Healthcare Credentialing Program Design FAQ — Your Questions Answered
Last updated: April 2026
Detailed answers to the most critical questions about building a compliant credentialing program — from federal requirements and NCQA benchmarks to shadow accreditation, delegation agreements, and the build-vs.-buy decision. These answers are informed by 25+ years of IHS credentialing consulting experience and current 2025 NCQA standards.
What Is a Credentialing Program?
What is a healthcare credentialing program and which organizations need one?
A healthcare credentialing program is the structured system an organization uses to verify provider qualifications through primary source verification, monitor ongoing compliance against exclusion databases, and make enrollment or retention decisions through a formal credentialing committee. It is not optional — it is a regulatory requirement for any organization that contracts with, employs, or delegates to healthcare providers.
Organizations that need credentialing programs include Medicaid MCOs (required by federal law under 42 CFR 438.214), IPAs seeking delegated credentialing contracts from health plans, state Primary Care Associations forming Clinically Integrated Networks, FQHCs under HRSA Section 330 funding requirements, new health plan market entrants building operations before launch, and Prepaid Health Plans subject to state Medicaid managed care mandates.
The scope of this requirement is enormous: 72% of all Medicaid beneficiaries are enrolled in managed care plans, and 26 states legally require NCQA Health Plan Accreditation for Medicaid participation — meaning MCOs in those states must maintain credentialing programs that comply with NCQA standards whether or not they hold the formal accreditation seal.
What is the difference between credentialing, privileging, and provider enrollment?
Credentialing verifies that a provider's qualifications — medical education, residency, board certifications, state licenses, DEA registrations, work history — are authentic and current through primary source verification directly with issuing bodies. This is the verification infrastructure that IHS designs.
Privileging determines the specific clinical services a provider is authorized to perform at a particular facility, based on training, experience, and competency evaluation. This is primarily a hospital and facility function governed by medical staff bylaws.
Provider enrollment registers a provider with insurance payers so they can bill for services rendered. This is the administrative process of joining a payer network. Credentialing delays in the enrollment process cost $6,000 to $8,000 per provider per month in lost revenue, and specialists can lose up to $15,000 per day in deferred billing.
What is primary source verification (PSV) and what counts as a primary source?
Primary source verification is the process of confirming a provider's credentials directly with the original issuing body rather than relying on copies, self-attestation, or secondary databases. Under 2025 NCQA standards effective July 1, 2025, all PSVs must be completed within 120 days of credentialing committee review (health plan track) or 90 days (CVO track).
Primary sources include: medical schools and universities for education verification, residency programs for training verification, specialty boards (ABMS member boards) for board certification, state medical boards for license status, the DEA for controlled substance registrations, and the National Practitioner Data Bank (NPDB) for adverse action history. CAQH ProView, with over 4.8 million provider records and approximately 80% of U.S. physicians maintaining profiles, serves as a widely accepted credentialing data repository.
What are the elements of a compliant credentialing program?
A compliant credentialing program requires these documented, operational components: primary source verification protocols with step-by-step instructions for each verification source within the 120-day window; a credentialing committee with clinical representation meeting at least quarterly with documented minutes; continuous monitoring policies for monthly OIG LEIE, SAM, NPDB, and state exclusion list checks; non-discriminatory practices policy with mandatory application form language; Information Integrity policy governing audit trails, role-based access, and annual staff training; delegation agreements covering all 11 NCQA evaluation elements (if outsourcing any functions); updated practitioner applications with demographic fields and non-discrimination attestation; recredentialing cycle documentation ensuring compliance with 36-month timelines; sanction escalation protocols with 1-business-day and 5-business-day requirements; and annual internal audit plans.
Each of these elements must be documented, operational, and generating audit evidence — not just written as policies. State auditors and health plan delegation reviewers require proof that these elements function in practice, not just on paper.
What is the difference between a credentialing program and a Credentials Verification Organization (CVO)?
A credentialing program is the internal infrastructure your organization operates to verify, monitor, and govern provider credentials. A CVO is an external entity that performs primary source verification as a service for other organizations. You can have a credentialing program without a CVO (doing all verification internally), use a CVO for PSV while maintaining internal governance, or outsource more extensively to a certified CVO.
The critical distinction: even if you outsource PSV to a CVO, your organization retains ultimate accountability for credentialing compliance. Your delegation agreement must explicitly cover all 11 NCQA evaluation elements, and you must conduct ongoing oversight of the CVO's performance. If the CVO fails to verify something correctly, your organization bears the regulatory consequence. For organizations considering the CVO path, IHS also provides NCQA CVO Certification consulting.
What is shadow accreditation in healthcare credentialing?
Shadow accreditation is the practice of building a credentialing program that operationally mirrors NCQA or URAC accreditation standards without applying for the formal survey and seal. Organizations adopt the same PSV protocols, committee structures, monitoring frequencies, escalation workflows, and documentation requirements that formally accredited entities use — making the program audit-ready for state Medicaid reviews and health plan delegation audits — while avoiding the approximately $30,000 NCQA survey fee [citation needed].
This approach is economically rational for organizations that need compliance but do not need the accreditation seal for contractual or regulatory reasons. IHS is the only consulting firm that explicitly names and delivers the shadow accreditation approach. Every program we design is architecturally ready for conversion to formal accreditation if the organization later decides to pursue it, because the 6-month look-back period of documented compliance evidence is already established during implementation.
No competitor has publicly named or explained this concept. No accessible resource addresses how to build a compliance-driven credentialing program that mirrors accreditation standards without the formal seal. IHS owns this content category.
Who Needs a Credentialing Program?
What types of organizations need a credentialing program but may not need NCQA accreditation?
Most organizations that need credentialing programs do not need formal NCQA accreditation. The compliance-driven (shadow accreditation) approach serves: Medicaid MCOs that must comply with 42 CFR 438.214 but operate in states that do not mandate NCQA accreditation; IPAs and provider networks seeking delegated credentialing contracts from health plans; state Primary Care Associations forming Clinically Integrated Networks; FQHCs under HRSA Section 330 requirements; new market entrants building operational infrastructure before launch; and organizations that want to reduce audit risk without incurring $30,000+ in survey fees.
The 26 states that legally require NCQA Health Plan Accreditation for Medicaid participation represent the segment where formal accreditation is most likely necessary. Organizations in the remaining states, and organizations that are not health plans (IPAs, PCAs, FQHCs), typically need compliant programs without the formal seal.
Do state primary care associations need credentialing programs?
Yes. Approximately 52 state and regional Primary Care Associations operate across the United States under NACHC and HRSA/BPHC oversight. PCAs are increasingly forming Clinically Integrated Networks (CINs) to negotiate value-based Alternative Payment Models (APMs) with payers. Those CINs need universal credentialing programs standardizing provider quality metrics across statewide networks of member FQHCs.
The scale is significant: 1,512 Community Health Centers operate across more than 17,000 locations, serving 52 million Americans — 1 in 7 nationwide — with 326,000 FTEs. Each of those centers must satisfy HRSA credentialing requirements under Section 330 federal funding. PCAs that form CINs need standardized credentialing infrastructure spanning all member centers, which is a program design challenge that IHS addresses directly.
Do independent physician associations (IPAs) need a credentialing program?
Yes. IPAs must self-credential constituent members to present verified provider rosters to contracting health plans. Without programs operationally equivalent to accredited entities, IPAs cannot secure delegated credentialing agreements — the contracts where health plans delegate credentialing authority to the IPA.
Health plans conducting delegation audits evaluate the IPA's credentialing program against the same NCQA standards used for accredited entities. If the IPA's program does not demonstrate equivalent rigor — compliant PSV timelines, monthly monitoring, committee governance, escalation protocols — the delegation contract is at risk. IHS designs IPA credentialing programs specifically to satisfy health plan delegation audit requirements.
What credentialing requirements apply to Medicaid MCOs that are not NCQA accredited?
Every Medicaid MCO, regardless of NCQA accreditation status, must comply with 42 CFR 438.214, which mandates written credentialing and recredentialing policies, a documented provider selection and retention process, and compliance with state-specific requirements. MCOs must submit MCPARs to CMS within 180 days of each contract year.
CMS cross-program termination enforcement means a provider terminated by one state Medicaid program is flagged across all others. MCOs must implement continuous monitoring to prevent employment of excluded providers. The de facto compliance benchmark, even for non-accredited MCOs, is the NCQA CR standards series — because state Medicaid auditors evaluate against these standards.
Do FQHCs need a formal credentialing program?
Yes. FQHCs and Community Health Centers receiving Section 330 federal funding from HRSA must maintain compliant credentialing programs. HRSA compliance requirements mandate primary source verification, ongoing monitoring, and documented credentialing decisions for all providers. With 1,512 CHCs across 17,000+ locations, the need for program design expertise is continuous — and 47% of organizations openly report lacking confidence in their compliance policy frameworks.
How Does the Credentialing Program Design Process Work?
What are the steps in building a credentialing program from scratch?
Building a compliant credentialing program follows five phases over 6 to 12 months. Phase 1 (months 1-2): Standard-by-Standard Review and gap assessment — IHS reviews current operations against NCQA CR standards and CMS requirements, identifying systemic failures and producing a prioritized remediation roadmap. Phase 2 (months 3-4): Document preparation and policy development — IHS provides customized templates for committee charters, PSV protocols, monitoring SOPs, escalation workflows, delegation agreements, and all required policy categories. Phase 3 (months 5-6): Operational implementation — new policies move into live operations with mandatory staff training, monthly monitoring activation, and first compliant committee meeting. Phase 4 (months 7-8): Mock survey and corrective action — IHS simulates an external audit against a statistically significant sample of files. Phase 5 (months 9-12 and ongoing): Full compliance operations with documented evidence trail.
What is required in a compliant credentialing committee structure?
A compliant credentialing committee must include appropriate clinical representation (physicians or other licensed clinical professionals), meet at least quarterly, and maintain exhaustive meeting minutes documenting every enrollment, denial, suspension, and termination decision with clinical rationale. The formally adopted committee charter must define exact membership structure, quorum rules, voting rights, conflict-of-interest recusal protocols, and the scope of delegated decision-making authority.
Common deficiency: committees that meet but fail to maintain sufficient documentation of their decisions. The minutes must demonstrate that the committee actually reviewed credentialing files, considered primary source verification results, and made documented decisions — not just rubber-stamped applications. IHS provides committee charter templates and meeting minute frameworks that satisfy all NCQA CR 2 requirements.
What is continuous monitoring in credentialing and why is it required?
Continuous monitoring is the mandatory, recurring process of checking all enrolled providers against OIG LEIE, SAM.gov, NPDB, and state Medicaid exclusion databases. Under 2025 NCQA standards, this must happen at least every 30 days with documented results and monthly reporting to the credentialing committee.
When monitoring identifies a sanctioned or excluded provider, the escalation protocol requires notification to a clinical peer-review body within one business day, with formal assessment completed within five business days. If an excluded provider renders services billed to Medicare or Medicaid, the organization faces mandatory repayment of all claims plus potential civil monetary penalties. The quarterly or semi-annual monitoring schedules that many organizations still use are no longer compliant under 2025 standards.
How do I build a compliant delegation agreement for delegated credentialing?
A compliant delegation agreement must explicitly address all 11 NCQA evaluation elements. The agreement must specify exactly which elements the CVO or delegate handles and which remain your organization's responsibility. Required provisions include: performance monitoring requirements with defined metrics, semiannual reporting obligations, the right to audit the delegate's operations, corrective action procedures for non-compliance, and termination conditions.
The most common deficiency in delegation agreements: organizations fail to verify exactly which of the 11 evaluation elements the CVO is certified to handle. They are cited for compliance gaps they incorrectly assumed were covered by the CVO contract. Your organization retains ultimate accountability regardless of what is delegated. IHS provides delegation agreement templates and oversight checklists covering all 11 elements.
How Much Does Credentialing Program Design Cost?
What does it cost to build a credentialing program from scratch?
IHS engagements are scoped to each client's specific situation. We begin every engagement with a complimentary discovery call that produces a fixed-fee proposal tailored to your organization's network size, documentation maturity, and timeline. For detailed breakdowns of internal staffing and software costs by org type, see our complete cost guide.
What does credentialing program design consulting cost?
IHS structures engagements as bespoke project-based statements of work calibrated to your network size, existing documentation maturity, and compliance gap severity. Contact us for a tailored proposal. For comparison, formal NCQA accreditation survey fees alone cost approximately $30,000 [verify current fees with NCQA] — and that does not include the consulting engagement to prepare for the survey.
What is the cost of not having a compliant credentialing program?
The cost of non-compliance far exceeds the cost of building a compliant program. Credentialing delays cost $6,000 to $8,000 per provider per month in lost revenue. Specialists can lose up to $15,000 per day in deferred billing — translating to $1.5 million over a 90-day delay for a single specialist. Failed credentialing audits trigger corrective action plans, financial penalties, and potential Medicaid contract termination. CMS cross-program termination enforcement means compliance failures in one state cascade across all states where you operate. If an excluded provider renders services billed to Medicare or Medicaid, mandatory repayment plus civil monetary penalties apply.
What Can Go Wrong?
What are the risks of operating without a compliant credentialing program?
Operating without a compliant credentialing program exposes your organization to regulatory penalties, revenue loss, legal liability, and contract termination. For Medicaid MCOs, non-compliance with 42 CFR 438.214 can result in state sanctions up to and including contract termination. For IPAs, non-compliant programs mean inability to secure or retain delegated credentialing contracts. For FQHCs, HRSA compliance failures put Section 330 federal funding at risk. Across all organization types, 47% of organizations openly report lacking confidence in their compliance policy frameworks — meaning they recognize the risk but have not addressed it.
What happens when a Medicaid MCO fails a credentialing audit?
A failed audit triggers escalating consequences: corrective action plans with defined remediation timelines, financial penalties, contract sanctions, and potential termination of the Medicaid managed care contract. CMS cross-program termination enforcement under 42 CFR 438.214 means compliance failures in one state trigger scrutiny across all states where the MCO operates. Beyond regulatory consequences, the reputational damage affects contract negotiations and network adequacy certifications in other states.
What happens if an excluded provider renders services billed to Medicare or Medicaid?
If an excluded provider (listed on OIG LEIE, SAM.gov, or state exclusion lists) renders services billed to Medicare or Medicaid, the organization faces mandatory repayment of all claims submitted during the period the excluded provider was active, plus potential civil monetary penalties per item or service. This is why monthly monitoring against exclusion databases is mandatory — not recommended, mandatory. The organization cannot claim ignorance if it failed to check. Under 2025 NCQA standards, monitoring must occur at least every 30 days with documented results.
What are the most common credentialing program deficiencies?
The ten most common deficiencies, in order of prevalence: (1) expired PSVs outside the 120-day window, (2) monitoring gaps between 36-month recredentialing cycles with no monthly monitoring, (3) insufficient committee decision documentation, (4) failure to check OIG/SAM/NPDB monthly, (5) missing sanction escalation protocols, (6) deficient Information Integrity audits, (7) missing staff training documentation, (8) non-compliant practitioner applications, (9) delegation oversight gaps, and (10) recredentialing timeline violations past the 36-month cycle. IHS addresses every one of these through our Standard-by-Standard Review and template-based remediation approach.
How Does Credentialing Program Design Compare to Alternatives?
Credentialing program design vs. NCQA accreditation — when do you need each?
You need formal NCQA accreditation if you operate in one of the 26 states that legally require it for Medicaid managed care participation, if your contracts specifically require the NCQA seal, or if you want the competitive advantage of displaying accreditation status to prospective clients. You need credentialing program design without accreditation if you need compliance but not the seal — if you are an IPA, PCA, FQHC, or MCO in a state without an accreditation mandate. The compliance-driven approach costs less (no $30,000+ survey fee), achieves the same operational rigor, and can later convert to formal accreditation if your requirements change.
Internal credentialing program vs. outsourcing to a CVO — pros and cons?
Internal programs provide maximum control over credentialing decisions, committee governance, and compliance evidence — but require dedicated FTE allocation (1 per 250 providers with automation, 1 per 125 without). CVO outsourcing reduces internal staffing requirements and leverages the CVO's NCQA-certified processes — but requires delegation agreements covering all 11 evaluation elements and ongoing oversight that many organizations fail to maintain. The hybrid model (outsource PSV, retain governance internally) is often the most practical choice. See our detailed comparison.
Building a credentialing program vs. deploying credentialing software — what is the difference?
Credentialing software (Medallion, symplr, Modio Health, Verifiable) automates data collection, PSV requests, and database monitoring. It is a tool. A credentialing program is the governance infrastructure: committee charters, escalation protocols, delegation agreements, non-discrimination policies, Information Integrity controls, and the decision-making authority structure. Software cannot draft bylaws, structure a credentialing committee, design escalation protocols, or defend your program during an adversarial state Medicaid audit. You need both — but the program must be designed before the software can be effectively deployed. IHS designs the program; we then advise on the software platform best suited to your network size and budget.
Related Resources
- Credentialing Program Design Service Page — Complete overview of IHS credentialing program design consulting
- Credentialing Program Design Cost Guide — Detailed cost breakdowns by organization type and engagement model
- Internal Program vs. CVO Outsourcing Comparison — Side-by-side analysis of the build vs. buy decision
- NCQA CVO Certification Consulting — For organizations ready to pursue formal NCQA certification
Have a Question We Did Not Answer?
Schedule a consultation with IHS. We will answer your specific credentialing program questions and assess whether your organization needs program design, formal accreditation, or both.