Prior Authorization for Billing Companies

Prior Authorization for Medical Billing Companies

Short answer

Prior authorization is a clinical, pre-service decision: a practice or its staff contacts the payer before rendering a service and gets approval. Billing companies do not submit those requests. What billing companies own is everything that happens after the appointment — confirming the authorization number exists on the claim, catching mismatches between the approved service and what was actually billed, and working the denials that arrive when something went wrong upstream.

The volume of authorization-related work is substantial. Medicare Advantage insurers processed nearly 53 million prior authorization requests in 2024, denying 7.7 percent of them, according to KFF. The 2026 CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) shortens payer decision timelines and mandates new FHIR APIs, which will change the upstream process — and therefore the downstream denial patterns billing companies manage.

Sources: KFF Medicare Advantage Prior Authorization 2024; CMS CMS-0057-F fact sheet

---

What prior authorization actually is — and who does it

Prior authorization is a payer's mechanism for reviewing whether a planned service meets coverage criteria before the service occurs. The treating provider — or their office staff — submits the request through a payer portal, fax, phone call, or increasingly an electronic transaction. The payer reviews it and issues an approval, denial, or request for more information.

This is clinical and administrative work that lives entirely within the practice workflow. It happens before the patient visit. It requires clinical documentation, diagnosis rationale, and treating-provider credentials. A billing company that is handed a completed encounter has no practical path to submit a prior authorization retroactively, and payers generally will not accept retroactive submissions.

The billing company's relationship with prior authorization starts when the claim arrives for submission — and the authorization number either is or is not present, and either does or does not match the services billed.

Sources: CMS Prior Authorization API FAQ

---

The administrative burden that creates the denial volume

The scale of prior authorization work across the healthcare system explains why authorization-related denials are a persistent category for billing companies. The AMA's 2025 prior authorization physician survey — administered in December 2024 among 1,000 practicing physicians — found that practices complete an average of 40 prior authorizations per week and spend an average of 13 hours of physician and staff time on them weekly. Two in five physicians employ staff dedicated exclusively to prior authorization. Nearly three in four (74 percent) report that denials have increased over the past five years.

That burden produces errors. When a practice is processing dozens of authorizations per week across multiple payers, each with its own portal, approval identifier format, and scope language, mismatches reach claims at a predictable rate. The authorization number gets omitted from the claim. The approved CPT code differs from what was ultimately billed. The authorization expired between approval and service. Each scenario lands on the billing company as a denial to work.

Sources: AMA 2025 Prior Authorization Physician Survey; AMA press release

---

Authorization-related denial codes billers see most

When a claim is denied for an authorization problem, the payer communicates the reason through a Claim Adjustment Reason Code (CARC) in the X12 835 remittance transaction. CARCs are maintained by the Washington Publishing Company (WPC) on behalf of X12 and updated quarterly. The codes billing companies encounter most often in the authorization category are:

CARC 197 is the most common — it means the payer found no authorization record tied to the submitted code, date of service, and patient plan. CARC 15 typically means an authorization exists but the number on the claim is wrong or does not match the service. CARC 284 and 296 flag scope mismatches: the authorization was approved for a different code or a different rendering provider than what appears on the claim.

Each of these denials requires the billing company to go back to the practice, confirm what the authorization actually covered, and either correct and resubmit or initiate an appeal. None of them can be resolved by the billing company acting alone — the authorization record lives in the payer's system and the practice's workflow.

Sources: X12 Claim Adjustment Reason Codes; WPC CARC reference

---

The 2026 CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F)

CMS published the Interoperability and Prior Authorization Final Rule (CMS-0057-F) on January 17, 2024. It applies to Medicare Advantage organizations, state Medicaid and CHIP fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers on the Federally Facilitated Exchanges.

Key provisions and their effective dates:

• January 1, 2026: Impacted payers must issue standard prior authorization decisions within seven calendar days (reduced from 14) and urgent decisions within 72 hours. Payers must also provide a specific reason for any denial, regardless of whether the request came in through a portal, fax, phone, or other channel. Public reporting of prior authorization metrics begins.
• March 31, 2026: First set of public PA performance metrics due.
• January 1, 2027: Full compliance deadline for FHIR-based API implementation. Payers must have a Prior Authorization API, Patient Access API, Provider Access API, and Payer-to-Payer API live in production.

The API requirement is what changes the upstream process for practices. When payers expose FHIR-based prior authorization APIs, EHR systems and dedicated PA platforms can submit and receive decisions programmatically rather than through portals and fax. In theory, this reduces errors in the authorization record — fewer mismatched approval identifiers, fewer missed submissions — which should reduce the downstream denial volume billing companies absorb.

In practice, the transition will take years. CMS issued enforcement discretion in February 2024 for the HIPAA requirement to use the X12 278 standard as part of an electronic FHIR prior authorization process, meaning payers that choose the FHIR path are not required to route through X12 278. The interoperability plumbing is being built during 2025 and 2026, and denial patterns will not shift overnight.

Sources: CMS CMS-0057-F fact sheet; CMS CMS-0057-F main page

---

Gold-carding programs

Gold carding is a practice some payers and states have adopted to reduce prior authorization friction for providers with consistently high approval rates. A provider who has had, typically, 90 percent or more of their authorization requests approved over a qualifying lookback period is exempted from the prior authorization requirement for those services for a period of time.

CMS has encouraged Medicare Advantage plans to implement gold-carding programs voluntarily. At the state level, as of late 2024 at least eight states had passed gold card legislation — including Arkansas, Colorado, Illinois, Louisiana, Michigan, and Texas, among others — though implementation specifics and covered service types vary by state. Texas extended its gold-card lookback period from six months to one year. UnitedHealthcare launched a national Gold Card program in October 2024, requiring a 92 percent approval rate over a two-year lookback.

For billing companies, gold carding matters because it can reduce the authorization-tracking overhead for specific provider-payer combinations. A rendering provider who holds gold card status with a given plan does not need an authorization number attached to covered claims for those services. That means one fewer field to validate before submission — but it also means the billing company needs to know which of their client providers hold gold card status with which payers, and for which codes. That tracking burden falls on the billing company if the practice does not proactively communicate it.

Sources: CMS encouragement of MA gold carding; State gold card legislation overview

---

The multi-practice tracking problem

The upstream authorization process has always been fragmented. Each practice uses a different EHR or practice management system. Each payer has a different portal. Authorization numbers come back in different formats and get stored in different fields — or sometimes just in a notes field, or in a staff member's head. When the claim arrives at the billing company, the authorization context arrives with whatever the practice exported.

Managing one practice through one EHR is hard enough. Managing twenty or fifty practices across different systems multiplies the problem. A billing company with 30 client practices is dealing with 30 different workflows for authorization tracking, 30 different ways an auth number might or might not appear on the superbill or encounter export, and 30 different staff members who may or may not have confirmed authorization status before the appointment.

The practical result: billing companies cannot rely on client practices to deliver clean authorization data. They need a workflow layer that surfaces authorization gaps before submission — flagging claims where a covered service typically requires authorization but no auth number is present — and that routes authorization-related denials into a structured work queue where staff can track the status of the appeal or correction request without losing the thread.

Sources: AMA 2025 Prior Authorization Physician Survey; KFF Medicare Advantage Prior Authorization 2024

---

How Medi handles authorization workflows for billing companies

Medi is a billing-company-first RCM platform. It does not submit prior authorization requests to payers — that work belongs in payer portals, practice EHRs, or a dedicated PA platform. What Medi does is manage the billing-side of the authorization problem.

At the claim level, Medi tracks authorization status as a first-class field. When a claim arrives without an authorization number for a service that typically requires one, the claim surfaces in the pre-submission review queue so staff can resolve it before the claim goes out. When a denial arrives with an auth-related CARC (197, 15, 284, or others), it routes to the per-line denial queue with the denial code, the payer's denial reason, and the claim context already assembled — no manual triage required.

For billing companies managing many practices, this means authorization-related denials are visible across all client practices in a single work queue, not buried in per-practice worklists. Staff working a 197 denial on a client's claim can see the auth status recorded at intake, the denial reason from the ERA, and the resubmission history in one place.

Medi does not replace the authorization submission workflow. It operates on the other side of that boundary — ensuring that what practices submit actually matches what billing companies bill, and that denials get worked, not just logged.

• Denial management workflow guide
• See a demo

---

When Medi is not the right fit

Medi is the wrong tool if your primary problem is authorization submission volume — getting requests to payers faster, auto-populating authorization forms from clinical notes, or tracking payer decisions through a submission platform. That work requires clinical context Medi does not hold.

Purpose-built prior authorization platforms (sometimes called PA automation platforms) focus on the submission side: pulling clinical data from the EHR, submitting via payer portal or API, tracking turnaround times, and escalating stalled requests. Some EHR vendors have built this directly into their workflow. Dedicated vendors — operating at the PA submission layer — are the right fit for that problem.

Medi is the right fit when the authorization submission process is already handled and you need the billing workflow layer: tracking auth status at the claim level, catching mismatches before submission, and working auth denials efficiently across many client practices.

---

Frequently asked questions

Does Medi submit prior authorizations?

No. Medi does not submit prior authorization requests to payers. Prior authorization submission is a pre-service, clinical workflow that requires treating-provider credentials and clinical documentation. It belongs in the practice EHR, a payer portal, or a dedicated PA platform. Medi operates after that step — tracking whether an authorization exists on the claim, flagging mismatches before submission, and routing auth-related denials into a structured work queue.

What is CMS-0057-F?

CMS-0057-F is the 2024 CMS Interoperability and Prior Authorization Final Rule. It applies to Medicare Advantage plans, Medicaid and CHIP programs, and Qualified Health Plans on Federally Facilitated Exchanges. Starting January 1, 2026, covered payers must issue standard prior authorization decisions within seven calendar days and urgent decisions within 72 hours, and must provide specific denial reasons. By January 1, 2027, covered payers must have FHIR-based prior authorization, patient access, provider access, and payer-to-payer APIs live in production. The rule does not directly regulate billing companies — it regulates payers — but it changes the upstream authorization process that billing companies work around.

What denial code means a missing authorization?

CARC 197 — "Precertification/authorization/notification/pre-treatment absent" — is the most common code for a claim denied because no authorization record was found. CARC 15 means an authorization number was submitted but is missing, invalid, or does not apply to the billed service or provider. CARC 284 means the authorization number may be valid but does not match the billed services. These codes are maintained by the Washington Publishing Company (WPC) on behalf of X12 and published at x12.org/codes/claim-adjustment-reason-codes.

What is gold carding?

Gold carding is a payer program that exempts providers with high prior authorization approval rates from the authorization requirement for specific services. Qualification thresholds vary, but a common benchmark is a 90 percent or higher approval rate over a qualifying lookback period. As of late 2024, at least eight states have passed gold card legislation, and some commercial payers — including UnitedHealthcare — have implemented national programs. For billing companies, gold card status on a provider-payer-code combination means claims for those services can go out without an authorization number. Tracking which providers hold gold card status with which payers is part of the pre-submission validation workflow.

How does CMS-0057-F affect the denials billing companies work?

The rule requires payers to provide a specific denial reason for every prior authorization decision starting January 1, 2026, regardless of how the request was submitted. That requirement should produce more specific CARC and denial reason combinations on 835s — giving billing companies more information to work with when a denial arrives. The FHIR API mandate, effective January 1, 2027, is the longer-term change: when authorization requests and decisions flow through structured APIs rather than portals and fax, the authorization number that reaches the claim should be more accurate, which should reduce certain CARC 15 and CARC 197 volumes over time. The transition will be gradual.

Can a billing company appeal an authorization denial?

Yes, and it is often worth doing. KFF found that more than 80 percent of Medicare Advantage prior authorization denials that were appealed were overturned in 2024 — yet only 11.5 percent of denials were appealed. The gap between the overturn rate and the appeal rate represents revenue that practices and billing companies are leaving on the table. A structured denial workflow that tracks auth-related denials, their appeal deadlines, and their resolution status is how billing companies capture that revenue systematically rather than on a case-by-case basis.