Status: ✅ Implemented
Last Verified: 2026-02-22
Spec Reference: PM-10-prior-authorization-management.md
Last Updated: 2026-02-22
Table of Contents
- Overview
- Quick Reference
- Integration Points (from Spec)
- API / Data Contracts
- Event Contracts
- Security and RLS
- Related Docs
Overview
PM-10 provides prior authorization (PA) request creation and tracking, status lifecycle (draft → submitted → pending → approved/denied/appealed/expired/cancelled), AHCCCS PA rules (e.g. BHRF initial 5 days for urgent), authorization vs. used units/days tracking, concurrent review and denial/appeal workflow, and readiness for FHIR PA API (Da Vinci CRD/DTR/PAS) when payers expose APIs. It depends on PM-01 (patient), PM-02 (payer/auth requirements); integrates with PM-08 (claim scrub auth verification), CL-16 (Da Vinci PAS), and PF-10 (expiration/renewal alerts).Quick Reference
Integration Points (from Spec)
API / Data Contracts
PM-08 → PM-10: Authorization Verification at Claim Scrub
Pattern: SECURITY DEFINER readDirection: PM-08 reads
pm_prior_authorizations to verify active authorization during claim scrubbing.
- If found: claim passes auth check;
used_unitsmay be incremented on claim payment. - If not found: claim flagged with scrub warning “No active authorization found.”
PM-10 → PM-08: Used Units Update
Pattern: Application-level updateDirection: When a claim referencing a PA is paid (PM-09 payment posting),
used_units on the PA is incremented.
CL-16 (Da Vinci PAS): FHIR PA API
Status: 📝 PlannedPattern: Outbound FHIR R4 API
Direction: PM-10 submits PA request to payer via Da Vinci PAS when payer exposes FHIR API. Standards:
- Da Vinci CRD STU 2.0.1: Coverage Requirements Discovery
- Da Vinci DTR STU 2.0.0: Documentation Templates and Rules
- Da Vinci PAS STU 2.1: Prior Authorization Support
pm_prior_authorizations fields to FHIR Claim resource with use: preauthorization.
Event Contracts
PM-10 → PF-10: Authorization Expiration Alert
Channel:pm_eventsEvent:
prior_auth_expiringStatus: 📝 Planned
approved_end_date is within configured alert window (default: 30, 14, 7 days).
PM-10 Status Transition Events
Channel:pm_eventsEvents:
prior_auth_submitted, prior_auth_approved, prior_auth_deniedStatus: ✅ Implemented (client-side
publishEvent() in usePriorAuthorizationMutation)
- CL-08 (CDS): Alert clinicians when authorization is approved or denied
- PM-08: Gate claim submission on active authorization
Security and RLS
- All access to
pm_prior_authorizationsandpm_auth_reviewsis tenant-isolated viaorganization_idand RLS. FORCE ROW LEVEL SECURITYenabled on both tables.- RLS policies use
pm_has_org_access(organization_id, auth.uid())SECURITY DEFINER helper. pm_auth_reviewsINSERT usespm_prior_auth_can_insert_review(authorization_id, auth.uid())to validate parent PA org access.- UPDATE policies include both
USINGandWITH CHECKto preventorganization_idmutation. - DELETE restricted to
pf_is_org_admin(organization_id, auth.uid()). - PHI: PA records and clinical justification are PHI; no PHI in logs or external API payloads beyond authorized use.