Establish a provider data management system that tracks every contracted provider's last verification date; the NSA requires health plans to verify all directory entries at least every 90 days.
Build an outreach workflow: send automated requests (email, portal, or API call to credentialing system) to each provider asking them to confirm or update name, specialty, address, phone, and network participation status.
Set a response deadline of fewer than 90 days from the last verification to allow time for follow-up; remove providers who do not respond within the plan-defined window from the public directory.
Process confirmed updates within two business days of receipt as required by the NSA; update both the online and print directory data sources simultaneously.
Log every verification transaction with provider NPI, verification date, method, and outcome; this audit trail is required for regulatory examinations and CMS enforcement.
Trigger an out-of-cycle verification whenever a provider submits a data change or when a credentialing event (recredentialing, termination, privilege change) occurs.
Known gotchas
The 90-day requirement applies to all contracted providers regardless of whether the relationship is direct or indirect (delegated); delegated entities must meet the same cadence.
If a provider fails to respond within your defined window, the plan must remove them from the directory — leaving unverified providers listed exposes the plan to NSA enforcement penalties.
MA, Marketplace, and Medicaid programs each have their own enforcement authority under the NSA; a single compliance program must satisfy all applicable regulators, not just CMS.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp