Prior authorization workflows vary by an order of magnitude in clinical evidence depth across service categories — a knee MRI is largely criteria-template driven, while an oncology regimen requires multi-drug pathway reasoning across NCCN guidelines and payer compendia. Cohere Health reported 83% auto-approval on its Geisinger deployment in part because it scoped aggressively to high-volume imaging and musculoskeletal first. Trying to one-size a single agent across all categories is the most common cause of stalled rollouts.

The AMA 2024 Prior Authorization Physician Survey found the average physician handles 39 PA requests per week consuming 13 staff hours. Without a measured baseline of volume, first-pass approval rate, and days-to-decision, there is no way to validate the vendor claim of 60–80% auto-approval or attribute ROI. Baselines also reveal whether the cost is in the submission workflow or the appeal workflow — the optimization lever differs.

CMS-0057-F took effect January 1, 2026 and requires impacted Medicare Advantage, Medicaid, and ACA marketplace payers to decision urgent PAs within 72 hours and standard PAs within 7 calendar days, with full FHIR API requirements phasing in by January 1, 2027. Health-system workflows that cannot hit those windows force payers to default-deny or delay care, exposing both sides to CMS scrutiny. Setting an internal SLA tighter than the regulatory floor is the only way to create operational headroom for edge cases.

CMS-0057-F compliance obligations only apply to Medicare Advantage, Medicaid, CHIP, and ACA QHP payers — commercial payers are moving at their own pace and many still require portal or fax. An autonomous workflow that only handles FHIR-based payers leaves a long tail of volume unhandled, while one that tries to automate every portal is a fragile scraper farm. Scoping the payer list honestly up front is the single biggest determinant of realized auto-approval rate.

HIPAA (45 CFR 160/164) and the Security Rule apply to every inference call in a multi-agent PA workflow because each step processes PHI. A single LLM call to a provider without a BAA is a reportable breach under the Breach Notification Rule, and OCR enforcement settlements routinely hit seven figures. Architectures that "just use the OpenAI API" for criteria classification have been the source of several public HIPAA incidents in 2024–2025. The scope boundary must be decided before any agent is coded.

California SB 1120 (signed September 2024, effective January 1, 2025) requires that coverage denials based in whole or part on AI be reviewed by a licensed physician with the authority to overturn the denial, and several other states are following. On the provider side, the analogous risk is an autonomous workflow that forgoes clinician review and submits a criteria determination that harms a patient. Most published Cohere/Geisinger-style successes explicitly keep clinician-in-loop for denials — the 83% auto-approve number reflects the approval path only.

Epic and Oracle Health together cover roughly 70% of US hospital beds, and both expose FHIR R4 endpoints sufficient to power the extraction agent — but the integration path (App Orchard app vs. on-prem FHIR server vs. HL7 v2 gateway) materially changes the build cost and the PHI boundary. Teams that plan for a generic FHIR integration and discover mid-build that their Epic contract requires an App Orchard listing typically lose 3–6 months.

CMS-0057-F mandates FHIR API-based electronic PA for impacted payers with the operational provisions effective January 1, 2026 and the full API obligations effective January 1, 2027. Da Vinci PAS, CRD, and DTR are the HL7 FHIR implementation guides that instantiate the rule — PAS for submission, CRD for coverage discovery at the point of order, DTR for structured documentation templates. A workflow designed only around portal scraping will be obsolete within the life of the build, but a workflow that assumes every payer supports FHIR on day one will fail on commercial volume.