No Surprises Act 90-Day Provider Directory Update: What Health Plans Must Know

By the Provatus Compliance Intelligence Team

The No Surprises Act's provider directory requirements introduced a new layer of federal compliance obligation on top of existing CMS Medicare Advantage and state insurance rules — one with a direct financial liability mechanism that goes beyond regulatory fines. The 90-day verification cycle and the 2-business-day update window for network status changes are not aspirational standards; they are operationally enforced requirements with penalty exposure that compounds per enrolled member per day of non-compliance. For health plan compliance officers, VP Network Management, and Director Provider Relations teams, understanding the precise mechanics of these obligations — who is covered, what clock starts when, what happens when a member relies on an incorrect listing — is the foundation of building a defensible directory compliance program. This guide covers the full regulatory framework and operational compliance requirements.

---

What Is the No Surprises Act 90-Day Directory Update Requirement?

The No Surprises Act requires health plans and health insurance issuers to update their provider directories within 90 days of receiving information about a change in a provider's network participation status. The statutory source is Section 116 of the No Surprises Act, codified under PHSA Section 2799B-8 and corresponding DOL and Treasury regulations. This requirement applies to both online and print directories and covers group health plans, health insurance issuers in the group and individual markets, and Federal Employees Health Benefits carriers. The 90-day clock begins when the plan receives notice — not when the change becomes effective. The 2021 interim final rule and subsequent 2024 CMS guidance establish the regulatory anchors for this requirement. Health plans must also maintain a process for providers to submit directory updates, which feeds directly into verification obligations and must be clearly published for provider access.

Which Provider Directory Information Must Be Accurate Under the No Surprises Act?

Under the No Surprises Act, health plans must ensure their provider directories include accurate information on network participation status, provider specialty, practice location, phone number, and whether the provider is accepting new patients. Directories — both online and paper-based — must reflect these data elements at the individual provider level, not just the practice or facility. Online directories must be searchable and publicly accessible without requiring plan enrollment. The 2024 CMS enforcement guidance clarified that "directory accuracy" encompasses real-time or near-real-time online updates, while print directories must carry a notice directing enrollees to verify status before scheduling. CMS has flagged accepting-new-patients status as a frequent accuracy failure point in audits. Provider specialty data tied to billing codes and NPI taxonomy is cross-referenced by regulators, making taxonomy accuracy a parallel compliance obligation that directory teams must track alongside demographic data fields.

Does the 90-Day Rule Apply to All Health Plans?

The No Surprises Act 90-day directory update requirement applies to most group health plans and health insurance issuers in the individual and group markets, including self-funded employer plans and FEHB carriers — but grandfathered health plans are generally exempt. Self-insured ERISA plans are subject to the rule under DOL jurisdiction, while fully insured plans fall under state and federal co-enforcement. Short-term limited duration insurance plans are also exempt. Grandfathered plan status must be maintained and documented — plans that have made significant benefit or cost-sharing changes may have lost grandfathered status and thereby become subject to NSA directory requirements. CMS handles oversight of issuers in states without substantial enforcement authority, while state insurance commissioners enforce in states with approved programs. Compliance officers should audit their plan type classification annually to confirm which obligations apply to each product line.

---

Penalties for Not Updating Your Provider Directory Within 90 Days

Health plans that fail to update their provider directory within the 90-day window required by the No Surprises Act face civil monetary penalties of up to $100 per day for each individual affected by the inaccurate listing. CMS has authority under 45 CFR Part 150 to impose these penalties, and accrual begins at the point of violation — not at the point of a complaint. The compounding risk is significant: a single provider listed incorrectly across thousands of enrollees creates a per-enrollee-per-day exposure that can rapidly reach six or seven figures. If an enrollee relies on an incorrect directory listing and receives care from a provider they believed was in-network, the plan may be required to apply in-network cost-sharing regardless of the provider's actual network status. CMS-initiated audits are proactive; complaint-triggered investigations are reactive — both can result in penalty assessment. State regulators may impose additional penalties separately and simultaneously with federal enforcement.

What Happens When a Member Uses an Incorrectly Listed Provider?

If a member receives care from a provider listed incorrectly as in-network in a health plan's directory, the No Surprises Act requires the plan to hold the member harmless — meaning the plan must apply in-network cost-sharing rates, even if the provider is actually out-of-network. This reliance protection applies when the member can demonstrate they selected the provider based on the directory listing and had no independent notice that the provider was out-of-network at the time of scheduling. The financial burden falls entirely on the health plan: the plan must pay the provider at an in-network rate or negotiate, absorb the difference, and cannot retroactively bill the member out-of-network amounts. This creates dual exposure — penalty liability to regulators and financial liability to members and providers simultaneously. CMS FAQ guidance issued in August 2022 specifically addressed directory-reliance scenarios. Documented complaints from members are one of CMS's primary audit triggers for directory accuracy investigations.

---

How Health Plans Must Comply With the 90-Day Directory Update Rule

To comply with the No Surprises Act 90-day directory update requirement, health plans must establish a documented intake-to-publication workflow that begins the moment a provider submits a change in network participation status. The required workflow elements include: (1) a clearly published process for providers to submit updates (required by statute); (2) a timestamped intake system that starts the 90-day clock; (3) internal routing to credentialing and directory teams; (4) review and publication to online and print directories within the 90-day window; and (5) confirmation sent back to the provider. Compliance officers should maintain an audit log showing the date each change was received, reviewed, and published. Plans using delegated entities — TPAs, vendor directories — remain responsible for compliance and must contractually require vendors to meet the same standards. CMS may request documentation of this process during an audit, making workflow records an essential compliance artifact, not an optional internal tracking mechanism.

Provider Directory Verification Process Under the No Surprises Act

The No Surprises Act requires health plans to establish a verification process that proactively confirms provider directory information is accurate — not just a reactive system that waits for providers to submit changes. CMS guidance specifies that plans should implement regular outreach to providers to confirm their network participation status, location, and accepting-new-patient status. While the regulation does not mandate a specific verification frequency beyond the 90-day update window, best practice and the standard implied by CMS audit expectations is quarterly attestation outreach. The verification process should include: automated data-match checks against NPPES for NPI-level accuracy; outbound provider attestation requests; exception flagging for non-responders; and escalation protocols. Plans must be able to demonstrate this verification cadence to regulators. Providers who do not respond to verification outreach should be flagged as unverified in the directory — unverified status itself carries disclosure obligations that compliance teams must manage.

Compliance Checklist — 90-Day Directory Update Requirements

Health plan compliance officers should use the following checklist to confirm their organization meets the No Surprises Act's 90-day directory update obligations:

• Published process exists for providers to submit directory updates
• Intake system timestamps every provider change notification
• Internal workflow routes changes to credentialing and directory teams within 5 business days
• Online directory is updated within 90 days of change notification
• Print directory carries notice directing members to verify online
• Delegated entity contracts include NSA directory compliance language
• Quarterly NPPES data-match is conducted and documented
• Audit log of all received, reviewed, and published changes is maintained
• Member complaint tracking system flags directory-reliance complaints
• Annual plan-type classification review confirms NSA applicability

Each checklist item should correspond to a documented policy, system record, or vendor contract clause — not an informal practice.

---

No Surprises Act Provider Directory Update Guidance From CMS

CMS has issued several rounds of guidance on No Surprises Act provider directory requirements, beginning with the October 2021 Interim Final Rule and extended through 2024 rulemaking that clarified enforcement expectations for health plans. The October 2021 IFR (86 FR 55980) established the 90-day update requirement and baseline directory accuracy standards. August 2022 CMS FAQs addressed directory-reliance protections for enrollees and clarified cost-sharing hold-harmless rules. 2023 CMS Enforcement Guidance confirmed that complaint-driven audits will include directory accuracy as a primary review category. The 2024 Final Rule strengthened data integrity expectations and aligned directory standards with the Transparency in Coverage rule's machine-readable file requirements. Compliance officers should monitor the CMS No Surprises Act implementation page for updated FAQs. State-specific guidance may supplement federal minimums in states with approved enforcement programs, requiring compliance teams to track both federal and state guidance cycles.

---

Technology and Operational Tools for No Surprises Act Directory Compliance

Health plans managing No Surprises Act 90-day directory update compliance at scale require technology capable of timestamping provider change notifications, routing updates through credentialing workflows, and maintaining a defensible audit trail for CMS review. Manual spreadsheet-based directory management is no longer viable for plans with networks of more than a few hundred providers — the volume of provider data changes creates a compliance gap that compounds penalty exposure daily. Key capabilities to evaluate in directory management platforms include: automated NPI-level data ingestion from NPPES; provider self-service attestation portals; 90-day SLA tracking with escalation alerts; real-time directory publishing APIs; audit-ready change logs with timestamps and user records; and delegated entity data feeds with contractual SLA enforcement. Provatus helps health plans operationalize these requirements with purpose-built provider data management tools designed for compliance officers managing network accuracy at scale across all applicable regulatory frameworks.