FAQ Directory: Credentials Verification Organization

6.15.2022 CVO: Delegation Oversight System Controls Monitoring - Audits

Are both the organization and delegate required to conduct system controls audits for CVO 15, Element C?

Both the organization and delegate must monitor the delegate’s system security controls as part of the delegation oversight requirements and may choose audit as the monitoring method. If auditing is the chosen method, the delegate provides an audit report of modifications that did not comply with its policies and procedures or with the delegation agreement.

The organization is not required to conduct an audit if it determines that the delegate adequately monitored and reported noncompliant modifications, but must provide documentation (a report, meeting minutes or other evidence) that it reviewed and agreed with the delegate’s findings. If the organization determines that the delegate did not adequately monitor noncompliant modifications, it must conduct its own audit of the delegate’s system controls.

The organization must submit its documentation and the delegate’s documentation as part of the survey.  

CVO 2022

6.15.2022 Clarify scope for CVO 3, Element B

What are the differences in scope for system controls at the factor level in CVO 3, Element B?

For CVO 3, Element B:

  • Factor 1 applies to verification source information from credentialing and recredentialing cycles, covered in CVO 4-12.
  • Factor 2 applies to modified credentialing verification information from initial credentialing and recredentialing cycles, covered in CVO 4-12.
  • Factors 3–5 apply to all information associated with credentialing/recredentialing of practitioners, covered in CVO 4-14.
  • Factor 6 requires a monitoring process that covers compliance with all policies and procedures described in factors 1–5.

CVO 2022

6.15.2022 CVO: Boilerplate Language in Delegation Agreements for System Controls

May organizations’ delegation agreements contain boilerplate language for system controls delegates?

Yes, if the language specifies that the delegate must meet NCQA requirements (CVO 3, Element B, factor 4; CVO 15, Element C, factor 5), template language may be used in the delegation agreement. Language specific to each delegate is not required.

CVO 2022

6.15.2022 CVO: CR System Control Delegation Agreement

When must the delegation agreement include a description of the delegate’s CR system controls as required in CVO 15, Element A?

New delegation agreements implemented on or after July 1, 2022, must include a description of the delegate’s CR system security controls.  

For delegation agreements in place prior to July 1, 2022, NCQA has extended the time frame for including a description of CR system controls in the delegation agreement. All delegation agreements under the 2024 CVO standards (effective July 1, 2024) must include a description of CR system controls. Prior to July 1, 2024, organizations may alternatively provide a delegation agreement and other mutually agreed upon documentation OR the delegate's system controls policies and procedures in lieu of a delegation agreement with a description of CR system controls.

CVO 2022

6.15.2022 CVO: Annual Monitoring of CR System Controls Monitoring for Delegates

Have the allowed methods to audit delegate files in CVO 15, Element C, factor 5 changed?

No. Delegate files may be audited using one of the following methods as described in the factor explanation and noted below:

  • 5 percent or 50 files, whichever is less, to ensure that information is verified appropriately.
    • At a minimum, the sample includes at least 10 credentialing files and 10 recredentialing files. If fewer than 10 practitioners were credentialed or recredentialed since the last annual audit, the organization audits the universe of files rather than a sample.
  • The NCQA “8/30 methodology” available at https://www.ncqa.org/programs/health-plans/policy-accreditation-and-certification/

Either methodology is allowed, for consistency with other Delegation Oversight requirements for annual file audits.

CVO 2022

6.15.2022 CVO: CR Advanced System Controls—Policies and Procedures

Are organizations that provide evidence of “advanced system controls” eligible to receive Met for CVO 3, Element B?

No. If the organization provides evidence of advanced system controls capabilities, it must submit policies and procedures for CVO 3, Element B. Policies and procedures must address all factors regarding advanced system control capabilities.

CVO 2022

3.15.2022 Inaccessibility of practitioners’ licensure information from Maryland Department of Health

The Maryland Department of Health (MDH) experienced a network security incident on December 4, 2021, that made its network systems and practitioners’ licensing information inaccessible for primary source verification. The MDH reports that all disrupted licensing board systems were restored as of February 4, 2022. The MDH granted a grace period (with no expiration date) on practitioners’ licenses set to expire between November 2021 and February 2022, and issued temporary licenses to affected practitioners whose licenses will expire June 2022.

How will NCQA evaluate affected practitioners’ files?

For Maryland practitioners credentialed between December 2021 and February 2022, NCQA will not penalize organizations for the inability to verify licensure due to the MDH network security incident. NCQA accepts the MDH’s grace period on licensure expirations and accepts temporary licenses issued by the MDH and will consider them current and valid. Organizations should adhere to guidance provided by MDH and document the guidance in the affected practitioners’ credentialing files.

CVO 2022

3.15.2021 CVO 5, Element A: NTIS Verification Source

Is the National Technical Information Service (NTIS) an acceptable verification source for DEA under the 2016 CVO Standards and Guidelines?

No. Effective November 17, 2020, NTIS is no longer an acceptable source to verify a practitioner's DEA certificate. This FAQ was addressed in the 2021 CVO updates on 11/23/2020. Please see https://dea.ntis.gov for more information.

CVO 2016

8.15.2019 Policy Update regarding must-pass elements and the status modifier “Under Corrective Action”

NCQA posted an update for PHP 2019, CVO/HIP/WHP/DM 2016 and PHQ 2013 that stated, “If an organization does not meet the must-pass threshold for any must-pass element, a status modifier of ‘Under Corrective Action’ will be displayed after the applicable accreditation status (e.g., Accredited/Certified—Under Corrective Action) until NCQA confirms that the organization has completed the Corrective Action Plan (CAP).”
Is NCQA changing the policy for these products, which has been that if an organization fails to meet the must-pass threshold, it is denied Accreditation or Certification?

No. This policy update was made in error and will be corrected in November 2019 for the products listed. An organization will be denied Accreditation or Certification if it fails to meet the must-pass threshold for specified requirements in those products.

CVO 2013

8.24.2018 What is the price for CVO Certification?

Pricing is based on multiple factors. Full pricing information can be obtained by submitting a request through My NCQA.


8.24.2018 How do I get started with CVO Certification?

If you are not currently certified and are interested in learning more, contact NCQA. If you are currently Certified and want to talk to someone about your current status, renewing or adding Certifications, submit a question through My NCQA.

CVO 2016

8.24.2018 What organizations are eligible for CVO Certification?

Any organization that provides credentials verification services can apply for Certification if it:

  • Verifies practitioner credentials for health plans, MBHOs, physician organizations or health care organizations, and
  • Provides verification services for at least six months before application, and 
  • Performs verification activities for at least 50% of contracted practitioners, and
  • Maintains the necessary credentials documentation, policies and procedures for NCQA to conduct the survey, and
  • Obtains errors and omissions insurance for $1M–$2M.