Back to Articles

CMS Is Publishing Your Provider Directory: Publicly, Daily, and by Name

A new CMS rule is making Medicare Advantage provider directory accuracy public, measurable, and a C-suite responsibility. Here's what plans need to know before the September 2026 deadline.

Sury Agarwal
Sury Agarwal
· 8 mins read · March 2026
CMS Is Publishing Your Provider Directory: Publicly, Daily, and by Name
Dive deeper into this article with AI
Key Takeaways
  • 1 CMS will publicly display MA provider directory data submitted by plans through Medicare Plan Finder.
  • 2 Beginning in 2027, CMS plans to transition fully toward FHIR-based provider directory submissions.
  • 3 CMS validates technical formatting and refresh cadence, but plans remain responsible for underlying provider data accuracy.
  • 4 Executive attestation requirements formally elevate provider directory accuracy into a C-suite accountability issue.
  • 5 CMS retains authority to suppress provider directories from Medicare Plan Finder if validation thresholds or technical requirements are not met.

Why This Rule Matters

For decades, provider directory accuracy has been one of healthcare's most persistent and under-solved problems. Plans know their directories degrade quickly. Regulators know beneficiaries are harmed when they can't find in-network care. And yet the structural incentives to fix the problem at its root have never quite aligned.

A rule finalized by CMS last September and detailed in a technical implementation guide published this past February represents a meaningful shift in that dynamic. By requiring every Medicare Advantage (MA) plan to submit standardized provider directory data for public display on Medicare Plan Finder, CMS is doing something it hasn't done effectively before: making the accuracy of MA provider directories visible, measurable, and directly consequential for plans.

It's worth understanding not just what the rule requires, but also what it signals about where CMS is taking provider data accountability over the next several years.

What the Rule Actually Requires

The operational requirements of CMS-4208-F2 are worth examining closely because they represent a meaningful elevation in the standards applied to MA provider directories.

Plans must host provider directory data at publicly accessible URLs in either machine-readable JSON or FHIR-based API formats and maintain that data on an ongoing basis. CMS requires directories to be updated within 30 days of any change, and the agency's daily crawl is designed to enforce that cadence.

Every provider record must include a lastUpdatedOn timestamp that CMS uses to verify compliance with refresh requirements.

The data model itself is highly specific. Every provider record must:

  • Link to a unique MA plan using CMS contract/plan/segment IDs

  • Use NUCC taxonomy codes for specialty classification

  • Follow distinct schema requirements for facilities versus individual providers

Plans choosing the FHIR pathway must conform to the PDex Plan-Net Implementation Guide version 1.2.0.

Perhaps the most consequential requirement is the attestation process. Each year, the CEO, CFO, or COO of the MA organization must personally certify through HPMS that submitted provider directory data is “accurate, complete, and truthful.”

For contract year 2027, that attestation deadline is September 1, 2026.

CMS is also explicit about the limits of its oversight. The agency will validate whether submitted files conform to technical specifications and whether directories are refreshed on schedule. It will not validate whether the underlying provider data is actually accurate. That responsibility remains with the plan.


The Accountability Gap This Rule Exposes

The distinction between technical validation and actual provider data accuracy is the crux of what makes this rule both important and demanding.

CMS can confirm:

  • A provider record exists

  • The file structure conforms to specifications

  • Required fields are present

  • Directories are refreshed within required timelines

CMS cannot confirm:

  • Whether the provider is actively practicing at the listed location

  • Whether the listed phone number is operational

  • Whether the provider is accepting new patients

  • Whether the provider is genuinely accessible to members

The “ghost network” problem — where directories contain providers who are not meaningfully accessible to members — is not something formatting compliance alone can solve.

CMS Validates

Plans Remain Responsible For

File formatting compliance

Whether providers are actively practicing

Submission cadence

Whether providers are accepting patients

Presence of required fields

Accuracy of phone numbers and locations

Technical schema conformity

Network participation accuracy

lastUpdatedOn timestamps

Real-world provider accessibility

This is precisely what CMS's attestation requirement is designed to address. By requiring a named executive to personally certify directory accuracy, the rule creates organizational accountability for a problem that has historically been diffuse enough to avoid clear ownership.

Plans can no longer treat provider directory accuracy as a back-office data management task. It is now, formally, a C-suite responsibility.

For MA plans with strong provider data practices, this rule is largely an affirmation of work already underway. For plans that have relied on periodic updates and reactive corrections, the combination of continuous monitoring and executive attestation represents a meaningful operational shift.

There is also a direct business consequence worth understanding: CMS retains the authority to suppress a plan's provider directory from Medicare Plan Finder if data quality issues exceed published thresholds or if fatal validation errors occur.

For plans navigating open enrollment, that is not merely a compliance issue. It is a material operational and market risk.


How Candor Approaches the Provider Data Accuracy Problem

Candor Health has been working on the provider data accuracy problem that exists beneath CMS format validation requirements.

The platform continuously verifies provider directory data at the record level, confirming that providers are:

  • Reachable

  • Actively practicing

  • Correctly attributed to networks and locations

  • Accurately reflecting accepting status

The verification timestamps Candor generates align directly with the lastUpdatedOn field CMS requires in submitted provider records, giving MA plans a more credible compliance artifact than a purely self-reported timestamp.

We've been in conversations with MA plan partners about this exact operational challenge since the rule was finalized, and our interpretation of the technical guidance is consistent: the accuracy gap that CMS explicitly leaves in plans’ hands is the gap organizations will increasingly need to operationalize internally.

For executives preparing to sign attestations certifying that provider directory data is accurate and truthful, independently verified provider data creates a more defensible operational foundation for that certification.


What’s Next

The testing period for contract year 2027 opens in May 2026, giving plans a window to validate both their JSON or FHIR infrastructure and their underlying provider data quality processes before production deployment begins in October.

Milestone

Date

CMS technical implementation guide published

February 2026

Testing period opens

May 2026

Executive attestation due

September 1, 2026

Production go-live begins

October 2026

FHIR-only submissions begin

2027

Beyond the immediate implementation timeline, Phase Three of the initiative — CMS’s National Provider Directory built on FHIR APIs — will be worth watching closely.

As CMS develops that infrastructure, the provider data MA plans are submitting today will likely become inputs into a much broader interoperability framework. Plans that establish strong provider data governance and verification practices now will be materially better positioned as that landscape evolves.

The broader takeaway is straightforward: CMS is building a National Provider Directory, and MA plans are its data source.

That means provider directory quality is no longer simply an internal operational concern. It is becoming part of a federal interoperability infrastructure that regulators, beneficiaries, and the broader healthcare market will increasingly rely on.

Organizations that invest in getting that data right will have a meaningful long-term advantage over those treating compliance as the finish line.


Frequently Asked Questions
Q
When is the CMS executive attestation deadline?
A
For contract year 2027, the executive attestation deadline is September 1, 2026.
Q
What submission formats does CMS currently allow?
A
CMS currently allows machine-readable JSON and FHIR-based API submissions, though the agency plans to move fully toward FHIR beginning in 2027.
Q
Does CMS validate whether provider directory data is actually accurate?
A
No. CMS validates technical formatting requirements and refresh cadence, but plans remain responsible for the underlying accuracy of provider data.
Q
What happens if a provider directory fails CMS validation requirements?
A
CMS may suppress a plan’s provider directory from Medicare Plan Finder if fatal validation errors occur or if published data quality thresholds are exceeded.
Q
What is the PDex Plan-Net Implementation Guide?
A
The PDex Plan-Net Implementation Guide is the FHIR specification MA plans must follow when publishing provider directory data through CMS-approved APIs.

Ready to fix provider data at the source?

Standardize provider roster ingestion, reduce reconciliation overhead, and improve provider directory reliability with Candor Health.

Sury Agarwal
Written by
Sury Agarwal
Chief Executive Officer

Sury Agarwal is on a mission to transform how healthcare organizations access, manage, and trust provider data. Candor’s AI-powered platform supports payers, digital health companies, and provider groups with care navigation, referral management, network strategy, and regulatory compliance. Sury brings 12+ years of experience tackling complex data challenges. Previously, he was VP of Engineering and part of the founding team at Moat, which was acquired by Oracle for $850M in 2017. He is a Cornell University graduate.

More Posts
Making Healthcare Search More Reliable

Making Healthcare Search More Reliable

Provider search is broken in ways that are easy to overlook until they affect patient outcomes. Today, most patients begin their healthcare journey online, yet many still struggle to confidently identify the right provider, verify insurance coverage, or determine whether appointment availability is actually current. When directories contain outdated network participation, incomplete specialty information, or inaccurate availability, even well-designed search experiences begin to break down.
Julianne Zech
Julianne Zech
April 2025
Building Inclusive Healthcare for LGBTQ Communities

Building Inclusive Healthcare for LGBTQ Communities

For many LGBTQ individuals, finding healthcare is not simply about locating the nearest provider. It often involves determining whether care will feel safe, respectful, and affirming before an appointment is ever scheduled. Yet most provider search experiences offer very little visibility into that reality. Discriminatory laws, culturally incompetent providers, and gaps in provider directory data continue to create significant barriers to equitable healthcare access for LGBTQ communities. The result is not only delayed care, but measurable downstream health consequences. Research consistently shows that LGBTQ individuals are more likely than their peers to delay medical care due to fears of discrimination — a pattern directly linked to worsening health outcomes and reduced continuity of care.
Julianne Zech
Julianne Zech
January 2025
Improving Healthcare Interoperability with Accurate Provider Data

Improving Healthcare Interoperability with Accurate Provider Data

Real-World Solutions for Records Requests and Patient Referrals
Rob Nolan
Rob Nolan
January 2025