One of the first questions product teams building in healthcare ask is: which services actually require prior authorization? The honest answer is that it depends on the specific drug or procedure, the payer, the insurance plan type, and sometimes the patient's clinical history. There is no single list that applies universally.
That variability is not a flaw in the system. It reflects the fact that prior authorization requirements are set by each payer based on their own medical policies, which change as new drugs enter the market, new clinical guidelines emerge, and payer cost pressures shift. For health tech teams, the practical consequence is that prior auth requirements need to be treated as dynamic data, not a static lookup table.
What does hold across most payers and plans is a rough taxonomy of the categories most likely to require prior authorization. Understanding where the requirements concentrate helps product teams identify where PA automation has the most impact and where missing it creates the most risk.
Specialty and Brand Medications
Prescription medications are where prior authorization requirements are most common and most consequential. Most payers have formularies that tier medications by cost, and higher-tier specialty drugs almost always require PA before they will be covered.
Biologics and specialty injectables sit at the top of the stack. Medications for conditions like rheumatoid arthritis, multiple sclerosis, inflammatory bowel disease, and certain cancers routinely require prior authorization regardless of payer. These drugs can cost tens of thousands of dollars per year, and payers require clinical justification that the patient meets specific criteria: confirmed diagnosis, documented failure of lower-cost alternatives (step therapy), and sometimes specific lab values or disease severity scores.
Psychiatry medications are a high-frequency prior auth category for behavioral health platforms. Newer antidepressants, ADHD medications, and antipsychotics with brand-name equivalents often require PA, particularly when the prescribing provider wants to start with a non-formulary option. The clinical criteria typically ask whether lower-cost alternatives have been tried and failed, which means the patient's medication history needs to be captured accurately at the time of submission.
GLP-1 medications for weight management and diabetes, including semaglutide-based drugs, currently have extensive prior authorization requirements across most commercial payers. The criteria vary significantly by payer and plan, but generally require a confirmed diagnosis, a documented BMI threshold, and in some cases prior participation in a supervised weight loss program.
Durable Medical Equipment
Durable medical equipment (DME) consistently requires prior authorization for anything beyond basic supplies. CPAP and APAP machines for sleep apnea are among the most common: payers typically require a sleep study confirming the diagnosis, a specific AHI score threshold, and documentation of the prescribing provider. Continuous glucose monitors, powered wheelchairs and scooters, home oxygen equipment, and infusion pumps all fall into the same category.
For health tech platforms working in chronic care, sleep management, or home health, DME prior auth is often the first workflow where automation creates significant leverage. The volume is predictable, the data requirements are well-defined, and the portal submission process follows consistent patterns once you have the right clinical data in hand.
Behavioral Health and Recurring Care
Behavioral health prior authorization has expanded significantly as mental health coverage mandates have broadened what commercial plans are required to cover. The dynamic this creates: more services are technically covered, but payers use prior authorization to manage utilization for anything beyond routine outpatient sessions.
Psychiatry visits and medication management often require PA when they exceed a baseline number of sessions per year, or when the prescribing psychiatrist is not in the payer's preferred network. Intensive outpatient programs, partial hospitalization, and residential treatment almost universally require prior authorization. Applied behavior analysis for autism spectrum disorder requires PA from most payers and involves some of the most complex clinical documentation requirements of any behavioral health service.
Recurring therapy sessions hit PA requirements differently depending on the plan. Some commercial plans authorize a set number of sessions annually and require PA only when that number is exceeded. Others require prior authorization before any ongoing treatment plan, particularly for out-of-network providers. The threshold varies by plan and is not always visible from the eligibility response.
Specialty Referrals and Procedures
Specialist consultations in certain high-cost areas require PA from some payers. Oncology referrals, advanced imaging like MRI and CT scans, sleep studies, cardiac catheterization, and some surgical procedures are the most common. Whether a specific referral requires PA often depends on whether the referring provider is in the same network as the specialist, and whether the service is categorized as elective or urgent by the payer.
For platforms facilitating cross-specialty referrals, this creates a workflow gap. A therapist recommending a sleep study or a primary care provider referring a patient to a weight management program may not know which payer-specific criteria the referral needs to meet for authorization. Platforms that can surface those requirements in context, at the point of referral, reduce the risk of a patient arriving at a specialist appointment only to find the authorization was never obtained.
Why Requirements Vary So Much
The same drug can require prior authorization under one plan and be auto-approved under another. The same procedure can need PA for a commercially insured patient and be exempt for a Medicaid patient in the same state. A medication that required PA last year may be approved without it this year if it moved down the formulary tier.
Three factors drive most of this variation. Payer medical policies set the baseline. The specific plan type adds another layer: self-insured employer plans are governed by the employer's benefit design, which can deviate significantly from the insurer's standard policies. And the patient's coverage tier, deductible status, and network assignment all influence what triggers a PA requirement.
This is why prior authorization requirements cannot be reliably pre-computed. For any specific patient plus drug plus payer combination, the only authoritative source of truth is the payer portal. Platforms that attempt to pre-screen PA requirements using static rule sets will get the edge cases wrong, and the edge cases are where denials happen.
How Prior Auth Actually Flows
Understanding what requires prior authorization is only the first problem. The second is understanding what actually has to happen to submit one. The workflow breaks into two phases.
The pre-submission phase is where most of the complexity lives. Before a submission can be attempted, you need to know which ICD-10 and drug codes apply to the patient and procedure. You need to pull the form questions the payer will ask for that specific drug-payer combination, ideally in a structured schema (FHIR R4 is the standard most platforms target). You need to understand how the payer expects data to be formatted, since field requirements differ across Carelon, UHC, Cigna, and CoverMyMeds. And you need to resolve the provider's NPI and confirm their credentials are active with that payer.
The submission and response phase is more straightforward in concept, harder in practice. The automation navigates the payer portal, fills the form from the structured data collected in pre-submission, and submits. What comes back is a determination: approved, denied, or pended for clinical review. Pended cases require status polling since complex PAs can sit in review queues for hours to days. The final output is a structured result plus, for many payers, a confirmation PDF that can be attached to the patient record.
The reason this matters for product teams is that the pre-submission phase determines whether the submission will pass. A submission that hits the portal with the wrong ICD code, a mismatched drug NDC, or clinical notes that don't match the payer's criteria will either fail silently or trigger a first-pass denial. Getting the pre-submission data right is where the actual work of prior auth automation happens.
What Health Tech Platforms Need to Build For
For platforms that routinely encounter prior authorization, the product requirement is not just triggering submissions. It is collecting the right clinical data at the right moment so the submission can be accurate. PA requirements surface when a provider wants to prescribe, order, or refer. The clinical data required for that PA (diagnosis codes, prior treatment history, lab values, provider credentials) needs to be captured before the provider closes out the encounter, not after the claim comes back denied.
Platforms serving psychiatry, chronic care, sleep management, or specialty referral workflows should treat prior authorization data collection as a first-class requirement in their clinical intake design, not an afterthought bolted onto billing.
For the actual submission layer, prior authorization runs through payer portals, not clearinghouse APIs. Each portal has its own authentication, form structure, and conditional logic. Maintaining integrations across the full payer landscape is an ongoing infrastructure investment. If you want to handle payer portal submissions without building that layer yourself, Simplex provides managed prior auth submission endpoints for the portals your providers are already using.