CMS-0062-P and What Mandatory Payer API Endpoint Reporting Means for Provider Directories

On April 10, CMS released a new proposed rule, CMS-0062, with electronic prior authorization for drugs as the centerpiece. Brendan Keeler has an excellent breakdown of both the ePA for drugs component and the ONC certification implications for payer APIs over at Health API Guy. This one is about something else: what the rule means for provider directories and for the payers responsible for them.

To understand what it means, it helps to understand what has already happened in recent months.

The Expanding Regulatory Stack

Two recent milestones set the stage for CMS-0062.

First, CMS-4208-F2, the MA Plan Finder rule, was finalized in September 2025. It established that CMS would use payer Provider Directory APIs (or comparably structured machine-readable files) to update the MA Plan Finder tool, so that Medicare beneficiaries can find plans that include their preferred providers. The technical guidance and implementation timeline for that rule were finalized on February 18, 2026.

Second, also in February 2026, the REAL Health Providers Act was signed into law as part of the CAA 2026. It mandates accuracy audits (methodology forthcoming) of Medicare Advantage provider directories, annual attestation by payers to those results, and public publication of findings.

Put those two together and here is what they mean in practice: beneficiaries will soon be able to compare the accuracy of MA plan directories alongside premiums and drug coverage when choosing a plan. As Defacto has shown in its National Accuracy Report, directory accuracy varies significantly across payers. Some payer directories score as high as 70% accurate, many at 40% or below. When those numbers are public, they will drive consumer behavior and broker recommendations in ways that premiums alone never have.

These APIs are no longer a compliance checkbox. They are essential infrastructure in a regulated health tech ecosystem. That is the context into which CMS-0062 lands.

What the Proposed Rule Adds

The proposed rule requires payers to submit their endpoint data into a centralized location. This is not just Provider Directory APIs, but also Prior Authorization, Patient Access, Provider Access, and Payer-to-Payer APIs. Along with the URLs, payers would need to submit technical documentation and API registration steps.

Acting Administrator of US DOGE Service Amy Gleason has stated publicly that payer endpoints are on the National Provider Directory (NPD) roadmap. The most likely destination for this centralized collection of endpoints and documentation is the NPD itself, where they will be available to query by CMS and others.

The rule also requires API usage metrics reporting. This part deserves attention. An API with minimal or zero usage is a potential indicator of a non-functioning endpoint. Payers and their API vendors will need to ensure their APIs are generating at least a nominal amount of real traffic, not because CMS will immediately penalize low usage, but because low usage is a potential indicator of non-compliance.

Payers should ask their API vendors (or interop teams) how much usage the API endpoints have received. If the answer is unclear or very low, that is worth addressing before usage metrics begin flowing to CMS. For payers trying to decide whether a lack of usage means (a) the API is broken or (b) there is a lack of interest, it is most likely (a): the API is broken. Third-party developers actively querying a payer’s API can provide working evidence, something payers may find useful in a world where API usability is part of compliance.

From Checkbox to Regulated Infrastructure

The three new sets of requirements, CMS-4208-F2, the REAL Health Providers Act, and now CMS-0062, are establishing Provider Directory APIs as a foundational part of health tech infrastructure. They are requiring that those APIs be publicly documented and registered, prescribing more explicitly how data should be represented, asserting that they will be used by consumers, and establishing controls around audits and attestations. The Provider Directory API is completing a maturity process that has been underway since CMS-9115-F. As compliance becomes more complete via monitoring and enforcement of these requirements, the number of consumers, payers, providers, and third parties using the data will increase accordingly.

The ONC Certification Signal

Keeler’s analysis of CMS-0062 surfaces something easy to miss: CMS is considering requiring certification of payer APIs via ONC. There are legitimate questions about statutory authority here, particularly in a post-Chevron regulatory environment. But the idea is consistent with the administration’s approach from the start: APIs are machine-usable interfaces that the government has access to and can programmatically inspect, assess, and enforce. Requiring certification is a natural extension of that posture.

Prediction: Programmatic Enforcement at Scale

The REAL Health Providers Act does not explicitly state that CMS will assess directory accuracy via Provider Directory APIs, but it does not require a lot of imagination to see how CMS could exercise this option.

With every payer’s directory API documented and registered in the NPD, and with National Directory infrastructure capable of querying those APIs at scale, CMS has the means to monitor directory accuracy programmatically. This could occur across every payer, across every directory record, on a continuous basis rather than through periodic ‘secret shopper’ audits. The difference between what exists today and what becomes possible is the difference between a cop with a radar gun and a speed camera. The radar gun catches some speeders, misses most, and creates the kind of episodic enforcement that sophisticated actors learn to work around. The speed camera checks every car and mails the ticket automatically to the address on file. That is the architecture CMS is assembling: not periodic audits of a handful of directory records, but continuous monitoring across every directory record.

There are precedents worth noting in adjacent CMS domains. HEDIS and quality measurement are moving toward digital quality measures, which will push payers from hybrid sample-based measurement to full population measurement. NCQA similarly is moving toward shorter verification windows and a greater emphasis on continuous verification for provider credentials. The logic for to-be-defined REAL Health auditing is similar: if the data is structured and the APIs exist, why sample when you can measure everything?

On a related note, the MA Plan Finder rule explicitly notes that network adequacy (HSD) submissions and submitted directory data do not yet need to align. The possibility that CMS eventually compares those two submissions, and audits the degree of harmonization between them, is not far-fetched.

What Payers Should Do

The comment period for CMS-0062 runs through June 15, 2026. Payers should review the proposed rule and submit comments, particularly on the usage metrics requirements and the ONC certification proposal. CMS held a webinar reviewing the rule on April 16. The recording will be worth finding if the live session was missed.

Beyond the comment period, there are three things worth addressing immediately:

  1. Confirm that all required APIs exist and are functioning – not just the Provider Directory API, but Prior Authorization, Patient Access, Provider Access, and Payer-to-Payer.
  2. Work with API vendors to get clear answers on uptime and usage volume. If an endpoint has had very little traffic, look at any issue reports submitted by developers to see if there’s an issue preventing them from using it. Better yet, talk to the developers to see what problems they’re trying to solve and what questions they seek to answer. Identify, understand, and resolve those issues before CMS finds them.
  3. Understand your directory accuracy. REAL Health Providers will increase transparency on directory accuracy, and MA Plan Finder will expand the usage of your directory data, resulting in tangible business impact (i.e., member enrollment decisions). Building a proactive feedback loop for continuous improvement now is the right posture, and the window for getting ahead is narrowing quickly.

Beyond those three immediate actions, there is a longer arc that the most forward-thinking payers are planning for. What is required is a durable strategy to centralize and master provider data within their organization, and to get the best data from the providers. That means working collaboratively with the largest health systems in the network to determine where the authoritative data lives and building pipelines to get it. Health systems have roster data, credentialing data, and scheduling data. Payers have claims and plan participation data. Neither has the full picture alone, and the current state of most payer-provider data relationships reflects that fragmentation.

The longer-term imperative goes further still. Payers need to invest in their capabilities to better match members to available, nearby, low-cost, high-quality providers. The quintuple aim objectives are reason enough, and building plans that land on differentiated quality outcomes is worthwhile. An equally important motivation is what is becoming visible on the regulatory horizon: provider network data, scheduling and availability data, cost data, and quality data are all becoming more structured, more public, and more cross-queryable. The infrastructure for programmatic enforcement at scale requires CMS to pay attention to these data sets, enforce their availability and usability, and then finally use them. That moment is closer than most payers’ current roadmaps acknowledge. The payers who will navigate it best are the ones who treat directory accuracy (and adjacent data mandates) not as a compliance deliverable, but as a building block for an adaptive provider network.