OIG Exclusion List Screening for Provider Credentialing: The Complete Step-by-Step Guide

By Super Admin | 32 min read

Key Takeaways

  • Employing or contracting with an excluded individual can trigger Civil Monetary Penalties of $100,000 per item or service billed, plus treble damages and program exclusion for the organization itself.
  • NCQA credentialing standards now require monthly exclusion screening, not just at initial credentialing and recredentialing.
  • Five separate databases must be checked: OIG LEIE, SAM.gov, NPDB, state Medicaid exclusion lists, and state licensing boards.
  • Every person who touches federal healthcare dollars must be screened, including physicians, nurses, billing staff, contractors, board members, and even vendors.
  • If you discover a match, you have 60 days from the date of the overpayment identification to report and return funds to CMS, or you face additional penalties under the False Claims Act.
  • False positives are common (roughly 2% to 5% of initial screens), and your organization needs a documented process for resolving them quickly.

Maria Delgado had been the compliance officer at Valley Physicians Medical Group in Phoenix for six years when the call came. A routine internal audit had flagged something unusual: a locum tenens physician who had been covering weekend shifts in their urgent care clinic for the past four months was listed on the OIG's List of Excluded Individuals and Entities. The physician had been excluded three years earlier following a Medicaid fraud conviction in another state. Nobody at Valley Physicians had checked. The physician's staffing agency had not disclosed it. And in those four months, the clinic had billed Medicare and Medicaid for 847 patient encounters under that provider's name.

The math was devastating. At $100,000 per item or service, the theoretical maximum penalty exposure exceeded $84 million. Even after negotiation, Valley Physicians settled for $1.2 million, terminated the staffing agency contract, and spent the next eighteen months under a Corporate Integrity Agreement that required monthly reporting to the OIG. Maria kept her job, but she later told colleagues that the experience changed everything about how she approached credentialing. "We were doing exclusion checks at hire and at recredentialing," she said. "That was every three years. It was nowhere near enough."

This scenario is not rare. The OIG adds approximately 3,000 to 4,000 individuals and entities to its exclusion list every year. Organizations that screen only during initial credentialing and recredentialing leave gaps of 24 to 36 months where a provider, employee, or contractor could be excluded without anyone in the organization knowing. And the penalties for billing federal healthcare programs for services provided by excluded individuals are among the most severe in all of healthcare compliance.

This guide walks through every step of the exclusion screening process: what to check, how to check it, who needs to be screened, how to document results, and exactly what to do if you find a match.


Why Exclusion Screening Is the Highest Stakes Check in Credentialing

Of all the verification steps in the credentialing process, exclusion screening carries the most immediate financial risk. A lapsed board certification might delay a provider's enrollment. An expired DEA registration can be renewed. But billing for services rendered by an excluded individual triggers automatic liability under federal law, regardless of whether the organization knew about the exclusion.

This is a strict liability standard. The OIG does not need to prove that your organization intentionally hired an excluded person. The mere fact that services were billed to a federal healthcare program and an excluded individual was involved in providing, ordering, or prescribing those services creates the violation.

The statute (Section 1128A of the Social Security Act) imposes penalties that scale with volume. Every claim, every line item, every prescription written by an excluded provider during the period of noncompliance counts as a separate violation. For a busy primary care physician seeing 25 patients per day, even a three month gap between exclusion and detection could generate thousands of individual violations.

This is why exclusion screening occupies a unique position in credentialing. It is not just a quality check or a best practice recommendation. It is the single verification that, if missed, can destroy an organization financially in a matter of months.

The OIG's authority to exclude individuals and entities from federal healthcare programs comes from two sections of the Social Security Act. Section 1128(a) covers mandatory exclusions, which the OIG must impose. Section 1128(b) covers permissive exclusions, which the OIG may impose at its discretion.

Mandatory exclusions apply to individuals convicted of:

  • Medicare or Medicaid fraud
  • Patient abuse or neglect in connection with healthcare delivery
  • Felony convictions related to healthcare fraud
  • Felony convictions related to controlled substances

Permissive exclusions cover a broader range of conduct, including misdemeanor fraud convictions, license revocation, default on Health Education Assistance Loans, and controlling interest in a sanctioned entity. The OIG exercises this authority frequently: in fiscal year 2023 alone, the office excluded 2,640 individuals and entities.

Once excluded, an individual cannot participate in any federal healthcare program in any capacity. That includes Medicare, Medicaid, TRICARE, CHIP, and all other programs funded by the federal government. The exclusion applies not just to direct patient care but to any role that touches federal healthcare dollars, including administrative, billing, and management positions.

What the OIG LEIE Actually Is and How It Works

The List of Excluded Individuals and Entities (LEIE) is the OIG's public database of every person and organization currently excluded from participation in federal healthcare programs. The database is updated monthly, typically on or around the 20th of each month, and is freely searchable online.

The LEIE contains basic identifying information for each excluded party: name, general location (city and state), NPI number (if applicable), date of birth (partial), exclusion type, and exclusion date. For organizations, it includes the legal entity name, doing business as (DBA) names, and EIN when available.

How to Access the LEIE

The OIG provides three methods for searching the LEIE:

Online search. The simplest method. Go to exclusions.oig.hhs.gov and enter a name or NPI. Results appear immediately. This is adequate for individual lookups but impractical for organizations screening hundreds or thousands of individuals.

Downloadable database. The OIG publishes the entire LEIE as a downloadable file (updated monthly) in CSV format. Organizations can download this file and run batch comparisons against their workforce roster. This is the preferred method for organizations with more than 50 individuals to screen.

API access. For larger organizations or those using automated compliance software, the OIG offers an API that allows programmatic queries against the LEIE. This enables real time screening integrated directly into credentialing and HR workflows.

Understanding Exclusion Types

Each LEIE entry includes an exclusion authority code that indicates why the individual was excluded. The most common codes are:

  • 1128(a)(1): Conviction of program related crimes (minimum 5 year exclusion)
  • 1128(a)(2): Conviction related to patient abuse (minimum 5 year exclusion)
  • 1128(a)(3): Felony conviction for healthcare fraud (minimum 5 year exclusion)
  • 1128(a)(4): Felony conviction for controlled substance (minimum 5 year exclusion)
  • 1128(b)(4): License revocation or suspension (exclusion concurrent with state action)
  • 1128(b)(7): Fraud, kickbacks, or other prohibited activities (variable length)

The exclusion type matters because it affects the minimum exclusion period and the reinstatement process. Mandatory exclusions under 1128(a) carry minimum five year terms. Some permissive exclusions under 1128(b) have shorter minimums, but reinstatement is never automatic. The excluded individual must affirmatively apply to the OIG for reinstatement after the minimum period expires.

The Financial Consequences of Missing an Excluded Provider

The penalties for employing or contracting with an excluded individual and billing federal programs are structured to be catastrophic. This is by design. The OIG uses these penalties as a deterrent, and the amounts are calibrated to exceed any possible benefit an organization might gain from the arrangement.

Civil Monetary Penalties

Under 42 USC 1320a-7a, the OIG can impose Civil Monetary Penalties (CMPs) of up to $100,000 for each item or service furnished by an excluded individual and billed to a federal healthcare program. Prior to 2017, the per item penalty was $10,000. The Bipartisan Budget Act of 2018 increased it tenfold.

To understand the scale: if an excluded physician sees 20 Medicare patients per day, five days per week, for three months before detection, that is approximately 1,300 claims. At $100,000 per claim, the theoretical penalty exposure is $130 million. In practice, the OIG negotiates settlements below the statutory maximum, but even settlements routinely reach seven and eight figures.

Treble Damages

In addition to the per item penalty, the OIG can assess damages of up to three times the amount paid by federal programs for items or services involving the excluded individual. If Medicare paid $500,000 for services rendered by an excluded provider over a twelve month period, the treble damages alone could reach $1.5 million, on top of the per item penalties.

Program Exclusion for the Organization

Perhaps the most devastating consequence is that the organization itself can be excluded from federal healthcare programs. For a hospital or large medical group, exclusion from Medicare and Medicaid is effectively a death sentence. No healthcare organization of significant size can survive without federal program revenue. The threat of organizational exclusion gives the OIG enormous negotiating power in settlement discussions.

Corporate Integrity Agreements

Even when the OIG does not pursue the maximum penalties, settlements almost always include a Corporate Integrity Agreement (CIA) that imposes extensive compliance obligations for a period of three to five years. CIAs typically require the organization to hire an independent compliance monitor, implement specific screening protocols, submit regular reports to the OIG, and undergo annual audits at the organization's expense. The cost of CIA compliance alone can run $500,000 to $2 million per year.

NCQA 2025 Monthly Screening Requirements

For organizations seeking or maintaining NCQA accreditation for their credentialing programs, the standards have become significantly more stringent regarding exclusion screening. If you are preparing for an NCQA review, our NCQA credentialing standards guide covers all the recent changes in detail.

What Changed

Prior NCQA standards required exclusion screening at initial credentialing and at recredentialing (every three years). The updated standards now explicitly require organizations to perform OIG and SAM.gov exclusion checks on a monthly basis for all credentialed providers.

This change reflects what compliance experts had been recommending for years. A three year screening interval is dangerously inadequate. Providers can be excluded at any time between credentialing cycles, and the organization remains liable for every claim submitted during the gap between exclusion and detection.

Monthly Screening Protocol Under NCQA

To meet the current NCQA standard, your organization must:

  1. Download the updated LEIE and SAM.gov exclusion files monthly (or use an automated screening tool that performs monthly checks)
  2. Screen every credentialed provider against both databases within the same calendar month
  3. Document the date of each screen, the databases checked, and the results
  4. Maintain evidence that negative results (no match found) were recorded, not just positive matches
  5. Have a documented process for immediate action if a match is identified

The documentation requirement is critical. During an NCQA survey, reviewers will ask to see evidence of monthly screening for randomly selected providers. If you cannot produce documentation showing that a specific provider was screened in a specific month, the screen is treated as if it did not occur.

Beyond NCQA: CMS and State Requirements

Even organizations that do not hold NCQA accreditation face screening requirements from other sources. CMS requires Medicare Advantage organizations and Medicaid managed care plans to screen their provider networks against the LEIE and SAM.gov. Many state Medicaid programs impose their own screening requirements, sometimes with frequencies that exceed the NCQA standard.

The safest approach, regardless of which accreditation or regulatory framework applies to your organization, is monthly screening of all individuals against all five major databases.

Five Databases You Must Check (Not Just the OIG List)

The OIG LEIE is the most well known exclusion database, but it is only one of five sources that a thorough screening process must include. Checking only the LEIE leaves significant gaps. An individual might be excluded at the state level but not yet at the federal level, or might have a sanction recorded in the NPDB that has not resulted in an OIG exclusion.

1. OIG LEIE (List of Excluded Individuals and Entities)

  • URL: exclusions.oig.hhs.gov
  • Updated: Monthly (around the 20th)
  • Coverage: All federally excluded individuals and entities
  • Cost: Free

This is the primary federal exclusion database. Every screening cycle must include a LEIE check. As noted above, it can be searched individually online, downloaded as a flat file for batch processing, or queried via API.

2. SAM.gov (System for Award Management)

  • URL: sam.gov
  • Updated: Daily
  • Coverage: Debarred, suspended, proposed for debarment, and excluded parties across all federal programs (not just healthcare)

SAM.gov is broader than the LEIE. It covers exclusions across all federal agencies, not just the OIG. An individual might appear in SAM.gov for fraud related to a federal contract outside of healthcare, and that exclusion would still prohibit participation in federal healthcare programs. SAM.gov also includes the General Services Administration (GSA) excluded parties list, which was previously maintained separately.

3. NPDB (National Practitioner Data Bank)

  • URL: npdb.hrsa.gov
  • Updated: Continuously (reports added as received)
  • Coverage: Medical malpractice payments, adverse actions, and negative actions or findings by federal and state agencies
  • Cost: Querying requires enrollment and per query fees

The NPDB is not technically an exclusion list, but it contains information that is directly relevant to exclusion screening. Adverse actions reported to the NPDB include state licensing board actions, clinical privileges restrictions, professional society membership actions, Medicare/Medicaid exclusions, and DEA actions. If you are building a comprehensive credentialing audit trail, the NPDB query is an essential component.

NPDB queries are required at initial credentialing and recredentialing under NCQA standards. While monthly NPDB queries are not currently required, many organizations perform them quarterly as a supplemental screening measure.

4. State Medicaid Exclusion Lists

  • Updated: Varies by state (monthly to quarterly)
  • Coverage: Individuals excluded from the state's Medicaid program

Every state maintains its own Medicaid exclusion list, separate from the federal LEIE. A provider can be excluded from a state Medicaid program without being excluded from federal programs, particularly in the early stages of an investigation. State lists are especially important for organizations that bill Medicaid, because state Medicaid agencies can impose penalties independently of the OIG.

The challenge with state exclusion lists is that there is no single national repository. Each state publishes its list in its own format, on its own schedule, and at its own URL. Organizations operating in multiple states must track and check each relevant state list individually.

5. State Licensing Board Verification

  • Updated: Varies by board
  • Coverage: License status, disciplinary actions, restrictions

State licensing boards are not exclusion databases per se, but a license revocation or suspension is both a disqualifying credentialing event and a potential indicator of an impending OIG exclusion (since license revocation is a basis for permissive exclusion under 1128(b)(4)). Checking licensing board status during monthly exclusion screening catches issues that might not yet appear in the LEIE. For a broader view of everything to verify during credentialing, see our credentialing checklist for new practices.

Who Exactly Needs to Be Screened

One of the most common mistakes organizations make is screening only their credentialed providers. The OIG's exclusion prohibition applies to any individual or entity that receives federal healthcare program funds or that provides items or services for which federal healthcare program payment may be made. That scope is far broader than the medical staff.

Providers and Clinical Staff

This category is obvious but bears emphasizing: every physician, nurse practitioner, physician assistant, therapist, counselor, pharmacist, and other licensed clinician must be screened. This includes locum tenens, temporary staff, moonlighting physicians, and telehealth providers who may not be physically present at your facility.

Non Clinical Employees

Billing specialists, coders, front desk staff, medical records personnel, IT staff with access to billing systems, and any other employee whose work supports the submission of claims to federal programs must be screened. The OIG has consistently taken the position that the exclusion applies to anyone who is "involved in" providing items or services to federal program beneficiaries, and it interprets "involved in" broadly.

Contractors and Temporary Staff

Staffing agency personnel, independent contractors, consultants, and any temporary worker must be screened before they begin work and on an ongoing monthly basis. The Valley Physicians scenario described at the beginning of this article is a textbook example: the staffing agency failed to disclose the physician's exclusion, and the organization failed to independently verify. Both parties bore liability.

Board Members and Owners

Individuals with an ownership or controlling interest in the organization must be screened. If an excluded individual holds a 5% or greater ownership stake, the organization itself may be subject to exclusion. Board members, officers, and managing employees are also subject to screening.

Vendors and Suppliers

Pharmaceutical representatives, medical device sales representatives, laboratory service providers, durable medical equipment suppliers, and other vendors who provide items or services billed to federal programs should be screened. While the practical risk is lower with vendors (since claims are typically submitted by the provider, not the vendor), an excluded vendor can still create liability if the items they supply are billed to Medicare or Medicaid.

Step by Step: How to Run a Complete Exclusion Check

The screening process itself is straightforward once you have a system in place. The difficulty lies in doing it consistently, documenting it properly, and acting quickly when a match is found. Here is the step by step process for running a complete monthly exclusion cycle.

Step 1: Maintain a Current Roster

Before you can screen anyone, you need a complete and current list of every individual who requires screening. This roster should include:

  • Full legal name (including maiden names and aliases)
  • Date of birth
  • Social Security Number (for internal matching only; never transmitted to external databases)
  • NPI number (for licensed providers)
  • State of licensure
  • Role/position
  • Hire or contract start date
  • Status (active, on leave, terminated)

The roster must be updated continuously. New hires, new contractors, and new credentialed providers should be added immediately upon engagement. Terminated individuals can be removed after their final date of service and after any pending claims have been processed.

Step 2: Download Current Database Files

At the beginning of each monthly screening cycle:

  1. Download the current LEIE file from exclusions.oig.hhs.gov (look for the "Updated LEIE Database" link)
  2. Download the current SAM.gov exclusion records (requires a registered SAM.gov account)
  3. Obtain current state Medicaid exclusion lists for each state in which your organization operates
  4. Note the download date for each file; this becomes part of your documentation

Step 3: Run the Comparison

Match your roster against each downloaded database. Matching should be performed using multiple identifiers to reduce both false positives and false negatives:

  • Primary match: Last name + first name + date of birth
  • Secondary match: NPI number (for providers)
  • Tertiary match: Last name + state + exclusion date range (to catch name variations)

If you are using the LEIE flat file and a spreadsheet, a VLOOKUP or INDEX/MATCH formula on the name fields is the simplest approach. For larger organizations, a database query joining your roster table to the exclusion file on multiple fields is more reliable.

Automated screening software performs this matching continuously and flags potential matches for human review. If your organization screens more than 200 individuals, investing in an automated solution typically pays for itself in staff time savings within the first year.

Step 4: Review Potential Matches

Any name that matches between your roster and an exclusion database must be manually reviewed to determine whether it is a true match or a false positive. This review should compare:

  • Full name (including middle name or initial)
  • Date of birth
  • NPI number
  • State of residence or practice
  • Physical description or photo (if available from the licensing board)

Do not dismiss a match without documenting the basis for the dismissal. "The middle initial didn't match" is a valid reason, but it must be written down and included in the screening record.

Step 5: Document Everything

For each monthly screening cycle, create a record that includes:

  • Date of screening
  • Name and version of each database checked
  • Total number of individuals screened
  • Number of potential matches identified
  • Disposition of each potential match (confirmed match, false positive, or pending investigation)
  • Name and title of the person who performed the screening
  • Name and title of the person who reviewed and approved the results

This documentation must be retained for a minimum of ten years (matching the OIG's look back period for False Claims Act cases) and must be producible on request during an audit, survey, or investigation.
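The monthly cycle in Steps 1 through 5, sketched in Python as an added example (not code from the original article or from any OIG tool). The LEIE column names, the all-zero NPI placeholder, the roster fields and every sample record are assumptions constructed for illustration, and the tertiary tier's "exclusion date range" is read as an optional window on the exclusion date.

```python
import csv
import io
import re
from datetime import date

# Constructed sample rows. Column names are an assumption modelled on the LEIE
# download; confirm them against the header row of the file you actually use.
LEIE_CSV = """\
LASTNAME,FIRSTNAME,MIDNAME,NPI,DOB,STATE,EXCLTYPE,EXCLDATE
DOE,JANE,Q,0000000000,19700312,AZ,1128a1,20210520
ROE,RICHARD,,1234567890,19650101,OH,1128b4,20220818
O'NEIL,PAT,,0000000000,19801130,AZ,1128b7,20230119
"""

# Constructed roster (Step 1). It carries no SSN: that stays in the HR system.
ROSTER = [
    {"id": "E001", "last": "Doe", "first": "Jane", "dob": "1970-03-12", "npi": "", "state": "AZ"},
    {"id": "E002", "last": "Roe-Smith", "first": "Rick", "dob": "1965-01-01",
     "npi": "1234567890", "state": "OH"},
    {"id": "E003", "last": "ONeil", "first": "Patricia", "dob": "1991-07-04", "npi": "", "state": "AZ"},
    {"id": "E004", "last": "Nguyen", "first": "Linh", "dob": "1988-02-02",
     "npi": "1999999999", "state": "AZ"},
]


def norm_name(value):
    """Uppercase and drop everything but letters so O'NEIL and ONeil compare equal."""
    return re.sub(r"[^A-Z]", "", (value or "").upper())


def digits(value):
    """Keep digits only, so 1970-03-12 and 19700312 compare equal."""
    return re.sub(r"\D", "", value or "")


def real_npi(value):
    """Return a 10-digit NPI, or '' for blanks and the all-zero placeholder (assumed)."""
    npi = digits(value)
    return npi if len(npi) == 10 and npi.strip("0") else ""


def load_exclusions(text):
    """Parse an exclusion file into normalized records (Step 2)."""
    return [{"last": norm_name(r["LASTNAME"]), "first": norm_name(r["FIRSTNAME"]),
             "dob": digits(r["DOB"]), "npi": real_npi(r["NPI"]),
             "state": r["STATE"].strip().upper(),
             "excl_type": r["EXCLTYPE"], "excl_date": digits(r["EXCLDATE"])}
            for r in csv.DictReader(io.StringIO(text))]


def match_tier(person, excl, excl_range=None):
    """Return the strongest Step 3 tier that links person to excl, or None."""
    last, first = norm_name(person["last"]), norm_name(person["first"])
    if (last, first, digits(person["dob"])) == (excl["last"], excl["first"], excl["dob"]):
        return "primary"
    npi = real_npi(person["npi"])
    if npi and npi == excl["npi"]:
        return "secondary"
    # Assumption: the "exclusion date range" is an optional (start, end) window in YYYYMMDD.
    in_range = excl_range is None or excl_range[0] <= excl["excl_date"] <= excl_range[1]
    if last == excl["last"] and person["state"].upper() == excl["state"] and in_range:
        return "tertiary"
    return None


def screen(roster, exclusions, database, file_date, screened_on, excl_range=None):
    """Build the Step 5 log: one row per hit, plus one row per person with no hit."""
    log = []
    for person in roster:
        base = {"roster_id": person["id"], "database": database,
                "file_date": file_date, "screened_on": screened_on.isoformat()}
        hits = [(match_tier(person, e, excl_range), e) for e in exclusions]
        hits = [(tier, e) for tier, e in hits if tier]
        for tier, e in hits:
            # A hit is only a potential match until a person reviews it (Step 4).
            log.append({**base, "result": "potential match", "tier": tier,
                        "excl_type": e["excl_type"], "excl_date": e["excl_date"],
                        "disposition": "pending review"})
        if not hits:
            # Negative results are recorded too, so the screen can be proven later.
            log.append({**base, "result": "no match", "tier": "", "excl_type": "",
                        "excl_date": "", "disposition": "cleared"})
    return log


def summarize(log):
    """Counts for the cycle record: individuals screened and potential matches."""
    return {"screened": len({row["roster_id"] for row in log}),
            "potential_matches": sum(row["result"] == "potential match" for row in log)}


if __name__ == "__main__":
    cycle = screen(ROSTER, load_exclusions(LEIE_CSV), "OIG LEIE", "2025-01-20", date(2025, 1, 22))
    for row in cycle:
        print(row["roster_id"], row["result"], row["tier"], row["disposition"])
    print(summarize(cycle))
```

In the sample, E002 is linked only by NPI and E003 only by last name and state, so a join on name fields alone would miss the first, and the second is the kind of hit the Step 4 review exists to resolve.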

Documentation Requirements for Every Screen

Documentation is where many organizations fail, even when they are performing the actual screens correctly. The compliance value of exclusion screening is only as strong as the evidence that it was performed. If you cannot prove you screened a specific individual on a specific date, regulators and accrediting bodies will treat it as if the screen never happened.

What to Document for Each Screening Cycle

Create a standardized screening log that captures the following for every monthly cycle:

Cycle information:

  • Screening period (month/year)
  • Date screening was initiated
  • Date screening was completed
  • Databases used (with version dates or download dates)

Results summary:

  • Total individuals on roster
  • Total individuals screened
  • Number of potential matches
  • Number confirmed as true matches
  • Number confirmed as false positives
  • Number still under investigation

Attestation:

  • Screener name and title
  • Reviewer name and title (must be different from screener)
  • Signatures or electronic attestation

Retention Requirements

Federal and state retention requirements vary, but the safest practice is to retain all exclusion screening documentation for ten years. This aligns with the statute of limitations for False Claims Act cases (six years from the date of the violation, or three years from the date the government knew or should have known, up to a maximum of ten years after the violation). Organizations subject to Corporate Integrity Agreements may have specific retention requirements that exceed this baseline.

Integrate your screening documentation into your broader recredentialing and deadline tracking system to ensure nothing falls through the cracks during audit preparation.

What to Do When You Find a Match

Discovering that an employee, contractor, or credentialed provider is on an exclusion list is a crisis that demands immediate, structured action. The steps you take in the first 48 hours determine whether the situation results in a manageable compliance issue or an organization threatening enforcement action.

Immediate Actions (First 48 Hours)

1. Verify the match. Before taking any other action, confirm that the match is real and not a false positive. Compare all available identifiers. If the match is confirmed, proceed immediately to step 2.

2. Remove the individual from all federal program activities. The excluded individual must immediately stop providing, ordering, prescribing, or certifying any items or services that could be billed to Medicare, Medicaid, or any other federal healthcare program. This does not necessarily mean immediate termination (depending on employment law considerations), but it does mean complete separation from any activity connected to federal healthcare program billing. Reassignment to non federal program duties may be possible in some cases, but consult legal counsel before relying on this approach.

3. Notify leadership and legal counsel. The compliance officer, CEO, general counsel, and board (if applicable) must be notified immediately. This is not a situation that should be managed at the department level.

4. Preserve all records. Place a litigation hold on all records related to the excluded individual, including employment records, credentialing files, billing records, and screening documentation.

The 60 Day Repayment Rule

Under Section 6402(a) of the Affordable Care Act, once an organization identifies an overpayment (including payments received for services provided by an excluded individual), it has 60 days to report and return the overpayment to the applicable federal healthcare program. Failure to return the overpayment within this window converts the overpayment into a False Claims Act obligation, which carries penalties of $11,000 to $23,000 per claim plus treble damages.

The 60 day clock starts when the overpayment is "identified," which the CMS final rule defines as the date the organization has, or should have through reasonable diligence, determined that it received an overpayment and quantified the amount. In practice, this means you cannot delay the clock by dragging out your internal investigation. Once you know a match is confirmed, the 60 day period is running.

Calculating the Overpayment

To determine the amount that must be returned, identify every claim submitted to federal healthcare programs that involved the excluded individual during the exclusion period. This includes:

  • Claims where the excluded individual was the rendering provider
  • Claims where the excluded individual ordered the service
  • Claims where the excluded individual prescribed the medication
  • Claims where the excluded individual supervised the service

Aggregate the total amount paid by federal programs for all identified claims. This is the overpayment amount that must be reported and returned within the 60 day window.

Reporting to the OIG

In addition to returning the overpayment to CMS (or the relevant state Medicaid agency), organizations must consider whether to self disclose the situation to the OIG through the Self Disclosure Protocol. Self disclosure is not strictly required in all cases, but it can significantly reduce the penalties the OIG ultimately imposes. Organizations that self disclose and cooperate with the OIG's review typically receive more favorable settlement terms than those that are discovered through audits or investigations.

Handling False Positives Without Losing Your Mind

False positives are an inevitable part of exclusion screening, and they can create significant operational disruption if not handled efficiently. Common last names, data entry errors, and the limited matching fields available in exclusion databases all contribute to false matches.

Common Causes of False Positives

  • Common names. "John Smith" will match dozens of entries in the LEIE. Without additional identifiers (date of birth, NPI, state), distinguishing between them is impossible.
  • Name variations. A provider credentialed as "Robert Johnson" might appear in the LEIE as "Bob Johnson" or "R. Johnson."
  • Data entry errors. Misspelled names or incorrect dates of birth in either your roster or the exclusion database can create or mask matches.
  • Partial matches. Some screening tools flag partial name matches (same last name, similar first name), which increases sensitivity but also increases false positive volume.

Building a False Positive Resolution Process

Your organization needs a documented procedure for resolving potential matches within a defined timeframe (48 to 72 hours is the standard recommendation). The resolution process should include:

  1. Initial comparison of all available identifiers (full name, date of birth, NPI, SSN last four, state)
  2. Secondary verification using state licensing board records, which typically include photos and detailed demographic information
  3. Direct contact with the individual if identifiers are insufficient to confirm or deny the match
  4. Documented disposition recording the basis for the determination, the identifiers compared, and the person who made the final call
  5. Supervisor review of all false positive determinations before the file is closed

Keep a running log of resolved false positives. If the same individual triggers a false positive every month (because they share a name with an excluded individual), document the basis for clearance once and reference that documentation in subsequent months. This saves time and creates a clean audit trail.

Real Enforcement Cases That Changed the Industry

The OIG's exclusion enforcement actions provide concrete examples of how quickly and severely the penalties accumulate. These cases are not hypothetical scenarios; they are documented settlements that reshaped compliance programs across the industry.

Tuomey Healthcare System: $237 Million

The Tuomey Healthcare System case in Sumter, South Carolina, is perhaps the most frequently cited enforcement action in credentialing compliance circles. While the case centered primarily on Stark Law violations (improper physician compensation arrangements), the exclusion screening failures that emerged during the investigation highlighted systemic compliance gaps. Tuomey ultimately paid $237 million in penalties and damages, a sum that exceeded the hospital's annual revenue and forced it to close its doors permanently in 2017.

The Tuomey case demonstrated that compliance failures rarely exist in isolation. Organizations with weak exclusion screening processes tend to have weak compliance programs overall, and when investigators start pulling threads, the scope of violations expands rapidly.

Halifax Hospital Medical Center: $85 Million

Halifax Hospital Medical Center in Daytona Beach, Florida, agreed to pay $85 million to settle False Claims Act allegations that included employing and billing for services provided by individuals who were excluded from federal healthcare programs. The settlement also covered allegations of improper physician compensation and unnecessary admissions, but the exclusion screening failures were a significant component of the government's case.

Smaller Organizations Are Not Immune

While the headline cases involve large hospital systems, the OIG regularly pursues enforcement actions against small practices, clinics, and individual providers. In 2023, a three-physician primary care practice in Ohio paid $340,000 to settle allegations that it had employed an excluded medical assistant for fourteen months. The medical assistant's duties included drawing blood, administering injections, and processing insurance authorizations, all of which were considered "items or services" under the exclusion statute.

The message is clear: no organization is too small to face enforcement action. If you bill federal healthcare programs and you employ or contract with an excluded individual, you are exposed, regardless of your size.

Integrating Exclusion Screening Into Your Credentialing Workflow

Exclusion screening should not exist as a standalone compliance activity. It must be woven into the credentialing and privileging workflow at multiple touchpoints to ensure continuous coverage.

At Initial Credentialing

Exclusion screening is one of the primary source verifications required during initial credentialing. Before any provider is approved for participation:

  1. Run a full five-database exclusion check
  2. Document results in the credentialing file
  3. Flag any potential matches for immediate review
  4. Do not issue privileges or execute contracts until the screen is clear
  5. Record the screening date in the credentialing tracking system

At Recredentialing

The same five-database check must be performed during every recredentialing cycle. Because recredentialing occurs every two to three years (depending on the organization and applicable standards), the recredentialing screen serves as a formal checkpoint, but it should not be the only time screening occurs.

Monthly Ongoing Screening

Between credentialing and recredentialing, monthly screening ensures continuous compliance. The monthly process should be:

  1. Automated if possible (batch file comparison or integrated screening tool)
  2. Completed within the first ten business days of each month
  3. Documented with the same rigor as initial credentialing screens
  4. Reviewed by a designated compliance staff member
  5. Reported to the compliance committee quarterly (aggregate results, any matches found, any process improvements)

At Hire (Non-Provider Staff)

Human Resources must incorporate exclusion screening into the standard hiring process for all positions. The screen should occur after a conditional offer of employment is extended but before the new employee begins work. This mirrors the approach used for background checks and drug screening.

At Contract Execution (Vendors and Contractors)

Before executing any contract with a vendor, supplier, or independent contractor who will provide items or services billed to federal programs, run a full exclusion screen. Include a contractual provision requiring the vendor to notify your organization within 24 hours if any of their employees or subcontractors are excluded during the term of the contract.

Integrating With Your Credentialing Software

If your organization uses credentialing management software (as recommended in our audit preparation guide), configure the system to:

  • Trigger automatic exclusion checks at every credentialing milestone
  • Send alerts when monthly screening is due
  • Store screening results directly in the provider's credentialing file
  • Generate reports showing screening compliance rates by month
  • Flag providers who were not screened in a given month for immediate follow-up

For organizations looking to build or improve their credentialing infrastructure, our credentialing platform includes built-in exclusion screening workflows that align with NCQA standards.

Complete Exclusion Screening Checklist

Use this checklist to verify that your organization's exclusion screening program covers all requirements. Review it quarterly and update it whenever regulations or accreditation standards change.

Governance and Policy

  • Written exclusion screening policy approved by the compliance committee or board
  • Policy specifies screening frequency (monthly minimum for NCQA compliance)
  • Policy defines who must be screened (providers, staff, contractors, vendors, board members, owners)
  • Policy identifies all databases to be checked (OIG LEIE, SAM.gov, NPDB, state Medicaid lists, licensing boards)
  • Policy includes a documented procedure for immediate action when a match is confirmed
  • Policy addresses the 60-day repayment rule and self-disclosure protocol
  • Policy assigns specific staff responsibility for conducting and documenting screens
  • Policy is reviewed and updated annually

Monthly Screening Process

  • Complete roster of all individuals requiring screening is maintained and current
  • LEIE database file downloaded and dated each month
  • SAM.gov exclusion records downloaded and dated each month
  • State Medicaid exclusion lists obtained for all states of operation
  • State licensing board statuses verified for all licensed providers
  • All roster individuals compared against all databases
  • Potential matches reviewed and resolved within 48 to 72 hours
  • Results documented with screener name, date, databases used, and disposition
  • Supervisor review and sign-off completed for each screening cycle
  • Documentation filed in a retrievable format with ten-year retention

New Hire and New Provider Screening

  • Exclusion screening completed before first day of work or first date of service
  • Screen results documented in the individual's HR or credentialing file
  • Any positive match triggers an immediate hold on employment or contracting
  • Screening results shared with credentialing committee (for providers) or HR leadership (for staff)

Vendor and Contractor Screening

  • All vendors providing items or services billed to federal programs are screened before contract execution
  • Contracts include a clause requiring vendor self-disclosure of any exclusion within 24 hours
  • Vendor screens are repeated monthly or at contract renewal (whichever is more frequent)
  • Vendor screening results are maintained separately from employee and provider files

Match Response Protocol

  • Confirmed matches trigger immediate removal from federal program activities
  • Legal counsel is notified within 24 hours of a confirmed match
  • All claims involving the excluded individual are identified and quantified within 30 days
  • Overpayment is reported and returned within 60 days of identification
  • Consideration given to self-disclosure through the OIG Self-Disclosure Protocol
  • Root cause analysis performed to determine why the exclusion was not detected sooner
  • Corrective action plan implemented and documented
  • Board and compliance committee briefed on the incident and response

Audit Readiness

  • Screening logs for the past 36 months are immediately accessible
  • Sample provider files contain evidence of exclusion screening at initial credentialing
  • Sample provider files contain evidence of monthly ongoing screening
  • False positive resolution documentation is complete and available
  • Policy and procedure documents reflect current regulatory requirements
  • Staff responsible for screening can articulate the process in an interview setting
  • Annual training on exclusion screening has been provided to all compliance and credentialing staff

Exclusion screening is one of the most straightforward compliance activities in healthcare, yet it remains one of the most commonly cited deficiencies in credentialing audits, OIG investigations, and NCQA surveys. The databases are free (with the exception of NPDB queries). The process is well defined. The penalties for noncompliance are severe and well publicized. There is simply no acceptable reason for an organization that bills federal healthcare programs to have gaps in its exclusion screening program.

The organizations that do this well treat exclusion screening not as a bureaucratic checkbox but as a core risk management function. They automate wherever possible, document everything, train their staff, and act immediately when a match is found. They understand that the cost of a comprehensive screening program (typically $2 to $5 per individual per month for automated solutions, or a few hours of staff time per month for manual processes) is negligible compared to the potential penalties for noncompliance.

If your organization has not reviewed its exclusion screening process in the past twelve months, start with the checklist above. Identify your gaps, assign responsibility for closing them, and set a deadline. The next OIG exclusion list update is less than 30 days away, and the question is not whether your organization will encounter an excluded individual eventually. The question is whether you will catch it in time.

For a complete overview of the OIG exclusion process and terminology, visit our OIG exclusion glossary entry.

Reviewed by the PayerReady Credentialing Team

Our credentialing specialists verify every article against current CMS regulations, NCQA standards, and payer-specific enrollment requirements. Last reviewed April 17, 2026. See our editorial process.

Sources Referenced

All regulatory citations verified as of April 2026. Source links point to official government and industry organization websites.
