Credentialing & Privileging

NCQA’s 2025 Credentialing Standard Changes

By Carol Delage, M.S.

On July 1, 2025, the largest set of changes to the National Committee for Quality Assurance (NCQA) credentialing standards in the last 20 years take effect. This article summarizes critical updates, but space limits the ability to discuss all the details. Any organization attempting to meet these requirements must read all the 2025 standards to understand what must be done to comply with the changes.

Policy and Procedure Requirement Changes

Credentialing policies and procedures (P&Ps) must be updated to address the following changes:

1. Define criteria for credentialing committee review of practitioner sanctions, complaints, and adverse events from ongoing monitoring activities.
2. Notify practitioners of credentialing and recredentialing decision within 30 calendar days of credentialing date (which used to be 60 calendar days).

Practitioner Application Changes

Practitioner applications must include questions about race, ethnicity, and language capabilities. It must state responses to these questions are optional and the information provided will not be used to discriminate against the practitioner.

Primary Source Verification Changes

Files credentialed on or after July 1, 2025, must:

1. Complete primary source verification within 120 days prior to the decision (rather than the former 180-day limit in effect before July 1, 2025).
2. Determine whether practitioners are excluded from Medicare and Medicaid programs (in addition to the presence or absence of sanctions by those programs).

Files credentialed and recredentialed prior to July 1, 2025, are evaluated against the historical requirements.

Ongoing Monitoring Changes

To meet the ongoing monitoring changes, organizations must update their P&Ps and provide reports demonstrating implementation of the following:

1. Monthly monitoring must include exclusions from Medicare and Medicaid programs (in addition to the presence or absence of sanctions by those programs).
2. Monitoring must confirm each network practitioner’s license has been renewed as it expires (license expiration date and evidence of renewal must be documented in each file).

System Controls Requirements Evolved into Information Integrity Requirements

The former systems controls requirements have been revised, clarified, and renamed “Information Integrity”. The term “modification” has been replaced with the word “updates”. Understanding how NCQA uses the word “updates” in this context is critical to compliance.

By updates, NCQA means that information was documented in the file for the current credentialing cycle and changed either during file processing before committee review or after committee review. For example, an appropriate update is documentation of reverification of a practitioner’s license that expired before the file was reviewed by the credentialing committee. Completing primary verifications and decisions for a new recredentialing cycle is not an update (a common misconception of the term “modification”). However, there may be circumstances during a recredentialing cycle which require information in the file to be updated.

System controls policies and procedures must include all the following (note, your historical P&Ps will need changes to meet these revised requirements):

1. The scope of credentialing information protected by these procedures (NCQA defines the minimal scope in the Standards and Guidelines).
2. Staff titles (i.e., credentialing manager, verification associate) responsible for performing the information integrity activities, including the audit process.
3. The process for documenting updates to credentialing information (must include circumstances when updates are appropriate and the process for documenting in the credentialing system or file what was changed, when the change was made, who made the change, and why the change was made).
4. Types of inappropriate documentation and updates of credentialing information (NCQA defines specific inappropriate activities that must be included in your P&P).
5. The process for annual audit of credentialing information integrity, documentation, and reporting of inappropriate documentation (audits must focus on inappropriate documentation and updates, which means organizations must be able to identify files with this content).

Additional Information Integrity Updates

Staff training: This new requirement validates that organizations trained credentialing staff annually on inappropriate documentation and updates and audit processes to assess compliance with these requirements. Organizations must provide evidence of training to NCQA.

Annual audit: Annually, organizations must audit files that include inappropriate documentation or updates, using procedures that meet NCQA requirements. The audit must determine the causes of the inappropriate documentation.

Improvement actions and follow-up monitoring: Organizations must implement corrective action to address the causes of the inappropriate documentation. Actions must go beyond the annual training. Follow-up auditing must occur within three to six months of the initial audit to determine whether the actions effectively addressed the inappropriate documentation causes.

These changes are designed to help organizations comply with these critical requirements. One of the biggest challenges with the former systems controls and current information integrity requirements is identifying files that include inappropriate documentation not allowed by these standards. This will require programming work to obtain reports from your credentialing information system. Standard reports that show each data entry into the system (often called modification reports) are not adequate, unless you can filter the data to identify entries that are inappropriate.

If you have questions about the new changes, you can check the FAQs on NCQA’s website.  You can also submit a question to NCQA’s Policy Team.

Carol Delage, M.S.

Prior to her retirement in January 2023, Carol had a 30-year career as a consultant working with health plans and other healthcare organizations on accreditation and regulatory compliance. Pre-retirement, Carol was the president of Tashidy Corporation, a consulting firm.

Carol has been an administrative surveyor for the National Committee for Quality Assurance (NCQA), a managed care accreditation organization, since 1992. She still is conducting surveys for NCQA.

Carol received a Bachelor of Arts degree in nursing from the University of St. Catherine, St. Paul, Minnesota, and a Master of Science in nursing from the University of Minnesota.