Under ostensible agency, the liability for a provider's credentialing decisions stems from what key factor?

The key factor is the appearance of control by the MCO. In ostensible (agency by appearance) liability, what matters is what a third party reasonably believes about who has authority. If the MCO’s actions, statements, or practices make it seem as though the MCO directs or controls how a provider’s credentialing decisions are made, others may rely on that impression and hold the MCO responsible for those decisions. The actual contract between the provider and the MCO or the provider’s internal arrangements aren’t what trigger this liability; it’s the perceived authority created by the MCO’s conduct. The other options don’t fit because they involve unrelated elements: a formal contract alone doesn’t automatically create ostensible authority unless it projects the MCO as controlling credentialing; patient confidentiality breaches and agreements with federal regulators do not pertain to the authority to credential.