No Surprises Act Provider Directory Enforcement Guidance for Regulators

Enforcement of the No Surprises Act, Section 116, involves both federal and state regulators. As we work with many of the parties involved, here is an analysis of the various enforcement guidelines and a proposed strategy for all regulators to consider. 

Section 116 of the No Surprises Act (NSA) requires health plans to establish a provider directory verification process and a procedure for removing providers or facilities with unverifiable information. No less than once every 90 days, health plans must verify and update their provider directory database. Within 2 business days of receiving a provider update, health plans are required to update their provider directory database. Within one business day of receiving a request, health plans must respond to calls related to consumer provider directory inquiries.

CMS intends to issue comprehensive rules to implement Section 116 sometime after January 1, 2022. In the interim, health plans are expected to comply with Section 116 with little regulatory implementation information available. In one guidance document, CMS stated that until rulemaking to fully implement Section 116 is finalized, health plans are expected to implement the requirements using a good faith, reasonable interpretation of the statute.”

Enforcement of Section 116 involves both federal and state regulators. Generally, the NSA defers to states to enforce Section 116 for state-regulated, fully insured health plans. The NSA defers to DOL to enforce Section 116 against self-insured, ERISA health plans.

Every state has indicated how it intends to interact with Section 116 in a CMS enforcement survey conducted in 2021. The survey results indicated that 12 states will defer to CMS to enforce Section 116 in their state, 23 states will enforce Section 116 on their own, and 15 states will enter into a collaborative enforcement agreement (CEA) with CMS to enforce Section 116 collaboratively.

States that intend to enforce Section 116 may issue health plan compliance regulations, circulars, advisories, bulletins, other guidance that could differ from what CMS requires. As of March 2022, several states have issued state-specific Section 116 guidance. Most state-specific guidance simply mirrors the requirements in Section 116 and the existing Section 116 guidance issued by CMS. However, some states have issued guidance that goes above and beyond what CMS requires. For example, New York requires that, at least once every 15 days, a health plan must verify and update its provider directory database. In New Hampshire, the state requires health plans to verify and update their provider directories no less than once every 30 days.

Because the NSA builds on similar state laws enacted in 33 states, some states have existing provider directory requirements that are similar to Section 116 that they are building into their enforcement strategy.

Regulators at the federal and state level may be interested in understanding how health plans can demonstrate a good faith compliance effort to implement the requirements set forth in Section 116.

To show compliance with Section 116, health plans may demonstrate to regulators that they have a provider data review workflow that consists of three parts.

The first part is a documented process of including providers in the provider directory that have verified their information consistent with the requirements in Section 116.

The second part involves a documented process to deal with providers who have verified their data, but the data is questionable for some reason, e.g., the provider verifies that it practices at 53 locations. In that case, did the health plan employ a process to flag that questionable information for review and independently verify its accuracy before placing the provider in the directory?

The third part involves a documented process to deal with providers who have not verified their data in 90 days. In that case, did the health plan conduct outreach to determine if the provider is active and work with the provider to verify its information?


With Quest Analytics, you gain an all-in-one solution that elevates you to a higher level of policy advocacy and gives you the ability to clearly demonstrate that you’re shaping the future of healthcare. To learn more, contact us.


Need updated citation
See 42 U.S. Code § 300gg–115
See Requirements Related to Surprise Billing; Part I; 86 Fed. Reg. 36,876 (July 13, 2021)
See 42 U.S.C. § 300gg-23(a)(1); 86 Fed. Reg. at 36,886.
See CAA Enforcement Letters. Accessed on at: https://www.cms.gov/CCIIO/Programs-and-Initiatives/Other-Insurance-Protections/CAA
Under a CEA, the state agrees to seek voluntary compliance from health plans and refer to CMS for possible enforcement action any potential violation for which the state is not able to obtain voluntary compliance.
See DFS Insurance Circular Letter No. 12 (2021), Sec. 3(B). Accessed online at: https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_12https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_12
See Ins 21-02-AB. Accessed online at: https://www.nh.gov/insurance/media/bulletins/2021/documents/ins-21-102-ab.pdf
Commonwealth Fund, State Balance-Billing Protections (2021). Accessed online at: https://www.commonwealthfund.org/publications/maps-and-interactives/2021/feb/state-balance-billing-protections