PCOOB Weekly — April 25, 2026 | Three Federal Clocks, Fifty State Rules

PCOOB Weekly — April 25, 2026 | Issue 2

Three Federal Clocks, Fifty State Rules: The Prior Authorization Paradox Health Plans Cannot Ignore

CMS has built a federal automation mandate, launched an AI pilot in traditional Medicare, and lost a legislative battle to preempt the state laws that directly contradict both.

Independent analysis for U.S. health plan leaders | Payer compliance, operations, oversight, governance

In this edition

01 A governance architecture problem, not a compliance calendar problem 02 The 22-point WISeR approval gap: what the data reveals 03 Three federal signals, 18 state laws: the collision map 04 The federal automation stack: CMS-0057-F, CMS-0062-P, WISeR 05 The state counterforce and the preemption that failed 06 What plans are underestimating: FDR exposure and decision governance

The thesis

The prior authorization system has never been especially coherent. But it has reached a new level of structural contradiction. Health plans now face three distinct federal signals about PA — all pointing toward automation and AI — while 18 states and counting have passed or proposed laws restricting exactly that.

The attempt to resolve this contradiction through a federal preemption play failed, spectacularly, in a Senate vote of 99 to 1. Plans are left to operate in both realities simultaneously.

This is not a compliance calendar problem. It is a governance architecture problem. And the plans that treat it as the former will spend significant money solving the wrong thing.

The architecture question is concrete: in every automated PA workflow the plan or its delegates operate, who owns the adverse decision, what standard governs it, and how does that accountability vary by state and line of business? If the plan cannot answer that question cleanly, the FHIR API is an infrastructure investment without a governance foundation underneath it.

“The API gets the request there faster. The state law determines who — or what — can say no.”

PCOOB Weekly editorial judgment

“Plans that treat this as a compliance calendar problem will spend significant money solving the wrong thing.”

Core thesis, April 25, 2026

The WISeR approval gap — what AI alone produces

62%

84%

In Texas, the CMS WISeR AI pilot approved 62% of prior authorization requests initially. After human clinical review, approval climbed to 84%. The 22-percentage-point gap is not a rounding error. It is a quantified measure of what automated adverse decisions produce when AI alone sets the threshold — and the exact gap state laws across 18 states are designed to prevent.

Compliance Alert

The three-layer federal mandate

Three federal clocks are already running. Most plans have mapped only one.

0057-F

Effective Jan 2026 / API Jan 2027

FHIR-based Prior Authorization APIs required for MA plans, Medicaid MCOs, CHIP entities. 72-hr expedited, 7-day standard PA turnarounds already active as of January 1, 2026.

0062-P

Proposed April 2026 / Comment June 15

Extends FHIR and NCPDP PA framework to drug prior authorizations. Medical-benefit drugs via FHIR. Pharmacy-benefit drugs via NCPDP SCRIPT, F&B, and RTPB standards. Deadline: October 1, 2027.

WISeR

Live Jan 2026 / 6 States / FOIA Suit

CMMI AI prior authorization pilot in traditional Medicare. Vendors paid up to 20% of savings from denied services. Active in AZ, NJ, OH, OK, TX, WA. EFF FOIA lawsuit filed for model documentation.

The three mandates are not coordinated by design. CMS-0057-F is a final rule with operational requirements already in effect. CMS-0062-P is a proposed rule in active comment period. WISeR is a CMMI demonstration with its own governance structure and performance-based vendor incentives.

Plans that have scoped only the CMS-0057-F FHIR API have addressed one-third of the federal PA obligation. The drug PA extension in CMS-0062-P adds pharmacy-benefit workflows many plans have not yet begun to scope. WISeR adds a third layer: AI decision governance in traditional Medicare in the exact states where state-level clinical review requirements also apply.

The comment period for CMS-0062-P closes June 15, 2026. Plans operating in the six WISeR states — Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington — are simultaneously subject to the CMMI pilot requirements and state laws governing AI adverse decisions. The compliance intersection is active, not theoretical.

Medicare Advantage insurers alone made nearly 53 million prior authorization determinations in 2024. At that volume, even a small calibration difference between automated and clinical-review approval rates generates material appeals exposure.

pcoob_weekly — federal_automation_stack.sh

// Federal PA automation stack — compliance trace

$ audit federal_pa_requirements –all –as-of 2026-04-25

Scanning federal PA mandates…

→

CMS-0057-F (Jan 2024 Final Rule): FHIR PA APIs required by Jan 1, 2027. Operational: 72hr expedited / 7-day standard decisions — live Jan 1, 2026. Applies to MA, Medicaid MCOs, CHIP, QHP on FFE.

→

CMS-0062-P (Apr 14, 2026 Proposed Rule): Drug PA extended to FHIR (medical benefit) + NCPDP SCRIPT / F&B / RTPB (pharmacy benefit). October 1, 2027 deadline. Comment period closes June 15, 2026.

→

WISeR Model (CMMI, Jan 1, 2026): AI-driven PA in traditional Medicare — AZ, NJ, OH, OK, TX, WA. Vendors: up to 20% of denial savings. EFF FOIA suit filed. TX pilot: 62% AI approval → 84% after human review.

→

State counterforce (concurrent): 18 states with active PA legislation since Jan 2025. Arizona requires human verification of PA denials. Maryland: AI claims management oversight. 10 states passed PA reform in 2024.

WARNING: Governance alignment not confirmed across all state-PA-AI intersections.

$ check fdr_delegate_accountability –include-pbm –include-um

# FDR exposure: delegate AI-adverse decisions → plan regulatory exposure

Status: REQUIRES REVIEW

53M

MA prior authorization determinations in 2024 (KFF). At this volume, a 22-point approval gap means tens of millions of additional denials annually in a fully automated system.

States with active PA legislative action since January 2025. Six of those states are also WISeR pilot states.

99-1

Senate vote removing the 10-year state AI law enforcement moratorium from the reconciliation bill. The federal preemption strategy did not survive floor consideration.

20%

Maximum vendor compensation rate for savings generated from denied WISeR services. Performance-based denial incentives embedded in the pilot structure.

The state counterforce

Eighteen states have answered the federal automation signal with their own requirement: a human must verify the decision.

At the same time that CMS has built its federal automation stack, the states have been moving in a different direction. Since January 2025, at least 18 states have taken legislative action on prior authorization. Arizona now requires a human to verify claims denials and rejected PA requests. Maryland established oversight requirements for AI used in claims management. Arizona and Indiana have set PA turnaround requirements that, if missed by the insurer, result in automatic approval.

None of this is necessarily inconsistent with the federal goal of faster PA decisions. But it is directly inconsistent with the idea that AI-driven adverse decisions can stand without human clinical accountability. Plans operating in states with these requirements cannot satisfy them purely by meeting the FHIR API mandates in CMS-0057-F. The API gets the request there faster. The state law determines who — or what — can say no.

The Trump administration understood the tension and attempted to resolve it legislatively. A provision in the House reconciliation bill would have banned enforcement of state AI laws for 10 years. It was removed from the final package by a Senate vote of 99 to 1. The administration has since pursued an executive order directing the establishment of an AI Litigation Task Force and threatening to withhold discretionary federal funding from states with “onerous” AI regulations — but this remains an unsettled legal front, not a resolved one.

Plans cannot wait for that litigation to conclude. State laws are active today. The governance question must be answered in the current regulatory environment — not the one the Trump administration hoped to create.

Compliance insight

Plans operating in Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington face both the WISeR pilot AI requirements and state-level clinical review mandates simultaneously. These are not separate compliance workstreams. They converge on the same question: who owns the adverse decision.

Operational insight

The PA turnaround mandates from CMS-0057-F create pressure to automate. State laws create pressure to keep a human in the decision loop. Staffing, workflow, and system architecture all need to accommodate both simultaneously — and current PA vendor configurations may not.

FDR / governance insight

PBMs and UM delegates operating AI-driven PA workflows carry regulatory exposure back to the plan. FDR oversight must now verify that delegate decision logic meets state clinical review standards — not just federal API compliance timelines.

Legal / risk insight

The 10-year state AI moratorium was removed 99-1. The executive order is an enforcement threat, not a legal ruling. State laws are the operative compliance environment today and for the foreseeable future.

“

The preemption that failed

“The real problem is decision logic governance. When PA workflows are automated and the system generates a denial recommendation, the legal accountability question is who owned that decision and what standard did they apply.”

PCOOB Weekly — April 25, 2026

The reconciliation bill’s proposed 10-year moratorium on state AI law enforcement was not a minor procedural casualty. It was the administration’s primary legislative strategy for resolving the federal-state AI tension at scale. The 99-1 Senate vote signals broad, bipartisan resistance to preempting state authority over AI governance in healthcare — a signal that the legal landscape will remain fragmented for years.

The executive order creating an AI Litigation Task Force represents a secondary approach: use enforcement pressure and potential federal funding leverage to discourage states from maintaining restrictive AI laws. Whether this succeeds is uncertain and contested. What is certain is that no final legal clarity exists today, and plans that defer governance architecture decisions while waiting for it will face a compressing compliance window.

Plans in WISeR states should note that the pilot’s AI decision framework and the state clinical review requirements are simultaneously active. CMS has not reconciled these two obligations at the plan level. That reconciliation falls to the plan.

Jan 2024

CMS-0057-F final rule published. FHIR PA API compliance set for Jan 2026 (later delayed to Jan 2027).

Jan 2025+

18 states take legislative action on PA. Arizona passes human verification requirement for PA denials.

Jan 1, 2026

CMS-0057-F operational provisions take effect (72hr / 7-day PA turnarounds). WISeR AI pilot launches in 6 states.

2026

Reconciliation 10-year AI moratorium removed 99-1. Trump EO creates AI Litigation Task Force. EFF sues CMS over WISeR.

Apr 14, 2026

CMS-0062-P proposed rule published. Drug PA extended to FHIR/NCPDP framework. Comment deadline: June 15, 2026.

Editorial judgment

What plans are underestimating

The governance gap is not in the FHIR implementation. It is in the decision accountability structure that must govern what the FHIR system does.

Plans have largely parsed this as a dual compliance problem: build the FHIR APIs for CMS, track the state laws separately for legal. That framing will prove insufficient.

The real problem is decision logic governance. When PA workflows are automated and the system generates a denial recommendation, the legal accountability question is who owned that decision and what standard did they apply. In states with human verification requirements, an AI-generated denial without meaningful clinical review is a compliance failure — regardless of how sophisticated the FHIR implementation is.

Plans that use PBMs or utilization management delegates for PA face an added layer. The FDR accountability framework requires plans to ensure their delegates perform to the same standards the plan would apply. If a delegate’s PA workflow generates adverse decisions through AI-only logic that does not meet a state’s clinical review requirement, the plan — not the delegate — bears the regulatory exposure.

There is also a financial variable embedded in the 22-point WISeR approval gap. A PA workflow calibrated for automation rather than clinical accuracy will systematically generate more denials than human review would sustain. That pattern creates appeals volume, regulatory scrutiny, and potential member harm — all of which carry financial and reputational costs that a compliance API project cannot absorb.

Plans cannot wait for federal preemption to clarify the landscape. The reconciliation attempt failed. The executive order is an enforcement threat, not a legal ruling. State laws are active today. The question every plan leadership team should now be asking is not “are we compliant with CMS-0057-F?” but rather “in every state and line of business where we automate a PA decision, who is accountable for that decision, and what standard governs it?”

Until next week, stay briefed.

Cross-functional implications

Why this matters — function by function

Compliance

Two mandates, one decision

CMS-0057-F requires FHIR PA automation. State laws require human clinical review of adverse decisions. Both are active today. Plans must satisfy both without treating them as separate workstreams.

IT / Systems

API compliance is not decision governance

The FHIR implementation gets the PA request processed faster. It does not determine who reviews the denial. System architecture must accommodate both the federal API mandate and state-level decision accountability requirements.

Operations

Speed vs. accountability tension

Federal PA turnaround mandates create pressure to automate. State laws create pressure to retain clinical review. Staffing models, review queues, and workflow designs must accommodate both — by state and by line of business.

Finance

The 22-point gap has a cost

AI-only PA decisions at WISeR approval rates would generate 22 percentage points more denials than clinical review sustains. At 53 million MA PA determinations annually, this is not an abstract variance. It is a driver of appeals cost, regulatory action, and member impact.

FDR / Delegation

Delegate exposure flows back

PBMs and UM vendors using AI-only PA logic in states with clinical review requirements create regulatory liability that returns to the plan. FDR oversight programs must now verify that delegate AI decision logic meets applicable state standards — not just federal API timelines.

Governance

No single owner yet

This issue sits at the intersection of legal, compliance, IT, and clinical operations. Plans where no single governance body owns the federal-state AI PA intersection are the most exposed. Clear ownership and escalation pathways are the first structural requirement.

Questions leaders should ask now

Eight questions your PA governance review should answer

In every automated PA workflow we operate or delegate, who owns the adverse decision — and what standard governs whether that decision required human clinical review?

Have we mapped our PA workflows against the specific state laws in each state where we operate, including Arizona, Maryland, and the six WISeR states?

Is our FHIR PA API implementation connected to a decision governance framework, or only to a technical compliance checklist?

How does our FDR oversight program verify that PBM and UM delegates apply clinically appropriate review standards — not AI-only logic — to adverse PA decisions?

What is our appeals volume trend since January 2026 PA turnaround requirements took effect, and does it reflect the 22-point approval gap the WISeR data suggests?

Does our governance committee have clear ownership of the federal-state AI compliance intersection, or is accountability split between legal, compliance, and IT without a single owner?

If a state attorney general or CMS auditor reviewed our PA denial decisions tomorrow, could we demonstrate that each adverse decision met the applicable clinical review standard for that state?

How are we monitoring CMS-0062-P rulemaking through the June 15 comment period, and do we have a process to assess how the final rule changes our pharmacy benefit PA architecture?

Sources — all claims in this edition

CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) — CMS.gov

CMS-0062-P Proposed Rule — Federal Register, April 14, 2026

2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule — CMS Fact Sheet

CMS’ WISeR rollout scrutinized over Medicare prior authorizations — Modern Healthcare

Tech nonprofit sues CMS over Medicare AI prior authorization pilot — Healthcare Dive

Medicare Advantage Insurers Made Nearly 53 Million Prior Authorization Determinations in 2024 — KFF

States pass AI regulations on prior authorization, mental health — Modern Healthcare

Reconciliation bill would ban enforcement of state AI laws for 10 years — Fierce Healthcare

Trump signs executive order to challenge state AI laws — Fierce Healthcare

Final Prior Authorization Rules Look to Streamline the Process, but Issues Remain — KFF