exchange, not screen-scraping a portal that changes its layout every quarter. You need a clear map of which PA steps are safe to automate outright (clinical data extraction, form pre-fill, status checks) versus which need a human in the loop no matter how confident the system is (final submission, appeals, anything touching a denial). And you need an audit trail architecture that satisfies the CMS denial-reason mandate from day one, because retrofitting compliance logging into a system that's already live is far more expensive than building it in.
This is the same lesson that shows up in what a life sciences POC doesn't prepare you for: a pilot that works on twenty clean test cases falls apart the moment it meets messy real-world payer data, missing fields, or an edge case nobody scoped for. The fix isn't a smarter model, it's scoping the pilot narrow enough that you find those edge cases before you're relying on the system in production. We covered the broader version of this operational shift in our piece on agentic AI in healthcare operations, and prior authorization is the sharpest, most time-boxed version of that argument right now.
Data residency and PHI: why renting a black-box PA engine is the wrong trade
Every prior authorization request carries diagnosis codes, treatment history, and enough clinical detail to reconstruct a patient's condition, which means every PA automation decision is also a PHI-handling decision. Routing that data through a third-party SaaS platform means trusting their retention policy, their subprocessor list, and their breach-notification timeline, on top of trusting their model's accuracy. For a regulated health system, that's a lot of trust to extend to a vendor whose core incentive is claim volume, not your compliance posture.
The alternative worth taking seriously is running the extraction and drafting layer on self-hosted, open-source models on your own infrastructure, with a zero-data-retention policy enforced by architecture rather than a contract clause. This isn't about avoiding AI vendors on principle. It's about matching the sensitivity of the data to the control you have over where it goes, which is the same argument we make in more depth in our LLM security guide for enterprise deployments. For a health system, owning the model deployment means the CMS denial-reason audit trail lives on infrastructure you control, not in a vendor's logs you'd have to subpoena.
What a real pilot-to-production rollout looks like
Start with one payer and one specialty, not an enterprise-wide rollout. Pick the payer-specialty combination with the highest PA volume and the most standardized criteria, automate the extraction and form-fill for that single lane, and measure two numbers against your current baseline: turnaround time and denial rate. If turnaround time drops and denial rate holds steady or improves, you've proven the pattern on a small enough surface that a failure costs you weeks, not a compliance incident.
Only after that first lane is running cleanly for a few months do you add the second payer, the second specialty, the second EHR integration. This is slower than a vendor demo promising enterprise rollout in ninety days, and it's also the difference between a system that's still running in eighteen months and one your staff quietly routes around because it broke on payer number three and nobody trusted it after that. Tie your success metrics directly to what CMS is already going to ask you to report starting 2027: turnaround time and denial-reason completeness. If your pilot improves those numbers, you've built the compliance case and the ROI case with the same data.
If you're working through this decision now, whether to wait for a vendor's roadmap or build something you control before the 2027 deadline forces the issue, this is exactly what a Discovery phase is built to map out, and it's the kind of scoping work behind how we build AI agents for regulated operations. We're happy to compare notes.
Frequently asked questions
What is prior authorization automation and how does it actually work?
It's software that extracts clinical data from an EHR, matches it against a payer's coverage criteria, and pre-fills or submits the PA request electronically instead of a staff member re-keying it into a portal by hand. The defensible version keeps a human reviewing the submission before it goes out; the risky version lets a model make the approve/deny decision with no clinician checking it.
When do payers have to comply with the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F)?
Standard PA decisions must return within 7 days and expedited ones within 72 hours, with a specific denial reason, starting January 1, 2026. A FHIR-based Prior Authorization API is required by January 1, 2027. It applies to Medicare Advantage, Medicaid/CHIP, and ACA exchange (QHP) issuers, not traditional fee-for-service Medicare or most commercial employer plans.
Can AI legally deny a prior authorization or insurance claim?
Nothing in current law bars AI from assisting a denial decision, but letting a model deny claims with no meaningful clinical review is exactly the pattern that triggered the Cigna PxDx lawsuits and the resulting congressional inquiry. The safe, defensible design keeps a licensed reviewer making and signing the final denial decision, with AI handling extraction and matching only.
Should we buy a prior authorization automation platform or build our own?
Buy when your PA volume is spread thin across many payers and a generic template covers most of your cases. Build when your volume concentrates in a few payer-specialty combinations, when you need the compliance audit trail under your own control, and when your EHR integration is mature enough that a custom build is mostly integration work rather than months of data cleanup.
How much does manual prior authorization really cost a practice or health system in staff time?
The AMA's physician surveys put the burden in outcome terms rather than a single dollar figure: 93% of physicians say PA delays necessary care and 89% say it drives burnout, per AJMC's coverage of the AMA survey. With 32% of requests now "often or always" denied per the 2026 AHA-reported survey, a meaningful share of that staff time goes to appeals on requests that should have cleared the first submission.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.
Tell us where the manual work hurts
We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.