Federal Regulations & Other Standards For Credentialing and Privileging

Provider credentialing and privileging are essential for healthcare quality, safety, and risk management. Improper credentialing and privileging can lead to patient harm and lawsuits, as in this example:

A physician had completed a one-day training course in robotic hysterectomy, using pigs to learn the procedure. A hospital granted him privileges to perform the robotic procedure as long as a proctor privileged to use the technique was present for his first three surgeries. The physician performed his first robotic hysterectomy on a patient without the required supervision. That patient, who lost bladder function as a result of the surgery, sued the hospital for negligent privileging. In this case, the physician lacked the training and experience to safely perform the surgical technique.

To protect patients, hospitals must adhere to complex and lengthy credentialing and privileging processes to screen providers, verify their ability to practice, and determine which procedures and services they're competent to perform and deliver. Professional credentialing staff collect volumes of data about each applicant, often from multiple primary sources; verify each piece of data for accuracy and veracity—again, in consultation with numerous persons and organizations; and carefully and holistically analyze the credentials to assess the applicant's training, experience, competence, and abilities.

But despite the critical necessity of getting this process right, there's no federal law mandating how to perform credentialing and privileging. A provider, after all, is prohibited by law from practicing without possessing a clearly defined scope of practice and a set of certifications and licenses. Yet how a hospital goes about verifying those credentials is largely left up to the hospital itself.

The Federal Credentialing Standard: CoPs

Hospitals generally follow a basic credentialing and privileging framework established within the section of the U.S. Code of Federal Regulations (CFR) comprising the Public Health Service Act. However, these CFR Title 42 regulations (Conditions of Participation—CoPs) only specify credentialing and privileging requirements for hospitals to gain or maintain accreditation to participate in Medicare and Medicaid.

But even though Title 42 CoPs don't directly affect hospitals outside of Centers for Medicaid and Medicare Services (CMS) jurisdiction, they're still important to an unregulated health sector operating in a patchwork federal, state, and civil legal landscape.

The legal landscape of credentialing and privileging

The lack of a federal mandate for a standardized credentialing and privileging process isn't to suggest it's not considered important; rather, entrenching a regulated standard is generally viewed as being unnecessary. Hospitals undertake these processes to:

  • Protect patient safety
  • Mitigate and manage risk
  • Comply with accreditors and regulators

Federal regulations currently on the books seek to satisfy the third, while existing civil tort (malpractice, negligence) and criminal laws, for the most part, cover the first two.

The evolution of credentialing and privileging

Over time, as malpractice and negligence laws evolved, hospitals were forced to change the way they related to their medical staff.

Until the mid-20th century, hospitals viewed themselves as healthcare facilitators rather than providers. They were typically operated by community organizations, providing facilities and equipment so that practitioners could care for their own patients. As such, hospitals made little or no effort to evaluate the competency of their affiliated medical providers, with the exception of requiring a medical license.

Hospitals were historically granted immunity from negligence and malpractice claims by using a two-pronged legal defense:

1. Since hospitals merely provided equipment and facilities to practitioners, they were therefore immune from responsibility for patient injury or death resulting from medical malpractice.
2. Hospitals used the doctrine of charitable immunity to argue that having to pay large financial penalties would hinder their ability to provide care for the community, and a judgement against them would therefore do more harm to the public than good.

Two landmark cases changed everything

As charitable immunity began to lose ground as a viable legal argument, the 1957 case Bing v. Thunig firmly established that hospitals do have a responsibility for the medical care received by patients. A few years later, the 1965 Darling v. Charleston Community Memorial Hospital case—in which a staff practitioner so severely erred in the setting of a broken leg that it eventually had to be amputated—set the legal precedent that a hospital could be held negligent for failing to assess or monitor the competency of its medical staff.

To limit liability in the aftermath of these cases, hospitals implemented more stringent credentialing and privileging protocols. Unfortunately, this led to another problem: Some of the practitioners denied appointment or privileges by a hospital’s governing body turned to the Sherman Act and state antitrust laws to claim that the practice of credentialing amounted to anti-competitive collusion. Practitioners claiming injury under the Sherman Act must demonstrate that the denial or revocation decision impedes the availability of medical services within the community.

Caught in the middle of this legal minefield, hospital and medical staff leadership, in particular those tasked with peer review responsibilities, were reluctant to deny medical staff appointment or privileges. The Health Care Quality Improvement Act (HCQIA) of 1986 provided those physicians involved in peer review activities a layer of protection against lawsuits filed by the physician under review in retaliation for a negative decision by their peers. Improperly used, HCQIA can be seen as a shield inviting abuse by those in a peer review position for decisions that benefit themselves directly or indirectly. As a result, antitrust claims continue.

Over the years, hospitals recognized that strong and transparent credentialing and privileging processes provide the greatest assurance of a qualified and competent medical staff and the best defense against legal risks. In that light, the industry as a whole views the CFR regulations as the best available due diligence standard.

Federal regulations affecting credentialing and privileging

The regulations outlined in 42 CFR 482.22 and 482.12 cite credentialing and privileging practices that hospitals must implement as CoPs in CMS programs. These include:

Medical Staff Credentialing and Privileging Requirements

Credentials and privileges must be assessed and assigned accordingly.

42 CFR 482.22 (a)(2)

“The medical staff must examine the credentials of all eligible candidates for medical staff membership and make recommendations to the governing body on the appointment of these candidates in accordance with State law, including scope-of-practice laws, and the medical staff bylaws, rules, and regulations.”

And that medical staff must:

42 CFR 482.22 (c)(4)

“Describe the qualifications to be met by a candidate in order for the medical staff to recommend that the candidate be appointed by the governing body.”


42 CFR 482.22 (c)(6)

“Include criteria for determining the privileges to be granted to individual practitioners and a procedure for applying the criteria to individuals requesting privileges.”

Thus, 42 CFR 482.22 requires that an individual’s credentials include:

  • A request for clinical privileges
  • Evidence of current licensure
  • Evidence of training and professional education
  • Documented experience
  • Supporting references of competence

Credentialing Criteria

This section sets the requirement for hospitals to create governing bodies to assess candidates and outlines the minimum evaluation criteria to be used.

42 CFR 482.12 (a)(6)

“The governing body must:

Ensure the criteria for selection are individual character, competence, training, experience, and judgment.”

A framework for accurate and efficient credentialing

The National Committee for Quality Assurance (NCQA) offers Credentialing Verification Organization (CVO) Certification or Credentialing Accreditation to a range of healthcare organizations for provider credentialing. Both designations mean that organizations apply industry best practices to deliver efficient and accurate credentialing verification services.

CVO Certification evaluates the operations of organizations that verify practitioner credentials through the primary source, a recognized source, or a contracted agent of the primary source. Credentialing Accreditation evaluates the operations of organizations that provide full-scope credentialing services. In addition to verifying practitioner credentials, these organizations have a designated credentialing committee that reviews provider credentials and makes recommendations, and they monitor provider sanctions and complaints between recredentialing cycles.

To receive NCQA CVO Certification, organizations must meet NCQA standards in three areas, demonstrating that they:

1. Have an internal quality improvement process
2. Protect provider credentialing information (i.e., data security)
3. Verify provider credentials consistently and effectively


Organizations that receive NCQA Credentialing Accreditation must meet the standards in those same three areas, as well as seven additional areas, demonstrating that they:

1. Maintain appropriate agreements and collaboration with clients
2. Have documented credentialing policies (to ensure integrity)
3. Provide a peer-review process (i.e., credentialing committee)
4. Re-evaluate providers in a timely manner (recredentialing)
5. Monitor providers’ performance (complaints, adverse events, and Medicare/Medicaid sanctions)
6. Notify authorities of safety/quality issues and notify practitioners of their appeal rights
7. Evaluate organizational providers, including behavioral health providers


Credentialing and privileging in a national emergency

Hospitals responded to the COVID-19 National Emergency Declaration by activating emergency protocols. To ensure care coverage during the pandemic, health plans and hospitals relaxed guidelines and implemented procedures to expedite credentialing, privileging, and enrollment processing times.

Under Emergency Protocol, many hospitals granted providers disaster or emergency privileges—temporary privileges that terminate once the situation is under control. In this situation, the privileging process can be completed in 72 hours. To expedite health plan enrollment, managed care organizations have the option to implement provisional credentialing procedures in compliance with NCQA or the Utilization Review Accreditation Commission. Primary source verification for provisional credentialing requires only three items: a current, valid medical license; five years of malpractice history; and a current signed application and attestation. The government continued the COVID-19 national emergency declaration beyond March 1, 2021. Emergency-staffed providers must be recredentialed, reprivileged, and re-enrolled once the COVID-19 national emergency ends.

Telehealth regulations in a national emergency

To increase care access during the COVID-19 national emergency, CMS relaxed restrictive regulations for telemedicine use, including patient eligibility, reimbursement, interstate licensing, and privileging.

Credentialing and privileging

To deliver telemedicine services throughout a health system, providers must be privileged at each hospital. Different hospitals may have unique credentialing and/or privileging requirements. Now, according to The Joint Commission, providers who are currently credentialed and privileged in a facility can furnish the same patient care services via a telehealth link, without any additional credentialing or privileging specifically for telemedicine. Telehealth does not need to be specified as a privilege for those providers.

The ultimate responsibility

Even though federal regulations are intended for CMS accreditation purposes, courts have maintained that hospitals are ultimately responsible for the competence of their medical staff members by following thorough credentialing and privileging practices. With that in mind, and lacking a single set of standards, hospitals consistently turn to Title 42 CoPs to guide the management of their medical providers.

By outsourcing credentialing to a CVO that has NCQA CVO Certification or NCQA Credentialing Accreditation, hospital leaders can be confident that credentialing is conducted in accordance with the strictest quality standards. Hospitals must be sure that providers granted provisional credentials and emergency privileges are properly credentialed and privileged when the COVID-19 national emergency ends.

