Test Blog Site

Credentialing Isn’t Paperwork. It’s the Backbone of Your Network.

Every health plan and every provider network has a credentialing function. Not every health plan and every network has a credentialing *system* — and the difference between those two things is where most of the downstream pain in this industry comes from.

Credentialing is the gate. It determines who is permitted to bill the plan, who shows up in the directory, who gets attributed members for HEDIS, and who the plan will defend as a participating provider if a regulator, a member, or a court ever asks. When credentialing works, every downstream function — claims adjudication, network adequacy reporting, directory accuracy, HEDIS measurement, delegated oversight, accreditation, prompt-pay compliance — has a reliable foundation to sit on. When credentialing doesn’t work, every downstream function is corrupted, and nobody figures out why until the audit, the lawsuit, or the recoupment letter arrives.

This post is for plan executives, network owners, TPA operators, and the people who have to sign the management representation letter. Here is why credentialing is the system you cannot afford to treat as paperwork, what a real program actually does, and what the software should do to support it.

Why credentialing is non-negotiable

The regulatory framework does not treat credentialing as optional, and neither should you. Here is the short list of what breaks when credentialing is weak.

Federal funds exposure. If an excluded or sanctioned provider is paid on a claim that touches federal dollars — APTC, CSR, Medicare Advantage, Medicaid — you have a False Claims Act problem, a CMS recoupment problem, and potentially a criminal referral. Sanction screening has to be continuous, not annual.

Network adequacy misrepresentation. CMS’s time-and-distance analysis, your state DOI’s adequacy filings, your NCQA attestations — all of it assumes the providers in the file are really in the network. Inflated or stale rosters produce ghost networks: adequate on paper, inaccessible in the field. Regulators now routinely secret-shop. They will find it.

No Surprises Act liability. The NSA requires directory verification every 90 days, update processing within two business days, and a one-business-day response to member network-status inquiries. Miss any of those, and if a member relies on wrong information, you eat the difference between in-network and out-of-network cost share. At volume, that’s a material hit to MLR.

HEDIS, CAHPS, and Star Ratings damage.  PCP attribution, medical-record chase, hybrid measure sampling — all of it runs off the provider file. A bad credentialing system corrupts the denominator of every measure that depends on panel assignment, and the supplemental data you submit is only as good as the identifiers attached to it.

Continuity-of-care failures.  The 30-day termination notice and the 90-day continuity-of-care protection only work if the roster reflects reality. Silent terminations create real member harm, real grievances, real regulatory complaints.

Fiduciary and contract exposure.  For any self-funded business you administer, paying wrong because the credentialing data was wrong is an ERISA §404 problem. For any rented network, repricing against the wrong provider record because the crosswalk is broken is functionally a silent-PPO posture, with all the state-law consequences that entails.

Credentialing is the upstream control for every one of those risks. Underinvest here and you are not saving money — you are financing your own liability.

What a real credentialing program must do

A credentialing program that earns its name covers all of the following.

Primary source verification.  License, DEA registration, education and training, board certification, work history, malpractice history — verified directly from the issuing source, not from the provider’s word or a secondary aggregator. Every element, every time, at initial credentialing and at every recredentialing.

Sanction and exclusion screening.  OIG LEIE, SAM, NPDB, state Medicaid exclusion lists, state medical board actions, and DEA restriction status — all of it, at onboarding and continuously thereafter. Monthly automated screens are the operating floor, not the ceiling.

Credentialing committee review and documentation. A qualified committee, operating under clear decision criteria, with minutes that show the committee actually reviewed each file. This is the heart of the NCQA CR standards and what accreditation surveyors will actually read.

Recredentialing on a defined cycle.  At least every 36 months under NCQA; sooner where state law or the plan’s own policy requires. Recredentialing is not a rubber stamp — it is a full re-verification.

Ongoing monitoring between cycles.  License expirations, malpractice payments, new sanctions, new board actions, new complaints. The 36-month cycle is the outer boundary, not the only touchpoint.

NSA-compliant directory verification.  Provider attestation at least every 90 days, update processing within two business days, documented removal of providers who cannot be verified, and a one-business-day response protocol for member inquiries with a two-year retention requirement.

Delegated credentialing oversight.  If you delegate credentialing to a medical group, a rented network, or any downstream entity: pre-delegation audit, annual oversight audit, monthly or quarterly reporting from the delegate, and contractual authority to require corrective action and terminate the delegation. Delegation transfers the work, not the accountability.

Audit-ready documentation.  Every decision, every verification, every source document, every date — retrievable on demand for CMS audits, state DOI market-conduct exams, NCQA surveys, URAC surveys, delegation audits, and any civil discovery that comes your way.

 

The software wishlist — what the system should actually do

Most credentialing software has been written for the compliance team. That is the wrong starting point. Credentialing software should be written for the people who have to operate the plan — the claims team, the network team, the directory team, the HEDIS team, the product team, the auditors, and most of all the members and providers who experience the consequences of the data. The number one requirement on my list says exactly that.

  • It tracks everything in one place and pushes it downstream automatically. Every data element captured during credentialing — NPI, TIN, taxonomy, license state and number, DEA, board certification, specialty, subspecialty, languages spoken, accepting new patients, hospital affiliations, group affiliations, panel size, locations with hours, wheelchair accessibility, telehealth availability, product-line participation, effective and termination dates — should flow without re-entry into the provider roster, the directory, the claims system, the HEDIS supplemental file, the EDI 274 feed, and the Provider Directory API. One source of truth, downloadable to every downstream system that depends on it. If the credentialing team updates a field, every system sees the update within the NSA’s two-business-day window automatically. No manual exports. No reconciliation spreadsheets.
  • Real-time crosswalk and identifier management. Internal entity IDs, NPI (Type 1 and Type 2), TIN, taxonomy codes, state license numbers, network-specific provider IDs, claims-system IDs — all mapped, all versioned, all auditable. This is the single piece of infrastructure that prevents the defective-roster nightmare. When a carrier ships you a new roster, the system should be able to reconcile it against the existing map and flag every discrepancy before a single claim gets paid against the wrong record.
  • Continuous sanction and license monitoring, automated. Monthly LEIE, SAM, NPDB, and state-board screens against every active provider. Automatic flag, automatic suppression from the directory, automatic notification to the credentialing committee, automatic hold on claims routing — all without human intervention for the routine case.
  • Provider self-service attestation portal. Providers log in, see their current data, edit what has changed, and attest to the rest. Every attestation is timestamped, retained, and counts toward the NSA 90-day verification clock. Non-response triggers the removal workflow automatically.
  • Member-facing and call-center integration. Real-time roster data feeds the public directory, the member portal, and the call center’s screen. A CSR answering a network-status question is looking at the same record the credentialing team just verified, and the answer is logged to the member’s file for the two-year retention requirement automatically.
  • Delegation oversight dashboard. For every delegated entity: pre-delegation audit status, annual audit status, monthly roster reconciliation, sanction-screen reconciliation, corrective action plans in flight, and the contract with the termination clauses one click away.
  • Committee workflow with a real audit trail. Files routed to the committee, decisions recorded, minutes generated, denials and restrictions documented with the specific findings that supported them, and the whole file retrievable exactly as the committee saw it.
  • KPI dashboard. Percent of providers verified in the last 90 days, percent of updates processed within two business days, upcoming license expirations by week, pending recredentialings by month, sanction hits this cycle, delegated entities out of compliance, directory-accuracy secret-shopper results, time-to-credential for new applicants, and NSA inquiry response compliance. The metrics that tell you whether the program is actually working.
  • Extensible, API-first, HIPAA-compliant, and SOC 2 audited. It should integrate with the claims system, the EDI gateway, the directory publisher, the data warehouse, and the regulatory reporting stack. Role-based access controls, full audit logs, encryption at rest and in transit, business associate agreement in place, and evidence of security posture the carrier’s CISO will actually accept.
  • Reporting that the regulators actually ask for. NCQA CR report packs, URAC equivalents, state DOI market-conduct report formats, CMS QHP application attachments, NSA compliance attestations, delegated entity roll-ups — generated from the system of record, not hand-built by the compliance team at two in the morning the night before submission.

 

The bottom line

Credentialing is not a back-office function. It is the load-bearing wall for every regulatory, financial, and reputational obligation a health plan or network carries. Treat it like paperwork and it will fail quietly for years before it fails loudly all at once. Treat it like the infrastructure it actually is — with real software, real workflow, real oversight, and real KPIs — and everything downstream gets easier.

If you are building a plan or a network right now, pick the credentialing platform first. Everything else in your operation is going to depend on it.

 

 

 

 
