Skip to main content
Feature ID: PM-10
Status: ✅ Implemented
Last Verified: 2026-02-22
Spec Reference: PM-10-prior-authorization-management.md
Last Updated: 2026-02-22

Table of Contents


Overview

PM-10 provides prior authorization (PA) request creation and tracking, status lifecycle (draft → submitted → pending → approved/denied/appealed/expired/cancelled), AHCCCS PA rules (e.g. BHRF initial 5 days for urgent), authorization vs. used units/days tracking, concurrent review and denial/appeal workflow, and readiness for FHIR PA API (Da Vinci CRD/DTR/PAS) when payers expose APIs. It depends on PM-01 (patient), PM-02 (payer/auth requirements); integrates with PM-08 (claim scrub auth verification), CL-16 (Da Vinci PAS), and PF-10 (expiration/renewal alerts).

Quick Reference


Integration Points (from Spec)


API / Data Contracts

PM-08 → PM-10: Authorization Verification at Claim Scrub

Pattern: SECURITY DEFINER read
Direction: PM-08 reads pm_prior_authorizations to verify active authorization during claim scrubbing.
Response:
  • If found: claim passes auth check; used_units may be incremented on claim payment.
  • If not found: claim flagged with scrub warning “No active authorization found.”

PM-10 → PM-08: Used Units Update

Pattern: Application-level update
Direction: When a claim referencing a PA is paid (PM-09 payment posting), used_units on the PA is incremented.

CL-16 (Da Vinci PAS): FHIR PA API

Status: 📝 Planned
Pattern: Outbound FHIR R4 API
Direction: PM-10 submits PA request to payer via Da Vinci PAS when payer exposes FHIR API.
Standards:
  • Da Vinci CRD STU 2.0.1: Coverage Requirements Discovery
  • Da Vinci DTR STU 2.0.0: Documentation Templates and Rules
  • Da Vinci PAS STU 2.1: Prior Authorization Support
Contract: TBD per payer API availability. Will map pm_prior_authorizations fields to FHIR Claim resource with use: preauthorization.

Event Contracts

PM-10 → PF-10: Authorization Expiration Alert

Channel: pm_events
Event: prior_auth_expiring
Status: 📝 Planned
Trigger: Cron edge function checks PAs where approved_end_date is within configured alert window (default: 30, 14, 7 days).

PM-10 Status Transition Events

Channel: pm_events
Events: prior_auth_submitted, prior_auth_approved, prior_auth_denied
Status: ✅ Implemented (client-side publishEvent() in usePriorAuthorizationMutation)
Consumers:
  • CL-08 (CDS): Alert clinicians when authorization is approved or denied
  • PM-08: Gate claim submission on active authorization

Security and RLS

  • All access to pm_prior_authorizations and pm_auth_reviews is tenant-isolated via organization_id and RLS.
  • FORCE ROW LEVEL SECURITY enabled on both tables.
  • RLS policies use pm_has_org_access(organization_id, auth.uid()) SECURITY DEFINER helper.
  • pm_auth_reviews INSERT uses pm_prior_auth_can_insert_review(authorization_id, auth.uid()) to validate parent PA org access.
  • UPDATE policies include both USING and WITH CHECK to prevent organization_id mutation.
  • DELETE restricted to pf_is_org_admin(organization_id, auth.uid()).
  • PHI: PA records and clinical justification are PHI; no PHI in logs or external API payloads beyond authorized use.