FAQ Directory: Credentials Verification Organization

Filter Results
  • Save

    Save your favorite pages and receive notifications whenever they’re updated.

    You will be prompted to log in to your NCQA account.

  • Email

    Share this page with a friend or colleague by Email.

    We do not share your information with third parties.

  • Print

    Print this page.

2.15.2023 Use of software to collect credentialing information Is it considered delegation if an organization uses software to only collect credentialing information?

No. The use of another entity’s software to collect credentialing information is not considered delegation unless the other entity also reviews the information on the organization's behalf. NCQA standards allow organizations to use software to collect credentialing information from approved sources, as long as organization staff document that the information was reviewed and verified.

CVO 2023

9.15.2022 Use of future dates to verify education and training Are future dates acceptable for verifying education and training?

No. NCQA does not accept future dates of program completion as valid verification of completion of education and training.

CVO 2022

9.15.2022 Retaining practitioner records How long should practitioner records be retained?

At a minimum, credentialing files must be retained for the period covering the survey look-back period. Otherwise, NCQA does not prescribe a specific time period for retaining credentialing files.

CVO 2022

9.15.2022 Electronic signatures Are electronic signatures (e.g., DocuSign) acceptable?

Yes, if there is a unique electronic signature or identifier and if the organization can demonstrate that the signature/identifier can only be entered by the signatory. NCQA reviews organizations’ security and login policies and procedures to confirm that the signature/identifier can only be entered by the signatory.

CVO 2022

9.15.2022 Use of expired board certification to verify education and training Can an expired board certification be used to verify education and training?

Yes. Because the board would have primary-source verified education and training before awarding certification, NCQA allows organizations to use expired board certifications to meet the requirements. Education and training information does not change even if board certification expires.

CVO 2022

9.15.2022 Use of NSC to verify education and training Can the National Student Clearinghouse be used to verify education and training?

Although the National Student Clearinghouse (NSC) is not an approved source for primary source verification, NCQA allows verification of credentials through an agent of an approved source. NSC can serve as an agent for some institutions. 

Before using NSC, the organization must obtain documentation of a contractual relationship between it and the approved source (institutions that work with NSC). The contractual relationship must entitle the agent to provide verification of credentials on behalf of the approved source. 

CVO 2022

9.15.2022 Backdating effective dates Can an organization backdate an effective date for a practitioner to the practitioner’s start date in the network?

NCQA requires organizations to credential practitioners before they provide care to members. NCQA uses the date of the Credentialing Committee or medical director’s decision (in the case of clean files) to determine credentialing timeliness requirements.

CVO 2022

6.15.2022 Clarify scope for CVO 3, Element B What are the differences in scope for system controls at the factor level in CVO 3, Element B?

For CVO 3, Element B:

  • Factor 1 applies to verification source information from credentialing and recredentialing cycles, covered in CVO 4-12.
  • Factor 2 applies to modified credentialing verification information from initial credentialing and recredentialing cycles, covered in CVO 4-12.
  • Factors 3–5 apply to all information associated with credentialing/recredentialing of practitioners, covered in CVO 4-14.
  • Factor 6 requires a monitoring process that covers compliance with all policies and procedures described in factors 1–5.

CVO 2022

6.15.2022 CVO: Annual Monitoring of CR System Controls Monitoring for Delegates Have the allowed methods to audit delegate files in CVO 15, Element C, factor 5 changed?

No. Delegate files may be audited using one of the following methods as described in the factor explanation and noted below:

  • 5 percent or 50 files, whichever is less, to ensure that information is verified appropriately.
    • At a minimum, the sample includes at least 10 credentialing files and 10 recredentialing files. If fewer than 10 practitioners were credentialed or recredentialed since the last annual audit, the organization audits the universe of files rather than a sample.
  • The NCQA “8/30 methodology” available at https://www.ncqa.org/programs/health-plans/policy-accreditation-and-certification/

Either methodology is allowed, for consistency with other Delegation Oversight requirements for annual file audits.

CVO 2022

6.15.2022 CVO: Boilerplate Language in Delegation Agreements for System Controls May organizations’ delegation agreements contain boilerplate language for system controls delegates?

Yes, if the language specifies that the delegate must meet NCQA requirements (CVO 3, Element B, factor 4; CVO 15, Element C, factor 5), template language may be used in the delegation agreement. Language specific to each delegate is not required.

CVO 2022

6.15.2022 CVO: Delegation Oversight System Controls Monitoring - Audits Are both the organization and delegate required to conduct system controls audits for CVO 15, Element C?

Both the organization and delegate must monitor the delegate’s system security controls as part of the delegation oversight requirements and may choose audit as the monitoring method. If auditing is the chosen method, the delegate provides an audit report of modifications that did not comply with its policies and procedures or with the delegation agreement.

The organization is not required to conduct an audit if it determines that the delegate adequately monitored and reported noncompliant modifications, but must provide documentation (a report, meeting minutes or other evidence) that it reviewed and agreed with the delegate’s findings. If the organization determines that the delegate did not adequately monitor noncompliant modifications, it must conduct its own audit of the delegate’s system controls.

The organization must submit its documentation and the delegate’s documentation as part of the survey.  

CVO 2022

6.15.2022 CVO: CR System Control Delegation Agreement When must the delegation agreement include a description of the delegate’s CR system controls as required in CVO 15, Element A?

New delegation agreements implemented on or after July 1, 2022, must include a description of the delegate’s CR system security controls.  

For delegation agreements in place prior to July 1, 2022, NCQA has extended the time frame for including a description of CR system controls in the delegation agreement. All delegation agreements under the 2024 CVO standards (effective July 1, 2024) must include a description of CR system controls. Prior to July 1, 2024, organizations may alternatively provide a delegation agreement and other mutually agreed upon documentation OR the delegate's system controls policies and procedures in lieu of a delegation agreement with a description of CR System controls.

CVO 2022