NCQA Credentialing Requirements

topographic map

One of our goals for our blog is to demystify credentialing so we are creating a series especially for leaders and business process owners who want to gain a deeper understanding of the NCQA standards and credentialing guidelines but don’t have time to wade through 100 pages of regulations. In this series, we’ll break down what you need to know about credentialing, recredentialing and delegated credentialing. In this first installment, we cover organizational requirements, which include your organization’s policies and procedures (CR1). 

Before we dive into the nitty-gritty, it’s worth noting that the simplest way to get 100% credit for credentialing and recredentialing in your next NCQA survey is to delegate to an NCQA-certified CVO such as andros.

Organizational Requirements for NCQA Standards

Policies and Procedures (CR1)

NCQA standards require that all healthcare organizations have a “well-defined credentialing and recredentialing process for evaluating and selecting licensed independent practitioners to provide care to its members” (CR1). In your credentialing process, you will want to define the following sections:

 ID NCQA DefinitionWhat It Means
1The types of practitioners the organization credentials and recredentials.All licensed independent practitioners (LIPs) are required to be credentialed. This includes physicians who are MDs or DOs and advanced-practice nurses (APNs) who practice independently.   Best Practice: Although NCQA audits the credentialing files of LIPs (including MDs, DOs, and APNs), it is highly recommended to credential all practitioners to the same standards. This ensures maximal quality and safety to patients and protects the organization from additional risk.
2The verification sources the organization uses.NCQA standards require that the authorized primary source (e.g., state medical board, DEA, ABMS) be queried to verify the credentials of a provider during the credentialing process. Here’s a handy guide to primary sources.
3The criteria for credentialing and recredentialing.NCQA requires that providers be recredentialed at least once every three years.   Best Practice: Provider organizations should recredential every 24 months. Payers should recredential at least every 36 months.
4The process for making credentialing and recredentialing decisions.Document standards for providers and, importantly, the basis for decision-making so that if a provider is denied from participating in the network, it’s clear why and that it’s not a question of discrimination.   Best Practice: Work with the compliance team to establish baseline criteria. Include specific criteria for licensure, history of disciplinary actions, and malpractice.
5The process for managing credentialing files that meet the organization’s established criteria.Are you required to send all files to the credentialing committee?   Best Practice: For efficiency, set up criteria for what constitutes a “clean file” and designate the medical director or qualified practitioner to approve clean files.
6The process for delegating credentialing or recredentialing.NCQA requires that an organization have proper delegation agreements in place that explicitly dictate the scope of work in the delegated relationship.   Best Practice: To maximize efficiency, consider delegating application processing of primary source verifications (PSVs) to an NCQA-certified CVO.
7The process for ensuring that credentialing and recredentialing are conducted in a non-discriminatory manner.This may seem like common sense these days, but it’s important to document the company’s non-discriminatory policies for network selection.   Best Practice: In addition to the common categories used in non-discrimination policies, such as sex, age, and race, it’s important to state that the plan does not discriminate against providers who have a client base of Medicaid or Medicare patients. All files completed by the CVO are reviewed by the credentialing committee, and providers have the right to be informed of the committee’s decision and, ultimately, to appeal if necessary.
8The process for notifying practitioners if information obtained during the organization’s credentialing process varies substantially from the information they provided to the organization.Document a process to notify providers if the provided information in application forms differs from the primary source. This goal allows practitioners to discover errors and ensures organizations receive truthful attestations from providers.   Best Practice: For efficiency, triage these issues within 30 days of the application submission.
9The process for ensuring that practitioners are notified of the credentialing and recredentialing decision within 60 calendar days of the credentialing committee’s decision.Document a process for notifying the practitioner of the final decision, and have an appeal process for cases in which the organization denies a provider.   Best Practice: Communication has a material impact on provider relations. Notify providers as quickly as possible of both approvals and denials.
10The medical director or other designated physician’s direct responsibility and participation in the credentialing program.NCQA standards require that the organization assign a physician or peer provider to lead the credentialing program.  In addition, the medical director is to call upon a committee of peers with varied professional expertise, enabling the fair and competent evaluation of providers applying for enrollment.
11The process for ensuring the confidentiality of all information obtained in  the credentialing process, except as otherwise provided by law.All provider information is confidential and must be managed securely by a CVO. Only authorized agents such as a CVO may query primary sources on behalf of a health plan and their providers.
12The process for ensuring that listings in practitioner directories and other materials for members are consistent with credentialing data, including education, training, board certification, and specialty.A health plan is required to list the most up-to-date information about the doctors in its network. Provider data must be accurate in order to best serve the members of a health plan.

andros Pro Tips for NCQA Standards:

  • Apply a KISS (Keep It Simple, Stupid) mindset to your policies and procedures documents to avoid over-engineering your documentation.
  • Don’t simply copy the language from NCQA guidelines verbatim. You and your team need to think about the standards and how they apply to your unique organization. Copied-and-pasted content in your documents will raise red flags for NCQA surveyors.
  • Use a version-control process to track dates and times so that it is easy for the surveyor to see that your documentation has been in place for the entire lookback period. (A lookback period is six months for an initial survey and 24 months for renewal surveys.)

NCQA CR 2: Credentialing Committee

NCQA requires that health plans have a “well-defined credentialing and recredentialing process for evaluating and selecting licensed independent practitioners to provide care to its members.” In your credentialing process, you will want to pay close attention to the following sections:

IDNCQA DefinitionWhat It Means
A1The organization must have a credentialing committee that uses participating practitioners to provide advice and expertise for credentialing decisions.    All health plans need a credentialing committee to govern the process of approving or denying enrollment of a physician. The goal of this process is to have the incoming physician peer-reviewed by physicians of similar specialty background. Reviews must take place in real time, in person or using teleconferencing technology; they cannot be conducted by email.
A2 The credentialing committee must review credentials for practitioners who do not meet established thresholds.The committee must be fair and give thoughtful consideration to credentialing data presented on all eligible providers. Credentialing decisions and the reasoning behind those decisions must be carefully documented during the review meeting.    
A3The organization      ensures that files that meet established criteria are reviewed and approved by a medical director or designated physician.A medical director or qualified physician can review and approve clean files. Evidence of review must be documented by a unique electronic identifier or a handwritten signature on paper.
Best Practice: NCQA allows and encourages clean files to be handled in this way to help the organization achieve timely turnaround times


andros Pro Tips:

Timeliness can be an issue because credentialing committees must meet in real time. Therefore, your credentialing department should make it as easy as possible for the credentialing committee to review the necessary files.

  • Don’t burden the credentialing review committee with clean files when a medical director or qualified physician can review and approve these cases. Set up your credentialing committee for success by translating credentialing committee by-laws into actionable malpractice thresholds and organizing providers into tiers for automatic approval or mandatory review.
  • Provide complete verification information to committee members to reduce the back and forth between administrative professionals and the committee. Make sure the information is up to date and comprehensive in order for it to be useful for a committee while it is in session.
  • Systematically record committee decisions to create an auditable record, taking the necessary action to add or remove a provider from a provider roster.

Credentialing Requirements (CR 3)

First, it is important to submit a credentialing application that meets the minimum standards. An application for credentialing must, at minimum, include the following:

  • Factor 1: Reasons for the inability to perform the essential functions of the position the provider is being onboarded to do
  • Factor 2: Lack of present illegal drug use
  • Factor 3: History of loss of license and felony convictions
  • Factor 4: History of loss or limitation of privileges or disciplinary actions
  • Factor 5: Current malpractice insurance coverage (the NCQA requirement is that insurance is current at time of attestation)
  • Factor 6: Current and signed attestation confirming the correctness and completeness of the application


Second, you’ll need to show the surveyors that your organization has a robust program to verify provider’s credentials to demonstrate that you have ensured that “practitioners have the legal authority and relevant training and experience to provide quality care.”

You’re required to verify the following elements:

Verification neededWhat this means                                                                                                                                                                       
LicenseA provider is required to have a valid, current license to practice at the time of the credentialing decision. The medical board for the state in which the practitioner practices is the acceptable primary source to validate this element.
DEA permit or CDS certificateVerification of a current, active DEA or CDS certificate is required to ensure that practitioners can write prescriptions. The organization is required to perform the verification for each state in which practitioner is writing prescriptions and practicing.
EducationThe organization must verify the highest level of education and training. Going from the highest level to the most basic level, board certification, residency, and medical school attendance must be verified. For instance, if a practitioner is board certified, the organization can verify to this level to satisfy NCQA requirements, and no further verification needs to be performed directly with the residency or medical school.
Board certification statusBoard certification is not a requirement for a practitioner to be credentialed. However, the organization is required to verify if the practitioner states that he/she is board certified. Acceptable sources include:
● American Board of Medical Specialties (ABMS)
● Equivalent official display agent (e.g., andros, an official display agent of the ABMS)
● state licensing agency, provided the state performed the primary source verification originally with the specialty board
Work historyThe work history of a provider needs to be verified with a CV or resume provided to the organization. A minimum of five years of work history should be obtained. Employment dates must include month and year. Any gap greater than six months must be explained verbally or in writing. If the gap exceeds one year, the practitioner must provide a written explanation.
MalpracticeMalpractice history up to five years must be obtained, including residency and fellowship. The National Provider Data Bank (NPDB) is the primary source to query to obtain malpractice history.
SanctionsState sanctions, Medicare sanctions, Medicaid sanctions, or restrictions on licensure or limitations in scope of practice need to be checked against primary sources. The NPDB is a recommended primary source that is comprehensive and trusted.

Want to know more about primary source verifications? Check out our article, The ABCs of PSVs.

andros Pro Tip

Application design is important. An application that is easy to read and fill out is essential for providers who are busy with patients and other paperwork. Increase goodwill with your providers by giving them an application that is intuitive and does not require them to answer the same questions (such as their name and address) more than once. They will thank you for providing them with a simplified application. Furthermore, there is an increasing demand for web-based applications. These are easier to fill out than paper or PDF applications, and they decrease total turnaround time. For more information about how andros can help you with your credentialing process, contact us.

CR 4 Provider Application and Attestation:

A complete provider application must include a current and signed attestation from the provider about why they cannot perform certain tasks, a history of loss of medical license, felony convictions and any limitations of privileges or disciplinary actions, as well as current malpractice coverage. The attestation must have been completed within the last 305 days for a CVO and 365 days for a health plan for it to be considered current.

andros Pro Tip: Make sure your provider application is streamlined and easy for providers to complete. No one likes filling out applications that ask for the same information again and again.

andros’s online application asks the provider to give their name, address and work history only once. If a provider’s information is available in CAQH, their data can be automatically imported without further data entry. Even with the attestation questions, andros’s application takes an average of 20 minutes to complete, compared to the 2+ hours it takes to complete paper applications.

Better yet, because our application is online, it requires no data entry on your part — and triggers the primary verifications function immediately, making it possible to complete an application in 5 days or fewer.

CR 5 Initial Sanction Information:

This requires that the credentialing committee receive and review information about each provider from third parties — i.e., the primary sources for sanctions including OIG, FSMB, state licensing boards and NPDB.

andros Pro Tip: Ensure that all the data the review committee needs to make an informed decision is easy to access and understand. andros’s cloud-based platform captures all pertinent primary source verification information, credentialing application data, and any additional attachments such as malpractice facesheets and immunization records. Because all the info is stored in one central location online, the committee review process is streamlined and can be conducted from anywhere.

CR 6 Practitioner Office Site Quality:

This requirement is designed to ensure that a provider’s physical office meets the quality requirements of the plan. The plan needs to identify and then implement a monitoring program that sets standards and thresholds for the following:

  • Adequate accessibility — Are the building and office accessible to patients, including disabled patients?
  • Adequate appearance — Is the office clean? Does it have the appropriate lighting and safety features?
  • Adequate space — Does the office have the appropriate number of waiting rooms and exam rooms?
  • Adequate record keeping — Does the office keep patient files secure, confidential and thoroughly maintained?

When the office does not meet the plan’s predefined requirements in these areas, it is the plan’s responsibility to evaluate the office regularly until it does.

andros Pro Tip: Clarity is key. Make sure your standards for office quality are clear and easily accessible by all the providers in your network.

CR 7 & 8 Recredentialing Verification and Recredentialing Cycle Length:

These criteria ensure that the organization has the appropriate recredentialing process in place. Every 36 months, a provider needs to be recredentialed, which includes receiving current information from third parties about any disciplinary actions occurring since the last credentialing event.

andros Pro Tip: While NCQA requires recrendentialing every 36 months, to stay compliant, ongoing monitoring is required in the interim. andros’s automated monitoring ensures that credentials and data never become invalid. Our management system provides automatic alerts to sanctions, such as instances of malpractice and expiring licenses. Anytime the system detects an issue, it will appear as an alert on the client dashboard. With andros, you will never be in the dark about your providers’ statuses again.

Ongoing Monitoring, CR9

NCQA requires organizations to “conduct ongoing monitoring of practitioner sanctions, complaints and quality issues” and to “take appropriate action when issues are identified.”

Why is ongoing monitoring important?

It is your organization’s responsibility to know the up-to-date status of all your providers, even between credentialing cycles. After you have credentialed providers and before you credential them again, it is important to monitor your providers because patient safety, client care and your reputation are on the line. The three-year cycle for payers and the two-year cycle for provider organizations is a long time; events that negatively reflect on providers and facilities can occur during these time periods. One of our clients described the burden this way: “The last thing I want is for a patient to Google the doctor’s name, and they pull up the sanctions before I’m even aware of them.” We live in the information age and credentialing standards reflect that.

Monitoring for red flags

Federal and State Sanctions

It’s important to know the background of the doctors you are recommending to your patients. Sanctions are one way to know more about your providers. A sanction is considered any penalty, punitive or disciplinary action imposed on providers when they are found in violation of a law or regulation governing the practice of medicine.

How to Monitor Sanctions:

The Office of the Inspector General (OIG), System of Award Management (SAM) and General Services Administration (GSA) keep record of sanctions and publish a list of entities including providers and facilities on a monthly basis. To access them you can Download the file here or search here.

Download the file every month, open the document in your favorite spreadsheet tool and search for the names of each of your providers or search online one at a time.

andros Pro Tip: andros will do this for you and automatically alert you if any of your providers’ names appear.

Between cycles, licensure can change for any practitioner. Expiration as well as adverse events are possible. As a result, licensure needs to be monitored and typically one can accomplish this via the National Practitioner Data Bank, particularly via the continuous query (CQ) option. It is recommended to use the CQ option given any red flag surrounding a license issue will immediately result in a push notification of the alert.

National Practitioner Data Bank
National Practitioner Data Bank (NPDB) is a federally supported and mandated organization that serves as a clearinghouse to collect adverse action and malpractice data reported on health care practitioners. Key data used in ongoing monitoring includes malpractice claims/awards, loss of license or exclusion from participation in Medicare or Medicaid.

NPDB reports data via query or continuous query options. The latter automatically notifies the client and healthcare organization of any red flags and alerts. Examples of data that the NPDB reports includes:

  • Medical malpractice payments
  • Any adverse licensure actions or loss of license
  • Adverse clinical privileging actions
  • Adverse professional society membership actions
  • Any negative action or finding by a State licensing or certification authority
  • Private accreditation organization negative actions or findings against a health care practitioner or entity
  • Any negative action or finding by a Federal or State licensing and certification agency that is publicly available information
  • Civil judgments or criminal convictions that are healthcare-related
    Exclusions from Federal or State health care programs
  • Other adjudicated actions or decisions (formal or official actions, involving a due process mechanism and based on acts or omissions that affect or could affect the payment, provision, or delivery of a healthcare item or service)

Taking appropriate action

It is absolutely necessary to have an internal standard operating procedure to respond to any provider alerts during ongoing monitoring. Credentialing staff and committee should be informed and ready to take action when a situation arises.

If the appropriate response includes removing a practitioner from a roster, the practitioner needs to be immediately notified. He or she has the right to file an appeal for review. In addition, the practitioner can inquire about the reason for the action taken by the health plan or organization. It is crucial to have the steps and actions clearly documented in the credentialing bylaws and standard operating procedures, so that an organization is prepared to take action if something is arises.

Knowing the quality and consistency of your provider network requires good practices for the creation, collection and maintenance of your provider data. Ongoing monitoring for sanctions, disciplinary actions, and licensure are good initial steps to provider data maintenance. If you need help to conduct a provider data quality audit contact us today.

More To Explore

Celebrating #OneTeam: andros Spring MVPs

Celebrating #OneTeam: andros Spring MVPs Each quarter we acknowledge the team members who went above and beyond in their role and who exemplified the andros