November 1, 2018

QUESTION:        We are considering having a Credentials Verification Organization (“CVO”) perform primary source verification and other required verifications for our credentialing process.  Do we need to have some sort of agreement in place?  If so, what should that agreement include?

ANSWER:            Regardless of whether you are using an internal CVO (i.e., one that is a part of your organization) or an external, independent CVO (i.e., one that has no corporate affiliation with your hospital), there should be an agreement in place between the CVO and the hospital.

An agreement should define the obligations of the CVO, including the services that it will provide.  The agreement should also specifically identify the information that will be verified and the sources that will be used for verification purposes.  If ongoing monitoring of practitioners’ credentials is a part of the services the CVO will provide, the agreement should state this and indicate the credentials that will be monitored (e.g., Medicare and Medicaid sanctions and exclusions).

Furthermore, sharing of confidential credentials information should be addressed and include provisions on how sensitive information such as National Practitioner Data Bank reports and drug or alcohol treatment information will be handled and shared.  If the hospital is involved in delegated credentialing for third-party payors, there are special considerations for sub-delegation agreements, which would include agreements with an external CVO to perform verification activities.

Specifically, the agreement must require semiannual reporting of the CVO to the hospital on its conduct of the contracted-for activities, describe the process by which the hospital evaluates the CVO’s performance under the agreement, and describe the remedies available to the hospital if the CVO does not fulfill its obligations, including revocation of the delegation agreement.

May 19, 2016

QUESTION:        Our hospital is registered with the National Practitioner Data Bank (“NPDB”).  We would like to designate as an authorized agent for NPDB querying purposes a credentials verification organization (“CVO”) with which we have recently started working.  How do we go about doing this?

ANSWER:           The NPDB explicitly permits the practice of eligible entities, including hospitals, designating authorized agents, such as CVOs, to query on their behalf.  However, according to the NPDB Guidebook, an authorized agent must, itself, register with the NPDB and comply with all the registration requirements.  Often, CVOs act as authorized agents for a number of eligible entities.  Nonetheless, the CVO must query the NPDB separately for each eligible entity they represent.  Moreover, the CVO is not permitted to share results of a query for one eligible entity with another eligible entity.

After the CVO registers with the NPDB, your hospital will have to designate the CVO as its authorized agent.  This is a relatively simple process that can be done electronically by accessing this web address:  Finally, as a part of designating the CVO as an authorized agent to query the NPDB on behalf of your hospital, you will have to create a written agreement between your hospital and the CVO.  The NPDB Guidebook does not identify any required elements for this written agreement, but the NPDB website provides recommendations for what should be included in the agreement.  According to the NPDB website, the agreement should confirm the following:  (1) the authorized agent is authorized to conduct business in the relevant state; (2) the authorized agent’s facilities are capable of maintaining the security and confidentiality of NPDB reporting and query responses; (3) the authorized agent is prohibited from using querying responses for any purpose other than that for which the disclosure was made; and (4) the agent understands that sanctions can be taken if information is requested, used, or disclosed in violation of NPDB provisions.