Left Arrow
Blog

NCQA Credentialing Standards in 2026: What Changed, What It Means, and How to Stay Compliant

Rahul Shivkumar
March 9, 2026

NCQA credentialing standards have always been the baseline most organizations point to when they talk about doing credentialing "the right way." In July 2025, new updates changed everything. Compliance now focuses on tighter primary source verification timelines, expanded monitoring, and stricter data controls that can withstand scrutiny.

It is no longer enough to say your process works. You have to prove it. And you cannot simply exclude yourself, because whether you manage credentialing internally or partner with a Credentials Verification Organization, these changes affect you.

5 Immediate Actions Every Credentialing Manager Should Take

Before diving into the full breakdown, start here.

1. Review your current primary source verification (PSV) timelines and confirm whether they align with the new standards: 120 days for Accreditation or 90 days for Certification.

2. Inventory your ongoing monitoring activities to ensure checks are performed monthly and escalated to a peer-review body as needed.

3. Evaluate your credentialing software and workflows to verify they are updated to collect the required demographic data and contain a non-discrimination statement.

4. Examine your information integrity program. Confirm annual audits are in place, staff training is conducted, and corrective actions are both documented and implemented.

5. Request documentation from any Credentials Verification Organization you use to validate their NCQA Certification status and determine which evaluation elements are covered.

Taking these steps will help you quickly identify where your program meets NCQA's revised requirements and where you may need to make adjustments.

To make your transition smoother, start by addressing any areas where your current practices do not meet the new NCQA standards, as these carry the highest risk for non-compliance. Next, tackle quick wins (such as updating forms or requesting documentation from vendors) before moving on to more complex updates like workflow redesign or staff training. Prioritizing your actions this way will help you build momentum and ensure nothing falls through the cracks.

NCQA Credentialing Certification vs. Accreditation: What Buyers Need to Know

When people say "NCQA certified," they often mean two very different things. Under NCQA credentialing standards, Certification and Accreditation serve completely different purposes, and if you are buying credentialing services or building your own program, you need to understand that distinction.

CVO Certification

CVO Certification is intended for organizations that perform primary source verification on behalf of others. It covers 11 evaluation elements:

  • State license
  • DEA registration
  • Education and training
  • Board certification
  • Work history
  • Malpractice history
  • Sanctions checks
  • Application processing
  • Attestation content
  • Medicare/Medicaid sanctions monitoring
  • Ongoing sanctions monitoring

A CVO can be certified for all 11 elements, or only a subset. If you are evaluating a vendor, you need to confirm not just that they are certified, but exactly which elements their certification covers.

Ask the vendor to provide their current NCQA CVO Certification documentation, which lists the specific elements they are certified in. You can also request their official certification report from NCQA or check the details in the NCQA Report Card. Be sure to directly ask which evaluation elements are included, and document the answers. Save copies of the vendor's certification documentation, your request, and their written response. If there are any gaps in coverage, your organization will be responsible for those elements.

Accreditation

Accreditation applies to organizations running full-scope credentialing programs. This includes committee review, recredentialing cycles, policies, appeals processes, and ongoing monitoring. Health plans and large health systems pursue Accreditation for their internal programs.

If you are choosing a vendor, Certification should be the standard that matters most to you. If you are building or maintaining your own credentialing department, Accreditation should matter most.

You should also note that health plans seeking NCQA Health Plan Accreditation can receive automatic credit for verification work performed by an NCQA-certified CVO. That can reduce audit scope and speed up delegation agreements.

Right now, NCQA is consolidating both certification and accreditation into a Single Credentialing program, which offers options for individual certifications or full Accreditation.

What Changed in the 2025 NCQA Credentialing Standards

1. Shorter Primary Source Verification Windows

What changed: The 180-day verification window was reduced to 120 days for Accreditation and 90 days for Certification, effective July 1, 2025.

Under prior NCQA credentialing standards, many teams relied on that six-month duration, which meant files could sit in the queue for a while and backlogs could be managed because there was room to catch up. That is no longer the case.

What it means operationally: Vendors and internal teams now have roughly three months or less to complete all required primary source verification. For CVO Certification, the 90-day window is strict. If license verification, malpractice checks, or board confirmation are delayed, the entire file risks non-compliance.

2. Monthly Ongoing Monitoring

What changed: License expirations, Medicare and Medicaid exclusions (OIG and SAM), and sanctions must be monitored at least every 30 days. Any findings must escalate to a peer-review body, not remain within the credentialing team.

Previously, some organizations relied on quarterly or even semi-annual checks. That is no longer sufficient.

What it means operationally: Quarterly batch checks are not compliant. You now need documented monthly monitoring cycles. More importantly, you need to escalate any discrepancies beyond the credentialing department. If a sanction appears, it cannot simply be logged. It must be reviewed by an appropriate peer-review authority. The monitoring process has shifted from administrative tracking to structured oversight, and your documentation must reflect that escalation.

A Compliant Escalation Protocol for Sanction Findings

A typical escalation workflow includes these steps:

Step 1: Discovery: The monitoring team identifies a potential sanction or license issue during routine monthly checks.

Step 2: Immediate notification: The monitoring team documents the finding and notifies the credentialing manager within one business day.

Step 3: Preliminary review: The credentialing manager verifies the information and determines potential severity.

Step 4: Escalation to peer review: If the issue is confirmed, the case is escalated to the credentialing committee or peer-review body for formal assessment within five business days.

Step 5: Committee action: The committee reviews the case, documents its findings, and makes recommendations (for example, continued participation, suspension, or a corrective action plan).

Step 6: Final documentation: All decisions and actions are documented in the provider's record, including date, participants, and follow-up requirements.

3. Information Integrity Standards Replace System Controls

What changed: The former "System Controls" requirement has been replaced with Information Integrity standards.

What it means operationally: Organizations must now implement formal data integrity training programs, which were previously absent. An annual audit is mandatory, and this audit must go beyond simply documenting its occurrence. It needs to analyze patterns, pinpoint inappropriate documentation or access issues, and clearly demonstrate the corrective actions taken as a result of the findings.

What to Retain for Your Annual Audit

For annual audit documentation, be sure to keep:

  • Formal audit reports summarizing findings and analysis
  • Lists or logs of files reviewed
  • Records of any identified data issues or unauthorized access attempts
  • Documentation of staff attendance in integrity training
  • Copies of corrective action plans showing the steps taken and outcomes
  • Meeting minutes from any audit review discussions
  • Evidence of policy updates resulting from the audit

You must document the specific changes implemented.

4. Practitioner Demographic Data Requirements

What changed: Credentialing applications must now include voluntary fields for race, ethnicity, and language data, along with a non-discrimination statement.

What it means operationally: If you use a Credentials Verification Organization, confirm that their forms include these fields. If not, the responsibility still falls on you. This might seem like a small operational change, but it is one you cannot overlook.

5. Program Structure and Survey Changes

What changed: The CVO Certification cycle has been extended from 2 years to 3 years. A new Interim Survey option provides a pathway toward Accreditation within 18 months. Scoring now follows a Met, Partially Met, or Not Met structure.

What it means operationally: A longer certification cycle means surveyors may review a broader documentation period. If you are an organization pursuing Accreditation for the first time, the Interim Survey option lowers your barrier to entry, offering a structured pathway rather than an all-or-nothing approach. The updated scoring system also increases visibility into areas of partial compliance, making documentation quality more important than ever.

How to Evaluate a Credentialing Vendor's NCQA Compliance

Outsourcing credentialing does not outsource accountability. Under current NCQA credentialing standards, the responsibility does not disappear just because you signed a contract. The questions you ask upfront matter. Even after selecting a vendor, you need to maintain active oversight to ensure continuous compliance.

1. Verify CVO Certification

Confirm that the vendor holds an active NCQA CVO Certification. Do not take their word for it. Check the NCQA Report Card directory yourself. Fewer than 100 organizations hold this certification.

Then look at the scope. Certification covers 11 evaluation elements. Not every vendor is certified for all of them. You need to know exactly which elements are included and whether any verification responsibility remains with your organization.

2. Review Their Primary Source Verification Timelines

Certification requires compliance with the 90-day primary source verification window. Ask about their average turnaround time from application receipt to completed verification. If their process regularly runs close to 90 days, there is little room for delays, missing information, or volume spikes.

3. Confirm Monthly Monitoring

Do not accept general statements like "we perform ongoing monitoring." Ask directly:

  • Which databases are checked? (OIG, SAM, NPDB, state boards?)
  • How often are checks performed? (Monthly is the minimum.)
  • What happens when there is a finding?
  • Who reviews and escalates it?

Monitoring must be documented and tied to a peer-review body. It must not be handled solely by the credentialing team.

4. Ask About Their Information Integrity Program

The July 2025 updates introduced formal Information Integrity requirements. A compliant vendor should be able to explain:

  • How staff are trained on credentialing data integrity
  • How their annual audit is conducted
  • Whether the audit includes a qualitative review of documentation issues
  • How corrective actions are tracked and implemented

5. Check Their Application Forms

Request a copy of their practitioner application. It should include voluntary demographic data fields for race, ethnicity, and language, along with a non-discrimination statement. This detail can reveal whether the vendor actually updated their workflows after July 2025.

6. Evaluate Delegation Support

If you plan to pursue delegated credentialing, ask the vendor how they support that process. Do they provide audit documentation packages? Sample file access? Committee materials? Support during pre-delegation review?

7. Look for Additional Accreditations

Although not required, additional recognition such as URAC accreditation or Joint Commission recognition is a good indicator of compliance maturity. Very few organizations hold both NCQA and URAC credentials. It is not mandatory, but it shows the organization values oversight and structure.

Compliance Checklist

If You Run Your Own Credentialing Program

  • Primary source verification completed within 120 days (Accreditation) or 90 days (Certification)
  • Monthly exclusion checks: OIG, SAM, NPDB, and applicable state boards
  • Monthly license expiration tracking with documented escalation to a peer-review body
  • Credentialing committee meetings held at least monthly, with minutes and record-keeping
  • Annual Information Integrity audit that includes qualitative analysis of documentation and access controls
  • Staff training on credentialing data integrity documented annually
  • Application forms updated with required demographic fields and a non-discrimination statement
  • Recredentialing completed within the 36-month cycle
  • Annual review of credentialing policies and procedures

If You Use a Credentialing Vendor

  • Vendor holds current NCQA CVO Certification (verified through the NCQA Report Card)
  • Certification covers all required evaluation elements
  • Vendor consistently meets the 90-day primary source verification window
  • Monitoring performed at least monthly, with peer-review reporting
  • Information Integrity program formally documented
  • Your organization conducts an annual oversight audit of the CVO

Frequently Asked Questions

1. How important is it for a credentialing solution to be NCQA certified?

Not legally required, but widely expected. Most health plans prefer or require NCQA-certified partners for delegation. The key benefit is auto-credit: health plans can accept a certified CVO's work without re-auditing every file. How much it matters depends on your payer relationships and whether you pursue delegated credentialing.

2. What are the best practices for maintaining credentialing compliance in 2026?

Meet the shortened PSV windows of 120 days for Accreditation and 90 days for Certification. Implement monthly monitoring for sanctions, exclusions, and license expirations. Document a formal Information Integrity training and audit program. Update application forms with demographic data fields. Review policies annually against updated NCQA standards.

3. How can I ensure my credentialing process is NCQA compliant?

Internal programs pursue Accreditation for full-scope credentialing. CVOs pursue Certification for verification services. Both require purchasing the NCQA Standards and Guidelines, conducting a gap analysis via the Interactive Survey Tool, and scheduling a formal survey. The process typically takes around 12 months.

4. What credentialing software features support NCQA standards?

Look for automated primary source verification, ongoing monitoring, expiration tracking, committee-ready file generation, and audit documentation. Verify whether the vendor holds NCQA CVO Certification itself, not just claims of alignment. Check which evaluation elements are covered.

5. What are the most common compliance failures in credentialing?

The most common failures are expired verifications outside the PSV window, monitoring gaps between recredentialing cycles, and insufficient documentation of committee decisions. Automating monthly monitoring, tracking license expirations with proactive alerts, and documenting escalation protocols for sanction findings address the majority of these risks.

Get NCQA-Compliant Credentialing with Assured

Assured holds NCQA CVO Certification across all credentialing evaluation elements, with automated PSV across 2,000+ sources and monthly ongoing monitoring built into the platform.

Book a demo to see how Assured meets the 2025 standard requirements.

Table of contents:

Example H2
Example H3
Written By:
Rahul Shivkumar
LinkedIn Icon

Rahul Shivkumar, co-founder of Assured and product engineer by trade, started the company based on the issues he encountered while building and scaling Dawn Health, a virtual sleep clinic. He personally battled the inefficiencies of provider network management and set out to build the AI-powered solution he and his team wished existed. Assured has seen increasing usage and demand from major health systems across the country since launching, demonstrating the urgent demand for modern provider operations infrastructure.

Get started

Slash onboarding time from months to days

Automated credentialing, licensing, and payer enrollment — all in one system.

Book a demo
Task management interface showing urgent provider tasks: Add missing five-year work history assigned to Alice Smith, RN, expired due 1/2/2025; Upload renewed DEA certificate assigned to Michael Johnson, PT, due in 2 days; and Complete CAQH attestation assigned to Emma Brown, NP, due in 5 days.

Related reading

How to Fix Healthcare Provider Data Compliance Issues with Automated Real-Time Monitoring

Varun Krishnamurthy
March 11, 2026

Top 7 Healthcare Provider Network Management Solutions You Need to Know

Rahul Shivkumar
March 11, 2026

Provider Network Management: The Complete Guide for Healthcare Operations Leaders (2026)

Rahul Shivkumar
March 11, 2026
interface-icon-arrow-right-x-small
© 2026 Assured