Your doctor says you need an MRI, a specialty drug, or a procedure. Then someone says: "We have to get it authorized first." Days pass. Maybe weeks. That waiting room limbo is prior authorization — your insurer requiring approval before certain care, or it won't pay.
Why does it exist? The payer's stated reason: making sure expensive care is medically necessary and matches your plan's rules before money moves. The lived experience for many patients: delay, opaque denials, and your doctor's staff re-faxing the same forms. Both are real. Prior authorization is one of the most complained-about processes in American healthcare — by patients and physicians — which is why federal rules finally targeted it.
What actually happens behind the scenes: your doctor's office assembles evidence (your diagnosis, history, what was tried first) and sends it to your payer. Historically that meant faxes, phone calls, and portals — every payer different. The payer's reviewers check it against coverage policy and answer: approved, denied, or "send more information."
What changed, and when:
- Since January 2026 (for Medicare Advantage and Medicaid/CHIP plans): decision clocks are law — generally 72 hours for urgent requests and 7 calendar days for standard ones — and denials must come with a specific reason, not just a code. Payers also began publicly reporting their approval, denial, and turnaround numbers (first reports were due March 31, 2026).
- By January 1, 2027: those payers must run prior authorization through standard FHIR APIs — the request, the evidence, and the status all machine-readable — and your own plan's app-accessible records must show your prior-auth status.
What this doesn't change: prior authorization still exists, payers still decide, and a technically compliant API can still sit atop a slow review process. What it does change is visibility and plumbing — your status becomes something you (and your doctor's software) can look up rather than wait to hear about, and delays become measurable and public.
The plumbing standard behind that machine-readable request is called PAS (Prior Authorization Support). Testing whether a PAS request is well-formed — before it ever carries real patient data — is exactly what this site's Validation Workbench does, using synthetic examples only.