Medicaid Managed Care

Medicaid Managed Care Provider Directory Requirements: The Complete Compliance Guide

Medicaid managed care provider directory compliance sits at the intersection of federal regulation, state contract requirements, and network adequacy...

By Provatus Compliance Intelligence Team ·
Medicaid Managed Care Provider Directory Requirements: The Complete Compliance Guide

By the Provatus Compliance Intelligence Team

Medicaid managed care provider directory compliance sits at the intersection of federal regulation, state contract requirements, and network adequacy standards — a multilayered obligation where non-compliance can trigger corrective action plans, financial penalties, and contract termination. For MCO compliance officers, VP Network Management, and Director Provider Relations teams, the governing federal framework under 42 CFR 438.10 establishes a floor that many states have significantly raised. This guide provides the complete regulatory framework, required data elements, update frequency obligations, state-specific requirements, and operational program design that Medicaid managed care organizations need to maintain defensible directory compliance across the full scope of their state and federal obligations.


Federal Regulatory Framework for Medicaid Managed Care Provider Directories

Federal requirements for Medicaid managed care provider directories are established primarily under 42 CFR 438.10, the CMS regulation governing member information and provider directory standards for managed care organizations (MCOs), prepaid inpatient health plans (PIHPs), and prepaid ambulatory health plans (PAHPs). CMS requires MCOs to maintain a provider directory that is publicly accessible online and available in print upon request. The rule applies to all states operating Medicaid managed care programs under §1932 or §1915(a)/(b) waiver authority. States must incorporate these standards into their contracts with MCOs. The directory must distinguish between providers accepting new patients and those who are not. These federal standards establish the minimum compliance floor — individual states routinely layer additional obligations that exceed the federal requirements in update frequency, required data elements, and accuracy thresholds.

What Is 42 CFR 438.10 and Why It Governs Provider Directories

42 CFR 438.10 establishes the minimum federal standards for member information that all Medicaid managed care entities must meet, including provider directory content, format, accessibility, and update frequency. Promulgated under the 2016 Medicaid Managed Care Final Rule (81 FR 27498), effective July 5, 2016, it applies to MCOs, PIHPs, and PAHPs — not fee-for-service Medicaid. The regulation requires directories to be posted online in a machine-readable format and made available in print within five business days of a member request at no cost. It requires culturally and linguistically appropriate formats consistent with §438.10(d) thresholds — populations where 5% or more speak a non-English language trigger translated materials. States are responsible for ensuring MCO contracts enforce these requirements and may add stricter standards. CMS uses this regulation as the baseline floor — states routinely layer additional obligations on top through their managed care contracting processes.


Required Information in a Medicaid Managed Care Provider Directory

A Medicaid managed care provider directory must include, at minimum, the provider's name, address, telephone number, specialty, whether the provider is accepting new patients, and whether the provider offers services accessible to individuals with physical disabilities — as required under 42 CFR 438.10(h). Required elements per 42 CFR 438.10(h)(1) include: name, address, phone, specialty, cultural and linguistic capabilities, whether accepting new patients, and for hospitals, any distinguishing institutional characteristics. For mental health and substance use disorder providers, parity compliance may require additional directory specificity. Provider type coverage must include primary care providers, specialists, hospitals, pharmacies, mental health providers, and federally qualified health centers. Group practice listings must identify individual practitioners within the group — aggregate group data does not satisfy audit scrutiny. NPI inclusion is increasingly required by state contracts, though not explicitly mandated in the federal rule text.

Online vs. Print Provider Directory Requirements

Medicaid managed care organizations are required to maintain a publicly accessible online provider directory and must provide a print version to any member who requests one within five business days at no cost, per 42 CFR 438.10(h)(2). The online directory is the primary compliance vehicle — it must be updated in real time or near-real time and reflect current network status. Machine-readable format (JSON or XML) is required to support data interoperability, increasingly aligned with No Surprises Act and CMS Interoperability Rule expectations. Print directories are permissible as a static snapshot but must clearly indicate the date of publication and direct members to the online version for current information. Members with disabilities or limited English proficiency must be offered accessible formats, including alternative languages consistent with §438.10(d) thresholds. Plans must document requests for print directories and track fulfillment timelines for audit readiness.

Medicaid Managed Care Provider Directory Accuracy Standards

Medicaid managed care provider directory accuracy standards require that all listed providers are currently contracted, actively practicing at the listed location, and accepting new Medicaid patients — inaccurate directories that list unavailable providers are commonly referred to as "ghost networks." CMS and state Medicaid agencies treat accuracy as a condition of network adequacy — a directory listing phantom providers does not constitute a compliant network. Accuracy validation typically requires plans to contact providers proactively on a quarterly outreach basis to confirm directory data. Provider attestation processes — where providers verify their own data — are a recognized compliance mechanism but must be documented. OIG reports from 2014 and 2023 found significant inaccuracy rates in both Medicaid and Marketplace directories. State contracts increasingly specify numeric accuracy thresholds — often 95% — verified through secret shopper audits or provider outreach data, creating a measurable compliance target beyond simply maintaining a directory.


How Often Medicaid Managed Care Provider Directories Must Be Updated

Under 42 CFR 438.10(h)(1)(i), Medicaid managed care organizations must update their online provider directories within 30 calendar days of receiving updated provider information — though many states mandate faster update windows as a condition of their MCO contracts. The federal floor is 30 calendar days from receipt of a change notification. Many states — including California, New York, Texas, and Florida — require online directory updates within 5 to 15 business days of a contract or demographic change. Triggering update events include new provider contracts, contract terminations, address or practice location changes, and panel closure or reopening. MCOs must establish a provider data intake process that captures these changes systematically — ad hoc reporting is insufficient for audit defense. Network adequacy standards under 42 CFR 438.68 are directly tied to directory accuracy; an outdated directory that misrepresents network coverage is a network adequacy violation, not merely a directory error.

Provider Directory Compliance as a Network Adequacy Indicator

Medicaid managed care provider directory compliance and network adequacy are legally interrelated obligations — CMS and state Medicaid agencies use directory accuracy as primary evidence that an MCO's contracted network meets 42 CFR 438.68 time-and-distance and appointment availability standards. 42 CFR 438.68 requires MCOs to meet state-established network adequacy standards for provider type, specialty, and geographic accessibility. Provider directories serve as the auditable record demonstrating that required provider types are available in the network — if directory data is stale or inaccurate, the MCO cannot demonstrate adequacy. States must submit Access Monitoring Review Plans (AMRPs) to CMS under 42 CFR 438.66, often relying on directory-sourced data. CMS's 2024 Medicaid Access Rule (CMS-2442-F) added new network adequacy monitoring requirements that further elevate the importance of clean, timely provider data. Plans should treat directory management not as an administrative function but as a network adequacy compliance function with board-level oversight.


Penalties and Enforcement for Inaccurate Medicaid Provider Directories

Penalties for inaccurate Medicaid managed care provider directories range from corrective action plans and financial penalties to enrollment freezes and contract termination — enforcement authority is shared between CMS and state Medicaid agencies depending on the violation type. CMS holds ultimate authority but delegates primary enforcement to state Medicaid agencies through the managed care contract framework. State enforcement tools include corrective action plans, liquidated damages clauses (typically $25,000 to $100,000 per violation depending on state), enrollment sanctions, and contract non-renewal. CMS can impose intermediate sanctions under 42 CFR 438.702, including civil monetary penalties and suspension of new enrollments, for serious or repeated violations. OIG investigations and Medicaid fraud control unit referrals are possible when directory inaccuracies are linked to fraudulent billing or access-to-care harm. State attorneys general have pursued enforcement actions — most prominently in California, New York, and New Jersey — citing consumer protection statutes in addition to Medicaid regulatory violations.

State-Specific Medicaid Managed Care Provider Directory Requirements

State-specific Medicaid managed care provider directory requirements frequently exceed the federal floor established by 42 CFR 438.10, with states imposing shorter update timelines, higher accuracy thresholds, additional required data elements, and more frequent provider outreach cycles. California DHCS requires directory updates within 5 business days of a change and mandates quarterly provider outreach with documented attestation. New York OMIG and DOH require inclusion of languages spoken by provider staff and mandate secret shopper audit readiness with 95%+ accuracy targets. Texas HHSC requires monthly online directory refresh cycles and provider panel data cross-referenced against managed care encounter data. Florida AHCA requires NPI-level directory data and cross-validation against Medicaid provider enrollment files. Plans operating in multiple states must maintain a compliance matrix tracking each state's specific directory obligations — a single national template will not achieve multi-state compliance. State requirements are embedded in MCO contracts and subject to renegotiation at each contract renewal cycle.


Building a Compliant Provider Directory Management Program

A compliant Medicaid managed care provider directory management program requires four integrated operational components: systematic provider outreach and attestation, a defined data intake and update workflow, a multi-state compliance tracking framework, and documented audit-readiness processes. Provider outreach cadence requires minimum quarterly contact with all network providers to verify name, address, phone, specialty, panel status, and accessibility features — documented with timestamps. Data intake means any provider-initiated change must flow through a documented intake process with SLA-based update windows tied to state contract requirements. For plans operating in multiple states, a living compliance matrix must map each state's specific obligations including update frequency, accuracy threshold, required data elements, and enforcement exposure. Audit readiness requires directory snapshots archived at regular intervals with provider contact logs, attestation records, and exception reports as primary evidence in state audits. Manual spreadsheet-based directory management is structurally unable to meet real-time update requirements at scale. Provatus provides the technology infrastructure that operationalizes all four components for Medicaid MCO compliance teams.

Frequently Asked Questions

What are the federal requirements for Medicaid managed care provider directories?

Federal requirements for Medicaid managed care provider directories are established under 42 CFR 438.10, which requires MCOs to maintain a publicly accessible online directory updated within 30 calendar days of receiving changes, provide print copies within five business days upon request, and include required data elements such as provider name, address, phone number, specialty, accessibility features, and whether the provider is accepting new patients.

How often must Medicaid managed care provider directories be updated?

Under 42 CFR 438.10, online Medicaid managed care provider directories must be updated within 30 calendar days of receiving updated provider information. Many states impose stricter timelines — typically 5 to 15 business days — through MCO contract requirements. Triggering events include new contracts, terminations, address changes, and panel status changes.

What information must be included in a Medicaid managed care provider directory?

A Medicaid managed care provider directory must include each provider's name, address, telephone number, specialty, cultural and linguistic capabilities, whether the provider is accepting new patients, and accessibility features for individuals with physical disabilities. For hospitals, distinguishing institutional characteristics are also required. Many states mandate additional elements such as NPI numbers and languages spoken by staff.

What is 42 CFR 438.10 and what does it require?

42 CFR 438.10 is the federal regulation governing member information requirements for Medicaid managed care organizations, including provider directory standards. It requires MCOs to maintain accurate, publicly accessible online directories, provide print versions on request within five business days, and offer materials in accessible formats. It applies to MCOs, PIHPs, and PAHPs participating in state Medicaid managed care programs.

What are the penalties for inaccurate Medicaid managed care provider directories?

Penalties for inaccurate Medicaid managed care provider directories include corrective action plans, financial penalties ranging from $25,000 to $100,000 per violation depending on state, enrollment freezes, and contract termination. CMS can impose intermediate sanctions under 42 CFR 438.702, including civil monetary penalties and suspension of new enrollments, for serious or repeated violations.

What is a ghost network in Medicaid managed care?

A ghost network refers to a Medicaid managed care provider directory that lists providers who are not actually available to members — either because they are not accepting new patients, no longer contracted, or not reachable at the listed location. Ghost networks violate federal accuracy standards under 42 CFR 438.10 and are a primary CMS and state Medicaid enforcement priority.

How do state Medicaid provider directory requirements differ from federal rules?

State Medicaid managed care provider directory requirements frequently exceed the federal floor set by 42 CFR 438.10. States may impose shorter update timelines (as fast as 5 business days), higher accuracy thresholds (95%+), additional required data elements such as NPI numbers or languages spoken, and mandatory quarterly provider attestation. These requirements are embedded in MCO contracts and vary significantly by state.

How does provider directory accuracy relate to network adequacy compliance?

Provider directory accuracy is directly tied to Medicaid managed care network adequacy compliance under 42 CFR 438.68. CMS and state Medicaid agencies use directory data as primary evidence that an MCO's network meets time-and-distance and appointment availability standards. An inaccurate directory that lists unavailable providers constitutes a network adequacy violation, not merely a recordkeeping error.

See Provatus in action

Upload a sample provider roster and see how Provatus runs ProvataCheck™ 35-point verification across every federal and state compliance feed in under 20 minutes.

Start Free Audit →