Credentialing Expiration Management: Keeping Your Provider Roster Compliant Year-Round

The Silent Risk in Every Active Roster

Network adequacy compliance is typically discussed in terms of gaps that appear at filing time — counties below threshold, specialties with insufficient providers, exception filings that weren't approved. But there is a category of adequacy risk that develops invisibly between filing cycles: the credentialing expiration. A provider who was fully credentialed when the plan filed its HPMS submission may have a lapsed credential six months later. Under CMS requirements and applicable accreditation standards, that provider cannot remain on the active roster. Removing them may create an adequacy gap in a county that CMS already reviewed and accepted as compliant.

This is not a theoretical risk. Plans that undergo CMS audits or accreditation reviews regularly discover that their active rosters include providers whose credentials have lapsed, sometimes by months. The audit finding is a dual violation: the credential maintenance failure and the directory accuracy failure that results from listing a provider as active when they are not credentialed. Both findings carry enforcement implications, and together they create a remediation burden that a systematic approach to expiration management would have entirely prevented.

This article explains the credentialing expiration timeline, how to build a 90-day advance warning system, the full recredentialing workflow, how to handle credential gaps during the recredentialing process, what documentation is required for audits, and how Blueprint tracks expiration dates and triggers alerts across a large active roster.

Understanding the Credentialing Cycle: NCQA and URAC Standards

The standard credentialing cycle under both NCQA and URAC accreditation standards is 36 months — three years from the date of initial credentialing or the most recent recredentialing. CMS does not set its own credentialing cycle length for Medicare Advantage plans, but it requires that plans follow their credentialing policies, which must meet applicable accreditation standards if the plan is accredited. For the vast majority of MA plans, this means the 36-month NCQA or URAC cycle applies.

Some plans operate on a 24-month cycle — either voluntarily or because their state regulator or accrediting body requires it for certain provider types. Behavioral health providers, substance abuse treatment providers, and certain allied health professionals are sometimes subject to shorter credentialing cycles under state law or plan policy. Plans with mixed-cycle policies must track each provider's cycle length individually, not apply a blanket 36-month assumption.

Within the 36-month cycle, certain elements of the credential must be verified more frequently. Malpractice insurance must be verified annually. Sanctions checks (OIG exclusion list, SAM, state licensing boards) must be conducted at least annually under CMS Compliance Program requirements. These interim checks do not reset the credentialing cycle, but their results must be documented and may trigger a special review or credential suspension if a sanction is discovered outside the standard recredentialing window.

Building a 90-Day Advance Warning System

A 90-day advance warning system is the minimum viable early-warning mechanism for credentialing expirations. At 90 days before expiration, the plan has enough runway to complete recredentialing — typically 30 to 60 days for a standard recredentialing file — and still have buffer time for committee review and approval before the expiration date. Plans that wait until 30 days before expiration are at high risk of a gap, because the full recredentialing workflow cannot be completed in 30 days for most providers.

An effective 90-day warning system has three components: a database of credentialing expiration dates that is updated in real time as new providers are credentialed or recredentialed; an automated alert mechanism that triggers at 90 days, 60 days, and 30 days before each expiration; and a workflow assignment that routes the recredentialing initiation task to the appropriate staff member at the 90-day mark.

The alert mechanism is only as good as the underlying data. Plans that maintain credentialing dates in spreadsheets or disconnected systems regularly experience silent expirations — the expiration date passes without an alert because the data wasn't current or the alert wasn't configured. Plans that have invested in credentialing management platforms connected to their network rosters see dramatically lower rates of lapsed credentials, because the alert is generated automatically from the same record that drives the active roster.

A secondary element of the warning system should be provider-facing communication. Sending the provider a notice at 90 days — requesting attestation completion, updated malpractice certificate, and current licensure documentation — starts the process from the provider's side simultaneously with the internal workflow. Providers who receive no advance notice routinely express surprise when contacted for recredentialing close to the expiration date, which delays the process further.

The Recredentialing Workflow: Attestation to Approval

The recredentialing workflow mirrors initial credentialing in structure but benefits from an existing record. The core steps are:

• Provider attestation — The provider completes a credentialing attestation form confirming that their identifying information, practice location, hospital privileges, board certifications, and history of sanctions or malpractice actions is current and accurate. The attestation must be signed and dated within 180 days of the committee review date under NCQA standards.
• Primary source verification — The credentialing team verifies directly with the issuing authority — state medical board, DEA, ABMS, National Practitioner Data Bank, malpractice carrier — the currency of each required credential element. Primary source verification cannot be based on copies provided by the provider; it must go to the source. NCQA and URAC specify which elements require primary source verification and which may be accepted via attestation.
• Sanctions check — OIG List of Excluded Individuals and Entities (LEIE), System for Award Management (SAM), state licensing board sanction history, and CMS preclusion list checks. These must be completed within 30 days of the committee review date.
• Credentialing committee review — The completed file is presented to the credentialing committee (or a credentialing committee designee for plans using a delegated credentialing model). The committee reviews for completeness, evaluates any adverse findings, and approves, denies, or conditionally approves the recredential. The decision must be recorded in committee minutes with enough specificity to demonstrate that each file was independently reviewed.
• Provider notification — The provider is notified of the recredentialing decision. For approvals, the notification includes the new credentialing term (36 months from the approval date). For adverse decisions, the notification must include appeal rights under the plan's fair hearing policy.
• Roster and HPMS update — The roster is updated to reflect the new credentialing term. If the provider's HPMS status changes as a result of the recredentialing decision (for example, a denied recredential resulting in removal from the panel), the HPMS update must occur within 30 days of the decision under the provider directory accuracy requirements at 42 CFR 422.111.

Handling Temporary Credential Gaps During Recredentialing

If a recredentialing file is not complete and approved before the expiration date, the plan faces a temporary credential gap. The provider's credential has lapsed; they cannot be carried as an active panel member during the gap period. How the plan handles this situation has significant implications for both member access and compliance.

NCQA standards permit plans to continue services during a brief gap period — typically defined as the time between expiration and a subsequent committee review cycle — provided the plan has a documented policy governing this situation and can demonstrate that the gap was due to administrative delay rather than an adverse finding. This grace period is not unlimited; plans that routinely allow extended gaps without committee review are operating outside accreditation standards.

CMS does not have a parallel grace period provision for network adequacy purposes. If a provider's credential lapses and the plan removes them from the active roster, the adequacy calculation for the affected county is based on the remaining active providers. If the removal creates a gap below CMS threshold, the plan has an adequacy deficiency that must be reported and remediated.

The practical implication is that plans should never allow a recredentialing file to approach expiration without a committee decision in hand. If a file is incomplete at 30 days before expiration — missing provider attestation, outstanding primary source verification, incomplete sanctions check — the credentialing coordinator should escalate immediately. An emergency committee review is operationally disruptive; an adequacy gap finding is more so.

Documentation Requirements for Credentialing Audits

CMS audits of credentialing practices — whether conducted as part of a routine audit or triggered by a complaint — focus on documentation of the full credentialing cycle. Auditors expect to find, for every provider on the active roster, a complete credentialing file that includes the initial credentialing file, all subsequent recredentialing files, all primary source verification records, all sanctions check results, committee minutes reflecting the review and decision, and provider notification letters.

Files that are missing elements, contain undated documents, or show primary source verification that was obtained from the provider rather than from the issuing source are audit findings. Files where the committee minutes do not reflect individual file review — for example, minutes that approve a batch of files by number without identifying each one — are findings. Files where the recredentialing approval date is after the expiration date with no documentation of the grace period decision are findings.

Retention requirements for credentialing files under CMS contracts are a minimum of 10 years. This is longer than the credentialing cycle, which means plans must retain files for providers who are no longer in their network. Plans that purge credentialing records when a provider terminates their contract are non-compliant with retention requirements and risk being unable to produce records in a CMS audit.

How Blueprint Tracks Expiration Dates and Triggers Alerts

Blueprint's credentialing module maintains a real-time expiration calendar for every provider in the network, populated from the credentialing file at the time of initial credentialing or onboarding. The system automatically calculates the expiration date based on the plan's configured cycle length (36-month default, configurable by provider type) and sets alert triggers at 90, 60, and 30 days before expiration.

Alerts are routed to the credentialing coordinator assigned to each provider's file, with escalation to a supervisor if no action is taken within five business days of the 90-day alert. The dashboard view shows the full active roster categorized by credentialing status: current (more than 90 days to expiration), approaching (90–30 days), urgent (less than 30 days), and expired. This categorization allows credentialing directors to triage their workflow and ensure that urgent files receive immediate attention.

The system also maintains the adequacy impact view: for any provider in the approaching or urgent category, the dashboard shows whether removing that provider from the active roster would create an adequacy gap in any county. This integration between the credentialing module and the adequacy module gives network operations teams advance warning of credential-driven adequacy risk — not just credential risk in isolation. Plans using Blueprint consistently report lower rates of credential-gap-driven adequacy deficiencies than plans using standalone credentialing systems without adequacy integration.