CredNet

6 Red Flags in Your Credentialing Workflow That Could Be Trouble in a Compliance Audit

Auditors look for the same six credentialing compliance gaps again and again: inconsistent exclusion screening, incomplete provider files, undocumented recredentialing, unmanaged credential expirations, files stored without access controls, and credentialing decisions made with no committee oversight. This piece walks through each red flag and the dated documentation that keeps you audit-ready.

Danielle Jewhurst, Product Manager · 5 min read

Compliance cannot be treated as a credentialing afterthought. It's the entire point.

Every license you verify, every exclusion list you check, every enrollment you file exists because a compliance rule says it has to. And yet most organizations treat credentialing and compliance as separate functions. Neither one succeeds without the other.

I've spent years on the operational and compliance side of healthcare work and survived many an audit. The lesson that stuck: you work every day as if the audit is coming tomorrow, so that when it shows up, it's uneventful. The auditor's primary question is simple: Can you prove it happened, on the dates you say it did? A credentialing system that can't answer that has a compliance gap. Better you find it now, while you still have time to fix it, than have an auditor find it for you.

These gaps look remarkably alike from one organization to the next, so I'm outlining six that auditors look for and giving you time to act.

1. Inconsistent exclusion list screening

Exclusion screening is one of the clearest places where doing the work and proving the work was done are two different things. The exposure is real: if you bill Medicare, Medicaid, or any federal program, employing or paying someone on a federal exclusion list can bring civil monetary penalties (CMPs). The OIG List of Excluded Individuals and Entities (LEIE) refreshes every month. No statute sets how often you have to check it, but OIG points to monthly screening as the practice that best limits overpayment and CMP exposure (OIG Special Advisory Bulletin, 2013), and CMS requires state Medicaid agencies to run federal database checks at least monthly (42 CFR 455.436), an obligation many states pass down to the providers they enroll. Depending on your payer mix and state, SAM.gov and state-specific exclusion lists come into scope as well. So here's the question an auditor will put to you: for any given provider, can you produce a dated record, month by month, against every list you're required to check, showing each result and what you did about any hit? Screening at hire and never again, or on and off with no documentation, is the gap they find. And "Yeah, we do that" won't be accepted without the log to prove it.
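To make the "month by month, every list, every hit resolved" question concrete, here is an added example (not CredNet's code and not from the original post) that builds that record from a screening log and reports the gaps an auditor would flag. The log rows, provider IDs, list names, the set of required lists, and the review period are all constructed assumptions; swap in whatever your payers and state actually require.

```python
from collections import defaultdict
from datetime import date

# Constructed sample log, one row per screening run:
# (provider_id, list_name, date_checked, result, resolution_date or None).
# A real system would also store who ran it and a pointer to the evidence file.
SCREENING_LOG = [
    ("P001", "LEIE", date(2024, 1, 15), "clear", None),
    ("P001", "LEIE", date(2024, 2, 14), "clear", None),
    ("P001", "LEIE", date(2024, 3, 12), "hit",   date(2024, 3, 13)),  # hit, resolved next day
    ("P001", "LEIE", date(2024, 4, 10), "clear", None),
    ("P001", "SAM",  date(2024, 1, 15), "clear", None),
    ("P001", "SAM",  date(2024, 2, 14), "clear", None),
    ("P001", "SAM",  date(2024, 4, 10), "clear", None),                # no March SAM check
    ("P002", "LEIE", date(2024, 1, 20), "clear", None),                # screened at hire only
    ("P002", "SAM",  date(2024, 1, 20), "hit",   None),                # hit, nothing documented
]

# Assumptions: which lists are mandatory depends on payer mix and state,
# and the review period is whatever window the auditor names.
REQUIRED_LISTS = ("LEIE", "SAM")
REVIEW_START = date(2024, 1, 1)
REVIEW_END = date(2024, 4, 30)


def months_between(start: date, end: date) -> list[tuple[int, int]]:
    """Every (year, month) from start's month through end's month, inclusive."""
    out = []
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        out.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out


def monthly_record(log, provider: str, required_lists, start: date, end: date):
    """The month-by-month record itself: {(year, month): {list: [runs]}}.
    An empty run list for a month is exactly the gap an auditor asks about."""
    runs = defaultdict(lambda: defaultdict(list))
    for prov, lst, checked, result, resolved in log:
        if prov == provider and lst in required_lists and start <= checked <= end:
            runs[(checked.year, checked.month)][lst].append((checked, result, resolved))
    return {
        ym: {lst: runs[ym][lst] for lst in required_lists}
        for ym in months_between(start, end)
    }


def screening_findings(log, providers, required_lists, start: date, end: date):
    """{provider: [finding, ...]}: missing months and unresolved hits, ordered by
    list then month so the output reads like an audit workpaper."""
    findings = {}
    for prov in providers:
        record = monthly_record(log, prov, required_lists, start, end)
        out = []
        for lst in required_lists:
            for (y, m), by_list in record.items():
                if not by_list[lst]:
                    out.append(f"{lst} {y}-{m:02d}: no screening on record")
                    continue
                for checked, result, resolved in by_list[lst]:
                    if result == "hit" and resolved is None:
                        out.append(f"{lst} {checked.isoformat()}: hit with no documented resolution")
        findings[prov] = out
    return findings


if __name__ == "__main__":
    report = screening_findings(SCREENING_LOG, ["P001", "P002"], REQUIRED_LISTS, REVIEW_START, REVIEW_END)
    for prov, items in report.items():
        print(prov, "clean" if not items else "")
        for item in items:
            print("  -", item)
```

Run this against the constructed log and P001 shows a single finding (no SAM check in March), while P002, screened once at hire, produces a missing-month finding for every later month on both lists plus an unresolved SAM hit. The point of `monthly_record` returning empty lists rather than silently skipping months is that absence of evidence has to be visible in the output; a report that only lists what was done can never show what was missed.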

2. Missing or incomplete provider files

Every credentialed provider should have a complete file that includes verified copies of their license, board certification, education, training, malpractice history, work history, and exclusion screening results. Incomplete files are a compliance deficiency that can trigger corrective action requirements from payers and accreditation bodies. If an auditor pulls a file and finds missing documents, expired credentials that weren't flagged, or verification records without dates, that one bad file puts the integrity of the entire system in question. An auditor doesn't want a promise that the documents exist somewhere, or assurances that proper checks are being run. They want the proof in the file in front of them, complete, with dates.

3. Recredentialing with no documented process

Initial credentialing is the start, not the finish. Major accreditation standards require systematic recredentialing on defined cycles. NCQA requires recredentialing every 36 months, and in 2022, with CMS approval, The Joint Commission moved its medical staff reappointment standard to every three years for most hospital settings, aligning with NCQA. Some states impose shorter cycles, and certain CMS Conditions of Participation, like those for surgical privileges, can apply separately. It's critical you identify the cycle that applies to your organization and follow it for every provider. An auditor will be checking that documented timelines, completed verifications, and committee reviews are on file, and that each one matches the correct cycle. Recredentialing isn't one-size-fits-all, and keeping it straight from memory instead of a documented system is bound to leave cracks. You can be sure an auditor will find whatever fell through them.

4. Expired credentials with no evidence of follow-up

Things expire. That's expected. What matters is whether you catch them in advance and whether you can show what you did when one slips through. A provider seeing patients on a lapsed license, or a malpractice policy that sat expired for three months before anyone noticed, is a patient-safety and liability problem, and an auditor will treat it as one. What protects you is documented tracking with evidence of timely notification and resolution. Automated alerts with an audit trail are the most reliable way to get there, but the bar is documentation, not a specific tool.
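The same "show me the dates" standard applies to expirations. As an added example (not the post's own code and not CredNet's), the function below judges each credential purely on dated evidence: was it renewed before expiry, did it lapse and for how long, did the notification come before or after the lapse, and is a renewal overdue with nothing logged. The credentials, events, 90-day lead time, and the "as of" date are constructed assumptions.

```python
from datetime import date

# Constructed roster: (provider_id, credential, expires_on).
CREDENTIALS = [
    ("P001", "state_license", date(2024, 6, 30)),
    ("P001", "malpractice",   date(2024, 3, 31)),
    ("P002", "dea",           date(2024, 5, 15)),
    ("P003", "state_license", date(2024, 9, 15)),
    ("P004", "dea",           date(2024, 8, 31)),
]

# Constructed follow-up evidence: (provider_id, credential, event, event_date).
# "notified" = the provider or office was told; "renewed" = new document verified.
EVENTS = [
    ("P001", "state_license", "notified", date(2024, 4, 1)),
    ("P001", "state_license", "renewed",  date(2024, 6, 10)),
    ("P001", "malpractice",   "notified", date(2024, 4, 20)),   # noticed after the lapse
    ("P001", "malpractice",   "renewed",  date(2024, 4, 25)),
    ("P004", "dea",           "notified", date(2024, 6, 15)),
    # P002 dea: no events at all. P003 state_license: inside the alert window, nothing logged.
]

LEAD_DAYS = 90            # assumption: how far ahead the alert should fire
AS_OF = date(2024, 7, 1)  # assumption: the "today" used in this walk-through


def classify(cred, events, as_of=AS_OF, lead_days=LEAD_DAYS):
    """Return (status, detail) for one credential, judged on dated evidence only.
    If an event type was logged more than once, the last row wins."""
    prov, name, expires = cred
    ev = {e: d for p, c, e, d in events if (p, c) == (prov, name)}
    notified, renewed = ev.get("notified"), ev.get("renewed")
    if renewed is not None:
        if renewed <= expires:
            return "renewed_before_expiry", f"renewed {renewed}, notified {notified}"
        lapse = (renewed - expires).days
        late = notified is None or notified > expires
        return "lapsed_then_resolved", (
            f"lapsed {lapse} days; " + ("notice came after expiry" if late else "notice predates expiry")
        )
    if as_of > expires:
        return "lapsed_unresolved", f"expired {(as_of - expires).days} days ago, no renewal on file"
    days_left = (expires - as_of).days
    if days_left > lead_days:
        return "not_yet_due", f"{days_left} days to expiry"
    if notified is None:
        return "alert_overdue", f"{days_left} days to expiry, no notification logged"
    return "alert_sent", f"{days_left} days to expiry, notified {notified}"


def expiry_report(credentials=CREDENTIALS, events=EVENTS, as_of=AS_OF, lead_days=LEAD_DAYS):
    """{(provider, credential): (status, detail)} for the whole roster."""
    return {(p, c): classify((p, c, x), events, as_of, lead_days) for p, c, x in credentials}


if __name__ == "__main__":
    for (prov, cred), (status, detail) in expiry_report().items():
        print(f"{prov} {cred:14} {status:22} {detail}")
```

Two of the constructed cases are the ones that hurt in an audit: P001's malpractice policy lapsed for 25 days before anyone noticed (the notification itself is dated after expiry), and P002's DEA registration has been expired for weeks with no event logged at all. Note that "alert_overdue" is a finding against the tracking process, not the provider: the credential is still valid, but there is no evidence that anyone is working the renewal.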

5. Credentialing data stored without access controls

Credentialing files are full of sensitive data: Social Security numbers, DEA registrations, dates of birth, malpractice history, and more. Storing this in spreadsheets, shared drives, or email inboxes with no role-based access, no encryption, and no audit logging is a data breach waiting to happen. If patient information lands in those files, say a malpractice file or peer-review notes that identify specific patients, now you've got HIPAA in the mix too. Auditors evaluate both the contents of a credentialing file and how it is stored and accessed. Role-based access, encryption at rest and in transit, and audit logs that record who viewed or changed what, together with the documentation showing they are in place, protect you day to day and when an auditor comes knocking. One caveat: the audit log only proves something if the people it records cannot quietly edit it, so it needs the same protection as the files it covers.
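What "role-based access with an audit log of who touched what" looks like when the store enforces it rather than the user, as an added example that is not CredNet's code and not from the original post. The roles, field lists, provider data and actor names are constructed assumptions. Denied requests are logged as well as granted ones, and each log entry carries a SHA-256 hash of itself plus the previous entry's hash, so editing or deleting an entry breaks the chain. Encryption at rest is left to the storage layer and is not shown.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumption: which fields each role may see. Real deployments derive this from a
# written policy; the point is that the store enforces it, not the person asking.
ROLE_FIELDS = {
    "credentialing_specialist": {"npi", "license_no", "ssn", "dob", "dea_no", "malpractice_history"},
    "committee_member":         {"npi", "license_no", "malpractice_history"},
    "billing":                  {"npi"},
}
WRITER_ROLES = {"credentialing_specialist"}
GENESIS = "0" * 64  # prev-hash of the first log entry


class CredentialStore:
    """In-memory provider files with field-level RBAC and a hash-chained audit log."""

    def __init__(self):
        self._files: dict[str, dict] = {}
        self.audit_log: list[dict] = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, actor, role, action, provider, fields, allowed):
        """Append one entry; every request is logged whether or not it was allowed."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "provider": provider, "fields": sorted(fields),
            "allowed": allowed, "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.audit_log.append(entry)
        self._prev_hash = entry["hash"]

    def write(self, actor, role, provider, data):
        allowed = role in WRITER_ROLES
        self._record(actor, role, "write", provider, data.keys(), allowed)
        if not allowed:
            raise PermissionError(f"{role} may not write provider files")
        self._files.setdefault(provider, {}).update(data)

    def read(self, actor, role, provider, fields):
        """All-or-nothing: one field outside the role's set fails the whole request,
        so a caller never gets a silently trimmed answer."""
        requested = set(fields)
        permitted = ROLE_FIELDS.get(role, set())
        allowed = requested <= permitted
        self._record(actor, role, "read", provider, requested, allowed)
        if not allowed:
            raise PermissionError(f"{role} may not read {sorted(requested - permitted)}")
        file = self._files[provider]
        return {f: file[f] for f in requested}

    def verify_log(self):
        """Recompute the chain; False means an entry was altered, removed or reordered."""
        prev = GENESIS
        for entry in self.audit_log:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Scripted sequence on constructed data: one write, one allowed read, one denied read."""
    store = CredentialStore()
    store.write("dana", "credentialing_specialist", "P001",
                {"npi": "1234567890", "ssn": "000-00-0000", "license_no": "MD-0001",
                 "malpractice_history": "none reported"})
    store.read("ravi", "billing", "P001", ["npi"])                # allowed
    try:
        store.read("ravi", "billing", "P001", ["npi", "ssn"])     # denied, still logged
    except PermissionError:
        pass
    return store


if __name__ == "__main__":
    s = demo()
    for e in s.audit_log:
        print(e["ts"], e["actor"], e["role"], e["action"], e["fields"], "allowed" if e["allowed"] else "DENIED")
    print("chain intact:", s.verify_log())
```

A hash chain on its own only detects tampering by someone who cannot rewrite the whole log; an administrator with write access to the log file can recompute every hash. In practice you anchor the latest hash somewhere that person cannot reach (write-once storage, a periodic signed checkpoint, or a separate log service), which turns "the chain verifies" into "the chain verifies against a value recorded on a known date", the form of proof an auditor can actually use.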

6. Credentialing decisions with no committee oversight

Many accreditation standards require that credentialing decisions be reviewed by a medical staff committee or peer review body. If your organization approves credentials without documented committee review, or if the review process exists on paper but has no meeting minutes, attendance records, or decision documentation, auditors will note the gap. Even the smallest organizations need to have a documented process for who reviews and approves credentialing decisions. Auditors are looking for proof of what was reviewed, who reviewed it, and how that review led to a decision. Your documentation has to defend every step.

Compliance requires the right tools

Spreadsheets and shared drives were never built to carry the weight of compliance. They can't enforce role-based access, they can't hold an audit trail, and they can't prove to an auditor that the work happened on the dates you say it did. This is why you need credentialing software with built-in audit trails, automated monitoring, role-based access, and systematic workflows that address every one of these red flags. CredNet logs every action, gives every document a chain of custody, and makes every status change traceable. The AI layer, CredAssist, is built to require human sign-off at every step that matters, because the people doing this work should stay in the decisions, not get automated out of them.

Run these six as your pre-audit checklist. If you came up empty-handed for any of them, I'd love to help you find a solution. Reach out to us at credentialnetwork.com.

References

[1] OIG, Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs (May 8, 2013).

[2] OIG, List of Excluded Individuals and Entities (LEIE) database.

[3] NCQA, Credentialing Standards.

[4] The Joint Commission, Medical Staff Credentialing FAQ.

[5] HHS, HIPAA Security Rule.

[6] CMS, 42 CFR 455.436, Federal Database Checks.

[7] NAMSS, CMS Approval of Three-Year Reappointment (November 2, 2022).