Skip to main content
InsureLytix
Customers
Free readiness checkBook a demo
InsureLytix

Provider directory, FHIR Plan-Net, and network adequacy analytics for U.S. Medicare Advantage plans. CMS-compliant by default.

InsureLytix Inc. · Dover, Delaware

hello@insurelytix.com

Product

  • Provider search
  • FHIR Plan-Net API
  • Network gap analytics
  • All modules

Solutions

  • New & launching plans
  • Small & regional plans
  • Provider-led going payer
  • D-SNP plans
  • Medicare Advantage
  • All solutions

Resources

  • Compliance hub
  • Compliance readiness check
  • Customer stories
  • Blog
  • Network adequacy guide
  • FHIR Plan-Net checklist

Company

  • About
  • Contact
  • Security
  • Sign in

Legal

  • Privacy
  • Terms
  • Cookies
  • Accessibility
HIPAA-aligned CMS-0057-F FHIR R4 Plan-Net Section 508 / ADA
© 2026 InsureLytix Inc.. All rights reserved.
Back to blog
Compliance·6 min read

The No Surprises Act's directory rules, and what slipping them costs

Beyond CMS, the No Surprises Act puts its own clock on health-plan directories: verify every 90 days, update within two business days, answer a member's network question within one. What the rules say, and the penalty exposure when a plan misses.

Published May 8, 2026 · InsureLytix Editorial

When Medicare Advantage teams talk about directory accuracy, they usually mean CMS. But there is a second regime running in parallel for plans subject to it: the No Surprises Act, which built provider-directory obligations directly into federal law and attached a per-day, per-member penalty to getting them wrong. The two regimes overlap in spirit and differ in the specifics, and a plan that engineers for one tends to satisfy the other.

What the directory rules actually require

The directory provisions (codified at 45 CFR §149.310) put concrete clocks on a plan's directory. The core obligations:

  • Verify provider-directory information at least once every 90 days.
  • Process an update within two business days of receiving it.
  • Respond to a member's request about whether a provider is in network within one business day, and retain that communication.
  • Remove a provider from the directory when their information has not been verified within the plan's specified period.

Notice the shape of these. They are not 'keep the directory good.' They are process requirements with timestamps, which means compliance is something you demonstrate with a log, not assert in a policy document.

What it costs to miss

The Act's enforcement framework provides for civil monetary penalties of up to $100 per day for each individual affected by a violation. The headline number is rarely the real exposure; the real exposure is that the violation is multiplied across affected members and days, and that it surfaces through a member complaint at the worst possible moment.

A directory penalty is not a fine you budget for. It is a signal that a process you thought was running was not.

Why it pairs with the CMS work

The No Surprises Act's 90-day verification and the CMS REAL Act 90-day verification point in the same direction; a single continuous verification process can satisfy both. The one-business-day inquiry response is the obligation plans most often have no system for, because it sits between member services and directory operations. Building it once — a reliable way to answer 'is this provider in my network today' and keep the record — closes a gap in both regimes at the same time.

This is general information, not legal advice; whether and how the No Surprises Act applies depends on your plan and lines of business, so confirm with counsel. To see where directory verification sits in your overall readiness, the assessment scores it alongside the CMS requirements.

Ready when you are

Want to talk to the people who built this?

The blog is short. The conversation is longer. We come prepared with your stack in mind.

Book a 30-min demoRun the free readiness check