Most Medicare Advantage teams know their provider directories are far from perfect. Records get patched before audits, outreach runs on annual cycles, and the work gets done well enough to satisfy internal benchmarks.
What CMS-4208-F2 changes is the audience.
Starting with Plan Year 2027, your directory data will not just live in your systems. It will be what CMS uses to show beneficiaries which doctors are in your network when they compare plans on Medicare Plan Finder. That raises the stakes considerably, and it means the way most plans have been managing this work is no longer sufficient.
Here is what the rule actually requires, where the operational gaps are showing up, and what your team needs to do before October 2026.
What CMS-4208-F2 Actually Requires
Finalized September 19, 2025 and applicable from January 1, 2026, CMS-4208-F2 amends 42 CFR 422.111 with four core obligations for all MA organizations:
|
Requirement
|
What It Means
|
|
Submit directory data to CMS
|
Make in-network provider and facility data available for publication on Medicare Plan Finder
|
|
30-day update window
|
Update your directory within 30 days of becoming aware of any provider change
|
|
Annual attestation
|
Attest in HPMS that submitted data is accurate and complete
|
|
CMS-specified format
|
Submit via a publicly accessible API endpoint registered in HPMS
|
One important clarification: CMS did not finalize the proposal requiring plans to certify that directory data matches network adequacy filings. That proposal was withdrawn, not relaxed. Auditors will still flag inconsistencies between the two datasets.
How CMS Will Collect and Display This Data
CMS is rolling this out in three phases.
Phase One (CY 2026): CMS partnered with SunFire Matrix, Inc. as an interim solution to populate the 2026 Medicare Plan Finder. Your network data on this year's Plan Finder came from that vendor.
Phase Two (CY 2027): Beginning October 1, 2026, CMS will ingest provider data directly from MA plans' own publicly accessible directory APIs. For Plan Year 2027, CMS accepts either a FHIR-based JSON API or a machine-readable JSON file. The JSON file option is temporary. All plans are expected to transition to FHIR APIs in future phases.
Phase Three (Future): CMS has begun developing a National Provider Directory built on FHIR infrastructure, designed to serve as shared connective tissue across payers, providers, and data networks.
The critical timeline for your team:
- By February 2, 2026: Register your API endpoint in HPMS
- May 4 to August 31, 2026: CMS testing window; daily data validation begins
- September 1, 2026: Attestation deadline in HPMS
- October 15, 2026: Annual Enrollment Period opens
Two Data Gaps Most Plans Have Not Fixed
Many MA organizations assumed their existing FHIR infrastructure, maintained since July 2021, would carry them through CMS-4208-F2. In practice, two structural gaps are surfacing consistently.
Gap 1: Missing contract-plan-segment IDs
Each MA plan must now be associated with a combined Contract/Plan/Segment identifier. For example, Contract Plan Segment: H9995 003 001 will appear as “H9995003001.” CMS needs this identifier to map provider data to specific plans within Plan Finder. This requirement did not exist under earlier interoperability rules, which means it frequently does not exist in current implementations.
Gap 2: Provider linkage stops at the network, not the plan
CMS requires a traceable relationship from the MA plan to its specific network, and from that network down to individual providers. In many current FHIR implementations, the relationship ends at the network level.
A provider may be correctly tied to a network, but if that network is not clearly linked to a specific MA plan with its contract-plan-segment ID, CMS validation will fail. This is one of the most common structural problems in existing implementations, and it has direct consequences for Plan Finder visibility.
What Suppression Actually Means for Enrollment
Suppression is CMS's enforcement mechanism, and its timing makes it consequential. According to the CMS Technical Implementation Guide, CMS may suppress a plan's provider directory from Medicare Plan Finder when:
- The plan fails to complete the HPMS attestation by September 1, 2026
- Data quality issues exceed CMS's published threshold
- The registered endpoint fails validation during testing
When a plan is suppressed, beneficiaries on Medicare Plan Finder during AEP cannot see that plan's provider network. For someone deciding whether their doctor is in network before enrolling, that absence effectively removes the plan from consideration. The AEP runs October 15 through December 7, 2026. A suppression event during that window is not a recoverable situation for plans in competitive markets.
CMS-4208-F2 and the REAL Health Providers Act: Two Rules, One Data Problem
These two regulations address the same root problem from different angles, on different timelines.
| |
CMS-4208-F2
|
REAL Health Providers Act
|
|
Finalized / Signed
|
September 19, 2025
|
February 3, 2026
|
|
Primary obligation
|
Submit directory data to CMS for Plan Finder
|
Verify, maintain, and publicly score directory accuracy
|
|
Key deadline
|
September 1, 2026 attestation; October 1, 2026 AEP
|
Plan year 2028 compliance; 2029 public scores
|
|
Enforcement
|
Directory suppression on Plan Finder
|
Cost-sharing liability; public accuracy score
|
CMS-4208-F2 creates the submission pipeline. The REAL Health Providers Act, signed as part of the Consolidated Appropriations Act, 2026, governs the quality of what flows through it. MA organizations must now verify every provider record at least every 90 days. Unverified records must carry an explicit data-unverified indicator. When a provider leaves the network, their listing must be removed within five business days.
Starting with plan year 2028, plans must conduct an annual accuracy analysis and submit the score to HHS. By 2029, CMS will publish those scores publicly, and plans must display them prominently on their own directories. The data you submit for Plan Finder under CMS-4208-F2 will eventually carry a public accuracy rating next to it.
This matters now because 58% of members have found at least one error in provider directories, whether a wrong phone number, incorrect address, or outdated patient acceptance status. That is the baseline CMS is working from, and the baseline your accuracy score will be measured against.
A Practical Readiness Checklist for Your Team
Before the May testing window opens, your team should be able to answer yes to all of the following.
Technical infrastructure
- Provider directory API endpoint registered in HPMS
- Endpoint is publicly accessible and configured for daily crawling
- Submission format confirmed as FHIR-based JSON API or machine-readable JSON file
Data structure
- Contract-plan-segment IDs defined for every MA plan
- Clear plan-to-network-to-provider data relationships in place
Operational timelines
- 30-day update cycle tracked for all provider changes
- September 1, 2026 attestation deadline confirmed with executive leadership
REAL Act readiness
- 90-day verification cycle infrastructure in place or in development
- Process to flag and label unverified provider records
- Capability to remove departed providers within five business days
PRIME® by Atlas Systems is built to manage this infrastructure: maintaining plan-to-provider data relationships, running continuous monitoring against active rosters, and keeping directory records current at the pace these regulations now demand.
See how PRIME® supports MA directory compliance. Get a demo today!
FAQs
What is CMS-4208-F2 and who does it apply to?
CMS-4208-F2 is a final rule published September 19, 2025, requiring all Medicare Advantage organizations to submit in-network provider and facility data to CMS for publication on Medicare Plan Finder, beginning with Plan Year 2027. It applies to every MA organization, regardless of size or market.
What happens if a Medicare Advantage plan fails CMS validation under CMS-4208-F2?
CMS can suppress that plan's provider directory from Medicare Plan Finder. During the Annual Enrollment Period, suppression means beneficiaries cannot see your network when comparing plans, creating a direct enrollment risk. Suppression lifts the day after the issue is resolved, but any gap during AEP is difficult to recover from.
What is the difference between CMS-4208-F and CMS-4208-F2?
CMS-4208-F was published April 15, 2025 and finalized several provisions from the December 2024 proposed rule. The provider directory formatting requirement for Plan Finder was not included in that rule. CMS-4208-F2, published separately on September 19, 2025, finalized that remaining provision to give MA plans maximum lead time before Plan Year 2027.
Can MA plans use a JSON file instead of a FHIR API to comply with CMS-4208-F2?
Yes, for Plan Year 2027. CMS accepts both a machine-readable JSON file and a FHIR-based JSON API. The JSON file option is a temporary accommodation modeled after the Marketplace format. Plans will need to transition to FHIR APIs in subsequent phases, as Phase Three of this initiative is built entirely on FHIR infrastructure.
How does CMS-4208-F2 relate to the REAL Health Providers Act?
CMS-4208-F2 establishes the submission requirement: your directory data feeds Medicare Plan Finder. The REAL Health Providers Act sets the accuracy standards that determine whether what you're submitting is reliable enough to hold up publicly. Meeting the submission deadline while continuing to manage directory data reactively is not a viable long-term position under either rule.
.png?width=869&height=597&name=image%20(5).png)
-1.png?width=486&height=315&name=IDC%20Banner%20(1)-1.png)
.png?width=300&height=175&name=Rectangle%2034624433%20(2).png)
Provider Data Management
Provider-Payer Connect
Provider Credentialing
Provider Compliance Monitoring
Provider Directory Fulfillment
.webp)
.png)
.webp)