Denial patterns differ materially between professional (837P) and institutional (837I) claims — institutional denials skew toward medical necessity and DRG downcoding, while professional denials cluster on coding specificity and prior auth. A single model trained across all claim types averages away the segment-specific signal. Emergency department and ancillary claims also carry No Surprises Act balance-billing exposure that changes the cost function for a false-negative denial prediction.

Denial behavior varies by payer more than by any other single feature — the same CPT/ICD-10 combination that one payer routinely pays will reliably deny at another. Auburn Community Hospital's documented greater-than-10x ROI on denial prediction came from payer-specific learning, not a generic model. A generic national model trained on an average payer mix is systematically wrong for any specific facility because payer contract terms are the signal.

HFMA / Crowe LLP estimated US payers denied $262B in claims in 2022, and Kaufman Hall survey data puts denial impact at 1–3% of net revenue for most health systems. Without a dollar-denominated baseline, denial-prevention programs tend to optimize on denial count, which misprices the P&L impact — high-dollar DRG denials are worth disproportionately more attention than high-volume low-dollar professional denials. At $57.23 average rework cost per denial (Premier / Aptarro 2023, up 31% from $43.84 in 2022), even the administrative cost alone justifies a measured baseline.

CMS-0057-F formally begins phasing in January 1, 2026, including electronic prior authorization API requirements with decision-response time limits (72 hours standard / 7 days for standard requests in some contexts). The pre-submission denial check is a different latency problem — it runs inside the coder's workflow and needs to be fast enough not to break their flow, or it is simply turned off. Matching the latency budget to the actual human workflow is the single most predictive factor in whether the model gets used.

HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164) apply any time identifiable PHI is processed, and OCR enforcement has consistently treated ML training data as in-scope when it contains names, dates of service, MRNs, or other Safe Harbor identifiers. The Change Healthcare 2024 breach — 100M+ records — illustrates the downside of scope that extends into a concentrated cloud vendor. De-identification under 164.514 Safe Harbor materially reduces scope but must be done correctly (all 18 identifiers removed, no re-identification risk) or it provides no protection.

CMS-0057-F requires impacted payers (Medicare Advantage, Medicaid, CHIP, QHP on the exchanges) to implement FHIR-based Prior Authorization API, Patient Access API, Provider Access API, and Payer-to-Payer API, with denial transparency requirements beginning to phase in on January 1, 2026. Providers interoperating with these APIs must be able to ingest structured denial reasons and prior auth decisions, and denial prediction models that do not exploit the new structured signal are leaving a measurable accuracy lift on the table. The rule also shortens standard prior auth decision timeframes, changing the cost of a slow denial model.

Integration surface dominates delivery risk in revenue cycle AI. Epic and Oracle Health (Cerner) are the dominant EHR-integrated billing platforms and are increasingly bundling commodity denial AI natively, which both defines the baseline competitive bar and determines the integration path (Epic App Orchard, Oracle Health Millennium open platform, etc.). Post-Change-Healthcare, many providers have deliberately diversified clearinghouses to Waystar or Availity — the current integration mix is often a live migration in progress rather than a steady state.