Hospital Privileges and the Credential Stack You Cannot Skip

Obtaining clinical privileges at a hospital is not a one-step process. A physician, nurse practitioner, or physician assistant seeking hospital medical staff privileges must satisfy a credential stack that spans licensing boards, federal registries, national certification bodies, and independent insurance requirements — all simultaneously, all current, all verifiable from primary sources.

What follows is the complete credential checklist for hospital clinical privileges, with explanations of why each element is required and what the biannual reappointment cycle misses.

The credential stack for hospital privileges

1. Active state medical or practice license

The foundation of any privilege application. The license must be active and in good standing in the state where the hospital is located. Hospitals are required by CMS Conditions of Participation to verify licensure through primary source verification — meaning directly with the state licensing board, not from a copy provided by the applicant. Any board action, probation, or restriction on the license must be disclosed and reviewed by the medical executive committee. See our article on primary source verification requirements.

2. DEA registration

Required for any provider who will prescribe, administer, or order controlled substances. DEA registration is federal, renewed every 3 years, and tied to the state of the practice address. Note: in several states, a DEA registration automatically lapses if the underlying state medical license expires — creating a cascade dependency.

3. Board certification or board eligibility

The majority of hospital credentialing committees require either current board certification from the applicable specialty board (ABMS or AOA member boards) or documented board eligibility for initial appointment. Board certification is time-limited and must be maintained through periodic recertification. Board eligibility has a defined window — typically 5 to 7 years from residency completion — after which uncertified providers may no longer qualify.

4. NPI registration

The National Provider Identifier from CMS NPPES is required for billing and claims submission at any Medicare or Medicaid-participating facility. NPI registration has no expiration but must reflect current practice address and taxonomy. Privileges cannot generate billable claims without a valid, active NPI.

5. Malpractice insurance with required limits

Each hospital sets minimum coverage limits — typically $1 million per occurrence / $3 million aggregate for physicians, though limits vary by specialty and institution. Proof of current coverage is required at application and reappointment. A gap in malpractice coverage during an active privilege period creates both coverage and credentialing problems simultaneously.

6. BLS certification

The baseline life support certification is required for all clinical privileges. No hospital grants clinical privileges without current BLS. BLS renews every 2 years from the AHA and is a prerequisite for ACLS and PALS — a lapse in BLS does not just affect BLS, it undermines the entire life support credential stack.

7. ACLS certification

Required for most adult acute care privileges. Emergency medicine, hospitalist, critical care, perioperative, and any role with resuscitation responsibility requires current ACLS. It renews every 2 years, on its own calendar. For a complete breakdown of which roles require ACLS, see our article on ACLS certification requirements.

8. PALS certification

Required for pediatric privileges at most institutions. Family medicine physicians with pediatric scope, pediatric surgical teams, and providers credentialed in mixed adult/pediatric settings will typically be required to hold both ACLS and PALS. See our article on PALS requirements in pediatric care. For providers seeking L&D or NICU privileges, current NRP certification is also required — see NRP requirements for labor and delivery privileges.

9. NPDB query

Hospitals are legally required under the Health Care Quality Improvement Act (HCQIA) to query the National Practitioner Data Bank at initial appointment and at each reappointment. The query reveals malpractice payment history, board actions, clinical privilege actions at other facilities, and DEA sanctions. NPDB is not a public database — only authorized entities with a verified query account can access it. See our comparison of OIG vs SAM.gov vs NPDB.

10. OIG and SAM.gov exclusion checks

Federal law prohibits Medicare- and Medicaid-participating hospitals from employing or contracting with excluded providers. This check must be performed at initial credentialing and regularly thereafter. Monthly re-screening is the standard recommended by OIG. For the full cost exposure of a missed exclusion, see our article on the cost of employing an excluded provider.

11. State Medicaid exclusion check

Separate from the OIG federal list, each state maintains its own Medicaid exclusion registry. A provider excluded from a state's Medicaid program may not appear on the federal OIG list. For organizations billing state Medicaid programs, both checks are required.

12. DEA and controlled substance history check

Beyond verifying DEA registration currency, most credentialing committees require disclosure of any DEA sanctions, surrenders, or controlled substance-related actions in any state. This history is reported to the NPDB in many cases, but may not be complete there for older actions.

The biannual reappointment gap

Hospital medical staff committees review privileges at initial appointment and at reappointment — which occurs on a cycle of every 1 to 2 years at most institutions. The problem: certifications expire independently of the reappointment cycle.

A physician whose ACLS certification lapsed in month 13 of a 24-month privilege cycle is not caught until reappointment. For those 11 months, they are practicing under privileges that require current ACLS — which they no longer hold. The hospital is credentialing committee has no visibility into this gap until the next review.

The biannual cycle creates systematic blind spots. The only mechanism that eliminates those blind spots is continuous monitoring of every credential in the stack — not just the ones that renew on the reappointment calendar.

For CRNA-specific credentialing requirements and the additional complexity of the advanced practice credential stack, see our article on the CRNA credential stack. For the concept of how each credential in this list builds on the previous one, see cascade credentials explained. PracticeSentry tracks every element of the hospital privileges credential stack with continuous monitoring and automated alerts before expiry dates arrive.