The 2026 CMS Final Rule: Three Changes That Will Cost Plans Real Money

Every year, the CMS Final Rule lands with a thud and network teams spend a week sorting out what actually changed. Most provisions are incremental. Some years, though, a handful of changes carry genuine financial exposure — the kind that CFOs should be tracking as operational cost items, not compliance footnotes.

2026 is one of those years. Three provisions in particular are going to cost plans real money: enhanced telehealth counting requirements, tightened appointment wait-time standards, and new provider directory attestation mandates. Here's what changed, what it costs to comply, and what happens if you don't.

1. Enhanced Telehealth Counting Requirements

What changed: CMS has tightened the criteria under which telehealth providers can be counted toward network adequacy calculations. The previous standard allowed plans significant latitude in counting telehealth capacity as equivalent to in-person access. The 2026 rule requires that telehealth providers counted toward adequacy thresholds demonstrate actual utilization rates — defined as having delivered at least 20 billable telehealth encounters to MA enrollees in the prior 12 months — not merely that a telehealth contract exists. Ghost providers count for nothing.

What it costs to comply: Plans that padded rural and frontier county adequacy with telehealth contracts they knew weren't being utilized are facing a reckoning. The remediation path has two branches, neither cheap. Option one: recruit and credential real in-person providers to close gaps — expect $50,000 to $150,000 in recruitment, contracting, and credentialing costs per county cluster with meaningful gaps, depending on specialty and geography. Option two: invest in making your telehealth relationships operationally real — that means onboarding support, member communication, referral workflow integration, and monitoring infrastructure. Plan for $30,000 to $80,000 in technology and operations spend to get a dormant telehealth arrangement to the utilization threshold, with ongoing maintenance costs of $15,000 to $40,000 annually per specialty line.

What happens if you don't: Telehealth providers that don't meet the utilization threshold are stripped from your adequacy calculations. If that removal creates gaps below CMS thresholds, you're in deficiency — triggering a corrective action timeline, a potential enrollment freeze in affected service areas, and civil monetary penalties that start at $25,000 per beneficiary per day for material violations. Plans that depended heavily on telehealth paper coverage should treat this as a priority audit item for Q2.

2. Tightened Appointment Wait-Time Standards

What changed: CMS has moved from a self-attestation model for appointment wait-time compliance toward a hybrid validation approach. Plans must now submit a statistically valid sample of appointment wait-time data — collected via member survey, provider attestation, or third-party audit — rather than simply certifying compliance. For primary care, the standard remains 15 days for non-urgent appointments. For behavioral health and specialist care, the 2026 rule adds a 30-day hard cap for non-urgent specialists and a 10-day cap for urgent behavioral health. Both are now subject to the same documentation requirement.

What it costs to comply: Building a defensible appointment wait-time monitoring infrastructure from scratch is a meaningful investment. Plans relying on annual paper surveys will need to move to continuous or quarterly sampling. Third-party vendors offering appointment access monitoring typically price at $120,000 to $280,000 annually for a mid-size MA plan, depending on service area breadth and specialty scope. Plans that build in-house will spend comparably on FTE, tooling, and provider outreach. The behavioral health piece carries additional cost — identifying which network providers have actual open panels for new MA patients (as opposed to contracted providers who stopped accepting new patients two years ago) requires active outreach and regular reverification. Budget $40,000 to $90,000 in operational cost annually for a meaningful behavioral health access monitoring program.

What happens if you don't: Member grievances related to appointment access are now a direct regulatory feed. CMS cross-references grievance data against plan attestations, and discrepancies are treated as potential misrepresentations. Plans with a pattern of access complaints and a compliance attestation on file face both the underlying deficiency finding and potential civil fraud exposure. More immediately: Stars. Access and complaints metrics account for a non-trivial portion of the Star Ratings calculation, and plans that move from 4 to 3.5 Stars lose meaningful quality bonus revenue — often $50 to $100 per member per year at scale.

3. New Provider Directory Attestation Requirements

What changed: CMS's 2026 rule establishes a 48-hour provider directory update standard with enhanced attestation requirements. Plans must now attest, at the time of submission, that each provider's directory record has been verified within the prior 180 days through direct provider contact — not through data feeds, NPI registry cross-checks, or enrollment data alone. The rule also mandates that plans document and retain the verification source, method, and date for each record. This is an audit-ready evidentiary standard, not a process standard.

What it costs to comply: The documentation burden here is significant and scales with network size. A plan with 5,000 unique provider records needs a reverification cadence touching roughly 830 providers per month to maintain 180-day currency. At an average of 12 to 20 minutes per outreach-and-documentation cycle (accounting for voicemail, callbacks, and data entry), that's 160 to 280 staff hours per month — $60,000 to $130,000 annually in labor cost at fully burdened rates, before technology. Provider directory management platforms that automate outreach, track response rates, and generate audit-ready logs run $80,000 to $200,000 per year for mid-size plans. Plans that aren't using purpose-built tools will find the manual burden unsustainable.

What happens if you don't: CMS has made clear that inaccurate provider directory data is a patient safety issue, not just an administrative one. Members who rely on a directory to find an in-network provider, then discover that provider has retired or stopped accepting their plan, face real harm. Enforcement history shows that directory accuracy deficiencies are increasingly treated as a pattern — one finding opens the door to a broader audit of your verification processes. Plans that cannot produce the required documentation for a reasonable sample of records during a HPMS audit should expect a corrective action plan, public disclosure, and penalties that compound quickly.

None of these three changes are impossible to comply with. All three are expensive to comply with correctly. The CFOs and COOs who treat compliance investment as a cost of avoiding a larger cost — enforcement, Stars penalties, enrollment freezes — are the ones who won't be surprised by the bill when it comes.