How to Prepare for a CMS Provider Directory Audit
By the Provatus Compliance Intelligence Team
CMS provider directory audits are not a distant regulatory threat — they are a recurring operational reality for Medicare Advantage organizations, with escalating financial and reputational consequences for plans that are not continuously ready. The combination of scheduled annual audits and trigger-based targeted reviews means health plan compliance officers, VP Network Management, and Director Provider Relations teams cannot prepare reactively. This guide provides the complete framework for understanding what CMS checks, what data elements must be present and accurate, how to build a pre-audit remediation workflow, what penalties apply when plans fall short, and what technology infrastructure supports defensible, year-round directory compliance.
What CMS Checks During a Provider Directory Audit
During a CMS provider directory audit, surveyors verify that each listed provider is actively contracted, accepting new patients, reachable at the listed phone number, and correctly classified by specialty and network tier. CMS conducts provider directory audits under its Medicare Advantage and Part D audit framework, referencing HPMS audit protocols and 42 CFR §422.111(b)(3). Two audit types apply — routine program audits conducted annually on a rotating subset of MAOs, and targeted audits triggered by beneficiary complaints or data anomalies flagged in MARx or HPMS. Auditors cross-reference directory listings against the plan's credentialing files, CMS PECOS enrollment records, and CAQH ProView data. Discrepancies between any of these sources constitute a findable error in the audit universe. Plans should operate as if an audit could begin at any time — not only when a notification letter arrives.
How Often Does CMS Audit Provider Directories?
CMS audits provider directories on an annual cycle for a rotating subset of Medicare Advantage Organizations, while targeted audits can occur at any point in the contract year. CMS selects MAOs for routine program audits using a stratified sampling methodology — typically auditing 30–40 MAOs per year out of approximately 500+ contract holders. Targeted audits are triggered by beneficiary grievance volume thresholds in HPMS, state insurance department referrals, OIG findings, or significant enrollment growth that outpaces network submissions. CMS issues an audit engagement letter via HPMS typically 2–4 weeks before the audit universe request is due, giving plans limited remediation time. Plans should operate as if an audit could begin at any time — not only when a notification is received. The 2 to 4 week notice window between engagement letter and universe file request leaves almost no runway for plans that have not maintained continuous readiness.
CMS Provider Directory Audit Requirements 2024
CMS provider directory audit requirements in 2024 reflect updated network adequacy standards, expanded behavioral health access rules, and new scrutiny on telehealth provider listings introduced through recent federal rulemaking. The 2024 Medicare Advantage and Part D Final Rule (CMS-4201-F) reinforced requirements under 42 CFR §422.111 for timely directory updates — within 30 calendar days of a provider contract change. CMS added specific audit universe elements for behavioral health specialists listed in directories versus those actively accepting referrals, hospital-based providers listed with correct facility affiliations, and telehealth-only providers flagged with accurate modality designations. CMS's own secret shopper studies in 2023–2024 found error rates exceeding 20% for phone numbers and accepting-new-patients status, which directly informed current audit focus areas. Compliance officers should review updated audit protocols published annually on the CMS HPMS portal.
CMS Provider Directory Accuracy Requirements for Medicare Advantage Plans
A CMS-compliant provider directory for Medicare Advantage plans must include, at minimum, the provider's name, specialty, practice address, phone number, whether they are accepting new patients, and whether they offer non-English language services or accessibility accommodations. This requirement is grounded in 42 CFR §422.111(b)(3) and CMS's Medicare Managed Care Manual Chapter 4. Required data elements include provider full name and credentials, group or practice name, all active practice locations, direct phone number for each location, specialty and board certification status, hospital affiliations, accepting-new-patients indicator, languages spoken, ADA accessibility status, and telemedicine availability. Online directories must be updated within 30 days of any provider change. Paper directories — still required upon request — must be updated at least annually. Distinguishing what CMS requires minimally from what auditors actually cross-verify is essential to building a defensible compliance program.
What Information Must Be Included in a CMS-Compliant Provider Directory
CMS requires that every Medicare Advantage provider directory — online and paper — include specific data fields for each listed provider, and missing or inaccurate fields constitute a compliance deficiency that can generate audit findings. Required fields for individual providers include: legal name and credentials; primary specialty and any subspecialties; every active practice location with street address and suite number; direct-dial phone number per location; current accepting-new-patients status; languages spoken by the provider or available through on-site interpretation; hospital privileges and facility affiliations; and telehealth modality availability with applicable restrictions. Required fields at the plan or directory level include network tier designation per provider, a last-updated timestamp visible to enrollees, and a process for members to report inaccurate information. Inaccuracy in any of these fields is citable by CMS during a program audit, regardless of whether the omission has caused documented member harm.
CMS Provider Directory Audit Checklist for Compliance Teams
A CMS provider directory audit checklist for compliance teams should cover six core areas: data completeness, accuracy verification, update timeliness, network adequacy ratios, delegation oversight, and documentation of remediation efforts. The six checklist domains are: (1) Data Completeness — confirm all required fields are populated for 100% of listed providers; (2) Accuracy Verification — conduct outbound calls or attestation requests to verify phone numbers, addresses, and accepting-status for a statistically valid sample; (3) Update Timeliness — audit the internal change-log to confirm all provider adds, terms, and modifications were reflected within 30 days; (4) Network Adequacy — run time-and-distance standards against the current active roster; (5) Delegation Oversight — confirm delegated credentialing entities are submitting accurate rosters; (6) Remediation Documentation — maintain a dated audit trail of all corrections made. Each domain should correspond to a producible record, not an informal practice.
How to Fix Provider Directory Errors Before a CMS Audit
To fix provider directory errors before a CMS audit, compliance teams should immediately triage errors by severity, prioritize corrections that affect network adequacy calculations or patient access, and document every remediation action with a timestamp.
Phase 1 — Triage (Days 1–5): Run a completeness report against all required CMS data fields. Flag records with missing phone numbers, blank accepting-status, or no location data as Priority 1.
Phase 2 — Provider Outreach (Days 5–20): Execute a direct verification campaign — phone, portal attestation, or signed attestation form — targeting Priority 1 records first. Log every outreach attempt, response, and correction with date and staff initials.
Phase 3 — System Update and Lock (Days 20–30): Push verified corrections to the live directory, run a post-correction quality check, and freeze the directory for a point-in-time snapshot that can be produced as audit evidence.
Never delete records without maintaining the pre-correction version.
Penalties for Failing a CMS Provider Directory Audit
Penalties for failing a CMS provider directory audit range from required corrective action plans and civil monetary penalties up to intermediate sanctions including enrollment freezes, depending on the severity and scope of findings. The penalty ladder escalates as follows:
Level 1 — Corrective Action Plan (CAP), required for most audit findings, must be submitted within 30–45 days of the audit report and include root cause analysis, remediation steps, and completion timelines.
Level 2 — Civil Monetary Penalties, imposed up to $25,000 per enrollee per day for willful or repeated violations under 42 CFR §422.750.
Level 3 — Intermediate Sanctions, where CMS can impose an enrollment freeze prohibiting new Medicare Advantage enrollees until the CAP is validated.
Level 4 — Contract Termination for sustained non-compliance.
CMS publishes enforcement actions publicly, creating reputational risk beyond the regulatory penalties themselves.
CMS Provider Directory Audit Corrective Action Plan Requirements
A CMS provider directory audit corrective action plan (CAP) must be submitted within 30 to 45 calendar days of receiving the final audit report and must include a root cause analysis, specific corrective steps, responsible parties, and measurable completion dates for each cited deficiency. Required CAP components include: (1) Finding Reference — cite the specific audit element and condition; (2) Root Cause Analysis — explain the operational, system, or process failure that produced the deficiency; (3) Corrective Action Steps — list discrete, verifiable actions the plan will take; (4) Implementation Timeline — provide milestone dates, not open-ended commitments; (5) Responsible Party — name the role or department accountable for each step; (6) Validation Method — describe how CMS or the plan will verify completion through re-audit sample, system report, or attestation. CMS reviews and may reject CAPs that lack specificity or realistic timelines, restarting the clock and increasing penalty exposure.
Tools and Software for CMS Provider Directory Compliance
Provider directory management software built for CMS compliance automates the three functions that most frequently generate audit findings: real-time data updates, outbound verification workflows, and audit-ready reporting with timestamped correction logs. Manual spreadsheet-based directory management is the leading operational cause of audit deficiencies given the volume of provider changes a mid-size MAO processes monthly. Key capabilities compliance teams should evaluate in any platform: automated provider outreach and attestation with configurable cadence; field-level validation against CMS-required data elements at point of entry; delegated entity roster ingestion and reconciliation; time-and-distance network adequacy calculations updated against the live roster; audit universe export in CMS-specified formats; and a correction audit trail with user, timestamp, and pre- and post-values preserved. Provatus is purpose-built for health plan compliance teams managing these requirements at scale, with workflows mapped directly to CMS program audit protocols and designed to support continuous, year-round audit readiness.
Frequently Asked Questions
What does CMS check during a provider directory audit?
CMS verifies that listed providers are actively contracted, reachable at the listed phone number and address, correctly classified by specialty, and accurately marked for accepting-new-patients status. Auditors cross-reference the directory against the plan's credentialing files, claims data, and HPMS network submissions to identify discrepancies. Missing required data fields and outdated information are the most common findings.
How often does CMS audit provider directories?
CMS conducts routine program audits annually, selecting 30–40 Medicare Advantage Organizations each year on a rotating basis. Targeted audits can be triggered at any point by beneficiary complaint volume, OIG referrals, or enrollment anomalies. Plans should maintain continuous audit readiness rather than preparing only after receiving an HPMS engagement letter.
What are the penalties for failing a CMS provider directory audit?
Penalties range from a required corrective action plan for standard findings to civil monetary penalties of up to $25,000 per enrollee per day for willful violations under 42 CFR §422.750. Persistent non-compliance can result in an enrollment freeze — stopping new Medicare Advantage enrollment — or contract termination. CMS publishes enforcement actions publicly, creating additional reputational risk.
What information must be included in a CMS-compliant provider directory?
A CMS-compliant provider directory must include each provider's name, credentials, specialty, all active practice addresses, direct phone numbers, accepting-new-patients status, languages spoken, hospital affiliations, ADA accessibility status, and telehealth availability. Online directories must reflect changes within 30 calendar days of any update. Paper directories must be provided upon request and updated at least annually.
How do I fix provider directory errors before a CMS audit?
Triage errors by severity, prioritizing records with missing phone numbers, blank accepting-status, or no location data. Execute a direct provider outreach campaign to verify and correct Priority 1 records first. Log every outreach attempt, correction, and timestamp as audit evidence. Complete a post-correction quality check and preserve a point-in-time snapshot of the corrected directory before the audit begins.
What is a CMS provider directory audit corrective action plan?
A corrective action plan (CAP) is a formal response to CMS audit findings, required within 30–45 days of the final audit report. It must include a root cause analysis, specific corrective steps with responsible parties, implementation milestones, and a validation method. CMS reviews and may reject CAPs lacking specificity, which restarts the response timeline and increases penalty exposure.
What are CMS provider directory accuracy requirements for Medicare Advantage plans?
Under 42 CFR §422.111(b)(3) and CMS Medicare Managed Care Manual Chapter 4, Medicare Advantage plans must maintain provider directories with complete and accurate required data fields, updated within 30 days of any provider change. CMS's own secret shopper studies have found error rates exceeding 20% for phone numbers and accepting-status — the two fields most frequently cited in audit findings.
How do I create a provider directory audit checklist for CMS compliance?
A CMS provider directory audit checklist should cover six domains: data completeness (all required fields populated), accuracy verification (outbound verification of contact and status data), update timeliness (changes reflected within 30 days), network adequacy (time-and-distance standards met), delegation oversight (delegated rosters reconciled), and remediation documentation (timestamped correction audit trail maintained and producible).