Ready to get paid on time, every time?
If you plan to treat Medicare or Medicaid patients, you must clear every CMS credentialing requirement first. Skip a step and you risk landing on the dreaded “red list,” which means zero reimbursement. Relax, though: credentialing is not rocket science. Think of it as brewing your morning coffee—simple, but you still need the right steps.
In this guide, you will learn about:
- Provider enrollment basics (PECOS, CMS-855I, CMS-855B)
- Medicare and Medicaid credentialing checklists
- Telemedicine credentialing rules for virtual visits
- Delegated credentialing and how large groups speed things up
As a medical billing specialist, I have helped thousands of clinics move from pending to paid status without a single denial. You can do the same. Follow along and see how to:
- Build a spotless CAQH profile
- Avoid common credentialing denials
- Keep your NPI linked to the correct taxonomy code
- Meet every re-credentialing deadline
Have questions like “How do I join Medicare as a new provider?” or “What is the fastest way to update PECOS?” They are answered here. By the end, you will know exactly what CMS expects, which forms to file, and how to stay on the green list so your healthcare claims get paid in full and on time.
CMS Credentialing Requirements for Healthcare Providers in the USA
CMS (Centers for Medicare & Medicaid Services) credentialing requirements refer to the processes and standards that healthcare providers must meet in order to be approved for participation in Medicare and Medicaid programs.
Some of the basic requirements are:
| Requirements | Description |
| Medicare Enrollment | Providers must enroll in Medicare using the appropriate CMS-855 form. |
| Supporting Documentation | Includes state licensure, NPI, malpractice insurance, and other required documents. |
| State Licensure Verification | Providers must have a valid and unrestricted license in the state where care is provided. |
| National Provider Identifier (NPI) | Required for identification and billing under Medicare. |
| Malpractice Insurance | Must carry active malpractice insurance meeting hospital and CMS standards. |
| Criminal Background Check | Includes checks and screening against OIG Exclusion List and SAM database. |
| Medicare Participation Agreement | Providers must agree to comply with CMS inpatient care and billing regulations. |
| Revalidation | Recredentialing and revalidation with CMS are required every 5 years. |
| Ongoing Professional Practice Evaluation (OPPE) | Hospitals must continually monitor inpatient providers’ performance and outcomes. |
| Focused Professional Practice Evaluation (FPPE) | Required for new providers or those needing closer review of clinical competence. |
| HIPAA Compliance | Providers must follow HIPAA rules for patient privacy and electronic medical records. |
| Compliance with CMS Conditions of Participation (CoPs) | Hospitals and providers must meet all CMS inpatient standards, including patient rights, medical record accuracy, and care quality. |
1). Obtain Your National Provider Identifier (NPI)
The initial step in the CMS credentialing process is obtaining your NPI number. It is a 10-digit identifier utilized for all healthcare billing, including payment for Medicare and Medicaid. You will not be able to send in or get reimbursed for any claims if you do not have it.
Application for your NPI is possible through the National Plan and Provider Enumeration System (NPPES). The application involves basic information such as your name, practice address, tax ID, contact information, license, and credentials.
The majority of healthcare professionals register for the NPI first, since they will also require it during later PECOS registration and CMS enrollment.
Having an NPI is among the most usual prerequisites for any medical billing operation. It ensures that CMS and payers are able to track who is offering the services, particularly for specialties such as family medicine, behavioral health, or physical therapy.
2). Ensure Your License is Current and Validated
You will need a current and unrestricted license to practice in the state in which you will be treating patients. CMS will not accept an expired or restricted license, and they will check for this information when you are enrolling.
Depending on your provider type, you may also be asked to furnish proof of board certification or further training. For instance, some positions, such as cardiologists or nurse anesthetists, will require additional credentials.
The CMS also cross-checks the Office of Inspector General (OIG) List of Exclusions. In case you have participated in healthcare fraud, abuse, or other disqualifying conduct, you will be excluded from participation in Medicare. This is done to make sure that nothing but eligible health care providers are permitted to charge Medicare and Medicaid.
3). Fill out the CMS Enrollment Forms or Use PECOS
Once your licensure and NPI are verified, the following step is to formally enroll in Medicare. You may do this by filing the respective CMS-855 form or by enrolling online through PECOS, or Provider Enrollment, Chain, and Ownership System.
Every form has a particular function:
- Individual healthcare providers, such as physicians, therapists, and nurses, use CMS-855I.
- The CMS-855B is utilized for group practices and clinics.
- CMS-855A is for institutional providers, including hospitals and nursing facilities.
- CMS-855R is for reassigning Medicare benefits to an entity, such as a group or an organization.
PECOS is the most popular choice among providers as it enables quicker submission and immediate tracking of application status. Filing the incorrect form or omission of documentation will hold up your credentialing process by a great deal, hence you need to do this step with care.
4). Credentialing by a Medicare Administrative Contractor (MAC)
During CMS enrollment, every provider passes through a Medicare Administrative Contractor for review. A MAC is a private firm that manages Medicare enrollment, handles claims processing, and verifies provider credentials within its region.
A MAC checks your forms, confirms your license, and makes sure every supporting document is in place. If something is missing, you receive a request for more information instead of a flat denial. Processing times vary by region, so keep local timelines in mind.
When the MAC approves your file, CMS issues a Provider Transaction Access Number (PTAN). You will need this PTAN whenever you submit Medicare claims or update your record in PECOS.
Smooth MAC credentialing sets the stage for trouble-free billing with Medicare beneficiaries.
5). Medicare Participation Agreement
After credentialing, CMS asks you to sign a Medicare Participation Agreement. This short contract spells out what you agree to when you treat Medicare patients.
- You follow all CMS regulations, including coding rules, reimbursement limits, and fraud-prevention policies.
- You accept the Medicare fee schedule as full payment, except for allowed coinsurance or deductibles.
- You send clean claims on time and bill only for medically necessary services.
- You maintain quality-of-care standards, which CMS may audit through its quality reporting programs.
Once the agreement is on file, you can begin seeing Medicare patients and submitting electronic claims without delay.
6). Ongoing Compliance with Federal and State Rules
CMS approval is not the finish line. Providers must stay current with both federal regulations and state requirements to keep billing privileges active.
➜ Federal rules
- Medicare Conditions of Participation (CoPs) and Conditions for Coverage (CfCs)
- HIPAA privacy and security safeguards
- Policies in the Affordable Care Act that affect provider enrollment
- Current CMS billing and coding guidelines
These standards apply to physicians, therapists, hospitals, home health agencies, and every other Medicare-enrolled entity.
➜ State rules
- Professional licensure laws require an active, unrestricted license in each state where you practice.
- Scope-of-practice statutes limit which services your license allows you to perform.
- Each state Medicaid program has its own enrollment steps that build on federal guidance.
- Managed Care Organizations (MCOs) may add extra credentialing checks before they will contract with you.
- State privacy laws, such as California’s CCPA, can be stricter than HIPAA.
- If you deliver telehealth, you must follow every state’s telemedicine and cross-state licensure rules.
Meeting these federal and state obligations helps you avoid claim denials, overpayment recoupments, and potential exclusion from government programs.
7). Clear Background Check
CMS only accepts providers whose records are clean. During both initial credentialing and the three-year recredentialing cycle, CMS runs a background check that looks at professional qualifications, criminal history, and any past Medicare fraud or abuse. Failing this review can delay or deny enrollment, revoke billing privileges, and trigger legal or financial penalties.
What CMS reviews:
- Criminal convictions at the federal or state level
- Medicare and Medicaid exclusion lists
- License status plus any disciplinary actions
- Malpractice claims and settlements
- Education, training, and residency verification
8). Malpractice Insurance Requirements
Every provider must carry active malpractice (professional liability) insurance to protect patients and themselves against errors or negligence claims. CMS checks coverage at enrollment, at recredentialing, and during random audits.
- Most plans require at least one million dollars per claim and three million dollars aggregate each year, although limits can vary by state or specialty
- A current Certificate of Insurance (COI) must list the insured name, policy number, coverage dates, limits, and carrier
- Providers changing jobs or retiring may need tail coverage to insure prior acts
Without proof of adequate coverage, CMS can deny enrollment or terminate participation.
9). Meeting CMS Quality Standards
CMS expects all enrolled professionals and facilities to deliver safe, effective, and high-quality care. Compliance is also tied to value-based payment models.
Key quality checkpoints:
- Adhering to Medicare Conditions of Participation (CoPs) and Conditions for Coverage (CfCs)
- Reporting through MIPS if eligible
- Tracking and submitting Clinical Quality Measures (CQMs)
- Failure to meet these benchmarks can reduce reimbursement or trigger corrective action plans.
10). Provider-Specific Rules
CMS tailors requirements to the provider’s role.
- Pharmacists, physician assistants, and other non-physician practitioners may need proof of specialty certification or documented supervision
- Telemedicine professionals must hold a valid license in each state where patients are located and meet state-specific virtual-care rules
11). Additional Certifications CMS May Require
Depending on services offered, you might need extra credentials alongside standard Medicare enrollment.
| Certification | Purpose |
| CLIA | Permits laboratory testing on human specimens |
| DEA Registration | Authorizes prescribing or handling controlled substances |
| Board Certification | Often required by hospitals for specialized privileges |
| Accreditation for DMEPOS, ambulatory surgery, imaging | Confirms compliance with service-specific standards |
| State-specific permits | Radiology, Medicaid enrollment, or telehealth approval |
| HIPAA or OSHA training records | Verifies staff education on privacy and workplace safety |
| Behavioral health program credentials | Needed for mental health or substance-use care |
12). Site Visits and Operational Standards
CMS may conduct on-site inspections during initial enrollment, revalidation, or whenever red flags arise. Inspectors confirm that:
- The office address on your application physically exists and matches signage
- Posted hours are accurate and staff are present
- Patient-care areas, record storage, and equipment meet health and safety rules
- Policies align with HIPAA, infection control standards, and local building codes
Passing the site visit proves that your practice is real, operational, and ready to serve Medicare and Medicaid beneficiaries.
CMS Telemedicine Credentialing Requirements
Telemedicine follows the same core CMS enrollment rules as in-person care, yet it adds a few extra layers that reflect the unique, screen-to-screen setting. Providers who plan to deliver virtual visits to Medicare or Medicaid patients must meet each standard below to secure reimbursement and avoid claim denials.
Here are the key CMS telemedicine credentialing requirements:
| Requirements | Description |
| Medicare Enrollment | Providers must be actively enrolled with Medicare |
| Credentialing by Proxy (Hospitals) | Allowed under CMS rules with formal agreements |
| Licensure | Must be licensed in the state where the patient is located |
| Written Telemedicine Policies | Required for facilities using telehealth |
| HIPAA Compliance | Platforms must meet privacy/security standards |
| Recredentialing | Required at least every 3 years |
| Ongoing Evaluation | Must include performance and quality monitoring |
Provider Enrollment
- Complete the correct CMS-855 application and choose the telemedicine service type when prompted.
- Submit your National Provider Identifier (NPI), proof of active license, malpractice coverage, and any state-specific forms.
- Keep your information current in PECOS so payers can verify your status before processing remote-care claims.
Licensure Across State Lines
- Hold an active license in the state where the patient sits during the visit, even if you live elsewhere.
- Many providers rely on the Interstate Medical Licensure Compact or similar nursing and psychology compacts to speed up multi-state approval.
- Track renewal dates carefully; an expired out-of-state license can halt payment for every virtual visit.
HIPAA-Compliant Technology
- Use a HIPAA-compliant telemedicine platform for video, chat, and file sharing.
- Encrypt data in transit and at rest, maintain audit logs, and restrict user access to the minimum necessary.
- Provide patients with the standard Notice of Privacy Practices that explains how their data is stored and shared.
State and Federal Telemedicine Rules
- Follow your state’s practice standards, prescribing limits, and modality restrictions for virtual care.
- Some states enforce payment parity laws that require commercial plans to cover telehealth at the same rate as face-to-face visits; CMS often mirrors these rules for Medicaid.
- Document each visit just as thoroughly as an in-office encounter, including location of patient and provider.
Patient Consent
- Obtain informed telehealth consent before the first virtual session of the patient.
- Explain how the service works, any technology risks, and steps taken to secure data.
- Keep a signed or electronically acknowledged consent form on file, as CMS may request it during audits.
Supervision and Delegation
- If nurse practitioners, physician assistants, or other clinicians deliver remote care, meet CMS and state supervision or collaboration requirements.
- Clearly outline who can provide which services, how oversight is documented, and how escalation to a supervising physician occurs.
CMS Delegated Credentialing Requirements
Sometimes a health plan or large provider group lets a separate entity handle day-to-day credentialing. This is known as delegated credentialing and it comes with its own set of CMS rules. Even when the work is handed off, the original organization is still responsible for meeting every CMS standard.
Here are the key CMS delegated credentialing requirements:
| Requirement | Description |
| Written Delegation Agreement | Specifies roles, standards, oversight, and revocation rights |
| Oversight and Auditing | Annual audits and ongoing monitoring by delegator |
| Compliance with Credentialing Standards | Must meet CMS, state, and possibly NCQA/URAC standards |
| Accountability | Delegator is fully responsible for compliance, even if tasks are delegated |
| Recredentialing | Required at least every 3 years |
| Documentation & Accessibility | All records must be available for CMS/state inspection |
Formal Delegation Agreement
A clear, written agreement must be in place before any work starts. The document should
- list every task the delegate will complete, such as primary-source verification or final credentialing decisions
- spell out performance targets and how results will be reported
- describe how the delegating organization will monitor, audit, and if needed, cancel the arrangement
- require the delegate to follow NCQA or an equivalent set of credentialing standards when the health plan is NCQA-accredited
Oversight and Accountability
The health plan—or other delegating group—keeps full responsibility for compliance. To show CMS that proper oversight exists, the plan must
- review and approve the delegate’s policies and procedures before work begins
- audit the delegate, usually once a year, to confirm rules are being followed
- maintain written records of every review, audit, and corrective action
- step in quickly if audits reveal non-compliance
Credentialing Standards to Maintain
The delegate has to apply all routine credentialing checks, including primary-source verification of
- active state license and any required specialty license
- DEA certificate if the provider prescribes controlled substances
- board certification when the specialty calls for it
- education, training, and recent work history
- current malpractice insurance with adequate limits
- sanctions, disciplinary actions, and the OIG exclusion list
These safeguards ensure every provider in the network is licensed, competent, and in good standing.
Revoking or Correcting Delegation
If audits show that credentialing standards are not met, the health plan must
- issue a corrective action plan with clear deadlines
- revoke the delegation if problems persist
- resume direct credentialing in-house or choose a new, compliant delegate
By keeping a close eye on every delegated activity, the health plan protects patients and stays aligned with all CMS credentialing regulations.
FAQs
What is CMS credentialing and why does it matter?
CMS credentialing is the process that confirms a provider’s identity, professional qualifications, and compliance record before allowing Medicare or Medicaid billing. Without it, claims will be rejected and you cannot treat covered patients.
Which core documents do I need to start a CMS application?
You will need an active state license, National Provider Identifier (NPI), malpractice insurance certificate, work history, education and training records, and a completed CMS-855 application (or the PECOS online equivalent).
How long does initial credentialing for CMS usually take?
Most clean applications pass through a Medicare Administrative Contractor in thirty to ninety days. Missing paperwork, pending license renewals, or background issues can extend the timeline.
How often must I complete CMS recredentialing or revalidation?
CMS requires recredentialing every three years for all enrolled providers. A separate revalidation notice can arrive sooner if you move, change ownership, or trigger other risk factors.
What is the difference between a CMS-855 paper form and PECOS?
CMS-855 is the paper enrollment packet. PECOS is the secure online portal that lets you fill out the same information electronically, upload documents, and track your application status. Use one method per enrollment cycle.
Can my practice delegate CMS credentialing to a Credentialing Verification Organization (CVO)?
Yes. A formal delegation agreement must spell out the CVO’s duties, performance standards, audit schedule, and termination clauses. Even with delegation, your organization remains accountable for meeting every CMS rule.
Does CMS perform site visits and why?
Yes. CMS or its contractor can conduct a site visit during initial enrollment, revalidation, or when they detect billing anomalies. Inspectors verify that the listed address exists, hours are posted, staff are present, and records are secure.
Do I need a separate state license for each location where patients are treated, including telehealth?
Yes. You must hold an active license in every state where the patient is located at the time of service. This applies to both in-person care and telemedicine appointments.
