The CMS Network Adequacy Attestation Process: What Plans Must Certify

The Legal Weight of the CMS Network Adequacy Attestation

The network adequacy attestation filed through HPMS is not an administrative checkbox — it is a legal certification made by an authorized officer of the plan under the regulatory authority of 42 CFR 422.116 and the plan's Medicare Advantage contract with CMS. By signing the attestation, the authorized officer certifies that the information submitted in the network adequacy filing is accurate and complete to the best of their knowledge, that the plan's contracted network meets all applicable CMS adequacy standards, and that the plan has a documented process for maintaining and monitoring network adequacy throughout the contract year.

The legal consequences of a false attestation are significant. CMS treats material misrepresentations in the network adequacy attestation as contract violations subject to enforcement under 42 CFR 422.756, which authorizes intermediate sanctions and civil monetary penalties. In cases involving willful or knowing misrepresentation, the False Claims Act may also apply, with potential exposure to treble damages and exclusion from federal health programs. These are not theoretical risks — CMS has pursued enforcement actions against MA plans for network adequacy attestation inaccuracies, and the combination of regulatory penalties and reputational consequences can be existential for smaller plans.

The practical implication is that the attestation process must be treated with the same rigor as any other legal certification filed with a federal regulator. The authorized officer who signs the attestation must have genuine confidence in the accuracy of the data underlying it, based on documented review of that data by qualified network operations staff. An attestation signed without a documented review process — or based on data that has not been independently verified against the credentialing system of record — creates legal exposure for the signing officer individually as well as for the organization.

What the HPMS Attestation Covers

The HPMS network adequacy attestation covers three substantive areas. First, it certifies the accuracy of the provider data uploaded to HPMS: that the providers listed are contracted with the plan, that their specialties and locations are correctly identified, that their participation start dates are accurate, and that their panel status reflects their actual willingness to accept new plan members. Second, it certifies that the plan's contracted network meets CMS time-distance adequacy standards in all counties included in the plan's service area for all required specialty categories. Third, it certifies that the plan has the operational infrastructure to maintain network adequacy throughout the contract year — specifically, a monitoring program and a process for filing amendments when adequacy-threatening changes occur.

The provider data certification is the most granular and most operationally demanding component. Plans must upload complete, accurate provider data for every contracted provider in every service area county, including NPI, specialty taxonomy code, practice location address (not just the provider's primary office, but all locations where they see the plan's members), participation start date, and accepting-new-patients status. Errors in any of these fields affect not just the directory compliance posture but the adequacy calculation itself, since HPMS uses these fields to determine whether a provider counts toward adequacy and at which geographic location.

The infrastructure certification is the component that plans most often underestimate. Certifying that the plan has a monitoring program requires that the monitoring program actually exist in a documented and operational form before the attestation is signed — not as a planned future initiative, but as a functioning process with assigned ownership, documented procedures, and a record of prior execution. Plans that are simultaneously building their monitoring program and filing their attestation are certifying the existence of something that does not yet exist in the form they are describing, which creates the same legal exposure as a data accuracy misrepresentation.

Authorized Officer Requirements: Who Can Sign

CMS requires that the network adequacy attestation be signed by an authorized officer of the plan — defined in the MA contract as an individual who has the legal authority to bind the organization to the representations made in the attestation. In practice, this means a C-suite officer (CEO, COO, CMO, or CFO) or a senior vice president with explicit delegated authority from the board or executive leadership. A director or manager-level employee cannot be the signing officer for the attestation, regardless of how knowledgeable they are about the underlying network data.

The authorized officer requirement exists precisely because the attestation carries legal weight. CMS wants to ensure that the certification is made by someone who has organizational accountability for its accuracy — not simply a staff member who processed the HPMS upload. In the event of a subsequent compliance finding, the identity of the attestation signatory is a material fact in determining whether the organization acted in good faith and what level of organizational awareness existed at the time the certification was made.

Plans should maintain a clear delegation of authority framework that specifies who is authorized to sign CMS attestations, how that authority is documented, and what the process is if the designated authorized officer is unavailable at the time the attestation window closes. The authorized officer cannot simply designate a subordinate at the last minute without documented authority — an attestation signed by someone outside the defined authority framework may be treated as procedurally deficient by CMS, and remediating a deficiency of this type during the bid deadline period is operationally disruptive.

Common Attestation Errors That Trigger Deficiency Notices

CMS issues deficiency notices when submitted attestation data contains errors that either undermine the accuracy of the underlying adequacy calculation or reveal process failures in the plan's compliance program. The most common trigger is provider data inaccuracies that affect the adequacy count: providers listed with incorrect specialty taxonomy codes, providers whose practice locations do not match NPPES records, and providers listed as accepting new patients who have informed the plan or CMS's secret shopper program that they are not accepting new patients. Each of these errors affects the adequacy score directly and, if material to the adequacy determination in a county, may result in a finding that the plan's attestation was inaccurate.

The second most common trigger is the inclusion of providers whose participation agreements were not fully executed at the time of the attestation. CMS has been explicit that providers whose credentialing is not complete, whose agreements have not been countersigned by both parties, or whose participation start dates fall after the plan year start date should not be included in the adequacy submission. Plans that include pipeline providers to bolster their adequacy count and are subsequently found to have included providers who did not actually participate in the plan as of the attestation date face both an adequacy deficiency and a data accuracy violation.

Attestation errors related to county coverage are a third significant category. Plans sometimes include or exclude counties from their HPMS service area in ways that do not match their CMS-approved service area as defined in their contract. Including a county that is not in the approved service area inflates the adequacy analysis with data CMS does not recognize; excluding a county that is in the approved service area creates a gap that CMS will flag as an incomplete submission. Plans should reconcile their HPMS service area configuration against their current CMS contract county list before loading provider data to avoid this category of error entirely.

Provisional vs. Final Attestation: Key Distinctions

CMS's HPMS process for network adequacy submissions distinguishes between a provisional filing — data uploaded and adequacy checks run, but not yet formally attested — and the final attestation — the signed legal certification that the submission is complete and accurate. Plans can and should use the provisional filing phase to identify and correct errors before the authorized officer signs the final attestation. The HPMS adequacy checks run automatically against uploaded provider data and flag deficiencies, taxonomy mismatches, and geographic coverage gaps; these flags are visible to the plan in the provisional phase and provide an opportunity for correction.

The practical implication is that plans should plan for at least two rounds of HPMS data loading before the final attestation is signed. The first round loads the complete provider dataset and generates the automated adequacy check output. The plan then reviews the output, corrects identified errors (data mapping issues, taxonomy corrections, panel status updates), and loads a revised dataset. Only after the revised dataset passes all automated checks — or after the plan has documented its response to each flagged deficiency — should the authorized officer sign the final attestation.

Plans that go directly from initial data load to final attestation without a provisional review phase forgo the opportunity to catch and correct errors that the HPMS automated checks would have identified. This increases the probability that the final attestation certifies inaccurate data, which creates the remediation and enforcement exposure described above. The additional time required for a provisional review — typically five to seven business days — is a worthwhile investment against the cost of a post-submission deficiency finding.

Post-Submission Attestation Corrections

CMS allows plans to submit corrections to the network adequacy filing after the initial attestation, subject to procedural requirements and timing constraints. Minor corrections — correcting a provider's address, updating a taxonomy code, adding a provider whose credentialing completed after the initial submission — can typically be submitted as amendments to the HPMS filing without requiring a new full attestation, provided the corrections do not materially change the adequacy determination for any county-specialty combination.

Material post-submission corrections — those that reveal a county-specialty deficiency that was not disclosed in the original attestation, or that remove a significant number of providers from the adequacy count — are treated differently. These corrections may require a formal amendment filing with accompanying documentation, a revised attestation signed by the authorized officer, and in some cases an explanation of why the original attestation contained inaccurate data. Plans that discover material errors in their submission should contact their CMS Regional Office immediately rather than attempting to correct the errors silently through the HPMS amendment process, as proactive disclosure is a mitigating factor in enforcement proceedings.

The timing of post-submission corrections matters significantly. Corrections filed before the bid deadline have a different regulatory posture than corrections filed after the plan has received its contract approval. Pre-deadline corrections are generally treated as part of the normal submission review process; post-approval corrections may require formal contract modification and trigger a more detailed compliance review. Plans should set an internal deadline for identifying all material corrections at least four weeks before the bid deadline to maximize the window for pre-deadline resolution.

How Blueprint's Audit Trail Supports Attestation Confidence

The authorized officer who signs the network adequacy attestation needs to have documented assurance that the underlying data is accurate — not simply an assertion from the network operations team that everything looks good. Blueprint's audit trail provides that documented assurance by recording every change to the provider dataset, every adequacy calculation run, and every exception disposition from the initial gap analysis through the final HPMS data upload.

The audit trail captures the specific data points that matter most for attestation confidence: for each contracted provider, it records the date the participation agreement was fully executed, the date credentialing was completed, the date panel status was last confirmed through attestation, and the date the provider's record was last verified against NPPES. This documentation directly addresses the most common categories of attestation error — unexecuted agreements, incomplete credentialing, and unverified panel status — by making those conditions visible before the attestation is signed rather than after a deficiency notice is received.

Blueprint also generates an attestation readiness report that summarizes, at the county-specialty level, the adequacy score, the number and identity of providers contributing to that score, the date of the last data verification for each contributing provider, and any exceptions or caveats. This report is designed to be reviewable by the authorized officer in advance of signing — providing a single document that supports an informed attestation decision rather than requiring the signing officer to navigate raw HPMS output or spreadsheet data they may not be equipped to interpret. When the attestation is eventually challenged in an audit, the Blueprint audit trail and attestation readiness report constitute contemporaneous documentation of the plan's compliance process — the most valuable evidence a plan can have in that situation.