CMS Provider Directory Update Requirements: The Complete Compliance Guide
CMS provider directory update requirements are among the most operationally demanding compliance obligations facing Medicare Advantage and Medicaid managed...
By the Provatus Compliance Intelligence Team
CMS provider directory update requirements are among the most operationally demanding compliance obligations facing Medicare Advantage and Medicaid managed care organizations today. Accuracy standards, update timelines, required data elements, and proactive verification obligations all carry enforcement consequences — and the regulatory landscape differs meaningfully between program types. Health plan compliance officers who manage these requirements manually, or who rely on a single compliance template across multiple product lines, face structural gaps that surface during audits. This guide maps every material requirement, distinguishes between Medicare Advantage and Medicaid standards, explains what CMS auditors actually examine, and provides an actionable framework for building and operating a provider directory management program that sustains compliance year-round.
What CMS Requires in a Provider Directory
A CMS-compliant provider directory must include the provider's name, practice location, phone number, specialty, board certification status, medical group affiliations, facility affiliations, languages spoken, and whether the provider is currently accepting new patients. These requirements apply across Medicare Advantage (governed by 42 CFR §422.111) and Medicaid managed care (42 CFR §438.10). Both online and print directories must contain this data, and online directories are subject to stricter real-time accuracy standards.
CMS requires that information be presented in plain language and accessible formats. NPI (National Provider Identifier) is a required element for provider-level entries. Accuracy standards — not just completeness — determine compliance standing. A directory that contains all required fields but lists incorrect phone numbers or wrong accepting-patients status is non-compliant. Understanding the full scope of what must be both present and accurate is the foundation of any defensible directory management program.
Required Data Elements by Provider Type
CMS distinguishes between individual provider directory entries and facility-level entries, with each requiring a distinct set of data elements. For individual providers: name, NPI, specialty, group affiliations, office address(es), phone number, languages spoken, telehealth availability, and new patient acceptance status. For facilities and groups: facility name, address, phone, type of facility, and services available.
CMS finalized expanded telehealth listing requirements and plans must indicate whether a provider offers virtual visits. Cultural and Linguistic Competency fields — languages spoken and accessibility accommodations — are required under CMS equity initiatives updated through recent rulemaking cycles. Missing any required element on even a single entry constitutes a directory inaccuracy under CMS audit methodology. The threshold for triggering corrective action is not a wholesale directory failure — it is a measurable error rate in a sampled universe. Compliance begins with complete, accurate data at the individual record level.
How Often CMS Requires Provider Directory Updates
CMS requires Medicare Advantage plans to update their online provider directories within 30 calendar days of receiving a provider change notification, and to conduct a full directory review at least monthly. This 42 CFR §422.111(h) standard applies to individual provider changes — new address, panel closure, termination, license status change — and the broader monthly audit cycle is an independent obligation, not a substitute for the 30-day change window.
Print directories must be updated at least annually and made available upon request within 3 business days. The 2024 CMS Medicare Program final rules have maintained and in some areas tightened these timelines, particularly for online directory accuracy. "Update" encompasses both adding newly contracted providers and removing providers who have terminated or lost their license. Provider removals are among the most frequently missed update obligations and a primary source of ghost network conditions that CMS auditors identify through PDV protocol testing.
Medicare Advantage vs. Medicaid — Update Timeline Differences
Medicaid managed care organizations must update their provider directories within 30 days of a provider change under 42 CFR §438.10, though some state Medicaid agencies impose stricter timelines that plans must also satisfy. The federal floor is 30 days from receipt of a change notification, but California, New York, Texas, and other states require online directory updates within 5–15 business days.
Triggering update events include new provider contracts, contract terminations, address or practice location changes, and panel closure or reopening. Unlike Medicare Advantage, Medicaid directory requirements are also subject to state-specific audit triggers and EQRO (External Quality Review Organization) review processes. CHIP-funded plans are subject to similar federal directory standards. Plans operating in multiple states must maintain a compliance matrix tracking both federal and state-level deadlines simultaneously — a single national update schedule will not achieve multi-state compliance.
CMS Provider Directory Compliance Penalties
CMS can impose civil monetary penalties (CMPs) of up to $100 per member per day for Medicare Advantage plans found to have materially inaccurate provider directories, with repeated violations escalating to enrollment sanctions or contract termination. The three primary penalty pathways are: (1) CMPs under 42 CFR §422.760 for MA plans; (2) corrective action plans (CAPs) issued following audit findings; and (3) network adequacy non-compliance resulting from inaccurate directory data — which can trigger separate sanctions.
CMS's Program Audit process specifically includes a Provider Directory Review module that samples directory entries and flags error rates above defined thresholds. High directory error rates can cascade into network adequacy findings, since "ghost networks" — directories listing providers who are unavailable or not actually contracted — are treated as both a directory accuracy violation and a network access violation. The financial and operational exposure compounds when directory deficiencies produce network adequacy findings in the same audit cycle.
What CMS Looks for in a Provider Directory Audit
During a CMS Program Audit, reviewers sample provider directory entries and attempt to verify accuracy by contacting providers directly — checking whether the listed phone number reaches the office, whether the provider still accepts the plan, and whether they are accepting new patients. Auditors check: contact information accuracy, accepting new patients status, network participation status, and specialty accuracy.
CMS has historically flagged error rates above 25% as requiring immediate corrective action, though thresholds are applied contextually. CMS issues audit protocols publicly and plans can use these protocols to self-audit proactively — this is one of the most effective pre-audit preparation strategies available. Auditors cross-reference directory data against the plan's credentialing files, CMS PECOS enrollment records, and CAQH ProView data. Discrepancies between any of these sources constitute findable errors in the audit universe.
How to Update a Provider Directory to Comply with CMS Regulations
To update a provider directory in compliance with CMS regulations, health plans must establish a continuous verification workflow that captures provider changes at the source, validates data within the 30-day regulatory window, and documents every update with a timestamped audit trail. The four operational steps are: (1) Intake — establishing a dedicated provider change notification channel (provider portal, fax, phone, API); (2) Verification — confirming changes via provider attestation or direct outreach before publishing; (3) Publication — pushing verified updates to both online and print directory data sources; (4) Audit Trail — logging the date of notification, verification, and publication for every change.
CMS requires plans to conduct proactive outreach — not just reactive updates — by verifying provider information at least every 90 days for Medicare Advantage. Plans are responsible for accuracy regardless of whether providers initiate change notifications. The reactive-only model is insufficient for compliance; proactive verification is an independent regulatory obligation that requires a separate workflow and documented cadence.
Provider Attestation and Outreach Requirements
CMS requires Medicare Advantage plans to proactively contact providers to verify directory information at least every 90 days, with plans documenting each outreach attempt and the provider's attestation response. This proactive verification requirement means plans must demonstrate, during an audit, that every directory entry was either verified within the past 90 days or updated based on an inbound provider notification.
Attestation can occur via signed forms, portal confirmation, or recorded verbal confirmation with a timestamp, but CMS expects documentation of the method used. Failed outreach attempts must also be logged — CMS accepts documented failed outreach (three unreturned contacts) as evidence of good-faith compliance effort, though it may trigger additional review. Automation tools are increasingly essential to managing outreach at scale across large provider networks; manual attestation management at 90-day cycles is not operationally sustainable for most plans.
Regulatory Framework — Key Rules and Citations
The primary regulatory authority for CMS provider directory requirements comes from 42 CFR §422.111 (Medicare Advantage), 42 CFR §438.10 (Medicaid Managed Care), and the annual CMS Call Letters that update and clarify standards each plan year. Specifically: 42 CFR §422.111(h) governs MA directory content and update frequency; 42 CFR §438.10(h) governs Medicaid managed care directory standards; and 42 CFR §457 governs CHIP plans.
The CMS Managed Care Final Rule (2016, updated through subsequent rulemaking) established the baseline framework that remains in force. CMS Annual Call Letters — issued each spring for the following plan year — frequently update directory requirements, and 2024 guidance reinforced real-time online accuracy expectations. NCQA accreditation standards for directory accuracy (CR 7) align with but are sometimes more stringent than the CMS federal floor. Provatus monitors regulatory updates to ensure clients maintain current compliance posture as CMS rules evolve across plan years.
Building a CMS-Compliant Provider Directory Management Program
An effective CMS-compliant provider directory management program combines written policies and procedures, a defined outreach and attestation workflow, data governance controls, and — for plans with large networks — technology that automates verification and update cycles. The four pillars of a mature program are: (1) Policy — documented update procedures, escalation paths, and roles/responsibilities; (2) Process — the intake-verify-publish-log cycle; (3) Data governance — source-of-truth database management, data validation rules, and exception handling; (4) Technology — platforms that automate provider outreach, track attestation status, flag overdue verifications, and generate audit-ready reports.
Manual processes become untenable above approximately 500 providers in-network, making automation a compliance necessity rather than a convenience for mid-to-large health plans. Provatus supports health plans in building and operationalizing these programs, with workflows mapped to CMS program audit protocols and state-specific compliance requirements. Contact Provatus to learn more about building a directory management program calibrated to your network and regulatory obligations.
Frequently Asked Questions
How often does CMS require provider directory updates?
CMS requires Medicare Advantage plans to update online provider directories within 30 calendar days of receiving a provider change notification, and to proactively verify provider information at least every 90 days. Print directories must be updated annually. Medicaid managed care plans face the same 30-day federal window under 42 CFR §438.10, though individual states may impose stricter timelines.
What information must be included in a CMS provider directory?
A CMS-compliant provider directory must include the provider's name, specialty, board certifications, practice location(s), phone number, group and facility affiliations, languages spoken, accessibility accommodations, whether the provider offers telehealth, and whether they are currently accepting new patients. NPI numbers are also required. These standards apply to both Medicare Advantage (42 CFR §422.111) and Medicaid managed care (42 CFR §438.10) directories.
What are the penalties for CMS provider directory non-compliance?
CMS can impose civil monetary penalties (CMPs) of up to $100 per member per day for Medicare Advantage plans with materially inaccurate directories. Repeated or severe violations can result in corrective action plans, enrollment freezes, or contract termination. Inaccurate directories can also trigger network adequacy violations if they create "ghost network" conditions — listing providers who are not actually available to members.
What are the Medicare Advantage provider directory update requirements?
Medicare Advantage plans must update online provider directories within 30 days of any provider change, conduct proactive outreach to verify all directory entries at least every 90 days, and make print directories available within 3 business days of member request. Requirements are codified in 42 CFR §422.111(h) and clarified annually through CMS Call Letters. Online directories must reflect real-time accuracy.
What are the Medicaid provider directory update deadline requirements?
Under 42 CFR §438.10, Medicaid managed care organizations must update provider directories within 30 days of a provider change notification. States can impose stricter timelines — some require weekly or near-real-time online updates. Medicaid plans are also subject to EQRO review of directory accuracy and state-specific audit standards that vary by state Medicaid agency.
What does CMS look for in a provider directory audit?
CMS auditors sample directory entries and verify accuracy by directly contacting providers — checking whether phone numbers are correct, whether the provider still participates in the plan, and whether they are accepting new patients. Auditors check specialty accuracy, address accuracy, and telehealth availability. Error rates above defined thresholds trigger corrective action requirements. Plans should use CMS's published audit protocols to self-audit proactively.
What is a "ghost network" in a provider directory?
A ghost network occurs when a health plan's provider directory lists providers who are unavailable, not accepting new patients, or not actually contracted with the plan. CMS treats ghost networks as both a directory accuracy violation and a network adequacy failure. Enforcement has increased in recent years, with state regulators and CMS both imposing penalties on plans found to have systematically inaccurate directories.
What is the CMS provider directory accuracy standard for 2024?
For 2024, CMS maintains the requirement that online provider directories reflect accurate information within 30 days of a provider change, with plans demonstrating proactive 90-day verification cycles. The 2024 CMS guidance reinforced real-time online directory accuracy expectations and continued emphasis on telehealth listing requirements and cultural/linguistic competency fields. NCQA CR 7 standards, which many accredited plans must also meet, impose comparably rigorous accuracy benchmarks.
See Provatus in action
Upload a sample provider roster and see how Provatus runs ProvataCheck™ 35-point verification across every federal and state compliance feed in under 20 minutes.
Start Free Audit →