
May 08, 2026
What states should know before submitting their Medicaid verification plan
On April 21, the Centers for Medicare and Medicaid Services (CMS) Administrator Dr. Mehmet Oz directed all 50 states to submit plans within 30 days for how they'll verify Medicaid providers in "high-risk areas." The directive is intentionally open: no prescribed template, no fixed definition of "high-risk," no mandated methodology. States that come to the table with a rigorous, well-reasoned approach will shape what good looks like, both for their own programs and for the broader federal framework that follows.
The directive has been building for some time. In 2025, CMS suspended $5.7 billion in suspected fraudulent Medicare payments and stopped over $1.5 billion in suspected fraudulent Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) billing. Earlier this year, CMS deferred $259.5 million in federal Medicaid matching funds to Minnesota over unsupported or potentially fraudulent claims, published its Comprehensive Regulations to Uncover Suspicious Healthcare (CRUSH) initiative signaling a shift from "pay and chase" to pre-payment fraud prevention, and imposed a nationwide moratorium on new DMEPOS supplier enrollment.
States that move thoughtfully, addressing root causes rather than layering on controls, will be better positioned in the oversight environment that follows.
What the mandate calls for, and where it has limits
The CMS letter asks states to confirm that enrolled providers are legitimate, qualified, and accurately represented in enrollment data, with particular emphasis on providers without a National Provider Identifier (NPI) and those not screened within the past 12 months. Credential revalidation is the right foundation: providers whose licenses have lapsed, whose locations are unverifiable, or who lack valid NPIs represent a real vulnerability.
But CMS itself acknowledged in the letter that revalidation is "just one component of a broader program integrity framework" and that screening alone may not catch every instance of fraud, particularly where providers are technically qualified. The harder-to-detect pattern is an individual who fabricates or borrows an identity, passes credential screening, and links a bank account to receive Medicaid payments they aren't entitled to. Standard revalidation wasn't designed to catch that.
Credential and identity checks are necessary, but stopping funds from reaching bad actors before a payment moves requires going a step further: confirming that the account designated to receive Medicaid payments actually belongs to the person who enrolled.
What a strong verification plan includes
Credential revalidation as the foundation. Confirming that enrolled providers hold valid licenses, operate at verifiable locations, and have active NPIs is the foundation of what CMS is requesting. States should have processes to verify this at enrollment and revalidate on a defined schedule, with more frequent cycles for high-risk provider categories.
Identity verification as a necessary additional layer. Synthetic identities, built specifically to pass standard database checks, are one of the fastest-growing fraud vectors in financial services. Confirming the identity of an individual provider, including detecting synthetic or fabricated identities, requires more than a database lookup. Combining document verification, device and biometric checks, and database cross-referencing confirms that the identity belongs to a real person, not a synthetic or stolen one.
Bank account to identity matching as an additional check. A strong plan should verify that the bank account designated to receive Medicaid payments is held by the same individual whose identity was verified at enrollment. When a provider links their personal bank account, that process can directly confirm that the account and the identity match, and that the person enrolling has legitimate access to the account receiving funds.
This process can also surface behavioral signals that are only visible at network scale: accounts opened shortly before enrollment, the same device used across multiple provider applications, or activity patterns consistent with a bad actor rather than someone with a legitimate financial relationship to the account. No single state enrollment system can generate these signals on its own.
Risk stratification. The most rigorous controls should be reserved for the highest-risk categories: DMEPOS suppliers, home health agencies, hospice providers, and personal care services have each drawn sustained federal enforcement attention.
Where Plaid fits
Plaid's network helps consumers connect more than 500 million bank accounts to 12,000+ financial institutions and 7,000+ apps to obtain financial services. That scale gives states access to identity and account signals that no single enrollment system can generate on its own, particularly for detecting synthetic identities and confirming that an enrolling individual controls the account designated for payment.
HealthEquity, one of the country's largest health savings account (HSA) administrators, uses Plaid to verify identities and bank accounts for members making ACH payments and transfers. In the words of their Chief Security Officer: "Plaid helps ensure the right person is securely connected to the right account." That same infrastructure, built to stop account takeover and synthetic identity fraud in healthcare finance, maps directly to the provider enrollment challenge states are now being asked to solve.
Plaid's tools are designed to layer into existing enrollment workflows, complementing the credential and licensure checks that form the core of state revalidation programs, not replacing them.
Fraud prevention in government payments is an area where financial infrastructure can make a real difference. We're already working with healthcare organizations on these challenges. States have until May 22 to define what strong looks like. We're ready to connect and help them get there.