CMS Is Publishing Your Provider Directory
Publicly, Daily, and by Name.
For decades, provider directory accuracy has been one of healthcare's most persistent and under-solved problems. Plans know their directories degrade quickly. Regulators know beneficiaries are harmed when they can't find in-network care. And yet the structural incentives to fix the problem at its root have never quite aligned.
A rule finalized by CMS last September and detailed in a technical implementation guide published this past February represents a meaningful shift in that dynamic. By requiring every Medicare Advantage (MA) plan to submit standardized provider directory data for public display on Medicare Plan Finder, CMS is doing something it hasn't done effectively before: making the accuracy of MA provider directories visible, measurable, and directly consequential for plans.
It's worth understanding not just what the rule requires, but also what it signals about where CMS is taking provider data accountability over the next several years
The Context: CMS Is Building a National Provider Directory, and MA Plans Are Its Foundation
To appreciate the significance of this rule, it helps to understand what CMS is constructing—and why MA plans sit at the center of it.
CMS has long articulated a vision for a single, authoritative National Provider Directory; a centralized source of truth that beneficiaries, plans, and providers could all rely on. That vision is now actively in motion, with CMS having moved from policy discussion into active development and early prototyping. This is not a distant dream; it is a project already underway.
What makes the MA provider directory rule so significant is how these two efforts connect. CMS does not intend to build the National Provider Directory by collecting data independently. Instead, it plans to feed the directory using the FHIR-based APIs that MA plans are now required to publish and maintain. The MA plan submissions aren't a stopgap—they are the architecture. CMS has stated explicitly that the National Provider Directory, once fully implemented, will consume MA plan FHIR APIs and feed that data to Medicare Plan Finder.
The implication for MA plans is more consequential than a simple compliance requirement: your provider directory data is becoming foundational infrastructure for a federal system. Starting in 2027, FHIR will be the only accepted submission format as CMS phases out machine-readable JSON and moves toward a fully interoperable national directory. Whatever data quality problems exist in your directory today will flow directly into that system—publicly visible, updated daily, and attached to your organization's name.
What the Rule Actually Requires
The operational requirements of CMS-4208-F2 are worth examining closely, because they represent a meaningful elevation in the standards to which MA plans are held.
Plans must host their provider directory data at publicly accessible URLs, in either machine-readable JSON or FHIR-based API files, and keep that data current. CMS requires directories to be updated within 30 days of any change, and its daily crawl is designed to enforce that cadence. Every provider record must carry a lastUpdatedOn timestamp that CMS uses to verify compliance with the refresh requirement.
The data model itself is specific. Every provider record must be linked to a unique MA plan using CMS's contract/plan/segment ID format. Specialty must be expressed using NUCC taxonomy codes, and facilities and individual providers have distinct schema requirements. Plans choosing the FHIR path must conform to the PDex Plan-Net Implementation Guide, version 1.2.0.
Perhaps most consequential is the attestation requirement. Each year, the CEO, CFO, or COO of the MA organization must personally certify in HPMS that the submitted provider directory data is "accurate, complete, and truthful." For contract year 2027, that attestation is due September 1, 2026.
CMS is also transparent about what it will and won't do. The agency will validate that submitted files conform to technical specifications and that directories are being refreshed on schedule. It will not validate whether the underlying data is actually accurate. That responsibility remains squarely with the plan.
The Accountability Gap This Rule Exposes
The distinction between format validation and accuracy validation is the crux of what makes this rule both important and demanding.
CMS can confirm that a provider record exists, is formatted correctly, and was updated within 30 days. It cannot confirm that the provider at the listed address is actually practicing there, accepting new patients, or reachable at the listed phone number. The “ghost network” problem—directories populated with providers who aren't genuinely accessible to members—is not something format compliance alone can solve.
This is precisely what CMS's attestation requirement is designed to address. By requiring a named executive to personally certify directory accuracy, the rule creates organizational accountability for a problem that has historically been diffuse enough to avoid clear ownership. Plans can no longer treat provider directory accuracy as a back-office data management task. It is now, formally, a C-suite responsibility.
For MA plans with strong provider data practices, this rule is largely an affirmation of work already underway. For plans that have relied on periodic updates and reactive corrections, the continuous monitoring requirement, combined with personal executive attestation, represents a meaningful operational shift.
There is also a structural consequence worth understanding: CMS retains the authority to suppress a plan's provider directory from Medicare Plan Finder if data quality issues exceed published thresholds or if fatal validation errors occur. For a plan navigating open enrollment, this is a material business risk, not merely a compliance finding.
How Candor Approaches This Problem
Candor Health has been working on the provider data accuracy problem that sits beneath this rule—and that CMS's format validation cannot solve on its own.
Our platform continuously verifies provider directory data at the record level, confirming that providers are reachable, actively practicing, correctly attributed to the appropriate networks and locations, and accurately reflecting their accepting status. The verification timestamps we generate align directly with the lastUpdatedOn field CMS requires in every submitted record, giving MA plans a credible, independently verified compliance artifact rather than a self-reported timestamp.
We've been in conversations with MA plan partners about exactly this use case since the rule was finalized, and our read of the technical guide is consistent: the accuracy gap that CMS explicitly leaves in plans' hands is the gap Candor is designed to close. For an executive preparing to sign an attestation certifying that their directory is accurate and truthful, independently verified provider data helps make that signature defensible.
What’s Next
The testing period for contract year 2027 opens in May 2026, giving plans a window to validate their JSON or FHIR infrastructure and surface data quality issues before production goes live in October. The attestation deadline of September 1, 2026 creates a natural milestone for organizations to have their data quality processes in place well before they're required to certify accuracy under their own names.
Beyond the immediate implementation, Phase Three of this initiative—CMS's National Provider Directory built on FHIR APIs—will be worth monitoring closely. As CMS develops that infrastructure, the data that MA plans are submitting today will likely become inputs into a much larger interoperability framework. Plans that build strong provider data practices now will be better positioned as that landscape evolves.
The broader takeaway is this: CMS is building a National Provider Directory, and MA plans are its data source. That means the quality of your provider directory data is no longer just an internal operational matter, it is the raw material for a federal interoperability system that regulators, beneficiaries, and the broader market will rely on. Organizations that invest in getting that data right will have a meaningful and lasting advantage over those that treat compliance as the finish line.
Candor Health is a provider data intelligence platform helping payers, health systems, and healthcare IT companies solve provider data accuracy at scale. Learn more at candorhealth.com.
More Posts
Redefining How Care is Found: A Smarter and Simpler Search
Building Inclusive Healthcare for LGBTQ Communities
Improving Healthcare Interoperability with Accurate Provider Data
