What is the MPF Provider Directory requirement?
Most Medicare Advantage (MA) payer roadmaps for 2026 are organized around CMS-0057-F: Patient Access, Provider Access, Payer-to-Payer, and Prior Authorization, with a federal API compliance date of January 1, 2027.
Sitting alongside that work — under a different rule with earlier dates — is the Medicare Plan Finder (MPF) Provider Directory submission. It is frequently confused with the Provider Directory API. It isn't the same thing.
CMS-4208-F2 (final rule, Federal Register, September 19, 2025) codified new requirements at 42 CFR § 422.111(m). Each MA organization must:
- Make in-network provider and facility data available to CMS for online publication on Medicare Plan Finder (medicare.gov).
- Submit it in one of two CMS-specified formats — machine-readable JSON or FHIR-based JSON Bundles — published at a public URL that CMS crawls daily.
- Update the data within 30 days of becoming aware of a change.
- Annually attest in HPMS — signed by the CEO, CFO, and/or COO — that the submitted data is accurate, complete, and truthful.
Who the rule impacts in practice
Formally, the rule applies to MA organizations offering plans available for individual enrollment with provider networks. Employer Group Waiver Plans (EGWPs, also referred to as "800-series" plans), which are not offered for general Medicare enrollment, fall outside the MPF visibility scope under existing CMS waivers. Plans without provider networks are not in scope, since there is no directory to publish.
Operationally, the rule pulls together work that often spans multiple teams:
- MA organizations, who hold the regulatory obligation and the attestation signature.
- Network and provider data teams, who own the source-of-truth provider records that feed the directory.
- IT and FHIR platform teams, who build, host, and maintain the public submission endpoint.
- Compliance and executive leadership, who must trust the data before signing the annual HPMS attestation.
How CMS consumes the data
CMS does not query the payer's FHIR API. CMS crawls a publicly accessible URL that the MA organization registers in HPMS, downloads a JSON manifest, retrieves the files it lists, validates them, and ingests the data into MPF. The hosting layer must support unauthenticated access, HEAD requests with ETag and Last-Modified headers, and conditional GET (304 Not Modified).
URLs are registered per CMS contract number, not per product. An MA organization with DSNP, MAP, and MSA plans under a single H-number registers one URL covering all of them; the plan and segment IDs are included in each record, not in the path.
Two submission paths: JSON or FHIR
Phase Two of the rollout (CY 2027) offers a choice:
- Machine-readable JSON — files conforming to a CMS specification adapted from the QHP Marketplace machine-readable file format (CMS-9944-F).
- FHIR-based JSON — Bundles conforming to the HL7 Da Vinci PDex Plan-Net Implementation Guide v1.2.0 (FHIR R4), covering seven resource types:
InsurancePlan,Location,Organization(Network, Facility, Payer),OrganizationAffiliation,Practitioner,PractitionerRole.
CMS designates the machine-readable JSON option as temporary. FHIR is the long-term standard, aligned with the future National Provider Directory (Phase Three).
CMS-4208-F2 compliance timeline
February 2026: HPMS API URL fields opened
MA organizations can begin registering their API or file URLs in HPMS. Updated technical guidance was published on February 18, 2026 (distributed via HPMS, not posted publicly on cms.gov).
May 4 – August 31, 2026: plan testing window
CMS crawls and validates registered URLs daily. This is the period to confirm hosting, manifest correctness, schema conformance, and field coverage.
September 1, 2026: CY 2027 attestation due in HPMS
The CEO, CFO, and/or COO signs the annual attestation that the directory data is accurate, complete, and truthful. This is the binding internal deadline.
September 18, 2026: production-ready URLs target
By this point, the registered URLs must serve final, validated CY 2027 data.
October 1, 2026: production release of CY 2027 MPF
Beneficiaries begin to see the new directory data on medicare.gov ahead of the Annual Enrollment Period, which begins October 15.
How this differs from the Provider Directory API
The Provider Directory API — established under CMS-9115-F and in production for MA organizations since 2021 — is a queryable public FHIR endpoint that members and apps consume directly. The MPF submission is a static data feed that CMS pulls.
| Provider Directory API (CMS-9115-F) | MPF Provider Directory (CMS-4208-F2) | |
|---|---|---|
| Access model | Queryable FHIR API | Static files at a public URL |
| Consumer | Members and third-party apps | CMS crawler |
| Auth | Public, no auth | Public, no auth |
| Status | Live since 2021 for MA orgs | New requirement — first attestation Sept 1, 2026 |
The same Plan-Net IG can serve both, but the operational surfaces are different.
The binding deadline: September 1, 2026
The forcing function is HPMS attestation on September 1, 2026 — not the October 1 production go-live. Attestation is signed personally by the CEO, CFO, and/or COO, which moves data-quality validation, vendor readiness, and the internal sign-off chain back into the August window.
CMS may suppress an MA organization's data on Medicare Plan Finder if the annual attestation is not completed, the registered endpoint fails CMS validation, or data-quality issues exceed CMS-published thresholds. Suppression during the October 15 – December 7 Annual Enrollment Period means beneficiaries cannot see the plan's provider network when comparing options on medicare.gov — a direct enrollment risk in the channel where most Medicare beneficiaries shop plans.
How We Can Help
Implementing the MPF submission pipeline typically requires handling Plan-Net conformance, file generation, hosting constraints, and auditability.
Payerbox includes tooling for the MPF Provider Directory FHIR submission path:
- PDex Plan-Net IG v1.2.0 conformance for
InsurancePlan,Organization,Location,Practitioner,PractitionerRole, andOrganizationAffiliation. - Data export and Bundle generation to produce per-contract
Bundlefiles of typecollectionwith the requiredmeta.lastUpdatedsemantics. - Public hosting layer with
HEAD/ETag/Last-Modified/ conditional GET support, matching CMS validation requirements. - 30-day refresh pipelines with audit trails to support the annual attestation.
Reach out to review your MPF readiness and align it with your broader CMS-0057-F roadmap.
