Credentialing Specialist's NPI Checklist: Primary Source Verification Step by Step

Q: What is the difference between NPPES and PECOS in credentialing?

NPPES is where NPI numbers are issued and where basic provider information is stored for HIPAA transaction purposes. It is self-reported and CMS does not verify specialty or whether the provider actually works at the listed address. PECOS is the Medicare enrollment system where providers must actively enroll to bill Medicare. A provider can have an active NPI in NPPES while not being enrolled in PECOS, and PECOS performs additional verification including license checks and OIG exclusion screening at the time of enrollment. For Medicare-participating credentialing, both must be checked separately.

Q: What does a taxonomy mismatch between NPPES and PECOS mean for credentialing?

A taxonomy mismatch means the specialty code the provider listed in NPPES does not match the specialty code in their PECOS enrollment record. This can trigger credentialing holds because payers cross-reference both systems. It can also cause Medicare claim denials if the specialty code in PECOS does not authorize the type of service being billed. CMS does not automatically sync taxonomy changes between the two systems; the provider must update each independently.

Q: What are the red flags in an NPI record that should pause a credentialing application?

Key red flags include: a deactivated or inactive NPI status; the NPI not found in the PECOS ordering and referring file when Medicare participation is required; a name or address discrepancy between the NPI record and the credentialing application or CAQH profile; a taxonomy code in NPPES that does not match the specialty the provider is applying to credential under; a license number in the NPI record that does not match the state board record or has a different expiration date; and a sole proprietor or individual provider listed under a Type 2 organizational NPI rather than their own Type 1.

Q: What NPI information should a credentialing application include?

An individual provider's credentialing application should include their Type 1 NPI. If the provider is part of a group or a sole proprietor who has incorporated, the application should also include the group or organization's Type 2 NPI. The NPI must be active in NPPES and the name, address, and taxonomy on the NPI record must match the application. For PECOS enrollment, the NPPES user ID and password are required, along with the NPI and supporting documents including state license, DEA number if applicable, and malpractice coverage.

By the NPI Profile Editorial Team Last updated: June 20, 2026 Based on CMS, OIG, and NCQA guidance

Quick Answer

An NPI is the starting point of provider credentialing, not the end. A valid NPI in NPPES confirms a provider has been issued a unique identifier, but it does not verify their license, confirm Medicare enrollment, or establish that they are free from exclusion. Complete primary source verification for credentialing requires checking NPPES, PECOS, the OIG LEIE, SAM.gov, the NPDB, and the applicable state licensing board as separate independent steps. This guide covers what each source verifies, what it cannot verify, the red flags that should pause an application, and the NCQA-compliant monitoring cadence for ongoing re-credentialing.^[1][2]

What an NPI Does and Does Not Prove

Understanding the limits of the NPI prevents the single most common credentialing shortcut: treating a valid NPI lookup as a proxy for full primary source verification. An NPI confirms one thing: a provider applied for and was issued a unique 10-digit identifier under HIPAA. CMS verifies only two things at the time of NPI issuance: that the Social Security number is valid and that the submitted business address exists. It does not verify licensure, specialty, whether the provider works at that address, or anything about the provider's eligibility to bill Medicare.^[3]

The NPI is also "intelligence-free" by design. Nothing encoded in the number indicates the provider's state, specialty, license status, or enrollment history. It remains permanently associated with a specific individual regardless of practice changes, state moves, or additional specialty training. This permanence is a feature for HIPAA transaction processing; for credentialing purposes it means stale NPI records are common and the number alone tells you very little about the provider's current status.

What an NPI record in NPPES confirms	What an NPI record does NOT confirm
A unique identifier was issued to this provider	The provider's state license is current or unrestricted
The provider's self-reported name, address, and taxonomy at the time of enrollment or last update	The provider actually practices at the listed address
The NPI is active (not deactivated)	The provider is enrolled in Medicare or Medicaid
The entity type (individual Type 1 or organization Type 2)	The provider is free from OIG exclusion or SAM.gov debarment
The license number and state the provider self-reported	The self-reported specialty matches a verified credential
The taxonomy code the provider selected	The taxonomy code matches the provider's PECOS enrollment specialty

NPPES data is self-reported and not actively verified

Providers are instructed to update NPPES within 30 days of any change to required data fields, but CMS does not enforce this actively and there is no penalty for having outdated information. Obsolete NPPES data does not deactivate or suspend an NPI. As a result, NPPES records often contain stale practice addresses, outdated taxonomy codes, or license numbers that have since expired or been restricted. Always verify the underlying credential at its primary source rather than relying on what the NPPES record shows.^[3]

NPPES vs. PECOS: Two Separate Systems Credentialing Must Check

The most consequential gap in credentialing workflows is treating NPPES and PECOS as equivalent or redundant. They are entirely separate databases with different purposes, different data, and different verification rigor.

NPPES issues NPIs and stores public provider information for HIPAA transaction routing. Enrollment is self-service, most data is self-reported, and there is no scheduled re-verification. Providers can have an active NPI indefinitely without updating their record or participating in any payer network.

PECOS is the Medicare enrollment system. Enrollment requires active submission of supporting documentation, license verification against state medical board websites, OIG exclusion screening, and MAC review. PECOS records must be revalidated every three to five years depending on provider type and risk level. Providers must report changes in ownership, practice location, and adverse legal actions within 30 days or risk suspension of billing privileges.^[1]

The two systems do not automatically sync. A provider can update their address in NPPES without it carrying to PECOS, and vice versa. Discrepancies between the two now trigger compliance reviews under 2026 CMS enforcement policy and can result in payment suspension. For credentialing specialists, this means both must be checked independently and any mismatch is itself a red flag requiring resolution before the application can proceed.^[2]

Primary Source Verification: All Five Sources

NCQA credentialing standards, updated in July 2025, define primary source verification as confirmation obtained directly from the issuing authority for each credential element. For NPI-related credentialing, five sources each answer a distinct question that none of the others can answer alone.

Source	What it verifies	NCQA PSV window	Where to check
NPPES / NPI Registry	NPI is active, entity type, self-reported name and taxonomy	120 days (Accreditation) / 90 days (Certification)	NPI Profile or npiregistry.cms.hhs.gov
PECOS	Medicare enrollment status and ordering/referring eligibility	Required for Medicare-participating providers	NPI Profile PECOS lookup or data.cms.gov
State licensing board	License is current, active, unrestricted, and matches the state and number in the NPPES record	120 days / 90 days	Direct query to the applicable state board website
OIG LEIE + SAM.gov	Provider is not excluded from federal health care programs; not debarred from federal contracting	At credentialing and monthly ongoing	exclusions.oig.hhs.gov and sam.gov
NPDB	Malpractice payments, adverse clinical privilege actions, DEA certificate surrenders, Medicare/Medicaid exclusion actions	Required at credentialing; query every 2 years at re-credentialing	npdb.hrsa.gov (requires registration)

Some organizations also verify the DEA registration number for prescribing providers through the DEA Diversion Control Division at deadiversion.usdoj.gov. This is not yet a universal PSV requirement but is standard practice for controlled substance prescribers and is included in the PECOS enrollment checklist for providers who hold a DEA number.^[4]

NPI Credentialing Checklist

The following checklist covers the NPI-related verification steps for an individual provider (Type 1 NPI). For organizations and groups, add a parallel checklist for the Type 2 NPI covering the entity's legal name, EIN, authorized official designation, and PECOS enrollment status as an organization.

Confirm the NPI is Type 1 (individual) and is active.
Search NPPES or NPI Profile by the provider's legal name and confirm the entity type is Type 1, the status is active, and the NPI number matches what the provider submitted on the application. A deactivated NPI stops the process. A Type 2 NPI submitted as an individual's identifier is a disqualifying error.
Verify the name in NPPES matches the application exactly.
Compare the legal name in NPPES against the name on the credentialing application. Discrepancies, including maiden name vs. married name, hyphenated surnames, and middle name vs. middle initial, must be resolved before submitting to payers. Payers cross-reference the NPPES name against the application and will reject or delay an application if they do not match.
Check that the practice address in NPPES matches the credentialing application.
The business practice location address in NPPES must match the address being submitted for credentialing. If the provider recently changed practices and has not updated NPPES, the mismatch will cause a hold. The provider must update NPPES before the credentialing application is submitted, not after. Updates to NPPES take effect on the next NPI Profile refresh cycle and may take additional time to propagate to payer systems.
Confirm the taxonomy code and that it matches the service the provider will credential for.
The primary taxonomy code in NPPES must correspond to the specialty under which the provider is credentialing. Verify the code at NPI Profile's taxonomy lookup or the NUCC taxonomy list at taxonomy.nucc.org. If the provider has multiple taxonomy codes, confirm that the correct one is designated as primary. A mismatch between the credentialing specialty and the NPPES taxonomy can delay or deny payer applications.
Cross-reference the license number in NPPES against the state licensing board.
NPPES displays the license number and state the provider self-reported at enrollment. Verify this number against the actual state board database to confirm it is active, unrestricted, and carries the same expiration date as shown in the credentialing application. A license number in NPPES that no longer exists at the state board, or that shows a different expiration, is a hard stop requiring resolution.
Check PECOS enrollment status for Medicare-participating providers.
Use NPI Profile's PECOS lookup or the CMS Medicare Fee-for-Service Public Provider Enrollment file at data.cms.gov to confirm the provider is enrolled in PECOS and is in the ordering and referring file if applicable. A provider who has an active NPI but is not in PECOS cannot bill Medicare or order items for Medicare patients. Confirm enrollment status before the credentialing application is submitted to any Medicare Advantage or Medicaid managed care plan that requires PECOS enrollment.
Screen against the OIG LEIE and SAM.gov at initial credentialing.
Search exclusions.oig.hhs.gov and sam.gov using the provider's legal name, NPI, and Social Security number or EIN where available. A match on either list means the provider is excluded from federal health care programs and cannot be credentialed for Medicare, Medicaid, or any federally funded program. Document the search date and result. Any match must be escalated to the credentialing committee before the application continues.
Query the NPDB for malpractice payments and adverse actions.
NPDB queries are required at initial credentialing and at least every two years at re-credentialing for NCQA-accredited organizations. The query returns malpractice payment history, hospital privilege revocations, DEA certificate surrenders, and Medicare and Medicaid exclusion actions. NPDB access requires registration at npdb.hrsa.gov. Results must be reviewed by the credentialing committee and retained in the provider file.
Verify CAQH ProView data matches NPPES and the application.
Most payers use CAQH ProView as a universal credentialing hub. The NPI, taxonomy, address, and license information in the CAQH profile must match NPPES exactly. Inconsistencies between the CAQH profile and NPPES are among the most common reasons payers delay or reject credentialing applications. Confirm CAQH attestation is current (not expired) before any new application is submitted.

Red Flags That Should Pause a Credentialing Application

The following conditions found during NPI-related primary source verification require resolution before an application proceeds. None of these are automatic disqualifiers, but each represents a discrepancy that payers will catch and that will cause a delay or denial if submitted unresolved.

Deactivated or inactive NPI

A deactivated NPI cannot be used in claims or enrollment. Reactivation requires a paper form submitted to the NPI Enumerator and cannot be done online. The provider must reactivate the NPI and wait for it to reflect as active in NPPES before any credentialing application is submitted. Reactivation processing can take several weeks.

Name mismatch between NPPES and the application or CAQH

Name discrepancies between the NPI record and a credentialing application, including name changes from marriage or divorce, are among the most frequent causes of credentialing delays. The provider must update NPPES to reflect their current legal name and provide supporting documentation (marriage certificate, court order) to payers who require it. All systems (NPPES, PECOS, CAQH, and the payer application) must reflect the same legal name before submission.

Individual provider listed under a Type 2 (organizational) NPI

Individual providers must be credentialed under their personal Type 1 NPI, not their group's Type 2 NPI. A sole proprietor who incorporated will have both; the individual's Type 1 NPI is the credential, and the organization's Type 2 NPI is the billing entity. Submitting a Type 2 NPI in the individual provider field causes an automatic rejection from most payers and Medicare. This is one of the top causes of credentialing delays in group practice settings.

Address in NPPES does not match the application

Providers who recently changed practices often submit a credentialing application under a new address before updating their NPPES record. Payers compare the address on the application against NPPES and will hold the application until they match. The provider must update NPPES first, then allow time for the update to propagate before submitting any payer application for the new location.

Taxonomy code in NPPES does not match the specialty being credentialed

A provider credentialing as an internal medicine physician whose NPPES primary taxonomy is listed as family medicine will cause a mismatch on payer validation. This happens frequently when providers complete additional training or change specialty focus without updating their NPPES taxonomy. The provider must log in to NPPES and change their primary taxonomy code to match the specialty under which they are credentialing, then allow time for the update to reflect before submission.

Provider not found in PECOS for a Medicare-required credential

For credentialing with Medicare Advantage plans, Medicaid managed care payers, or any payer that cross-references PECOS, a provider who has an active NPI but is not enrolled in PECOS will fail validation. PECOS enrollment must be completed and approved by the MAC before those payer applications can proceed. PECOS processing by a MAC typically takes 30 to 90 days, and PECOS enrollment does not automatically follow from having an NPI.

OIG LEIE or SAM.gov match

Any match against the OIG LEIE or SAM.gov must be escalated to the credentialing committee immediately. A confirmed match means the provider is excluded from participation in federal health care programs. Credentialing cannot proceed and any existing billing using that provider's NPI must be suspended. Note that the OIG LEIE is updated monthly and new exclusions can appear between initial credentialing and re-credentialing, which is why ongoing monthly screening is required under NCQA standards and OIG guidance.

PECOS Enrollment Document Checklist

When a provider must enroll in PECOS as part of the credentialing process, the following information is required. This checklist is drawn directly from the official CMS PECOS enrollment checklist for sole proprietors and solely owned organizations.^[4]

Requirement	Details
Active NPI	Type 1 (individual) NPI for all practitioners. Sole proprietors need only Type 1. Solely owned organizations (LLC, PC) need both Type 1 and Type 2 NPIs.
NPPES credentials	NPPES I&A user ID and password, used to access PECOS via the same login.
Personal identifying information	Legal name as it appears with the Social Security Administration, date of birth, Social Security Number.
Education	Name of medical school or professional program, graduation year.
Professional license	License number, original effective date, renewal date, and state where issued.
Certification	Certification number, original effective date, renewal date, and state where issued, if applicable.
Specialty	Primary specialty and secondary specialty if applicable.
DEA number	DEA registration number if the provider prescribes controlled substances.
Adverse action history	Any Medicare billing privilege revocations, state license suspensions, accreditation body actions, federal or state felony convictions within 10 years, or OIG exclusions or debarments.
Practice location	Medical practice location address. For solely owned organizations: legal business name as filed with the IRS (matches IRS CP575), special payment information, and medical record storage information.
EFT documentation	Electronic Funds Transfer banking information for direct deposit of Medicare Part A and Part B payments.

Taxonomy Mismatches and How They Affect Credentialing

Taxonomy codes are the credentialing dimension of the NPI record that cause the most invisible delays. A taxonomy code is a 10-character code from the NUCC Health Care Provider Taxonomy standard that describes a provider's classification and specialization. Every NPI record must have at least one primary taxonomy, and that code is visible in the public NPPES registry.

The problem arises from three system interactions:

First, NPPES and PECOS use different taxonomy systems. Most NPPES taxonomy codes map to a PECOS specialty code, but some NPPES codes map to more than one PECOS category, and some PECOS specialty categories have no corresponding NPPES code. A provider whose NPPES taxonomy maps ambiguously to PECOS may have specialty discrepancies between the two systems without either record being wrong on its own terms.^[3]

Second, a wrong taxonomy code in PECOS can cause Medicare claim denials. CMS uses the specialty information in PECOS to determine whether a provider is eligible to bill for a given service type. If PECOS lists the wrong specialty for the service being billed, the claim is denied. Because PECOS revalidation occurs on a 3 to 5 year cycle, a wrong taxonomy can silently cause denials for years before the issue surfaces in credentialing.

Third, payers cross-reference the taxonomy in NPPES against the specialty under which a provider is applying. If a behavioral health therapist's primary taxonomy in NPPES is listed as a general counselor code rather than the specific LCSW or LPC code the payer network requires, the application will return for correction. Updating NPPES taxonomy is done through the NPPES portal and requires logging in with the provider's I&A credentials.

NPPES taxonomy update process

To change a primary taxonomy code in NPPES: log in at nppes.cms.hhs.gov with the I&A user ID and password, select Manage NPIs, select Manage on the applicable NPI row, select Edit, navigate to the Taxonomy section, select the Edit button on the code to be changed, check "Make Primary," and save. The taxonomy change reflects on the next NPPES data release cycle. NPI Profile updates its data weekly from NPPES, so changes should appear within a week of the NPPES update.

Ongoing Monitoring: OIG, NCQA, and Revalidation

Initial credentialing is not a one-time clearance. Credential status changes after the initial application. Licenses expire or become restricted, providers acquire adverse actions, and OIG exclusions can be imposed at any point during a provider's career. A credentialing program that only screens at initial enrollment and re-credentialing cycles has gaps that represent both compliance risk and payment liability.

OIG LEIE and SAM.gov: monthly screening

The OIG LEIE is updated monthly. The OIG's position, supported by its 2013 Special Advisory and CMS guidance to state Medicaid programs, is that screening must be performed upon hire and monthly thereafter. Medicare Part C and Part D plans are explicitly required to run monthly checks. NCQA updated its standards in July 2025 to require monthly exclusion monitoring for all credentialed providers, escalated to a peer-review body when issues are found.^[5]

Monthly screening should cover the OIG LEIE, SAM.gov, and applicable state Medicaid exclusion lists. At least 44 states maintain their own exclusion databases, and a provider may appear on a state list before a federal OIG exclusion is imposed. The civil monetary penalty for billing for services furnished by an excluded individual is up to $25,595 per item or service as of January 2026, plus treble damages.^[5]

NCQA primary source verification timelines

As of July 2025, NCQA reduced its primary source verification window from 180 days to 120 days for organizations seeking Credentialing Accreditation and to 90 days for Credential Verification Organizations (CVOs) seeking Certification. Verification data that falls outside these windows is considered expired and must be recollected before the credentialing file can be submitted for committee approval.^[5]

PECOS revalidation

CMS requires Medicare-enrolled providers to revalidate in PECOS every five years for most individual practitioners and every three years for high-risk provider types. Trigger events that can require earlier revalidation include changes in ownership or Tax Identification Number, new practice locations, adverse legal actions, and significant malpractice settlements. Providers who miss their revalidation deadline face payment suspension. CMS sends revalidation notices by mail to the address on file in PECOS, which is another reason keeping PECOS updated separately from NPPES matters operationally.^[1]

Verify any provider's NPI, PECOS status, and taxonomy in one search. NPI Profile shows NPPES data, PECOS enrollment flag, taxonomy codes, and license information from the public CMS record for any active NPI.

Search NPI Registry

Frequently Asked Questions

Does verifying an NPI in NPPES satisfy primary source verification for credentialing?

No. NPPES confirms that a number was issued and shows self-reported demographic data, but it does not verify licensure, specialty, or Medicare enrollment. Primary source verification requires checking each credential at its authoritative source: the state licensing board for licensure, PECOS for Medicare enrollment, the OIG LEIE and SAM.gov for exclusion status, and the NPDB for adverse actions. NPPES is the starting point, not the end point.^[3]

What is the difference between NPPES and PECOS in credentialing?

NPPES issues NPI numbers and stores self-reported provider data for HIPAA transactions. PECOS is the Medicare enrollment system where providers must actively enroll to bill Medicare, with license verification and OIG exclusion screening performed at enrollment. A provider can have an active NPI without being enrolled in PECOS. Changes in one system do not carry over to the other; both must be checked and updated independently.^[1]

What does a taxonomy mismatch between NPPES and PECOS mean for credentialing?

A taxonomy mismatch means the specialty code in NPPES does not match the specialty in the provider's PECOS enrollment record. This can trigger credentialing holds and can cause Medicare claim denials when the PECOS specialty does not authorize the service being billed. The two systems must be updated independently; a taxonomy change in NPPES does not carry over to PECOS.^[3]

How often should credentialing teams check the OIG exclusion list?

The OIG recommends screening upon initial credentialing and monthly thereafter, and the NCQA July 2025 updates formalized monthly exclusion checks as a requirement for credentialing accreditation and certification programs. The LEIE is updated monthly, so less frequent screening creates gaps. Monthly screening against the OIG LEIE, SAM.gov, and applicable state Medicaid exclusion lists is the defensible operational standard, with civil monetary penalties up to $25,595 per item for billing with an excluded provider as of January 2026.^[5]

What are the red flags in an NPI record that should pause a credentialing application?

Key red flags include: a deactivated or inactive NPI; the NPI not found in the PECOS ordering and referring file when Medicare participation is required; a name or address discrepancy between the NPI record and the credentialing application or CAQH profile; a taxonomy code that does not match the specialty being credentialed; a license number that does not match the state board record; and an individual provider listed under a Type 2 organizational NPI rather than their own Type 1.

What NPI information should a credentialing application include?

An individual provider's application should include their Type 1 NPI. If the provider is part of a group or a sole proprietor who has incorporated, the application should also include the group's Type 2 NPI. The name, address, and taxonomy in the NPI record must match the application exactly. For PECOS enrollment, the NPPES I&A user ID and password are required, along with supporting documentation including state license, DEA number if applicable, and malpractice coverage.^[4]

Sources

This guide is based on the following official government publications and current industry guidance. NPI Profile summarizes these for convenience; source documents remain the authoritative reference.

Centers for Medicare & Medicaid Services, Medicare Learning Network. Medicare Provider Enrollment (MLN9658742). 2026 edition. Covering the NPPES-PECOS non-sync requirement, PECOS revalidation cycles (3-year and 5-year), the 30-day reporting window for ownership changes and adverse legal actions, and MAC review process for enrollment applications.
MedXpert Services. CMS Credentialing Requirements for Providers: 2026 Guide. February 2026. Covering CMS enforcement of NPPES-PECOS discrepancies triggering compliance reviews, the 30-day reporting window as a hard enforcement deadline, and NPI taxonomy correspondence requirements for billing eligibility.
Bindman, A.B. Using the National Provider Identifier for Health Care Workforce Evaluation. Medicare & Medicaid Research Review, 2013, Vol. 3(3). Published by CMS. Covering what CMS verifies at NPI issuance (SSN and address only), the self-reported nature of NPPES specialty data, the 30-day voluntary update window, and the NPPES-PECOS taxonomy mapping limitations.
Centers for Medicare & Medicaid Services. PECOS Help: Checklist for Sole Proprietor or Solely Owned Organizations (e.g., LLC, PC). pecos.cms.hhs.gov. Covering the complete PECOS enrollment document requirements including NPI type requirements by organization structure, required personal and professional information, adverse action disclosure requirements, and EFT documentation.
NCQA Credentialing Standards Update (effective July 1, 2025). Covering the reduction of primary source verification windows to 120 days (Accreditation) and 90 days (Certification); monthly exclusion monitoring requirement against OIG LEIE, SAM.gov, and state boards; and escalation requirements to peer-review bodies. Supplemented by: OIG LEIE guidance (2013 Special Advisory Bulletin, updated 2026 penalty schedules at $25,595 per item); and PayerReady.com credentialing compliance guide verified against CMS regulations as of June 2026.