Blog · Analysis · Last reviewed June 19, 2026

The Prior Authorization Machine Becomes the Care Gate

When prior authorization is automated, the gate between medical judgment and covered care becomes a model-mediated institution. The question worth asking is less whether a machine denies care than who must fight the machine-shaped process before care can happen.

The Gate Before Care

Prior authorization is one of the least mystical and most powerful interfaces in American health care. A clinician recommends a medication, procedure, device, facility stay, imaging study, therapy course, or post-acute placement. Before the service is covered, the payer asks for advance approval. The patient experiences the result as waiting, paperwork, delay, denial, resubmission, appeal, abandonment, or eventual care.

For this essay, the care gate is the whole workflow that turns a clinical recommendation into a covered, delayed, denied, resubmitted, appealed, or abandoned service. The gate includes the coverage rule, medical-necessity criterion, coding requirement, documentation template, portal, contractor, model or rules engine, reviewer, notice, and appeal path. A model does not need final authority to reshape care; it only has to change the path through the gate.

The administrative theory is straightforward: some services are unnecessary, unsafe, unsupported, miscoded, fraudulent, or too costly without review. A payer gate can prevent waste and protect patients from low-value care. That justification should not be dismissed. Health care does contain overtreatment, fraud, poor documentation, and perverse billing incentives.

But a gate is still a gate. It can protect, ration, delay, intimidate, and exhaust. Once enhanced technology, predictive models, automated workflows, and AI-assisted review enter the process, prior authorization becomes a high-control interface: a structured passage through which medical judgment must be translated into machine-readable evidence before the institution will pay.

The danger is not a cartoon in which a chatbot coldly says no. The more ordinary danger is a distributed system that makes denial cheap, appeal costly, accountability diffuse, and delay administratively normal.

The Scale of Denial

KFF's January 2026 analysis of federal data reported that Medicare Advantage insurers made nearly 53 million prior authorization determinations in 2024, up from 49.8 million in 2023. They fully or partially denied 4.1 million requests, or 7.7 percent. Only 11.5 percent of denied requests were appealed, but 80.7 percent of those appeals were partially or fully overturned.

Those numbers matter because they reveal two different burdens. The first burden is the denied request. The second is the appeal path that most people never use. If more than four million Medicare Advantage requests are denied in a year, but fewer than one in eight denials is appealed, then appeal statistics describe a narrow surviving population: patients and providers with enough time, knowledge, documentation, staff, stamina, and clinical urgency to keep going.

HHS OIG's June 2026 post-acute care reports added a service-level warning that aggregate data can hide. In one review of June 2024 skilled nursing facility admission requests, 19 Medicare Advantage organizations collectively denied 12 percent of requests; enrollees and providers appealed 18 percent of denials; and when appealed, the organizations overturned 95 percent in favor of the enrollee. OIG also reported that naviHealth processed half of all skilled nursing facility requests in that review, denied 14 percent, and later saw 97 percent of its appealed denials overturned. A companion OIG report found that the three largest Medicare Advantage organizations by enrollment denied long-term acute care and inpatient rehabilitation requests at higher rates than most peers, with appealed denials overturned 36 percent and 43 percent of the time respectively.

The high appeal-overturn rate does not prove that every initial denial was wrong. Some requests may have been missing documentation that later arrived. But it does show that many denied services ordered by clinicians were ultimately approved after additional friction. In a medical setting, delay is not neutral. A postponed rehabilitation placement, imaging study, medication, or procedure can change a patient's recovery path.

The burden is visible in clinician surveys as well. The AMA's 2025 physician survey, based on 1,000 practicing physicians, reported that 95 percent said prior authorization delays access to necessary care, 79 percent said it can at least sometimes lead to treatment abandonment, and 94 percent said it somewhat or significantly increases physician burnout. The survey is from a professional association with a clear advocacy position, so it should be read as stakeholder evidence rather than detached measurement. But it gives a consistent account of where the work lands: in clinics, staff time, patient waiting, and appeal decisions.

CMS has also changed the procedural baseline. Its 2024 Interoperability and Prior Authorization final rule requires impacted payers to send prior authorization decisions within 72 hours for expedited requests and seven calendar days for standard requests, with operational compliance generally beginning January 1, 2026. It also requires specific denial reasons and public prior-authorization metrics, while prior authorization APIs are generally due January 1, 2027. Those requirements are not AI rules, but they define the minimum record layer that any AI-assisted gate should have to survive.

Automation Enters the Gate

The automation question became harder to ignore after investigations into Medicare Advantage denials for post-acute care. In October 2024, the U.S. Senate Permanent Subcommittee on Investigations released a majority staff report examining UnitedHealthcare, Humana, and CVS. The report found that between 2019 and 2022, all three denied prior authorization requests for post-acute care at much higher rates than for other care. It reported that in 2022, UnitedHealthcare and CVS denied post-acute prior authorization requests at about three times their overall prior authorization denial rates, while Humana's post-acute denial rate was more than 16 times its overall rate.

The same report described UnitedHealthcare's post-acute denial rate rising from 10.9 percent in 2020 to 22.7 percent in 2022 as naviHealth managed post-acute care for many Medicare Advantage members. It cited internal materials involving auto-authorization, machine learning, and nH Predict, an algorithmic tool linked in reporting to post-acute placement and length-of-stay decisions. For CVS, the report described a Post-Acute Analytics program using artificial intelligence to reduce spending on skilled nursing facilities. The companies and industry groups disputed aspects of the report, and the report itself was a majority staff product rather than a court finding. Still, it put a concrete governance problem on the record: technology can make the denial process faster, more targeted, and less visible from the patient's side.

The nH Predict story became the public face of the problem. A 2023 STAT News investigation reported that the tool, run by UnitedHealth's naviHealth subsidiary, predicted how long a Medicare Advantage patient would need in a nursing facility, and that resulting denials sometimes overrode treating physicians. A class-action complaint filed in federal court in Minnesota, brought by the estates of Gene B. Lokken and Dale Henry Tetzloff, alleged that nH Predict had roughly a 90 percent error rate and that the company kept using it because most patients never appeal. UnitedHealth disputes the characterization. The case has been narrowed while some claims proceed, so these remain allegations rather than findings. But the allegation names the exact mechanism this essay is about: an automated tool can lower the cost of saying no while pushing the cost of correction onto the patient and provider.

HHS OIG had already identified a pre-AI version of the same problem. In a 2022 review of a sample of denials by 15 large Medicare Advantage organizations, OIG found that 13 percent of prior authorization denials met Medicare coverage rules and likely would have been approved under Original Medicare. OIG pointed to causes including the use of clinical criteria not contained in Medicare coverage rules and cases where reviewers said documentation was insufficient even though OIG reviewers found the medical records adequate.

That is the institutional context into which AI arrives. Automation does not invent the gate. It changes the gate's capacity, speed, targeting, evidence demands, and appearance of objectivity.

WISeR and Traditional Medicare

CMS is now testing a related model inside Original Medicare. The Wasteful and Inappropriate Service Reduction model, or WISeR, runs from January 1, 2026 through December 31, 2031 in six states: Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington. CMS says the model uses enhanced technologies, including AI and machine learning, along with human clinical review, for selected items and services that raise concerns about waste, fraud, abuse, inappropriate use, patient safety, or low-value care.

The operational guide says that for services rendered on or after January 15, 2026, affected providers and suppliers can either submit a prior authorization request or provide the service and undergo pre-payment medical review. The model does not change Medicare benefits or coverage requirements, and CMS says existing National Coverage Determinations and Local Coverage Determinations remain the governing criteria.

CMS also builds in procedural safeguards. The guide says WISeR participants will aim to make prior authorization determinations within three calendar days, or two days for expedited requests. It says non-affirmed prior authorization decisions can be resubmitted without limit before a claim is submitted, and that appeal rights remain available after a payment denial. It also requires human clinicians with relevant expertise to review non-affirmations before they are issued.

The scope limits matter. CMS says WISeR does not apply to Medicare Advantage, does not change Original Medicare coverage or payment policy, and excludes inpatient-only services, emergency services, and services that would pose a substantial risk to patients if delayed. Those boundaries should be part of any public discussion of the model. The governance question is not whether WISeR is secretly changing benefits; it is whether an added review layer can stay faithful to existing coverage rules without turning documentation friction into a practical access barrier.

Those details are important because they show the state trying to turn automation into a governed workflow rather than an unbounded denial machine. But they also show how the interface thickens. A clinician now has to supply the right codes, documentation, coverage rationale, clinical history, and request timing to a technology participant operating between the provider and Medicare payment. A patient may be told that benefits have not changed while the path to payment has changed substantially.

Human Review Is Not Enough

"A human clinician reviews denials" is a necessary safeguard. It is not a complete governance model.

Human review can become a rubber stamp when the surrounding system rewards speed, savings, volume, consistency with model output, or strict adherence to templates. It can become symbolic when reviewers see only a compressed case file rather than the patient's clinical situation. It can become procedural cover when the patient cannot see what evidence mattered, what rule was applied, what the model flagged, or how to correct the record.

This is a familiar pattern in model-mediated institutions. A model does not need final authority to shape the decision. It can rank cases, prefill rationales, highlight suspected deficiencies, suggest likely noncompliance, route the file, estimate cost, compare against expected length of stay, or make approval feel exceptional. The human reviewer then enters a decision environment already arranged by the machine.

The relevant question is therefore not, "Did the AI deny care?" It is, "How did the automated system structure the work of denial, approval, delay, documentation, and appeal?"

The Governance Standard

A serious prior authorization regime using AI or enhanced technology needs a higher standard than speed plus human review.

First, the rule base should be visible. Patients and providers need to know whether the governing standard is Medicare coverage law, a local coverage determination, a payer policy, a proprietary guideline, a vendor model, a coding edit, or a documentation checklist. If the rule cannot be named, the denial cannot be meaningfully contested.

Second, automation should be logged at the case level. The record should show whether a model, rules engine, predictive score, auto-authorization process, routing tool, or generated rationale materially shaped the review. Aggregate disclosure is not enough for the patient whose case was delayed.

Third, reviewer independence should be real. Clinicians reviewing denials should not be measured mainly by throughput, savings, conformity to model output, or denial targets. Their role should be clinical judgment under accountable criteria, not human decoration for automated utilization management.

Fourth, appeal rights should begin before exhaustion. A system that technically permits appeal while making appeal slow, obscure, or staff-intensive still governs by attrition. Notices should state the precise missing evidence, the applicable criterion, the reviewer's relevant specialty, the route for expedited review, and whether resubmission or formal appeal is the right path. This is notice and appeal as care infrastructure, not compliance boilerplate.

Fifth, regulators need service-level and contractor-level data. KFF notes that public Medicare Advantage prior authorization data are aggregated at the contract level and do not reveal variation by service or plan. OIG's 2026 reports specifically recommend request-level data that include service type and contractor information. Without those fields, the most consequential patterns can hide inside averages.

Sixth, savings claims need access audits. If a model saves money by reducing inappropriate care, that should be demonstrable without increasing wrongful denials, abandonment, hospitalization, or delayed recovery. The metric cannot only be expenditure. It has to include patient outcome, appeal reversal, time to care, and provider burden.

Seventh, vendor and contractor roles should be visible. A payer should not be able to outsource the gate and keep the gate's logic invisible. Contracts should preserve audit access, model-change notices, reviewer training records, case-level logs, data-use limits, and exit rights. This belongs with ordinary vendor governance and AI audit trail discipline.

Eighth, interoperability is a floor, not a safety case. Faster electronic prior authorization, denial reasons, APIs, and public metrics can reduce friction. They do not by themselves prove that a medical-necessity rule is valid, that a model is calibrated, that a reviewer is independent, or that patients understand how to contest a denial.

What This Changes

The prior authorization machine is a denial interface built out of paperwork, code, clinical criteria, payment incentives, and time.

It turns a doctor's order into a case. The case becomes a packet of codes and evidence. The packet enters a workflow. The workflow may be triaged by software, reviewed by a contractor, compared against policy, returned for more documentation, affirmed, non-affirmed, denied, resubmitted, appealed, or abandoned. The patient experiences this institutional machinery as a delay in the body.

That is why this belongs beside the earlier essays on the adverse action notice, the medical scribe, the AI audit, and the public register. Each asks the same institutional question from a different angle: when a model-mediated system affects a person's life, where does accountability become visible enough to use?

Prior authorization is especially revealing because it exposes the difference between a decision and a path. A denial is a decision. A documentation burden is a path. A model that never formally denies care can still reshape the path until only the best-resourced patients and clinics can traverse it.

The governance test is therefore practical. A patient should be able to know what rule blocked care. A clinician should be able to see what evidence would satisfy the rule. A regulator should be able to detect abnormal denial patterns by service. A reviewer should be free to override the machine-shaped path. And the institution should have to prove that speed, savings, and automation did not become a quieter way to ration care by friction.

Source Discipline

CMS rules, fact sheets, and WISeR operational materials establish legal requirements, program design, timeframes, and stated safeguards; they do not prove that implementation will preserve access in every clinical setting. OIG reports are oversight findings for defined samples and time periods, not universal claims about every payer or contractor. KFF's analysis is useful for aggregate Medicare Advantage trends, but it depends on contract-level CMS data that do not show service-level variation.

The Senate report, STAT investigation, and Lokken litigation are used as evidence of documented allegations, internal-document reporting, and public controversy over post-acute denial systems. They are not treated as final judicial findings. AMA survey evidence is stakeholder evidence about physician experience, not a neutral census. Strong claims about AI-assisted prior authorization should name the payer or program, service type, coverage rule, model or rule engine, reviewer role, contractor, denial reason, appeal outcome, patient population, and data source.
