Information Integrity for NCQA Credentialing - Steps to Take Now

By Nancy Ross Bell, RN

Estimated time to read: 4 minutes

Now is the time for organizations to make NCQA’s 2025 standards on Information Integrity a top priority. 

In this blog, we explain:  

• Why Information Integrity Matters
• NCQA’s Transition from System Controls to Information Integrity
• Requirements and Scoring
• What Organizations Should Do Now
• Next steps on delegating credentialing Information Integrity

Why Does Information Integrity Matter?

The prevalence of cyber security attacks on healthcare data is unsettling. Just as critical is credentialing data contained within organizations performing credentialing activities. Risks associated with not maintaining the integrity of information could lead to:

• Wrong decisions about healthcare and provider networks
• Penalties from state or federal agencies because of fraudulent information
• Member dissatisfaction if care is wrongfully denied or delayed
• Provider dissatisfaction
• Impaired reputation that your organization is compromised and not trusted
• Staff frustration about inconsistencies and lack of integrity
• Financial loss

NCQA has strengthened its support of Information Integrity in the 2025 credentialing standards with the following:

• Must-Pass Elements
• Structural Requirements
• Annual Training
• Annual Audits
• Analyses   

You can’t be too safe with protecting all credentialing information.

As you read through this blog and consider your needs, know that MHR’s Consultants will guide you through this transition. 

Additionally, refer to MHR’s blog on Information Integrity for standards specific to UM denials and appeals.

NCQA’s Transition from System Controls to Information Integrity

On July 25, 2024, NCQA’s Policy Accreditation Team released a directive on System Controls.  It reads:

For 2025, NCQA replaced the 2024 UM and CR “System Controls” requirements in Health Plan Accreditation; Managed Behavioral Healthcare Accreditation, Accreditation in Utilization Management, Credentialing and Provider Network; and Certification of Credentialing Verification Organizations with UM/CR “Information Integrity” requirements. Organizations are no longer required to describe their process for monitoring each factor or describe their auditing methodology in policies and procedures. Additionally, organizations are no longer required to describe the building security that adequately limits physical access for Credentialing Accreditation and Certification of Credentialing Verification Organizations.

For each of the accreditations and certifications included above, NCQA listed the Elements and Factors eliminated with the 2025 standards and explained that organizations would be scored NA (Not Applicable) for 2024 surveys that begin on or after July 1, 2024.

Information Integrity for Credentialing/Recredentialing

As we highlight sections of the standards below, please refer to the complete details of the 2025 standards purchased through the NCQA Store.

• 2025-Health Plan Accreditation (CR 8 and CR 9)
• 2025 CR-PN Accreditation-Accreditation and Certification in Credentialing and Provider Network (includes CVOs) (CR 2 and CR 3) are within the Credentialing Core Standards

The 2025 NCQA standards for MBHO have not been released at this writing.

CR 8A/CR 2A: Protecting the Integrity of Credentialing Information

Element A requires a Policy and Procedure that applies to safeguarding the integrity of information organizations use in the credentialing/recredentialing process.

Critical points to note with CR 8/CR 2 Element A are the following:

• Multiple bullet points are listed within the Explanation for each Factor and must be explicitly described in the Policy and Procedure.

A Policy is a formal documented process describing the overarching course of action the organization will follow to protect the integrity of information. Policies must be formally adopted by the organization with a documented effective date.

A Procedure describes how and by whom staff will carry out the actions to achieve the objectives stated in the policy with a documented effective date.

• Policies and procedures must cover the entirety of the LBP. The scope of Element A Factor 1 has vastly increased from Primary Source verification information to all types of credentialing information, as seen in the Explanation for Factor 1. This expanded scope is incorporated into Element C Audits and Analysis.
• Pay close attention to Factor 4 and the list of inappropriate documentation and updates. Policies and procedures must specify these five bullet points and be included in the annual training of Credentialing staff on Information Integrity, as seen in Element B, and auditing in Element C. These bullet points are:
• Falsifying credentialing dates (e.g., licensure date, credentialing decision date, staff verifier date, ongoing monitoring dates)
• Creating documents without performing the required activities (e.g., photocopying a prior credential and updating information as a new credential)
• Fraudulently altering existing documents (e.g., credentialing minutes, clean-file reports, ongoing monitoring reports)
• Attributing verification or review to an individual who did not perform the activity
• Updates to information by unauthorized individuals
• Applies to all surveys and product lines with a Look-Back Period of prior to the survey date.
• Applies to credentialing and recredentialing information in both paper and electronic formats.
• Is a Must-Pass Element where four of five Factors are needed to be scored as Met. There is no Partially Met scoring option.
• Is a Structural Requirement where the organization must present its own documentation.

CR 8B/CR 2B: Information Integrity Training

Organizations must train their credentialing/recredentialing staff on their Policy and Procedure describing all bullet points in CR 8A/CR 2A Factors 4 and 5.

• Training is required annually (CR 8B/CR 2B)
• The Information Integrity training must include inappropriate documentation and updates, as well as annual auditing, how to document and report inappropriate documentation, and consequences for inappropriate documentation (CR 8B/CR 2B Factors 1 and 2).
• Examples of appropriate and inappropriate behaviors and a post-training assessment or survey to assess attendees’ knowledge of inappropriate documentation and updates may be helpful to reinforce learning.
• Reports reflect when training was conducted, by whom, how it was conducted, and associated materials (i.e., training presentation and evidence training was done).
• Applies to all surveys and product lines.
• Is a Structural Requirement.

CR 8C/CR 2C: Audit and Analysis

Audit for inappropriate documentation and updates, as staff were trained on in Element B, as well as a qualitative analysis of the findings, is the focus of Element C.

• Applies to annual random audits of credentialing/recredentialing files.
• Keep in mind that the audit scope expanded to include the following bullet points listed in CR 8A/CR 2A Factor 1 Explanation:
  • The practitioner application and attestation
  • Credentialing documents received from the source or agent
  • Documentation of credentialing activities
    • Verification dates
    • Report dates (e.g., sanctions, complaints, identified adverse events)
    • Credentialing decision dates
    • Signature or initials of the verifier or reviewer
  • Credentialing Committee minutes
  • Documentation of clean file approval, if applicable
  • Credentialing checklist, if used
• Requires an audit report regardless of findings (Element C Explanation).
• A qualitative analysis of EACH instance of inappropriate documentation and update identified in the audit is required. The report must include:
  • The titles of credentialing staff involved in the analysis
  • The cause of each finding must be described

 This information drives corrective actions as required in CR 8D/CR 2D.  

Ensure the qualitative analysis includes all requirements defined by NCQA in the Glossary.

Findings of the qualitative analysis drive improvement actions for CR 8/CR 2 Element D. 

Need assistance? MHR’s report templates on Analysis walk you through the steps.

• Applies to First and Renewal Surveys for all product lines, with a Look-Back Period of at least once during the prior year.

Refer to Examples under CR 8C/CR 2C on how audit Reports may be structured.

CR 8D/CR 2D: Improvement Actions

Element D completes the quality process by following through on actions to improve the findings from CR 8C/CR 2C, then audits for the effectiveness of actions taken.

• Documented Process required for Factor 1 describes the organization's corrective actions planned or taken. Include the issue or finding, reason or source of the problem, actions to be taken or taken, time frame, and title of staff responsible.
• Corrective actions are taken to address all inappropriate findings found in CR 8C/CR 2C.
• Audits of effectiveness must be conducted 3-6 months after completion of the annual audit where improvement actions were identified. Clearly describe the methodology used in conducting the audit. Where actions were taken, a conclusion of the overall effectiveness must be drawn (CR 8D/CR 2D Factor 2 Explanation).
• Is a Structural Element and applies to First and Renewal Surveys for all product lines, with a Look-Back Period of at least once during the prior year

Tips on writing a conclusion:

• What was the corrective action taken?
• Was the action effective in preventing inappropriate documentation and updates based on the follow-up assessment within 3-6 months?
• Were any new features or processes working properly?

Refer to Examples in CR 8D/CR 2D on how Reports for corrective actions may be structured. 

Delegating Information Integrity-Credentialing and Recredentialing (CR 9/CR 3)

What to do now?

Check the implementation date of all CR Delegation Agreements and update them according to the timeframes described in CR 9A/CR 3A Scope of Review and included below. These timeframes relate to the addition of the bullet points in CR 9A/CR 3A Factor 4 Explanation on inappropriate documentation and updates to credentialing/recredentialing information.  

For Factor 4:

• Delegation Agreements in place before July 1, 2025, that include requirements for System Controls under the 2022-2024 standards do not need to be updated with new credentialing Information Integrity requirements, as NCQA will not evaluate these Agreements against prior System Controls standards. Note: After July 1, 2025, Agreements should be updated.
• Delegation Agreements in place before July 1, 2025, that do not address System Controls under the 2022-2024 standards must be updated with requirements on credentialing Information Integrity before July 1, 2025. Priority-Take Action!
• New Delegation Agreements implemented on or after July 1, 2025, must include requirements on credentialing Information Integrity.

Tip:  If not already in place, make a table to track your Delegation Agreements. MHR has a proprietary Delegation Suite of tools to help track and assess Agreements.

• Formally add new credentialing/recredentialing Information Integrity responsibilities of the organization and delegated entity to the Delegation Agreement (CR 9A/CR 3A Factor 2 Explanation). These include the details of credentialing activities performed by the delegate and credentialing activities retained by the organization.
• Assess if delegated entities have subdelegated activities whereby responsibilities for credentialing Information Integrity must be updated. The Delegation Agreement must specify which organization is responsible for oversight of the subdelegate (CR 9A/CR 3A Factor 2 Explanation).
• Update requirements on performance monitoring according to the timeframes listed above. Include all bullet points for performance monitoring specified in CR 9A/CR 3A Factor 4 Explanation for inappropriate documentation and updates.
  • Please note that performance monitoring for credentialing includes the process used to maintain and safeguard the information used in the initial credentialing and recredentialing process against inappropriate documentation and updates. The Delegation Agreement must specify what is inappropriate.
• For amended and new Delegation Agreements initiated within the Look-Back Period, predelegation evaluation is required (CR 9B/CR 3B Explanation). If the organization amends the Delegation Agreement to include additional credentialing activities within the Look-Back Period, it performs a predelegation evaluation for the additional activities.
• Additional credentialing activities may include those listed under the scope, training, audit, and analysis. Note the Exceptions for Delegation Agreements that have been in effect for longer than the Look-Back Period.
• Verify if the delegate is NCQA-Accredited under the 2025 standards as explained under Predelegation Evaluation. Automatic credit may be available for Information Integrity requirements (CR 9B/CR 3B Explanation).
• Annually audit and analyze each delegate’s credentialing/recredentialing files for Information Integrity (CR 9C/CR 3C Factor 5 Explanation). The delegate or organization must provide a completed audit report even if no inappropriate findings were noted. Note that the audit for Information Integrity is in addition to other audits (CR 9C/CR 3C).
• A qualitative analysis and conclusion are required for the annual audit for credentialing Information Integrity. Each non-compliant file must be evaluated, and corrective action must be taken, followed by an analysis of effectiveness from 3-6 months after the action was taken (CR 9C/CR 3C Factors 6-7).
  • The organization may conduct audits for credentialing Information Integrity, or
  • The organization may use the delegate’s audit.
    • In this case, the organization submits the delegate’s audit and report to NCQA with proof of the health plan’s review and evaluation as demonstrated in a report and meeting minutes.
  • For Delegation Agreements in place over 12 months, opportunities for improvement are identified and followed up on, and corrective actions are implemented (CR 9D/CR 3D).

Formal Notification of Changes

Depending on your organization, updates to Delegation Agreements to include new or expanded responsibilities (CR 9A/CR 3A Factor 2) may be done by either updating the Agreement currently in place or formally notifying the Delegate in writing that the notification is an update to the Agreement. 

In order for a formal notification to be acceptable, the Delegation Agreement must require the delegate to remain compliant with current NCQA Standards. The formal notification must reference this section of the agreement as this section is what requires the delegate to be compliant with the new requirements.

Key Points:

• When formal notification to the delegate is used, reference the section of the Delegation Agreement that requires ongoing compliance with NCQA and the expectation to meet the new or expanded Credentialing Information Integrity requirements.
• Describe all new or expanded responsibilities for Information Integrity required of the delegate and retained by the organization
• Add annual staff training on Information Integrity with evidence of attendees and curriculum
• Explain the requirement for annual audits and analysis with corrective actions and follow-up analysis of effectiveness
• Require the delegate to remain compliant with current NCQA Standards
• Describe changes to delegated oversight in relationship to Information Integrity, including subdelegation oversight
• Require the delegate to affirm in writing receipt of notification and understanding by signature on an updated Delegation Agreement or other formal signature document from the organization

Getting Started

• Assess the effective date of your Delegation Agreements and prioritize according to their date and if/when Credentialing Information Integrity is included.
• Approach changes with a multi-disciplinary team, including Credentialing, Contracting, Quality/Accreditation, Training, IT systems, and Legal.
• Ask your MHR Consultant to review all Policies and Procedures, Reports, and Agreements.
• Schedule training on NCQA Credentialing Information Integrity with your MHR Consultant.

How Can MHR Assist?

Potential risks of non-compliance are high.

MHR can:

• review your Policies and Procedures
• assess audit methodology for new or increased scope of the audit on credentialing/recredentialing Information Integrity
• ensure your qualitative analyses and conclusions meet requirements
• assess potential areas for automatic credit
• review your organization’s training presentations and evidence
• prioritize actions to be taken for each Delegate
• guide you in responsibilities to include in your Delegated Agreements or other formal notification
• train your team on the NCQA Accreditation standards, Delegation, and Analysis

Call to Action:

• Schedule a call with your MHR Consultant on Information Integrity
• Schedule 2025 NCQA Credentialing standards, Delegation, and Analysis Training
• For non-clients, contact us at [email protected]

MHR follows a quality review process for all blogs. This blog was written with insights from Kim Carpenter Petit. Please read more about Kim and MHR’s other Independent Consultants at ManagedHealthcareResources.com/About Our Consultants.  

MHR: Driving healthcare quality one NCQA accreditation at a time