
The No Surprises Act was signed into law in 2020, took effect in January 2022, and has been generating litigation, rulemaking disputes, and compliance headaches ever since. Four years in, the federal IDR portal received nearly 1.2 million cases in just the first half of 2025.

Significant provisions remain partially implemented. Court rulings have created genuine uncertainty around how IDR awards get enforced. And health plans are still fielding member complaints that a fully functioning compliance program should have prevented.

The law's intent was straightforward: remove patients from billing disputes they never chose to be part of. The operational reality has proven considerably more complicated.

Here is where the requirements stand in 2026, what remains unresolved, and what your team needs to address before enforcement catches up.

What the No Surprises Act Actually Prohibits

The law restricts when out-of-network providers can bill patients beyond their in-network cost-sharing amounts. Three core prohibitions define its scope:

  • Emergency services: Patients cannot be charged more than in-network cost-sharing for emergency care, regardless of whether the provider or facility is in their plan's network
  • Non-emergency services at in-network facilities: Out-of-network ancillary providers including anesthesiologists, radiologists, pathologists, neonatologists, and assistant surgeons cannot balance bill patients at an in-network hospital or ambulatory surgical center unless the patient provides clear written consent well in advance
  • Air ambulance services: Out-of-network air ambulance providers are covered; ground ambulance services remain excluded, though several states have moved independently to close that gap

The notice-and-consent exception is narrow. It cannot be used for emergency care or the ancillary specialties listed above. When it does apply, consent must be obtained before the service is rendered. Retroactive consent does not satisfy the requirement.

Which Health Plans and Providers Must Comply

The NSA applies to group health plans, individual and group health insurance, and Federal Employees Health Benefits plans. It does not apply to Medicare, Medicaid, Medicare Advantage, TRICARE, VA health care, or Indian Health Services.

| Covered | Not Covered |
| --- | --- |
| Employer group health plans (insured and self-insured) | Medicare and Medicare Advantage |
| Individual and group health insurance | Medicaid |
| ACA marketplace plans | TRICARE, VA, Indian Health Services |
| FEHB plans | Ground ambulance services |

One critical nuance: Self-insured employer plans are subject to federal law but exempt from state insurance regulation. State surprise billing laws, regardless of how strong, do not extend to self-insured plans. For plans managing a self-insured book of business, the federal NSA is effectively the only framework that applies.

Provider Directory Requirements Under the No Surprises Act

The NSA established specific standards for how health plans must maintain provider directories. The obligations are operational, not just aspirational:

  • Verify every provider listing at least once every 90 days
  • Update directory information within two business days of receiving a change notification from a provider
  • Remove providers who do not respond to verification outreach rather than leaving unverified records in place
  • Respond to member inquiries about a provider's network participation status within one business day

The 90-day verification cycle is the standard most plans underinvest in. Running it as an annual or quarterly batch process does not satisfy the requirement. Each provider record needs to be tracked individually against its verification window, with proactive outreach before the deadline passes.

The infrastructure this requires is meaningfully different from what most plans currently operate, and it is one of the most common gaps CMS identifies in compliance reviews.

The Independent Dispute Resolution Process Explained

When a plan and an out-of-network provider cannot agree on payment after a 30-business-day open negotiation period, either party can initiate the federal Independent Dispute Resolution process. A certified IDR entity reviews payment offers from both sides and selects one, using the Qualified Payment Amount (the median in-network rate for the relevant service in the geographic area) as a central reference point. The decision is binding and payment must be made within 30 calendar days.

In practice, IDR has become a significant operational burden. Providers and plans submitted nearly 1.2 million cases to the federal IDR portal in just the first half of 2025, almost 40% more than in the prior six months. Research published in Health Affairs estimated the process generated approximately $5 billion in additional costs across its first three years of implementation. Compounding this, about 20% of disputes submitted in the first half of 2025 were ultimately ineligible for IDR, adding processing volume without producing legitimate resolutions.

Enforcement of IDR awards has also become legally uncertain. The Supreme Court declined in early 2026 to review a Fifth Circuit ruling that IDR awards are not enforceable through civil litigation, leaving administrative penalties as the primary mechanism. A bipartisan bill proposing financial penalties for late IDR payments has been introduced but not yet enacted.

Where Federal and State Enforcement Overlap

Federal law sets the floor. State surprise billing laws are preserved as long as they do not prevent the application of a federal requirement. In practice, fully insured plans may be subject to both federal and state obligations simultaneously, with the stricter standard governing.

For self-insured plans, that layering does not apply. Because they fall under ERISA rather than state insurance law, self-insured employer plans are bound only by the federal NSA requirements regardless of the state in which their members receive care. For fully insured plans operating across multiple states, monitoring both federal rules and evolving state standards as a unified compliance function is now standard practice, not optional.

The Provider Directory Update Obligation Most Plans Underestimate

Of all the NSA's operational requirements, the directory update obligation is the one with the widest gap between what the rule requires and what most plans actually do.

Two timelines define it: 90 days for proactive verification of every record, and two business days to reflect any change a provider reports. Both require infrastructure that most plans have not fully built.

Proactive verification at 90-day intervals means tracking where every provider record sits in its verification window and ensuring outreach happens before the window closes. The two-business-day update requirement means that when a provider notifies the plan of a location change, specialty update, or network departure, that information must propagate to the directory the same week. Neither timeline is compatible with batch processes, manual spreadsheets, or systems that are not connected to the directory platform in real time.

How the No Surprises Act Connects to CMS-4208-F2 and the REAL Health Providers Act

The NSA established the provider directory accuracy standards that Medicare-specific rules have since extended.

The 90-day verification cycle introduced for commercial plans was later codified into Medicare Advantage requirements under the REAL Health Providers Act, signed February 3, 2026.

CMS-4208-F2, effective for Plan Year 2027, created the submission infrastructure that makes MA directory data publicly visible on Medicare Plan Finder, raising the stakes for accuracy in a public-facing context.

For plans managing both commercial and MA business, these three frameworks now operate in parallel, each with distinct timelines and enforcement mechanisms. For a full breakdown, see our Medicare Advantage provider directory requirements guide and our guide to surprise billing prevention.

PRIME® by Atlas Systems is built for this model: It maintains plan-to-provider data relationships in real time, automates normalization of delegated roster files, and ensures that directory records reflect current contract status before a member ever relies on them.

For plans managing both commercial and Medicare Advantage business, PRIME® supports the unified data infrastructure that the NSA, CMS-4208-F2, and the REAL Health Providers Act now collectively demand.



FAQs

What does the No Surprises Act require from health plans?

Plans must limit patient cost-sharing to in-network amounts for emergency services, covered non-emergency ancillary services at in-network facilities, and air ambulance services from out-of-network providers. They must maintain accurate provider directories with 90-day verification cycles and two-business-day update timelines, supply Good Faith Estimates for uninsured patients, and participate in the federal IDR process when payment disputes with out-of-network providers cannot be resolved through open negotiation.

Does the No Surprises Act apply to Medicare Advantage plans?

No. The NSA applies to group health plans, individual and group health insurance, and FEHB plans. Medicare Advantage plans are excluded because MA carries its own separate billing protections. However, the 90-day provider directory verification standard the NSA established for commercial plans was extended to MA through the REAL Health Providers Act, effective plan year 2028.

What is the 90-day provider directory update requirement under the No Surprises Act?

Every provider listing must be actively verified at least once every 90 days. When a provider notifies the plan of a change, the directory must be updated within two business days. Providers who do not respond to verification outreach must be removed from the directory rather than left in place as unverified records.

What happens if a health plan violates No Surprises Act regulations?

Violations can result in civil monetary penalties of up to $10,000 per incident, federal audits, and corrective action plans. Enforcement is tightening as regulators work through their backlog of unfinished rulemaking. Plans without operational infrastructure to support continuous directory verification face increasing exposure as enforcement activity grows.

How does the No Surprises Act interact with state surprise billing laws?

Federal law is the floor. State laws imposing the same or stricter requirements on fully insured plans are generally preserved unless they prevent application of a federal provision. Self-insured employer plans are governed by ERISA and exempt from state insurance laws entirely, making the federal NSA their only governing framework regardless of where members receive care.

 
