Healthcare Staffing Agency Compliance Checklist 2026
A compliance failure at a healthcare staffing agency is not a minor operational hiccup. It is an existential business risk. In 2025, the average cost of a single compliance-related contract termination for staffing agencies was $1.8 million in lost annual revenue. Across the industry, agencies reported spending an aggregate $340 million on compliance remediation activities. The agencies that spent the least on remediation were the ones that had robust preventive processes in place.
This checklist covers every compliance requirement that a U.S. healthcare staffing agency placing nurses must satisfy in 2026, organized by regulatory source and operational function.
Federal Requirements
CMS Conditions of Participation
CMS does not directly certify staffing agencies, but hospitals that use contract staff must ensure those staff meet the same standards as direct employees. Your agency bears the burden of proof.
- Primary source license verification for every nurse before first assignment
- Ongoing license monitoring with documented verification frequency
- OIG exclusion list screening at hire and monthly thereafter
- SAM.gov exclusion screening at hire and monthly thereafter
- Background check per state and facility requirements
- Drug screening per state and facility requirements
- Immunization compliance including Hepatitis B, MMR, Varicella, seasonal influenza, and COVID-19 (per current CMS mandate status)
- TB screening per facility requirements (annual or baseline plus symptom screening)
- Competency assessment documentation for each clinical specialty placed
- EMTALA training documentation for nurses placed in emergency departments
HIPAA Requirements
Your agency handles protected health information (PHI) in credential files and must comply with HIPAA Privacy and Security Rules.
- Business Associate Agreements (BAAs) with every facility client
- HIPAA training for all agency staff with access to nurse records, completed annually
- Written privacy policies and procedures covering PHI handling
- Incident response plan for potential data breaches
- Access controls with role-based permissions on credential management systems
- Encryption of PHI at rest and in transit
- Minimum necessary standard applied to all PHI disclosures
- Breach notification procedures compliant with the 60-day notification rule
- Physical safeguards for any paper credential files
OSHA Requirements
- Bloodborne pathogen exposure control plan communicated to placed nurses
- Workplace violence prevention awareness for nurses placed in high-risk settings
- Hazard communication training documentation
- PPE training documentation where applicable
Joint Commission (TJC) HCSS Standards
If your agency holds or seeks TJC Health Care Staffing Services certification:
Human Resources Standards
- HR.01.02.05: Primary source verification of licensure, certification, registration
- HR.01.02.05: Education verification for positions requiring specific degrees
- HR.01.02.05: Work history verification covering the most recent five years
- HR.01.02.07: Clinical competency assessment with specialty-specific skills checklists
- HR.01.02.07: Clinical references from recent supervisors (minimum two)
- HR.01.04.01: Ongoing monitoring of licensure status (daily automated preferred)
- HR.01.04.01: Ongoing monitoring of certifications (BLS, ACLS, PALS, NRP)
- HR.01.04.01: Documentation of actions taken on monitoring findings
Leadership Standards
- LD.03.06.01: Quality improvement program with measurable metrics
- LD.03.06.01: Incident tracking and corrective action documentation
- LD.03.06.01: Client satisfaction monitoring and response process
Information Management
- IM.01.01.03: Credential data integrity controls
- IM.01.01.03: Audit trail for all credential file access and modifications
- IM.01.01.03: Data retention policies compliant with state and federal requirements
State-Level Requirements
State requirements vary significantly. Your agency must comply with every state where you place nurses and every state where your nurses hold licenses.
Licensing and Registration
- Agency licensure in each state that requires staffing agency registration (currently 32 states plus DC)
- State-specific credentialing requirements documented per state of placement
- Nurse Licensure Compact (NLC) tracking with current compact member state list
- State board of nursing reporting requirements for adverse events or credential issues
State-Specific Background Check Requirements
- State criminal background check per each state's requirements (some require state-specific checks in addition to national)
- Sex offender registry check (required in most states)
- Abuse registry check (required in many states for healthcare workers)
- Fingerprint-based background check (required in some states such as California, New York)
Mandatory Reporting
- Abuse and neglect reporting training documentation for placed nurses
- State-specific mandatory reporter training where required by law
- Documentation of compliance with state-specific reporting requirements
Facility-Specific Requirements
Each client facility may impose requirements beyond federal and state mandates.
- Facility-specific orientation documentation signed by nurse and facility representative
- Facility-specific competency requirements beyond standard skills checklists
- Facility-specific immunization requirements (some exceed CMS minimums)
- Facility credentialing deadlines documented and tracked per contract
- Facility-specific drug screening panels (7-panel, 10-panel, 12-panel per contract)
- Professional liability insurance meeting facility minimum requirements
- Facility-specific EMR training documentation where required
Operational Compliance Processes
Beyond document requirements, your agency must demonstrate systematic compliance processes.
Credential File Management
- Standardized credential file structure across all nurse records
- Document indexing system showing required vs. obtained credentials per nurse
- Expiration tracking system with automated alerts at J-90, J-60, J-30, J-14, J-7, J-0
- Escalation procedures for unresolved credential gaps
- Credential file completeness reporting with real-time dashboard
- Document retention schedule compliant with state and federal requirements (typically 7-10 years)
Ongoing Monitoring
- Daily license status verification via Nursys or primary source
- Monthly OIG/SAM exclusion screening with documented results
- Annual re-verification of education and work history for long-term placements
- Continuous certification tracking with renewal alerts
- Disciplinary action monitoring via Nursys e-Notify or equivalent
Incident Management
- Written incident response procedures for compliance failures
- Root cause analysis process for credential-related incidents
- Corrective action documentation with timeline and accountability
- Client notification procedures for compliance issues affecting placed nurses
- Regulatory reporting procedures where required by law
Quality Improvement
- Key performance indicators tracked monthly (time-to-credential, compliance rate, incident count)
- Quarterly compliance review with documented findings and actions
- Annual compliance program assessment with recommendations
- Staff training records showing annual compliance education
Technology Requirements
Manual processes cannot reliably satisfy the scope of these requirements at scale. Essential technology:
- Credential management platform with automated tracking and alerts
- Primary source verification integration (Nursys, state boards)
- OIG/SAM automated screening with scheduling and documentation
- Background check vendor integration for streamlined results intake
- Nurse self-service portal for document uploads and status tracking
- ATS integration (Bullhorn, BlueSky, or equivalent) for workflow continuity
- Audit-ready report generation producing complete credential files on demand
- Role-based access controls with audit logging
- Data encryption for PHI at rest and in transit
- Disaster recovery and business continuity for credential data
Annual Compliance Calendar
| Month | Action |
|---|---|
| January | Annual compliance program assessment; update policies |
| February | State licensure renewal check (varies by state) |
| March | Q1 compliance metrics review |
| April | TJC audit preparation (if applicable) |
| May | HIPAA training refresh cycle begins |
| June | Q2 compliance metrics review; mid-year incident review |
| July | NLC membership update check; state requirement changes review |
| August | Annual competency assessment cycle begins for long-term placements |
| September | Q3 compliance metrics review |
| October | Insurance policy review and renewal |
| November | Annual training schedule for next year |
| December | Year-end compliance report; document retention review |
Getting Started
This checklist contains over 80 individual compliance items. If your agency is not tracking all of them systematically, you are carrying risk that can be quantified in lost contracts and regulatory exposure.
Download the interactive version of this checklist with built-in tracking, priority scoring, and gap analysis. Map your current state against every requirement and identify where your compliance program has exposure.
