What Is Primary Source Verification (PSV) and When Is It Required?

Most credentialing processes ask providers to submit a copy of their license. That copy proves one thing: the provider has access to a printer. It does not confirm the license is current, has never been disciplined, or belongs to the person presenting it.

Primary source verification — PSV — is the practice of confirming a credential directly with the body that issued it, bypassing the individual entirely. It is the foundation of defensible credentialing, and it is required by every major healthcare accreditor.

What primary source verification means

A primary source is the original issuing authority: the state licensing board that granted a physician's license, the American Heart Association portal that records a BLS card, the National Practitioner Data Bank that tracks malpractice payments and board actions. PSV means going directly to those sources — not accepting documentation from the individual and not relying on a verbal attestation.

The distinction matters because documentation can be altered and attestations can be false. A license number can be real but belong to a different person. A certificate can show a valid date but have been revoked the following week. None of that surfaces unless you check the source.

Who requires PSV

The Joint Commission

The Joint Commission's Medical Staff Standards (MS.06.01.05) require PSV for all medical staff credentials prior to granting initial privileges, and re-verification when a license is renewed or when there is reason to question the information. For some credentials, re-verification is required at least every three years. Hospitals accredited by the Joint Commission must document that each verification was obtained from a primary source — not from the provider.

NCQA

The National Committee for Quality Assurance requires PSV for health plans and managed care organizations credentialing participating providers. NCQA's credentialing standards (CR 1) require primary source verification of licensure, DEA registration, board certification, malpractice history, and other elements — completed within 180 days prior to the credentialing decision.

CMS Conditions of Participation

For hospitals participating in Medicare and Medicaid, CMS Conditions of Participation (42 CFR §482.22) require that the medical staff bylaws establish a credentialing process. CMS expects PSV as the mechanism for confirming licensure and competence — and surveyors look for documented evidence that verifications were obtained directly from primary sources.

What counts as a primary source

• State licensing board website or official database. Most boards publish searchable license status lookup tools that are considered primary sources.
• AHA eCard portal. The American Heart Association's online verification tool is the primary source for BLS, ACLS, PALS, and NRP certifications. A physical card or PDF from the provider is not.
• NPI Registry (NPPES). The National Provider Identifier registry is a primary source for NPI verification and taxonomy classification.
• National Practitioner Data Bank (NPDB). A subscription query to the NPDB is a primary source for malpractice payment history, board actions, and clinical privilege restrictions.
• DEA Diversion Control Division website. DEA registration verification through the official lookup is the primary source for controlled substance prescribing authority.

What does NOT count as a primary source

• A photocopy of a license provided by the employee or applicant
• An attestation form signed by the provider
• A credential copy stored in the provider's personnel file from a prior employment
• A letter from a prior employer confirming licensure at the time of their employment
• A certificate issued by a third-party training vendor (for certifications with an official primary source portal)

How often PSV must be repeated

Requirements vary by accreditor and credential type. The Joint Commission requires re-verification of some credentials at initial appointment and at re-appointment, typically every two years for medical staff. For certain credentials, ongoing monitoring satisfies the re-verification requirement if the platform queries the primary source continuously. CMS requires verification upon hire and when information arises that calls credentials into question.

The practical implication: a one-time check at hire is not sufficient. A license that was valid on January 1 can be suspended on March 15. Without ongoing verification against the primary source, the organization does not know.

How automation changes the PSV equation

Manual PSV is expensive. Each query to a state board requires staff time, and with hundreds or thousands of providers across dozens of credential types, the process does not scale. The result is that organizations often check at hire and then rely on the provider to self-report any changes — exactly the gap that compliance failures exploit.

Automated platforms integrate directly with primary sources — state board databases, the AHA portal, the NPDB — and query them on a defined schedule without staff intervention. A status change at the source triggers an alert the same day. The verification is logged with a timestamp and the source queried, creating the audit documentation that accreditors require.

This is what transforms PSV from a one-time onboarding task into a continuous background process. See what continuous license monitoring means in practice and the full healthcare license verification checklist for the complete picture. Organizations looking to understand the role of AI in this process can review how AI is transforming regulatory compliance.