Delegated Credentialing in Network Builds: Accelerating Provider Onboarding at Scale

What Delegated Credentialing Is and the Standards That Govern It

Delegated credentialing is an arrangement in which a health plan authorizes a third-party organization — typically a hospital, large multispecialty group, independent practice association (IPA), or management services organization (MSO) — to perform credentialing and re-credentialing functions on the plan's behalf for providers affiliated with that organization. Rather than credentialing each affiliated provider directly, the plan accepts the delegated organization's credentialing determination, subject to oversight and audit requirements that preserve the plan's ultimate accountability for the quality of its network providers.

Delegated credentialing is governed primarily by NCQA credentialing standards — specifically the standards in NCQA's Credentialing and Recredentialing (CR) chapter — and by URAC credentialing standards for plans seeking URAC accreditation. Both NCQA and URAC require that plans maintaining delegation agreements meet defined requirements for delegation agreement content, ongoing oversight activity, and periodic audit of the delegated organization's credentialing files. CMS's Medicare Advantage program requires that MA plans maintain credentialing programs that meet the standards of a recognized accreditation organization, effectively incorporating NCQA or URAC standards into the federal regulatory framework through the accreditation pathway.

State Medicaid programs impose credentialing requirements through managed care contract provisions, which frequently reference NCQA or URAC standards as the applicable framework. Plans participating in Medicaid managed care should review their Medicaid managed care contract provisions carefully, as state-specific credentialing requirements may impose additional constraints on delegation arrangements beyond those in the NCQA/URAC standards — particularly for behavioral health, substance use disorder treatment, and LTSS provider types where states have enacted provider-specific credentialing requirements.

Which Entities Can Serve as Delegated Credentialing Organizations

Not every organization that asks to serve as a delegated credentialing organization is appropriately structured to fulfill that role. NCQA standards require that a plan assess a potential delegate's credentialing program before delegation commences, using a standardized evaluation process that examines the delegate's credentialing policies and procedures, its credentialing committee structure, its primary source verification practices, and its ability to meet the plan's credentialing standards.

The entities most commonly structured to serve as effective delegated credentialing organizations are hospital systems and health systems with established medical staff offices. Hospital medical staff credentialing processes are typically sophisticated, well-resourced, and aligned with NCQA-equivalent standards through hospital accreditation requirements (The Joint Commission, DNV, HFAP). Plans that enter delegation agreements with hospital systems inherit the benefit of a credentialing infrastructure that has been built and refined to meet regulatory standards in its own right.

Large multispecialty medical groups, IPAs, and MSOs with dedicated credentialing staff and established credentialing processes are also appropriate delegate candidates when their programs meet NCQA standards on pre-delegation assessment. The risk with group practice and IPA delegation is variability in program quality — some large groups maintain sophisticated credentialing programs; others maintain minimal processes that will not withstand the oversight audit requirements that delegation agreements impose.

Behavioral health organizations, substance use disorder treatment networks, and LTSS provider networks are increasingly common delegation candidates as plans build out these specialty networks under 1115 waiver and integrated care initiatives. These organizations may have state-required licensing and certification processes that overlap with, but do not substitute for, NCQA-aligned credentialing standards. Plans entering behavioral health or SUD network delegation arrangements should assess whether the delegate's existing certification process covers the primary source verifications and sanction screening requirements that NCQA credentialing standards mandate.

Delegation Agreement Requirements: Oversight, Audit Rights, and Reporting

The delegation agreement is the legal and operational foundation of a delegated credentialing arrangement. NCQA standards specify the required content of delegation agreements, and plans that enter delegation arrangements without delegation agreements that meet NCQA's content requirements are in violation of their accreditation standards — an exposure that can affect the plan's accreditation status regardless of whether the underlying credentialing being performed is technically adequate.

Required delegation agreement elements under NCQA standards include: a description of the specific credentialing functions being delegated; the credentialing standards that the delegate is required to follow; the plan's right to conduct oversight audits of the delegate's credentialing files; reporting requirements that specify the frequency and format of credentialing activity reports; the plan's right to approve or reject individual credentialing determinations; termination provisions that specify the conditions under which the plan can terminate the delegation arrangement; and provisions for the plan to assume direct credentialing responsibilities in the event that delegation is terminated.

Audit rights provisions deserve particular attention in delegation agreement negotiations. NCQA standards require that plans conduct periodic oversight audits of their delegates' credentialing files — minimally annually — to verify that the delegate's credentialing determinations meet the plan's standards. Delegation agreements that restrict the plan's audit rights — for example, by limiting the plan to reviewing a sample size the delegate controls, or by requiring advance notice periods that allow the delegate to remediate files before the audit — undermine the compliance value of the delegation arrangement. Plans should insist on unannounced or minimally noticed audit rights with sample sizes that give the plan statistical confidence in the delegate's program quality.

Reporting requirements in delegation agreements should specify, at minimum: monthly or quarterly reports of all credentialing actions taken during the period (new credentialing, re-credentialing, adverse actions, terminations); immediate notification of adverse credentialing actions within a defined timeframe (typically 30 days of the action or the plan's credentialing committee meeting, whichever is sooner); and a list of currently delegated providers in a format that the plan can use to maintain its network roster and adequacy model.

How Delegation Compresses Timelines in a Network Build Context

The timeline compression benefit of delegated credentialing is most dramatic in network builds that require onboarding large numbers of providers affiliated with a single delegated organization. In a direct credentialing model, the plan must credential each provider individually — collecting credentialing applications, verifying primary sources, running sanction checks, and convening a credentialing committee review for each provider before that provider can be counted in the adequacy model. For a network build that requires contracting with a large hospital system or a multispecialty group with hundreds of affiliated providers, direct credentialing of each provider individually can add 90–180 days to the network build timeline.

Under a delegated credentialing arrangement with the same hospital system or group, the plan accepts the organization's existing credentialing determinations for currently credentialed providers, subject to a pre-delegation audit that verifies the organization's credentialing program meets the plan's standards. Providers who are currently credentialed by the organization can be added to the plan's network and counted in the adequacy model once the pre-delegation audit is complete and the delegation agreement is executed — typically a 30–60 day process rather than the 90–180 days required for individual direct credentialing.

For newly joining providers — those who are not yet credentialed by the delegated organization — the timeline compression is less dramatic, because the organization's credentialing process must still run before those providers can be onboarded. However, the plan benefits from the organization's established primary source verification relationships, credentialing committee infrastructure, and process discipline, which typically produce faster individual credentialing decisions than a plan building a new credentialing relationship with each provider individually.

The timeline compression effect is most valuable at the beginning of a network build, when the plan needs to achieve adequacy threshold as quickly as possible in order to meet regulatory or market entry timelines. Plans that identify potential delegation partners early in the network build planning process — before provider contracting negotiations begin — can structure their network build strategy to prioritize delegation-eligible provider groups for initial contracting and use the time saved on credentialing to work through the provider types and geographies where direct credentialing is unavoidable.

Ongoing Oversight Visits and Monitoring Under Delegation

NCQA standards require that plans conduct oversight activities on an ongoing basis throughout the delegation relationship — not only at initial delegation. The oversight requirements include an annual audit of a statistically valid sample of the delegate's credentialing files, regular review of the delegate's credentialing activity reports, and documentation of the plan's oversight activities in a format that can be produced during an NCQA survey or CMS audit.

Annual audits of delegated credentialing files should be structured to evaluate whether the delegate's credentialing determinations meet the plan's standards across multiple dimensions: completeness of the credentialing application, completion of all required primary source verifications within the timeframes the plan's standards require, documentation of sanction screening against applicable exclusion lists (OIG List of Excluded Individuals and Entities, SAM.gov, state Medicaid exclusion lists), and appropriate credentialing committee review and approval documentation. Plans should document the sample methodology, the file elements reviewed, the findings, and any corrective actions required — and maintain this documentation in an audit-ready format.

Oversight monitoring between annual audits should include review of the delegate's monthly or quarterly credentialing activity reports for completeness and any anomalies — adverse actions that were not reported timely, credentialing decisions that appear inconsistent with the plan's standards, or gaps in reporting that may indicate operational issues at the delegate. Adverse credentialing actions by the delegate — denials, terminations for cause, restrictions on privileges — require particularly careful oversight because they have direct implications for the plan's network and must be reflected in the plan's provider roster and, where applicable, reported to the National Practitioner Data Bank (NPDB).

When Delegation Creates Risk and Direct Credentialing Is Safer

Delegation is not always the right choice, and network operations leaders should be alert to the situations where the compliance risk of a delegation arrangement outweighs the timeline benefit it offers.

The highest-risk delegation situations are those where the plan enters a delegation arrangement with an organization whose credentialing program has not been properly assessed, where the delegation agreement does not include the required content elements, or where the plan's oversight activities are inadequate to detect deficiencies in the delegate's credentialing decisions. Plans that enter delegation arrangements to compress timelines without investing in a genuine pre-delegation assessment and ongoing oversight program are accepting compliance exposure that can exceed the timeline benefit they sought to capture.

Direct credentialing is safer — and often required — in certain provider categories. Providers without organizational affiliation (solo practitioners, small independent practices) cannot be credentialed through organizational delegation and must be credentialed directly. Providers in high-risk specialty categories — particularly surgery, anesthesiology, and high-complexity procedural specialties — may warrant direct credentialing even when organizational affiliation exists, to ensure the plan has complete primary source verification documentation rather than relying on the organization's review. Plans with prior credentialing audit findings should exercise particular caution about expanding delegation relationships before demonstrating that their direct credentialing program meets NCQA standards consistently.

DMEPOS and Behavioral Health Delegation Nuances

Durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) suppliers and behavioral health providers present specific nuances in the delegation credentialing context that network teams should understand before entering delegation arrangements with organizations in these categories.

DMEPOS suppliers are subject to Medicare enrollment requirements administered through PECOS and must hold a valid Medicare supplier number to participate in Medicare Advantage networks. The credentialing of DMEPOS suppliers differs from the credentialing of licensed healthcare professionals in that it focuses on supplier qualifications, accreditation status, and Medicare enrollment status rather than individual licensure, board certification, and clinical training. NCQA credentialing standards have separate provisions for supplier organizations, and delegation arrangements with DMEPOS supplier networks must be structured around the supplier credentialing standards rather than the provider credentialing standards that govern physician and mid-level credentialing.

Behavioral health credentialing through delegation is complicated by the diversity of behavioral health provider types — psychiatrists, psychologists, licensed clinical social workers, licensed professional counselors, marriage and family therapists, certified substance use disorder counselors — and the varying licensure and certification requirements that apply to each type across state lines. Delegation arrangements with behavioral health organizations must specify which provider types are included in the delegation scope and must verify that the delegate's credentialing process covers the specific primary source verifications and licensure checks applicable to each provider type in each state where the plan operates. Plans that delegate behavioral health credentialing to organizations that operate across multiple states should verify that the delegate's credentialing process accounts for state-specific licensure requirements rather than applying a single-state process to a multi-state provider population.