FAQ Directory: Utilization Management, Credentialing and Provider Network

Filter Results
  • Save

    Save your favorite pages and receive notifications whenever they’re updated.

    You will be prompted to log in to your NCQA account.

  • Email

    Share this page with a friend or colleague by Email.

    We do not share your information with third parties.

  • Print

    Print this page.

expand all

5.24.2022 Updated: Boilerplate Language in Delegation Agreements for System Controls May organizations’ delegation agreements contain boilerplate language for system controls delegates?

Yes, if the language specifies that the delegate must meet NCQA requirements (UM 12, Elements A and C, factor 6; UM 13, Element C, factor 5; CR 1, Element C, factor 4; CR 8, Element C, factor 5), template language may be used in the delegation agreement. Language specific to each delegate is not required.

Note: The underlined text is a correction. The previous FAQ referred to the wrong element. 

UM_CR 2022

5.15.2022 System Controls Goal for Analysis Is a goal required for system controls monitoring analysis for UM 12, Elements B and D, factor 2 and CR 1, Element D, factor 2?

No. Although the organization may set a monitoring goal, NCQA does not require it for UM 12, Elements B and D, factor 2 and CR 1, Element D, factor 2. The intent is that the organization reviews all instances of modifications that did not meet its policies and procedures.

UM_CR 2022

5.15.2022 Clarify scope for new UM System Controls Oversight requirement (UM 12, Elements B and D) How are the new oversight requirements, UM 12 Elements B and D, different from the monitoring requirements in factor 7 in UM 12, Element A and C?

UM 12, Elements A and C, factor 7 require organizations to have a process for monitoring that policies and procedures are followed for all other factors (factors 1–6) in this element at least annually. Policies and procedures must describe the monitoring process for factor 7.

For UM 12, Elements B and D, the organization submits evidence that it identified, analyzed and acted only on modifications to receipt and notification dates (UM 5) that did not meet the organization’s policies and procedures.

UM_CR 2022

5.15.2022 Clarify scope for new Credentialing System Controls Oversight requirement (CR 1, Element D) How is the new oversight requirement, CR 1, Element D, different from the monitoring requirement in factor 5 in CR 1, Element C?

CR 1, Element C, factor 5 requires organizations to have a process for monitoring that policies and procedures are followed for all other factors (factors 1–4) in this element at least annually. Policies and procedures must describe the monitoring process for factor 5.

For CR 1, Element D, the organization submits evidence that it identified, analyzed and acted only on modifications to credentialing/recredentialing information (CR 2 – CR 5) that did not meet the organization’s policies and procedures.

UM_CR 2022

5.15.2022 System Control Requirements Review by Product Line If auditing is used to monitor an organization’s system controls or a delegate’s system controls, is sampling by product line required?

No. Sampling is not required by product line if the product lines are managed the same (a single system is used to manage all product lines).

UM_CR 2022

5.15.2022 Delegation Oversight System Controls Monitoring - Audits Are both the organization and delegate required to conduct system controls audits for factor 5 in UM 13, Element C and CR 8, Element C?

Both the organization and delegate must monitor the delegate’s system security controls as part of the delegation oversight requirements and may choose audit as the monitoring method. If auditing is the chosen method, the delegate provides an audit report of modifications that did not comply with its policies and procedures or with the delegation agreement.

The organization is not required to conduct an audit if it determines that the delegate adequately monitored and reported noncompliant modifications, but must provide documentation (a report, meeting minutes or other evidence) that it reviewed and agreed with the delegate’s findings. If the organization determines that the delegate did not adequately monitor noncompliant modifications, it must conduct its own audit of the delegate’s system controls.

The organization must submit its documentation and the delegate’s documentation as part of the survey.
 

UM_CR 2022

5.15.2022 Clarify scope for CR 1, Element C What are the differences in scope for system controls at the factor level in CR 1, Element C?

For CR 1, Element C:

  • Factor 1 applies to verification source information from credentialing and recredentialing cycles, covered in CR 3, Elements A–C.
  • Factor 2 applies to modified credentialing verification information from initial credentialing and recredentialing cycles, covered in CR 3, elements A–C.
  • Factors 3–4 apply to all information associated with credentialing/recredentialing of practitioners, covered in CR 2–CR 5.
  • Factor 5 requires a monitoring process that covers compliance with all policies and procedures described in factors 1–4.

UM_CR 2022

5.15.2022 UM and CR Advanced System Controls—Policies and Procedures Are organizations that provide evidence of “advanced system controls” eligible to receive Met for UM 12, Elements A and C, and for CR 1, Element C?

No. If the organization provides evidence of advanced system controls capabilities, it must submit policies and procedures for UM 12, Elements A and C and for CR 1, Element C. Policies and procedures must address all factors regarding advanced system control capabilities.

Organizations are only eligible to receive a score of Met for UM 12, Elements B and D, and for CR 1, Element D if they provide evidence of advanced system control capabilities that both automatically record dates and prevent changes that do not meet the organization’s policies and procedures.

UM_CR 2022

5.15.2022 Clarify scope for UM 12, Elements A and C What are the differences in scope for system controls at the factor level in UM 12, Elements A and C?

For UM 12, Elements A and C:

  • Factors 1–5 apply to receipt and notification dates, covered in UM 5 and UM 8–UM 9.
  • Factor 6 applies to all UM system data for managing denials and appeals (not only the dates specified in factors 1–5), covered in UM 4–UM 7 and UM 8–UM 9.
  • Factor 7 requires a monitoring process that covers compliance with all policies and procedures described in factors 1–6.

UM_CR 2022

3.15.2022 Inaccessibility of practitioners’ licensure information from Maryland Department of Health The Maryland Department of Health (MDH) experienced a network security incident on December 4, 2021, that made its network systems and practitioners’ licensing information inaccessible for primary source verification. The MDH reports that all disrupted licensing board systems were restored as of February 4, 2022. The MDH granted a grace period (with no expiration date) on practitioners’ licenses set to expire between November 2021 and February 2022, and issued temporary licenses to affected practitioners whose licenses will expire June 2022.

How will NCQA evaluate affected practitioners’ files?

For Maryland practitioners credentialed between December 2021 and February 2022, NCQA will not penalize organizations on inability to verify licensure due to the MDH network security incident. NCQA accepts the MDH’s grace period on licensure expirations and accepts temporary licenses issued by the MDH and will consider them current and valid. Organizations should adhere to guidance provided by MDH and document the guidance in the affected practitioners’ credentialing files.

UM_CR 2022

2.15.2022 Updated: Sampling for UM/CR System Controls Monitoring May organizations that use auditing as a method for monitoring system controls use sampling for UM 12 and CR1, Elements C and D?

Yes. NCQA has decided to allow sampling for organizations that use auditing as the method for monitoring in UM 12, Elements A – D and CR 1, Elements C and D. Organizations must use the “5% or 50 files” audit method: Organizations randomly select 5% or 50 files, whichever is less, from each applicable file type, to review against the requirements: 

  • Credentialing and recredentialing. (5% or 50 files total)  
    • At a minimum, the sample includes at least 10 credentialing files and 10 recredentialing files. If fewer than 10 practitioners were credentialed or recredentialed since the last annual audit, the organization audits the universe of files rather than a sample. 
  • UM denials (5% or 50 files). 
  • UM appeals (5% or 50 files). 

For each applicable file type noted above, the organization must determine the sample size of 5% or 50 files (whichever is less) based on all files in the file universe. The file universe includes all files with or without modifications. The sample that will be audited must include only files with modifications (i.e., modifications that meet and do not meet the organization’s policies and procedures). NCQA does not specify how the organization selects the sample once the sample size is determined using the entire file universe. It may select the sample of modified files from the universe or, if the organization can identify files with modifications, it may randomly select the sample that will be audited from only the modified files.

The organization’s analysis report must include the number or percentage of files that do not meet the organization’s policies and procedures.
Example for UM denials:

  • An organization’s UM denial file universe contains 800 files with and without modifications. Therefore, the minimum required sample for review is 40 files (5% of 800) which is less than 50 files. The organization must randomly select the 40 files for review from the total universe of 800 files or from only files with modifications (if the organization’s system has the capability to identify files with modifications). All 40 files must have a modification and are reviewed against the organization’s policies and procedures to identify noncompliant modifications.

Note: The underlined text is an update to the FAQ posted on January 15, 2022.

UM_CR 2022

2.15.2022 Annual Monitoring of CR System Controls Monitoring for Delegates Have the allowed methods to audit delegate files in CR 8, Element C, factor 5 changed?

No. Delegate files may be audited using one of the following methods as described in the factor explanation and noted below:

  • 5 percent or 50 of its files, whichever is less, to ensure that information is verified appropriately.
    • At a minimum, the sample includes at least 10 credentialing files and 10 recredentialing files. If fewer than 10 practitioners were credentialed or recredentialed since the last annual audit, the organization audits the universe of files rather than a sample.
  • The NCQA “8/30 methodology” available at https://www.ncqa.org/programs/health-plans/policy-accreditation-and-certification/

Either methodology is allowed, for consistency with other Delegation Oversight requirements for annual file audits.

UM_CR 2022