On February 25, 2026, the Trump Administration announced a package of enforcement actions that few health plan leaders could afford to ignore. The launch of a Request for Information under a new initiative called CRUSH: Comprehensive Regulations to Uncover Suspicious Healthcare. 

CRUSH signals about where federal compliance expectations are heading for health plans over the next two to three years. This article examines that trajectory and its operational implications. 

What Is CMS CRUSH? A Definition 

CRUSH stands for Comprehensive Regulations to Uncover Suspicious Healthcare. It is CMS's framework for expanding and standardizing its fraud, waste, and abuse enforcement capabilities across Medicare, Medicare Advantage, Medicaid, CHIP, and the Health Insurance Marketplace. Launched in February 2026 as a Request for Information, it covers thirteen regulatory topic areas and is expected to be followed by a formal proposed rule later this year.

What distinguishes CRUSH from prior anti-fraud efforts is its reach. The RFI asks for input on provider enrollment, ownership verification, Medicare Advantage oversight, AI-assisted coding, beneficiary protections, Marketplace integrity, and Medicaid oversight. It examines every part of the system where data inconsistencies enable improper payments.

For health plans, the most consequential aspect of the CMS CRUSH rule 2026 is not the enforcement language. It is the compliance infrastructure the initiative will require. CRUSH anti-fraud rulemaking is, at its foundation, a data accountability initiative. CMS is building the regulatory tools to identify gaps between what plans report and what beneficiaries encounter. Plans with fragmented, inconsistent, or stale provider data will find those gaps difficult to close under heightened scrutiny. 

CMS CRUSH as a Standardized Reporting Framework 

CMS CRUSH rule 2026 will establish standardized reporting requirements for provider network and directory information across health plans. When CMS receives data in a consistent format from every plan, it gains the ability to compare submissions across organizations, identify discrepancies between what plans report and what members encounter, and flag anomalies that would otherwise go undetected in a fragmented reporting environment. 

The data elements involved will be familiar to health plan teams. Provider participation status, specialty, practice location, and whether the provider is accepting new patients are all standard fields. What changes under CMS anti-fraud rulemaking is the level of accountability attached to that data. Submissions become comparable across plans. Discrepancies become visible at scale. What was once an internal data quality problem, becomes a compliance exposure that can be measured, benchmarked, and actioned by regulators. 

This shift has direct operational consequences. An outdated directory, a provider record that shows active in one system and inactive in another, or a roster that has not been reconciled in sixty days: each of these was manageable as a back-office maintenance issue. Under a standardized reporting regime, each one carries compliance weight. 

Health plan leaders should understand CRUSH not only as an anti-fraud measure, but as an initiative that will fundamentally change the scrutiny applied to provider data submissions. This is why Medicare Advantage provider data compliance has shifted from an operational concern to a regulatory priority. Provider data infrastructure, which many plans have historically managed as an operational cost center, now sits at the center of compliance. 

Where CMS CRUSH Hits Health Plans: Three Converging Pressure Points 

CMS CRUSH rule 2026 spans the full healthcare system, but several of its focus areas converge directly on Medicare Advantage provider data compliance obligations. Three deserve particular attention. 

1. Provider Directory Accuracy: From Member Experience Problem to Compliance Liability 

Provider directory accuracy has been a known industry challenge for years. What CRUSH anti-fraud rulemaking changes is the regulatory consequence attached to that challenge.

Starting January 1, 2026, Medicare Advantage organizations are required to submit provider directory data directly to CMS for publication in Medicare Plan Finder and to update it within 30 days of any change. Plans must attest annually to the accuracy of submitted data. CMS has stated explicitly that it views directory inaccuracies as potentially misleading marketing, and it uses directory audits, data validation, and secret shopper surveys as core compliance monitoring tools. 

The scale of the accuracy problem across the industry tells its own story and the numbers from three independent sources tell a consistent one. 

These figures describe an industry-wide problem. Under CRUSH, CMS fraud waste abuse rule, standardized submissions will make it visible to CMS across every plan at once. Ghost networks health plans have struggled to address for years will now become visible to CMS at scale through pattern analysis of standardized submissions. The compliance risk attached to directory inaccuracy is growing sharply, and the window to address it proactively is narrowing. 

There is also a legal dimension. MAOs certify that data submitted to CMS for payment is accurate. Submission of inaccurate data can trigger civil liability under the False Claims Act. The line between poor data hygiene and actionable non-compliance is thinner than many compliance teams assume. 

2. Medicare Advantage Oversight: Broader Scrutiny on Operations

The AHA's response to the CRUSH RFI made a notable point: Medicare Advantage organizations should not be able to evade federal oversight by treating compliance with Medicare coverage rules as a private payment matter. The AHA's position tracks where the regulatory debate is heading. CMS and OIG are signaling that MAO compliance programs will be scrutinized more closely. 

OIG's February 2026 Industry Segment-Specific Compliance Program Guidance for Medicare Advantage sets a new baseline for what internal compliance programs must include. MAOs are expected to certify data accuracy, monitor risk adjustment submissions, and proactively identify and return overpayments. For health plans working through the specifics of Medicare Advantage provider data compliance, False Claims Act exposure applies where those obligations are not met. 

3. AI-Enabled Upcoding: A Problem That Now Has a Dollar Figure 

CRUSH's RFI specifically asks how CMS should address artificial intelligence in medical coding. The timing reflects new evidence. In March 2026, Blue Health Intelligence, the research partner of the Blue Cross Blue Shield Association, published findings that gave the upcoding concern a concrete scale.

The analysis found that hospitals using AI ambient listening tools showed sharp increases in high-complexity coding with no corresponding increase in care intensity, a pattern consistent with upcoding. BCBSA has since called on CMS to require pre-deployment testing, post-deployment governance programs, and standardized disclosure requirements for AI tools used in coding or claims processes. 

The implications for health plans run in two directions. Plans need to review AI-generated codes arriving from providers in their networks, and they need to govern AI tools operating within their own organizations before CMS sets those governance requirements through rulemaking. 

The Common Thread: Fragmented Provider Data Infrastructure 

Each of the compliance pressures described above connects back to the same operational reality. Health plans typically manage provider data across multiple disconnected systems. Credentialing runs through one workflow. Directory updates run through another. Roster management sits in a third system. Compliance reporting draws from all of them, often with inconsistencies that no single team has clear ownership over. 

Fragmented data was a manageable back-office inconvenience when regulatory scrutiny was modest. It becomes a structural compliance vulnerability under CRUSH anti-fraud rulemaking. Plans cannot report cleanly to CMS when the underlying data environment is inconsistent. They cannot maintain accurate directories when provider status changes are slow to propagate across systems. They cannot respond confidently to a regulator if their teams are uncertain which record is authoritative.

Stale records accumulate when updates in one system do not automatically flow to others. Manual reconciliation processes introduce errors and fall behind during high-volume periods. Audit responses require assembling data from multiple sources, which takes time and creates exposure when records conflict. CRUSH, the CMS fraud waste abuse rule does not create these problems. It creates the conditions under which they become much harder to manage quietly. 

What Health Plan Leaders Should Do Before the Rule Is Final 

1. Assess Your Provider Data Infrastructure Now 

The CMS CRUSH proposed rule has not yet been published. The gap between the RFI and the final rule represents one of the few opportunity health plans will have to fix infrastructure problems before they become compliance violations. An honest assessment of where provider data lives, how it is maintained, how errors are detected, and how long they take to correct is the necessary starting point. 

2. Close the Gap Between Credentialing, Directories, and Rosters 

Provider directory accuracy depends on all three systems staying aligned; it is the same fragmentation that produces ghost networks, and health plans cannot easily defend during a CMS audit. It represents a structural risk under any standardized reporting regime. Reducing the number of places where key data fields can be edited independently, and building automated synchronization where possible, directly reduces the inconsistency that CMS CRUSH rule 2026 will surface. 

3. Build AI Governance Before Regulators Define It for You 

BCBSA's formal request to CMS on AI governance requirements signals where rulemaking is heading. Health plans that already have documented oversight programs for AI tools influencing coding, prior authorization, and network decisions will be better positioned than those assembling a response after the rule lands. 

4. Prepare for Continuous Verification, Not Periodic Reporting 

Quarterly verification cycles satisfy the current regulatory floor. The CRUSH anti-fraud rulemaking initiative is being built around an assumption of near-real-time data accuracy. Plans that shift their data governance from periodic batch updates to continuous monitoring will find compliance easier to maintain and easier to demonstrate. 

How HiLabs Addresses These Challenges 

HiLabs built the MCheck® platform to address the provider data accuracy problems that  CRUSH will put under direct regulatory scrutiny. Each capability maps to one of the structural gaps described in this article. 

• MCheck Provider Data Accuracy scans thousands of public and private data sources using proprietary R3 scoring, reliability, relevance, and recency to assess the quality of every provider data point in real time. The platform continuously adapts as provider information changes, which means provider directory accuracy reflects the current status rather than the last batch update. The output is validated, high-confidence data that compliance and network teams can act on without manual verification loops. 

• MCheck NetworkIQ combines compliance and network strategy in a single platform. It directly addresses the ghost networks health plans struggle to eliminate without disrupting adequacy. A pre-configured rules engine tracks CMS and state adequacy requirements in real time, ghost providers are eliminated through what-if scenario modeling without disrupting network adequacy, and audit submissions are generated as pre-built CMS HSD and state-compliant outputs. Beyond compliance, NetworkIQ runs payer-versus-payer competitive analysis, forecasts the financial impact of provider turnover and contract terminations, and scores providers across clinical, claims, member, and pricing data, giving network teams the intelligence to build a better network, not just report on the current one. 

• MCheck Roster Automation fully automates roster workflows from intake through validation to downstream load, with built-in reconciliation workflows for flagging and correcting exceptions. It standardizes 260+ provider data elements across any file format using configurable business rules, and processes updates end-to-end in under 48 hours, keeping plans within No Surprises Act requirements without adding operational headcount. 

   

For health plans working toward the accuracy and audit-readiness that CMS CRUSH rule 2026 will require, these results reflect what a move from periodic data maintenance to continuous provider data governance looks like in practice. 

The Compliance Window Is Narrower Than It Looks 

CMS CRUSH is still in the Request for Information phase, which means health plans have time to get ahead of it. This window will close. CMS has signaled its intent to move to a proposed rule, and the enforcement actions taken on February 25, 2026 made clear that the administration is not waiting for final rulemaking to act.

The 2025 enforcement numbers tell the story of what CMS can do under its current authority: billions in suspended payments, thousands of revocations, and hundreds of millions in Medicaid fund deferrals.⁵ The CMS fraud waste abuse rule will expand that authority considerably. 

Health plans that use this window to strengthen Medicare Advantage provider data compliance, close the gap between credentialing and directory systems, and establish documented AI governance programs will be in a very different position than those that wait for the final rule. Provider directory accuracy is no longer a quality metric. It is a compliance input. The plans that treat CRUSH anti-fraud rulemaking as a data infrastructure problem, and address it while the rule is still taking shape, are buying something more durable than compliance. They are building the operational foundation to demonstrate it. 

Sources 

1. Defacto Health, National Provider Directory Accuracy: July 2025 Report, July 29, 2025. Independent audit of 124 payer provider directories using consensus algorithms calibrated against CMS-style secret shopper phone audits. https://defacto.health/2025/07/29/national-provider-directory-accuracy-july-2025-report/ 

2. OIG, Many Medicare Advantage and Medicaid Managed Care Plans Have Limited Behavioral Health Provider Networks and Inactive Providers, October 2025. Data Brief: Many Medicare Advantage and Medicaid Managed Care Plans Have Limited Behavioral Health Provider Networks, OEI-02-23-00540 

3. American Journal of Managed Care, Persistence of Provider Directory Inaccuracies After the No Surprises Act, November 2024. https://www.ajmc.com/view/persistence-of-provider-directory-inaccuracies-after-the-no-surprises-act 

4. Blue Health Intelligence / Blue Cross Blue Shield Association, New BCBSA Research Shows AI Billing Raises Health Care Costs, March 2026. Analysis of Q2 2022 through Q1 2025 commercial claims data. https://www.bcbs.com/about-us/association-news/new-bcbsa-research-on-ai-hospital-billing-driving-higher-health-care-costs 

5. CMS enforcement metrics, 2025; Medical Economics, CMS Launches Three-Pronged Plan to CRUSH Health Care Fraud, March 4, 2026. https://www.medicaleconomics.com/view/cms-launches-three-pronged-plan-to-crush-health-care-fraud