Why the 2025 NCQA overhaul changed telehealth provider onboarding

Until last year, telehealth organizations credentialing providers across multiple states were operating under standards written for a world where most providers practiced in one location, with one payer, in one regulatory environment. On July 1, 2025, the NCQA released the largest set of changes to its credentialing standards in two decades, and the impact on multi-state telehealth operations was immediate.

Monthly monitoring of OIG exclusion lists, SAM.gov, and individual license status is now mandatory. Quarterly checks, which were standard practice at most organizations, no longer meet compliance requirements. Verification windows were shortened from 120 to 180 days down to 90 to 120 days, meaning the documentation your legal team collected six months ago may already be out of cycle.

At the same time, CMS updated its enrollment standards effective January 2026, adding enhanced primary source verification requirements for Medicare and Medicaid participation. And the end of COVID-era HIPAA enforcement discretion has closed the informal grace period telehealth organizations had been operating under for multi-state provider access.

For organizations onboarding contractors across state lines, these changes have a specific consequence: compliance training must be state-specific, time-stamped, and auditable at the individual provider level. The central question organizations are now asking is whether the platform delivering that training can generate the documentation their legal team will need when an audit happens.

The multi-state contractor problem

Hiring a contractor to provide telehealth services across five states means onboarding that provider into five overlapping compliance frameworks simultaneously. Each state has its own licensure requirements, documentation standards, and payer enrollment rules. Some states require providers to complete state-specific HIPAA training as a condition of practice. Others require documented completion of platform-specific protocols before a provider can be given access to patient records.

Telehealth credentialing became a distinct category in 2026 rather than an extension of traditional healthcare credentialing. In traditional healthcare, most providers need to be licensed in their primary state. In telehealth, licensure is required in each state where the patient is located, and those requirements vary significantly. The Interstate Medical Licensure Compact simplifies some of this, but state-specific compliance training requirements exist independently of licensing compacts and apply regardless of whether a provider holds a compact license.

A credentialing delay costs between $8,000 and $10,000 in lost revenue per month for each provider who can't see patients. For specialists, that figure can exceed $20,000 per month. Organizations managing this well have learned that telehealth compliance training and credentialing verification are one problem with two failure modes: providers who are credentialed but haven't completed state-specific compliance training create legal exposure, and providers who have completed training but aren't yet credentialed represent lost revenue. Closing both gaps requires tying training completion directly to access.

What the platforms most telehealth organizations use can't do

Docebo and Skilljar are the platforms most commonly used for healthcare provider training at scale. Both can deliver compliance content and track completion. Neither was built to gate clinical system access based on credential status, generate per-state audit trails for individual contractors, or send escalating reminders to providers who haven't completed jurisdiction-specific training modules.

These platforms were designed for employee learning and customer education, where the cost of an incomplete training module is a knowledge gap. In telehealth, the cost is a coverage gap and a documentation liability for your legal team. Treating compliance training as a content catalog is what creates the manual verification process that healthcare operations and legal teams are living with today: someone on your staff confirming, one provider at a time, that required modules are complete before handing over system credentials.

The organizations that have moved past generic LMS platforms for telehealth provider onboarding have replaced content libraries with structured onboarding programs. Each program is built around a provider's practice states, enforces sequential completion, and generates timestamped records that can be exported for audit. When a state-specific requirement changes, the program updates, and every affected provider receives a re-enrollment notification automatically.

What telehealth provider onboarding actually requires

Building a healthcare provider onboarding program that holds up to multi-state compliance scrutiny requires five capabilities that most platforms don't provide together.

• State-specific learning paths. A provider licensed in New York, Texas, and California needs onboarding paths built around each jurisdiction's requirements. Sending the same module to every provider regardless of practice state creates documentation gaps and provider confusion.
• Access gating by completion status. Providers should not have access to clinical systems, scheduling tools, or patient records until required compliance modules are complete. After the end of COVID-era HIPAA enforcement discretion, this is a compliance requirement, not a best-practice recommendation.
• Automated re-enrollment for regulatory changes. When NCQA updated its standards in 2025, every organization that had completed credentialing under the prior cycle had to re-verify under the new one. A platform that automatically re-enrolls providers into updated training paths when regulations change eliminates weeks of manual follow-up.
• Per-provider audit documentation. When an audit happens, your compliance team needs timestamped completion records for specific providers, specific training modules, and specific states. A program-level completion percentage is not sufficient documentation for a state health department review.
• Escalation for non-completers. A provider who is 80% through their state compliance training is still a compliance gap. The platform needs to send escalating notifications to the provider, their supervising physician, and the operations team if completion doesn't happen within the required window.

How cohort-based delivery changes the compliance calculus

The telehealth organizations solving this problem have built provider onboarding around structured, cohort-based programs rather than static content libraries. Each cohort is tied to a practice state or contract type, enforces sequential module completion, and generates individual completion records that satisfy audit requirements.

Disco is built for this type of structured program delivery. A telehealth organization onboarding 40 contractor providers across 12 states can build separate onboarding cohorts for each state, automate enrollment of new contractors into the appropriate state-specific path, gate access to clinical tools until required modules are complete, and export per-provider completion records at any point in the credentialing cycle.

The social dimension matters for telehealth provider onboarding in ways that are easy to underestimate. Providers who complete compliance training alongside peers in the same practice context are more likely to ask questions, flag confusion about jurisdiction-specific requirements, and engage with updated protocols when regulations change. A compliance module completed in isolation doesn't generate that feedback loop. A cohort-based program with structured peer discussion does, and for organizations that need to catch compliance misunderstandings before they become audit findings, that difference is significant.

For telehealth organizations building new contractor programs or scaling into additional states, a purpose-built healthcare training platform that enforces completion before access, generates documentation that satisfies audit requirements, and scales to new jurisdictions without rebuilding from scratch changes the entire compliance calculus.

The audit trail problem lives in your training platform

Legal teams at growing telehealth organizations are increasingly surfacing this issue. A credentialing specialist can verify that a provider holds a valid license in three states. What they can't confirm from the credentialing system is whether that provider completed the platform-specific HIPAA training required for access to the patient portal in each of those states.

That gap lives in the training platform. If the platform is a module library with a completion dashboard, the audit trail it generates may not be granular enough to satisfy a state health department review or a CMS enrollment audit.

The organizations building durable telehealth provider onboarding programs treat training completion as a precondition for clinical access. They build that enforcement into the platform rather than relying on operations teams to verify it manually before handing over system credentials.

That shift, from treating training as content delivery to treating it as access control, is what separates organizations that can scale contractor hiring across state lines from the ones that slow down every time they add a new jurisdiction. See how healthcare organizations are building structured, accountability-driven training programs on Disco, or talk to our team about building a compliant telehealth provider onboarding program for your network.