Directory accuracy isn't optional anymore.
The No Surprises Act, state penalties, and the operational discipline required to keep your directory honest.
Provider directory accuracy has been a CMS concern for years. Plans have been cited for directories that listed providers who had left the network, showed wrong addresses, or included specialists who weren't accepting patients. The enforcement was real but episodic. The No Surprises Act changed the risk profile materially — and many plans haven't fully absorbed what that means for their directory operations.
What the No Surprises Act actually requires
Under the NSA and its implementing regulations, health plans are required to verify the accuracy of provider directory information at least every 90 days. If a member relies on a directory listing to seek care from a provider who turns out to be out-of-network, the plan may be required to cover that care at in-network cost-sharing rates — and if the directory was demonstrably inaccurate, the plan faces civil monetary penalty exposure.
The 90-day verification requirement is not aspirational. CMS expects plans to have a documented process for confirming that every provider in the directory is still contracted, still credentialed, still practicing at the listed location, and still accepting patients of the relevant plan type. A directory that is verified once at go-live and then left to decay does not meet this standard.
State insurance departments have layered their own requirements on top of federal standards. Several states have directory accuracy requirements that are stricter than CMS — more frequent verification intervals, specific notice requirements when a provider leaves the network, and civil penalties for inaccuracies that cause member harm. If you operate in multiple states, you are managing a patchwork of requirements that do not always align.
The operational problem
Directory accuracy fails for predictable reasons. Providers move their practices. Groups merge or split. Physicians retire or reduce their patient acceptance. Hospital affiliations change. Insurance contracts terminate. Each of these events should trigger an update to the directory — but in most organizations, the information path from the event to the directory is not automatic. It depends on someone noticing the change and taking action, which means it often doesn't happen until a member complains or a regulator audits.
The specific errors that appear most frequently in CMS audits:
- Ghost providers: Providers who are listed as participating but whose contracts have terminated — often through practice closure or system acquisition — without the directory being updated.
- Wrong location: Providers who have moved their practice address since the directory was last updated. For specialists, this is common — a physician may have hospital affiliations and multiple outpatient locations, only some of which accept the plan.
- Wrong accepting status: Providers listed as accepting new patients who have closed their panel. This is particularly common in primary care, where panel closure is often informal and not communicated to health plans.
- Wrong phone number: Numbers that have changed, go to a fax, or reach a call center rather than the practice scheduling line. A member who calls an incorrect number and cannot reach the provider effectively has no access, regardless of what the directory says.
Building a verification program that actually works
A functional directory verification program has three components:
Quarterly outreach verification.A systematic process of contacting every provider in the directory — by phone, by secure portal, or through a credentialing data exchange — to confirm that the listed information is current. This doesn't have to be done all at once; you can spread it across the quarter by cohort. What it cannot be is a paper exercise where you send a form and assume silence means accuracy.
Event-triggered updates. A process that captures directory-relevant events in real time: contract terminations, credentialing non-renewals, CAQH address updates, NPI deactivations. Each of these should trigger an automatic directory review, not a weekly batch process. The gap between when a change occurs and when it appears in the directory is your compliance exposure window.
Member feedback integration. Members who call and find that a provider is no longer at the listed address, no longer accepting patients, or no longer in-network are giving you real-time directory audit information. Those complaints should flow back to the directory team as a matter of process, not as an exception.
Your directory is a legal document. If a member relies on it and it is wrong, that is not a member services problem. It is a compliance problem.
Who owns directory accuracy
The reason directory accuracy problems persist is that ownership is genuinely ambiguous in most organizations. IT manages the system. Network management owns the provider relationships. Credentialing owns the underlying provider data. Member services gets the complaints. Compliance owns the regulatory exposure. Without a designated owner who is accountable for the accuracy of what members actually see, the directory becomes everyone's responsibility and nobody's job.
Designating a directory accuracy owner — with the authority to trigger updates across all connected systems, the accountability for the quarterly verification cycle, and the escalation path when a provider update is contested — is the governance decision that enables everything else to work. The technology and the processes can be built. Without ownership, they decay.
Ready to start?
Two weeks. A build plan worth running.
Fixed fee, no commitment past the diagnostic. You walk out with a plan — whether you run it with us or not.
Schedule the diagnostic