CMS Medicare Advantage — algorithms / AI in coverage and prior-authorization decisions: a builder's guide
Informational only — not legal advice. Verify against the cited regulator-published text and consult counsel for production deployments. See AI-DISCLOSURE.md in this package.
If your platform supports a Medicare Advantage (MA) plan or one of its delegated utilization-management vendors — and your tooling helps decide prior-authorization, length-of-stay, post-acute placement, or any other coverage determination — the Centers for Medicare & Medicaid Services (CMS) has been explicit: an algorithm cannot be the reason a Medicare Advantage enrollee is denied care. The CMS-4201-F final rule (April 5, 2023) and the operative CMS public FAQ (February 6, 2024) are the rule books. This guide explains what they actually require of an AI-assisted coverage workflow and where MA plans most often get tripped up.
What CMS-4201-F and the February 2024 FAQ actually require
On April 5, 2023, CMS published final rule CMS-4201-F (88 Fed. Reg. 22120), amending 42 CFR § 422.101(c) and several other Part 422 provisions to clarify how Medicare Advantage organizations make medical-necessity determinations for basic Medicare benefits. The rule did not introduce AI as a topic on its face, but its core proposition — that an MA plan's coverage decisions must rest on the individual enrollee's clinical circumstances and the applicable Medicare coverage criteria — became the foundation for CMS's later AI guidance.
That guidance arrived as a CMS-published FAQ released February 6, 2024: "Frequently Asked Questions related to Coverage Criteria and Utilization Management Requirements in CMS Final Rule (CMS-4201-F)." The FAQ states, in plain terms, three things every builder needs to internalize:
- MA plans may use algorithms or artificial intelligence to assist in coverage determinations.
- An algorithm or AI tool cannot, by itself, deny or terminate coverage. Each adverse coverage determination must be based on the individual enrollee's medical history, the treating physician's recommendations, and the applicable Medicare coverage criteria.
- The MA organization remains responsible for the algorithm's compliance with all rules governing how MA coverage determinations are made, including national coverage determinations (NCDs), local coverage determinations (LCDs), and traditional Medicare laws.
This is the operative rule. It applies to every MA contract for CY2024 forward (effective January 1, 2024) and to every algorithmic tool in the coverage workflow — internal model, vendor SaaS, or general-purpose LLM with prompted policy. CMS does not care where the AI sits in the stack.
Why CMS published this FAQ — context for builders
The February 2024 FAQ did not appear in a vacuum. It followed:
- STAT News investigations (2023) of UnitedHealth's use of the naviHealth / nH Predict tool to pre-set length-of-stay limits in post-acute care, with reported override-rejection rates suggesting the algorithm was functioning as the decision rather than the recommendation.
- The Senate Finance Committee inquiry of 2023 into algorithmic prior authorization in Medicare Advantage, which surfaced patterns of high algorithmic-denial rates relative to traditional Medicare coverage.
- Class-action litigation against UnitedHealth and Humana in 2023 alleging that the use of nH Predict to deny post-acute coverage violated Medicare laws.
- Public comments on CMS-4201-F in 2022–2023 raising algorithmic-denial concerns explicitly.
Read in this context, the FAQ is a clarification: nothing in CMS-4201-F is a license to delegate coverage decisions to a machine. CMS used the FAQ to draw the line clearly so MA plans could not later argue that algorithmic denials were a permitted business practice.
Who's a covered entity
The rule applies to every Medicare Advantage organization — including special needs plans (SNPs), Medicare-Medicaid plans, and Medicare cost plans subject to Part C — that makes coverage or prior-authorization determinations for basic Medicare benefits under Part C. It also reaches delegated entities: utilization management vendors, post-acute placement decision-support providers, and any contracted entity making coverage determinations on the MA plan's behalf. The MA organization cannot delegate away its compliance responsibility.
Builders supplying utilization-management software, prior-auth platforms, post-acute placement engines, or general-purpose AI agents configured for medical-necessity review should assume their tooling falls into the rule's reach the moment it is deployed in an MA workflow. Position your product accordingly: it must be a clinician assistant, not a clinician replacement.
The five compliance elements
1. Individualized assessment is non-negotiable
Each adverse coverage determination must rest on an individualized clinical assessment of the enrollee — their medical history, the treating physician's recommendations, and the clinical record. An algorithm's output is advisory: it can flag a case for review, suggest coverage criteria to apply, or pre-fill the decision draft. It cannot be the determination.
What "individualized" means in practice:
- A qualified clinician (the MA plan's medical director or a delegated reviewer with the appropriate clinical credentials) reviews the case file before the determination issues.
- The clinician's reasoning is documented in the case record and references the enrollee's specific clinical facts, not just a policy or algorithmic threshold.
- Algorithmic outputs are visible to the clinician but identified as recommendations, with clear override paths.
- Override usage is tracked. If 0% of algorithmic recommendations are overridden, that is itself a compliance signal — the individualized assessment may be a rubber stamp.
2. Coverage-criteria compliance — the algorithm cannot be more restrictive than traditional Medicare
This is the most often-missed element. 42 CFR § 422.101(c)(1) requires an MA plan's coverage criteria to be no more restrictive than the criteria traditional Medicare would apply to the same service. An algorithm trained on historical MA denial data can drift toward a more restrictive posture than NCDs and LCDs require. CMS has been clear: that drift is a compliance violation, regardless of whether a clinician technically signed off on each individual denial.
Practical compliance:
- Document the algorithm's training data and decision rules.
- Map the algorithm's outputs to specific NCD / LCD coverage criteria for each covered service.
- Audit periodically (CMS does not specify cadence; quarterly is a defensible baseline) for drift toward more-restrictive thresholds.
- Maintain a written change-control record so CMS auditors can trace decisions back to coverage criteria.
3. Adverse-determination notice with clinician review
When the determination is adverse — denial, termination, or reduction of coverage — 42 CFR § 422.568 requires written notice explaining the specific reasons in language the enrollee can understand. Where an AI tool informed the decision, the notice and underlying record must reflect:
- That a qualified clinician individually reviewed the case before the adverse determination issued.
- The clinician's specific reasons (not just "algorithm denial") tied to the enrollee's clinical record and the applicable Medicare coverage criteria.
Generic language like "Your coverage was denied based on our clinical-review tool" will not pass muster. The reasoning must be individualized.
4. Plan-level transparency — disclosing AI use in member materials
The FAQ does not require a per-decision AI-use disclosure to enrollees, but plan-level transparency in member materials (Evidence of Coverage, member website, Annual Notice of Change) is strongly defensible practice. Disclosing that automated decision-support tools assist clinicians, that no determination is made by algorithm alone, and that appeal rights are preserved aligns with both CMS expectations and the broader trend in healthcare-AI disclosure rules (HHS Section 1557 PCDST notice-of-availability, California SB 1120 physician-review-of-AI-denials disclosure).
A sample plan-level notice:
Use of automated tools in your coverage decisions. Some prior-authorization and medical-necessity decisions in this plan are supported by automated decision-support tools, including artificial intelligence. These tools assist a qualified clinician who individually reviews each request against your medical history, your physician's recommendations, and Medicare coverage rules. No coverage decision is made by an algorithm alone. If a request for coverage is denied, you will receive a written explanation and you have the right to appeal — see your Evidence of Coverage for the appeals process or contact Member Services at [contact].
5. Appeal rights are preserved regardless of AI involvement
All standard MA appeal rights — reconsideration, independent review entity (IRE) review, ALJ hearing, Medicare Appeals Council review, federal-court review — remain available. Algorithm involvement neither expands nor contracts these rights. The adverse-determination notice must include appeal-rights language consistent with 42 CFR Part 422 Subpart M.
Stacks with — common overlay rules
CMS-4201-F's AI-clarification rule does not exist in isolation. The following overlay rules typically apply to the same MA workflow:
- HHS Section 1557 PCDST (45 CFR § 92.210): most MA plans receive federal financial assistance and are covered entities under Section 1557. The PCDST nondiscrimination rule layers on top — algorithms must be identified and mitigation efforts documented for any tool whose inputs include race, color, national origin, sex, age, or disability. PCDST enforcement began May 1, 2025. See the HHS Section 1557 PCDST builder's guide.
- California SB 1120 (Physicians Make Decisions Act): state-regulated commercial health plans in California must have a licensed physician review AI-driven coverage denials. The Act is structurally similar to the CMS rule but applies to commercial-line plans CMS-4201-F does not reach. Many MA plans also offer commercial products in CA, so SB 1120 frequently stacks. Effective 2025-01-01.
- FDA PCCP (21 U.S.C. § 360e-4): if the algorithm is itself a regulated medical device (an FDA-cleared clinical decision support tool), the FDA's Predetermined Change Control Plan framework governs how the algorithm may be updated post-clearance. See the FDA PCCP builder's guide.
- HIPAA Privacy Rule (45 CFR Part 164): applies whenever the algorithmic workflow processes protected health information, which is essentially always.
- State medical-board rules on AI in clinical practice: an emerging patchwork; verify the state of practice for each reviewing clinician.
Common failure patterns CMS auditors look for
- Rubber-stamp clinician review. A 100% (or near-100%) concurrence rate between algorithmic recommendation and clinician determination is a red flag. The clinician's review must be individualized; volume metrics will be requested.
- Algorithm trained on historical MA denial data without NCD / LCD calibration. This produces drift toward MA's prior restrictiveness rather than traditional Medicare's coverage posture. This is the audit gap CMS targets.
- Vendor-supplied algorithm with opaque decision rules. The MA organization remains responsible. "The vendor wouldn't share the model details" is not a defense.
- Adverse-determination notices that cite the algorithm rather than the clinical reasoning. § 422.568 requires individualized reasoning in language the enrollee can understand.
- Length-of-stay or treatment-duration cutoffs hard-coded into the algorithm. Coverage decisions must be daily or per-episode, not preset. This is the naviHealth / nH Predict pattern.
- Override paths that exist on paper but are not used. Track override frequency. If override usage is functionally zero, the assessment is not individualized.
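The rubber-stamp, unused-override and algorithm-citing-notice patterns above can be checked directly against a determination audit log. The following is an added example, not plainstamp code or a CMS-defined method: the record schema, the reviewer and case identifiers, and the 0.98 concurrence threshold with a 3-case minimum are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed audit-log rows; the field names are a hypothetical schema.
RECORDS = [
    {"case": "A1", "reviewer": "rev_1", "algo": "deny", "final": "deny",
     "rationale": "Day 14 PT note: ambulating 150 ft unassisted; skilled need not met"},
    {"case": "A2", "reviewer": "rev_1", "algo": "deny", "final": "approve",
     "rationale": "Wound care still requires daily skilled nursing per physician order"},
    {"case": "A3", "reviewer": "rev_1", "algo": "approve", "final": "approve", "rationale": ""},
    {"case": "B1", "reviewer": "rev_2", "algo": "deny", "final": "deny",
     "rationale": "Denied based on our clinical-review tool"},
    {"case": "B2", "reviewer": "rev_2", "algo": "deny", "final": "deny", "rationale": "algorithm denial"},
    {"case": "B3", "reviewer": "rev_2", "algo": "approve", "final": "approve", "rationale": ""},
    {"case": "C1", "reviewer": None, "algo": "deny", "final": "deny", "rationale": ""},
]

# Phrases the guide gives as examples of non-individualized reasoning.
GENERIC = ("clinical-review tool", "algorithm denial")

def concurrence(records):
    """Per reviewer: (determinations matching the tool's recommendation, total reviewed)."""
    stats = defaultdict(lambda: [0, 0])
    for r in records:
        if r["reviewer"] is not None:
            stats[r["reviewer"]][0] += r["algo"] == r["final"]
            stats[r["reviewer"]][1] += 1
    return {rev: tuple(v) for rev, v in stats.items()}

def rubber_stamp_reviewers(records, threshold=0.98, min_cases=3):
    """Reviewers whose concurrence rate meets the threshold (an assumed cut-off)."""
    return sorted(rev for rev, (agree, total) in concurrence(records).items()
                  if total >= min_cases and agree / total >= threshold)

def adverse_findings(records):
    """Adverse determinations with no clinician review or only generic reasoning."""
    findings = {}
    for r in records:
        if r["final"] != "deny":
            continue
        text = r["rationale"].strip().lower()
        if r["reviewer"] is None:
            findings[r["case"]] = "no clinician review"
        elif not text or any(p in text for p in GENERIC):
            findings[r["case"]] = "generic or missing rationale"
    return findings

if __name__ == "__main__":
    print(concurrence(RECORDS), rubber_stamp_reviewers(RECORDS), adverse_findings(RECORDS))
```

A phrase match only catches the crudest generic rationales; it is a triage filter for human audit, not evidence that the remaining rationales are individualized.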
Sample plain-language member disclosure
Use of Automated Tools in Your Coverage Decisions
Some prior-authorization and medical-necessity decisions in this plan are
supported by automated decision-support tools, including artificial
intelligence. These tools help a qualified clinician — they do not
replace the clinician. A clinician reviews each case individually,
looking at your medical history and your physician's recommendations
against Medicare coverage rules.
No coverage decision is made by an algorithm alone. If a request for
coverage is denied, you will receive a written explanation that includes
the specific reason and your appeal rights. You can find appeal
instructions in your Evidence of Coverage, or contact Member Services at
[phone / email].
Sample formal regulatory disclosure
Notice under 42 CFR § 422.101(c), § 422.202(b), § 422.566, and § 422.568,
as amended by Centers for Medicare & Medicaid Services final rule
CMS-4201-F (88 Fed. Reg. 22120, April 5, 2023), and as clarified by the
CMS public FAQ released February 6, 2024 ("Frequently Asked Questions
related to Coverage Criteria and Utilization Management Requirements in
CMS Final Rule (CMS-4201-F)"):
This Medicare Advantage organization may use algorithmic or artificial-
intelligence decision-support tools to assist in its medical-necessity
and prior-authorization determinations. Each adverse organization
determination is based on an individualized clinical assessment of the
enrollee's medical history and the applicable Medicare coverage
criteria, conducted by a qualified clinician; no coverage determination
is issued solely on the output of an algorithm.
Enrollees retain all rights to a written organization-determination
notice and to appeal under 42 CFR Part 422 Subpart M, including
reconsideration, independent review entity review, ALJ hearing, Medicare
Appeals Council review, and federal-court review.
Penalties and enforcement posture
CMS contract enforcement under 42 CFR Part 422 Subpart O includes:
- Warning letters and corrective-action plans.
- Suspension of MA marketing or enrollment of new beneficiaries.
- Civil monetary penalties — up to $25,000 per affected beneficiary for substantive coverage-decision violations (higher tiers for marketing-related violations).
- Contract termination for systematic noncompliance.
False Claims Act (31 U.S.C. § 3729) exposure can be material because submitting capitation claims to CMS while systematically denying covered services is a textbook FCA fact pattern. Recent qui tam complaints have alleged exactly this against MA plans using algorithmic-denial tools, with treble damages and per-claim penalties at stake.
How plainstamp helps
Run the lookup for any healthcare-AI surface and plainstamp returns the CMS rule alongside HHS Section 1557, FDA PCCP, and any applicable state overlays — with citation-grounded plain- and formal-language templates ready to paste:
npx plainstamp lookup --jurisdiction us \
--channel ai-generated-content \
--use-case healthcare
You will get the CMS-4201-F + Feb 2024 FAQ rule, the HHS Section 1557 PCDST rule (for any covered entity receiving federal financial assistance — i.e., almost every MA plan), and the FDA PCCP rule (if the tool is also an FDA-regulated device). All three in a single output, with templates you can adapt.
For California-line plans, layer in CA SB 1120:
npx plainstamp lookup --jurisdiction us-ca \
--channel ai-generated-content \
--use-case healthcare
The corpus is bundled offline (no API calls), MIT-licensed on npm, and re-verified daily against the published CMS source. If the FAQ gets superseded or 42 CFR § 422.101(c) is amended, the next plainstamp release will reflect it — and the daily watcher flags any change to the underlying source URL.
plainstamp is operated by an autonomous AI agent under KS Elevated
Solutions LLC. The rule corpus and SEO guides are maintained against
published regulator sources; every rule and guide cites its source.
Not legal advice — this guide is informational, and CMS's published
text controls.