Resources
Last updated: May 19, 2026 · By CredentialTrack Pro Editorial Team
Provider credentialing is the formal process of verifying a healthcare provider's qualifications — license, DEA registration, education, training, board certification, work history, and malpractice coverage — before they can practice or bill insurance at an organization. Initial credentialing typically takes 60 to 120 days, must be repeated at least every 36 months under NCQA and Joint Commission rules, and is a separate workflow from payer enrollment. The 30 questions below cover the topics credentialing coordinators ask most often.
Provider credentialing is the formal process of collecting and verifying a healthcare provider's qualifications — including education, training, licenses, board certifications, work history, and malpractice coverage — before they can practice or bill insurance at a given organization. It is required by hospitals, health systems, payers, and accreditation bodies such as the Joint Commission and NCQA.
Initial provider credentialing typically takes 60 to 120 days from a complete application, depending on payer responsiveness and how quickly primary sources reply to verification requests. Hospital privileging adds another 30 to 90 days on top of that, and missing or incorrect application data is the most common reason files stretch past 120 days.
Credentialing verifies who a provider is — their license, education, training, certifications, and work history. Privileging is the separate decision a hospital or facility makes about what specific procedures or services that provider is permitted to perform, based on their documented training, experience, and competency.
A standard credentialing file includes a current state license, DEA registration, NPI, board certification, diploma and residency certificates, ECFMG certificate (for IMGs), malpractice insurance face sheet, work history covering the last 5 to 10 years, immunization and PPD records, and a current CV with no unexplained gaps. Most payers also require a completed and attested CAQH ProView profile.
NCQA, URAC, and the Joint Commission all require providers to be re-credentialed at least every 36 months (three years). Many hospitals and payers run a lighter monthly or quarterly monitoring cycle in between to catch license expirations, sanctions, and new malpractice claims.
In a small practice the office manager or practice administrator usually owns credentialing, often with help from an outside Credentialing Verification Organization (CVO). Larger groups and hospitals employ dedicated Medical Staff Services Professionals (MSPs) — typically certified through NAMSS as a CPCS or CPMSM — to manage the full credentialing and privileging workflow.
Primary source verification (PSV) is the process of confirming a provider's credential directly with the original issuing source — for example, querying the state medical board for a license or the ABMS for board certification — instead of relying on a copy supplied by the provider. PSV is required by NCQA, URAC, the Joint Commission, and CMS for any credential used to make a credentialing decision.
PSV is required for current state license, DEA registration, board certification, education and post-graduate training, malpractice claims history, hospital privileges, work history, and any sanctions or exclusions. Items like the NPI, CV, and immunization records are typically accepted as provider-attested rather than primary-source verified.
A medical license is verified by querying the issuing state medical board directly — either through the board's online lookup, the Federation of State Medical Boards (FSMB Physician Data Center), or a designated equivalent source. The verification must capture the license number, status, issue and expiration dates, and any board actions, and must be dated within the timeframe required by the credentialing body (usually 180 days).
Board certification is verified directly with the certifying board — most commonly the American Board of Medical Specialties (ABMS Certification Matters), the American Osteopathic Association (AOA), or the American Board of Physician Specialties (ABPS). NCQA and the Joint Commission also accept ABMS-designated equivalent sources such as the AMA Physician Masterfile.
NCQA requires primary-source verification of license, DEA, education and training, board certification, work history (5 years), malpractice claims (5 years), Medicare/Medicaid sanctions, and any state licensure sanctions. Verifications must be no older than 180 calendar days at the time of the credentialing decision and must be documented with the source, date, and verifier.
Payer enrollment is the process of registering a provider with a health insurance plan — Medicare, Medicaid, or a commercial payer — so that claims submitted under that provider's NPI will be paid in-network. It is a distinct step from credentialing: a provider can be fully credentialed by a hospital and still not be enrolled (and therefore not reimbursable) with a specific payer.
Medicare enrollment through PECOS typically takes 45 to 90 days for a clean application, and the effective date can be back-dated up to 30 days before the application was received. Applications missing documentation, signatures, or with mismatched NPI/legal-name data are routinely returned and add 30 to 60 days to the process — see the official CMS PECOS portal.
CAQH ProView is a free, centralized provider data repository operated by the Council for Affordable Quality Healthcare. Nearly every major commercial payer pulls credentialing data from CAQH instead of asking each provider to fill out a payer-specific application, so an attested, up-to-date CAQH ProView profile is effectively required to enroll with commercial plans.
Credentialing verifies that a provider is qualified to deliver care at a hospital, group, or health plan. Payer enrollment is the contractual step of being added to a specific insurer's network so claims under that provider's NPI will be reimbursed — many payers run their own credentialing as part of enrollment, but the two are still separate workflows with separate effective dates.
A provider can usually see patients as soon as they are licensed, DEA-registered, and credentialed by the facility, but claims submitted before the payer's enrollment effective date are typically denied or held. Some commercial payers allow retroactive billing back to the application receipt date; Medicare permits up to 30 days of retroactive billing, and Medicaid rules vary by state.
Most state medical licenses renew every 1 to 3 years depending on the state — for example, California and Texas are every 2 years, while Florida is every 2 years on staggered cycles. Each renewal requires payment of a state fee and attestation that any mandated CME has been completed.
A DEA registration is valid for 3 years from the issue date and must be renewed before the expiration date — there is no grace period, and a lapsed registration must be reapplied for from scratch. The DEA sends a single paper renewal notice ~65 days before expiration, so most organizations track DEA dates internally rather than relying on the notice (see DEA Diversion Control).
Practicing on a lapsed license is treated as the unlicensed practice of medicine — it can trigger state board discipline, denial and clawback of all claims paid during the lapse, malpractice coverage gaps, and personal liability for the provider and the employing organization. Most payers also require the organization to self-report the lapse and refund any payments tied to dates of service after the expiration date.
Most credentialing programs store CME certificates against each provider and total them by activity type (Category 1 AMA PRA, state-mandated topics such as opioid prescribing or human trafficking, etc.) for each renewal cycle. The ACCME's CME Passport can also serve as an authoritative source for ACCME-accredited activities.
Nurse practitioners and physician assistants need their own DEA registration if they will prescribe, administer, or dispense any controlled substance (Schedules II–V) and have prescriptive authority for controlled substances under state law. Mid-level prescriptive authority is set state by state, and some states further require a collaborative practice agreement or a separate state-level controlled substances registration in addition to the federal DEA number.
An OIG exclusion check is a search of the HHS Office of Inspector General's List of Excluded Individuals/Entities (LEIE) to confirm that a provider or vendor has not been barred from participation in Medicare, Medicaid, or any other federal healthcare program. The official source is the OIG LEIE online database, which is updated monthly.
The OIG's Special Advisory Bulletin recommends screening all employees, contractors, vendors, and referring providers against the LEIE at least monthly, and most state Medicaid programs require monthly screening as well. SAM.gov should be checked on the same monthly cycle to catch debarment actions that don't appear on the LEIE.
SAM.gov hosts the federal government's consolidated list of parties excluded from receiving federal contracts, grants, and other assistance — including healthcare-related debarments from agencies beyond HHS. A SAM.gov hit can disqualify a provider or vendor from federally funded programs even when they do not appear on the OIG LEIE.
Under federal law, organizations that submit claims for items or services furnished, ordered, or prescribed by an excluded individual can face Civil Monetary Penalties of up to $20,000 per claim, treble damages, and program exclusion of the organization itself. These penalties apply even if the excluded person had no direct patient contact, which is why monthly LEIE/SAM screening is treated as a baseline compliance control.
Medical credentialing software is a system of record for provider qualifications — licenses, DEA, board certifications, malpractice, CME, hospital privileges, and payer enrollment — with built-in expiration tracking, document storage, primary-source verification workflows, and exclusion monitoring. It replaces the spreadsheets, shared drives, and email reminders that small practices traditionally use to keep providers compliant and billable.
Modern SaaS credentialing software is generally priced per provider per month, with typical list prices ranging from about $15 to $75 per provider per month depending on features such as primary-source verification, exclusion monitoring, and payer enrollment tracking. CredentialTrack Pro's current per-provider and organization pricing is published on the pricing page.
Even practices with only a handful of providers tend to outgrow spreadsheets quickly because licenses, DEA registrations, board certifications, malpractice policies, and CME deadlines all expire on independent cycles. Dedicated software pays for itself the first time it prevents a missed renewal — a lapsed license or DEA can result in denied claims, payer recoupment, and gaps in malpractice coverage.
Credentialing software stores provider records — licenses, DEA, SSNs, board certifications — rather than patient PHI, so HIPAA technically governs only the parts of the system that touch a covered entity's workforce data. Reputable vendors still apply HIPAA-grade controls: encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access, MFA, full audit logging, and a signed BAA on request.
Most modern credentialing platforms can pull provider profile data from CAQH ProView via the CAQH Direct Assure / API program, either automatically on a schedule or on demand. This eliminates duplicate data entry and ensures the credentialing system stays aligned with the attested profile that commercial payers will use to enroll the provider.
Still have questions? See the pricing page for plan details or head back to the CredentialTrack Pro home page for a full product overview.
Reviewed May 19, 2026 by the CredentialTrack Pro Editorial Team. Sourced from NCQA, the Joint Commission, CMS PECOS, CAQH, the OIG, and the DEA Diversion Control Division.