A single outdated phone number or incorrect network status in a provider directory can trigger a compliance violation, a patient billing dispute, or both. The no surprises act provider directory requirements place direct obligations on health plans and providers to keep directory information accurate, verified, and current, with specific deadlines that leave little room for error. For healthcare vendors whose tools touch provider data inside EHR systems like EPIC, understanding these requirements isn't optional; it's foundational to building compliant products.

The core mandate breaks down into two critical cycles: health plans must verify provider directory data every 90 days, and updates to directory information must be reflected within two business days of receiving changes. These timelines affect how data flows between providers, payers, and the systems that connect them, including the SMART on FHIR applications that healthcare vendors deploy through platforms like VectorCare to integrate directly with EPIC workflows.

This guide covers what the No Surprises Act actually requires for provider directories as of 2026, who carries which obligations, and how the verification and update timelines work in practice. Whether you're a digital health company building tools that surface provider information or a vendor managing referral and network data inside clinical workflows, you'll walk away with a clear picture of what compliance looks like and where your product fits into it.

Why these directory rules exist

Provider directories have a long history of containing inaccurate information. Before the No Surprises Act took effect, patients routinely used directory listings to confirm a provider was in-network, scheduled an appointment, received care, and then received a bill they never expected. The core problem was straightforward: directories weren't updated regularly enough, and no federal standard existed to force health plans or providers to fix that.

The phantom network problem

The term "phantom network" describes a directory that lists providers who are no longer participating in a plan, have wrong contact details, or whose network status changed months earlier. Studies from the Government Accountability Office and state insurance departments consistently found error rates exceeding 50% in commercial plan directories, and patients had no reliable mechanism to verify what they were looking at before receiving care.

A directory that appears accurate but reflects data from six months ago gives patients false confidence and zero protection at the point of service.

When patients chose a provider based on a listing that turned out to be wrong, they had little recourse. Cost-sharing protections did not apply to out-of-network services, so a patient who believed they were seeing an in-network specialist could end up facing the full out-of-network rate. That financial exposure is exactly what the no surprises act provider directory requirements were designed to close.

What Congress required and why the timelines matter

Congress passed the No Surprises Act as part of the Consolidated Appropriations Act of 2021, with key provisions taking effect on January 1, 2022. The law recognized that surprise billing wasn't just a problem at the moment of care; it started with the information patients used to make decisions before they ever walked through a door. Fixing that meant creating mandatory verification cycles and requiring fast updates when data changed.

The 90-day verification requirement forces health plans to actively confirm provider information rather than rely on providers to self-report changes whenever they get around to it. The two-business-day update rule creates a hard deadline once a change is reported. Together, these two requirements shift the burden from patients discovering errors after the fact to health plans preventing them in advance. For vendors building tools that surface or manage provider network data inside clinical systems, this shift means your product design needs to account for data freshness and update velocity as direct compliance inputs, not secondary concerns.

Who must comply and key definitions

The no surprises act provider directory requirements apply broadly across the healthcare ecosystem, but the obligations are not identical for every entity. Understanding who carries which responsibilities helps you identify exactly where your product or workflow needs to meet federal standards.

Entities subject to directory obligations

Group health plans and health insurance issuers offering coverage in the individual and group markets carry the primary compliance burden under the No Surprises Act. This includes fully insured and self-funded plans, and it extends to coverage sold through the ACA marketplace as well as employer-sponsored plans. Federal employee health benefit plans and certain grandfathered plans have separate regulatory treatment, so you should confirm the specific plan type before applying these rules.

Providers and facilities also carry obligations. Participating providers, participating emergency facilities, and their group practices must notify health plans of changes to their participation status, practice location, or contact information. That notification triggers the health plan's two-business-day update clock. If your product manages provider data or facilitates network enrollment, you are sitting directly inside this notification pipeline.

Key definitions that drive compliance

Several terms determine whether a specific situation falls under these rules. A "participating provider" is any physician, facility, or other provider who has a contract with a health plan to furnish covered services at a negotiated rate. "Provider directory" refers to any public-facing or plan-administered listing of participating providers, whether it appears online, in print, or through an API-connected tool.

Getting the definitions right matters because the update and verification timelines only apply once a provider crosses into "participating" status under a specific plan contract.

Core terms to keep straight:

• Participating provider: A clinician or facility contracted with a health plan at a negotiated rate
• Participating emergency facility: An emergency department or independent freestanding emergency department with an active plan contract
• Provider directory: Any public or plan-administered network listing, including digital and API-served formats

The 90-day verification and 2-day update rules

The no surprises act provider directory requirements set two distinct timelines that work together. The 90-day cycle is proactive: health plans must reach out to every participating provider at least once every 90 days to confirm their information is still accurate. The two-business-day rule is reactive: once a plan receives a change notification from a provider, that update must appear in the directory within two business days.

How the 90-day verification cycle works

Health plans must contact each participating provider or facility and confirm current network participation status, practice location, and contact details. If a provider does not respond to a verification attempt, the plan must remove that provider from its public-facing directory within the same 90-day window. This creates a meaningful incentive for providers to respond promptly, because silence results in removal, not continuation.

A provider who misses a verification window may disappear from patient-facing directories until they confirm their information, which can disrupt patient scheduling and referral workflows.

Plans must also maintain documentation of their verification attempts, including dates of outreach and responses received. For vendors building tools that surface network data inside clinical systems like EPIC, this documentation requirement means the underlying data your product relies on should carry timestamps and verification status indicators.

How the 2-business-day update rule works

When a provider notifies a health plan of a change, the plan has two business days to reflect that change in its provider directory. This applies to changes in participation status, practice address, phone number, and whether a provider is accepting new patients. Providers themselves trigger this clock by submitting the notification, so the rule creates a shared responsibility between the provider reporting the change and the plan processing it on time.

How to run a compliant provider directory process

Running a compliant process means building systematic workflows rather than relying on ad hoc outreach or manual tracking. If your product interfaces with provider network data inside clinical systems, your architecture needs to support the two core compliance cycles: verification every 90 days and updates within two business days.

Build a verification tracking system

Your verification system needs to log every outreach attempt with a timestamp, record provider responses, and flag non-responders before their 90-day window closes. This is not just good practice; it is the documentation your organization must produce during an audit. Automated scheduling and response tracking reduce the risk of missing a provider within a large network.

If you manage provider data inside an EHR-integrated tool, your system should surface verification status and expiration dates as data fields, not as notes in a separate spreadsheet.

A simple tracking structure should capture the date of last verification, method of contact, response status, and the next verification due date. Building this into your FHIR data model from the start is far easier than retrofitting it after deployment.

Define your update intake process

Incoming provider change notifications must route to a team or system that can process and publish updates within two business days, without manual bottlenecks or approval delays that slow down that clock. Your intake process should include a clear escalation path for high-volume change periods.

Defining ownership over each step of the update pipeline prevents situations where a notification sits in a shared inbox past the deadline. Meeting the no surprises act provider directory requirements depends on both cycles working reliably together, so a verification program that catches changes and an update pipeline that processes them on time create a defensible, documented compliance posture.

Audit readiness, penalties, and member protections

When federal regulators review whether a health plan or vendor is meeting the no surprises act provider directory requirements, they look for documented processes, not just intent. Audit readiness means your organization can produce verification logs, update timestamps, and change notification records on demand, without scrambling to reconstruct them from memory or scattered files.

What penalties look like

Health plans that fail to meet directory accuracy standards face civil monetary penalties under the No Surprises Act. The Department of Health and Human Services can impose fines of up to $100 per day per violation, and each affected member can represent a separate violation. That math scales quickly across a large plan with thousands of participating providers.

A single provider whose status isn't updated within two business days can generate a fine that compounds daily until the directory reflects the correct information.

Both failure to complete the 90-day verification cycle and failure to publish updates within the two-business-day window trigger this penalty structure. Vendors whose tools manage or serve provider directory data inside clinical systems need to understand that their product's data latency can directly contribute to a health plan's violation count.

Member protections that ride on your data

Patients rely on directory accuracy to make care decisions that carry real financial consequences. When a member selects a provider based on a listing that turns out to be wrong, federal law requires the health plan to apply in-network cost-sharing even if the provider was actually out of network, as long as the member relied on the directory in good faith.

Your product's ability to surface accurate, verified, and timely provider information inside EPIC workflows directly determines whether patients receive the financial protection the law intends them to have. Treating data freshness as a compliance input, rather than a secondary concern, keeps both your product and your health plan partners on the right side of those member protections.

Next steps

The no surprises act provider directory requirements are not going away, and the enforcement environment heading into 2026 gives health plans and their vendor partners less room to treat compliance as a future project. Your immediate priority is to audit your current provider data processes against the 90-day verification cycle and two-business-day update rule, identify where gaps exist, and close them with documented, repeatable workflows.

Building or updating a SMART on FHIR application that surfaces provider network data inside EPIC requires an architecture that supports real-time data freshness and verification tracking from the start. Retrofitting those capabilities after deployment costs far more time and money than designing them in upfront. If your product touches provider directories inside clinical workflows, the compliance infrastructure underneath that data is as important as the user interface above it. Deploy a compliant SMART on FHIR app with VectorCare and get your integration built and listed in the EPIC Showroom in weeks, not months.