Swift Revalidation of High-Risk Medicaid Providers, National Directory, and Payer APIs

On April 23, 2026, CMS Administrator Dr. Mehmet Oz sent letters to every governor and state Medicaid director, directing states to conduct a swift revalidation of high-risk Medicaid providers and to submit a comprehensive two-year provider revalidation strategy. You can read the State Medicaid Director letter here.

Dr. Oz led with the problem: “Corrupt individuals and organizations masquerading as health care providers are defrauding Medicaid, and American taxpayers, of billions of dollars each year.” He gave the States 10 business days to notify CMS of their intent, and 30 days to submit the full strategy. Both deadlines have now passed.

The letter describes the problem and prioritized focus areas (e.g., providers without NPIs, providers with less rigorous enrollment requirements), but leaves strategy and solutioning to the states and agencies. This piece explores how states are responding and considers solutions that could be implemented to address the problem.

How States Are Responding

A handful of states have published their strategies; the June 5 deadline has passed and all 50 submissions theoretically exist at CMS, but most states have not voluntarily posted their documents. What’s visible is a patchwork of press releases, newsletter announcements, and a few full PDFs.

The states that have published give us clues to implementation approaches:

  1. Texas submitted its strategy on June 5 and posted the full PDF. Texas identified 7,507 providers across four high-risk groups: those with time-limited enrollments, those with manually elevated risk levels, those with special review indicators, and 5,821 providers with data discrepancies such as incorrect revalidation dates or miscategorized risk levels. Texas is investing $23 million in a PEMS system redesign targeting August 2027, including direct PECOS integration for real-time Medicare cross-checks. Texas currently issues “Atypical Provider Identifiers” to providers who lack NPIs, but only 31 providers statewide are enrolled this way.

  2. North Dakota published its strategy. ND focused on three categories: Qualified Service Providers (personal care workers), NEMT providers, and 1915(i) HCBS providers. ND is requiring individual workers in these categories to obtain NPIs and affiliate with their employing agency effective July 1, 2026 for NEMT and January 1, 2027 for QSPs. ND also launched an online directory in 2025 updated nightly from its enrollment system and requires its single MCO, BCBSND, to reconcile its directory against state enrollment files weekly. ND is requesting enrollment moratoriums in its highest-risk counties while it cleans up existing records.

  3. Minnesota is effectively ahead of all other states, having already been forced into a corrective action plan by CMS after $243.8 million in potentially fraudulent payments were identified. That plan includes 17 elements: a pause on new provider enrollment in 13 high-risk service categories, off-cycle revalidation of 5,500+ providers, in-person site visits, fingerprint checks, and expanded pre-payment claims analytics.

  4. Missouri published next steps for off-cycle revalidation through its MMAC division, prioritizing providers without NPIs in Phase I ending October 1, 2026.

  5. Georgia announced vendor solicitation for a comprehensive pre- and post-payment review operation, identifying ABA therapy and structured family caregiving as high-risk categories, with new prior authorization and supervision requirements taking effect in coming months.

  6. South Dakota submitted its strategy and expanded its provider risk categorization framework, though the full document has not been publicly posted.

Among the few strategies published, there are several approaches that could be implemented across all states: increased enumeration of atypical providers, prioritizing certain provider types for off-cycle revalidation, infrastructure overhauls and data clean-up, and piggy-backing off of Medicare provider screening infrastructure.

What else could CMS, State Medicaids, and MCOs do?

The Oz letter and the State Medicaid responses may not have considered the current state of data and the future opportunities afforded by mandatory APIs and emergent data infrastructure (i.e., National Provider Directory). These are strategies they could consider given the quickly evolving data landscape.

1. Provider Directory APIs: State Medicaids and MCOs should finally comply

Every MCO and State Medicaid is required by CMS to publish a FHIR Provider Directory API as part of Final Rule CMS-9115. If these APIs were universally available, accessible, and complete – they would be an invaluable tool for transparency and for monitoring each Medicaid and MCO network for providers at high risk of fraud. Incomplete compliance means comprehensive use of these APIs is not yet possible.

CMS maintains a public endpoint directory for state Medicaid agency FHIR Provider Directory APIs. It is the closest thing to a national compliance tracker for state Medicaid APIs, and it demonstrates that not all state Medicaids comply. Some states have not published endpoints at all. Among those that have, common problems include missing NPI fields even for providers who have them, and spotty or absent use of PractitionerRoles.  

For Medicaid MCOs, the situation is worse. MCOs are required under CMS-9115 to publish provider directory APIs, but there is no public registry of which MCOs have complied, no automated conformance testing, and no penalty structure for non-publication or non-conformance. Deputy Administrator and Chief Product Officer of the CMS Office of Health Technology and Health Products Amy Gleason has indicated that payer endpoints are part of the National Directory roadmap, once provider endpoints are addressed. CMS’s initial releases of National Directory data sets have included provider endpoints, and weekly working group meetings have been covering payer endpoints as a topic, so this may be coming in the near future. Payer endpoints in the National Directory would lead to increased enforcement for Medicaid MCOs and state agencies regarding their Directory APIs, and increased availability of Directory APIs affords more opportunity for monitoring networks for fraud.

CMS-0062-P, a proposed rule still under consideration, would require payers to report their FHIR endpoint URLs to a centralized registry. If finalized, that registry could finally give CMS and the public a complete map of who has published APIs and how to access their endpoints. State Medicaids and their MCO contractors may be explicitly required to publish to that same registry and held to conformance standards.

The value of compliant directory APIs for program integrity is not that directory errors are themselves evidence of fraud. What directory data provides is a map of which providers are enrolled in Medicaid and participating in MCO networks. That map, when cross-referenced against other data sets (e.g., claims, exclusion lists, and the National Directory), becomes a powerful tool for identifying anomalies that warrant investigation.

2. Continuous Exclusion Monitoring v. Directory Comparisons

Most states check providers against OIG exclusion lists, SAM.gov, and state exclusion databases at enrollment and at five-year revalidation. But the exclusion lists themselves are updated more frequently than the five-year revalidation cycle, so there is often a gap between exclusion list updates and Medicaid checks against those lists.

The opportunity is straightforward: state Medicaids, MCOs, and their supporting vendors could run their active provider rosters against exclusion lists on a continuous basis — weekly, or even daily for high-risk provider types — and take swifter action when a provider needs to be disenrolled mid-cycle. The directory API layer combined with increased enumeration of atypical providers (more on this later) makes this practical. A functioning FHIR provider directory gives you the active NPI roster; exclusion lists give you the disqualification signal. Connecting those two data sources continuously is operationally achievable today.
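One way to implement the roster-versus-exclusion join described above, which also reports the directory gaps noted earlier (missing NPI fields, absent PractitionerRoles). This is an added example, not code from CMS or any state; the sample Bundle, provider ids and exclusion rows are constructed, and the CSV column names and zero-filled placeholders are assumed to follow the OIG LEIE download layout.

```python
import csv
import io

NPI_SYSTEM = "http://hl7.org/fhir/sid/us-npi"  # FHIR identifier system for NPIs

def npi_is_valid(npi):
    """NPI check digit: Luhn over the 10 digits prefixed with 80840."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    doubled = [int(c) * (2 if pos % 2 else 1)      # double every second digit from the right
               for pos, c in enumerate(reversed("80840" + npi))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def audit_directory(bundle, exclusion_csv):
    """Flag directory gaps and active exclusions for one FHIR Bundle."""
    resources = [e["resource"] for e in bundle.get("entry", [])]
    with_role = {r["practitioner"]["reference"].split("/")[-1] for r in resources
                 if r["resourceType"] == "PractitionerRole" and "practitioner" in r}
    # Assumed layout: placeholder NPIs need name/DOB matching, out of scope here.
    excluded = {row["NPI"]: row for row in csv.DictReader(io.StringIO(exclusion_csv))
                if row["NPI"] != "0000000000" and row["REINDATE"] == "00000000"}
    out = {"missing_npi": [], "invalid_npi": [], "no_role": [], "excluded": []}
    for r in (x for x in resources if x["resourceType"] == "Practitioner"):
        npis = [i.get("value", "") for i in r.get("identifier", [])
                if i.get("system") == NPI_SYSTEM]
        if not npis:
            out["missing_npi"].append(r["id"])
        for npi in npis:
            if not npi_is_valid(npi):
                out["invalid_npi"].append(r["id"])
            elif npi in excluded:
                out["excluded"].append((r["id"], npi, excluded[npi]["EXCLDATE"]))
        if r["id"] not in with_role:
            out["no_role"].append(r["id"])
    return out

def _res(rtype, rid, **fields):
    return {"resource": {"resourceType": rtype, "id": rid, **fields}}

# Constructed sample data; none of these providers, ids or rows are real records.
SAMPLE_BUNDLE = {"resourceType": "Bundle", "entry": [
    _res("Practitioner", "p1", identifier=[{"system": NPI_SYSTEM, "value": "1234567893"}]),
    _res("PractitionerRole", "r1", practitioner={"reference": "Practitioner/p1"}),
    _res("Practitioner", "p2", identifier=[{"system": NPI_SYSTEM, "value": "1987654328"}]),
    _res("PractitionerRole", "r2", practitioner={"reference": "Practitioner/p2"}),
    _res("Practitioner", "p3", identifier=[{"system": "urn:example:state-id", "value": "MD-42"}]),
    _res("PractitionerRole", "r3", practitioner={"reference": "Practitioner/p3"}),
    _res("Practitioner", "p4", identifier=[{"system": NPI_SYSTEM, "value": "1234567890"}])]}
SAMPLE_EXCLUSIONS = ("LASTNAME,FIRSTNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE\n"
                     "DOE,JANE,1987654328,1128a1,20260115,00000000\n"
                     "ROE,RICHARD,0000000000,1128b4,20251103,00000000\n")

print(audit_directory(SAMPLE_BUNDLE, SAMPLE_EXCLUSIONS))
```

Run on a schedule against a live directory export, the `excluded` list is the mid-cycle disenrollment queue, and `missing_npi` and `no_role` measure how far the directory is from being usable as a roster at all.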

As the CMS National Provider Directory matures, the cross-referencing opportunity expands. Medicaid enrollment rosters could be checked against NPD data (i.e., for anomalies or discrepancies between Medicaid enrollment data and NPD data, and against the primary sources that NPD has integrated with). The NPD is still early in its implementation and development, so state agency directors and their technology architects should seek to engage in early design and roadmap discussions to prioritize those capabilities that can support monitoring.

3. More Frequently Release Claims Data, and Cross Reference with Directories

In early 2026, CMS released an unprecedented volume of Medicaid claims data — over 270 million payment records from 2018 through 2024. Researchers and journalists immediately began identifying patterns consistent with fraud: billing volumes statistically implausible for the provider type, geography, and service category.

Recent cases demonstrate the power of analytics on similar claims datasets at scale. The DOJ’s 2026 National Health Care Fraud Takedown charged 455 defendants in connection with $6.5 billion in alleged false claims, identified through anomalous billing pattern detection. The Wall Street Journal’s investigation into ABA therapy identified a single Indiana provider billing $29 million for 84 patients through analysis of claims records. Both illustrate the same principle: access to Medicaid claims data at scale makes fraud visible and addressable.

This should be done systematically and continuously, not as a one-time release. The insights multiply when claims are cross-referenced with directories. A provider billing at anomalous volumes who is also inconsistently represented across payer directory APIs and the National Directory should be investigated. This kind of multi-source, continuous analytics is what the combination of functioning directory APIs and claims data makes possible.

If claims data were released continuously and paired with a public bounty program, anyone with analytical capability could surface suspected fraud for investigation. Designing such a program would require guardrails against dart-throwing and false reporting; one mechanism would be a nominal filing cost, essentially requiring reporters to place a considered bet rather than a speculative one, improving signal quality and reducing noise.

4. Incentivize MCOs to Proactively Find and Report Fraud

MCOs shouldn’t be left out of this bounty model. MCOs have a structural advantage: they see claims, directories, and billing patterns in real time, before CMS releases the data publicly. They are the best-positioned entities in the Medicaid ecosystem to identify fraud early. In practice, they have little financial incentive to do so. Reporting fraud creates administrative work, network disruption, and potential member access issues. The current structure rewards compliance with mandatory reporting obligations, not proactive detection.

A percentage-of-recovery bounty model (structurally similar to the False Claims Act qui tam provisions or the contingency arrangements CMS uses with Recovery Audit Contractors) would change that calculus. Several states already operate informal “finders keepers” policies on recovered funds. Georgetown’s Center for Children and Families has noted that MCO fraud referrals to MFCUs have been increasing and that contractual requirements to refer are working — and could be “further enhanced by incentives.” Formalizing and scaling that approach through managed care contracts is a near-term policy option, not a distant one.

The downstream effect is that MCOs would also have a financial incentive to invest in systematic fraud detection tooling: directory accuracy monitoring, exclusion list cross-referencing, claims anomaly detection. That effectively creates an incentive for MCOs to invest in robust provider data infrastructure.

5. Mandatory NPIs for All Medicaid Providers, With a Streamlined On-Ramp and NUCC Expansion

The Oz letter identifies providers without NPIs as presumptively high-risk. Some states are contemplating increased requirements for enumeration where Medicaid payments would not be possible without NPIs.

The practical objection is real: many legitimate Medicaid-covered service categories have historically operated outside of NPPES. Personal care attendants, NEMT drivers, peer support specialists, doulas, home modification contractors, and other community-based providers either lack applicable NUCC taxonomy codes or have found the NPPES application too confusing to navigate. Both problems need to be solved together.

On the taxonomy side, CMS would need to work with NUCC to expand coverage for atypical provider categories. The taxonomy infrastructure was built for the clinical workforce and has significant gaps for community-based and social services providers. A dedicated atypical/community services taxonomy branch — covering personal care, NEMT, peer support, housing support, and related categories — would need to be expanded upon, which NUCC can do but would require time and industry collaboration.

On the enrollment side, CMS controls NPPES and could redesign the experience for atypical providers without legislation: a separate pathway triggered by service category, plain-language taxonomy selection, EIN and state Medicaid enrollment number as primary identifiers, and same-day or next-day NPI issuance for straightforward cases. Identity verification at the IAL2 level would enable secure remote enrollment without in-person appearance, critical for the distributed HCBS workforce. CMS already uses IAL2 standards in other contexts, most notably the ACA Enhanced Direct Enrollment pathway. As enumeration functionality may migrate from NPPES into the National Provider Directory, modern IAL2 verification could be incorporated to add a layer of identity proofing.

6. Long-term: Move Toward Continuous Credentialing

The legacy five-year revalidation cycle cannot keep up with the pace of fraud among high-risk providers. NCQA has already moved towards more frequent verification checks for commercial plans. Its 2025 credentialing standards update, effective July 1, 2025, mandated monthly monitoring of license status, OIG exclusion list status, and SAM.gov checks as a standing requirement between recredentialing cycles. The shift from periodic workload spikes to continuous compliance is already underway among commercial payers.

A single five-year review can be augmented with ongoing automated monitoring: licensure status updated monthly from state licensing boards, exclusion list status monitored continuously, directory API presence and consistency tracked in near-real-time. This would be a waypoint towards a future of complete, continuous credentialing. The vision of continuous credentialing is possible in the future, but the primary sources (e.g., state licensing boards, specialty boards, medical schools, and malpractice insurance carriers) are largely not making their data available in structured or publicly accessible ways.

That said, innovators in the space are increasingly aggregating primary source data to enable closer-to-real-time credentialing. There has been some discussion among working group members that the National Provider Directory connect directly to primary sources rather than relying on ad hoc checks against them.

How Medicaid Efforts Align with Medicare and the National Directory

Efforts by Medicaids and MCOs to respond to Dr. Oz’s request for swifter revalidation aren’t useful for just Medicaid and just the fraud prevention use case. The same investments that improve Medicaid program integrity also serve Medicare Advantage network oversight and the National Provider Directory build-out.

MA plans are already required to publish FHIR directory APIs, and CMS is actively using that data to support beneficiaries in shopping for health plans and may eventually use it to assess directory accuracy. As Medicaid and MCO directory APIs come online and improve in quality — driven by enforcement pressure from the revalidation mandate — the aggregate quality of the national provider data ecosystem improves. The MA directory API mandate, the Medicaid revalidation push, the NPD build-out, and the CMS-0062-P endpoint registry proposal are all expressions of the same underlying bet: that provider data, if made machine-readable and continuously maintained, can do things that manual and periodic review processes cannot.

The Oz letter and the request for swifter revalidation complement Medicare directory efforts and broader National Directory infrastructure build-out. State agencies and MCOs should consider the policy and data infrastructure recommendations that, when implemented, would support swifter validation. Those investments will not only address the fraud use cases, but also address a wider range of consumer access (provider search, care navigation, plan selection), interoperability (consumer data access), and administrative workflow (payer-to-payer data exchange, prior authorization) use cases that the National Directory is targeting.