No Surprises Act

No Surprises Act Penalties: Provider Directory Compliance Guide

The No Surprises Act transformed provider directory compliance from a regulatory best-practice into a federally enforced financial liability. Plans that...

By Provatus Compliance Intelligence Team ·
No Surprises Act Penalties: Provider Directory Compliance Guide

By the Provatus Compliance Intelligence Team

The No Surprises Act transformed provider directory compliance from a regulatory best-practice into a federally enforced financial liability. Plans that maintain incorrect provider directory listings now face civil monetary penalties of up to $100 per day per affected enrollee under 45 CFR §150.315 — a per-enrollee calculation that compresses ordinary compliance failures into six- or seven-figure exposure events. Beyond regulatory fines, the Act's member hold-harmless provision creates a direct claims liability whenever a member relies on an inaccurate in-network listing and receives out-of-network care. For health plan compliance officers, VP Network Management, and Director Provider Relations teams, understanding the penalty structure, the patient rights framework, and the operational compliance requirements is essential to managing both the regulatory and financial dimensions of directory accuracy.


What the No Surprises Act Requires for Provider Directories

The No Surprises Act requires health plans and issuers to maintain accurate, publicly accessible provider directories that include specific data elements for every covered provider and facility. Under 45 CFR §149.410, plans must include: the provider's name, specialty, medical group affiliations, facility name, address, telephone number, digital contact information, and whether the provider is accepting new patients. Directories must clearly indicate whether each provider is in-network for a specific plan or product — not just for the issuer broadly. Both online and paper directory formats are subject to these requirements, though online directories carry additional real-time accuracy obligations. Plans must note language accessibility services where applicable. Data must be presented in a manner allowing enrollees and prospective enrollees to identify whether a specific provider participates in their plan before receiving care. Failure to maintain these required data elements constitutes a directory violation subject to CMS civil monetary penalties.

Which Providers and Facilities Must Be Listed

Provider directories under the No Surprises Act must include all participating providers and facilities with whom the plan has a network agreement, including facility-based physicians whose network status patients are unlikely to verify independently. This requirement is particularly significant for emergency departments, surgical centers, and hospitals where patients may see multiple providers in a single visit — some in-network, some not. Plans must list attending physicians, anesthesiologists, radiologists, pathologists, and other facility-based specialists if those providers are under a network contract. Air ambulance service providers that participate in a network must also be included. For each listed provider, the directory must clearly indicate the specific plan or product through which participation applies, since a provider may be in-network for one product and out-of-network for another offered by the same issuer. Omitting any category of participating provider exposes the plan to directory inaccuracy claims and civil monetary penalties.


No Surprises Act Penalties for Incorrect Provider Directory Listings

Health plans that maintain incorrect provider directory listings under the No Surprises Act face civil monetary penalties of up to $100 per day for each individual who is affected by a directory inaccuracy. CMS has authority under 45 CFR §150.315 to impose these penalties on non-grandfathered group health plans and health insurance issuers in the individual and group markets. The $100-per-day figure accrues per affected enrollee — meaning a single inaccurate listing for a provider serving hundreds of members can rapidly compound into six-figure exposure. Penalties apply when a plan lists a provider as in-network when they are not, fails to remove a departed provider within the required timeframe, or omits a required data element for a covered provider. CMS may also refer violations to the Department of Labor or state insurance regulators for additional enforcement action. Repeated or systemic violations may trigger corrective action plans in addition to monetary penalties.

CMS Enforcement Actions Against Health Plans

CMS enforces No Surprises Act provider directory requirements through a combination of complaint-driven investigations, market conduct examinations, and proactive audits of health plan directory data. When a complaint is filed — by a patient, provider, or state — CMS initiates a review of the plan's directory practices, including data sources, update protocols, and verification procedures. If a violation is confirmed, CMS may issue a notice of proposed penalty, require a corrective action plan, or both. In states that have adopted their own No Surprises Act enforcement frameworks, state insurance commissioners may conduct parallel investigations under state market conduct authority. For self-funded ERISA plans, the Department of Labor has concurrent enforcement jurisdiction alongside CMS. Enforcement transparency is a stated CMS priority — the agency has indicated it will publish enforcement actions to incentivize broader plan compliance. Health plans should treat directory accuracy as an active regulatory compliance function with documented audit trails, not a data management task.


Provider Directory Update Frequency Requirements Under the No Surprises Act

The No Surprises Act requires health plans to update their online provider directories within two business days of receiving information that a provider's network status has changed. This 48-hour update window applies to both additions and removals — when a provider terminates their network contract or a new provider joins, the online directory must reflect that change within two business days of the plan being notified. For paper directories, plans must provide enrollees with an updated directory upon request and must note on any printed directory the date through which the information is accurate. Plans are also required to verify provider information at least every 90 days by reaching out to each provider to confirm continued participation, contact details, and whether they are accepting new patients. The 2-business-day update requirement and the 90-day verification cycle are independent grounds for CMS penalty assessment — failing either without having failed the other still constitutes a compliance violation.

How to Comply With No Surprises Act Provider Directory Rules

Complying with No Surprises Act provider directory rules requires health plans to implement a structured data governance program that covers intake, verification, publication, and audit of provider network information on an ongoing basis. Four operational components are required: first, a contractual intake workflow capturing all required directory data elements at the point of credentialing or contracting; second, a scheduled 90-day provider outreach cycle — via attestation portal, phone, or digital survey — to confirm continued participation and current practice details; third, a change management protocol that routes provider termination or update notices into the directory system within the 2-business-day window required by regulation; fourth, an audit log documenting each update, verification attempt, and directory publication event to demonstrate regulatory good faith during a CMS examination. Plans relying on static, manually updated directories are structurally unable to meet these standards at scale and should evaluate automated provider data management solutions.


No Surprises Act Effective Date and Implementation Timeline

The No Surprises Act took effect on January 1, 2022, for plan years beginning on or after that date, with provider directory requirements and associated penalty authority active from the first day of implementation. The law was enacted as part of the Consolidated Appropriations Act of 2021, signed December 27, 2020, giving plans and issuers approximately 12 months to build compliance infrastructure. CMS issued two interim final rules in 2021 — the first in July covering balance billing protections and directory requirements, the second in September covering the independent dispute resolution process and good faith estimate obligations. A final rule addressing additional transparency requirements was finalized in 2022. Provider directory accuracy requirements, including the 2-business-day update standard and 90-day verification cycle, were operative from January 1, 2022. There was no grace period for directory compliance — plans were expected to meet the data accuracy standards from day one of enforcement, reflecting the regulatory priority CMS placed on directory accuracy.


Patient Rights Related to Provider Directory Accuracy

Under the No Surprises Act, patients who rely on a health plan's provider directory to select what they believe is an in-network provider are entitled to in-network cost-sharing protections — even if that provider is actually out-of-network — if the directory was inaccurate at the time of scheduling. This held-harmless protection applies when the member can demonstrate they selected the provider based on the directory listing and had no independent notice that the provider was out-of-network at the time of scheduling. The financial burden then falls entirely on the health plan: the plan must pay the provider at an in-network rate or negotiate, absorb the difference, and cannot retroactively bill the member out-of-network amounts. This is distinct from the Good Faith Estimate requirement, which applies to uninsured and self-pay patients and requires providers to furnish anticipated cost estimates before scheduled services. Directory inaccuracy claims generate direct financial liability for plans; Good Faith Estimate violations generate penalty liability for providers.


What Health Plans Should Do Now to Reduce Penalty Exposure

Health plans that want to reduce No Surprises Act penalty exposure should treat provider directory accuracy as a continuous compliance function — not a one-time data project — supported by documented workflows and audit-ready records. Core operational priorities are: maintaining a verified roster of all participating providers with complete required data elements; running a structured 90-day outreach cycle with documented attestation results; enforcing a 2-business-day SLA for processing any change to provider network status; and retaining evidence of each update and verification event. Manual processes — spreadsheets, disconnected credentialing systems, informal provider outreach — create compliance gaps that compound quickly across large networks. Plans managing hundreds or thousands of provider relationships need technology infrastructure that automates outreach, tracks response rates, and flags stale records before they become violations. Provatus is purpose-built for this compliance function, providing health plans with the provider data management tools needed to meet No Surprises Act directory accuracy standards and document compliance for CMS review.

Frequently Asked Questions

What are the penalties for incorrect provider directory listings under the No Surprises Act?

Health plans face civil monetary penalties of up to $100 per day for each individual affected by an incorrect provider directory listing. CMS imposes these penalties under 45 CFR §150.315. Because the penalty accrues per affected enrollee per day, a single inaccurate listing for a widely used provider can result in substantial aggregate liability.

How often must provider directories be updated under the No Surprises Act?

Online provider directories must be updated within 2 business days of receiving information that a provider's network status has changed. In addition, health plans must verify provider information at least every 90 days by contacting providers to confirm participation, contact details, and patient acceptance status.

What information must be included in a provider directory under the No Surprises Act?

Required data elements include: provider name, specialty, medical group affiliations, facility name, address, phone number, digital contact information, network status for each specific plan product, and whether the provider is accepting new patients. Facility-based providers such as anesthesiologists and radiologists must also be listed if they hold network contracts.

When did the No Surprises Act take effect?

The No Surprises Act took effect on January 1, 2022, for plan years beginning on or after that date. The law was enacted December 27, 2020, as part of the Consolidated Appropriations Act of 2021. Provider directory requirements and CMS penalty authority were active from January 1, 2022, with no grace period for compliance.

Who enforces the No Surprises Act provider directory requirements?

CMS has primary enforcement authority for fully insured individual and group market plans. The Department of Labor has concurrent jurisdiction for self-funded ERISA plans. States that have enacted conforming legislation may enforce requirements through their insurance commissioner's market conduct authority. CMS can issue civil monetary penalties and require corrective action plans.

What happens if a patient uses an incorrect provider directory to choose a doctor?

Patients who rely on an inaccurate directory to select what they believe is an in-network provider are entitled to in-network cost-sharing rates, even if the provider is out-of-network. The health plan must absorb the financial difference and cannot bill the patient at out-of-network rates when the error is due to a directory inaccuracy.

How is the No Surprises Act provider directory requirement different from the Good Faith Estimate requirement?

Provider directory requirements apply to health plans and protect insured patients from surprise bills caused by inaccurate network information. Good Faith Estimates apply to providers and facilities, requiring them to give uninsured or self-pay patients a cost estimate before scheduled services. Both reduce surprise billing but operate under different rules and target different parties.

What is the 90-day verification requirement under the No Surprises Act?

Health plans must contact every participating provider at least once every 90 days to verify that their directory information is accurate, including network participation status, contact details, and whether they are accepting new patients. Failure to complete this verification cycle is an independent basis for CMS penalty assessment, regardless of whether a patient complaint has been filed.

See Provatus in action

Upload a sample provider roster and see how Provatus runs ProvataCheck™ 35-point verification across every federal and state compliance feed in under 20 minutes.

Start Free Audit →