Get started
  • Article
  • 3 min read

September 1, 2026: The Attestation Deadline No MA CEO Can Afford to Miss

John Muehling

John Muehling

CEO and Founder, Datagence

Isometric illustration on a deep navy background. A translucent glowing cyan hourglass sits atop a layered cyan foundational structure, with sand partway through its fall. A clock face is integrated into the top layer of the foundation, showing the time 11:59. To the right of the hourglass, a red warning element labeled "CRITICAL DEADLINE" with an X mark signals time pressure. A warm amber thread emerges from the underside of the foundation and trails down and to the lower left, representing the data provenance line running through the foundation.

If you are the CEO, CFO, or COO of a Medicare Advantage organization, you are going to personally sign something in less than four months. I want to make sure you know exactly what you are signing.

On September 1, 2026, CMS requires every MA organization to complete a formal attestation in the Health Plan Management System certifying that your plan’s provider directory information is, in the exact regulatory language, “accurate, complete, and truthful at the time of the attestation to the best information, knowledge, and belief of the MA organization.”

That attestation must be signed by a CEO, CFO, or COO. It cannot be delegated to compliance staff, network operations, or data management teams. It is a personal declaration by a C-level executive.

Why this attestation is different

Most attestations a health plan executive signs in a given year are internal-facing or narrow in scope. This one is different in three ways.

  • The scope is enormous. The attestation covers every provider, facility, address, specialty, NPI, and network relationship your plan has published through its data feeds to CMS. For a mid-size MA plan, that can mean tens of thousands of individual provider records, each of which has to be accurate at the moment you sign.
  • The visibility is public. Starting in October 2026, the data you attested to will appear on Medicare Plan Finder. Beneficiaries, journalists, plaintiffs’ firms, and state attorneys general will be looking at the same records you signed off on.
  • The enforcement is already operational. CMS will suppress your provider directory on Medicare Plan Finder if you fail to complete the attestation, if your files fail validation, or if your data quality issues exceed a published threshold. Suppression during AEP is a competitive hit that is difficult to quantify but easy to feel.

What “best information, knowledge, and belief” actually means

It is worth spending a minute on that phrase, because it is doing a lot of work in the regulation.

“Best information, knowledge, and belief” is the language courts use to distinguish an affirmative representation from a good-faith estimate. It is not a perfection standard. But it does require that the signatory have actual information on which to base the attestation, which means an organized, documented, recent assessment of the data your plan is publishing.

If a signatory completes the attestation without that underlying evidence package, they are signing on faith in their own org chart. And if a ghost-network lawsuit emerges in 2027 alleging misrepresentation, that attestation is now in the record.

The defense of that signature is materially stronger when the plan can produce three artifacts: a dated third-party readiness assessment, a documented remediation record, and a provenance log tracing every record back to its authoritative source.

The operational reality most plans face

Most MA plans today are running directory maintenance on roster-plus-spreadsheet workflows. Delegated credentialing files come in as PDFs and Excel files. Provider updates flow through email. Address corrections sit in ticket queues. The data feeding the FHIR API was assembled from a dozen upstream sources of varying currency, none of which have been reconciled in a systematic way.

That workflow cannot produce an evidence package that supports a CEO’s signature under an “accurate, complete, and truthful” standard. Not at 30-day update cadence. Not at 85% accuracy. Not for a CMS validation that runs daily during the May 4 through August 31 testing window.

Three things every MA plan should be doing this month

  • Run a baseline assessment against the CMS Technical Implementation Guide for Supplying MA Provider Directory Data for Use in MPF. Not against the NPD, against the CMS-4208-F2 submission requirements, because that is what validation actually checks.
  • Stand up a continuous, automated directory maintenance workflow that can hit 30-day update cadence by the testing window. Many plans will discover that their current workflow physically cannot meet that cadence at scale, regardless of how much effort goes in.
  • Build the evidence log. The attestation is a point-in-time signature. The defense of that signature is a continuous record.

If your plan has not started any of these three, September is closer than it looks.

A direct offer

Datagence built Polus™ HCP for exactly this seam: the reconciliation, identity resolution, and provenance work that turns a directory file into an attestation a C-level executive can sign with confidence. We have packaged that work into a Readiness Assessment that produces, in two to three weeks, the dated baseline document the attestation defense actually requires.

If you would rather not wait for the next article, I read every message that comes to my personal inbox: [email protected]. Send me a short note, and we will set up a conversation.

If you want to dive deeper:

Share
Connect

Have a data initiative? We’re here to help.

Let's brainstorm