The National Committee for Quality Assurance (NCQA) regularly makes adjustments to its standards in response to feedback from organizations, policy makers, providers, patients and others.
The purpose of this email is to inform you of significant additions and policy clarifications to the credentialing standards. This notification only includes changes and updates to those standards. For the complete standards and updates, we recommend your organization purchases or reviews the 2022 NCQA Credentialing Standards and FAQ Directory (https://www.ncqa.org/faqs/).
New Criteria, Policy Changes Required, and Impacts on Delegation Oversight
MN DHS Excluded Individual Providers list (for Medicaid) ongoing monitoring - NEW
The MCC assigned auditor will ask for monitoring and review as part of annual audit.
CR 1 Credentialing Policies: Element C: System Controls standards:
The MCC assigned auditor will review Delegates Policies and Procedures. The organization must present its own documentation. The element applies to both paper and electronic credentialing processes. This is a Must Pass Element.
Factor 1 – Identifying all modifications on credentialing and recredentialing information that did not meet the policies and procedures - CLARIFICATION
· Factor 1 applies to verification source information from credentialing and recredentialing cycles, covered in CR 3, Elements A–C. (Source: FAQ 5.15.2022)
Factor 3 - Authorization to modify information - UPDATED:
· Policies must include titles or roles of those authorized to access, modify & delete credentialing and recredentialing information
Factor 4 - Securing Information - CLARIFICATIONS:
· Physical Access does not include building/office location but rather, computer servers, files, hardware, etc.
· Use IDs and passwords unique to each user
Factor 5 - Credentialing System and Controls annual process audit - NEW/UPDATED:
Policies describe the organization's audit process at least annually to demonstrate factors 1-4 are followed including analyzing all modifications that do not meet documented policy. Policy description should include:
· The method used by the organization to monitor compliance with its policies and procedures described in CR1.C factors 1-4.
· The organization’s policy must include the staff titles or roles responsible for oversight of the monitoring process.
· If the organization’s system does not allow modifications under any circumstances, the organization’s policy should describe the functionality of the CR system that ensures compliance with its established policies.
· If the organization’s system allows modifications only under certain scenarios or circumstances established by its policies, the description includes the process for monitoring compliance with its established policy.
· If the organization uses system alerts or flags to identify noncompliance, the organization’s policy description should include how this process is conducted and monitored.
· If the organization conducts auditing, the organization’s policy description specifies the staff roles or department involved in the audit and the audit frequency. NCQA has decided to allow sampling for organizations that use auditing as the method for monitoring in CR 1, Elements C and D. Organizations must use the “5% or 50 files total” audit method: Organizations randomly select 5% or 50 files, whichever is less, from each applicable file type (credentialing and recredentialing), to review against the requirements:
o At a minimum, the sample includes at least 10 credentialing files and 10 recredentialing files. If fewer than 10 practitioners were credentialed or recredentialed since the last annual audit, the organization audits the universe of files rather than a sample. For each applicable file type noted above, the organization must determine the sample size of 5% or 50 files (whichever is less) based on all files in the file universe. The file universe includes all files with or without modifications. The sample that will be audited must include only files with modifications (i.e., modifications that meet and do not meet the organization’s policies and procedures). NCQA does not specify how the organization selects the sample once the sample size is determined using the entire file universe. It may select the sample of modified files from the universe or, if the organization can identify files with modifications, it may randomly select the sample that will be audited from only the modified files. The organization’s audit report and/or comprehensive tool report must include the number or percentage of files that do not meet the organization’s policies and procedures (Source: FAQ 2.15.2022)
· The organizations policy also needs to describe its process for taking actions if it identifies modifications that do not meet its policy. This description should include:
o A quarterly monitoring process to assess the effectiveness of its actions on all findings until it demonstrates improvement for one finding over at least three consecutive quarters.
o The staff roles or department responsible for the actions.
o The process for documenting and reporting modifications that do not meet established policy.
CR 1 Credentialing Policies Element D. Credentialing System Controls Oversight (Factors 1-3) - NEW
The organization policy demonstrates that at least annually it monitors compliance with system controls by:
· Identifying and analyzing (qualitative and quantitative) all modifications that do not meet its policy
· Its process for taking actions if it identifies modifications that do not meet its established policy. Including:
o A quarterly monitoring process to assess the effectiveness of its actions on all findings until it demonstrates improvement for one finding over at least three consecutive quarters.
CR 8 Delegation of CR Element A. Written Delegation Agreement – NEW
For delegation agreements in place prior to January 1, 2022, NCQA has extended the time frame for including a description of CR system controls in the delegation agreement. All delegation agreements under the 2024 HPA standards (effective July 1, 2024) must include a description of CR system controls. Prior to July 1, 2024, organizations may alternatively provide a delegation agreement and other mutually agreed upon documentation OR the delegate's system controls policies and procedures in lieu of a delegation agreement with a description of CR System controls (Source: FAQ 1.15.2022)
CR 8 Delegation of CR Element C Factor 5 & 6. Annually monitors the delegate’s credentialing system security controls and acts on findings – NEW
Evidence must show that policies and procedures are audited for all factors, and sub-factors related to security controls.
Evidence to meet CR 8 Element factors 5 & 6 will include the monitoring report that shows results of review as outlined in your policies, procedures and/or delegation agreement. The organization’s audit report must include the number or percentage of files that do not meet the organization’s policies and procedures (Source: FAQ 2.15.2022)
If the organization’s system does not allow modifications under any circumstances, the organization must provide evidence of advanced system control capabilities that both automatically record dates and prevent changes that do not meet the organization’s policies and procedures. (Source: FAQ 5.15.2022)
If your organization sub-delegates, you will also have to perform this oversight as we will also be reviewing to ensure you have audited your sub-delegates systems capabilities, auditing processes and follow-up actions, quarterly. If the organization determines that the delegate did not adequately monitor modifications, it must conduct its own audit of the delegate’s system controls. (Source: FAQ 5.15.2022)
Additional Reminders:
CMS Standard ongoing monitoring for SAM (CMS products/contracts only)
Organizations must review the GSA Excluded Parties Lists System (SAM.gov) at initial credentialing, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs. Evidence of ongoing monitoring for SAM will be requested.
NCQA CR 6 Element A Notification to Authorities and Practitioner Appeal Rights
NCQA Retired the below standards for 2018 surveys and beyond. However, CMS will still require these standards of our delegates to ensure appeals rights are being properly accorded to all credentialed providers. Therefore, the annual audit will continue to include the following:
· The organization’s Policies and procedures must describe:
o Reporting to Authorities, which includes:
• What specific incidents are reportable.
• How, and when, reporting to authorities occurs.
o An Appeal Process, which includes:
• Written notification when a professional review action has been brought against a practitioner, reasons for the action and a summary of the appeal rights and process.
• Allowing practitioners to request a hearing and the specific time period for submitting the request.
• Allowing at least 30 calendar days after the notification for practitioners to request a hearing.
• Allowing practitioners to be represented by an attorney or another person of their choice.
• Appointing a hearing officer or a panel of individuals to review the appeal.
• Written notification of the appeal decision that contains specific reasons for the decision.