Six Potential Compliance Gaps in Your Provider Credentialing & Enrollment Processes

Errors, omissions, and misinformation can seep into the credentialing process despite the safeguards built-in. Credentialing professionals in hospitals and payer organizations know the high risks of failing to identify and correct compliance gaps. Potential patient harm—plus accreditation, legal, and financial trouble can follow. Even in the context of pressure to onboard providers quickly, there’s no alternative to stopping in your tracks when a questionable item appears in a practitioner’s file.

One solution to provide an extra layer of security that doesn’t upend efficiency is a self-audit in areas identified as high risk for credentialing compliance. A cloud-based provider data management system keeps you on track to flag items for further review, request and receive additional information or documents electronically, and make notes about aberrations in files. 

Consider these six complex areas within the stages of primary source verification (PSV) and credentialing that warrant attention to avoid compliance gaps.

1. You never touch the phone when getting references

It’s agreed that professional references are among the best ways to gain a true picture of an applicant's clinical acumen and professional behavior, since the information comes from residency or fellowship program directors or department chiefs who saw the provider in action. You want to reach the people who’ve had recent and direct exposure to the applicant’s practice. 

Obtaining references is a challenge for many reasons, including:

  • Clinicians are busy and often never respond to reference requests
  • Telemedicine and locum tenens practitioners move around, making references voluminous and hard to track
  • References aren’t always forthright due to legal concerns
  • Getting candid information can be challenging, especially where problems with a practitioner existed

Not every reference check requires a call, but any red flag should send you to the phone for follow-up. Consider the issue’s nature and  determine the best person to make the call—a credentialing professional, practitioner, or medical staff leader. Some cases of clinical or behavioral issues are better discussed provider to provider. Hints you can get from references on the phone that you can’t get from a form, especially when it’s incomplete, include failure to directly answer a question, one-word answers, or a query about whether the response is on the record.

2. You onboard in this order: hire, set start date, credential, enroll

If the order your healthcare organization uses to onboard starts with setting a start date and ends with payer enrollment, you might be: 

  • Jeopardizing compliance with Medicare
  • Leaving reimbursement money on the table
  • Inconveniencing the provider or patients
  • Doing double time on some credentialing/PSV steps

Many hospitals and group practice networks put the proverbial cart before the horse. They set a provider’s start date and then work backward to complete credentialing and enrollment applications, which can take from 30 to 160+ days. A provider can be billed for only when the insurer documents that the enrollment is complete. Note that some payer plans enable billing for a new physician under a supervising physician once the credentialing is underway, but a signed statement is required. In addition, Medicare allows physicians to retro-bill 30 days from the date their Medicare application was received at the Medicare Administrative Contractors office, established through the receipt of the physician’s Provider Transaction Access Number. 

Business- and compliance-savvy organizations first identify the plans in which to enroll the new provider, including any new to the organization. Based on their excellent understanding of the contracts, they can estimate carrier by carrier what the turnaround time will be. Only then do they set the provider’s first appointment dates. While most providers can be enrolled in about 90 days, missed or incorrect data and signatures, use of the wrong/outdated form, and missing supplemental documents cause delays. 

Contracts that link provider start date with receipt of enrollment material are becoming more common but can be unpopular with practitioners if done incorrectly. Communicate to your providers that the goal is to lessen the paperwork burden. It benefits the provider to be accurately enrolled and credentialed with all payers, and that takes time and effort upfront, so mistakes aren’t made. If you use contracts with a linkage requirement, provide a reasonable enrollment cushion, for example letting the provider know the effective date may be no sooner than 120 days after receipt of all information. Keep the provider in the loop, enabling them to realistically fill their clinical schedule. 

3. You accept non-primary/non-designated sources

Credentialing’s effectiveness comes from the act of going directly to the source of the credential or the institution that issued the document for PSV. You can also verify through a designated equivalent source, which is an accrediting agency’s approved agent of the source that has been determined to maintain specific credentialing items that are identical to the information at the primary source.

Note that obtaining original documents doesn’t necessarily constitute PSV, especially when the communication comes from the applicant themselves or through their agent. Resort to secondary sources (e.g., another healthcare facility, photos or photocopies of a credential verification, confirmation from a source who PSV’d the credential) only in cases where the true primary source is unavailable. Information received directly from the issuing source can be received as:

  • Written communication (email, letter, or fax)
  • Phone (Document: name of organization, date, person contacted, questions asked, response, the name of the person receiving the response)
  • An approved website

Go the extra mile: In addition to using primary sources, consider conducting backup research such as an online search including social media. Often, any negative articles or posts about the provider’s background or behavior can be unearthed this way.

4. You don’t keep up with APPs’ scopes

Advanced practice professionals (APPs, e.g., nurse practitioners, physician assistants, certified registered nurse anesthetists) are filling physician-shortage gaps, and their scopes of practice are expanding. Credentialing compliance for this group goes beyond adherence to your accreditation body’s standards and internal bylaws and policies. Stay apprised of state scope-of-practice laws and professional licensure laws. Primary source verification, credentialing, and onboarding of APPs is different in every state and organization.  

These tips can serve as a guide for creating an APP credentialing policy or evaluating an existing one: 

  • Is there a job description for each APP role? Does any activity on the job description conflict with state scope of practice laws? 
  • Do any differences exist between the laws/regulations or accreditation standards overseeing this APP (e.g., Centers for Medicare & Medicaid Services, The Joint Commission/NCQA) and the hospital’s bylaws, and medical staff policies and procedures)? How will you correct these in your organization’s bylaws?
  • Does the APP role require supervisory or collaborative arrangements? If so, does the supervisor/collaborator/APP leader make recommendations during credentialing (pre-privileging)? 
  • Do APP leaders need to be included as voting members of the Credentials Committee?
  • Does the supervisor/collaborator/APP leader need to review all collaborating agreements, billing processes, and supervisory processes for compliance?

Follow a consistent policy regarding the credentialing of APPs to avoid violating licensure laws and/or scope creep. 

5. You automatically enroll providers as servicing all of your locations 

In-network providers are the only choice for many patients due to the high cost of going out of network. As a result, they rely on network directories for accuracy. Meanwhile, providers benefit from being listed in payers’ directories in that it affords them the opportunity to increase practice volume. However, The Centers for Medicare & Medicaid Services (CMS) warns that it sees group practices wrongly publishing data at the group level rather than at the provider level (i.e., the group has an office at the site, even if that specific provider rarely or never sees patients there).

CMS can conduct directory checks inexpensively. Third-party call centers directly dial out to practices using the site’s own directories or rosters to request a specific provider. When met with the response that the provider doesn’t practice at that location, trouble can ensue in the form of penalties and enrollment sanctions.

CMS is getting more vigilant in finding and correcting inaccurate online provider directories, and monitoring provider accessibility and provider network adequacy standards. For egregious service location enrollment errors, CMS reserves the right to automatically disenroll groups/providers without notification.

“Just in case” scenarios that some healthcare organizations employ are especially problematic. In them, providers are automatically enrolled into multiple (or all) of service locations, even sites where the practitioner may never provide care or services. Other organizations simply don’t have a good handle on keeping their directory data accurate. Those issues can result in a CMS’ finding of location inaccuracy (specifically, “provider not practicing at location”). Another common error: Stating that providers are accepting new patients when they are not.

6. You don’t train and invest in staff 

Every staff member has a role and job description, but compliant and well-functioning organizations set the tone from the top down that everyone contributes to patient safety and quality improvement. Organizations that invest in continuing education and training for enrollment and credentialing professionals find that staff become surrogate “compliance officers” and quality assurance advocates. 

Train staff on: 

  • Compliance: Staff exposed to the state or federal regulations that the practice abides by become the provider’s next best eyes and ears for the provision of safe patient care. 
  • Quality and patient safety: Often a part of a Just Culture program, incident management is a method of shared accountability for safety. All parties across the healthcare spectrum help to collect data on incidents and near misses toward the goals of greater patient safety and quality. To make it successful, train all parties—administration/management, clinicians, staff, and patients—on how it works. The goal is to develop a robust program that encourages everyone to report incidents, near-misses, and errors in a blame-free environment. 
  • Managed care/The healthcare business: Enrollment and credentialing professionals must understand where the steps involved in PSV, credentialing, privileging, and enrollment fit into the entire provider life cycle picture. Organizations such as the National Association Medical Staff Services provide basic training about the full revenue cycle—patient treatment, claims processing, payment collection—that can give credentialing professionals a global outlook on the business of patient care. 

Learn how to avoid compliance risk by visiting symplr today for a demonstration.


Request a Demo