Healthcare organizations cannot take a provider’s word for their qualifications, no matter how strong the resume looks. Primary Source Verification (PSV) is the process that closes that gap. It is the mechanism by which every credential a provider claims is confirmed directly with the institution that issued it, not through copies, self-reports, or secondary databases. Without it, credentialing is a formality. With it, it becomes the patient safety and compliance foundation it is designed to be.
This article covers what PSV is, what must be verified, how it works in practice, what NCQA’s updated 2025 standards require, and what happens when organizations get it wrong.
What is Primary Source Verification (PSV)?
Primary Source Verification is the process of confirming a healthcare provider’s credentials directly with the original issuing authority: the medical school, state licensing board, certifying specialty board, or government agency that granted the credential in question.
The defining characteristic of PSV is that verification comes from the source itself, not from a copy the provider submits, a third-party database that aggregates records, or the provider’s own attestation. If a provider lists board certification in internal medicine, PSV means contacting the American Board of Internal Medicine directly, not accepting a certificate on file.
PSV is a mandatory requirement for credentialing under multiple regulatory frameworks, including NCQA (National Committee for Quality Assurance) standards, CMS (Centers for Medicare & Medicaid Services) Conditions of Participation, The Joint Commission accreditation standards, and URAC. Each framework has specific requirements for what must be verified, how it must be documented, and how frequently it must be repeated.
For a broader overview of how PSV fits into the full credentialing workflow, see our Provider Credentialing Guide 2026.
PSV vs. Secondary Source Verification: A Critical Distinction
One of the most common misunderstandings in credentialing is treating secondary source data as equivalent to PSV. They are not interchangeable.
Primary source verification means obtaining confirmation directly from the credentialing authority: the state medical board, the issuing university, the DEA, the certifying specialty board. The information flows from that authority to your organization without an intermediary.
Secondary source verification refers to information obtained from a database, aggregator, or third party that has itself collected data from primary sources. A secondary source holds a copy of data; a primary source holds the original.
The distinction matters for compliance. NCQA, The Joint Commission, and CMS do not accept secondary source data as a substitute for PSV in most credential categories. A provider directory that lists an active license is not PSV. A third-party database that reports board certification status is not PSV unless that database is specifically recognized by the accrediting body as a Designated Equivalent Source (DES).
What Is a Designated Equivalent Source (DES)?
A Designated Equivalent Source is a specific organization that an accrediting body, most commonly The Joint Commission or NCQA, has formally recognized as maintaining credential data that is identical in reliability to the primary source itself. DES status is granted selectively and must be documented in your policies.
Commonly recognized DES examples include:
- American Medical Association (AMA): verifies physician licensure and credentials across medical disciplines
- American Board of Medical Specialties (ABMS): certifies board certification status for physicians in recognized specialties
- National Student Clearinghouse: verifies academic and educational credentials
- National Council of State Boards of Nursing (NCSBN) / Nursys: verifies nursing licensure across states
- Federation of State Medical Boards (FSMB): verifies licensure and disciplinary history for physicians
Using a DES is acceptable where recognized, but organizations must confirm that their accrediting body accepts a given DES for each specific credential category. DES status is not universal across all frameworks.
What Must Be Verified Through PSV?
The specific elements requiring PSV vary by accrediting body and organization type, but the following represent the standard set verified across virtually all credentialing frameworks in the U.S.:
Licensure State medical licensure must be confirmed as active and in good standing directly with the relevant state medical licensing board. For providers practicing in multiple states, each state license must be verified separately. License expiration dates must now be tracked on a continuous basis under NCQA’s 2025 standards (see below).
DEA and Controlled Dangerous Substance (CDS) Registration For providers authorized to prescribe controlled substances, DEA registration must be verified directly with the DEA database, along with any state-level CDS registration where required.
Education and Training Medical school graduation must be verified directly with the institution. Residency and fellowship completion must be confirmed with the training program. The highest level of education and training claimed is the minimum verification requirement under NCQA standards.
Board Certification Certification status must be confirmed with the issuing specialty board, such as ABIM, ABFM, ABS, or ABP, not from a certificate copy in the provider’s file. Initial certification and maintenance of certification status are both verifiable elements.
Malpractice History A malpractice claims history covering up to the past five years (including residency and fellowship periods) must be obtained. NCQA permits the National Practitioner Data Bank (NPDB) as an acceptable source for this verification.
Medicare and Medicaid Sanctions and Exclusions Providers must be checked against the OIG List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM.gov), and state-level Medicaid exclusion databases. Under NCQA’s 2025 standards, these checks must be performed at least monthly, not only at initial credentialing and recredentialing cycles.
Work History Employment history covering a defined lookback period must be verified. Any unexplained gaps must be documented and reviewed by the credentialing committee.
National Practitioner Data Bank (NPDB) An NPDB query must be conducted at initial credentialing and at recredentialing. The NPDB captures malpractice payment reports, adverse licensure actions, clinical privileges actions, and exclusions from federal programs.
Clinical Privileges Any clinical privileges held at other facilities must be verified, including whether any privileges have been restricted, suspended, or voluntarily relinquished under investigation.
Professional Liability Insurance Current malpractice insurance coverage must be confirmed with the insuring carrier, including applicable policy limits and any claims history disclosed under the coverage.
NPI Number The provider’s National Provider Identifier (NPI) must be confirmed through the NPPES (National Plan and Provider Enumeration System) registry.
Additional elements commonly verified as part of a complete credential file include: continuing medical education (CME) compliance, immunization records per facility policy, background and criminal history checks, peer references, and professional association memberships.
NCQA's PSV Requirements: What Changed in 2025
1. Shortened Verification Windows
NCQA reduced the maximum timeframe within which all primary source verifications must be completed:
- NCQA Credentialing Accreditation: PSV for all required elements must be completed within 120 days of the credentialing committee decision (reduced from 180 days)
- NCQA Credentialing Certification (CVOs): PSV must be completed within 90 days (reduced from 120 days)
2. Monthly Monitoring Is Now Mandatory
NCQA’s prior standards required monitoring of sanctions and exclusions between credentialing cycles, but the frequency was not precisely defined. The 2025 standards close that gap: monthly monitoring is now a hard requirement for all credentialed providers.
Monthly checks must cover:
- Medicare and Medicaid exclusions (OIG LEIE)
- SAM.gov (System for Award Management) federal debarment records
- State medical board disciplinary actions and license status changes
- License expiration dates, which must now be tracked continuously, not just at recredentialing
This shifts PSV from a point-in-time activity at initial credentialing and recredentialing into an ongoing operational function. A provider whose license is suspended or who receives an OIG exclusion between credentialing cycles must be identified within 30 days, not at their next recredentialing date.
3. Full Audit Trails Required
NCQA now requires organizations to maintain complete documentation of who performed each verification, what source was queried, when the query occurred, and what the result was. Ad hoc or informal verification practices that lack timestamps and source documentation will not survive an NCQA survey.
4. Credentialing Committee Notification Window Shortened
The notification window for communicating credentialing and recredentialing decisions to practitioners has been shortened to 30 calendar days. Organizations need internal review and communication workflows that can support this timeline.
5. Demographic Data Collection (New Requirement)
Credentialing applications must now include fields for provider race, ethnicity, and languages spoken. Completion by the provider is voluntary, but organizations are required to offer the fields and include a non-discrimination statement. Demographic data must also be shared with peer-review committees.
The Consequences of PSV Failure
PSV failures are not theoretical compliance problems. They produce direct, documented harm to patients and organizations.
A frequently cited example from the credentialing literature involves a Wisconsin surgical case where a hospital failed to conduct proper primary source verification on a surgeon who had misrepresented board certification status and had undisclosed malpractice restrictions at prior facilities. None of this was identified during credentialing. The result was patient paralysis and subsequent litigation against the institution.
Beyond individual cases, the organizational consequences of inadequate PSV include:
Loss of accreditation. An NCQA or Joint Commission survey that uncovers systematic PSV failures, including incomplete verifications, missing source documentation, and lapsed monitoring, can result in accreditation denial or revocation.
CMS Conditions of Participation violations. Hospitals that fail to properly verify medical staff credentials risk losing CMS certification, which means losing Medicare and Medicaid reimbursement entirely. This is not a financial penalty; it is a reimbursement shutdown.
Claim denials and revenue exposure. Providers credentialed through incomplete PSV processes may later be flagged during payer audits, resulting in retroactive claim denials and demands for repayment. For a full breakdown of how credentialing gaps translate into revenue loss, see Credentialing Delays Cause Revenue Loss.
Legal liability. An organization that allowed an underqualified or fraudulently credentialed provider to deliver care, and that cannot demonstrate it performed adequate PSV, faces significant malpractice exposure.
OIG exclusion violations. Billing for services provided by an OIG-excluded provider, even unknowingly, triggers civil monetary penalty liability. Monthly exclusion monitoring under the 2025 NCQA standards is specifically designed to prevent this exposure.
How PSV Works in Practice
PSV is a multi-source, multi-step process. While the specific workflow varies by organization size, accreditation framework, and whether PSV is conducted in-house or delegated to a CVO, the standard sequence follows this structure:
- Collect the provider’s credential information through application, CAQH ProView profile, or both. For guidance on setting up and maintaining a CAQH profile correctly, see our CAQH Credentialing Guide.
- Identify the primary source for each required element: state board for licensure, specialty board for certification, NPDB for malpractice history, and so on.
- Contact each primary source directly through secure online databases, official written requests, or direct confirmation from the issuing authority.
- Document each verification, recording the source, method, date, result, and the staff member who performed the verification. Under 2025 NCQA standards, this documentation must constitute a complete, timestamped audit trail.
- Identify and resolve discrepancies. Any mismatch between what the provider reported and what the primary source confirms must be flagged, investigated, and brought to the credentialing committee’s attention before an approval decision is made.
- Submit to credentialing committee. The completed, verified credential file forms the basis for the committee’s credentialing decision.
- Initiate ongoing monitoring. Following the initial credentialing decision, continuous monitoring of sanctions, exclusions, and license status must begin and run on the monthly cadence required by NCQA 2025 standards.
The Role of CVOs in PSV
A Credentialing Verification Organization (CVO) is a third-party entity that performs PSV on behalf of healthcare organizations. CVOs have established relationships with primary sources, including state licensing boards, specialty certification bodies, the NPDB, and exclusion databases, along with the systems infrastructure to manage high-volume verification at speed.
Under NCQA’s framework, CVOs can hold their own Credentialing Certification, which is distinct from Credentialing Accreditation. The difference matters operationally:
- NCQA Credentialing Accreditation is for organizations that manage the full credentialing lifecycle, including committee oversight and final credentialing decisions.
- NCQA Credentialing Certification is for CVOs that perform verification functions (PSV) but delegate final credentialing authority back to the contracting organization.
An NCQA-certified CVO can perform PSV on behalf of a health plan or hospital, and if the CVO holds NCQA Certification, the contracting organization may be able to forgo the file audit it would otherwise be required to conduct on a delegate’s credentialing files. This is a significant operational benefit for organizations managing delegated credentialing relationships.
Advantages of Outsourcing PSV to a CVO
Speed. CVOs have automated integrations with state licensing boards, NPDB, specialty boards, OIG, and SAM.gov. Verifications that require days of manual outreach in-house are completed in hours through a well-resourced CVO infrastructure.
Compliance accuracy. NCQA’s 2025 shortened verification windows (120/90 days) and monthly monitoring requirements are structurally difficult for understaffed in-house teams to maintain. CVOs are built for this volume and cadence.
Audit readiness. CVOs maintain the timestamped, source-documented verification records that NCQA’s new audit trail requirements demand. An in-house team rebuilding documentation after the fact will not satisfy a surveyor.
Discrepancy handling. CVOs encounter edge cases, including name discrepancies, multi-state licensure, credential gaps, and provider non-responsiveness, regularly enough to have documented resolution protocols. In-house teams encountering these situations for the first time introduce delay and inconsistency.
Scalability. For organizations onboarding multiple providers simultaneously or managing large provider networks, in-house PSV creates inevitable bottlenecks. CVOs absorb volume without creating credentialing backlogs.
Automating PSV: The Technology Shift
NCQA’s 2025 standards were explicitly informed by the availability of modern credentialing technology. The rationale for shortening verification windows was that automated PSV tools can complete most standard verifications in hours, not weeks. Organizations that have not adopted automation are being held to timelines designed for organizations that have.
Automation affects PSV in three specific ways:
Faster primary source queries. Credentialing platforms with direct integrations to state licensing portals, the DEA database, ABMS, NPDB, OIG, and SAM.gov can execute most PSV queries automatically upon application submission, eliminating manual outreach queues.
Continuous monitoring without manual effort. The monthly monitoring requirement under NCQA 2025 standards would create an unsustainable administrative burden if conducted manually across a large provider network. Automated monitoring platforms run the required checks on a defined cadence and surface only the exceptions that require human review.
Audit-ready documentation by default. Every automated query generates a timestamped record of the source, method, date, and result. This is the audit trail NCQA now requires, produced automatically rather than reconstructed after the fact.
PSV and Recredentialing
PSV is not a one-time event. Most payers and accrediting bodies require recredentialing every two to three years (NCQA requires it at least every three years). At recredentialing, a new round of PSV must be conducted, verifying that licensure remains active, malpractice coverage is current, no new sanctions have been issued, and no changes in board certification status have occurred.
Under NCQA’s 2025 continuous monitoring requirement, monthly exclusion and sanction checks are now required throughout the entire credentialing cycle, not only at the initial credentialing and recredentialing touchpoints. This means a provider whose license is suspended in month 14 of a 36-month credentialing cycle must be identified within 30 days, not at recredentialing two years later.
Organizations that have historically treated the recredentialing cycle as the primary PSV checkpoint are no longer compliant with current standards.
Neolytix CVO Credentialing Services
Managing PSV at scale, across multiple providers, payers, accreditation frameworks, and now monthly monitoring cycles, requires a process infrastructure that most healthcare organizations were not designed to maintain in-house.
Neolytix’s NCQA-ready CVO Credentialing Services handle end-to-end primary source verification, including automated license and exclusion monitoring, NPDB queries, and audit-ready documentation and ongoing compliance tracking.
The goal is straightforward: providers that are fully verified, enrolled, and billing faster, with a documented PSV trail that satisfies NCQA, Joint Commission, and CMS requirements at every point in the credentialing lifecycle.
Frequently Asked Questions
What is the difference between primary source verification and secondary source verification?
PSV obtains credential confirmation directly from the issuing authority, such as the state board, the certifying body, or the DEA. Secondary source verification obtains data from a database or aggregator that collected it from a primary source. NCQA and CMS do not accept most secondary sources as substitutes for PSV unless formally designated as an equivalent source.
What does NCQA require for primary source verification in 2025?
NCQA’s 2025 standards require PSV to be completed within 120 days for accredited organizations and 90 days for certified CVOs. Monthly monitoring of exclusions, sanctions, and license expiration dates is now mandatory. Full audit trails documenting the source, date, method, and result of every verification are required.
Who is responsible for performing PSV?
The healthcare organization is responsible, either by conducting PSV directly or by delegating it to an NCQA-certified CVO. If a CVO is used, the organization must ensure the CVO holds appropriate NCQA certification or must audit the CVO’s credentialing files to verify compliance.
How often must PSV be repeated?
At initial credentialing, at recredentialing (at minimum every three years under NCQA standards), and through continuous monthly monitoring of exclusions, sanctions, and license status between recredentialing cycles.
What happens if PSV is not performed correctly?
Inadequate PSV can result in accreditation loss, CMS Conditions of Participation violations (and loss of Medicare/Medicaid reimbursement), retroactive claim denials, civil monetary penalties for billing services rendered by excluded providers, and legal liability if a credentialing failure contributes to patient harm.
Can CAQH be used for PSV?
CAQH ProView stores provider self-reported credential data and is widely used to streamline the application process. CAQH’s Primary Source Verification service is a separate product that conducts actual PSV against primary sources. CAQH ProView alone, without PSV verification, does not satisfy PSV requirements.
