Healthcare Credentialing: CMS Requirements You Can't Miss

Healthcare credentialing is the process of verifying that every clinician in your facility holds the qualifications, licenses, and certifications required to provide patient care. For facilities that participate in Medicare and Medicaid — which is virtually all hospitals, nursing homes, and many outpatient clinics — credentialing isn't optional. It's a condition of participation that CMS enforces through surveys, corrective action plans, and ultimately, program termination.

The consequences of inadequate credentialing extend beyond regulatory penalties. When a facility fails to verify a practitioner's credentials and that practitioner causes patient harm, the facility faces direct malpractice liability, potential loss of accreditation, and the kind of media attention that permanently damages institutional reputation.

This guide covers the CMS credentialing requirements that healthcare facilities must meet, the role of The Joint Commission and other accrediting bodies, the mechanics of primary source verification, and best practices for ongoing credential monitoring.

CMS Conditions of Participation: The Foundation

CMS Conditions of Participation (CoPs) are the minimum standards that healthcare facilities must meet to participate in Medicare and Medicaid programs. For hospitals (42 CFR Part 482), the CoPs require that the medical staff be organized and accountable to the governing body for the quality of care, and that credentialing and privileging processes be clearly defined and consistently followed.

Specifically, CMS requires that hospitals verify the following for every member of the medical staff: current and valid licensure, relevant training and education, current competence, and the ability to perform the privileges requested. This verification must be completed before a practitioner is granted privileges and must be re-verified at least every two years.

For long-term care facilities (42 CFR Part 483), CMS requires that nursing staff hold current, valid licenses and that the facility verify licensure status before the employee provides care. CMS also requires that facilities maintain documentation of all credentials and make them available during surveys.

Non-compliance with credentialing CoPs is classified as a "condition-level deficiency" — the most serious category. A condition-level deficiency triggers an immediate corrective action plan with a defined timeline. If the facility fails to correct the deficiency, CMS can terminate the facility's Medicare/Medicaid provider agreement.

The Joint Commission Standards

The Joint Commission (TJC) accredits approximately 80% of U.S. hospitals and maintains credentialing standards that parallel and in some areas exceed CMS requirements. TJC's Medical Staff (MS) standards require a formal credentialing and privileging process that includes primary source verification of licensure, education, training, board certification, and malpractice history.

TJC requires that initial credentialing be completed within a defined timeframe (typically 120 days) and that reappointment occur at least every two years. At reappointment, the facility must re-verify current licensure, review clinical performance data, and assess ongoing competence. TJC surveys specifically examine credentialing files and will cite facilities that have incomplete or outdated documentation.

One area where TJC goes beyond CMS is the Focused Professional Practice Evaluation (FPPE) and Ongoing Professional Practice Evaluation (OPPE) requirements. FPPE applies to all newly privileged practitioners and requires a defined period of enhanced monitoring. OPPE is an ongoing data-driven assessment of each practitioner's performance that must inform reappointment decisions.

Primary Source Verification: What It Means and How to Do It

Primary source verification (PSV) means confirming a credential directly with the issuing body — not accepting a photocopy of a license from the practitioner, but checking with the state licensing board that the license is valid and unrestricted. CMS and TJC both require PSV for core credentials.

The credentials that require primary source verification include: state medical or professional license (verified through the state licensing board's online database or written confirmation), education and training (verified through the educational institution or a CVO — Credentials Verification Organization), board certification (verified through the relevant specialty board or the American Board of Medical Specialties), DEA registration (verified through the DEA online system), and malpractice claims history (verified through the National Practitioner Data Bank).

Facilities may use a Credentials Verification Organization (CVO) to perform PSV on their behalf. The National Committee for Quality Assurance (NCQA) certifies CVOs that meet specific standards for verification processes. Using a NCQA-certified CVO provides a presumption of compliance with TJC verification requirements.

Document every verification. Your credentialing file for each practitioner should include the date of verification, the source contacted, the method of verification (online database, phone, letter), and the result. During a TJC survey or CMS survey, the surveyor will examine these records closely.

Ongoing Monitoring Between Credentialing Cycles

Credentialing every two years is the minimum requirement, but two years is a long time. Licenses can be suspended, malpractice actions can be filed, DEA registrations can lapse, and clinical competence can deteriorate between credentialing cycles. CMS and TJC both expect facilities to have systems for ongoing monitoring.

At a minimum, ongoing monitoring should include monthly checks of the Office of Inspector General (OIG) List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM) exclusion database, and applicable state exclusion lists. Employing an excluded individual can result in Civil Monetary Penalties of $100,000 per day and mandatory repayment of all Medicare/Medicaid claims associated with that individual.

License status should be monitored at least quarterly, or in real-time using automated license monitoring services. Several states now offer automated notification when a licensee's status changes — facilities should enroll in these notification systems wherever available.

Common Credentialing Failures and Their Consequences

The most common credentialing failure is allowing a practitioner to continue providing care after a credential has expired. This typically happens with state licenses and DEA registrations, which have specific expiration dates that differ from the facility's credentialing cycle. If a physician's state license expires in March but their next credentialing cycle isn't until September, six months of uncredentialed practice can occur.

Another frequent failure is inadequate privileging documentation. CMS requires that each practitioner be granted specific privileges based on demonstrated competence — not just a blanket authorization to practice. When a surgeon performs a procedure outside their approved privileges, the facility is exposed to significant liability even if the outcome is positive.

In 2025, a CMS survey of a major hospital system found that 12% of active medical staff had at least one expired or unverified credential. The resulting corrective action plan required the system to re-verify every credential for every practitioner within 90 days — a massive operational disruption involving hundreds of staff hours and significant cost.

Building an Effective Credentialing System

An effective credentialing system combines technology, process, and accountability. On the technology side, you need a database that tracks every credential for every practitioner, with automated expiration alerts and the ability to store verification documentation. Manual tracking with spreadsheets is inadequate for any facility with more than a handful of practitioners.

Process-wise, establish clear ownership of the credentialing function. Many facilities assign credentialing to a Medical Staff Office or Credentialing Committee, but the specific structure matters less than ensuring someone is accountable for every credential staying current. Define workflows for initial credentialing, reappointment, and ongoing monitoring, and document them in your Medical Staff Bylaws.

CertTracker supports healthcare credentialing with templates for medical licenses, DEA registrations, board certifications, BLS/ACLS, HIPAA training, and specialty certifications. The automated reminder system ensures that no credential expires unnoticed, and the document storage capability keeps verification records organized and accessible for surveys.

The facilities that handle credentialing best treat it as a patient safety function, not an administrative chore. Every expired credential represents a potential risk to patients. Every verified credential represents assurance that the people providing care are qualified to do so. That perspective makes the investment in proper credentialing systems an easy decision.