Medical credentialing is the process of verifying that a healthcare provider has the education, training, licensure, and professional history required to practice medicine and treat patients. Every hospital, health system, and insurance company runs this verification before allowing a provider to see patients or bill for services. The process typically takes 90 to 150 days, though it can stretch beyond 180 days depending on the complexity of a provider’s background.
If you’re a provider starting at a new facility, joining an insurance network, or simply trying to understand why the process takes so long, here’s how it works and why it matters.
What Gets Verified
Credentialing is not a rubber stamp. It requires confirming every major professional qualification a provider claims to hold, and that confirmation has to come from the original source. This is called primary source verification, and it’s the backbone of the entire process. The Joint Commission, which accredits most U.S. hospitals, is explicit on this point: simply presenting a copy of a medical license does not satisfy the requirement. The organization doing the credentialing must contact the issuing body directly or use an approved verification agent.
The core items verified during credentialing include:
- Medical licensure: Active, unrestricted license in the relevant state, confirmed directly with the licensing board.
- Education and training: Medical school graduation, residency completion, and any fellowship training, verified through the institutions themselves.
- Board certification: Whether the provider holds current certification in their specialty.
- Malpractice history: A query to the National Practitioner Data Bank, which collects information on malpractice payments and disciplinary actions nationwide.
- Work history: Gaps in employment are flagged and must be explained.
- Sanctions and disciplinary actions: Any state or federal sanctions, DEA registration issues, or exclusions from government programs.
Acceptable verification methods include direct correspondence with the source, documented phone verification, secure electronic verification, or reports from credentials verification organizations that meet accreditation standards. Every verification must be documented with the date it was conducted, who conducted it, what was verified, and the result.
Credentialing vs. Privileging
These two terms often get used interchangeably, but they’re distinct steps. Credentialing answers the question: does this provider meet our baseline requirements for staff membership? It looks at training, board certification, licensure, and malpractice history. Privileging comes next and answers a different question: what specific procedures and services is this provider authorized to perform at this facility?
A surgeon might be fully credentialed at a hospital but only privileged to perform certain types of operations based on their demonstrated competence and case volume. Privileging evaluates behavior, skills, and procedural scope in a way that credentialing alone does not. Both processes must be completed before a provider can practice independently at a facility.
Why It Takes So Long
In 2025, credentialing timelines vary widely, ranging from 60 days on the fast end to more than 180 days. The preliminary credentialing phase alone, which covers the initial application and verification, typically runs 90 to 150 days.
Several factors drive that timeline. Verification requests go out to multiple organizations (medical schools, licensing boards, training programs, malpractice insurers), and each responds on its own schedule. If a provider trained at multiple institutions, practiced in several states, or has gaps in their work history that need explanation, the process takes longer. Incomplete applications are one of the most common causes of delay. Many providers now use the CAQH ProView system, a centralized online portal where they can maintain their professional information and supporting documents in one place, which multiple insurance companies and health plans can access.
Who Sets the Standards
Two main organizations establish credentialing standards in the United States. The Joint Commission sets requirements for hospitals and health systems, mandating primary source verification of licensure, training, and current competence. The National Committee for Quality Assurance (NCQA) focuses on health plans and credentialing organizations, requiring them to maintain a peer-review process, a designated credentialing committee, ongoing monitoring of sanctions and complaints, and protections for credentialing information.
NCQA requires recredentialing every three years. Hospitals must query the National Practitioner Data Bank at least every two years when reviewing clinical privileges or medical staff membership. Between these formal cycles, organizations are expected to continuously monitor for new sanctions, complaints, and quality issues.
Insurance Credentialing
Credentialing with insurance companies, sometimes called “payer enrollment,” is a parallel process. Before you can bill an insurance company for patient visits, you need to be credentialed with that payer. Each insurance company runs its own verification, even though the underlying information is largely the same.
This is why a new provider joining a practice often cannot bill certain insurers for months after their start date. Any services provided before credentialing is complete may not be reimbursed. For practices, this creates a real financial gap. Planning ahead and submitting applications as early as possible (ideally before a provider’s start date) can shorten the period of lost revenue, though it rarely eliminates it entirely.
What Happens When Credentialing Fails
Negligent credentialing carries serious legal consequences. Courts have consistently held that hospitals owe a direct duty to patients to verify the qualifications of their medical staff. This liability exists independently of any malpractice by the provider. In one landmark Wisconsin case, a court ruled that it was irrelevant whether the physician was an independent contractor: the hospital was liable for its own failure to properly vet the doctor’s credentials, not for the doctor’s actions.
The Oklahoma Supreme Court imposed a duty of “ordinary care,” requiring hospitals to take reasonable steps to ensure patient safety when they are on notice, or should be on notice, that they have granted privileges to an incompetent provider. In one extreme Florida case, a man who had stolen a physician’s identity was credentialed and granted privileges at a Miami hospital, treating patients under false pretenses.
These cases established what’s known as corporate liability theory: hospitals are not just passively credentialing providers as a formality. They are making an active promise to patients that the people treating them have been properly vetted. When that process breaks down, the institution itself bears responsibility for the harm that follows.