weekly healthcare compliance update

This week’s compliance landscape features three developments with significant operational implications: a CMS initiative accelerating the January 1, 2027 deadline for electronic prior authorization that requires immediate action from providers and EHR vendors alike, a sweeping OIG overhaul of Corporate Integrity Agreements that introduces AI oversight requirements and mandatory board compliance expertise, and a new OIG audit placing office-based peripheral vascular procedures squarely in the crosshairs of federal enforcement.


CMS Pushes Electronic Prior Authorization Into the Final Stretch — January 2027 Is Closer Than It Looks

On May 13, 2026, CMS announced the next phase of its Electronic Prior Authorization Acceleration initiative, adding 30 healthcare organizations, including health systems, EHR developers, physician practices, and digital health developers, as early adopters working to resolve technical and workflow barriers ahead of the January 1, 2027 deadline. The announcement builds on last year’s landmark pledge by major health plans and signals that CMS views the runway to implementation as functionally closed.

Key Details

The prior authorization system CMS is replacing is costly and broken. Estimates suggest that requesting prior authorizations costs providers $20 to $50 per hour of staff time and consumes an average of 13 hours per week; at the upper end of that range, that is roughly $34,000 and nearly 700 hours per provider per year that could otherwise go to patient care.

The industry is already moving. Leading health plans announced in April that they eliminated 11% of prior authorizations across a range of medical services, representing 6.5 million fewer prior authorizations for patients, with other plans rapidly scaling standardized processes and reducing requirements.

The regulatory framework underpinning the January 2027 deadline is firm. As of January 1, 2026, impacted payers across Medicare Advantage, Medicaid, CHIP, and Marketplace plans are already required to send prior authorization decisions within 72 hours for expedited requests and 7 calendar days for standard requests. What goes live on January 1, 2027 is the electronic prior authorization API layer, meaning payers must implement and maintain FHIR-based APIs enabling real-time electronic exchange with provider systems. CMS projects these policies will reduce burden on patients, providers, and payers, saving approximately $15 billion over 10 years.

The payers already committed under last year's pledge include Aetna, Blue Shield of California, Cambia Health Solutions, Cigna, Elevance Health, Highmark Blue Shield, Horizon Blue Cross Blue Shield of New Jersey, Humana, and UnitedHealthcare. The early adopters added this week are the health systems, EHR developers, physician practices, and digital health developers working on the provider-facing side of the exchange.

CMS is also proposing to extend electronic prior authorization requirements to prescription drugs. A proposed rule released April 10, 2026 would require impacted payers to incorporate drug coverage and documentation requirements into the existing Prior Authorization APIs beginning October 1, 2027, aligning the technology and standards for all items, services, and drugs covered under a medical benefit.

What this Means for You

The payer API deadline of January 1, 2027 is a payer obligation, but it only delivers value to providers if the provider’s EHR has built a compatible integration on the other end. A payer’s API going live means nothing to a provider whose EHR vendor has not built the corresponding workflow to send prior authorization requests through that API and receive decisions back. This is the operational gap that will determine whether the January 2027 mandate actually changes anything at the practice level.

Contact your EHR vendor now and ask specifically whether they are building an integration with payer prior authorization APIs, and if so, when it will be available for testing and production use. Ask whether this work is included under your current contract and pricing, or whether it requires an additional agreement. If your vendor has no roadmap for this integration, you will not be able to use the new payer APIs through your EHR when they go live, and the administrative burden of the current paper-based process will continue. CMS strongly encourages providers to take an active role in advancing electronic prior authorization by participating in FHIR API testing with their EHR vendor and payer partners, noting that early testing and collaboration is essential to ensure seamless real-world implementation.

Frequently Asked Questions

What is the January 1, 2027 electronic prior authorization deadline and who does it apply to? The deadline requires Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs) to have implemented and maintained FHIR-based Prior Authorization APIs enabling electronic exchange of prior authorization requests and decisions with provider systems. The deadline applies to payers, but providers need their EHR vendor to build compatible integrations in order to actually use those payer APIs.

What should providers do to prepare for electronic prior authorization? The most important step is confirming with your EHR vendor that they have a plan to build FHIR API integrations compatible with payer prior authorization systems. Providers should also review their contracts to confirm whether this work is covered, and consider participating in early testing. CMS’s Electronic Prior Authorization overview page includes resources and guidance for providers preparing for the transition.

OIG Overhauls Corporate Integrity Agreements, Adding AI Oversight Requirements and Mandatory Board Compliance Experts

The HHS Office of Inspector General has unveiled a modernized framework for Corporate Integrity Agreements, the compliance oversight agreements that OIG negotiates with healthcare organizations as part of civil fraud settlements. As reflected in a recently executed CIA with Recovery Center of USA, LLC, the new framework introduces three significant expansions: mandatory independent board compliance experts, IT expertise requirements on compliance committees, and formal generative AI oversight obligations, all of which signal what OIG now expects from healthcare compliance governance more broadly.

Key Details

A CIA is the mechanism through which OIG agrees not to seek an organization’s exclusion from Medicare, Medicaid, and other federal health care programs as part of a civil settlement. Historically lasting five years, CIAs commonly impose compliance program obligations including the appointment of a compliance officer, mandatory training, auditing requirements, and the engagement of an Independent Review Organization (IRO) to conduct periodic reviews. The new framework expands significantly on these components.

The most significant update is the board compliance expert. On a case-by-case basis, OIG may now require healthcare entities with a Board of Directors (such as Recovery Center) to retain an independent compliance expert with experience in federal healthcare program compliance requirements. Where ordered, the expert reviews the effectiveness of the organization's compliance program and prepares a written report of findings for inclusion with the annual submission to OIG, and the Board may be required to formally respond to those findings. Because the IRO is also independent, the expert adds a further layer of objectivity for the duration of the CIA.

In a nod to the rapidly evolving technology landscape, OIG introduced specific CIA provisions regarding generative AI: compliance committees must now include IT expertise, new CIAs include a formal definition of generative AI, and specific reporting requirements regarding its organizational use are now standard.

OIG also broadened its definition of a “Disclosure Program” to encompass any report made to the compliance department through any channel, not just a dedicated hotline, reflecting the reality of how employees actually raise compliance concerns in modern organizations.

What this Means for You

Even organizations not currently under OIG investigation should treat these CIA changes as a preview of what OIG considers a mature compliance program. CIA requirements have historically served as a leading indicator of OIG’s compliance expectations across the industry, not just for entities under settlement. The introduction of mandatory board compliance experts and generative AI reporting requirements reflects where OIG believes healthcare governance accountability now needs to sit.

Larger organizations that could plausibly face OIG settlement negotiations should begin identifying potential board compliance expert candidates now. These individuals must be independent of the organization and have substantive expertise in federal healthcare program compliance. Additionally, every organization should assess whether its compliance committee includes members with IT and AI expertise, and whether its existing policies address the organization’s use of generative AI tools in clinical, billing, or administrative workflows. Waiting until settlement negotiations to address these gaps is significantly more expensive than building them into existing governance structures proactively.

Frequently Asked Questions

What is a Corporate Integrity Agreement and when does OIG require one? A Corporate Integrity Agreement is a binding compliance oversight agreement between a healthcare organization and OIG, typically entered into as part of a civil fraud settlement. In exchange for agreeing to CIA obligations, OIG agrees not to seek the organization’s exclusion from Medicare, Medicaid, and other federal health care programs. CIAs typically last five years and are tailored to address the specific compliance failures at issue in the underlying settlement.

What is a board compliance expert under the new CIA framework? A board compliance expert is an independent individual with expertise in compliance with federal healthcare program requirements who may be required under OIG’s updated CIA framework to review the effectiveness of the organization’s compliance program, prepare a written report of findings, and have that report formally addressed by the board in each annual OIG submission.

OIG Flags Office-Based Peripheral Vascular Procedures as a High-Risk Fraud Area — With Stunning Individual Provider Examples

In a May 2026 report, OIG identified the office-based laboratory (OBL) setting for peripheral vascular procedures, including angioplasty, stent placement, and atherectomy, as a high-risk area for Medicare fraud, waste, and abuse. The report analyzed billing trends from 2019 through 2023 and referred identifying information on specific flagged physicians to CMS for follow-up. CMS concurred with OIG’s recommendations and has committed to both enhanced monitoring and follow-up with program integrity contractors.

Key Details

Medicare Part B paid over $1 billion in 2022 for peripheral vascular procedures intended to relieve leg pain due to the narrowing or blockage of arteries. For years, interest holders have raised concerns about potential overuse of these procedures, as professional guidelines recommend that conservative treatments such as medication and lifestyle changes be tried first.

The shift toward the office-based setting is the core compliance concern. From 2019 through 2023, while the overall rate and total Medicare payments for these procedures declined, the percentage performed in OBLs rose from 37.8% to 46.5%, and by 2023 OBLs received 57% of all Medicare payments for these procedures. The financial incentive driving this shift is significant: Medicare Part B payments to physicians are higher when they perform peripheral vascular procedures in office-based laboratories compared to other settings, because OBL physicians receive both the professional and facility payment in a single reimbursement.

The individual provider examples in the report are striking. During 2023, just 26 physicians, representing 1% of the more than 2,000 physicians who billed for OBL procedures, accounted for 61% of the $105 million in potentially problematic payments. Most were interventional radiologists, vascular surgeons, or cardiologists. In one case, a physician received over $5 million from Medicare in 2023 for treating approximately 100 patients, nearly all of whom received tibial procedures. In another, a physician averaged 7 procedures per patient, with one patient receiving 24 procedures in a single year.

What this Means for You

OIG’s referral of specific physicians to CMS, combined with CMS’s concurrence on both recommendations, makes clear that this is not a theoretical compliance risk. Providers who perform peripheral vascular procedures in office-based laboratories should treat this report as a direct enforcement signal and conduct a proactive self-audit before CMS or its program integrity contractors initiate contact.

Specifically, analyze your claims data against the four measures OIG used to flag potentially improper billing: the rate at which you bill tibial procedures for Medicare patients, your average number of procedures per patient, the complexity of procedures billed per surgical session as measured by average RVUs, and the percentage of your patients who were treated for early-stage PAD. Any pattern that resembles the outliers identified in the report warrants immediate review and documentation of medical necessity.

Equally important: ensure that patient records for every peripheral vascular procedure document what conservative treatments, specifically medication management and lifestyle modification, were attempted before surgical intervention. For early-stage PAD patients in particular, the absence of this documentation is precisely what OIG’s methodology flags as potentially improper, regardless of whether the procedure itself was clinically appropriate.
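The self-audit described above can be run directly over a claims extract. The script below is an added example, not part of the OIG report or this update: it computes the four OIG measures per physician from a constructed set of claim lines (one row per billed procedure, tagged with patient, surgical session, tibial-artery indicator, RVUs, and whether the patient's PAD was documented as early-stage) and flags physicians who cross a threshold. Only the 95% tibial-patient rate is a figure from the report; the other three thresholds, the `Claim` field layout, and the sample data are assumptions for illustration and should be replaced with your own claims schema and peer benchmarks.

```python
"""Self-audit of office-based peripheral vascular claims against the four OIG measures.

Added example with constructed data. Only the 95% tibial threshold comes from the
OIG report; every other threshold and the record layout are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    physician: str          # rendering physician identifier
    patient: str            # Medicare beneficiary identifier
    session: str            # surgical session; several procedure lines may share one
    tibial: bool            # procedure performed on a tibial artery
    rvu: float              # relative value units billed for this procedure line
    early_stage_pad: bool   # patient's PAD documented as early-stage


# Measure -> threshold at or above which a physician is flagged.
# tibial_patient_rate (0.95) is the report's figure; the rest are assumed.
THRESHOLDS = {
    "tibial_patient_rate": 0.95,
    "procedures_per_patient": 4.0,
    "avg_rvu_per_session": 25.0,
    "early_stage_pad_rate": 0.50,
}


def compute_measures(claims):
    """Return {physician: {measure: value}} for the four OIG measures plus the
    single-patient maximum, which the report also called out."""
    by_phys = defaultdict(list)
    for c in claims:
        by_phys[c.physician].append(c)

    results = {}
    for phys, rows in by_phys.items():
        patients = {r.patient for r in rows}
        tibial_patients = {r.patient for r in rows if r.tibial}
        sessions = {r.session for r in rows}
        early_patients = {r.patient for r in rows if r.early_stage_pad}
        per_patient = Counter(r.patient for r in rows)
        results[phys] = {
            # share of Medicare patients who received at least one tibial procedure
            "tibial_patient_rate": len(tibial_patients) / len(patients),
            # average number of procedure lines billed per patient
            "procedures_per_patient": len(rows) / len(patients),
            # complexity per surgical session, measured as total RVUs per session
            "avg_rvu_per_session": sum(r.rvu for r in rows) / len(sessions),
            # share of patients treated while documented as early-stage PAD
            "early_stage_pad_rate": len(early_patients) / len(patients),
            "max_procedures_one_patient": max(per_patient.values()),
        }
    return results


def flag_outliers(measures, thresholds=THRESHOLDS):
    """Return {physician: [measures at or above threshold]} for flagged physicians only."""
    flags = {}
    for phys, m in measures.items():
        hit = [name for name, limit in thresholds.items() if m[name] >= limit]
        if hit:
            flags[phys] = hit
    return flags


def build_sample_claims():
    """Constructed sample: Dr_A mirrors the report's outlier pattern (every patient
    gets repeated tibial procedures), Dr_B a typical low-volume mix."""
    claims = []
    for p in range(4):                      # 4 patients, 2 sessions each, 3 lines per session
        for s in range(2):
            for _ in range(3):
                claims.append(Claim("Dr_A", f"A-pt{p}", f"A-pt{p}-s{s}", True, 9.0, p < 3))
    for p in range(5):                      # 5 patients, one procedure each, one tibial
        claims.append(Claim("Dr_B", f"B-pt{p}", f"B-pt{p}-s0", p == 0, 8.0, False))
    return claims


if __name__ == "__main__":
    measures = compute_measures(build_sample_claims())
    for phys, m in measures.items():
        print(phys, {k: round(v, 2) for k, v in m.items()})
    print("flagged:", flag_outliers(measures))
```

For a real audit, replace `build_sample_claims` with a loader for your billing extract and set the three assumed thresholds from a peer benchmark (for example, the distribution across all OBL physicians in your specialty), since the report describes those measures only as "high" relative to peers. A flag is a prompt to pull the chart and confirm documented medical necessity, not a finding in itself.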

Frequently Asked Questions

Why does Medicare pay more for peripheral vascular procedures performed in office-based laboratories? When a physician performs a peripheral vascular procedure in an office-based laboratory rather than a hospital outpatient department or ambulatory surgical center, Medicare reimburses both the professional fee and the facility fee in a single combined payment to the physician. In other settings, the facility fee goes to the facility. This consolidated payment structure results in meaningfully higher total reimbursement for the same procedure performed in an OBL.

What are the four billing measures OIG used to identify potentially improper peripheral vascular procedure claims? OIG flagged physicians based on four criteria: billing tibial procedures for at least 95% of Medicare patients, billing a high average number of peripheral vascular procedures per Medicare patient, frequently billing for more complex procedures per surgical session as reflected in average RVUs, and billing a high percentage of patients with early-stage PAD. Providers whose billing patterns align with any of these measures should conduct an immediate self-audit and review the OIG report's findings against their own claims data.

Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.
