Skip to content
fonteum
DataAPIRisk SignalsResearchCompareSnapshotsRequest access →

Compliance posture

Methodology · Corrections log · Editorial policy

fonteum

Product

  • Data
  • API
  • Methodology
  • Sources
  • Freshness
  • Citations
  • Moat metrics

For buyers

  • AI agents
  • RAG developers
  • Compliance
  • Researchers
  • Developers

Reference

  • Compare
  • llms.txt
  • Agent card
  • Audit pack
  • Quality scorecard
  • Pilot intake
  • Research
  • Press & media

Sourced from federal agencies. Fonteum, Inc., Delaware C-corp. © 2026.

Request access→
1,322,867 nurse-staffing records · CMS PBJ

Fonteum Research · No Surprises Act

NSA Compliance Leaderboard

Quarterly compliance scores derived from CMS IDR filing data (provider-side) and the CMS MRF non-compliant issuer list (payer-side). All data is federal public domain.

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.Last updated 2026-05-24

First issuance pending — the quarterly cron runs on the 15th of March, June, September, and December.

Operator can trigger manually via the Inngest dashboard (function: nsa-compliance-quarterly).

Methodology

Scores derived from CMS public data under the No Surprises Act (Pub. L. 116-260). Provider-side: IDR filing rates from CMS quarterly IDR data. Payer-side: MRF publication status from CMS non-compliant issuer list. Both are federal public domain (US-Government-Works).

Full methodology → · Version: nsa-compliance/v1

Limitations: IDR filing data is aggregate and may not reflect individual dispute outcomes. MRF compliance is based on the CMS non-compliant issuer list; absence from the list does not guarantee full compliance. This index is a research tool, not a legal determination.

Background: surprise billing and the federal response

For most of the last two decades, a patient who did everything right — going to an in-network hospital, choosing an in-network surgeon — could still receive a large bill from an out-of-network clinician they never knowingly selected: the anesthesiologist, the radiologist, the pathologist, the assistant surgeon. Because that clinician had no contract with the patient's health plan, they could bill the patient for the gap between their charge and whatever the plan paid, a practice known as balance billing. Emergencies were worse still, since a patient in crisis has no opportunity to check network status at all. Surprise bills of thousands of dollars were common, and the disputes that produced them were, in effect, pushed onto the patient as the party with the least information and the least leverage.

The No Surprises Act, enacted as Division BB of the Consolidated Appropriations Act, 2021 (Pub. L. 116-260) and effective January 1, 2022, changed the default. For emergency services, for non-emergency services delivered by out-of-network clinicians at in-network facilities, and for air-ambulance transport, the patient is now responsible only for the cost-sharing they would have owed in network. The payment disagreement that remains does not disappear — it moves off the patient's ledger and into a structured process between the provider and the health plan. The implementing rules are spread across three agencies: 29 CFR §2590.716 for the Department of Labor, 45 CFR §149.140 for the Department of Health and Human Services, and 26 CFR §54.9816 for the Internal Revenue Service. That tri-agency structure is why compliance signals for the Act are scattered across multiple federal data releases rather than living in one register.

The mechanism that resolves the remaining dispute is the federal Independent Dispute Resolution process. After a 30-business-day open-negotiation window, either the provider or the plan can escalate to IDR, where a certified IDR entity reviews a single payment offer from each side and selects one of the two as binding. This baseball-style arbitration is deliberate: by forcing each party to name one number that the arbiter must either accept or reject in full, it discourages extreme offers and pulls both sides toward a defensible figure. The qualifying payment amount — roughly, the plan's median contracted rate for the service — is one of the factors the arbiter weighs. CMS publishes the volume of disputes initiated each quarter, and those volumes have run substantially higher than federal agencies projected when the program launched, which is itself a signal that out-of-network payment friction remains widespread.

On the payer side, a parallel set of transparency rules requires health plans and issuers to publish machine-readable files disclosing their negotiated in-network rates and out-of-network allowed amounts in a standardized, automation-friendly format. The intent is to let researchers, employers, and competitors see the price structure that was previously opaque. CMS tracks issuers that fail to publish conforming files, and that non-compliant issuer list is the federal source this leaderboard uses to score MRF compliance. It is important to read that list correctly: it records observed non-compliance, so an issuer's absence from it means no recorded violation for the period rather than an audited attestation of full conformance.

How the nsa-compliance/v1 score is built

The leaderboard combines the two federal signals into a single composite under a pinned methodology version, so that any figure shown here can be reproduced and any change to the method is explicit rather than silent. The provider-side IDR-rate score normalizes dispute volume against claim volume: it is one minus the clamped ratio of average IDR filings per 1,000 claims to a ceiling of 50. An entity at or above 50 filings per 1,000 claims receives a score of 0, and a very low filing rate approaches 1. Normalizing by claim volume is what makes a small group comparable to a large one; without it, raw dispute counts would simply rank entities by size.

The payer-side MRF score is the fraction of an entity's issuers that are in compliance per the CMS non-compliant issuer list. When both an IDR score and an MRF score are available for an entity, the composite is their average; when only one signal exists, the composite is that single score, so an entity is never penalized for the absence of a signal that does not apply to it. The composite then maps to a letter grade — A at 0.90 and above, B at 0.75, C at 0.60, D at 0.45, and F below — purely as a reading aid; the underlying numeric score is the authoritative value and is always shown alongside.

Two data-hygiene rules matter for interpretation. First, entities with fewer than 50 NPIs are flagged as insufficient sample when IDR is their only signal, because a small denominator makes a normalized rate volatile; pure payer entities scored on MRF data alone are not flagged. Second, CMS suppresses small cells in its IDR data using the sentinels "*" and "DS"; the model converts those to null and drops them from averages rather than misreading a suppressed cell as a zero, and MRF rows with no compliance status are excluded from the denominator entirely. These choices are the difference between a score that reflects the data and one that quietly invents it. As stated in the limitations above, the result is a research instrument, not a legal determination: a low score is a prompt to look closer, not a finding of fault.

Frequently asked questions

What is the No Surprises Act and what does it require?
The No Surprises Act is part of the Consolidated Appropriations Act, 2021 (Pub. L. 116-260, Division BB), effective January 1, 2022. It bars balance billing in three situations where a patient cannot reasonably choose an in-network provider: emergency services, non-emergency services delivered by out-of-network clinicians at in-network facilities, and air-ambulance transport. For these services the patient owes only their in-network cost-sharing amount, and the remaining payment dispute between the provider and the health plan is resolved through a federal process rather than billed to the patient. The implementing regulations sit at 29 CFR §2590.716 (Department of Labor), 45 CFR §149.140 (Department of Health and Human Services), and 26 CFR §54.9816 (Internal Revenue Service).
How does the federal Independent Dispute Resolution (IDR) process work?
When a provider and a health plan cannot agree on the out-of-network payment for a protected service, either party may open a 30-business-day negotiation period. If that fails, either side can initiate federal IDR. A certified IDR entity then resolves the dispute using baseball-style arbitration: each party submits a single payment offer, and the arbiter selects one of the two offers as the binding amount rather than splitting the difference. CMS publishes the volume of IDR disputes initiated each quarter, broken out by the initiating party and other dimensions. The provider-side input to this leaderboard is that quarterly IDR filing volume, normalized against claim volume so that entities of different sizes can be compared.
What are machine-readable files (MRFs), and how do they relate to compliance?
Separately from the IDR process, federal transparency rules require health plans and issuers to publish machine-readable files disclosing their negotiated in-network rates and out-of-network allowed amounts in a standardized format. CMS tracks issuers that fail to publish conforming files. The payer-side of this leaderboard scores MRF publication compliance using the CMS non-compliant issuer list: an issuer absent from the list is treated as in compliance for the period, and the score reflects the fraction of an entity's issuers that are in compliance. Because the list captures non-compliance rather than affirmative attestation, absence from it indicates no recorded violation rather than an audited guarantee — a limitation stated openly on the page.
How is the compliance score calculated?
The score is produced by the pinned nsa-compliance/v1 model. The provider IDR-rate score is 1 minus the clamped ratio of average IDR filings per 1,000 claims to a ceiling of 50, so an entity at or above 50 filings per 1,000 claims receives a score of 0 and a very low filing rate approaches 1. The payer MRF score is the fraction of an entity's issuers that are in compliance per the CMS non-compliant issuer list. When both an IDR score and an MRF score are available for an entity, the composite is their average; when only one signal is available, the composite is that single score. Letter grades map the composite: A at 0.90 and above, B at 0.75, C at 0.60, D at 0.45, and F below that.
Why are some entities marked with insufficient sample or a dash?
Entities with fewer than 50 NPIs are flagged as insufficient sample when IDR is their only available signal, because a small denominator makes a normalized filing rate unstable; pure payer entities scored on MRF data alone are not marked insufficient. Separately, CMS suppresses small cells in its published IDR data using the sentinels "*" and "DS". The model converts those sentinels to null and excludes them from averages rather than reading them as zero, and MRF rows with no compliance status are excluded from the denominator. A dash in the grade column means the composite could not be computed from the available, non-suppressed data for that period.
Is this leaderboard a legal determination of compliance?
No. It is a research instrument built from federal public data, not a legal or regulatory finding. IDR filing data is aggregate and does not reflect the outcome of any individual dispute, and MRF status is inferred from the CMS non-compliant issuer list rather than an independent audit. A low score is a signal worth examining, not proof of a violation, and a high score is the absence of recorded problems, not a guarantee of full compliance. The page states these limitations inline so that the figures are read in the right register.
Where does the underlying data come from, and is it free to reuse?
Both inputs are federal public domain (US-Government-Works): the provider-side IDR filing rates come from the CMS quarterly IDR reports, and the payer-side MRF compliance comes from the CMS non-compliant issuer list. The full scored dataset is downloadable as CSV, and the page ships BibTeX, APA, and Chicago citation forms. Because the sources are federal public records, an independent team can pull the same files and reproduce any figure shown here under the pinned methodology version.
How current is the data and how often does it refresh?
The leaderboard recomputes quarterly. The scoring job runs on the 15th of March, June, September, and December, aligned to the cadence on which CMS releases new IDR data. Each computed row carries its issuance period and the methodology version it was scored under, so a reader can tell exactly which federal release a figure reflects rather than relying on a single site-wide freshness claim.

Related research

  • Hospital Margin Gap →

    Hospital financial performance from CMS HCRIS cost reports — the federal filing behind most commercial hospital-finance products.

  • Provider Directory Accuracy →

    How often payer provider directories diverge from the federal NPPES record, measured against the primary source.

  • Anatomy of the NPPES Record →

    A field-by-field read of the federal NPI registry that underpins provider identity across Fonteum's datasets.

  • All Fonteum research →

Cite This Dataset

BibTeX

@dataset{fonteum_nsa_tbd,
  author    = {Fonteum},
  title     = {NSA Compliance Leaderboard},
  year      = {2026},
  publisher = {Fonteum},
  url       = {https://fonteum.com/research/nsa-compliance},
  note      = {Derived from CMS public data. Methodology: nsa-compliance/v1}
}

APA

Fonteum. (2026). NSA Compliance Leaderboard. https://fonteum.com/research/nsa-compliance

Chicago

Fonteum. "NSA Compliance Leaderboard." https://fonteum.com/research/nsa-compliance, 2026.