Are you deployed in production today?

Buyers should require the vendor to name the customers, regulatory programs, or commercial contexts where the system is in production. Pilots and roadmap commitments do not count as production deployments.

Are you a CMS WISeR Participant?

Six CMS WISeR Participants are publicly named. Buyers should ask which state and Medicare Administrative Contractor (MAC) jurisdiction the vendor operates in. 'WISeR-positioned' and 'WISeR Participant' are not the same thing.

Does your system ever issue a clinical coverage denial without licensed physician review?

Federal law requires physician review of any adverse coverage determination on clinical grounds. Buyers should ask whether this is enforced architecturally or through configuration policy, and ask separately how administrative non-affirmations (enrollment gaps, duplicates, frequency limits) are routed and whether that pathway is configurable.

Is citation per-criterion, per-determination, or document-level?

Per-criterion citation — where each coverage policy criterion is independently supported with bound evidence — is the standard CMS validated under WISeR. Buyers should request a sample audit artifact from a production case to confirm the granularity.

Are workflows on a shared agent substrate?

'Integrated platform' can mean common branding over separately-built products, or genuine substrate sharing. Buyers should ask at the data-model level whether prior authorization, utilization management, payment integrity, and risk adjustment workflows share the same agents and audit ledger.

How many patents have you filed on the architecture?

The public filing record is verifiable through USPTO databases. Vendors positioning on AI capabilities without IP backing have shorter-horizon competitive moats.

What is your CMS-0057-F deployment status?

Buyers should ask whether the vendor is in production at a named payer, in build, or on roadmap. If in production, the named payer should be specified.

Do you support pharmacy benefit prior authorization at sub-second response?

CMS-0062-P's October 2027 deadline requires a distinct architecture from medical prior authorization, including NCPDP SCRIPT integration. Most medical PA vendors do not have a pharmacy ePA product.

What does the audit trail look like at the determination level?

Buyers should ask whether the audit trail is tamper-evident, cryptographically signed, and reconstructable to the exact rule pack version in effect at the moment of each determination.

What independent third-party validations exist?

Buyers should ask for citations to specific analyst sources: Gartner, Everest Group, NelsonHall, KLAS, or Black Book, with specific category and date.

Can modules be deployed individually or only as a full platform?

Modular procurement matches modular budgets. Buyers should ask what a phased adoption looks like technically, and which modules can be deployed independently.

What is the three-year total cost of ownership?

The headline subscription number is not the TCO. Buyers should request inclusive figures covering integration, customization, training, and ongoing tuning across a three-year window.

Buyer Framework · 2026

AI prior authorization is now buyable. Here's how to evaluate it.

A framework for evaluating AI prior authorization platforms in 2026. Coverage policy assessment versus care allocation. Per-criterion citation versus document-level summary. Physician review enforced architecturally versus enforced by configuration. The twelve questions every payer should ask every AI PA vendor — with the standards CMS validated under WISeR as the reference.

Jump to the twelve questions Request the full vendor comparison

PART 1 · THE CATEGORY

Coverage policy assessment is not care allocation.

This distinction is not semantics. It is the legal and architectural foundation on which the entire AI PA category stands — and where several large payers have already encountered serious regulatory and legal exposure.

Governing principle

Utilization management organizations determine coverage — whether a requested service is covered under the applicable benefit design, NCD, LCD, or payer policy, given the documentation submitted. They do not determine care. The decision about whether a patient needs a specific treatment is a clinical judgment made by a licensed physician. These are not the same function, and conflating them is how large payers have found themselves defending AI systems in federal court.

What AI does — coverage policy assessment

Reads coverage policy criteria (NCD, LCD, payer benefit design)
Reads submitted clinical documentation
Maps documentation to each criterion independently
Flags gaps and surfaces evidence per criterion
Produces a structured, per-criterion analysis with citations
Presents that analysis to a licensed physician for review and determination

What AI must not do — care allocation

Determine whether a patient needs a specific treatment
Issue an adverse clinical coverage determination without physician review
Substitute for the clinical judgment of a licensed physician

These functions belong exclusively to a licensed physician of the same specialty. Federal law, not vendor policy.

Administrative non-affirmations: a distinct and configurable category

A separate category of non-affirmations is purely administrative — duplicate requests, frequency-limit conflicts, incorrect billing units, enrollment gaps, coverage exclusions. These are administrative coverage issues, not clinical determinations. The legal requirements that apply to clinical adverse determinations do not apply here.

A well-designed AI PA platform publicly documents and enforces this architectural separation. Clinical non-affirmations always route to a licensed physician. Administrative non-affirmations can flow through a configurable pathway: payers elect human-in-the-loop administrative review or automated determination based on their own operational model and risk tolerance. Buyers should ask vendors how each pathway is routed and whether the routing is configurable, code-level, or policy-level.

PART 2 · THE REGULATORY WINDOW

Five regulatory events in 2026 reshape what compliant PA infrastructure means.

A platform purchased today is purchased against this calendar. Each event changes the disclosure surface, the audit standard, or the technical requirements.

Status	Event	What changes
Live	CMS WISeR Jan 1, 2026	First federal validation of commercial AI-assisted coverage policy assessment for Medicare PA. Six WISeR Participants across AZ, NJ, OH, OK, TX, WA. Production data is publicly reportable under federal SLA standards.
Active	CMS-0057-F Mar 31, 2026	Public PA-metrics reporting now active. Payers publish denial rates, turnaround times, and appeal-overturn rates in machine-readable form. Vendor performance becomes externally measurable for the first time.
9 Months	FHIR PA API Jan 1, 2027	All payers must expose FHIR-compliant PA APIs. Platforms designed against this deadline as a foundational requirement avoid migration; platforms retrofitting do not.
17 Months	Pharmacy ePA (CMS-0062-P) Oct 1, 2027	Drug PA under NCPDP SCRIPT at sub-second response. A distinct architecture from medical PA. Most medical PA vendors do not have a pharmacy ePA product.
Ongoing	State AI Laws 2025–2026	Multiple states have codified the standards validated under WISeR: physician review of every adverse clinical coverage determination, per-criterion citation, no automated clinical denial. These can be satisfied structurally or by policy documentation.

Why this moment is different

Before 2026, vendor performance claims were largely self-reported and unverifiable. CMS WISeR changed that: production metrics are now publicly reportable under federal SLA standards. CMS-0057-F changed that further: payer-level denial rates, turnaround times, and appeal-overturn rates are now mandated public data. A vendor decision made today is made knowing that performance will be visible. The era of unverifiable efficiency claims is over.

PART 3 · THE TECHNICAL DIFFERENTIATOR

Citation architecture is the most important technical signal in the AI PA market in 2026.

Most vendors describe their systems as producing "auditable" decisions. Few disclose whether that evidence is bound at the document level, the determination level, or the criterion level. The distinction is material, and CMS WISeR validated one particular standard.

Document-level

Identifies relevant source documents

A reviewer can see that clinical notes were considered — but cannot see which criterion was or was not met, or which passage was cited for each criterion. Weakest form for audit defense.

Per-determination

Evidence for the overall decision

A reviewer can see the general clinical rationale but cannot reconstruct which criterion was evaluated against which evidence independently. Adequate for many commercial contexts; insufficient for CMS WISeR and most state AI law requirements.

Per-criterion

Each criterion independently bound

Each coverage policy criterion is evaluated independently. Each criterion produces its own evidence citation chain — the specific passage from submitted documentation, bound to the criterion text, source document, and evaluation agent. This is the standard CMS validated under WISeR.

How do you verify per-criterion citation in a sales process?

Ask for a sample audit artifact from a production case. An auditor should be able to reconstruct exactly which criterion was at issue and what the evidence showed, criterion-by-criterion. If the artifact you receive shows document IDs and a clinical narrative but does not show evidence bound to each individual criterion, the system is not producing per-criterion citation regardless of marketing language.

PART 4 · PHYSICIAN REVIEW

"Enforced architecturally" and "enforced by configuration" are not the same thing.

Federal law requires physician review of any adverse clinical coverage determination. Every vendor will affirm compliance. The question is how the compliance is implemented — and whether a configuration change, a flag toggle, or a different deployment mode can produce a clinical denial without a physician in the loop.

What "enforced architecturally" should mean

The system has no technical pathway to issue a clinical adverse determination without physician sign-off. Not "the workflow is configured to require it" — the code itself cannot bypass it. Every non-affirmation on clinical grounds routes through the review queue. No configuration, no override, no exception.

How to verify in due diligence

Ask the vendor to produce, in writing, the answer to this question: "Is there any deployment configuration, customer flag, escalation path, or operating mode in which an adverse clinical coverage determination can be issued without licensed physician sign-off?" If the answer is anything other than "no," the system is enforcing physician review by policy, not architecture. That is a meaningfully different compliance posture under audit and under state AI laws.

What productivity gains the architecture enables

When the system has no clinical-denial path, the physician's time is spent on judgment rather than on reading and organizing unstructured documentation. The agent does the analytical preparation — per-criterion mapping, evidence binding, gap identification — and the physician makes the determination. Production deployments under CMS WISeR have measured 42% clinician productivity gains under this architecture, with non-affirmation review compressing from 70 minutes to under 6 minutes per case.

PART 5 · THE TWELVE QUESTIONS

Twelve questions every payer should ask every AI PA vendor.

The standard is evidence — a sample audit artifact, a production metric reported under regulatory oversight, a public patent filing. Descriptions of capabilities do not substitute for evidence of capabilities.

#	Question	What to look for
1	Are you deployed in production today?	Name the customers, regulatory programs, or commercial contexts. Pilots and roadmap commitments do not count.
2	Are you a CMS WISeR Participant?	Six participants are publicly named. Ask which state and MAC. "WISeR-positioned" and "WISeR Participant" are not the same thing.
3	Does your system ever issue a clinical coverage denial without licensed physician review?	Federal law requires physician review of any adverse coverage determination on clinical grounds. Ask whether this is enforced architecturally or through configuration policy. Ask separately how administrative non-affirmations (enrollment gaps, duplicates, frequency limits) are routed and whether that pathway is configurable.
4	Is citation per-criterion, per-determination, or document-level?	Show a sample audit artifact from a production case. Per-criterion citation — each coverage policy criterion independently supported — is the standard CMS validated under WISeR.
5	Are workflows on a shared agent substrate?	"Integrated platform" can mean common branding over separately-built products, or genuine substrate sharing. Ask at the data-model level.
6	How many patents have you filed on the architecture?	Public filing record only. Vendors positioning on AI without IP backing have shorter-horizon competitive moats.
7	What is your CMS-0057-F deployment status?	In production at a named payer, in build, or on roadmap? If in production, name the payer.
8	Do you support pharmacy benefit PA at sub-second response?	CMS-0062-P's October 2027 deadline requires a distinct architecture from medical PA. Most PA vendors do not have a pharmacy ePA product.
9	What does the audit trail look like at the determination level?	Tamper-evident? Cryptographically signed? Reconstructable to the exact rule pack version in effect at the moment of each determination?
10	What independent third-party validations exist?	Gartner, Everest Group, NelsonHall, KLAS, Black Book — with specific category and date.
11	Can modules be deployed individually or only as a full platform?	Modular procurement matches modular budgets. Ask what a phased adoption looks like technically.
12	What is the three-year total cost of ownership?	Including integration, customization, training, and ongoing tuning. The headline subscription number is not the TCO.

Standalone print-friendly version of the twelve questions →

PART 6 · ARCHITECTURE IP

A 12-patent stack covering every critical technical element.

HIP One's architecture is protected by 12 filed and pending U.S. patent applications. The public patent record is verifiable through USPTO databases.

PA8-Core

Agent Architecture

Core multi-agent orchestration framework for coverage policy assessment.

PA8-Deploy

Multi-Stakeholder Deployment

Architecture for deploying across multiple payer and provider contexts.

PA1

Document Processing

Unstructured document ingestion, extraction, and structuring.

PA2

Criteria Decomposition

Per-criterion decomposition of NCD/LCD/payer policy and independent evidence binding.

PA-GATE

Pre-Screening

Administrative and eligibility pre-screening before clinical agent engagement.

PA-LLM

PHI Security

PHI-safe large language model integration for clinical document processing.

PA-RX

Pharmacy Benefit

Pharmacy ePA architecture for sub-second response — addressing CMS-0062-P October 2027 deadline.

PA-OAP

Outcome Attestation

Outcome attestation and post-determination audit trail architecture.

PA16

Ambient Integration

Integration architecture for ambient clinical AI into the PA workflow.

PA-CTX

Context Management

Multi-turn clinical context management across concurrent assessments.

PA-MKT

Marketplace Distribution

Architecture for marketplace-distributed PA agents (Microsoft, AWS, GCP, Salesforce).

PA-META

Meta-Builder Substrate

Institutional knowledge corpus, seven-layer taxonomic scaffold, and Builder abstraction structurally invariant to human-or-AI Builder identity.

Full patent portfolio detail →

PART 7 · SOURCES & METHODOLOGY

What this framework is built on.

Primary sources

CMS Innovation Center WISeR Model overview at cms.gov/priorities/innovation/innovation-models/wiser. CMS-0057-F Final Rule (effective January 1, 2026; FHIR API compliance January 1, 2027). CMS-0062-P Proposed Rule (published April 14, 2026; pharmacy ePA October 1, 2027 deadline). Novitas Solutions MAC JL provider portal.

Industry analyst sources

Gartner Market Guide for Intelligent Prior Authorization (February 12, 2026, ID G00803711). Everest Group Healthcare Payer Intelligent Operations PEAK Matrix Assessment 2026. NelsonHall NEAT Evaluation 2026. Black Book Research RCM rankings.

Independent research

Peterson Health Technology Institute, April 2026 report on administrative AI cost claims and efficiency outcomes. KFF (Kaiser Family Foundation), Total Medicare Beneficiaries state indicator.

Genzeon production data

CMS WISeR Q1 2026 metrics reported under federal SLA standards: 12,609 PA cases, 309 pre-payment claims reviewed, 100% three-day TAT compliance, 90% of cases assessed within one business day since April 2026, sub-3-minute median decision latency, 42% clinician productivity gain, 70%+ affirmation rate (May 2026), 85% provider portal adoption. Documented at genzeon.one/wiser.

This is not legal, financial, regulatory, or procurement advice

This framework reflects publicly available materials reviewed through May 20, 2026. It is intended to support buyer evaluation of AI prior authorization platforms. Buyers should pair this with their own legal, compliance, and procurement processes.

Want the full vendor comparison?

The companion whitepaper to this framework includes a six-vendor comparison grid across seven evaluation criteria — CMS production status, WISeR Participant status, CMS-0057-F disclosure level, citation granularity, coverage breadth, physician review enforcement, and published patent stack. The comparison is available as a gated PDF.

Request the vendor comparison whitepaper For payers

Talk to the team

Federal production proof. Per-criterion citation. 12-patent architecture. Buyable today.

If you are a payer evaluating AI prior authorization platforms, the CMS WISeR deployment is what production looks like at federal SLA standards. We're happy to talk about what that means for yours.

Talk to the team See the WISeR deployment