Healthcare Markets & Technology

Programmable Medical Necessity & the Pricing Computation Layer: How Prior Auth API Infrastructure, Claims-Derived Transparency Data, and ERISA Fiduciary Litigation Are Rewiring Commercial Healthcare

Apr 23, 2026

Table of Contents

Abstract

Why this is the moment regulation accidentally built infrastructure

The prior auth stack nobody asked for but everyone needs

CRD, DTR, PAS and what each layer actually does

Fax machines, X12 278, and the orchestration tax

State laws are turning UM into an SLA business

Continuity of care is a state machine problem pretending to be a policy

AI in UM, or why the sole decider framing is the wrong one

Where the venture dollars land in PA infrastructure

Price transparency graduates from PDF dumps to a computation layer

The pricing graph and why 835 data is the anchor

ERISA litigation turns pricing data into evidence

AEOB pushes pricing into the exam room

The normalization problem that eats naive analyses

Business models in transparency 2.0

Closing thoughts on programmable healthcare

Abstract

Two regulatory vectors are quietly converging into something much bigger than either one looks on its own.

- Prior auth is being refactored from a fax-and-phone labor pile into FHIR-native API infrastructure, driven by AHIP and BCBSA commitments, CMS-0057-F, ONC certification criteria, HL7 Da Vinci, and a growing stack of state SLA laws.

- Price transparency is moving from estimated allowed amounts and chargemaster math to actual paid percentiles derived from 835 ERA data, which turns compliance files into a bidirectional pricing graph.

- ERISA fiduciary litigation (Lewandowski, Navarro) is converting that pricing graph from optional analytics into discoverable evidence, which forces employers to actually use it.

- AEOB under the No Surprises Act pushes pricing upstream into clinical ordering workflows, where it starts behaving like a decision engine rather than a retrospective report.

- Net result: medical necessity becomes programmable, pricing becomes executable, and a handful of orchestration, compute, and audit layers become venture-scale infrastructure opportunities.

Why this is the moment regulation accidentally built infrastructure

Healthcare usually gets infrastructure by accident. Someone writes a rule, a bunch of lawyers interpret it, a bunch of engineers go build to the lowest-effort reading of that interpretation, and ten years later the industry wakes up and realizes a new substrate exists. That is roughly what is happening right now across two completely different regulatory tracks that are starting to rhyme.

On one side, prior auth is getting dragged out of fax hell by a combination of voluntary payer commitments, federal interoperability rules, and increasingly assertive state SLA laws. On the other, price transparency has spent five years being a joke about unreadable JSON dumps and is finally shifting toward actual paid percentiles that reflect real money that changed hands. Both tracks were sold as compliance exercises. Both are quietly turning into market infrastructure that vendors, providers, payers, and employers will build entire businesses on top of.

The common thread is that regulators keep mandating structured, machine-readable disclosures of things that used to live in PDFs, policy manuals, or somebody’s head. Once those disclosures exist in enough volume and enough structure, they stop being filings and start being computable substrates. Computable substrates get products built on them. Products attract capital. Capital attracts talent. Eventually what looked like a compliance cost center becomes a transaction layer, and the economics of the whole adjacent market get rewritten. That is the lens worth keeping in mind for the rest of this essay.

The prior auth stack nobody asked for but everyone needs

Commercial prior auth has always been a great example of Conway’s law applied to healthcare. The org chart of utilization management (nurse reviewers, medical directors, BPO call centers, fax intake teams, delegated UM vendors) produced a transaction topology that looks exactly like that org chart. Fax in, portal in, phone in, nurse review, medical director escalation, letter out, appeal loop, repeat. The technology budget mostly went to making that labor pile slightly less painful rather than replacing it.

That is finally breaking, and not because anybody had a technological epiphany. It is breaking because the payer associations publicly boxed themselves in. AHIP and BCBSA issued commitments pointing at a FHIR-based framework for electronic prior auth by the start of 2027, with at least 80 percent of electronic approvals with complete clinical documentation answered in real time. The 2026 commitments already in motion include reduced PA scope, 90-day continuity of care when patients switch plans, clearer explanations of decisions, and medical review of clinically non-approved requests. That is not a federal rule for the full commercial market, but when plans covering close to 270 million lives publicly line up behind the same operational targets, vendors and providers effectively have to build for it. The alternative is being the one EHR or clearinghouse that cannot ingest the standard flow, which is a short path to losing deals.

Meanwhile the federal rails are converging on the same stack. CMS-0057-F requires impacted payers to expose prior auth through FHIR APIs and supports operational changes around turnaround times and data exchange. ONC’s HTI-1 certification criteria explicitly cover provider-side prior auth APIs for Coverage Requirements Discovery, Documentation Templates and Rules, and Prior Authorization Support. The CMS rule is narrower in scope than the commercial market, but the ONC certification criteria apply to certified health IT, which is basically everybody who matters on the provider side. So even where the payer mandate does not reach, the provider stack is being nudged toward CRD, DTR, and PAS. Commercial infrastructure piggybacks on that whether the commercial payer loves it or not.

The baseline is still genuinely primitive, which is why the opportunity is so large. CAQH reports that only about 35 percent of prior authorizations are processed electronically, and a striking 9 percent of surveyed organizations say they could support an ePA API by the 2027 target. Blue plans themselves acknowledge that nearly half of PA requests are still coming in by fax or phone. CAQH estimates that full adoption of the electronic standard could save the industry on the order of 515 million dollars a year and cut about 14 minutes per authorization. Those are the kinds of gaps that create new categories of company, not just feature upgrades inside existing ones.

CRD, DTR, PAS and what each layer actually does
