45 CFR 149.410 Compliance: Requirements, Deadlines, and Tools
By the Provatus Compliance Intelligence Team
45 CFR 149.410 is one of the most consequential price transparency regulations in the history of U.S. health insurance — and it is now in full enforcement mode. Health plans that have not yet achieved complete compliance face civil monetary penalties of up to $100 per day per affected individual, with no enforcement discretion buffer remaining. This guide is written for health plan compliance officers, VP Network Management, and Director Provider Relations professionals who need both regulatory clarity and operational direction. We cover what 45 CFR 149.410 requires, which plans are covered, how it differs from 45 CFR 149.420, the step-by-step compliance process, enforcement consequences, and what to look for in a compliance tool designed for the demands of this regulation.
What Is 45 CFR 149.410 and Who Does It Apply To
45 CFR 149.410 is the federal price transparency regulation that requires non-grandfathered group health plans and health insurance issuers offering group or individual health insurance coverage to publicly disclose pricing data in machine-readable file formats. This regulation is part of the Transparency in Coverage final rule, jointly issued by HHS, DOL, and Treasury. It applies to non-grandfathered plans in both the individual and group markets, and covers self-funded employer plans as well as fully-insured issuers.
The core obligation is the public posting of three machine-readable files (MRFs): in-network negotiated rates, out-of-network allowed amounts, and prescription drug pricing. These files must be posted on a publicly accessible website updated no less than monthly. The scope of this obligation is broad — if your plan is non-grandfathered and you cover items and services, this rule applies to you. Compliance begins with understanding the specific technical and structural requirements covered in the sections below.
Which Health Plans Are Covered Under 45 CFR 149.410
45 CFR 149.410 applies to non-grandfathered group health plans, self-insured employer-sponsored plans, and health insurance issuers in the individual and group markets — but explicitly exempts grandfathered health plans, excepted benefit plans, and short-term limited-duration insurance. The grandfathered plan exemption requires that a plan have maintained its grandfathered status continuously since March 23, 2010. Self-insured plans carry the same MRF obligations as fully-insured issuers.
Excepted benefits — including standalone dental, standalone vision, and fixed indemnity policies — are carved out of the requirement. Federal government plans and certain church plans may have separate applicability determinations. Plans should document their coverage status determination as the first step in any 45 CFR 149.410 compliance program. Identifying plan type is the threshold determination on which the entire compliance checklist depends. If there is any uncertainty about grandfathered or excepted benefit status, legal counsel should review the determination before compliance posture is established.
Core Compliance Requirements Under 45 CFR 149.410
The core compliance requirements under 45 CFR 149.410 mandate that covered health plans publish three machine-readable files — in-network negotiated rates, out-of-network allowed amounts, and prescription drug pricing — on a publicly accessible website updated no less than monthly. The in-network rate file must include negotiated rates for all covered items and services by provider NPI and billing code. The out-of-network allowed amounts file must reflect historical payments to out-of-network providers.
The prescription drug file requirement was initially delayed and has separate implementation guidance from CMS. All files must be machine-readable in JSON or CSV format per CMS technical guidance. The public posting must be accessible without a login, account creation, or fee — any barrier to access constitutes a compliance failure. Failure to meet these requirements triggers enforcement actions with significant per-day per-individual penalty exposure. The following sections address those enforcement consequences in detail.
45 CFR 149.410 vs. 45 CFR 149.420 — Key Differences
45 CFR 149.410 requires public machine-readable file disclosure of plan-wide pricing data, while 45 CFR 149.420 requires health plans to provide individual members with personalized cost-sharing information through an internet-based self-service price comparison tool. These two sections of the Transparency in Coverage rule address fundamentally different obligations: 149.410 is outward-facing, publishing data for public consumption, researchers, and third-party tools; 149.420 is member-facing, providing personalized real-time cost estimates accessible through a plan portal.
45 CFR 149.420 also mandates an Advance Explanation of Benefits (AEOB) capability — a prospective cost estimate before scheduled care. Both sections fall under the same Transparency in Coverage rule but carry independent compliance obligations and timelines. Plans must satisfy both independently — fulfilling one does not satisfy the other. Compliance programs should track 149.410 and 149.420 as parallel workstreams with distinct technical and operational requirements, separate vendor relationships if needed, and separate audit trails.
How to Comply With 45 CFR 149.410 — Step-by-Step
Complying with 45 CFR 149.410 requires health plans to complete five operational steps: confirm plan coverage status, identify data sources for negotiated rates and allowed amounts, generate machine-readable files in CMS-compliant schema, host files on a publicly accessible URL, and establish a monthly refresh cycle. Coverage determination is Step 1 — verifying that the plan is non-grandfathered and subject to the rule. Data sourcing requires engaging TPAs, PBMs, and network vendors to extract rate data in the required format.
MRF generation must conform to JSON format per CMS technical specifications, which are published and updated on the CMS website. Public hosting is required — plans may self-host or use a vendor-hosted URL, but the link must be publicly disclosed. Monthly refresh is mandatory — stale data constitutes non-compliance regardless of the technical accuracy of the underlying file. The five-step process described above is the minimum viable compliance framework. Each step requires a named owner and a documented completion record.
45 CFR 149.410 Compliance Checklist
A complete 45 CFR 149.410 compliance checklist includes confirming plan type exemption status, executing data agreements with TPAs and PBMs, generating and validating in-network and out-of-network MRFs against CMS schema requirements, publishing files at a publicly accessible URL, and maintaining audit-ready documentation of each update cycle. Each item maps to a specific enforcement review element.
The complete checklist:
- Grandfathered plan determination documented in writing
- TPA and PBM data sharing agreements executed with defined data delivery schedules
- In-network file includes NPI, TIN, billing code, rate type, and negotiated rate fields
- Out-of-network file includes billed charges and allowed amounts by billing code
- CMS schema validation completed before posting
- Public URL registered, tested for anonymous access, and confirmed accessible without login
- Monthly update process assigned to a named owner with documented completion dates
- Change log maintained for audit purposes with version control
Plans that cannot demonstrate each item on demand during a regulatory review face enforcement risk. The checklist should be reviewed quarterly and updated whenever CMS issues revised technical specifications.
Delegating 45 CFR 149.410 Compliance to a Third-Party Administrator
Health plans may delegate 45 CFR 149.410 machine-readable file production to a third-party administrator, but the plan retains ultimate legal responsibility for compliance — meaning a TPA's failure to produce accurate or timely MRFs does not shield the plan from enforcement. Delegation is explicitly permitted under the Transparency in Coverage rule, but it requires a written agreement specifying MRF scope, format, update frequency, and delivery mechanism.
Plan sponsors are responsible for monitoring TPA performance and validating output. TPAs typically produce in-network rate files while PBMs handle prescription drug data — plans must coordinate across vendors to ensure all three required MRFs are produced and hosted correctly. Plans should require contractual indemnification provisions and audit rights in any delegation agreement. Regulatory agencies hold the plan — not the TPA — liable for compliance failures, making vendor oversight a core compliance function rather than a secondary concern.
45 CFR 149.410 Enforcement and Penalties for Non-Compliance
Non-compliance with 45 CFR 149.410 can result in civil monetary penalties of up to $100 per day per violation per affected individual, enforced by the Departments of HHS, Labor, and Treasury through their respective jurisdiction over individual market issuers, self-insured plans, and fully-insured group plans. CMS has primary enforcement jurisdiction over individual market issuers and non-federal government plans. DOL enforces against self-insured ERISA plans. Treasury enforces against non-ERISA group health plans.
Enforcement can include corrective action plans (CAPs), public disclosure of violations, and civil litigation. CMS has issued enforcement discretion guidance for early phases, but the full enforcement posture is now active and audit cycles are underway. The original compliance deadline for in-network rate and out-of-network allowed amounts MRFs was July 1, 2022. Prescription drug file requirements have separate phased timelines pending additional CMS guidance.
45 CFR 149.410 Price Transparency Deadlines and Implementation Timeline
The 45 CFR 149.410 machine-readable file deadline for in-network rates and out-of-network allowed amounts was July 1, 2022 — a date that has passed, meaning health plans are currently in active compliance status and subject to full enforcement without an enforcement discretion buffer. Plans that have not yet published compliant MRFs are in violation and accumulating penalty exposure daily.
The prescription drug pricing MRF had its deadline suspended pending further rulemaking as of CMS guidance issued in 2022–2023 — plans should monitor CMS for revised prescription drug file timelines. The 149.420 member-facing cost estimator tool had phased deadlines: January 1, 2023 for 500 shoppable services, January 1, 2024 for all covered services. Retroactive compliance gaps may still be subject to enforcement review. Plans that missed the 2022 deadline should consult legal counsel and establish a remediation timeline immediately. Automated compliance tools can address both historical gaps and ongoing monthly obligations.
Compliance Tools and Software for 45 CFR 149.410
45 CFR 149.410 compliance tools are software platforms that automate machine-readable file generation, schema validation, public hosting, and monthly refresh cycles — reducing the manual burden on health plan compliance teams and decreasing the risk of penalty-triggering errors. The core functional categories of a compliance tool are: data ingestion from TPA and PBM feeds, MRF generation in CMS-compliant JSON format, schema validation against current CMS technical specifications, public hosting at a disclosed URL, and audit logging of every update cycle.
Integration capability is essential — tools must connect to TPA feeds, claims systems, and PBM data sources without requiring manual transformation. Key evaluation criteria include CMS schema version support, update frequency SLA, audit trail documentation, and coverage of both 149.410 and 149.420 obligations. Automated reporting tools reduce the risk of monthly refresh failures, which are among the most common compliance gaps. Cloud-hosted solutions provide the public URL requirement natively. Provatus is designed specifically for the operational needs of health plan compliance officers managing price transparency obligations at scale.
How to Evaluate and Compare 45 CFR 149.410 Compliance Vendors
When comparing 45 CFR 149.410 compliance vendors, health plan compliance officers should evaluate five criteria: CMS schema version currency, TPA and PBM data integration depth, monthly refresh SLA guarantees, audit-ready reporting exports, and coverage of both 149.410 MRF and 149.420 member-facing tool obligations. Schema currency means the vendor proactively tracks CMS technical specification updates and applies them before the next required refresh cycle.
Data integration depth determines whether the tool can ingest feeds from major TPAs without manual transformation. The monthly refresh SLA should be contractually guaranteed with a specific completion window. Audit trail quality means the platform maintains a timestamped log of all file versions for regulatory review on demand. Vendors who cover both 149.410 and 149.420 reduce vendor sprawl and coordination risk. Provatus is a purpose-built solution for health plan price transparency compliance, addressing all five evaluation dimensions for compliance officers managing these obligations across plan types and product lines.
45 CFR 149.410 Compliance for Network Management and Provider Relations Teams
For VP Network Management and Director Provider Relations, 45 CFR 149.410 creates a direct operational obligation: every negotiated rate in every active provider contract must be accurately reflected in the in-network machine-readable file, updated within 30 days of any contract amendment. Provider contract rate data is the source of truth for the in-network MRF — errors in contract management systems propagate into published files and create both compliance gaps and public accuracy problems.
Every provider must be mapped by NPI, TIN, and billing code — missing NPIs are among the most common audit findings. Contract amendments, network terminations, and rate updates trigger a refresh obligation. Provider relations teams should have a defined handoff process to the compliance MRF workflow with documented SLA timelines. Tools that integrate directly with provider contract management systems reduce manual reconciliation errors. This is a cross-functional compliance challenge that requires both network management and compliance operations alignment — and tooling that bridges both disciplines.
Frequently Asked Questions
What is 45 CFR 149.410?
45 CFR 149.410 is a federal regulation under the Transparency in Coverage final rule that requires non-grandfathered group health plans and health insurance issuers to publicly post machine-readable files disclosing negotiated in-network rates, out-of-network allowed amounts, and prescription drug pricing. Files must be updated monthly and accessible without login or fees.
Who does 45 CFR 149.410 apply to?
45 CFR 149.410 applies to non-grandfathered group health plans, self-insured employer plans, and individual and group market health insurance issuers. Grandfathered health plans, excepted benefit plans (such as standalone dental and vision), and short-term limited-duration insurance are exempt from the requirement.
What are the penalties for non-compliance with 45 CFR 149.410?
Penalties for 45 CFR 149.410 non-compliance can reach $100 per day per violation per affected individual. Enforcement is split across HHS, the Department of Labor, and the Treasury depending on plan type. Penalties may also include corrective action plans and public disclosure of violations.
What is the deadline for 45 CFR 149.410 compliance?
The deadline for publishing in-network rate and out-of-network allowed amounts machine-readable files under 45 CFR 149.410 was July 1, 2022. Health plans are now in active enforcement status. The prescription drug pricing file requirement has been delayed pending additional CMS rulemaking guidance.
What is the difference between 45 CFR 149.410 and 45 CFR 149.420?
45 CFR 149.410 requires health plans to publish public machine-readable files with plan-wide pricing data. 45 CFR 149.420 requires plans to provide individual members with personalized cost-sharing estimates through an internet-based self-service tool. Both obligations are independent and must be satisfied separately.
Can a health plan delegate 45 CFR 149.410 compliance to a TPA?
Yes, health plans may delegate machine-readable file production to a third-party administrator. However, the health plan retains ultimate legal responsibility for compliance. A TPA's failure to produce accurate or timely files does not protect the plan from regulatory enforcement. Written delegation agreements with audit rights are strongly recommended.
What files are required under 45 CFR 149.410?
45 CFR 149.410 requires three machine-readable files: (1) an in-network rate file listing negotiated rates by provider NPI, billing code, and rate type; (2) an out-of-network allowed amounts file reflecting historical payment data; and (3) a prescription drug pricing file, which has a suspended deadline pending further CMS rulemaking.
What should I look for in a 45 CFR 149.410 compliance tool?
Key evaluation criteria for a 45 CFR 149.410 compliance tool include: current CMS schema version support, TPA and PBM data integration capability, monthly refresh SLA guarantees, audit-ready reporting with timestamped file logs, and coverage of both 149.410 MRF and 149.420 member-facing tool requirements. Tools that automate the full MRF lifecycle reduce penalty risk significantly.