The Definitive Guide to OIG Exclusions

---

Key Takeaways

• An OIG exclusion is a final administrative action that bars an individual or entity from all participation in federal healthcare programs. As of 2026, the List of Excluded Individuals/Entities (LEIE) contains 82,229 entries and is updated monthly.¹
• The “payment prohibition” is a complete bar on all federal program reimbursement for items or services furnished by excluded parties. It applies whether services are provided directly or indirectly, billed separately or bundled, and whether or not the provider knew of the exclusion at the time.
• Providers that employ or contract with excluded persons face civil money penalties (CMPs) of up to $24,947 per violation (2026 inflation-adjusted), plus overpayment liability and potential False Claims Act exposure. MA and Part D penalties reach $47,596 per violation.
• In 2025 alone, 35 healthcare organizations paid more than $26 million in CMPs and settlements for exclusion violations, a six-fold increase over 2024. A single Florida health system self-disclosed an $18.8 million settlement tied to just two excluded hires.²
• The OIG’s “knew or should have known” standard means ignorance is not a defense. Providers are liable whether the hire was intentional or an oversight.
• Monthly screening of employees, vendors, contractors, and referral sources against the LEIE, the GSA/SAM exclusion list, and all applicable state Medicaid exclusion lists is the OIG’s unequivocal expectation. It is the most reliable defense against CMP liability.

---

Section 1 — The Stakes

A $21.5 million pharmacy lesson

In one enforcement settlement, a national pharmacy chain paid $21.5 million to resolve allegations that it had employed a large number of excluded pharmacists. In another, a Tennessee home health agency paid $6.5 million because one private duty nurse on its staff had been excluded from federal healthcare programs.³ In October 2025, a south Florida health system self-disclosed an $18.8 million settlement that started with two excluded hires who had slipped through the cracks. The system was not marginal: 17,000 employees, 2,500 medical staff, nearly 1,000 locations, and a $300 million capital budget.⁴

These are not isolated stories. They are the shape of modern exclusion enforcement. In 2025, at least 35 healthcare organizations paid more than $26 million in CMPs and settlements for exclusion violations, a six-fold jump from the $4.2 million paid the year before.⁵ Penalties were issued in 45 of the 50 states and Puerto Rico. No sector escaped: hospitals, nursing homes, home health agencies, behavioral health providers, pharmacies, laboratories, ambulance companies, staffing agencies, and even a speech-generating device manufacturer all appeared in the 2025 data.⁶

What is an OIG exclusion?

An OIG exclusion is a final administrative action, imposed by the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services, that bars a named individual or entity from participating in federal healthcare programs: Medicare, Medicaid, TRICARE, CHIP, and any other program funded in whole or in part by federal or state funds.⁷

Exclusions are final when imposed. They are not stayed while appeals are pending. The OIG publishes every exclusion on the List of Excluded Individuals/Entities (LEIE), which as of this writing contains 82,229 entries and is refreshed monthly. Federal healthcare programs are legally barred from paying for any items or services furnished by anyone on that list.¹

Definitions are deliberately broad. An “item or service” includes any item, device, drug, biological, supply, or service, including management and administrative services. Services are “furnished” if they are provided or supplied, directly or indirectly, by an individual or entity. An indirect claim is one where a non-excluded provider submits the claim, but an excluded person or entity provided or created the underlying item or service.⁸

The practical effect: the payment prohibition reaches everywhere federal program dollars touch. Every staff member, every vendor, every referral source, every dependency in the revenue cycle.

Why exclusion screening is not a checkbox

Compliance teams often treat exclusion screening as an administrative formality, one more regulatory box to tick during onboarding. That framing understates the legal exposure by orders of magnitude. Exclusion violations create three compounding categories of liability:

1. Civil money penalties (CMPs). Up to $24,947 per individual violation and up to $47,596 per Medicare Advantage or Part D contracting violation, inflation-adjusted annually.⁹
2. Overpayment liability. Every claim touched by an excluded party is an overpayment that must be repaid. Under the Fraud Enforcement Recovery Act of 2009 and the Affordable Care Act, a retained overpayment is itself a legal “obligation,” and failure to repay can expose a provider to False Claims Act liability with treble damages.¹⁰
3. Exclusion of the organization itself. For a healthcare organization that depends on Medicare and Medicaid revenue, a corporate-level exclusion is existential.

The payment prohibition extends well beyond direct patient care. The OIG has specifically identified the following activities as potentially problematic if screening is not properly performed:¹¹

• Management, administrative, or leadership roles
• Surgical support that indirectly supports care
• Claims processing and information technology
• Drivers and dispatchers in transportation services
• Selling, delivering, or refilling medical devices and equipment
• Preparing surgical trays or reviewing treatment plans, whether billed separately or bundled

Even unpaid volunteers can trigger CMP liability if the items or services they furnish are not “wholly unrelated to Federal Health Care Programs” and the provider has not ensured that appropriate exclusion screening was performed.¹²

The liability also extends to referral sources. Laboratories, imaging centers, and pharmacies are required to verify at the point of service that the ordering or prescribing physician is not excluded. Failure to do so violates the payment prohibition independently of whether the laboratory or pharmacy itself has any direct relationship with the excluded person.¹³

The standard: “knew or should have known”

Providers often believe they are safe because they did not know an employee or contractor had been excluded. That belief is incorrect. The legal standard is “knew or should have known,” and the OIG applies it with consistency. A provider who could have discovered the exclusion through reasonable screening, and did not, will generally be held liable as if it had actual knowledge.¹⁴

This standard is the reason exclusion screening is not optional. It is the documented practice that converts the phrase “we didn’t know” from an admission of negligence into a defensible record of reasonable diligence.

---

Section 2 — How We Got Here, and Why the Rules Are So Broad

Understanding the current exclusion framework requires a brief tour of its legislative history. The rules are the way they are because Congress has been layering protections onto federal healthcare programs for nearly five decades, and each new layer responded to a specific enforcement gap.

A four-decade legislative ratchet

Year	Statute or Action	What It Did
1977	Medicare-Medicaid Anti-Fraud and Abuse Amendments	First federal authority to exclude individuals from Medicare and Medicaid.
1981	Civil Money Penalties Law	Broadly extended CMP authority for exclusion violations.
1987	Medicare and Medicaid Patient and Program Protection Act	Created the current mandatory/permissive exclusion framework.
1988	Delegation to OIG	Authority to impose and enforce exclusions formally delegated to the OIG.
1995	DOJ “call to action”	Attorney General Janet Reno declared healthcare fraud the DOJ’s top priority after violent crime.
1996	HIPAA — Health Care Fraud and Abuse Fund	Created a permanent funding stream for healthcare fraud enforcement.
1997	Balanced Budget Act	Expanded OIG civil money penalty authority.
2003	Medicare Modernization Act	Added bases for permissive exclusions (obstruction of audits, improper certification, false statements).
2009	Fraud Enforcement Recovery Act (FERA)	Made retention of an “obligation” to the government a false claim under the FCA.
2010	Affordable Care Act (ACA)	Required cross-state termination reporting (§6501); clarified that retained overpayments are “obligations” under FERA.
2013	Updated OIG Special Advisory + Self-Disclosure Protocol	Shifted expectation from annual to monthly screening; created a disclosure pathway with a defined damages formula.
2015	OIG Special Litigation Unit	Dedicated internal unit for CMPs and exclusions.
2017	CMP Rule Update	Re-emphasized dual focus on program integrity and patient safety.

The 2013 updates are the turning point compliance teams feel today. Before 2013, the OIG generally suggested annual screening. After 2013, the expectation became monthly screening against an expanded universe of persons and entities: employees, vendors, contractors, owners, officers, directors, managing employees, active medical staff, and referral sources.

For the full statutory and regulatory framework — SSA §1128, 42 C.F.R. Part 1001, appeal rights, mitigating and aggravating factors, and waivers in detail — see The Legal Guide to OIG Exclusions.

Mandatory vs. permissive exclusions

The statute splits exclusions into two categories. The category drives the minimum length, the legal basis, and the most common fact patterns providers actually encounter.

Mandatory exclusions (codified at SSA §§1128(a)(1)–(a)(4); 42 C.F.R. §1001.101). These are imposed when an individual or entity has been convicted of:

• A criminal offense related to the delivery of an item or service under Medicare or a state healthcare program, including management or administrative services (§1128(a)(1)).
• A criminal offense related to the neglect or abuse of a patient, whether or not reimbursed by a federal or state healthcare program (§1128(a)(2)).
• A felony related to healthcare fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct in connection with healthcare delivery (§1128(a)(3)).
• A felony relating to the manufacture, distribution, or dispensing of a controlled substance (§1128(a)(4)).

Mandatory exclusions have a minimum length of five years. Depending on aggravating facts, they can extend much longer. And the definition of “conviction” is extraordinarily broad: it includes nolo contendere pleas, deferred prosecutions, deferred adjudications, and expungements in any state, federal, or local court.¹⁵ Criminal defense lawyers unfamiliar with healthcare law regularly misjudge the collateral consequences of a seemingly minor plea deal.

Permissive exclusions (SSA §§1128(b)(1)–(b)(16); §1156; 42 C.F.R. §§1001.201–1001.1552). These are discretionary. The OIG may, but is not required to, exclude an individual or entity on a broad range of grounds, including:

Basis (SSA §)	Trigger	Minimum Period
§1128(b)(1)(A)–(B)	Misdemeanor health care fraud / government program fraud	3 years
§1128(b)(2)	Conviction for obstructing a healthcare investigation or audit	3 years
§1128(b)(3)	Misdemeanor controlled-substance conviction	3 years
§1128(b)(4)	License revocation, suspension, or surrender for professional competence or integrity	Period of state action
§1128(b)(5)	Exclusion or suspension under any federal or state healthcare program	Period of other program
§1128(b)(6)	Excessive services or failure of an HMO to furnish medically necessary services	1 year
§1128(b)(7)	Fraud, kickbacks, and other prohibited activities under the anti-kickback statute	None specified
§1128(b)(8)	Entities controlled by a sanctioned individual or close family member	Same as the underlying exclusion
§1128(b)(9)–(11)	Failure to disclose required information, subcontractor data, or payment information	None specified
§1128(b)(12)	Failure to grant immediate access to records or premises	None specified
§1128(b)(13)	Hospital’s failure to take corrective action	None specified
§1128(b)(14)	Default on a health education loan or scholarship	Until resolved
§1128(b)(15)	Ownership or control of a sanctioned entity where the person knew or should have known	Same as the underlying exclusion
§1128(b)(16)	False statements in applications or bids to participate	None specified

The permissive exclusion universe is dominated by license actions. Approximately 90% of permissive exclusions are triggered by the revocation, suspension, or surrender of a professional license, not by a conviction. Conviction-based permissive exclusions account for roughly 6%. State-exclusion-based permissive exclusions account for roughly 1%. Loan-default exclusions, historically a meaningful share, have effectively dropped to zero.¹⁶

Compliance teams routinely assume exclusion enforcement targets physicians. The data flatly contradicts that assumption. Nurses and nurse aides account for roughly 70% of permissive exclusions. “Other licensed professionals” (therapists, mid-level practitioners, counselors) account for another 16%. Physicians make up only 9%. Business owners account for 3%.¹⁷

Screening only your clinical staff, or only your physicians, is structurally insufficient. The modal excluded person at the modal provider is not a physician; it is a bedside nurse, a CNA, a home health aide, or a therapist.

Civil money penalties: the remedial machinery

CMPs are characterized by the OIG not as punishment but as “remedial measures designed to protect the Federal health care programs from those whose continued participation constitutes a risk to the programs and their beneficiaries.”¹⁸ The remedial framing is important: it explains why the penalties are imposed even in the absence of intent to defraud, and why patient harm is treated as an aggravating factor.

The statutory and regulatory bases for CMPs most relevant to exclusion screening, and their 2026 inflation-adjusted amounts, are:¹⁹

Conduct	Authority	2026 Adjusted Penalty
Presentation of a claim for an item or service by an excluded party	§1003.200(a)(3); §1003.210(a)(1)	Up to $24,947 per violation
Excluded party retaining ownership or control	§1003.200(b)(3); §1003.210(a)(3)	Up to $24,947 per day of prohibited relationship
Arranging or contracting with an excluded party	§1003.200(b)(4); §1003.210(a)(4)	Up to $24,947 per violation
Ordering or prescribing medicine from an excluded person	§1003.200(b)(6); §1003.210(a)(1)	Up to $24,947 per violation
Medicare Advantage or Part D contracting with an excluded party	§1003.410(c)	Up to $47,596 per violation

A single case of ongoing employment of an excluded person can generate hundreds of individual violations: one per claim for a billing provider, or one per day for an ownership-and-control violation. The arithmetic compounds quickly.

Overpayment liability and False Claims Act exposure

The CMP is only the first of two financial layers. The second is the overpayment.

Federal healthcare programs cannot pay for any item or service furnished by an excluded party. Any amount they did pay is, by definition, an overpayment that must be repaid. This is true whether or not the provider knew of the exclusion at the time.²⁰

For a billing provider, the calculation is blunt: every claim for every service furnished, directly or indirectly, is an overpayment. For a non-billing employee (a nurse, a surgical assistant, an administrator, an IT staffer), the self-disclosure protocol creates a “proxy” calculation. The provider identifies the total cost of employment (salary and benefits) during the exclusion period and multiplies that amount by the provider’s federal payer mix, ideally at the unit level. The result is the proxy for single damages and the basis for compromising the OIG’s CMP authority.²¹

The False Claims Act layer is where the stakes escalate. FERA (2009) expanded “reverse false claims” by making the retention of an “obligation” to the government actionable under the FCA. The ACA (2010) clarified that retained overpayments are “obligations” within the meaning of FERA.²² The logical chain is direct:

A provider knows it has a legal obligation to ensure compliance with exclusion regulations. An excluded person is employed. An overpayment results. The overpayment, once retained, is an obligation. Failure to repay it can constitute “reckless disregard” or “deliberate ignorance.” Either triggers FCA liability with treble damages.

The OIG illustrated the reach plainly in its 2013 Special Advisory: “If a hospital contracts with a staffing agency for temporary or per diem nurses, the hospital will be subject to overpayment liability … if the nurse furnishes items or services reimbursed by a federal health care program.”²³ The hospital’s contract with the agency does not shift the liability; the nurse’s status flows upstream to the hiring provider.

This is the mechanism by which exclusion violations compound. An unnoticed hire leads to a CMP, which leads to an overpayment, which, if unaddressed, leads to an FCA case with treble damages. The $18.8 million Florida settlement shows the pattern in full: what began as two excluded hires became a nine-figure exposure when investigators followed the thread into broader billing problems.⁴

---

Section 3 — Who, What, When: Building a Compliant Screening Program

The rest of this guide is a practitioner’s reference for building and defending a compliant screening program. The five questions below are the ones the OIG effectively audits for when it examines a provider’s compliance posture.

Who must be screened?

Employees

The governing principle from the OIG’s 2013 Special Advisory: screen every employee who furnishes any item or service that is directly or indirectly, in whole or in part, payable by a federal healthcare program.²⁴

The OIG’s suggested process is a job-category review: “review each job category or contractual relationship to determine whether the item or service being provided is directly or indirectly, in whole or in part, payable by a Federal health care program. If the answer is yes, then the best mechanism for limiting CMP liability is to screen all persons that perform under that contract or that are in that job category.”²⁵

The payable-by-federal-programs definition is so broad that a job-by-job review rarely produces a defensible exclusion. Providers are best served by screening all direct employees unless they can identify specific employees working in a separate, identifiable division wholly unrelated to federal healthcare programs. Picking and choosing is dangerous unless a true quarantine can be guaranteed.

Corporate Integrity Agreements (CIAs) imposed by the OIG as part of FCA settlements have made the universe even clearer. Standard CIA language requires screening of:

• Owners
• Officers and directors
• Managing employees
• Agents
• Active medical staff

…regardless of whether they are employed directly or indirectly. If the OIG has written your screening obligations into a CIA, the universe is not a suggestion.

The scope reaches well beyond patient care: management, administration, surgical support, claims processing, IT, transportation, food service, and equipment handling are all activities the OIG has specifically identified as exclusion-sensitive.²⁶

A practical scoping framework: a hospital example

Applied to a typical mid-sized hospital, the screening universe covers far more people than most compliance teams initially expect. A useful way to think about scoping is to walk job categories against the “is this service, directly or indirectly, payable by a federal healthcare program?” test.

Category	Included	Reasoning
Physicians, NPs, PAs, RNs, LPNs, CNAs	Yes	Direct clinical care; most are directly billable.
Therapists (PT, OT, SLP, RT)	Yes	Billable services or bundled into inpatient stays.
Pharmacists, pharmacy technicians	Yes	Drug dispensing billable to Part D and state Medicaid.
Laboratory staff (techs, phlebotomists, pathology assistants)	Yes	Services billed separately or bundled.
Radiology techs and assistants	Yes	Imaging services billed to federal programs.
Medical records, coders, billers	Yes	Claims processing is within the payable-by-federal-programs definition.
Revenue cycle, accounts receivable	Yes	Claims-adjacent work.
HR, finance, executive leadership	Yes	CIAs include officers, directors, and managing employees regardless of billing role.
IT staff	Yes	OIG specifically identifies “claims processing and information technology” as sensitive.
Food service, housekeeping, transport	Yes (generally)	OIG has specifically flagged indirect support activities.
Security	Usually	Common in CIA-enumerated categories.
Gift shop and purely retail personnel	Not typically	“Wholly unrelated to Federal Health Care Programs” quarantine applies.

The takeaway: a defensible program screens virtually all direct employees, with the narrow exception of staff working in genuinely quarantined divisions. Attempting to exclude large job categories from screening is almost always more expensive than just screening them, both in audit risk and in the operational cost of maintaining and defending the exclusion logic.

Vendors and contractors

The OIG’s guidance on vendors is the same in principle as its guidance on employees: apply the same analysis, screen those whose services are payable by federal programs, and focus in particular on vendors whose work is “integral to the provision of patient care.”²⁷

Applying the guidance, the vendors and contractors most likely to require exclusion screening include:

• Ambulance and other transportation service providers
• IT solution providers
• Security providers and their technicians
• Medical equipment suppliers
• Food service workers
• Laboratory technicians
• Billers and coders
• Pharmacists
• Nurses, physicians, and other individuals provided by staffing agencies
• Physician groups providing emergency room coverage

CIA language generally exempts vendors whose sole connection is selling supplies or equipment for which the vendor does not bill. This is a common-sense exception that removes a large class of low-risk vendor relationships.²⁸

A closer look at each of the enumerated vendor categories explains why the OIG has flagged them:

• Ambulance and transportation providers. Every transport is typically billable to Medicare or Medicaid, directly or through a facility. An excluded driver or dispatcher renders every run a potential overpayment. Ambulance companies have appeared in multiple 2025 settlements.¹⁴
• IT solution providers. The OIG explicitly identifies “claims processing and information technology” as exclusion-sensitive. Revenue cycle IT contractors, coding software vendors, and EHR implementation teams all touch federal program claims and fall within scope.
• Security providers. Less intuitive but routinely included in CIA-enumerated vendor categories, particularly when staff are present during clinical operations.
• Medical equipment suppliers. The vendor is in scope when the vendor bills the federal program (home DME is the common example). Suppliers that sell to the provider who then bills are typically exempt under the “no billing” carve-out.
• Food service workers. In hospital and skilled nursing contexts, food service is part of the per-diem rate and therefore indirectly payable by federal programs. This is one of the counter-intuitive inclusions that most internal teams miss.
• Laboratory technicians. Laboratory services are billed directly to federal programs; an excluded tech renders every processed specimen a potential overpayment.
• Billers and coders. The highest-scrutiny vendor category, because coding and billing staff directly produce the federal program claims. The OIG will only accept delegation of exclusion screening to a billing company that meets four specific conditions (see below).
• Pharmacists. The $21.5 million pharmacy settlement referenced earlier turned on employment of excluded pharmacists. Pharmacy staff appear in more enforcement actions per capita than almost any other category.
• Staffing agency nurses and physicians. The single largest delegation-risk category. Hospital reliance on agency nurses expanded substantially during 2020–2024; so did enforcement. A West Coast health system generated six separate self-disclosed penalties exceeding $1 million during that window before reducing agency reliance by 43% in 2025 and seeing the penalties taper.⁴²
• Emergency room physician groups. Independent ER staffing companies are functionally similar to staffing agencies. Delegation does not transfer liability; the hospital remains responsible for the exclusion status of ER physicians practicing on its premises.

Billing companies receive particularly close OIG attention. Under most CIAs, a provider may only delegate exclusion screening to a billing company if that company (a) has a policy of not employing excluded persons, (b) screens its employees upon hire and monthly thereafter against the LEIE, (c) provides proof of its screening activities, and (d) trains its employees on federal program requirements.²⁹

Referral sources

Laboratories, imaging centers, and pharmacies must verify at the point of service that the ordering or prescribing physician is not excluded. This is independent from their employee-screening obligations and is among the fastest-moving areas of enforcement. The 2016 New York settlement illustrates the exposure precisely: a pharmacy paid $442,000 to resolve allegations that it had been filling prescriptions written by an excluded physician.³⁰

Which databases must you screen?

The answer is more layered than a single LEIE check. A defensible program screens against federal lists, state lists, and in some cases program-specific lists.

Federal lists

OIG LEIE (List of Excluded Individuals/Entities). The canonical federal list. 82,229 entries as of this writing, updated monthly.¹

GSA/SAM (System for Award Management exclusions). The OIG formally takes the position that it cannot require GSA/SAM screening. Part C payers, Part D payers, and most state Medicaid programs all require it. Effectively, SAM is not optional. For a breakdown of which lists cover what, see the different federal and state exclusion lists.³¹

State exclusion lists

Forty-four states maintain their own state exclusion lists, Medicaid sanction lists, or equivalent registries. Terminology varies by state (exclusions, terminations, suspensions, sanctions, debarments), but the substantive effect is similar: a barred provider cannot participate in the state’s Medical Assistance Program.³²

State requirements frequently go beyond the list itself. Texas, for example, requires providers to conduct an internal review and certify that they have done so. New Jersey requires confirmation that no employee, vendor, or contractor has ever been the subject of any suspension, debarment, disqualification, or recovery action involving Medicaid, Medicare, or any other federally or state-funded healthcare program.

Three reasons a defensible program screens all applicable state lists, not just the LEIE:

1. Latency. It routinely takes several months for a state-imposed exclusion to reach the LEIE. Screening only the LEIE means your compliance is months behind the state-level record.
2. Cross-state mobility. Individuals excluded in one state frequently relocate and seek employment elsewhere. They will not volunteer the prior exclusion during the hiring process.
3. ACA §6501 cross-state requirements. When a state terminates a provider “for cause,” it must report the action, and other states in which the provider participates must determine whether the conduct warrants termination. The OIG is also supposed to evaluate whether the state action warrants a federal exclusion. The chain exists specifically to close the mobility loophole.³³

State requirements vary, and often go beyond the list

A federal-only screening program leaves the provider exposed to the fastest-growing category of enforcement: state-level Medicaid exclusion actions. The cost of missing state-specific exclusions has shifted from the five-figure range in 2020 ($20,000–$60,000) to the mid-to-high six figures in recent years ($450,000–$860,000).³⁴ A short tour of the higher-friction states:

• California (Medi-Cal). California’s Department of Health Care Services maintains the Medi-Cal Suspended and Ineligible Provider List. California’s enforcement tends to concentrate on large integrated systems and M&A-driven facility-based senior care platforms; $4.3 million in exclusion-related penalties accrued 2020–2025.
• Illinois (HFS / OIG-Illinois). Illinois enforcement centers on Chicago-area nursing homes and safety-net hospitals. The state’s $3.4 million in penalties over six years includes collective settlements that spread a single compliance failure across multiple facilities under common ownership.
• New York (OMIG). The New York Office of the Medicaid Inspector General maintains an active exclusion list and has been an aggressive enforcer against pharmacies, home health agencies, and long-term care facilities.
• Pennsylvania (PA Medicheck). Pennsylvania maintains the Medicheck list of precluded providers. PA enforcement concentrates on nonprofit human services, behavioral health, and academic medical centers. The pattern tracks the state’s Medicaid funding structure for behavioral health and children’s services.
• Texas (HHSC OIG). Beyond its exclusion list, Texas requires providers to conduct an internal review and certify compliance as part of enrollment. Enforcement in Texas tends to target ancillary services (ambulance, laboratory, regional clinics) rather than hospital inpatient care.
• New Jersey. New Jersey requires providers to confirm that no employee, vendor, or contractor has ever been the subject of any suspension, debarment, disqualification, or recovery action involving Medicaid, Medicare, or any other federally or state-funded healthcare program. That is a broader lookback than most state certifications require.
• Florida. Florida’s Medicaid program relies heavily on AHCA enforcement; the state has seen $2.6 million in exclusion-related penalties 2020–2025, driven by high-volume Medicare billing concentrations in cardiology, oncology, and urology.

The practical lesson for multi-state providers: a centralized corporate screening process that hits the LEIE and SAM but misses the state lists where newly acquired or newly opened facilities operate is a common failure mode. The August 2022 multi-state settlement that penalized facilities in Nevada, California, and Indiana for missing Medi-Cal exclusions shows how centralized compliance can fail against decentralized state requirements.³⁵

Exclusion Screening’s SAFER platform automatically screens against the LEIE, SAM, and all 44 state Medicaid exclusion lists as standard. The alternative, in an organization of any size, is a matrix of manual checks that is prohibitively difficult to maintain.

How often should you screen?

No statute or regulation states an exact frequency. The OIG’s position is nonetheless unequivocal: screening must be performed upon hire and monthly thereafter to avoid overpayment and CMP liability. The 2013 Special Advisory states the expectation plainly: a provider that does not screen monthly “is at risk for overpayment and CMP liability.”³⁶

Three supporting data points make this the operational standard:

• The LEIE itself is updated monthly. Screening less frequently than the list is updated is, by definition, leaving a gap.
• Medicare Part C and Part D payers explicitly require monthly screening.
• CMS guidance to State Medicaid Directors in 2008 and 2009 established the hire-plus-monthly standard for all Medicaid providers.³⁷

The business case reinforces the regulatory case. The faster an excluded employee is identified and removed, the smaller the overpayment exposure window. A quarterly-screening program that discovers a problem three months in has, by arithmetic, approximately three times the overpayment exposure of a monthly program that would have caught the same problem within 30 days.

Can you delegate screening? Yes, but not the liability.

The OIG expressly recognizes that providers may delegate screening to contractors, staffing agencies, or third-party vendors. When delegation occurs, the OIG requires that the provider demand and maintain documentation that the screening was performed.³⁸

The critical distinction, stated directly in the 2013 Special Advisory: “even when a third party reliably and ‘effectively’ screens for excluded individuals,” those that rely on them are still “responsible for overpayments and CMPs.” Delegation transfers the operational burden; it does not transfer the regulatory liability.³⁸

The practical implication is the opposite of discouraging. Delegation to a competent vendor:

1. Creates documented evidence that screening was performed. The OIG looks for exactly this record in any audit.
2. Layers professional match-verification on top of automated database checks, reducing false positives and missed matches.
3. Covers the state list universe without requiring a 44-state manual process.
4. Produces an audit trail that, in the event a mistake occurs, is a strong CMP defense under the “reasonable diligence” inquiry.

Reliance on a vendor does not eliminate liability, but it changes what the OIG sees when it audits: documented systematic screening rather than gaps in a spreadsheet.

The case for a third-party vendor

Providers sometimes read the “liability does not transfer” point as a reason to keep screening in house. The opposite is true. A qualified third-party vendor provides the operational infrastructure most internal compliance teams cannot realistically maintain:

• Automated scheduling. No missed months.
• Sophisticated name-matching algorithms. These catch variants, aliases, and common misspellings rather than only exact matches.
• Expert match verification. This reduces false positives that would otherwise consume internal staff time.
• State-list coverage. All 44 state exclusion lists screened as part of standard service, not as add-ons.
• Complete compliance records. Every screening cycle documented, searchable, and defensible.

Why EXSC specifically. Exclusion Screening LLC was founded by Paul Weidenfeld and Robert W. Liles, both former National Healthcare Fraud Coordinators at the U.S. Department of Justice. They are among the federal prosecutors who built the enforcement framework that this guide describes. Our SAFER Plus platform screens against 42+ federal and state exclusion databases, runs automated monthly cycles, and provides expert match verification. Pricing starts at $30 per month per 100 screens. Learn more about SAFER Plus or schedule a demo.

The arithmetic of a screening program

Compliance budgets are under pressure. The 2025 environment compounds the pressure: up to $700 billion in proposed Medicaid spending reductions are prompting boards to revisit every cost center, and compliance is not exempt from the review.⁴³ Cutting back on exclusion screening to save budget is exactly the wrong move. The arithmetic runs in the opposite direction.

For a provider with 500 covered persons, annual exclusion screening costs are roughly:

• In-house manual program: 10–15 hours per month of compliance staff time, no sophisticated matching, incomplete state coverage, fragile documentation. Annualized fully-loaded cost typically runs $8,000–$20,000, not including the state-list coverage gaps.
• Third-party vendor (SAFER Plus pricing): $30 per month per 100 screens. For 500 covered persons screened monthly against 42+ databases, annual cost is approximately $1,800, with expert verification, documentation, and state coverage included.

Set against the $24,947-per-violation CMP exposure and the $26 million in 2025 aggregate penalties, the screening cost is not meaningful on either side of the decision. The meaningful number is the penalty avoided.

---

Section 4 — Enforcement, Self-Disclosure, and Remediation

How enforcement actually works

The OIG credits the 1999 Special Advisory as the “beginning” of its exclusion enforcement initiative. The more honest starting date is 2013, the year the Special Advisory was updated and the Self-Disclosure Protocol was rewritten. Before 2013, the OIG generally suggested annual screening and had no formal disclosure path for exclusion violations. After 2013, monthly screening became the expectation and self-disclosure became the preferred pathway for remediation.³⁹

For the underlying data, see EXSC’s historical OIG settlements and penalties database, which tracks every publicly reported CMP settlement by year, state, and sector.

Enforcement matters arrive at the OIG through several channels:

• OIG-initiated investigations. Flagged through data analytics, CMS contractor referrals, or sister-agency coordination.
• Hotline tips and whistleblower actions. Often the trigger for FCA cases.
• Self-disclosures. The OIG relies heavily on provider-initiated disclosures, consistent with its position that healthcare compliance is provider-driven.
• Office of Evaluations and Inspections / Office of Audit initiatives. Both of these internal OIG divisions have run formal “exclusion initiatives” that identify systemic patterns and drive targeted enforcement.
• Special Litigation Unit. Established in 2015 with a focus specifically on CMPs and exclusions.

The 2025 enforcement data makes the current posture concrete. Of the 35 organizations that paid CMPs or settlements for exclusion violations in 2025, approximately 57.9% came to the OIG through self-disclosure and approximately 42.9% through government investigation.⁴⁰ The ratio matters: it reflects both the OIG’s preference for self-disclosure and the mathematical advantage providers obtain by disclosing proactively.

Where enforcement concentrates: sectors

The six-year aggregate (2020–2025) shows where risk is concentrated:⁴¹

Sector	2020–2025 Total Penalties	Share
Hospital / medical center	$10.3 million	34.2%
Facility-based senior care	$9.0 million	29.9%
Behavioral health	$3.3 million	10.8%
Practice / medical group	$2.5 million	8.2%
Home health	$2.3 million	7.6%
Healthcare services	$984,000	3.3%
Education / government	$859,000	2.8%
Pharmacy	$785,000	2.6%
Laboratory	$471,000	1.6%
Education / government (universities)	$218,000	0.7%
Ambulance / EMS	$217,000	0.7%
Insurance	$71,000	0.2%
Total	$30.2 million	—

The common thread across the top sectors (hospitals, facility-based senior care, behavioral health, practices) is a high-volume, high-turnover, contractor-heavy workforce model. Large integrated systems have scale, but scale without centralized monitoring is a risk multiplier rather than a protective factor. Responsibility for screening is typically distributed across HR (employees), medical staff services (credentialed providers), and finance (vendors), each running separate workflows on varying schedules. Each handoff is a potential gap.

Where enforcement concentrates: geography

The state-level data is equally clear:⁴⁴

State	2020–2025 Total Penalties	Drivers
California	$4.3 million	Large integrated systems; M&A-heavy nursing and rehab platforms.
Illinois	$3.4 million	Chicago-area nursing homes and safety-net hospitals on Medicaid.
Florida	$2.6 million	High-volume Medicare billing; cardiology, oncology, urology concentration.
Texas	$2.3 million	Ancillary services — ambulance, lab, regional clinics.
Pennsylvania	$2.2 million	Nonprofit human services, behavioral health, academic medical centers.
Ohio	$1.7 million	—
Pennsylvania (combined)	$1.4 million	—
New York	$1.3 million	—

Five-state concentration is not random. It reflects the specific healthcare ecosystems that present the most compliance friction: large multi-facility platforms, dense urban Medicaid populations, specialty billing concentrations, and infrastructure-heavy ancillary service markets. Since 2020, 45 of 50 states plus Puerto Rico have seen at least one CMP settlement for exclusion violations. “Flying under the radar” based on geography is no longer a viable assumption.⁴⁵

Anatomy of a seven-figure failure: the Florida $18.8M case

The October 2025 Florida settlement is the clearest recent case for compliance teams. The organization was not a marginal operator. The health system had 17,000 employees, more than 2,500 medical staff working across almost 1,000 locations, a $300 million capital budget, and a sophisticated information technology and cybersecurity posture. It had invested in digital transformation and data security. And despite all of that, two employees slipped through the exclusion screening process long enough to produce a self-disclosed $18.8 million settlement.⁴⁶

The settlement was not purely for the exclusion violations themselves. It bundled the exclusion issue with claims “for services that were not performed or failed to meet coverage criteria.” Internal analysis conservatively attributes approximately 10% of the settlement amount (roughly $1.88 million) directly to the exclusion violations. The remaining exposure is the compounding pattern compliance leaders need to understand: exclusion failures rarely stay contained.

The OIG’s audit pathway in cases like this is consistent. An exclusion violation is identified. Auditors follow the thread. The investigation widens into broader billing, coding, and medical necessity review. Secondary issues surface. The final settlement reflects the full investigative surface. The original exclusion is only the starting point.

What went wrong operationally? The pattern is familiar:

• Distributed responsibility. Screening was split across HR (employees), medical staff services (credentialed providers), and finance (vendors). Each function ran separate workflows on different schedules.
• Point-in-time checks. Screening was performed at hire, credentialing, and reappointment, but not monthly against the full covered population.
• No centralized monitoring. No single system tracked whether every covered person had been screened against every required database in every cycle.

This is the failure mode of large health systems. Atul Gawande frames the distinction in The Checklist Manifesto as the difference between ignorance and ineptitude. Ineptitude is the case where the knowledge exists but is not applied systematically. The Florida case is ineptitude, not ignorance. The knowledge of how to screen was present. The systematic application of it was not.

The lesson is not that large systems need to invest more. This organization already had substantial investment. The lesson is that scale without centralization is a risk multiplier rather than a protective factor. A consolidated screening system (one platform, one monthly cycle, one documented audit trail across every covered person) would have caught both hires before they became a nine-figure problem.

M&A contagion: the Illinois 19-facility case

A second case, from May 2025: an Illinois company operating 19 skilled nursing facilities under common ownership paid $1.5 million when excluded employees surfaced at multiple locations. The facilities shared centralized back-office services, including screening. The centralized screening had a consistent gap that replicated across the portfolio.⁴⁷

The lesson for investors and roll-up operators is that shared services can spread compliance failures as effectively as they spread efficiency gains. Private equity firms consolidating facility-based senior care platforms, dental service organizations, behavioral health networks, or medical practice groups routinely centralize compliance infrastructure to capture margin. When that centralization replaces local controls without adding rigorous central screening, a single compliance failure infects the entire portfolio.

The contagion pattern is consistent across sectors with M&A-driven roll-ups: senior care, home health, pharmacy chains, DSOs, ambulance services, and staffing platforms. For investors, exclusion screening is no longer a back-office compliance line item. It is infrastructure that protects returns.

What to do if you discover an excluded employee

When a provider discovers an excluded individual on staff, the recommended sequence is:

1. Immediately remove the individual from any role connected to federal healthcare programs. The removal stops the overpayment clock. Every additional shift, claim, or billable encounter expands exposure.

2. Investigate the scope. Identify the period of employment, the payer mix applicable to the person’s work, and the claims (direct or indirect) that the person touched. Document everything contemporaneously; the file you build in this phase is the file you will submit.

3. Self-disclose via the OIG’s Self-Disclosure Protocol. The updated Protocol includes a specific section for exclusion violations. Required narrative contents:⁴⁸

• Identification information for the excluded individual, including license and provider IDs.
• Job duties and dates of service.
• A description of the screening performed both before and after employment began.
• How the problem was discovered and what corrective actions were taken.
• A calculation of the loss.

4. Calculate the loss. For a billing provider, the calculation is direct: every claim connected to the excluded person during the exclusion period. For a non-billing employee (the more common case), the proxy formula applies:

Loss = (Total Cost of Employment, including benefits) × (Federal Payer Mix Percentage)

Use unit-level payer mix when possible; entity-wide mix is acceptable when unit-level data is not available. The result is the proxy for single damages and the basis for compromising the OIG’s CMP authority.

Why self-disclosure is usually the right choice

Two former National Healthcare Fraud Coordinators, Paul Weidenfeld and Robert W. Liles (both EXSC co-founders), have made the self-disclosure case directly:⁴⁹

• The multiplier changes. Under the False Claims Act, a government-initiated investigation can result in treble damages (3×). Self-disclosure through the SDP typically caps damages at a 1.5× multiplier. On a seven-figure overpayment, the delta is not trivial.
• The posture changes. Self-disclosure moves the organization from being a “target” of investigation to a “partner” in resolution. That shift is procedural. It shapes discovery, scope, and settlement.
• The narrative changes. A provider that discloses defines the scope of the issue. A provider that waits reacts to the scope defined by federal agents.
• The timeline changes. Self-disclosure proceeds on a relatively predictable timetable. Government-initiated investigations compound with legal costs, extended discovery, and often public enforcement.

The cost of silence almost always eclipses the cost of disclosure. In every material respect (financial, operational, reputational) the earlier action is the better action.

Reinstatement after exclusion

Reinstatement is not automatic. An excluded individual or entity must apply, and may submit an application no earlier than 90 days before the reinstatement date.⁵⁰

The reinstatement date itself depends on the basis of the exclusion:

• License-based permissive exclusions (§1001.501): eligibility typically requires regaining the license (or an equivalent license in another state). If the license is not regained, a minimum of three years must pass, and the original exclusion must not have been based on patient abuse or neglect. (42 C.F.R. §1001.501(b)–(c).)
• State-program-based permissive exclusions (§1001.601): the individual is not eligible for reinstatement until the underlying state exclusion is lifted, unless the state action was itself based on the OIG exclusion, in which case reinstatement is decoupled. (42 C.F.R. §1001.601(b).)

When evaluating a reinstatement application, the OIG considers:⁵¹

• Conduct of the individual or entity before and after the exclusion.
• Whether there are reasonable assurances that the underlying conduct will not recur.
• Whether all fines and debts have been repaid or satisfactorily arranged.
• The benefits of reinstatement to federal healthcare programs and their beneficiaries.
• Whether CMS has determined the individual or entity complies with (or will comply with) all applicable conditions of participation.

If reinstatement is denied, the excluded party has 30 days to submit additional documentary evidence and written argument. After evaluating the submission, the OIG sends a final written decision. A final denial is not subject to administrative or judicial review, and the excluded party must wait at least one year before submitting another application. (42 C.F.R. §§1001.3002; 1001.3004.)

Waivers

Waivers are rare and tightly constrained. They must be requested by a program administrator (not by the excluded person) and only under specific conditions. (See our detailed OIG exclusion waiver guide for the full procedural record.)⁵²

• Mandatory exclusions: the program administrator must determine that (1) the individual or entity is the sole source of an essential specialized service in the community, and (2) the exclusion would impose a hardship on beneficiaries.
• Permissive exclusions: the OIG must determine that imposing the exclusion would not be in the public interest.
• Abuse or neglect exclusions: waivers are categorically unavailable.

Waivers apply only to the specific program(s) for which they are requested. If the basis for the waiver ceases to exist, the waiver is rescinded. Waiver decisions (grant, denial, or rescission) are not subject to administrative or judicial review. (42 C.F.R. §1001.1801.)

---

Section 5 — Your Exclusion Screening Program: A Compliance Checklist

A defensible exclusion screening program has the following characteristics. Use this as a checklist against your current program; any missing item is a gap worth closing before the next audit.

Scope of the screening universe
– [ ] All direct employees are screened, excepting only those in divisions wholly unrelated to federal healthcare programs.
– [ ] Owners, officers, directors, managing employees, agents, and active medical staff are screened regardless of employment structure.
– [ ] All vendors and contractors whose services are payable, directly or indirectly, by federal healthcare programs are screened.
– [ ] Referral sources (ordering and prescribing physicians) are verified at the point of service.
– [ ] Unpaid volunteers whose work is not wholly unrelated to federal programs are included in the screening universe.

Databases screened
– [ ] OIG LEIE.
– [ ] GSA/SAM exclusion list.
– [ ] All applicable state Medicaid exclusion lists: all 44 states with their own lists, not only the state of primary operation.
– [ ] Any additional state-specific requirements (for example, Texas internal review certification; New Jersey historical sanction attestation).

Cadence
– [ ] Screening performed on every new hire and engagement, before the start of work.
– [ ] All covered individuals and entities re-screened monthly.
– [ ] Documented screening records retained for every cycle, every database, every person.

Operational controls
– [ ] Centralized, documented process covering HR, medical staff services, and vendor management.
– [ ] Sophisticated name-matching (not exact-match only) with expert verification of potential hits.
– [ ] Written protocol for responding to a confirmed match: immediate removal, investigation, self-disclosure.
– [ ] Self-disclosure plan and template in place before the first violation occurs, not after.
– [ ] Annual review of the screening program against current OIG guidance.

Why healthcare organizations choose EXSC

• Founded by former federal prosecutors who built the exclusion enforcement framework: Paul Weidenfeld and Robert W. Liles, both former National Healthcare Fraud Coordinators, U.S. Department of Justice.
• 42+ federal and state exclusion databases screened automatically, including the LEIE, SAM, and all 44 state Medicaid exclusion lists.
• Automated monthly screening with expert match verification. No missed cycles, no manual name entry.
• Complete compliance documentation maintained for every person, every database, every cycle.
• Transparent pricing from $30 per month per 100 screens. No per-match fees. No surprise add-ons.
• SAFER Plus platform with self-service capabilities, API access, and HRIS integrations.
• Compliance Hotline for real-time questions with compliance attorneys ($100/month add-on).
• 382+ healthcare organizations trust EXSC for their federal and state exclusion screening.

Ready to see your exposure?

• Take the free screening assessment. A 25-question diagnostic that grades your program against the OIG’s 2013 Special Advisory and flags gaps before they become penalties.
• Schedule a SAFER Plus demo. See the platform and get a custom quote in one call.
• Call the Compliance Hotline: 1-800-294-0952.

---

Section 6 — Frequently Asked Questions

What is exclusion screening in healthcare?
Exclusion screening is the process of checking employees, vendors, contractors, and referral sources against federal and state databases of individuals and entities that have been barred from participating in federal healthcare programs. It is a core compliance obligation under the Social Security Act §1128 and the OIG’s 2013 Special Advisory, and is the primary defense against civil money penalties, overpayment liability, and False Claims Act exposure for hiring an excluded person.

How often must healthcare providers screen for exclusions?
The OIG’s unequivocal position is that screening must be performed upon hire and monthly thereafter. The LEIE is updated monthly, Medicare Part C and Part D payers explicitly require monthly screening, and CMS guidance to State Medicaid Directors has imposed the same expectation on all Medicaid providers. Quarterly or annual screening is not defensible under current OIG guidance.

What databases should I screen against?
At minimum: the OIG’s List of Excluded Individuals/Entities (LEIE), the GSA/SAM exclusion list, and every applicable state Medicaid exclusion list (44 states maintain their own). Some states (Texas, New Jersey, and others) impose additional certification or attestation requirements beyond the list itself.

What happens if I employ an excluded individual?
Three categories of liability compound: (1) civil money penalties up to $24,947 per violation (up to $47,596 for MA and Part D); (2) overpayment liability for every claim the excluded person touched, directly or indirectly; and (3) potential False Claims Act exposure with treble damages if the overpayment is retained. In 2025, 35 organizations paid more than $26 million for these violations, including a single $18.8 million self-disclosed settlement triggered by two excluded hires.

Can I delegate exclusion screening to a staffing agency or vendor?
Yes. The OIG expressly recognizes delegation to contractors, staffing agencies, and third-party vendors. But delegation does not transfer liability. The provider remains responsible for overpayments and CMPs even if a third party reliably and effectively performs the screening. Delegation shifts the operational burden; it does not shift the legal exposure. Done well, however, delegation produces a defensible compliance record that is stronger than most internal programs.

How do I self-disclose an exclusion violation to the OIG?
Use the OIG’s Self-Disclosure Protocol. The required submission includes identification information for the excluded individual, job duties and dates of service, screening history, how the problem was discovered, corrective actions taken, and a calculation of the loss. For a non-billing employee, the loss proxy is the total cost of employment multiplied by the federal payer mix. Self-disclosure typically caps damages at a 1.5× multiplier, versus up to 3× (treble damages) in a government-initiated FCA action.

How much do civil money penalties cost?
As of 2026, CMPs are up to $24,947 per individual violation and up to $47,596 per Medicare Advantage or Part D contracting violation. These amounts are inflation-adjusted annually. Because a single case of ongoing employment can generate hundreds of violations (one per claim or one per day of prohibited relationship), total CMPs routinely reach six or seven figures.

What’s the difference between mandatory and permissive exclusions?
Mandatory exclusions (SSA §§1128(a)(1)–(a)(4)) are required when an individual or entity has been convicted of healthcare fraud, patient abuse or neglect, certain felony fraud offenses, or controlled-substance felonies. They have a minimum five-year period. Permissive exclusions (SSA §§1128(b)(1)–(b)(16); §1156) are discretionary and can be imposed on a broad range of grounds, most commonly state license actions (roughly 90% of permissive exclusions).

Do I need to screen volunteers?
Yes, if the items or services they furnish are not “wholly unrelated to Federal Health Care Programs” and the provider cannot ensure an appropriate exclusion screening was performed. Even unpaid volunteers can trigger overpayment and CMP liability under the OIG’s 2013 Special Advisory.

How long does an OIG exclusion last?
Mandatory exclusions have a minimum of five years and can run much longer depending on aggravating facts. Permissive exclusion periods vary by basis: license-based exclusions run for the period of the state action, state-program-based exclusions run until the state action is lifted, and other bases range from one year to indefinite. Reinstatement is not automatic; an individual or entity must apply, no earlier than 90 days before the reinstatement date.

---

Notes and Citations

---

About the authors

Paul Weidenfeld is a co-founder of Exclusion Screening LLC and a former National Healthcare Fraud Coordinator at the U.S. Department of Justice. He is among the federal prosecutors who built the healthcare fraud enforcement framework that governs OIG exclusions today.

Robert W. Liles, J.D., C.P.C., C.M.C.O., M.B.A., M.S. is a co-founder of Exclusion Screening LLC, managing partner at Liles Parker PLLC, and a former National Healthcare Fraud Coordinator at the U.S. Department of Justice.

This guide is intended as an educational reference for compliance officers and healthcare executives. It does not constitute legal advice. Providers facing specific exclusion, CMP, or self-disclosure questions should consult qualified healthcare compliance counsel.

Last updated: April 2026.