Provider Directory Accuracy Under CMS Rules: What Plans Must Maintain and How Often

The Regulatory Basis: 42 CFR 422.111(h)

Provider directory accuracy is not a best practice — it is a federal regulatory requirement codified at 42 CFR 422.111(h). This section of the Medicare Advantage regulations requires plans to maintain an accurate, complete, and searchable online directory of contracted providers and to make that directory available to current and prospective enrollees at no charge. The regulation was substantially strengthened in the 2017 final rule, which introduced specific enforceable standards around update frequency, data elements, and member-facing display requirements that had previously been left to plan discretion.

The underlying policy rationale is straightforward: a provider directory is the primary mechanism by which a member selects a plan and navigates care within it. If a member chooses a plan because their physician appears in the directory, and that physician has since left the network, the member has been materially misled about the value of their coverage. CMS treats directory inaccuracy not as a quality concern but as a consumer protection and access issue — with corresponding enforcement posture.

Plans operating Medicare Advantage contracts should also be aware that directory accuracy requirements exist at the state level for commercial and Medicaid lines of business, often with different update cadences and data element standards. This article focuses on the MA regulatory framework, but network ops teams managing multi-line books of business should maintain line-of-business-specific compliance matrices.

The 30-Day Update Requirement for Material Changes

42 CFR 422.111(h)(1)(i) requires plans to update their online provider directories within 30 calendar days of receiving information about a material change to a provider's network participation status. CMS defines material changes broadly to include: a provider terminating from the network (voluntary or involuntary), a provider joining the network, a change in the provider's practice location, a change in whether the provider is accepting new patients, and a change in the provider's languages spoken or accessibility accommodations.

The 30-day clock begins when the plan receives notification of the change — not when the plan processes or verifies it. This is an important distinction operationally. If a provider submits a termination letter on March 1, the directory must reflect that termination by March 31, regardless of where the plan's credentialing or provider data team is in the processing workflow. Plans that allow provider data changes to queue in a staging environment for batch processing may routinely miss this window.

In practice, high-performing plans maintain a real-time or near-real-time bridge between their provider credentialing system and their member-facing directory. Changes flagged as material in the credentialing workflow trigger an automated update to the directory feed without requiring manual intervention. Plans using legacy credentialing systems that batch-process changes weekly or biweekly need compensating controls — typically a manual override queue for urgent directory updates — to meet the 30-day standard.

CMS has also made clear that the 30-day requirement applies to information the plan receives through any channel — not just formal credentialing submissions. If a member calls to report that their physician is no longer at a listed address, that call is notice of a potential material change and should trigger a verification and update workflow. Plans should train member services staff to route directory discrepancy reports to provider data operations teams, not simply document them in the member's service record.

CMS Secret Shopper Programs: How Accuracy Is Tested

CMS does not rely solely on plan self-reporting to assess directory accuracy. Since 2016, CMS has conducted an annual provider directory accuracy study in which CMS contractors contact a statistically representative sample of providers listed in MA plan directories and attempt to verify the information displayed. The methodology mirrors what a member would do: call the listed phone number, ask whether the provider is accepting new MA patients, verify the address, and confirm whether the specialty listed matches the provider's actual practice.

The results of these studies are published publicly and have been consistently sobering. Across the studies conducted between 2016 and 2023, CMS found that a meaningful percentage of directory listings contained at least one inaccuracy — the most common errors being incorrect phone numbers, providers no longer at the listed address, and providers listed as accepting new patients who were not. CMS uses these results in plan oversight and they inform enforcement decisions.

Plans should build their own internal secret shopper programs modeled on the CMS methodology. An internal program serves two purposes: it gives the plan an independent view of directory accuracy that supplements attestation-based processes, and it provides documented evidence of proactive compliance effort that can be presented in a CMS audit or enforcement proceeding. A quarterly internal audit covering a random sample of 200-300 directory listings, with results tracked against a target error rate, is a defensible compliance program element.

Error Rate Tolerances and How CMS Calculates Them

CMS has not published a single, bright-line numerical error rate tolerance in its regulations. Instead, CMS evaluates directory accuracy in the context of the plan's overall compliance posture and the nature of the errors found. However, CMS audit guidance and enforcement letters make clear that an error rate above 25% in any single data element category — phone number, address, accepting-new-patients status — is considered a significant compliance deficiency warranting a corrective action plan.

CMS calculates error rates at the listing level: a listing is considered accurate only if all required data elements are correct. A listing with the correct address but an incorrect phone number counts as an inaccurate listing. This means that error rates compound across data elements — a plan with 95% accuracy on each of five data elements independently has a listing-level accuracy rate well below 95%. Plans that set internal targets at the data-element level rather than the listing level may be systematically underestimating their CMS-reportable error rate.

For enforcement purposes, CMS also distinguishes between errors that are directionally harmful to members and those that are merely administrative. A provider listed as accepting new patients who is actually not accepting them is a high-harm error — it causes members to attempt to establish care and be turned away, potentially delaying access. A provider listed at a suite number that has since changed within the same building is a lower-harm error. Corrective action plans typically prioritize the high-harm error categories.

Online vs. Print Directory Requirements

CMS requires MA plans to maintain an online provider directory that is searchable, updated per the 30-day standard, and accessible to members with disabilities in compliance with applicable accessibility requirements. Plans must also provide a printed directory upon request within three business days, at no charge. The print directory does not need to be updated on the same 30-day cycle — CMS recognizes the operational impracticality of continuously reprinting directories — but plans must maintain accurate print copies and track when the directory was last printed.

The online directory has specific display requirements under CMS rules. It must be searchable by provider name, specialty, and location. It must display the provider's address, phone number, specialty, board certification status where applicable, languages spoken, and whether the provider is accepting new patients. For hospital providers, it must display the hospital's Medicare certification status. Plans that display additional fields — group affiliation, telemedicine availability, cultural competency certifications — should ensure those fields are as rigorously maintained as the required fields, since member-reliance on any displayed information can create a directory accuracy compliance exposure.

Mobile directory applications present an additional compliance surface. If a plan offers a mobile app through which members can search for providers, that app is subject to the same accuracy and update requirements as the primary online directory. Plans that maintain separate data feeds for their web directory and their mobile app introduce a synchronization risk — discrepancies between the two can produce compliance findings even when the primary directory is accurate.

Member Harm Standards and When Directory Errors Become Compliance Events

Not every directory error rises to the level of a compliance event that CMS will pursue through formal enforcement. CMS's enforcement focus is on errors that result in or create meaningful risk of member harm. The clearest examples are: a member is denied care because the provider listed as in-network has actually terminated; a member incurs out-of-network cost-sharing because they selected a provider based on an inaccurate directory listing; or a member cannot access a specialist because the only listed specialist in their county is no longer practicing there.

When a member files a grievance or appeal citing a directory inaccuracy as the basis for an access or billing problem, that event elevates the underlying directory error from a data quality issue to a compliance event. CMS monitors plan grievance and appeals data as part of its ongoing oversight function, and patterns of directory-related grievances are a known trigger for focused audits. Plans should have a process for tagging grievances and appeals that have a directory inaccuracy as a contributing factor, and for feeding that information back into the directory update workflow.

CMS can impose civil monetary penalties for persistent directory inaccuracy and can require a corrective action plan that includes third-party auditing of the directory at plan expense. In the most serious cases — typically where directory inaccuracies have contributed to documented member harm at scale — CMS has used intermediate sanctions including enrollment freezes. The enforcement spectrum is wide, but plans should understand that CMS treats directory compliance as a consumer protection priority, not a technical paperwork requirement.

Building a Provider Attestation Process That Keeps Your Directory Current

The most durable mechanism for maintaining directory accuracy is a systematic provider attestation program in which providers themselves confirm the accuracy of their directory listing on a regular cadence. CMS has effectively endorsed this approach by requiring plans to make good-faith efforts to obtain provider attestations and to document those efforts. A well-designed attestation program transfers a portion of the accuracy burden to the provider — the party with first-hand knowledge of their practice status — while creating a documented compliance record for the plan.

Best-practice attestation programs operate on a quarterly cycle for high-volume or high-risk providers (primary care, mental health, OB/GYN) and a semi-annual cycle for lower-risk specialties. Attestation requests should be sent through multiple channels — provider portal, email, fax for practices that lack electronic infrastructure — and should include a pre-populated form showing the current directory listing so the provider is reviewing their actual listing rather than completing a blank form. The pre-populated approach significantly increases response rates and reduces the time providers spend on the attestation.

Plans should define an escalation protocol for providers who do not respond to attestation requests. After two unsuccessful outreach attempts, the provider's "accepting new patients" status should be changed to "unknown" or "call to confirm" in the directory until attestation is received. After a third failed attempt, the plan should consider initiating a site verification call through its provider relations team. Providers who cannot be contacted for attestation over a sustained period may need to be reviewed for network participation status — a provider who is unreachable may no longer be actively practicing.

Attestation data should flow directly into the credentialing system of record, not into a standalone spreadsheet or attestation-only database. When attestation data and credentialing data live in separate systems, synchronization failures are almost inevitable. The credentialing system should be the single source of truth for provider directory data, with the member-facing directory drawing directly from that system in real time or through a tightly controlled nightly feed.