CVO vs. Delegated Credentialing: What Health Plans Get Wrong
The two terms get used interchangeably in network operations meetings every week. They describe fundamentally different things — and the conflation is one of the most reliable sources of NCQA delegation findings, audit deficiencies, and avoidable regulatory exposure in health plan credentialing today. A health plan can use a CVO without delegating credentialing. A health plan can delegate credentialing to entities that are not CVOs. A health plan can delegate credentialing to a CVO, which is the configuration most teams have in mind when they use the terms loosely — but only that configuration triggers the full weight of NCQA delegation oversight requirements.
This guide walks through what each term actually means, where health plans most often get it wrong, and what proper oversight looks like under the current NCQA framework, including the Credentialing Information Integrity changes that took effect July 2025.
What Is a CVO?
A Credentials Verification Organization performs primary source verification (PSV) on practitioner credentials. That means contacting the actual source — the state medical board for licensure, the medical school for education, the DEA for registration, the National Practitioner Data Bank for malpractice and sanctions, the relevant specialty board for certification — and documenting what was verified, when, and from where. A CVO is a service function, not a decision-making body. It does not operate a credentialing committee, does not make approval or denial decisions, and does not set the network participation criteria. It produces the verified file and hands it to the entity that does.
NCQA offers a specific designation for CVOs: Credentialing Certification, sometimes called CVO Certification. This designation covers primary source verification services without committee review. It is the appropriate NCQA credential for an organization whose scope is verification, not credentialing decisions. A health plan can contract with a certified CVO for PSV work while keeping the credentialing committee, decision-making authority, and network participation criteria entirely in-house. That arrangement is a vendor relationship, not delegation in the regulatory sense.
What Is Delegated Credentialing?
Delegated credentialing is a contractual arrangement in which a health plan authorizes another organization — a provider group, IPA, MSO, health system, or CVO — to perform credentialing activities on the plan's behalf. The key word is authorizes. The delegate is operating with the plan's regulatory authority, performing functions the plan would otherwise perform itself. NCQA recognizes a broader designation for organizations that perform full-scope credentialing, including committee review and decision-making: Credentialing Accreditation. This is the appropriate NCQA credential for an organization whose scope includes the full credentialing function, not just verification.
Delegation does not transfer accountability. The plan remains responsible to NCQA, CMS, state regulators, and members for the quality and timeliness of credentialing decisions. What delegation transfers is operational responsibility — and the plan owes the regulators a documented oversight structure proving it knows what the delegate is doing.
What Health Plans Get Wrong
Treating the two as interchangeable
The most common error is treating "we use a CVO" and "we delegate credentialing" as the same statement. They are not. A plan that contracts with a CVO for primary source verification but retains its credentialing committee, decision authority, and file review process is not in a delegation arrangement and does not owe the full delegation oversight workload. A plan that delegates the credentialing function — verification, file completeness, committee review, recredentialing cycles — to an external entity owes pre-delegation evaluation, annual audits, semiannual report review, performance monitoring, corrective action processes, and a delegation agreement that meets NCQA's full specification. Confusing the two leads either to over-investment in oversight infrastructure that isn't required, or under-investment that surfaces as findings at the next NCQA survey.
Treating delegation as a handoff that ends oversight
Delegation is regulated transfer, not abandonment. NCQA requires a pre-delegation evaluation before the arrangement begins, annual audits of the delegate's credentialing function (typically including a file sample of 5 to 30 files depending on the scope and population), semiannual evaluation of reports from the delegate, and ongoing performance monitoring against agreed standards. If issues are identified, the plan must implement and track corrective action. A health plan whose oversight artifacts amount to a signed agreement and a once-a-year courtesy call is not in compliance regardless of how technically competent the delegate is.
A delegation agreement that doesn't cover the right specifications
NCQA's delegation standards specify what the agreement must contain. At minimum: the specific functions being delegated, the standards the delegate must meet, performance expectations and reporting requirements (with frequencies), audit rights, the plan's right to require corrective action, termination rights, and — under the 2025 standards — explicit provisions on Credentialing Information Integrity, covering how the delegate maintains and safeguards credentialing data against inappropriate documentation and updates. The agreement must also specify which entity is responsible for oversight if the delegate uses a subdelegate (for example, a delegated medical group that further delegates verification to a CVO). Plans that built their delegation agreement template before the 2025 standards and never updated it are carrying a quiet liability.
Assuming a CVO contract is exempt from delegation oversight if the CVO is NCQA-Certified
NCQA Certification of a CVO does provide certain benefits when that CVO is functioning as a delegate. Effective for 2025 standards and later, plans receive automatic credit for specific delegation oversight factors — including the semiannual reporting evaluation and certain delegation agreement requirements — when the delegate is NCQA-Accredited or NCQA-Certified. But automatic credit on a factor is not the same as exemption from the broader oversight structure. The plan still needs a delegation agreement, a pre-delegation evaluation, and the foundational oversight infrastructure. The benefit is reduced redundancy, not elimination of duty.
Missing the information integrity requirements introduced in 2025
The 2025 NCQA standards (effective July 2025) added explicit Credentialing Information Integrity requirements — defining inappropriate documentation and updates to credentialing information, requiring full audit trails (who made which change, when, and why), mandating annual staff training, and requiring annual audits with corrective action re-audits. These requirements flow through to delegates. A plan that delegates credentialing without verifying that its delegate can produce the required audit trail and information integrity controls is going to discover the gap during the next survey, not before.
Forgetting that decision authority has limits
Under NCQA Credentialing Accreditation eligibility rules, organizations cannot delegate more than 50 percent of credentialing decision-making and remain eligible. A starting position of "delegate everything" runs into structural limits before it runs into operational ones. The plan's credentialing committee — or an equivalent governance body — must retain authority over the majority of decisions, even when verification and file preparation are fully delegated.
When to Use a CVO Without Delegation
A vendor CVO arrangement makes sense when the plan wants to outsource the labor-intensive verification work but keep credentialing decisions, criteria, and committee governance in-house. This is the right configuration for plans with a lean credentialing function that values control over the network decision process but doesn't have the staff to do PSV at volume. It's also often the right starting configuration for newer SNPs and regional plans whose volume doesn't justify standing up a full delegation oversight infrastructure. The arrangement is a service contract, not a delegation, and the oversight burden is correspondingly lighter — but the plan still needs to verify the CVO's PSV practices meet NCQA standards for primary source, timeliness, and documentation.
When Delegation Makes Sense
Delegation makes sense when a large provider group, IPA, or health system is bringing significant network volume and already operates a mature credentialing function — particularly one with NCQA Credentialing Accreditation. In that scenario, the delegation arrangement reduces duplication, accelerates onboarding for the delegate's providers, and (when the delegate is NCQA-Accredited) qualifies the plan for automatic credit on specific oversight factors. Delegation also makes sense when the plan has resourced the oversight function properly — committee infrastructure, audit capacity, reporting review, corrective action workflow. Without those resources, delegation creates risk faster than it creates efficiency.
The Non-Negotiables for Plans That Delegate
Any plan operating a delegated credentialing arrangement under current NCQA standards needs, at minimum: a documented pre-delegation evaluation (CR 9B/CR 3B), a delegation agreement that meets the full specification including Information Integrity provisions and subdelegation oversight assignment, an annual audit of the delegate's credentialing function (or formal acceptance and review of the delegate's own audit if the delegate is NCQA-Accredited/Certified), semiannual evaluation of delegate reports with documented committee review, ongoing performance monitoring against the standards in the agreement, and a corrective action process with follow-up effectiveness analysis when issues are identified. Recredentialing cycles run on a minimum 36-month basis under NCQA — practical operations target 34 to 35 months to maintain a compliance buffer — and the delegate is responsible for staying within those windows.
The Bottom Line
The CVO versus delegated credentialing distinction is not a vocabulary problem. It is a regulatory architecture problem. A plan that doesn't know which arrangement it is operating is, by definition, not operating either one well. The verification-only vendor arrangement and the full delegation arrangement carry different oversight workloads, different agreement requirements, different audit obligations, and different liability profiles. The plans that get this right have made an explicit decision about which configuration fits their network strategy, resourced the corresponding oversight infrastructure, and updated their delegation agreements and audit tools to reflect the 2025 Information Integrity changes. The plans that get it wrong are usually carrying both the cost of delegation and the risk of inadequate oversight at the same time.
If your plan is evaluating whether to stand up a CVO function, restructure an existing delegated credentialing arrangement, or update its delegation oversight infrastructure for the 2025 NCQA standards, OpsKR Consulting builds credentialing programs from the operational level up. We work with health plans, provider organizations, and emerging SNPs to design verification and delegation arrangements that match the plan's network strategy and survive NCQA scrutiny.
Contact us at (210) 740-1666 or opskr.llc@gmail.com to schedule a readiness assessment.
Sources: NCQA Credentialing Accreditation Standards and Guidelines; NCQA Credentialing Certification (CVO) Standards; NCQA FAQ Directory: Utilization Management, Credentialing and Provider Network (December 2025); NCQA, "The Strategic Value of Delegation for Health Plans and Delegated Entities" (February 2026); Managed Healthcare Resources, "Information Integrity for NCQA Credentialing" and "How to Prepare for Changes in Credentialing Delegation Agreements"; 2025 NCQA Retroactive Changes Memo.
