Three things happened in the first 90 days of 2026 that should not have happened together.
The CMS Innovation Center launched WISeR, a six-year Medicare pilot that puts prior authorization in front of traditional Medicare fee-for-service for the first time. Vendors selected for the pilot are paid a percentage of the savings from requests they decline.
The CMS-0057-F final rule’s first operational compliance window opened, requiring impacted payers to decide urgent prior authorization requests in 72 hours, standard requests within seven calendar days, and to publicly report their PA metrics by March 31.
Washington, Texas, and Arizona all had laws in force saying AI alone cannot deny a medical necessity request.
Read those three together and you get a regulator that demands transparency in commercial PA, a regulator that prohibits sole-AI denials at the state level, and a regulator that pays its own vendors a cut of the denials they drive in Medicare. Same regulator.
On March 27, 2026, the Electronic Frontier Foundation filed a FOIA lawsuit in federal court asking CMS for the WISeR vendor contracts, the payment arrangements, and the data-sharing agreements. CMS acknowledged the original FOIA request in February and then went past the 20 business day statutory window without producing a single record. EFF is asking a judge to compel disclosure.
That is the setting. Here is the mechanics.
What WISeR actually does
WISeR stands for Wasteful and Inappropriate Service Reduction. The model’s performance period runs January 1, 2026 through December 31, 2031 in six states: Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington. Medicare Administrative Contractors and selected WISeR vendors began accepting prior authorization requests on January 5, 2026. Services furnished on or after January 15, 2026 that fall within the model’s scope must clear review.
The model targets what CMS calls “high-risk” Medicare Part B services, including skin and tissue substitutes, electrical nerve stimulators, and knee arthroscopy for osteoarthritis. The review uses AI and machine learning support. Vendors are compensated as a percentage of the observed cost savings tied to requests that were reviewed but did not result in a paid claim.
This is the first time traditional Medicare has had a prior authorization program with teeth. For Medicare Advantage, prior authorization has been standard for years and has been the subject of ongoing HHS-OIG oversight. Traditional fee-for-service Medicare beneficiaries could historically get services ordered by their physician with no payer review at the front door.
That door just changed.
What CMS-0057-F demands
While WISeR was spinning up, the other side of CMS kept executing the Interoperability and Prior Authorization final rule. The January 1, 2026 operational deadlines took effect on schedule. Impacted payers (Medicare Advantage organizations, state Medicaid fee-for-service and managed care, CHIP, and QHP issuers on the federally facilitated exchanges) must now deliver expedited PA decisions within 72 hours and standard decisions within seven calendar days. They must provide specific reasons for denials. They must publicly report aggregate PA metrics by March 31 of each year, starting with calendar year 2025 data reported by March 31, 2026.
By January 1, 2027, those same payers must operate FHIR-based APIs for Prior Authorization (PAS), Coverage Requirements Discovery (CRD), Documentation Templates and Rules (DTR), Provider Access, and Payer-to-Payer data exchange.
Compare the two regimes. In the commercial and Medicare Advantage worlds, CMS is demanding that PA be faster, better explained, more transparent, and API-accessible. In fee-for-service Medicare, CMS is rolling out its own PA program where vendors earn more when they decline more.
The state laws cutting the other way
In 2025 and 2026, the state legislatures that matter for multi-state payers have moved in one direction on AI. Washington’s SB 5395 prohibits carriers from using AI as the sole basis to deny prior authorization and requires a licensed practitioner to make the determination. Texas, Arizona, and Maryland have parallel statutes. Colorado has a similar law with implementation pushed to June 2026.
Duration-of-authorization laws are a newer front. Virginia HB736, signed by Governor Abigail Spanberger on April 6, 2026, sets minimum durations of six months for initial prior authorizations and twelve months for continuations. Kentucky HB176 passed on April 13, 2026 with a gold-card framework that exempts qualifying providers entirely.
A commercial payer operating in Washington and running a WISeR contract for services rendered in Washington has to route two different patient populations through two different decision architectures. One of those populations is protected by state law from sole-AI denial. The other is inside a federal pilot where vendors are paid a percentage of denials.
The UnitedHealth docket in context
The April 29 deadline for UnitedHealth to produce tens of thousands of documents about nH Predict in Barrows v. UnitedHealth is about to give the compliance community its first detailed look at how a commercial payer’s denial algorithm operates in practice. That production is not about WISeR. The comparison will be inescapable. Plaintiff’s bar will read nH Predict discovery, read the CMS-0057-F metrics reports posted for calendar year 2025, and look for payers whose denial rates and overturn rates suggest a similar algorithmic pattern.
The metrics-disclosure regime is not just a transparency exercise. It is a target list.
What to watch over the next ninety days
Four things.
-
The EFF v. CMS docket. A ruling compelling CMS to release WISeR vendor contracts would be the first public look at how a federal PA contractor is actually paid for denials.
-
The nH Predict production on April 29. Whatever lands in plaintiffs’ hands that day is going to shape every payer’s AI-use policy for the next 18 months.
-
The CY2025 metrics reports posted under CMS-0057-F. Every published payer is now benchmarkable. Every unpublished or machine-unreadable payer is now identifiable.
-
State legislative motion on duration and gold card. Virginia and Kentucky signaled that PA duration is the next fight. Expect copycat bills in the remaining session states this spring.
Compliance teams have one clear task right now. Map your plan’s WISeR exposure, your CMS-0057-F reporting posture, and your state-by-state AI-in-PA compliance. The three regimes were not designed together. You are the one who has to operate them together.
Sources