CMS Is Publishing Your Provider Directory: Publicly, Daily, and by Name
A new CMS rule is making Medicare Advantage provider directory accuracy public, measurable, and a C-suite responsibility. Here's what plans need to know before the September 2026 deadline.
- 1 CMS will publicly display MA provider directory data submitted by plans through Medicare Plan Finder.
- 2 Beginning in 2027, CMS plans to transition fully toward FHIR-based provider directory submissions.
- 3 CMS validates technical formatting and refresh cadence, but plans remain responsible for underlying provider data accuracy.
- 4 Executive attestation requirements formally elevate provider directory accuracy into a C-suite accountability issue.
- 5 CMS retains authority to suppress provider directories from Medicare Plan Finder if validation thresholds or technical requirements are not met.
Why This Rule Matters
For decades, provider directory accuracy has been one of healthcare's most persistent and under-solved problems. Plans know their directories degrade quickly. Regulators know beneficiaries are harmed when they can't find in-network care. And yet the structural incentives to fix the problem at its root have never quite aligned.
A rule finalized by CMS last September and detailed in a technical implementation guide published this past February represents a meaningful shift in that dynamic. By requiring every Medicare Advantage (MA) plan to submit standardized provider directory data for public display on Medicare Plan Finder, CMS is doing something it hasn't done effectively before: making the accuracy of MA provider directories visible, measurable, and directly consequential for plans.
It's worth understanding not just what the rule requires, but also what it signals about where CMS is taking provider data accountability over the next several years.
What the Rule Actually Requires
The operational requirements of CMS-4208-F2 are worth examining closely because they represent a meaningful elevation in the standards applied to MA provider directories.
Plans must host provider directory data at publicly accessible URLs in either machine-readable JSON or FHIR-based API formats and maintain that data on an ongoing basis. CMS requires directories to be updated within 30 days of any change, and the agency's daily crawl is designed to enforce that cadence.
Every provider record must include a lastUpdatedOn timestamp that CMS uses to verify compliance with refresh requirements.
The data model itself is highly specific. Every provider record must:
Link to a unique MA plan using CMS contract/plan/segment IDs
Use NUCC taxonomy codes for specialty classification
Follow distinct schema requirements for facilities versus individual providers
Plans choosing the FHIR pathway must conform to the PDex Plan-Net Implementation Guide version 1.2.0.
Perhaps the most consequential requirement is the attestation process. Each year, the CEO, CFO, or COO of the MA organization must personally certify through HPMS that submitted provider directory data is “accurate, complete, and truthful.”
For contract year 2027, that attestation deadline is September 1, 2026.
CMS is also explicit about the limits of its oversight. The agency will validate whether submitted files conform to technical specifications and whether directories are refreshed on schedule. It will not validate whether the underlying provider data is actually accurate. That responsibility remains with the plan.
The Accountability Gap This Rule Exposes
The distinction between technical validation and actual provider data accuracy is the crux of what makes this rule both important and demanding.
CMS can confirm:
A provider record exists
The file structure conforms to specifications
Required fields are present
Directories are refreshed within required timelines
CMS cannot confirm:
Whether the provider is actively practicing at the listed location
Whether the listed phone number is operational
Whether the provider is accepting new patients
Whether the provider is genuinely accessible to members
The “ghost network” problem — where directories contain providers who are not meaningfully accessible to members — is not something formatting compliance alone can solve.
CMS Validates | Plans Remain Responsible For |
|---|---|
File formatting compliance | Whether providers are actively practicing |
Submission cadence | Whether providers are accepting patients |
Presence of required fields | Accuracy of phone numbers and locations |
Technical schema conformity | Network participation accuracy |
lastUpdatedOn timestamps | Real-world provider accessibility |
This is precisely what CMS's attestation requirement is designed to address. By requiring a named executive to personally certify directory accuracy, the rule creates organizational accountability for a problem that has historically been diffuse enough to avoid clear ownership.
Plans can no longer treat provider directory accuracy as a back-office data management task. It is now, formally, a C-suite responsibility.
For MA plans with strong provider data practices, this rule is largely an affirmation of work already underway. For plans that have relied on periodic updates and reactive corrections, the combination of continuous monitoring and executive attestation represents a meaningful operational shift.
There is also a direct business consequence worth understanding: CMS retains the authority to suppress a plan's provider directory from Medicare Plan Finder if data quality issues exceed published thresholds or if fatal validation errors occur.
For plans navigating open enrollment, that is not merely a compliance issue. It is a material operational and market risk.
How Candor Approaches the Provider Data Accuracy Problem
Candor Health has been working on the provider data accuracy problem that exists beneath CMS format validation requirements.
The platform continuously verifies provider directory data at the record level, confirming that providers are:
Reachable
Actively practicing
Correctly attributed to networks and locations
Accurately reflecting accepting status
The verification timestamps Candor generates align directly with the lastUpdatedOn field CMS requires in submitted provider records, giving MA plans a more credible compliance artifact than a purely self-reported timestamp.
We've been in conversations with MA plan partners about this exact operational challenge since the rule was finalized, and our interpretation of the technical guidance is consistent: the accuracy gap that CMS explicitly leaves in plans’ hands is the gap organizations will increasingly need to operationalize internally.
For executives preparing to sign attestations certifying that provider directory data is accurate and truthful, independently verified provider data creates a more defensible operational foundation for that certification.
What’s Next
The testing period for contract year 2027 opens in May 2026, giving plans a window to validate both their JSON or FHIR infrastructure and their underlying provider data quality processes before production deployment begins in October.
Milestone | Date |
CMS technical implementation guide published | February 2026 |
Testing period opens | May 2026 |
Executive attestation due | September 1, 2026 |
Production go-live begins | October 2026 |
FHIR-only submissions begin | 2027 |
Beyond the immediate implementation timeline, Phase Three of the initiative — CMS’s National Provider Directory built on FHIR APIs — will be worth watching closely.
As CMS develops that infrastructure, the provider data MA plans are submitting today will likely become inputs into a much broader interoperability framework. Plans that establish strong provider data governance and verification practices now will be materially better positioned as that landscape evolves.
The broader takeaway is straightforward: CMS is building a National Provider Directory, and MA plans are its data source.
That means provider directory quality is no longer simply an internal operational concern. It is becoming part of a federal interoperability infrastructure that regulators, beneficiaries, and the broader healthcare market will increasingly rely on.
Organizations that invest in getting that data right will have a meaningful long-term advantage over those treating compliance as the finish line.
Standardize provider roster ingestion, reduce reconciliation overhead, and improve provider directory reliability with Candor Health.
Sury Agarwal is on a mission to transform how healthcare organizations access, manage, and trust provider data. Candor’s AI-powered platform supports payers, digital health companies, and provider groups with care navigation, referral management, network strategy, and regulatory compliance. Sury brings 12+ years of experience tackling complex data challenges. Previously, he was VP of Engineering and part of the founding team at Moat, which was acquired by Oracle for $850M in 2017. He is a Cornell University graduate.
More Posts
Finding the Right Doctor Is a Data Problem in Disguise
The Overlooked Bottleneck of Provider Data Accuracy
Provider Data Accuracy Without Compromising Network Adequacy