Beyond the Compliance Checkbox: Making the Most of CMS's Provider Revalidation Directive

The federal government just handed every state Medicaid director a deadline and a mandate. On April 24, CMS Administrator Dr. Mehmet Oz notified the Medicaid directors and governors of all fifty states that they had 10 days to report to CMS their plans to begin revalidating high-risk providers and 30 days to submit a comprehensive two-year provider revalidation strategy The message was unambiguous: in CMS’s eyes, states own the problem and the solution.

This is not a surprise audit; rather it is, rather, an acceleration of reviews and re-enrollment of providers that have been building for months. It is driven by what CMS describes as "a persistent and growing Medicaid threat posed by sophisticated actors knowingly exploiting" the program's complexity. From Minnesota to New York to California to Florida, enforcement actions have exposed overbilling, phantom claims, identity theft, and falsified records at a scale that demands a systemic response. The question now is not whether states will act, but how.

This Is an OBBB Implementation Moment

In addition to the immediate compliance requirements laid out by Dr. Oz, states that get ahead of this most recent CMS directive are positioning themselves to respond to and implement the additional and significant Medicaid program requirements contained in last year’s One Big Beautiful Bill from a place of strength rather than scramble. States that arrive at OBBB implementation having already built a robust revalidation infrastructure will be better able to demonstrate compliance, protect federal matching funds, and avoid the disruptions to enrollee access that come with reactive audits done under pressure. Governors and Medicaid directors should treat this 30-day window as the first step of a longer OBBB readiness plan rather than a standalone compliance exercise.

Staffing Flexibility Is the Missing Variable 

Every Medicaid administrator knows the real answers to why revalidation backlogs exist: states are overwhelmed. As countless experts have pointed out, many states have fallen years behind on their five-year revalidation schedules simply because they have neither the workforce or technology capacity. The COVID-19 pandemic and the Medicaid unwinding process compounded longstanding staffing pressures, and under-investment in technology has added further challenges.  More than ever before, states must now rapidly develop and implement strategies that enable them to manage administrative weights of Medicaid in the way that best serves beneficiaries and taxpayers alike. And as they face this daunting task, it's important that they be program officials be given the flexibility to access and utilize whichever solutions best tackle their specific environment. 

For example, in virtually every case, state Medicaid directors must have the flexibility to leverage staffing flexibility. Rigid FTE caps, civil service classification barriers, and procurement restrictions that slow contractor engagement and more can all create fraud vulnerabilities when they prevent states from surging capacity in the moments they need it most. That’s why states should use the new CMS directive as grounds to request administrative flexibility from their legislatures and budget offices, and to explore whether independent contractors—the use of which can be scaled up or down as needed,--third-party auditors, and technology-assisted review processes can close the workforce gap faster than traditional hiring pipelines allow.

Technology and Trained Humans: Both Matter

Dr. Oz was explicit at the Politico Health Summit: "Data clues us in to where the fraud is." CMS is instructing states to use advanced technology and data analytics as core tools in their revalidation strategies. This is the right approach given how essential smart technology deployment is to Medicaid program integrity. As CAMI has long argued, automated screening of provider enrollment data, anomaly detection in billing patterns, and cross-referencing against law enforcement databases can flag suspicious actors far faster than manual review alone. But meeting the moment also requires a realistic implementation plan that adequately accounts for technology investments to ensure that the necessary infrastructure is in place. Moreover, technology deployed without the requisite, associated workforce--the trained human component--creates its own risks. Algorithms can miss context, and edge cases require case workers who understand what legitimate provider behavior looks like in specific service categories, particularly in home- and community-based services, which CMS has identified as the highest-risk area in this initiative. States that invest only in software without building a balance of internal and external human expertise will find themselves approving false negatives and generating false positives at scale.  Most importantly, the potential financial penalties states will incur a failure to meet the new requirements will dwarf the investments needed to ensure compliance.

What States Should Do Now 

States serious about responding effectively to this CMS directive should begin with an immediate inventory of providers in high-risk categories, prioritizing those who have not been revalidated in the past 12 months. At the same time, they need to honestly assess current staffing capacity gaps and begin building the case for workforce flexibility tools, including independent contractors and third-party audit firms. The workforce assessment should run parallel to a review of existing technology infrastructure for provider screening and billing anomaly detection. The two-year revalidation strategy states submit to CMS should explicitly tie to OBBB implementation timelines and Medicaid integrity requirements under federal statute, and states should designate a point of contact with CMS within the 10-day notification window to demonstrate good-faith engagement from the start.

The 30-day clock is running. States that treat this as a compliance checkbox will produce paper plans that do not survive contact with the actual fraud landscape. States that treat it as a genuine reform opportunity, with the staffing tools, technology investment, and institutional will to match, can use this moment to build Medicaid programs that are not just cleaner, but are more durable and better positioned to deliver exceptional performance. CAMI has long advocated for program integrity frameworks that use the best available technology, the right workforce models, and the kind of transparent accountability that protects both taxpayers and the Medicaid beneficiaries who depend on these programs. Now is the time to meet that challenge.