AI prior authorization: regulatory map and design pattern

Payers use AI to triage prior-authorization requests against medical-necessity criteria, evidence guidelines and member benefit terms. The AI scores requests on likelihood of approval given the documentation provided, routes high-confidence approvals for fast-track and queues complex cases for clinical review. The AI does not, in compliant deployments, deny requests autonomously.

The boundary that matters: AI can recommend approval (low risk if wrong) but should not finalise denial without licensed clinician review. Multiple US enforcement actions and class-action settlements in 2023 and 2024 turned on this distinction.

CMS-0057-F, finalised January 2024, applies to Medicare Advantage, state Medicaid and CHIP managed-care, Medicaid fee-for-service, and federally facilitated marketplace QHP issuers. Key requirements: 72-hour turnaround for expedited prior-authorization decisions, 7-calendar-day for standard, mandatory inclusion of specific reason for denial, and a Prior Authorization API that providers can query electronically [1].

The rule does not regulate AI use directly. CMS's parallel guidance and a January 2024 letter to Medicare Advantage organisations make clear that algorithms or software tools cannot themselves issue denials of medically necessary care. The denial must rest on individual circumstances and licensed clinician judgment.

For European insurers running prior-authorization flows in life and health insurance, Annex III 5(b) of Regulation (EU) 2024/1689 makes risk-assessment and pricing AI high-risk. Authorization is closely adjacent to coverage-and-pricing decisions and supervisors are likely to read 5(b) broadly when authorisation determines actual access to covered services.

If high-risk classification engages, Chapter III obligations apply: risk-management, data governance, technical documentation, logging, transparency, human oversight, accuracy and post-market monitoring. Article 14 human-oversight is the active obligation: authorisation denials must remain a human decision.

An automated denial of healthcare authorization produces legal effects. Article 22 GDPR engages directly. The patient must have access to human intervention, contest, and meaningful information about the logic, significance and envisaged consequences. The 2024 EDPB guidelines and the SCHUFA judgment (C-634/21) extend the perimeter: where a probability score plays a determining role in the final decision, the score itself is an Article 22 automated decision [2].

Special-category processing also engages: prior auth uses Article 9 data (health), and processing requires both Article 6 and Article 9 conditions. Article 9(2)(h) for healthcare provision plus Member State health-insurance law is the typical basis.

Five elements. Pre-approval automation only: AI can fast-track approvals where confidence is high, but cannot deny. Mandatory licensed-clinician review on every potential denial, with the clinician having full medical record and authority to override. Visible reason-for-denial in the patient and provider notice (CMS-0057-F requirement, also good Article 22 practice). Audit log capturing input data, AI score, clinician identity and override events. Performance monitoring including approval-rate parity across demographic groups and clinical specialties.

The most common enforcement risk is policy drift: an automated-approval band that creeps wider over time, or a clinician-review step that becomes rubber-stamping. Both are visible in audit logs if the logs exist; both are invisible if they do not.

Impetora's TRACE methodology covers the four artefacts payers and supervisors examine: a documented intended-purpose statement that keeps AI on the approval side, a clinical-review policy with measurable independence, an audit-log specification and retention plan, and a fairness-monitoring protocol covering protected classes and clinical specialties. Trust covers the contractual layer including processor agreements; Citations and Evidence covers the audit trail.