InsureLytix
Back to blog
Compliance·6 min read

The No Surprises Act's directory rules, and what slipping them costs

Beyond CMS, the No Surprises Act puts its own clock on health-plan directories: verify every 90 days, update within two business days, answer a member's network question within one. What the rules say, and the penalty exposure when a plan misses.

Published May 8, 2026 · InsureLytix Editorial

When Medicare Advantage teams talk about directory accuracy, they usually mean CMS. But there is a second regime running in parallel for plans subject to it: the No Surprises Act, which built provider-directory obligations directly into federal law and attached a per-day, per-member penalty to getting them wrong. The two regimes overlap in spirit and differ in the specifics, and a plan that engineers for one tends to satisfy the other.

What the directory rules actually require

The directory provisions (codified at 45 CFR §149.310) put concrete clocks on a plan's directory. The core obligations:

  • Verify provider-directory information at least once every 90 days.
  • Process an update within two business days of receiving it.
  • Respond to a member's request about whether a provider is in network within one business day, and retain that communication.
  • Remove a provider from the directory when their information has not been verified within the plan's specified period.

Notice the shape of these. They are not 'keep the directory good.' They are process requirements with timestamps, which means compliance is something you demonstrate with a log, not assert in a policy document.

What it costs to miss

The Act's enforcement framework provides for civil monetary penalties of up to $100 per day for each individual affected by a violation. The headline number is rarely the real exposure; the real exposure is that the violation is multiplied across affected members and days, and that it surfaces through a member complaint at the worst possible moment.

A directory penalty is not a fine you budget for. It is a signal that a process you thought was running was not.

Why it pairs with the CMS work

The No Surprises Act's 90-day verification and the CMS REAL Act 90-day verification point in the same direction; a single continuous verification process can satisfy both. The one-business-day inquiry response is the obligation plans most often have no system for, because it sits between member services and directory operations. Building it once — a reliable way to answer 'is this provider in my network today' and keep the record — closes a gap in both regimes at the same time.

This is general information, not legal advice; whether and how the No Surprises Act applies depends on your plan and lines of business, so confirm with counsel. To see where directory verification sits in your overall readiness, the assessment scores it alongside the CMS requirements.

Ready when you are

Want to talk to the people who built this?

The blog is short. The conversation is longer. We come prepared with your stack in mind.

Book a 30-min demoRun the free readiness check