New Reporting for CVOs on NCQA System Controls

By Nancy Ross Bell, RN

Estimated time to read:  3 minutes

In a world where the hacking of healthcare systems is not rare, keeping systems and data safe is incredibly important for all organizations, including Credentialing Verification Organizations (CVOs).

With the recent release of NCQA’s 2024 Standards and Guidelines for Certification of Credentialing Verification Organizations, Effective July 1, 2024, we look closer at Credentialing System Controls in Standard CVO 3, Elements B and C.

97 Organizations are NCQA-Certified CVOs   

CVOs verify practitioners’ credentials and report findings to their clients, commonly health plans and managed behavioral health organizations.

As of this writing, 97 NCQA-Certified CVOs are certified in all or some of the 11 evaluation areas, including Application and Attestation Content, Application and Attestation Processing, DEA, Education and Training, Malpractice Claims History, Medical Board Sanctions, Medicare/Medicaid Sanctions, Ongoing Monitoring of Sanctions, Verification of Board Status, Verification of Licensure, and Work History.

What is New in 2024?

Already in place was CVO 3, Element B, requiring a documented process for Credentialing System Controls. What is new is CVO 3, Element C, for monitoring compliance with Element B, and reporting on findings for modifications in meeting organizations policies, analyzing results of those modifications with quantitative and qualitative (Q&Q) analysis, acting on all findings, and implementing quarterly reviews until improvement is found with at least one finding.

CVO 3, Element B is a MUST-PASS ELEMENT!

CVO 3, Element C is a NEW ELEMENT!

Take Note of These Important Points in Your Documented Process (CVO 3, B)

CVO 3, Element B requires that a documented process:

• be in place throughout the entire look-back period
• include an effective date before the beginning of your look-back period
• clearly describe how annual monitoring is done

Read the Scope of Review, Explanations, and Examples for all Factors in CVO 3, B!

NCQA has further clarified each factor and provided helpful examples. Factor 4 on security controls in place to prevent unauthorized access and factor 6 for annually monitoring credentialing processes are two whereby organizations struggle. If these factors are not met, the organization will be scored non-compliant during the survey process.

Identify-Analyze-Act on System Controls that Did Not Meet (CVO 3, C)

With a documented process in place, the new Element C requires you to monitor and report on the process you described in Element B, including:

• at least annually, identify modifications that did not meet your process
• at least annually, conduct a Q&Q analysis of data
• act on all findings with quarterly monitoring to assess effectiveness until improvement is found in at least one finding

When preparing your report for CVO 3, C:

• Describe in detail the methodology used for selecting files to detect instances when processes for modifications were not
• Address all findings discovered during the file review.
• Show a numerator, denominator, and percentage for results.

Be sure to read all requirements described in bullet points and sub-bullet points under each Explanation.

 
Keep These Tips in Mind

Based on our consultants’ survey and client experiences, System Controls for CVOs are a “high-risk” area for all organizations. Frankly, it is rare for CVOs to understand the breadth and depth of the requirements, and because of this, NCQA focuses a great deal of surveyor training on System Controls and Q&Q Analysis. Therefore, this is top of mind for the surveyors and why MHR, with its high concentration of NCQA surveyor consultants, is adept at identifying and navigating these high-risk areas and mitigating the risk. All the following areas are seen as issues with all of our clients.

• Documented processes must be present throughout the look-back period described in the Scope of Review for CVO 3, Element B.
• CVO 3, Element B is a MUST-PASS Element with lengthy details in the Scope of Review and Explanations. If all are not met, then the scoring is 0%, and your organization is placed on a Corrective Action Plan (CAP).
• Annual monitoring for system modifications that did not meet your documented process is required.
• A Q&Q analysis of data demonstrating your annual monitoring of system controls is required. This is å broader and deeper requirement than CVOs ever think!
• CVO 3, Element C requires that actions be taken on all findings where modifications did not meet established criteria and that monitoring on effectiveness be continued quarterly.
• Staff and departments responsible for non-compliant modifications must be identified and training provided to eliminate unauthorized modifications.

What Happens if You are Placed on a CAP?

If you score 0% for CVO, B, your organization is placed on a CAP, which is noted in the public NCQA Report Card and will state “Under Corrective Action.” As of this writing, 15 CVOs are under corrective action.

Not meeting your CAP requirements leads to a Denied status. There are currently eight CVOs that have been denied. With that designation, the organization must wait a year before reapplying for CVO certification.

Call to Action:    

• Have your staff been trained on System Controls and Q&Q Analysis?
• Are you on target to meet your annual monitoring?
• Do your reports meet all requirements for Q&Q analysis?
• Have you acted on findings that did not meet your policy?
• See MHR’s related blogs:
  • NCQA Systems Control Are Must Pass
  •  NCQA Systems Control Promote System Integrity
  •  NCQA Q&Q Analyses That Bring Results
• Read more about NCQA’s CVO Certification program
• Avoid a CAP and ask MHR for assistance:

Managedhealthcareresources.com or email Susan K. Moore 

 This blog was written with expert input from Jean Lockington, an Independent Consultant with MHR.