In late April 2026, CMS Administrator Dr. Mehmet Oz sent letters to the governors of all 50 states with a direct and time-sensitive demand: conduct a swift revalidation of high-risk Medicaid providers and submit a comprehensive two-year provider revalidation strategy within 30 days. The letter was unambiguous about the urgency. Corrupt individuals and organizations masquerading as healthcare providers are defrauding Medicaid of billions of dollars each year, diverting resources away from the low-income seniors, children, and disabled individuals the program exists to serve. States were also told that failure to respond within 10 business days would be factored into federal assessments of fraud likelihood in their programs.
The directive placed particular emphasis on providers without a National Provider Identifier (NPI), a class of enrollees that CMS has identified as especially vulnerable to fraud because of less rigorous enrollment and billing requirements. For state Medicaid administrators, this is not a vague policy signal. It is a federal compliance requirement with a defined clock. The challenge is that most states do not have a rapid, scalable process to verify the identity and credentials of thousands of providers in a matter of weeks, not fiscal years.
State Medicaid agencies have long relied on paper-based revalidation processes, periodic site visits, and manual cross-referencing of enrollment records against licensure databases. These methods were adequate for a slower-paced compliance environment. They are not adequate for what CMS is now asking. A letter-and-response workflow that takes weeks per provider, repeated at scale across tens of thousands of enrollees, cannot produce the swift, decisive action the federal government has requested. Minnesota’s response to similar pressure earlier this year required deploying 168 state employees for unannounced site visits across 5,800 high-risk providers. That model is resource-intensive, inconsistent, and difficult to sustain.
The other gap is identity itself. Traditional enrollment processes verify paperwork; they do not robustly verify the person. A fraudulent actor can submit a falsified license, a spoofed NPI, or a fabricated organization address and pass a document review process that has no biometric or authoritative database check behind it. States that continue to rely on documentation-only revalidation are not solving the fraud problem. They are producing compliance artifacts while the underlying vulnerability remains. What this moment requires is an approach grounded in verified digital identity, not just verified documents.
RavenTek’s approach to this challenge centers on integrating high-assurance identity verification directly into the provider enrollment and revalidation workflow, using ID.me as the trusted identity layer. Rather than bolting on a new tool, the goal is to make verified identity the foundation of the entire revalidation process. When a provider is required to re-enroll or revalidate, they complete an IAL2-certified identity proofing process that confirms not just their government-issued ID, but their National Provider Identifier, DEA number, and professional credentials against authoritative federal records. The result is a verified, portable digital credential that can be checked and re-authenticated across multiple state and federal portals without repeating the process from scratch. States like Arizona have already moved in this direction, requiring all users of the AHCCCS Medicaid provider portal to verify through ID.me before accessing sensitive member management functions. That model works, and it scales.
Critically, ID.me already holds an active contract with CMS to serve as the identity verification and sign-in platform for Medicare.gov, effective early 2026. That relationship means the integration patterns, federal certifications, and data exchange protocols are already established with the agency sending Alabama and every other state this directive. RavenTek’s value is in helping state agencies navigate that infrastructure quickly and configure it correctly for their specific Medicaid environments, including their existing Medicaid Management Information Systems. States receive 90 percent federal financial participation for approved MMIS enhancements, meaning the cost to build this capability is largely federally reimbursable. The path forward is not as expensive or as time consuming as many agencies assume, and the compliance clock is already running.
State Medicaid agencies responding to the CMS directive this quarter should take four specific steps. First, map your current provider enrollment data to identify all enrollees without an NPI; this cohort is CMS’s explicit priority and must be the first segment addressed. Second, assess your current provider portal authentication and determine whether your existing MMIS infrastructure can support an ID.me integration or requires a middleware layer. Third, engage with the ID.me Network to understand the pre-built healthcare provider verification workflow, which cross-checks NPI, DEA, and medical license data in minutes rather than days. Fourth, document your revalidation timetable and technology approach now, so that the response to CMS’s 10-business-day notification requirement reflects a credible, technology-enabled commitment rather than a process-only placeholder.
RavenTek works alongside agencies at every stage of Medicaid program integrity maturity, from initial assessment of current enrollment data gaps to full deployment of identity verification infrastructure and compliance reporting. We understand the federal regulatory landscape, the CMS compliance expectations, and the technology ecosystem required to meet them with confidence.
