A 20-clinic provider group cut prior-auth turnaround from 4 days to 6 hours and redeployed 5 FTEs to higher-value work
HIPAA-aware automation across payer portals, EMR, and practice management. 73% of prior auths now auto-decision, exception queue handles only the edge cases, and patient delay incidents dropped 81%.
- Median auth turnaround: 4 days → 6 hrs
- Auths auto-decisioned: 73%
- FTEs redeployed: 5
- Patient delay incidents: −81%
- Auths processed / month: ~3,200
- Payback period: 16 weeks
Client
Multi-state primary-care provider group (anonymized)
Size
20 clinics, 4 states, ~95 providers
Stack
Athenahealth · Availity · Change Healthcare · Twilio · n8n (HIPAA-aware self-hosted) · Vanta
Where they were
The prior-auth team had 8 FTEs whose entire job was logging into payer portals, requesting authorizations, checking status, and re-keying decisions into the EMR and practice management system. Each auth took an average of 22 minutes of human time to shepherd through.
Median turnaround from auth request to patient-treatment-approved was 4 business days. For elective specialties (PT, behavioral health, certain imaging), this routinely meant patients rescheduling or canceling appointments while waiting on coverage decisions. Revenue impact was real, but the bigger problem was clinical: patients with mental-health needs were dropping off care because of wait times.
Compliance was layered on top. Everything PHI-touching needed audit logs, retention controls, and access-restricted handling. Two prior automation vendors had bailed on the project, saying it was 'too hard'; neither understood HIPAA well enough to design controls that satisfied the privacy officer.
The diagnosis
Two weeks of discovery, including time with the privacy officer to understand the controls envelope. We found that 5 payers accounted for 78% of prior-auth volume. Three of those five had modern eligibility + authorization APIs (via Availity and Change Healthcare); the other two only had portal access.
The auth checklist itself was deterministic for ~85% of cases — straightforward CPT codes, common ICD-10 diagnoses, in-network providers. The remaining 15% genuinely needed clinical-judgment review and would always need a human.
The path forward: automate the deterministic 85% via APIs (and RPA where APIs didn't exist), route the 15% to the existing team's queue, and rebuild the audit-trail layer to satisfy the privacy officer. Everything would run inside the group's own AWS account on n8n; no PHI would touch our infrastructure.
What we built
A 7-week engagement: 1 week discovery + privacy review, 4 weeks build, 1 week UAT with the prior-auth lead, 1 week phased rollout. Total project cost: $42,600. The build cleared the group's privacy officer review on the first pass.
API integrations for the three payers with modern interfaces: eligibility check on every new auth, authorization submission, status polling every 15 minutes, decision retrieval, automated push back to Athenahealth + the practice management system. Audit log entries get created at every PHI touch.
RPA-based workflows for the two payer portals without APIs. We use headless browser automation running inside their AWS environment with rotating credentials managed through their secrets store. Slower than API but reliable; we built defensive selectors and a Slack alert if a portal layout changes.
An exception queue surfaces the 27% of auths that genuinely need human review (clinical judgment, atypical CPT codes, unusual ICD pairs). The prior-auth team's interface for those is a clean Athenahealth-adjacent view; they no longer have to log into anything else.
The numbers, six months in
Median prior-auth turnaround: 4 days → 6 hours. For the 73% of auths that go through the auto-decision path, the median is 90 minutes from request to decision. Patient delay incidents — defined as a scheduled appointment requiring reschedule or cancellation because coverage wasn't yet approved — dropped 81%.
Five of the eight prior-auth FTEs were redeployed: two to a new patient advocacy function, two to denial-management (where the financial leverage is much higher), one to a credentialing role. None were laid off. The COO's quote: "This is the first automation rollout in our organization that the affected team is openly grateful for."
Audit + compliance posture also improved. The privacy officer can now run a complete chain-of-custody report on any PHI access in 30 seconds; previously it took the IT team 2-3 hours per audit request. Vanta evidence collection for SOC 2 Type II preparation got 60% faster because of the structured logs.
What we shipped
Six interconnected workflows.
Eligibility + auth orchestration (API path)
Auth request from Athenahealth → eligibility check (Availity/Change Healthcare) → authorization submission → status polling every 15 min → decision push back to EMR. Full audit trail.
Payer portal RPA fallback
Headless-browser automation for two payers without modern APIs. Runs inside the client's AWS environment with rotating credentials and defensive selector strategy.
Exception queue for clinical-judgment cases
Auths that don't fit the auto-decision pattern get routed to the prior-auth team's queue with structured context: similar prior auths, payer history for this CPT/diagnosis, suggested next steps.
HIPAA-grade audit logging
Every PHI touch creates a structured audit log entry with user/system, action, PHI element touched, timestamp, and request context. Retention controls match the group's existing policy.
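One way to shape the audit entries and the chain-of-custody report described above, as an added example (not the project's own code). The field names, the stage names, and the `authId` key inside the request context are assumptions; the sample log is constructed.

```javascript
// Added example: field and stage names are assumptions, not the project's schema.
const REQUIRED = ["actor", "action", "phiElement", "timestamp", "requestContext"];
// Stages of the API path described on this page, in order.
const API_PATH = ["eligibility_check", "auth_submission", "status_poll", "decision_push"];

// Reject entries with missing fields or extra keys; extra keys are where
// PHI values (names, member numbers) tend to leak into logs.
function validateEntry(entry) {
  for (const k of REQUIRED) {
    if (entry[k] === undefined || entry[k] === null || entry[k] === "") {
      throw new Error(`audit entry missing ${k}`);
    }
  }
  const extra = Object.keys(entry).filter((k) => !REQUIRED.includes(k));
  if (extra.length) throw new Error(`unexpected audit fields: ${extra.join(",")}`);
  if (!entry.requestContext.authId) throw new Error("requestContext.authId required");
}

// Build one entry. It names the PHI element that was touched, never its value.
function auditEntry(actor, action, phiElement, requestContext, now = new Date()) {
  const entry = { actor, action, phiElement, timestamp: now.toISOString(), requestContext };
  validateEntry(entry);
  return Object.freeze(entry);
}

// Chain-of-custody report for one auth: every PHI touch in time order,
// plus any API-path stage that left no audit entry behind.
function custodyReport(log, authId) {
  const touches = log
    .filter((e) => e.requestContext.authId === authId)
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp));
  const seen = new Set(touches.map((e) => e.action));
  return { authId, touches, missingStages: API_PATH.filter((s) => !seen.has(s)) };
}

// Constructed sample log (no real data), deliberately out of order.
const t = (m) => new Date(Date.UTC(2024, 0, 8, 9, m));
const ctx = (authId, payer) => ({ authId, payer });
const sampleLog = [
  auditEntry("svc:n8n-auth", "status_poll", "auth_status", ctx("A-1001", "payer-1"), t(20)),
  auditEntry("svc:n8n-auth", "eligibility_check", "member_id", ctx("A-1001", "payer-1"), t(0)),
  auditEntry("svc:n8n-auth", "auth_submission", "cpt_code", ctx("A-1001", "payer-1"), t(5)),
  auditEntry("user:reviewer-7", "exception_review", "diagnosis_code", ctx("A-1002", "payer-4"), t(12)),
];
```

A non-empty `missingStages` on a closed auth is the signal worth alerting on: a PHI-touching step ran without leaving an entry, or never ran.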
Patient notification flow
When an auth is approved, the patient gets a Twilio SMS confirming their upcoming appointment is covered. When denied or pending review, they get a callback request routed to the patient-services team.
Denial pattern analytics
Weekly digest to the operations director: top denial reasons, payers with highest denial rates, CPT codes where authorization assumptions are off. Drives appeal strategy + provider documentation training.