integrity Mar 08, 2023

By looking on the NCQA Report Card website for health plans and other healthcare organizations and at the number of organizations on corrective action plans (CAPs) for system controls, you can appreciate the challenges, especially if it’s your first time tackling these standards.  As the NCQA standards on system controls evolve, organizations and delegated entities must stay attuned to corrections, clarifications, and policy changes.

System controls apply to all systems for credentialing (CR), recredentialing, utilization management (UM) denials, and appeals for the organization and its delegates. All organizations that perform the function or are delegated must adhere to system control requirements, including health plans, managed behavioral health organizations (MBHO), credentials verification organizations (CVOs), organizations certified or accredited for credentialing (CR), and organizations performing utilization management (UM).

NCQA standards on system controls are not to be taken lightly, so if you need assistance with interpreting the standards, drafting documented processes, monitoring your systems, deciding on actions to take, creating reports, or reviewing your delegation agreements, be sure to contact MHR, as we have worked with many organizations in preparing them for their survey.

Included here are some key takeaways. Refer to the NCQA standards for UM and CR for complete descriptions and requirements.


  1. NCQA standards on system controls apply to all organizations that perform credentialing, recredentialing, UM denials, and UM appeals for medical necessity and benefits.
    • Included are delegated entities.
    • Not within scope are external entities that are not delegates and entities that provide only cloud-based storage functions.
  2. System controls apply to all product lines.
  3. System controls impact all surveys, including Interim Surveys, First Surveys, and Renewal Surveys for CR, and Initial Surveys and Renewal Surveys for UM.
  4. Documented processes must be explicit for unique CR and UM systems (denials and appeals). For example:
  • If your organization has two systems for UM, one for denials and one for appeals, then documented processes that address each area are needed.
  • If your organization stores credentialing data or documents on multiple systems, including network drives, your documented process must account for how that information is secured.
  1. Documented processes must be in sufficient detail that describe all factors and all bullet points included within NCQA’s explanations for each standard.
  2. Documented processes must explain the many persons and departments responsible for performing each CR and UM function that could impact system controls, including titles and roles. For example:
    • a CR specialist may modify a date when information on primary source verification was received
    • a supervisor must approve all modifications to CR information already entered
    • only the nurse manager may approve changes to dates for notifying providers about a denial
    • a quality specialist may assess and report system control modifications that do not meet policy
    • a VP must approve all system controls modifications
    • an IT manager may implement a system controls change
  3. Modifications to CR and UM data are the crux of system controls. They include changes to the original information recorded in the CR or UM systems as applicable to organizations and delegated entities.
    • Modifications include:
  • Correcting typos or mistakes
  • Deleting entered information
  • Changing:

-Receipt or notification dates

-Dates in open or closed cases

-Practitioner’s information

  • Creating a new record in place of an existing record
    • Documented processes must be specific to modifications for CR and UM systems and describe the type of information that may be modified, under what circumstances, by whom, how it is done, and when it is allowable.
    • Documentation on modifications within the CR and UM systems must list the date of approval to modify, the person approving, the date the modification was done, and the person making the change or deletion.
    • If no staff is authorized to modify dates, then state this in your policy.



  1. Annual monitoring for compliance applies to ALL factors and bullet points for each CR and UM system, including for delegates.
    • A description of the system control capabilities, alerts, and flags is required, tested, and recorded annually.
  2. Annual monitoring for compliance is required for all systems for credentialing and recredentialing and denials and appeals for medical necessity to identify files that did not meet the organization’s requirements for modifications.
    • Monitoring is required for First Surveys and Renewal Surveys.
    • Auditing may be done as a method of monitoring. See NCQA's guidelines on auditing UM and CR systems and when sampling is allowed. 
    • Results of monitoring for compliance must be evident in analysis reports.
    • The organization documents how it monitors files, including its timeframe (monthly, quarterly, semi-annual) and sampling methodology.
    • All files not meeting requirements are identified and reviewed to determine what actions must be taken.
    • The requirement for annual monitoring can be met by providing advanced system control capabilities that both:
      • automatically record dates and
      • prevent changes for potential occurrences that do not meet the organization’s policies for modifications (both capabilities are needed)
  1. Delegation Agreements must include a description of the shared responsibility of monitoring for compliance.
  2. Analyze your findings. Quantitative and qualitative analyses are required for each system according to NCQA’s requirements for Analysis.
    • Report on methodology, total universe of files (denominator), and instances of non-compliance according to your policy on modifications (numerator). Derive your percentage of non-compliance.
    • Conduct a qualitative analysis of all modifications that did not meet the organization’s policies and procedures.
    • Determine your barriers. Some questions to consider may include:
  • Are your policies and procedures explicit for each system?
  • Are staff levels appropriate for certain modifications?
  • Is an approval process in place for modifications?
  • Have alerts and flags been tested?
  • Is delegated oversight sufficient for system controls?
  1. Act on all non-compliant modifications or “deficiencies.” Include all adverse findings from your monitoring activities, not just the file review.
  • Develop an Action Plan and document actions taken/to be taken for each barrier, by whom, by what date, if one action will meet more than one adverse finding, and resources needed. For example:
    • Adding one system alert may notify staff that a modification is outside a date frame for all primary source verification information.
    • Training on system controls will increase knowledge about documentation needed when making a change.
    • Changing a policy to allow modifications for typos will reduce non-compliance.
  1. Implement, report, and monitor.
    • Implement according to your Action Plan.
    • Monitor at least quarterly to assess the effectiveness.
    • Continue monitoring until improvement is demonstrated for at least ONE finding over THREE consecutive quarters or a look-back period for each system.
    • If no improvement is demonstrated, submit all quarterly monitoring reports to show ongoing and a renewed Action Plan.



Organizations and delegates are jointly responsible for system controls as specified in a Delegation Agreement.  Non-compliance by entities like CVOs and organizations to which CR and UM are delegated can hinder health plans, MBHOs, or other organizations that depend on automatic credit for these standards. See the requisite standards for CR and UM. 


Complying with NCQA standards on system controls for CR and UM mandates detailed policies and procedures for each system, close performance monitoring for non-compliance to policy, analysis, performance improvement, and collaboration with and oversight of delegated entities. Monitoring of compliance to documented processes is now a MUST-PASS requirement and can lead to a CAP if not in sufficient detail. 

 Call to Action:

  • Contact MHR for Training. We are your experts in training on:
    • System Controls
    • Analysis
    • Delegation
    • Credentialing
    • Utilization Management
    • Appeals and Denials
  • Ensure your documented processes and delegation agreements are compliant with any corrections, clarifications, or policy changes.
  • Check if your action plan is sustaining improvement on at least one finding.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.