If an organization contracts with external entities to store its own credentialing data or contracts with CR delegates that store data, NCQA also reviews contracts from up to four randomly selected external entities, or reviews all external entities if the organization has fewer than four. If factor 4 is not addressed in a contract, the organization may also present the external entity’s policies and procedures for review. NCQA reviews documentation from the organization and from each external entity against the factor. To be scored “yes,” the organization's and each external entity’s documentation must meet the factor.
Note: The underlined text is an update to the FAQ posted on June 15, 2020. Refer also to the FAQ on the same date regarding cloud storage entities.