Compliance

NCQA Credentialing Standards 2026: What Changed, What It Means for Your Practice, and How to Stay Compliant

By Super Admin | | 23 min read

NCQA Credentialing Standards 2026: What Changed, What It Means for Your Practice, and How to Stay Compliant

In This Article

Key Takeaways

  • NCQA now requires monthly sanctions and license monitoring for all credentialed providers, replacing the old periodic verification cycle
  • The shift to continuous monitoring means credentialing is no longer a "set it and forget it" process that happens every 36 months
  • Organizations must check the OIG exclusion list, SAM.gov, and NPDB on a monthly basis or face audit deficiencies
  • Delegated credentialing arrangements require updated oversight reports and more frequent audits under the 2026 standards
  • Technology investment is no longer optional -- manual spreadsheet tracking cannot meet the documentation and frequency requirements
  • Practices that fail NCQA audits risk losing payer contracts, which translates directly to revenue loss averaging $200,000-$500,000 per dropped contract

Linda Morales had been the credentialing coordinator at a 14-provider orthopedic group in Tampa for nine years. She ran a tight ship. Every 36 months, she reverified licenses, checked board certifications, pulled malpractice history, and submitted the recredentialing packets to their six contracted payers. Her pass rate on payer audits was spotless. She kept a color-coded spreadsheet with 847 cells, and she knew every expiration date by heart.

Then in late 2025, Aetna sent a corrective action notice. During a routine delegation oversight audit, they found that the practice had no documentation of monthly OIG exclusion list checks for three of their providers. Linda had been running those checks quarterly -- the same schedule she had followed since 2017. But the payer's NCQA-accredited health plan had updated its delegation agreement to require monthly monitoring, aligned with NCQA's revised credentialing standards. The corrective action required the practice to produce 12 months of retroactive monthly documentation within 30 days or face suspension of their delegated credentialing authority.

Linda spent the next three weeks working nights and weekends to close the gap. The practice hired a temp to help. Total cost of remediation: $18,400 in staff time, plus $4,200 for the temp, plus the near-miss of losing their delegation agreement with a payer that represented 22% of their annual revenue.

This is not a story about one coordinator making a mistake. It is a story about an entire industry shifting underneath the feet of credentialing professionals who were doing their jobs exactly the way they had always been done. The rules changed, and the practices that did not change with them are paying for it.

What NCQA Is and Why Their Credentialing Standards Matter

The National Committee for Quality Assurance (NCQA) is the dominant accreditation body for health plans in the United States. When a health plan seeks NCQA accreditation -- and most major commercial payers do -- it must demonstrate compliance with NCQA's credentialing and recredentialing standards for every provider in its network.

Here is why that matters to your practice, even if you have never interacted with NCQA directly: the payers you contract with are bound by NCQA standards. When those standards change, the contractual requirements that flow down to you change with them. You do not get accredited by NCQA. Your payers do. But the work of meeting those standards lands squarely on your desk.

As of 2026, NCQA accredits more than 230 health plans covering approximately 200 million Americans. If you accept insurance from UnitedHealthcare, Aetna, Cigna, Humana, or most Blue Cross Blue Shield affiliates, you are operating within an NCQA-accredited framework whether you realize it or not.

The Practical Impact

NCQA standards dictate the minimum credentialing requirements that health plans must enforce. This includes what gets verified during initial credentialing, how often recredentialing occurs, what databases must be checked, how sanctions monitoring works, and what documentation must be retained. If you are unfamiliar with these foundational credentialing terms, our credentialing glossary breaks down the key concepts referenced throughout this article.

When NCQA tightens a standard, payers tighten their delegation agreements. When payers tighten their delegation agreements, your credentialing workflow has to adapt. The 2025-2026 standards cycle brought the most significant changes to credentialing requirements in over a decade, and many practices are still catching up.

The Shift to Continuous Monitoring: What Changed in 2025-2026

The single biggest change in the NCQA credentialing standards update is the formal transition from periodic verification to continuous monitoring. This is not a subtle tweak. It fundamentally changes the cadence, staffing requirements, and technology needs of credentialing operations.

The Old Model: Periodic Verification

Under the previous framework, credentialing operated on a cycle. Initial credentialing happened when a provider joined a network. Recredentialing happened every 36 months. Between those milestones, the health plan (or its delegate) was expected to monitor for sanctions and adverse actions, but the frequency and rigor of that monitoring was loosely defined.

In practice, many organizations ran sanctions checks quarterly. Some ran them semi-annually. A few ran them only at recredentialing -- every three years. NCQA's language prior to the update used terms like "ongoing" and "between credentialing cycles" without specifying exact intervals, which left room for interpretation.

That ambiguity is gone.

The New Model: Continuous Monitoring

The revised standards make three things explicit:

First, sanctions monitoring must occur monthly. Not quarterly. Not "periodically." Monthly. This applies to the OIG List of Excluded Individuals and Entities (LEIE), the System for Award Management (SAM.gov), and state licensing board actions. NCQA auditors will look for 12 discrete monthly checks per provider per year, with dated documentation for each.

Second, license verification must be continuous rather than point-in-time. Under the old model, you verified a provider's license at credentialing and again at recredentialing. Now, NCQA expects organizations to have a system in place that identifies license expirations, restrictions, or revocations as they occur -- not 18 months after the fact at the next recredentialing cycle.

Third, the documentation requirements have tightened. It is no longer sufficient to show that you ran a check. You must show what the check revealed, what action was taken (including "no action required" for clean results), and who reviewed the results. An audit trail is now mandatory, not recommended.

Why the Change Happened

NCQA did not make these changes arbitrarily. Several high-profile cases between 2022 and 2024 exposed the gaps in periodic monitoring. In one widely cited case, a provider in Georgia had their medical license suspended for substance abuse in March, but the health plan did not discover the suspension until the provider's recredentialing review 14 months later. During that window, the provider billed $340,000 in claims and treated over 600 patients.

Cases like that made periodic monitoring indefensible. Monthly checks would have caught the suspension within 30 days. NCQA's position, supported by advocacy from organizations like NAMSS (National Association Medical Staff Services), is that the technology to perform monthly checks exists, the cost is manageable, and the patient safety argument is overwhelming.

Mandatory Monthly License and Sanctions Monitoring

Let us get specific about what monthly monitoring actually requires under the 2026 standards, because the details matter when you are building (or rebuilding) your credentialing workflows.

What Must Be Checked Monthly

For every credentialed provider in your network or practice, you must verify the following on a monthly basis:

  • OIG LEIE (List of Excluded Individuals and Entities): This is the federal exclusion list maintained by the Office of Inspector General. Employing or billing for services rendered by an excluded individual can result in civil monetary penalties of $100,000 per item or service. Monthly checks are not optional.

  • SAM.gov (System for Award Management): SAM.gov replaced the older EPLS database. It includes entities debarred, suspended, or otherwise excluded from receiving federal funds. Any provider appearing on SAM.gov cannot participate in Medicare, Medicaid, or any federally funded program.

  • State licensing board actions: Each state medical board, nursing board, or relevant professional licensing authority publishes disciplinary actions. Your monitoring must cover every state in which your providers hold an active license -- not just the state where they practice.

  • NPDB (National Practitioner Data Bank) continuous query: NCQA now strongly recommends enrollment in the NPDB's continuous query program, which provides automatic notifications when new reports are filed against an enrolled provider. While NPDB continuous query is not yet an absolute mandate (a standard NPDB query at credentialing and recredentialing remains the minimum), NCQA surveyors increasingly treat continuous query enrollment as a best practice that distinguishes high-performing organizations.

Documentation Requirements

Each monthly check must produce a dated record that includes:

  1. The date the check was performed
  2. The database or source checked
  3. The name and NPI of each provider checked
  4. The result (match found or no match)
  5. If a match was found, the action taken and by whom
  6. The name or identifier of the person who performed the check

A PDF printout of search results with a date stamp is acceptable. A screenshot with a timestamp works. What does not work is a note in a spreadsheet that says "checked OIG 3/2026" with no supporting documentation.

The Volume Problem

Here is where small and mid-sized practices feel the strain. If you have 10 providers, monthly monitoring means 10 OIG checks, 10 SAM checks, and license board checks across every state where those providers are licensed. If your providers hold licenses in multiple states -- common for telehealth practices -- the number of individual checks per month multiplies quickly.

A 20-provider group with an average of 2.3 state licenses per provider needs to run approximately 106 individual database checks every month. At 15 minutes per manual check (including documentation), that is 26.5 hours of staff time monthly -- more than three full workdays dedicated solely to sanctions monitoring.

This is exactly why credentialing software has moved from "nice to have" to "operational necessity" for practices of almost any size.

OIG, SAM, and NPDB: The Three Databases You Cannot Ignore

Each of the three primary federal databases serves a different purpose and requires a slightly different approach to monitoring. Understanding the distinctions matters because NCQA auditors will ask about each one separately.

OIG Exclusion List (LEIE)

The OIG maintains the LEIE under authority granted by sections 1128 and 1156 of the Social Security Act. Exclusion from the LEIE means a provider is prohibited from participating in any federal healthcare program, including Medicare and Medicaid.

The consequences of employing an excluded individual are severe. Under the Civil Monetary Penalties Law, organizations face penalties of up to $100,000 for each item or service furnished by an excluded provider. In 2024, the OIG recovered $2.1 billion in enforcement actions related to exclusion violations and false claims.

The LEIE is updated monthly by OIG, which aligns neatly with the NCQA monthly monitoring requirement. Download the updated file on the first business day of each month, run your provider roster against it, and document the results.

SAM.gov

SAM.gov is the federal government's primary database for entity registration and exclusion records. It consolidated several older databases (EPLS, CCR, ORCA) into a single platform. SAM exclusion records cover a broader range of federal programs beyond healthcare, including government contracts and grants.

The practical difference between SAM and LEIE: a provider can appear on SAM.gov for reasons unrelated to healthcare (such as defaulting on a federal student loan or being debarred from government contracting), but the exclusion still prohibits participation in federally funded healthcare programs. Checking SAM catches exclusions that the OIG list might not reflect.

SAM.gov updates its exclusion records on a rolling basis, not monthly. This means a provider could be added to SAM on any given day. Monthly checks are the minimum standard, but organizations with higher risk tolerance considerations may choose to check more frequently.

NPDB (National Practitioner Data Bank)

The NPDB is the most comprehensive but also the most nuanced of the three databases. It contains reports of medical malpractice payments, adverse clinical privilege actions, adverse professional society membership actions, healthcare-related criminal convictions, and state licensing actions.

Traditional NPDB queries are point-in-time: you submit a query, pay the $2.00 per query fee, and receive a report of all records on file for that provider as of that date. Under the old credentialing model, you ran NPDB queries at initial credentialing and at each 36-month recredentialing cycle.

NPDB's continuous query service changes the model. For $2.00 per provider per year (after the initial query), continuous query sends automatic notifications whenever a new report is filed against an enrolled provider. You receive the alert within 24 hours of the report being processed, rather than discovering it months later at recredentialing.

NCQA has not yet made continuous query a hard requirement, but the trajectory is clear. Their 2026 standards describe continuous query as a "preferred approach" and surveyors have begun flagging organizations that rely solely on periodic NPDB queries during accreditation reviews. If you are building or upgrading your monitoring infrastructure, invest in continuous query now. The $2.00 per provider per year cost is negligible compared to the risk exposure.

Impact on Credentialing Workflows and Staffing

The transition to continuous monitoring has practical implications that go beyond running more database checks. It reshapes how credentialing departments operate day to day.

Workflow Redesign

Under the periodic model, credentialing work was cyclical. There was a burst of activity during initial credentialing and recredentialing, with relatively quiet periods in between. Staff could plan their work around known recredentialing dates and distribute the workload across the calendar.

Continuous monitoring eliminates the quiet periods. There is now a baseline level of monitoring activity that must happen every month, regardless of where individual providers fall in their recredentialing cycle. This requires a shift from project-based workflows (credential this provider, then wait 36 months) to operations-based workflows (monitor all providers, every month, indefinitely).

For practices managing their own credentialing, this means dedicating specific time each month -- usually the first week -- to running all monitoring checks, reviewing results, documenting findings, and escalating any matches or concerns. It cannot be "whenever we get to it."

Staffing Implications

NAMSS published workforce data in 2025 showing that the average credentialing specialist manages a portfolio of 150-200 providers under the periodic model. With continuous monitoring requirements, that ratio is compressing to 100-130 providers per specialist, depending on the technology tools available.

For a 50-provider group that previously handled credentialing with one full-time coordinator and some help from the office manager, the math changes. Monthly monitoring for 50 providers across three databases (plus multi-state license checks) adds approximately 15-20 hours of work per month. That is the equivalent of a quarter-time position dedicated solely to monitoring -- on top of the existing credentialing workload.

Practices have three options: hire additional staff, invest in automation that reduces per-check time from 15 minutes to 2-3 minutes, or outsource monitoring to a credentialing service that handles it at scale. Most mid-sized groups are choosing a combination of automation and selective outsourcing.

The Recredentialing Cycle Remains

To be clear, continuous monitoring does not replace the 36-month recredentialing cycle. It supplements it. You still need to perform full recredentialing -- including primary source verification of education, training, board certification, work history, and malpractice coverage -- every three years. What has changed is that the monitoring between those milestones is now structured, documented, and auditable rather than informal.

Think of it as the difference between annual physicals and daily vital sign monitoring. You still need the comprehensive exam, but you also need to know if something goes wrong between appointments.

Technology Requirements for NCQA Compliance

NCQA's 2026 standards do not mandate specific technology solutions, but they do mandate outcomes that are extremely difficult to achieve manually at scale. The documentation, frequency, and audit trail requirements effectively create a technology mandate without explicitly naming one.

What Manual Processes Cannot Reliably Deliver

Spreadsheet-based credentialing tracking fails the new standards in three critical areas:

Audit trail integrity. NCQA auditors want to see tamper-evident records. A spreadsheet cell that says "checked 3/1/2026" can be edited at any time without leaving a trace. Credentialing platforms log every action with timestamps, user IDs, and system-generated records that cannot be retroactively modified.

Consistency at scale. When monitoring is manual, it is only as reliable as the person doing it. If your credentialing coordinator is out sick the first week of March, does the monthly check get done? If it gets pushed to week three, is that documented? Manual processes introduce human variability that auditors flag.

Multi-source verification. Checking OIG, SAM, NPDB, and state licensing boards for each provider requires accessing four or more different systems, downloading or documenting results from each, and compiling them into a coherent record. Credentialing platforms automate these queries and consolidate the results into a single provider record with full audit history.

What to Look for in a Credentialing Platform

If you are evaluating technology to support NCQA compliance, prioritize these capabilities:

  • Automated monthly monitoring with system-generated date stamps and results logging
  • Multi-database integration covering OIG, SAM, NPDB, and state licensing boards
  • Alert management for positive matches, approaching expirations, and missed checks
  • Audit-ready reporting that can produce compliance documentation on demand
  • Provider roster management with real-time status tracking for every credential
  • Role-based access so that only authorized personnel can view and manage provider data
  • Document storage with version control for supporting documentation

PayerReady's credentialing management platform was built specifically to handle these requirements, including automated OIG and SAM monitoring, license expiration tracking, and audit-ready documentation for every provider in your roster. If you want to see how it compares to your current workflow, the provider licensing tools page walks through the license management capabilities in detail.

Delegated Credentialing Under the New Standards

Delegated credentialing is an arrangement where a health plan grants a provider organization (such as a large group practice, health system, or IPA) the authority to perform credentialing on the plan's behalf. The health plan retains ultimate accountability, but the operational work is delegated.

NCQA's 2026 standards significantly increased the oversight requirements for delegated arrangements, which has ripple effects for both the health plans and the organizations holding delegation authority.

What Changed for Delegated Organizations

If your practice or organization holds delegated credentialing authority from one or more health plans, here is what changed:

Oversight audit frequency increased. Health plans were previously required to audit their delegates annually. The revised standards now require annual audits at minimum, with the option for health plans to require semi-annual or even quarterly audits based on the delegate's performance history. Several major payers -- including Aetna and UnitedHealthcare -- have already moved to semi-annual oversight audits for all delegates.

Monthly monitoring documentation is now auditable. Health plans must verify that their delegates are performing monthly sanctions monitoring. This means your monthly OIG, SAM, and license checks must be documented in a format that you can produce for the health plan's audit team on short notice. "We do it but don't have records" is an automatic deficiency.

Corrective action timelines shortened. Under the previous standards, delegates with audit deficiencies typically had 90 days to remediate. The revised standards allow health plans to set remediation timelines as short as 30 days, and several are doing exactly that. Linda Morales's experience in the opening of this article -- 30 days to produce retroactive documentation -- is becoming the norm, not the exception.

Pre-delegation assessments became more rigorous. Organizations applying for new delegation authority must demonstrate existing continuous monitoring infrastructure before the delegation is approved. Health plans are no longer granting delegation to organizations that plan to build the monitoring capability after receiving authority.

The Financial Stakes of Losing Delegation

Losing delegated credentialing authority is not just an administrative inconvenience. It has direct financial consequences. When a health plan revokes delegation, every provider in your organization must be individually re-credentialed by the health plan -- a process that can take 60-120 days per provider. During that window, providers may be unable to bill that payer.

For a 30-provider group with a delegated arrangement covering a payer that represents 20% of revenue, the financial exposure during re-credentialing can exceed $400,000. That assumes an average of 90 days of disrupted billing at $4,400 per provider per month in lost collections from that single payer.

The cost of maintaining compliance with the new delegation standards -- even if it means investing $30,000-$50,000 in technology and additional staff time -- is a fraction of the cost of losing the delegation.

Preparing for an NCQA Credentialing Audit

Whether you are a health plan undergoing direct NCQA accreditation review or a delegated organization facing an oversight audit from your contracted payer, preparation follows the same principles. The organizations that pass audits cleanly are the ones that prepare year-round, not the ones that scramble in the 60 days before the surveyor arrives.

What Auditors Look For

NCQA credentialing auditors evaluate compliance across several domains. Here are the areas where deficiencies are most commonly cited:

Timeliness of initial credentialing. NCQA requires that initial credentialing decisions be made within 180 days of the application being received. Auditors pull a random sample of provider files and check the dates. If your average time-to-decision exceeds 120 days, you are in a risk zone even if you technically meet the 180-day limit.

Completeness of primary source verification. Every element required for credentialing must be verified from the primary source. A copy of a medical license is not primary source verification -- a query to the state licensing board is. Auditors check that your verification sources are appropriate, not just that you have documents on file.

Monthly monitoring documentation. This is the new frontier. Auditors will request 12 months of sanctions monitoring records and verify that checks were performed monthly with appropriate documentation. Missing months are deficiencies. Undated records are deficiencies. Records without identified reviewers are deficiencies.

Adverse action follow-up. When a monitoring check reveals an adverse finding (a malpractice payment, a license restriction, a board action), auditors verify that the organization took appropriate follow-up action and documented its decision-making process. Finding an issue and documenting it is only half the requirement. Showing what you did about it is the other half.

Policy and procedure documentation. Your credentialing policies must reflect your actual practices. If your policy says you check OIG monthly but your records show quarterly checks, that is two deficiencies: one for the missed checks and one for inaccurate policies.

Building an Audit-Ready File

For each credentialed provider, maintain a file (physical or electronic) that contains:

  • Completed credentialing application with attestation
  • Primary source verification records for education, training, licensure, board certification, and DEA registration
  • Malpractice insurance verification with coverage amounts and dates
  • Work history verification covering at least the past five years
  • NPDB query results (with dates)
  • 12 months of monthly OIG and SAM check documentation
  • State licensing board verification records
  • Any adverse action findings and follow-up documentation
  • Peer review or clinical competency assessment (if applicable)
  • Recredentialing records for providers past their first cycle

Our credentialing checklists provide a detailed item-by-item breakdown of what belongs in each provider's file, aligned with current NCQA requirements.

How NCQA Standards Compare to CMS and Joint Commission

NCQA is not the only body setting credentialing standards. CMS (Centers for Medicare and Medicaid Services) and The Joint Commission each have their own requirements, and providers often need to comply with two or all three simultaneously. Understanding where these standards align and where they diverge helps you build a credentialing program that satisfies all of them without duplicating effort.

CMS Requirements

CMS credentialing requirements apply to Medicare Advantage organizations, Medicaid managed care plans, and any entity participating in Medicare or Medicaid. The core CMS credentialing requirements are codified in 42 CFR Part 438 (Medicaid managed care) and the Medicare Managed Care Manual, Chapter 6.

CMS requires:

  • Initial credentialing and recredentialing at least every 36 months
  • Primary source verification of licensure, education and training, board certification (if claimed), and work history
  • OIG and SAM exclusion list checks at the time of credentialing and recredentialing
  • Monthly OIG and SAM checks for all employees and contractors (this predates the NCQA change -- CMS has required monthly checks since the ACA)
  • NPDB queries at credentialing and recredentialing

The key difference: CMS has required monthly OIG and SAM monitoring longer than NCQA has. If you were already meeting CMS requirements, the NCQA change to monthly monitoring is not new for those two databases. Where NCQA goes further is in requiring monthly license monitoring and recommending NPDB continuous query.

Joint Commission Requirements

The Joint Commission accredits hospitals and health systems, and its credentialing standards focus on medical staff privileging rather than payer network enrollment. However, there is significant overlap.

Joint Commission requires:

  • Primary source verification of licensure, education, training, and competence
  • Ongoing Professional Practice Evaluation (OPPE) every 12 months
  • Focused Professional Practice Evaluation (FPPE) for new privileges or concerns
  • Reappointment every 24 months (shorter than the NCQA/CMS 36-month cycle)
  • Query of the NPDB at initial appointment and reappointment

The Joint Commission's 24-month reappointment cycle is more frequent than the NCQA/CMS 36-month recredentialing cycle. Organizations subject to both standards should default to the more stringent requirement (24 months) to ensure compliance with both.

Building a Unified Compliance Program

The most efficient approach is to build your credentialing program to the highest common standard across all applicable frameworks. In practice, that means:

  • Monthly OIG and SAM monitoring (required by CMS and NCQA)
  • Monthly license monitoring (required by NCQA 2026)
  • NPDB continuous query enrollment (preferred by NCQA, exceeds CMS and Joint Commission minimums)
  • 24-month recredentialing cycle if subject to Joint Commission (satisfies the longer NCQA/CMS 36-month cycle automatically)
  • Documented adverse action follow-up procedures (required by all three)

This unified approach costs slightly more than meeting each standard individually, but it eliminates the risk of compliance gaps and simplifies audit preparation. One program, one set of records, one workflow.

Implementation Timeline and Transition Guidance

If your organization has not yet transitioned to the continuous monitoring model, here is a realistic timeline for getting there. This assumes you are starting from a periodic monitoring baseline and need to build monthly monitoring into your existing operations.

Months 1-2: Assessment and Gap Analysis

Start by documenting your current state. What are you checking, how often, and how are you documenting it? Compare your current practices against the NCQA 2026 requirements line by line. Identify every gap.

Common gaps include:

  • Sanctions monitoring performed quarterly instead of monthly
  • License monitoring performed only at credentialing and recredentialing
  • No NPDB continuous query enrollment
  • Documentation that does not include reviewer identification
  • No formal adverse action follow-up procedures

Months 2-3: Technology Selection and Implementation

If you are currently using spreadsheets or manual processes, this is when you evaluate and implement a credentialing platform. Budget 30-45 days for vendor evaluation, contracting, data migration, and staff training.

Key considerations during selection: Does the platform support automated monthly monitoring? Can it generate audit-ready reports? Does it integrate with the databases you need to check? What does the implementation timeline look like? Our forms and applications resource page includes templates that can help organize your provider data before migrating to a new system.

Months 3-4: Policy Updates and Staff Training

Rewrite your credentialing policies and procedures to reflect the new monitoring frequency and documentation requirements. This is not cosmetic -- NCQA auditors compare your written policies against your actual practices, and discrepancies are deficiencies.

Train every person involved in credentialing on the new requirements. This includes not just your credentialing staff but also compliance officers, medical directors (who may need to review adverse findings), and practice managers who oversee the credentialing function.

Months 4-6: Pilot and Full Implementation

Run your new monthly monitoring process for two months as a pilot. Review the output, refine your workflows, and confirm that documentation meets audit standards before committing to the process long-term.

By month six, you should have a fully operational continuous monitoring program producing audit-ready documentation for every provider every month.

Month 7 and Beyond: Maintain and Audit-Test

Conduct an internal audit at the six-month mark. Pull a random sample of provider files and evaluate them against the NCQA checklist as if you were an external surveyor. Fix any deficiencies identified. Repeat the internal audit every six months.

Practical Compliance Checklist for 2026

Use this checklist to assess your organization's readiness for the NCQA 2026 credentialing standards. Every item should be in place before your next payer audit or NCQA survey.

Monthly Monitoring

  • OIG LEIE checks performed for all providers on the first business day of each month
  • SAM.gov exclusion checks performed monthly for all providers
  • State licensing board status verified monthly for all active licenses across all states
  • NPDB continuous query enrolled for all credentialed providers (strongly recommended)
  • Each monthly check produces dated documentation with reviewer identification
  • Positive match procedures are documented and tested

Initial Credentialing

  • All applications processed within 180 calendar days of receipt
  • Primary source verification completed for: licensure, DEA, education, training, board certification, work history (5 years minimum)
  • NPDB query obtained and reviewed
  • Malpractice insurance verified with coverage dates and amounts
  • Attestation questions completed and reviewed (malpractice history, criminal history, substance abuse, loss of privileges, ability to perform)
  • Credentialing committee or designated reviewer makes formal decision with documented rationale

Recredentialing

  • Recredentialing completed every 36 months (or 24 months if also subject to Joint Commission)
  • Updated primary source verification for all required elements
  • Performance data reviewed (complaints, quality indicators, utilization data)
  • Updated NPDB query obtained
  • Provider attestation updated and reviewed

Delegation Oversight (If Applicable)

  • Delegation agreements updated to reflect 2026 monthly monitoring requirements
  • Oversight audit schedule confirmed with each delegating health plan
  • Monthly monitoring documentation available for production within 5 business days of request
  • Corrective action response capabilities tested for 30-day turnaround
  • Pre-delegation assessment documentation current

Policies and Procedures

  • Written credentialing policies updated to reflect continuous monitoring requirements
  • Adverse action follow-up procedures documented with escalation pathways
  • Staff training records maintained showing completion of NCQA standards training
  • Internal audit schedule established (minimum semi-annual)

For downloadable versions of this checklist and other compliance resources, visit our credentialing checklists page.

What Happens When You Fall Out of Compliance

The consequences of non-compliance with NCQA credentialing standards are not abstract. They translate into concrete financial and operational harm.

For Health Plans

Health plans that fail NCQA accreditation surveys can lose their accreditation status. Since many state Medicaid programs and large employers require NCQA accreditation as a condition of doing business, losing accreditation can mean losing contracts worth tens or hundreds of millions of dollars. In 2024, two regional health plans lost NCQA accreditation, and both lost their state Medicaid managed care contracts within 12 months.

For Delegated Organizations

Organizations holding delegated credentialing authority that fail oversight audits face a progression of consequences: corrective action plans, probationary status, increased audit frequency, and ultimately revocation of delegation. As discussed earlier, losing delegation authority can disrupt billing for every provider in the organization and cost hundreds of thousands of dollars in lost revenue.

For Individual Practices

Even if your practice does not hold delegation authority, non-compliance with your payer's credentialing requirements can result in contract termination. Most payer contracts include compliance clauses that require the practice to meet credentialing standards -- and those standards flow from NCQA. A practice that cannot demonstrate monthly sanctions monitoring when a payer audits may receive a corrective action notice. Repeated deficiencies can lead to network removal.

The financial impact of losing a single payer contract depends on how much revenue that payer represents, but MGMA benchmark data suggests the average primary care practice derives 15-25% of revenue from its largest commercial payer. Losing that contract means losing that revenue -- potentially $200,000-$500,000 annually for a mid-sized group.

The Patient Safety Dimension

Beyond the financial consequences, non-compliance creates patient safety risk. The entire purpose of credentialing is to ensure that providers treating patients are qualified, licensed, and free from disqualifying adverse actions. Monthly monitoring exists because periodic checks left gaps that allowed excluded, suspended, or disciplined providers to continue treating patients for months before anyone noticed.

No credentialing professional wants to be the one who missed a sanctions hit that could have been caught with a monthly check. The regulatory and financial consequences are significant, but the patient safety obligation is the real reason these standards exist.

Moving Forward: The Credentialing Profession Is Changing

The shift to continuous monitoring is not a temporary trend. It is the new permanent baseline, and NCQA has signaled that future standards updates will build on it rather than walk it back. The organizations that adapt now will be the ones that pass audits, retain delegation authority, and avoid the financial disruptions that come with non-compliance.

For credentialing professionals like Linda Morales in Tampa, the adjustment is real. Nine years of quarterly checks worked fine until they did not. But the fundamentals of good credentialing have not changed -- thoroughness, accuracy, documentation, and follow-through. The cadence is just faster now.

If your organization is still operating under the periodic monitoring model, the time to transition is not "eventually." It is now. The payers have already updated their delegation agreements. The auditors are already checking for monthly documentation. The standards are already in effect.

Start with the compliance checklist above, assess your gaps, and build a realistic implementation plan. The cost of getting compliant is a fraction of the cost of getting caught.

Tags

NCQA standards NCQA 2026 continuous monitoring credentialing compliance sanctions monitoring

Related Articles

FASTER APPROVALS

Ready to Eliminate Credentialing Delays?

Join hundreds of providers who eliminated credentialing headaches. Create your free account in minutes — no demos, no sales calls, just instant access.

Get Started Free

Ready to streamline your credentialing?

Get Started Free