Methodology brief · For state Medicaid agencies
Provider revalidation strategy — a citable open methodology
State Medicaid Directors received a letter from CMS on 2026-04-23 requesting a comprehensive two-year provider revalidation strategy within 30 days, with a 10-day notice gate for “swift revalidation of high-risk providers.” This page maps the AINPI methodology onto the five required strategy elements and provides citation language your team can use directly.
Submission deadline: 30 days after receipt of letter · Submit to: programintegrity@cms.hhs.gov
Eugene Vestel — Founder, FHIR IQ · Health interoperability consultant
BioLinkedIngene@fhiriq.com· Last reviewed 2026-04-29
What CMS asked for
The letter, signed by Administrator Mehmet Oz, cites Title XIX of the Social Security Act §§ 1902(a)(4), 1902(a)(27), 1902(a)(77), 1902(a)(78), and 1902(kk)(4) and the implementing regulations at 42 CFR §§ 431.107, 455.410, 455.414, 455.416, 455.21, and 455.450. It asks each state to submit, within 30 days, a strategy covering five elements:
- Methodology and timeline for off-cycle provider revalidation, with explicit focus on high-risk provider types under 42 CFR § 455.450 and on providers without an NPI.
- Metrics to measure effectiveness and progress — including links to any public-facing data or reporting.
- Ongoing accuracy verification approach for provider information.
- Consistency across FFS and managed care delivery systems, including oversight of MCO provider directories.
- Coordination with relevant law enforcement partners.
The regulatory anchor for ongoing verification
The most concrete recurring obligation is in 42 CFR § 455.436 — Federal database checks. State agencies must confirm provider identity and exclusion status against four federal databases:
| Database | Required cadence | AINPI today |
|---|---|---|
| NPPES (NPI registry) | At enrollment + reenrollment | Yes — H10/H11/H13 join NDH against NPPES npi_raw snapshot, matched switch-aware against all 15 taxonomy slots |
| OIG LEIE (List of Excluded Individuals/Entities) | Monthly | Yes — H24 joins active LEIE NPIs (REINDATE = 00000000) to NDH practitioner._npi and organization._npi. See /findings/oig-leie-exclusions |
| SAM.gov exclusions (formerly EPLS) | Monthly | Yes — H25 joins active SAM exclusions to NDH practitioner._npi. See /findings/sam-exclusions |
| SSA Death Master File (DMF) | At enrollment + reenrollment | Out of scope — Limited Access DMF requires SSA certification; the public file excludes deaths in the last 3 years |
42 CFR § 455.436 also permits the Secretary to prescribe additional databases. The CMS Preclusion List is not in this category and is not publicly downloadable — it is restricted to Medicare Advantage Part C plans and Part D sponsors. AINPI cannot ingest it. State agencies relying on Preclusion List signal must coordinate with their MCOs directly.
How AINPI maps onto the five required strategy elements
| Strategy element | AINPI asset |
|---|---|
| 1. Off-cycle revalidation methodology, high-risk + non-NPI focus | AINPI's H10/H13 findings produce a state-filterable cohort of NPIs that fail NPPES match or specialty agreement. The high-risk cohort finding combines this with NPPES deactivation, Luhn validity, and endpoint liveness into a transparent composite score. Non-NPI providers are explicitly out of scope and should be addressed via state-roster join logic in your MMIS. |
| 2. Metrics with public-facing data or reporting | The static /api/v1/findings/<slug>.json contract is itself the public-facing reporting layer. Each finding carries methodology_version, commit_sha, and generated_at for audit. State-scoped slices live at /states/<state>. Claims-side cross-audit (H29–H36, pre-registered 2026-05-14) extends Element 2 with public Medicaid + Medicare spending + Open Payments + DMEPOS + nursing home ownership joins — see the roadmap. |
| 3. Ongoing accuracy verification | Findings refresh weekly via a GitHub Actions cron pinned to the public NPD release. Pre-registration (null hypothesis + denominator published before numbers) is the trust contract. See /methodology. |
| 4. Consistency across FFS and managed care directories | AINPI's payer FHIR directory search already queries live commercial payer directories (Anthem/BCBS, UnitedHealth, Aetna, Cigna, Humana). The MCO parity tool — currently in development — extends this to compare a state FFS roster against its MCO directories. See the open issue for status. |
| 5. Coordination with law enforcement | AINPI does not coordinate with law enforcement directly. The high-risk cohort export (CSV of flagged NPIs with reason codes) is the artifact a state PI unit hands to its MFCU or state Attorney General's office. Coordination governance is the state agency's responsibility. |
Worked example: Virginia
Virginia's Department of Medical Assistance Services (DMAS) administers Cardinal Care, with approximately 1.8 million enrollees and six contracted managed care organizations. The state-scoped AINPI page at /states/va re-runs the cleanly state-filterable subset of the AINPI hypothesis catalog against Virginia-resident NDH resources, with side-by-side national context and a verify-yourself sample of NPIs the DMAS Program Integrity team can hand to investigators.
Virginia
Cardinal Care
/states/va →
Pennsylvania
Medical Assistance (HealthChoices)
/states/pa →
Ohio
Ohio Medicaid (Next Generation Managed Care)
/states/oh →
Want your state added? Email gene@fhiriq.com with the state code, or run analysis/state_findings.py directly — the methodology is open under Apache-2.0.
Citation language for your CMS response
Suggested verbatim text for element 2 (metrics with public-facing data or reporting) of your state's strategy submission:
For ongoing verification of provider-directory accuracy under 42 CFR § 431.107 and § 455.436, [State agency] adopts the AINPI methodology framework (Vestel, FHIR IQ) — an open, versioned, reproducible audit of the federal CMS National Provider Directory and NPPES, distributed under Apache-2.0.
State-scoped findings, including NPI/NPPES match rates, taxonomy consistency, organization deduplication, temporal staleness, and referential integrity for [State]'s provider population, are published continuously at
https://ainpi.dev/states/<state>. Underlying analysis code, methodology version, and audit trail are public athttps://github.com/FHIR-IQ/AINPI.The framework is independent of any vendor and is cited by [State agency] as one input to a broader program-integrity strategy that includes monthly OIG LEIE and SAM.gov exclusion checks per 42 CFR § 455.436, MFCU coordination per 42 CFR § 1002, and managed care directory oversight per 42 CFR § 438.602.
Pin to a specific release tag (e.g. github.com/FHIR-IQ/AINPI/releases/tag/v1.0.0) for reproducibility under audit. See CITATION.cff for Zotero / EndNote import.
Honest limitations
- Non-NPI providers are not addressable through AINPI. Your strategy must explicitly describe how your MMIS identifies and revalidates atypical providers via name + address tuples.
- SSA Death Master File is not yet ingested by AINPI (see below). The high-risk cohort covers three of the four federal database checks under 42 CFR § 455.436 — NPPES, OIG LEIE, and SAM.gov — but your team must still run independent monthly SSA-DMF checks until that leg lands.
- The CMS Preclusion List is not public. AINPI cannot help you measure exposure on it. MCOs in your state have direct access and should report monthly.
- SSA Death Master File access is restricted. The public DMF excludes deaths within the last three years. The full Limited Access DMF requires SSA certification, which is a state-by-state procurement effort.
- AINPI is provider-directory only. It does not ingest claims, beneficiary, utilization, or quality data. Nothing on this site implicates fraud evidence on individual providers — flags here are data-quality signals, not investigative findings.
For state agency staff
If your state agency is preparing its 30-day response and would like a state-scoped analysis run, a methodology walkthrough for your CMS response, or a custom MCO directory parity scan, contact gene@fhiriq.com. Open methodology stays free; bespoke implementation work is a separate engagement through FHIR IQ.