HIPAA and Provider Credentialing: Protecting Physician Data

Provider credentialing occupies an unusual place under HIPAA, and understanding that nuance is the heart of compliance here. Credentialing is primarily about the provider, not the patient — verifying a clinician’s education, training, board certifications, NPI and DEA registrations, malpractice history, work history, and peer references. Because protected health information (PHI) is defined as information about a patient’s health, care, or payment, a provider’s own credentialing data generally is not PHI, and the credentialing file by itself often falls outside HIPAA. The real exposure lives in the systems credentialing runs on, the third-party verification vendors it relies on, and the points where credentialing workflows brush up against the patient records your organization already holds.

Why credentialing data needs protection even when it isn’t PHI

Even though most credentialing data is not PHI, it is still highly sensitive: Social Security numbers, dates of birth, home addresses, and DEA numbers are exactly what identity thieves and fraudsters want. State privacy laws, payer contracts, and the National Practitioner Data Bank’s confidentiality rules impose their own protections. More importantly for HIPAA, credentialing rarely happens in isolation. Credentialing and privileging staff frequently work inside the same network, email, and EHR environment that stores patient data, and a credentialing application that includes case logs, quality metrics, or peer-review material can pull patient identifiers into the file. When that happens, the document becomes a HIPAA concern.

Credentialing verification organizations and business associates

Many practices and hospitals outsource primary source verification to a credentialing verification organization (CVO) or use delegated credentialing through a health plan. If that vendor only handles provider data, it may not be a business associate. But CVOs and credentialing platforms that also touch PHI — or that host your credentialing system inside an environment containing patient data — do meet the definition of a business associate, and you need a Business Associate Agreement in place before sharing anything. Mapping which of your credentialing vendors actually handle PHI is a step practices routinely overlook.

The Security Risk Analysis ties it together

HIPAA’s Security Rule requires every covered entity and business associate to conduct a Security Risk Analysis — an accurate and thorough assessment of the risks to electronic PHI — under 45 CFR § 164.308(a)(1)(ii)(A). For credentialing, the SRA is where you document which credentialing systems store or connect to ePHI, who has access, and how that access is controlled. It is the formal exercise that distinguishes provider data you manage carefully from ePHI you are legally obligated to safeguard, and it produces the risk-management plan that drives your access controls and vendor agreements. A practical HIPAA compliance checklist can help you confirm nothing is missed.

The proposed 2026 Security Rule update

Compliance expectations are about to rise. In December 2024, the Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) that would significantly strengthen the HIPAA Security Rule, adding requirements such as mandatory encryption, multi-factor authentication, network segmentation, and more rigorous, regularly updated risk analyses. The proposal is not final; it remains in the rulemaking process, and if it is finalized as written, organizations would have roughly 240 days from the effective date to comply. Credentialing systems and the vendors behind them would fall squarely within that tightened scope, so building strong access controls now is time well spent.

How Medcurity helps

Medcurity gives credentialing-heavy practices and hospitals a guided way to run their Security Risk Analysis, inventory the systems and vendors that touch ePHI, track Business Associate Agreements, and maintain the documentation OCR expects. Our platform is $499/year (about $42/month) for a single organization, and larger or multi-entity health systems can request a quote tailored to their footprint. The result is a defensible, repeatable compliance record rather than a binder that goes stale the day after it’s finished.

Frequently asked questions

Is provider credentialing data considered PHI under HIPAA?

Generally no. PHI is information about a patient’s health, treatment, or payment, while credentialing data describes the provider. However, when a credentialing file includes patient case logs, quality metrics, or peer-review material containing patient identifiers, those portions become PHI and must be protected accordingly.

Do we need a Business Associate Agreement with our credentialing verification organization?

Only if the CVO creates, receives, maintains, or transmits PHI on your behalf, or hosts your credentialing system inside an environment that contains patient data. A CVO that handles only provider data is typically not a business associate, so map what each vendor actually touches before deciding.

How does the Security Risk Analysis apply to credentialing systems?

Your SRA must account for any credentialing system that stores or connects to electronic PHI, documenting access, safeguards, and risks under 45 CFR § 164.308(a)(1)(ii)(A). It is the formal step that determines which credentialing tools fall under HIPAA’s safeguard requirements.

Will the proposed 2026 HIPAA Security Rule change credentialing security requirements?

It could. The December 2024 NPRM proposes mandatory encryption, multi-factor authentication, and stronger risk analyses. It is not yet final, but if finalized, credentialing systems handling ePHI would need to meet those controls within roughly 240 days of the effective date.