Compliance Due Diligence for Ambulatory Surgery Centers: A Risk-Based Credentialing Framework

Ambulatory surgery centers carry, per square foot, the most concentrated audit exposure of any outpatient setting in healthcare. CMS Conditions for Coverage at 42 CFR Part 416 set the federal floor. Medicare deemed-status accreditation by AAAHC, the Joint Commission, or AAAASF adds another layer that brings its own credentialing requirements. State licensure adds a third. State Medicaid programs add a fourth. The OIG and DOJ run False Claims Act cases over upcoding, medically unnecessary procedures, and kickbacks tied to physician ownership. The ASC owner who treats credentialing as a back-office task is not running a defensible compliance program.

The core challenge in an ASC is that the regulatory model assumes hospital-grade compliance infrastructure on a fraction of the staffing budget. The credential stack is the same as a hospital's. The reappointment cycle is the same. The exclusion screening obligation is the same. What is missing, almost always, is the dedicated medical staff services office that hospitals have. The result is a structural gap between what the rules require and what the operation can actually deliver. Here is how to close it.

Why ASCs face concentrated exposure

42 CFR 416 lays out what an ASC must do to be a Medicare-certified facility. The Conditions for Coverage include explicit requirements around governing body responsibility for the medical staff, credentialing and privileging, quality assessment, and infection control. CMS state survey teams audit against these conditions. Accreditation organizations audit against their own standards, which are usually stricter than the federal floor. State licensing surveys audit against state regulations, which vary.

On the enforcement side, the DOJ and OIG have brought significant ASC and surgical facility cases. An Arizona surgical hospital paid $5.6 million to resolve False Claims Act allegations. Advanced Urology and its principal paid $14 million to resolve allegations of fraudulent billing and unnecessary procedures, with ASC operations central to the conduct. More recent matters, including upcoding cases tied to surgical center billing, continue to populate the OIG enforcement database. The pattern is consistent: ASCs that don't run tight credentialing and exclusion screening end up tangled with the conduct cases for reasons that have nothing to do with their primary clinical activity.

Per-role credential checks

Operating physicians

Active state medical license, no restrictions. DEA registration current and matched to schedules used. Board certification or eligibility per medical staff bylaws. Hospital-equivalent privileges in the specific procedures being performed at the ASC, granted by the ASC's governing body and renewed at reappointment. OIG LEIE clear, SAM.gov clear, NPDB query at appointment and at reappointment, state Medicaid exclusion list clear. Malpractice coverage at policy minimums. See the hospital privileges credential checklist, which translates almost directly to ASC privileging.

Anesthesiologists and CRNAs

Active license (MD/DO for anesthesiologists, RN plus APRN/CRNA credential for CRNAs). DEA registration. ACLS current. PALS current if the center sedates pediatrics. Board certification status (ABA for anesthesiologists, NBCRNA for CRNAs). Anesthesia privileges granted by the ASC. The CRNA role specifically carries a five-credential stack with independent expiry dates. See the CRNA credential stack for the full picture.

Registered nurses (peri-op, PACU, circulator)

Active state RN license. BLS current. ACLS current for PACU and circulator roles in most accreditation frameworks. PALS current where pediatric cases are scheduled. Specialty certifications (CNOR, CPAN, CAPA) where credentialing standards or insurer contracts require them.

Surgical technologists and sterile processing

State certification or registration where required. CST credential through NBSTSA where used as a hiring standard. CRCST or similar sterile processing credentials. These are not federally licensed roles in most states, but accreditation surveys still inspect against them, and a finding that sterile processing was performed by uncertified staff is the kind of thing that ends up on a CMS plan of correction.

The reappointment trap

Every accreditation framework requires medical staff reappointment at intervals that do not exceed two years. The ASC governing body reviews the practitioner's file, refreshes credentials, queries the NPDB, and reaffirms privileges. Then the file goes back into the cabinet for two more years.

The blind spot is between cycles. A surgeon's license can be suspended six months after reappointment. Their DEA can be revoked. They can be added to the OIG LEIE. They can have a board action filed against them in another state. None of this surfaces on the ASC's timeline if the ASC's timeline is the reappointment cycle. Continuous license monitoring exists precisely because the every-two-years model has structural failure built into it. The hospital privileges credential checklist lays out the same gap from the inpatient side, with the same fix.

Federal exclusion + DEA + state Medicaid screening

The ASC's federal program exposure is identical to any other Medicare and Medicaid biller. Civil monetary penalties under 42 USC 1320a-7a apply to claims billed during periods when an excluded individual contributed to the care. See what an excluded provider is, how OIG, SAM.gov, and NPDB differ, and what happens if you employ an excluded provider.

DEA registration is a particular ASC risk because anesthesia depends on it and because DEA registrations expire on individual three-year cycles that do not align with anything else in the credential stack. A DEA expiration that lapses on a Tuesday silently invalidates every controlled-substance order written on Wednesday. The clinical staff usually do not notice. The pharmacy might. The auditor definitely will.

The cascade angle: anesthesia depends on a stack

Anesthesia in an ASC, whether delivered by an anesthesiologist or a CRNA, depends on a cascade of certifications. ACLS is the foundation for adult emergencies. PALS is required wherever the center sedates pediatric patients. BLS underlies both ACLS and PALS, since most accreditation frameworks treat current BLS as a prerequisite for the higher-acuity certifications. NRP appears in centers that perform OB or fetal procedures, and even in some pediatric ASCs.

Every one of these renews on its own two-year cycle from a different issuer than the others. A CRNA whose ACLS expired in March is technically out of compliance with most accreditation requirements until ACLS is reinstated, regardless of how recent their CRNA recertification is. See how cascade credentials work and the BLS/ACLS/PALS/NRP comparison. ACLS coverage by role spells out which clinical positions need it and when it has to be current.

Cadence: what to verify and how often

• State licenses (MD, DO, RN, APRN, CRNA): continuous monitoring. The reappointment cycle is too slow.
• OIG LEIE, SAM.gov, state Medicaid exclusion list: monthly, for every employee, contractor, and credentialed provider.
• NPDB query: at appointment, at every reappointment, and where state law or accreditation requires interim queries.
• DEA registration: tracked to expiry with 90/60/30-day reminders, separately for every state of practice.
• BLS, ACLS, PALS, NRP: 90-day prior-to-expiry monitoring, every cycle, for every role that needs each one.
• Specialty certifications (board certifications, CNOR, etc.): tracked to recertification cycle.
• Privileging file refresh: at reappointment, with continuous license monitoring closing the in-between gap.
• Primary source verification: at appointment, at reappointment, and continuously for status changes. See what PSV means and when it's required.

The audit trail is the deliverable

A CMS state survey team, an accreditation surveyor, or an OIG investigator does not grade on the practitioner's actual current status. They grade on what the ASC knew and when. A surgeon whose license was technically active throughout the audit period but whose file shows no documented monthly LEIE check, no documented continuous license monitoring, and no documented annual PSV is a finding regardless of the practitioner's clean record. The deliverable is the trail, not the conclusion.

Modern compliance platforms generate this trail as a continuous byproduct. Spreadsheets and email threads do not. The ASC sector's financial structure (low overhead, narrow margins, owner-operator governance) often pushes against compliance investment until the first survey finding. The arithmetic does not work in that direction. A single CMS condition-level deficiency tied to credentialing can trigger a plan of correction, an extended survey, and in serious cases termination from Medicare participation. The platform that prevents the finding costs a fraction of the response to one.

Build the system before the surveyor walks in. By the time they do, the audit trail has either been generated continuously or it has not.