Provider Directory Accuracy Penalties: Federal vs. State Rules

By the Provatus Compliance Intelligence Team

Provider directory accuracy enforcement operates across a layered regulatory landscape where federal law sets a floor and states routinely build well above it. Health plans face three distinct penalty regimes simultaneously — CMS enforcement under Medicare Advantage and No Surprises Act frameworks, state insurance department action under state-specific directory laws, and contractual liquidated damages for Medicaid managed care organizations. For compliance officers navigating multi-state, multi-product plan operations, understanding exactly which standard applies to which product line, how fines are calculated, and what the ghost network enforcement landscape looks like is not optional background knowledge — it is the foundation of defensible compliance program design. This guide maps every material federal and state penalty exposure for provider directory inaccuracy and explains what the real financial risk looks like beyond the fine amounts themselves.


Federal Penalties for Inaccurate Provider Directories

Federal penalties for inaccurate provider directories can reach up to $25,000 per plan per year under CMS Medicare Advantage regulations, with additional per-beneficiary civil monetary penalties available under the No Surprises Act enforcement framework. CMS regulatory authority covers MA and Medicaid managed care provider directories through 42 CFR §422.111 and §438.10 respectively. CMS typically escalates through a structured sequence: Corrective Action Plan, then intermediate sanctions, then civil monetary penalties. The No Surprises Act, effective January 2022, requires health plans to update online provider directories within 2 business days of receiving provider information changes and to verify directory information at least every 90 days. NSA penalty exposure extends beyond regulatory fines: when an insurer fails to remove an incorrect provider entry and a member relies on that entry for care, the insurer may be required to hold the member harmless at in-network cost-sharing — a financial liability that often exceeds any regulatory fine in aggregate claims impact.

CMS Provider Directory Requirements for Medicare Advantage Plans

CMS requires Medicare Advantage organizations to maintain accurate, complete online provider directories under 42 CFR §422.111(b)(3), with enforcement escalating from corrective action plans to intermediate sanctions including civil monetary penalties of up to $25,000 per plan per year. The governing regulatory authority for penalties is 42 CFR §422.752. CMS conducts program audits that score directory accuracy — plans scoring below threshold trigger immediate CAP requirements. CMS's 2023–2024 audit data identified provider directory deficiencies as a top-cited finding category across Medicare Advantage organizations. Intermediate sanctions can include suspension of marketing and enrollment — operationally more damaging than fines alone because they prevent member growth for the duration of the sanction. Medicare Advantage plans face federal-only oversight; ACA Marketplace plans face a hybrid federal and state enforcement model that compounds compliance obligations differently.

No Surprises Act Provider Directory Accuracy Requirements

The No Surprises Act requires health plans to update provider directory information within 2 business days of a provider's status change and to verify all directory entries at least every 90 days — with the financial penalty for non-compliance being member hold-harmless obligations in addition to regulatory fines. The regulatory basis is the Interim Final Rule Parts I and II under 45 CFR §149.410 for non-grandfathered group and individual plans. The 2-business-day update window applies to both online and print directory channels. The hold-harmless mechanism is the key financial risk: if a member relies on an inaccurate directory entry and receives care from an out-of-network provider, the plan must cover the care at in-network cost-sharing rates and cannot count it toward out-of-network cost-sharing accumulations. This actuarial exposure dwarfs per-instance regulatory fines at scale. CMS and state insurance commissioners share enforcement authority for fully insured commercial plans.


State vs. Federal Provider Directory Compliance Rules

State provider directory compliance rules frequently exceed federal minimums, and health plans operating across multiple states must comply with whichever standard is stricter — creating a compliance matrix where California, New York, and Illinois impose requirements that go materially beyond CMS and No Surprises Act baselines. Federal law sets a floor; states retain authority to impose stricter requirements for fully insured commercial and Medicaid managed care products regulated at the state level. ERISA self-funded plans are generally preempted from state directory mandates — a critical distinction for plans managing multiple product lines under one operational umbrella. Update frequency variation by state can be significant: some states require real-time or weekly updates versus the federal 90-day floor. State insurance departments conduct proactive directory audits in some jurisdictions and rely on complaint-driven enforcement in others. Plans with multi-state footprints must operationalize the most restrictive applicable standard per state-product combination — a single national update schedule will systematically under-comply in higher-requirement states.

Which States Have the Strictest Provider Directory Accuracy Laws

California, New York, Illinois, and Texas are consistently identified as states with the strictest provider directory accuracy laws, imposing update frequencies, verification standards, and per-violation penalties that exceed federal No Surprises Act requirements. California DMHC regulations require health plans to update directories within 5 business days of a change and have issued fines exceeding $1 million in enforcement actions tied to directory inaccuracy and ghost networks. New York Department of Financial Services requires quarterly network adequacy certifications with directory accuracy as a component and has pursued enforcement actions under Insurance Law §3217-a. Illinois requires online directory updates within 2 business days and mandates that consumers be notified proactively if a listed provider is no longer in-network — a consumer protection provision that goes beyond federal disclosure requirements. Texas TDI requires directory updates within 10 business days but imposes tiered penalties for systematic inaccuracy. State laws apply to fully insured products only; ERISA plans are federally preempted from these state-level obligations.

Provider Directory Update Frequency Requirements by State

Federal law requires health plans to update provider directories within 2 business days of a status change and verify all entries every 90 days, but more than a dozen states impose shorter update windows or continuous verification requirements that supersede the federal baseline. A structured comparison reveals the compliance variance: at the federal level, the NSA requires 2 business days for updates with 90-day verification. California requires 5 business days for updates with quarterly verification for some products. New York requirements vary by product line with quarterly adequacy certification. Illinois requires 2 business days. Texas requires 10 business days. Florida requires updates "promptly" as defined by OIR guidance at approximately 15 days. The gap between federal and state requirements is highest for Medicaid managed care, where CMS §438.10 verification requirements and state Medicaid agency contracts stack independently. Plans with multi-state footprints must operationalize the most restrictive applicable standard per state-product combination.


How Much Can Insurers Be Fined for Provider Directory Errors

Insurer fines for provider directory errors range from $100 per member per day under state enforcement frameworks to multi-million dollar settlements in ghost network cases — with the actual financial exposure for most health plans being far larger from member hold-harmless obligations and class action liability than from regulatory fines alone. State fines typically run $100 to $500 per violation per day, with some states imposing per-member-affected calculations. CMS Medicare Advantage sanctions reach up to $25,000 per plan per year for directory violations on their own, with higher exposure when bundled with network adequacy deficiencies. Medicaid managed care plans face state Medicaid agency liquidated damages under managed care contracts — these contractual penalties can reach $10,000 to $50,000 per audit finding depending on the state and contract terms. The largest financial exposure pathway for most plans is not the regulatory fine but the combination of member hold-harmless liability and class action tort exposure associated with ghost network conditions.

Consequences of Ghost Networks in Insurance Provider Directories

Ghost networks — provider directories that list clinicians who are not actually accepting new patients, are no longer in-network, or never participated in the network — expose health plans to regulatory fines, state attorney general enforcement, class action lawsuits, and CMS contract termination. Ghost networks create the appearance of adequate provider access while members face significant barriers to care. State insurance departments and AGs have pursued ghost network enforcement under consumer protection statutes — not just insurance regulations — which expands the liability surface beyond standard regulatory channels. The New York AG's 2016 ghost network investigation of major insurers established significant enforcement precedent. The NSA creates a new federal hook: a ghost network entry that causes a member to seek care they believe is in-network triggers the hold-harmless obligation. The intersection with mental health parity is a further exposure: ghost networks in behavioral health directories carry additional liability under MHPAEA, where federal and state regulators have become increasingly aggressive.

Medicaid vs. Commercial Plan Provider Directory Penalties

Medicaid managed care plans face a dual penalty structure for provider directory inaccuracy — regulatory sanctions from state Medicaid agencies under 42 CFR §438.10 and contractual liquidated damages that can exceed $50,000 per audit deficiency finding — making Medicaid directory compliance materially higher-risk than commercial plan compliance. State Medicaid agencies conduct periodic network adequacy and directory accuracy reviews — findings feed into contract performance scorecards affecting capitation rate negotiations and contract renewal. Liquidated damages in most Medicaid MCO contracts are pre-negotiated contractual penalties per violation per day, not discretionary regulatory fines, providing less flexibility for plans to negotiate after the fact. Commercial fully insured plans face state insurance department fines plus NSA hold-harmless exposure. Self-funded ERISA plans face federal-only exposure under DOL, HHS, and Treasury enforcement of NSA, with state fines generally preempted. A plan operating Medicaid plus commercial plus self-funded products simultaneously faces three distinct penalty regimes requiring separate compliance tracking and documentation.


The Real Cost of Non-Compliance: Beyond the Fine

The true cost of provider directory non-compliance extends well beyond regulatory fines — health plans face member hold-harmless obligations, balance billing liability, class action exposure, CMS audit sanctions, and competitive damage from public enforcement actions. The hold-harmless exposure is quantifiable: if 1,000 members per year rely on inaccurate directory entries and receive out-of-network care, the cost-sharing differential between in-network and out-of-network rates can represent millions in unbudgeted claims costs depending on plan structure. CMS audit findings are public documents — directory deficiency citations appear in CMS audit reports that brokers, employers, and state regulators review when evaluating plan relationships. State insurance department consent orders related to directory accuracy are also public record. Media coverage of ghost networks has become a mainstream consumer story, with national outlets covering behavioral health ghost network enforcement with increasing frequency. Reputational damage from a publicized enforcement action can suppress enrollment growth for multiple contract years.


Building a Directory Accuracy Compliance Program

A defensible provider directory compliance program requires three operational components: a continuous verification workflow that meets the most restrictive applicable state update frequency per product line, a systematic provider outreach and attestation process documented for audit purposes, and real-time exception alerting when directory data falls outside accuracy thresholds. The compliance gap for most health plans is structural — they rely on point-in-time audits rather than continuous monitoring, which creates recurring accuracy failures between audit cycles. Required program elements include: data ingestion from multiple sources (provider enrollment, credentialing, claims, NPPES); automated discrepancy detection; provider outreach and attestation workflows with documented timestamps; a state-specific rules engine that applies the correct update frequency and penalty thresholds by product and state; and an audit trail for regulatory examination. Provatus is purpose-built for health plan compliance officers managing multi-state, multi-product directory accuracy obligations, providing the technology infrastructure that operationalizes all five program elements at scale.

Frequently Asked Questions

What are the federal penalties for inaccurate provider directories?

Federal penalties for provider directory inaccuracy include civil monetary penalties up to $25,000 per plan per year under CMS Medicare Advantage rules, and member hold-harmless obligations under the No Surprises Act when inaccurate entries cause members to unknowingly receive out-of-network care. CMS can also impose intermediate sanctions, including suspension of marketing and enrollment, which carry greater operational impact than financial penalties alone.

How much can insurers be fined for provider directory errors?

Insurer fines for provider directory errors range from $100 to $500 per violation per day under state insurance department frameworks, up to $25,000 per plan per year under CMS Medicare Advantage regulations, and $10,000 to $50,000 per audit deficiency under Medicaid managed care contracts. Multi-million dollar enforcement actions have been issued in states like California for systematic directory inaccuracy and ghost network violations.

What are the No Surprises Act provider directory accuracy requirements?

The No Surprises Act requires health plans to update provider directory information within 2 business days of receiving notice of a provider status change and to verify all directory entries at least every 90 days. If a member relies on an inaccurate directory entry, the plan must cover that care at in-network cost-sharing rates and hold the member harmless for any balance billing — creating significant financial exposure beyond regulatory fines.

Which states have the strictest provider directory accuracy laws?

California, New York, Illinois, and Texas are consistently the strictest states for provider directory accuracy. California's DMHC requires updates within 5 business days and has issued fines exceeding $1 million for ghost network violations. New York requires quarterly network adequacy certifications. Illinois mandates 2-business-day updates and proactive member notification when a provider leaves the network.

What is a ghost network in health insurance?

A ghost network is a provider directory that lists clinicians who are not actually available, not accepting new patients, or no longer participating in the health plan's network. Ghost networks expose health plans to state attorney general enforcement, class action lawsuits, CMS audit sanctions, and — under the No Surprises Act — member hold-harmless obligations for any care a member sought based on the inaccurate listing.

What are the provider directory requirements for Medicaid managed care plans?

Medicaid managed care plans must comply with 42 CFR §438.10, which requires accurate provider directories updated within state-specified timeframes, plus individual state Medicaid agency contract requirements. Penalties include both regulatory sanctions and contractual liquidated damages that can reach $50,000 per audit deficiency finding — making Medicaid directory compliance structurally higher-risk than commercial plan compliance.

How often must health plans update their provider directories?

Under the No Surprises Act, health plans must update online provider directories within 2 business days of receiving provider status changes and verify all entries every 90 days. However, state requirements vary: Illinois requires 2-business-day updates; Texas allows 10 business days; California requires 5 business days. Plans must comply with whichever standard — federal or state — is most restrictive for each product type and state.

Are self-funded ERISA plans subject to state provider directory accuracy laws?

Self-funded ERISA plans are generally preempted from state provider directory accuracy laws and face only federal enforcement under the No Surprises Act, enforced by HHS, DOL, and Treasury. Fully insured commercial plans, however, face both federal and state requirements — and must comply with the stricter of the two. This distinction makes product-type identification essential for building a compliant directory program.
