The No Surprises Act Audit Checklist: Are Your Directories Ready?

Varun Krishnamurthy
January 2, 2026

Since the No Surprises Act (NSA) took effect in January 2022, keeping your provider directories accurate has been federal law.

Imagine this: A major health insurance company gets a call from CMS requesting an audit of its provider directories. Within hours, their team discovers that 40% of their provider data is outdated. The phone numbers lead nowhere, and the addresses point to empty buildings. 

The result? Massive penalty exposure, network disruption, and compliance issues that could have been prevented.

Inaccurate directories can trigger regulatory audits, hefty fines, and serious operational issues.

This guide provides a complete, practical NSA audit checklist for health plans, provider groups, and Management Services Organizations (MSOs). This checklist will help you prepare for and pass an NSA audit.

What are the No Surprises Act Directory Requirements?

Incorrect directories lead to surprise medical bills for patients. In fact, Health Affairs conducted a survey of privately insured mental health patients. The study revealed that 44% of patients used a mental health provider directory, and 53% of them encountered provider inaccuracies. Even worse, those who encountered directory inaccuracies were four times more likely to receive a surprise outpatient out-of-network bill. Hence, there is a need for accurate directories. 

The Centers for Medicare & Medicaid Services (CMS) has set clear expectations for provider directory accuracy under the NSA. Here's what you need to know: 

What CMS expects from you

The NSA includes specific provider directory requirements to ensure patients have access to accurate information about their healthcare providers. 

These requirements are enforced by the CMS and apply to all providers and healthcare facilities participating in group or individual health plans.

Directory requirements

Under the NSA, providers and health plans must:

  • Verify and update provider directory information at least every 90 days
  • Update directories within 2 business days of receiving updated provider information
  • Remove providers from the directory if their information cannot be verified or if they are no longer participating in the network
  • Respond to patient inquiries about a provider’s network status within one business day

Required Information

The provider directory must include:

  • Provider’s full legal name and National Provider Identifier (NPI)
  • All practice addresses where the provider sees patients
  • Phone numbers for appointments and general inquiries
  • Current status regarding acceptance of new patients
  • All specialties and sub-specialties
  • Insurance plans that the provider participates in
  • Hospital affiliations and group practice associations

Providers and plans must maintain timestamped validation records and detailed change logs for every provider in their network to demonstrate compliance with these requirements. 

Printed directories must also include the date of printing and a statement directing patients to the most current online version.

What are the common causes of incorrect provider directories?

Research shows that 40% to 60% of provider directories contain inaccuracies at any given time. This means that more than half of your directory could be wrong right now.

Common problems include:

  • Outdated information that hasn't been checked in months: Providers move, change phone numbers, or update their patient acceptance status without telling you
  • Unverified third-party data: You receive information from various sources, but who verifies its accuracy?
  • Data scattered across multiple systems: Your credentialing system says one thing, your claims system says another, and your public directory shows something completely different
  • Provider non-responsiveness: You reach out for verification, but providers don't respond. What then?
  • Inconsistent update schedules: Some providers are checked monthly, while others haven't been verified in a year
  • Missing documentation: This is the big one. Even if your data is perfect, if you can't prove you verified it, you fail the audit

What happens during an NSA audit

When CMS or state regulators come knocking, here's what they typically request:

  • First, they want a comprehensive directory accuracy report showing the current status of all provider information
  • Then they ask for your last four verification cycles. That’s a full year of logs showing every verification attempt, successful or not
  • Auditors examine evidence of your provider outreach attempts. They want to see emails sent, calls logged, and portal submissions recorded
  • They check your documentation of corrections and how quickly you fix errors. They measure your time-to-update metrics against the 2-business-day requirement
  • Finally, they conduct random sampling across different provider types. They might check 50 primary care doctors, 30 specialists, and 20 behavioral health providers. If patterns of inaccuracy emerge in any category, you're in trouble

The NSA audit checklist: Your step-by-step guide

Now let's get into the detailed checklist that will help you prepare for and pass an NSA audit. This is a practical, actionable guide you can start using today.

Step 1: Validate your data sources

Start by listing every source of provider data in your organization. This includes CAQH ProView, the National Plan and Provider Enumeration System (NPPES), provider self-attestation forms, your electronic health records system, HR databases, and contracting systems.

Next, identify which data points each source controls. For example, CAQH might be your primary source for credentials and education, while your contracting database holds network participation details.

Check for conflicting data across these systems. If CAQH says Dr. Smith works at 123 Main Street, but your claims system shows 456 Oak Avenue, which one is right? More importantly, which one appears in your public directory?

Confirm whether you have a single source of truth, one system that serves as the master record for each data element. Without this, you're guaranteed to have inconsistencies.

Finally, ensure you have access to real-time updates from external sources such as the NPI registry. Provider licenses, sanctions, and other information can change daily.

This is where automated solutions like Assured unify data from CAQH, NPPES, payors, and credentialing files into unique provider profiles, removing conflicts and creating that single source of truth.

Step 2: Confirm your 90-day verification process

Document your 90-day verification policy in writing. Auditors will ask to see it. Your policy should clearly state how you track which providers need verification each cycle.

Define your outreach methods. Will you contact providers via email, phone, SMS, or through a provider portal? Most successful organizations use multiple channels to improve response rates.

Make sure you're capturing timestamps for every verification attempt and completion. A simple "verified" checkbox isn't enough. You need the date, time, method, and who performed the verification.

Most importantly, maintain evidence of provider confirmations. When Dr. Jones confirms her information is current, keep that email, portal submission, or call recording. This proof is your audit lifeline.

Automated platforms handle this by initiating verification cycles automatically, sending configurable reminders, and maintaining built-in proof-of-verification logs that auditors love.

Step 3: Validate all required NSA directory fields

Create an internal checklist for each category of required information:

  • Core Identity Information: Verify legal names exactly as they appear on licenses. Check every NPI against the NPPES database. Confirm all credentials (MD, DO, NP, PA, etc.) are current and properly displayed. Validate taxonomy codes to ensure specialties are accurately represented
  • Practice Location Details: Verify primary and secondary practice addresses down to the suite number, as this is a common failure point in audits. Use geocoding to validate that addresses actually exist. Confirm on-site hours for each location. Don't assume all locations have the same schedule
  • Contact Information: Check that phone numbers are working and reach the correct department. Verify separate numbers for direct lines, the general office, and appointment scheduling. Confirm fax numbers if still used. Note telehealth availability, as this became a necessity during COVID and remains essential
  • Network Participation Status: The "accepting new patients" field is an NSA priority. This must be accurate and current. List all insurance plans accepted at each location. Include network tier levels where applicable. Patients need to know if a provider is in-network, out-of-network, or somewhere in between
  • Group and Facility Connections: Document group practice names and relationships. List health system affiliations clearly. Verify current hospital privileges. Pay special attention to behavioral health network connections, which often have unique requirements
  • Provider Disclosures: Check for any sanctions against the provider. Verify current license status in all states where they practice. Confirm the DEA registration status for providers who prescribe controlled substances

Pre-built field validation rules and automated flags for missing or inconsistent information can catch these issues before they become audit problems.

Step 4: Assess your provider outreach and response workflow

Document how many times you attempt to reach each provider during verification. Set clear rules for days between attempts, and don't wait weeks between tries.

Create a process that ensures compliance with the 2-business-day update rule. When information comes in on Monday, it must be in directories by close of business on Wednesday.

Establish a mechanism to track non-responsive providers. After three attempts with no response, what happens? Can you suspend their listing? Remove them from directories? Your policy needs to address this.

Build an escalation path for critical updates. If a provider suddenly closes their practice or loses their license, you need a fast-track process to update directories immediately.

Provider portals that allow easy self-service updates, combined with automated escalations for non-responsive providers and direct synchronization to directories after approval, can transform this process from a compliance burden to a smooth operation.

Step 5: Assess the timeliness of updates

Measure exactly how long it takes to update provider data after receiving new information. Track this for different types of changes:

  • Practice address changes
  • "Accepting new patients" status updates
  • Phone number modifications
  • Facility affiliation changes

Compare your actual performance against the NSA's 2-business-day requirement. If you're consistently missing this deadline, you need to identify and fix the bottlenecks.

Real-time updates that flow automatically from provider submissions to published directories eliminate manual delays and ensure compliance with timing requirements.

Step 6: Review data accuracy and quality controls

Implement duplicate provider profile detection. Nothing fails an audit faster than having the same provider listed multiple times with different information.

Cross-check NPIs against practice locations to ensure providers are only listed where they actually practice. Use automated address validation through USPS or similar services to catch typos and formatting errors.

Run consistency checks across all systems. If your claims data shows Dr. Anderson hasn't seen patients at a location in six months, why is she still listed there in your directory?

Establish a clear error resolution workflow. When inconsistencies are found, who investigates? Who makes the final decision? How is the correction documented?

Maintain complete audit trails for every change. Auditors want to see not just what changed, but when, why, and who approved it.

Machine-learning tools can automatically detect duplicates, flag errors, and maintain comprehensive audit histories, reducing manual work while improving accuracy.

Step 7: Analyze your directory publishing process

Count how many directories you maintain, whether web, print, PDF, or mobile app. Each one needs to be accurate and synchronized.

Determine if publishing is automated or manual. Manual processes introduce delays and errors. Document your quality review process before each publish. Someone should verify a sample of changes before they go live.

Establish and document your refresh cycles. Weekly? Biweekly? Daily? Whatever your schedule, it must be consistent and documented.

Step 8: Confirm enterprise-wide governance

Define clear data ownership roles. Who "owns" provider data in your organization? Who's responsible for accuracy? These roles must be documented and communicated.

Assign a compliance manager specifically for NSA requirements. This person should monitor regulatory updates and ensure your processes stay current.

Create service level agreements (SLAs) for responding to provider updates. For example: "All provider submissions receive initial review within 4 hours during business days."

Conduct annual training for credentialing and provider relations teams. Everyone touching provider data needs to understand NSA requirements.

Schedule internal audits quarterly, not just annually. Regular self-audits catch problems before regulators do.

Enterprise workflow automation libraries with role-based permissions help enforce governance policies consistently across your organization.

Common NSA Audit Failures and How to Avoid Them

Understanding where others fail can help you succeed. Here are the most common problems we see:

  1. Conflicting Information Across Systems: This happens when different departments maintain their own provider databases without synchronization. The solution is establishing a centralized source of truth that all systems reference
  2. Missing Documentation: Organizations often have accurate data, but can't prove they verified it. Auditors fail you on poor evidence, not necessarily bad data. The fix is maintaining detailed logs of every verification attempt and completion
  3. Provider Outreach Gaps: Non-responsive providers remain in directories unverified for months. You need clear policies for multiple outreach attempts and consequences for non-response
  4. Slow Update Turnaround: Even with correct data, slow updates violate the 2-business-day rule. Automation is the only reliable way to meet this requirement consistently
  5. Reliance on Manual Processes: Spreadsheets and outdated credentialing platforms create high error rates and audit risks. Modern automated systems are essential for NSA compliance

Building your NSA-Ready directory management

Think of directory management as a journey through four levels:

Level 1: Manual and Reactive: You're using spreadsheets, conducting ad-hoc verifications, and missing audit trails. This is where most organizations start, but staying here guarantees audit failure.

Level 2: Partially Automated: You have some automation, but gaps remain. Verification cycles are inconsistent, and data conflicts persist between systems.

Level 3: Standardized and Proactive: You have defined workflows, conduct quarterly audits, and sync multiple systems regularly. This is the minimum for NSA compliance.

Level 4: Fully Automated and Audit-Ready: This is the gold standard. You have end-to-end automation, including automated 90-day verifications, centralized provider profiles, real-time change detection, complete audit logs, and automatic directory synchronization.

One way to achieve full automation for audit readiness is by using software like Assured. These tools automate the entire directory management process, keeping your directories accurate and preventing surprise bills or NSA non-compliance.

How Assured keeps you 100% audit-ready

Assured is an AI-powered credentialing and payer enrollment software. The platform helps you with NSA compliance and transforms your directory management from a risk into a competitive advantage. 

Here's exactly how each Assured feature works to protect you from NSA audit failures:

1. Automated 90-Day verification

Assured automates the provider verification cycle, scheduling and tracking reverifications every 90 days. The system maintains a rolling calendar, sending reminders before the deadline and supporting multi-channel outreach (email, SMS, portal notifications) to ensure providers respond promptly. 

If a provider does not respond, the system escalates with reminders and alerts provider relations teams, helping organizations prove outreach attempts and maintain compliance.

2. Self-service provider portal

Providers can log in to update their information, upload documentation, and confirm accuracy digitally. The portal tracks all changes, maintains a history of verification actions, and ensures a complete audit trail with timestamps and digital signatures for every update.

3. Real-time data synchronization

Assured integrates with authoritative sources, including NPPES, CAQH, state licensing boards, and DEA databases, to synchronize provider data in real time. This ensures that directories reflect the most current information, reducing inconsistencies and manual errors.

4. Directory publishing automation

The platform automates directory updates across all channels (web, mobile, print, partner feeds), ensuring that changes are published within the required 2-business-day window for NSA compliance.

5. Role-based governance and compliance controls

Assured enforces role-based access, allowing different teams to manage only their respective areas (credentialing, network operations, compliance). Approval workflows are built for critical updates, and all changes are logged with detailed audit documentation, including before/after values and timestamps.

6. Continuous monitoring and analytics

The platform offers dashboards that track compliance metrics, alert teams to approaching deadlines, and generate automated compliance reports for audits. Assured also regularly monitors provider data for accuracy and flags missing or inconsistent information.

7. End-to-end workflow automation

Assured connects credentialing, enrollment, and directory management to ensure seamless data flow between processes. This reduces delays and errors, and supports automated updates for license renewals, credentialing, and network status changes.

Get started with Assured today

Being "directory-ready" is an ongoing role that requires constant attention. Start by assessing your current directory state against this checklist. Identify your biggest gaps and address them. 

Remember that automation can reduce your audit risk while freeing your team to focus on strategic administration and patient care rather than manual data management.

Assured can eliminate a majority of audit risks. But whether you automate or improve your manual processes, the important thing is to start now. Every day you wait increases your audit exposure. Book a demo to see how Assured can help you get audit-ready.

Frequently Asked Questions

1. What happens if my directory fails an NSA audit? 

If your directory fails an NSA audit, it can result in monetary penalties, corrective action plans, increased oversight, and potential exclusion from federal programs. The severity depends on the extent of non-compliance.

2. What qualifies as "verification" under NSA rules? 

Verification under NSA rules requires direct confirmation from the provider or their authorized representative that the information is current and accurate. Passive methods like claims analysis don't count.

3. How often should I audit my provider directory? 

There’s no specific frequency for auditing your provider directory. While NSA requires 90-day verifications, best practice is monthly internal audits with comprehensive quarterly reviews.

4. Which fields are mandatory in an NSA-compliant directory? 

The mandatory fields for an NSA-compliant directory are name, NPI, addresses, phone numbers, accepting new patients status, specialties, plan participation, and affiliations.

5. How do payors and provider groups differ in their obligations? 

Both providers and payers must keep accurate directories. However, payers usually have broader networks, which require more complex verification processes, while provider groups have more direct control over their provider information.

6. How does automation reduce directory errors? 

Automation reduces directory errors by ensuring consistent verification schedules, maintaining complete audit trails, and enabling real-time updates that would be impossible to achieve manually.

Written By:
Varun Krishnamurthy

Varun is the CEO and co-founder of Assured, a technology-first platform that streamlines provider licensing, credentialing, and payer enrollment. The idea for Assured grew out of his experience building Dawn Health, a virtual sleep clinic acquired in 2023. There, he saw just how much administrative overhead slows down healthcare. Drawing on his engineering background, Varun set out to fix the problem—using AI to automate the most tedious, manual parts of provider onboarding. Today, Assured helps healthcare organizations reduce paperwork, speed up credentialing, and get providers in front of patients faster.