OIG Exclusion Screening: The Procurement Lead's Compliance Checklist
Published May 19, 2026
Procurement teams at multi-location healthcare practices share an uncomfortable secret: the OIG exclusion check is one of the most legally consequential pieces of compliance infrastructure in the building, and almost everyone executes it badly.
The Office of Inspector General publishes the List of Excluded Individuals and Entities (LEIE), updated monthly. The General Services Administration runs SAM.gov, which absorbed the older Excluded Parties List System. Every state Medicaid agency maintains its own exclusion list. Layered on top: OFAC sanctions screens, the FDA Debarment List, the OPM Suspension and Debarment list, and PECOS provider opt-out records. A healthcare entity that bills any federal program is responsible for screening against all of them, at the right cadence, with documentation that survives audit.
The penalty structure makes the stakes literal. Under the Civil Monetary Penalties Law at 42 U.S.C. § 1320a-7a, employing or contracting with an excluded individual exposes the organization to up to $10,000 per item or service furnished by the excluded person, plus treble damages, plus the exclusion itself extending to the employing entity. The 2024 OIG annual report enumerated 3,323 exclusion actions in fiscal year 2023, the highest count in five years.
This checklist is for the procurement lead who has to answer to a board, an external auditor, or a CMS regional office about how the practice screens. Workflow-jargon is out of scope. What follows is the framework procurement officers can take into a vendor RFP, a delegated credentialing audit, or a Joint Commission survey without flinching.
What an OIG exclusion actually is
The OIG can exclude an individual or entity from participation in federal healthcare programs under two statutory authorities. Mandatory exclusions under 42 U.S.C. § 1320a-7(a) cover convictions for Medicare or Medicaid fraud, patient abuse, felony controlled substance offenses, and certain other crimes. These run at least five years. Permissive exclusions under § 1320a-7(b) cover license revocation, defaulted health-education loans, kickback violations, and other offenses where the OIG exercises discretion on length, typically three years minimum.
Once excluded, the individual cannot bill federal healthcare programs directly, cannot be employed by an entity that bills federal programs in any role that supplies items or services reimbursed by those programs, and cannot serve as an officer, director, or owner of such an entity. The OIG interprets “items or services” broadly. Administrative staff, IT contractors, billing-company employees, and even janitorial vendors at facilities receiving federal reimbursement fall within scope under OIG Special Advisory Bulletin guidance, specifically when their work cost is built into a federal reimbursement claim.
The OIG’s 2013 Special Advisory Bulletin is the document that converts the abstract exclusion list into operational scope. Every procurement officer responsible for vendor credentialing should print it, highlight it, and keep it within reach during RFP review.
A common procurement misunderstanding: the OIG screens individuals, not roles. A nurse practitioner excluded for opioid diversion shows up on the LEIE under their personal name, not under the title they held. If your screening process searches by job category instead of by person, the entire screen is forensically useless.
The eight-source screening matrix
The minimum defensible screening protocol for a multi-location practice or PE-backed clinic group should cover eight independent sources. None of these is optional under current enforcement posture; missing any of them is a defensible audit finding.
| Source | What it covers | Cadence required | Authority |
|---|---|---|---|
| OIG LEIE | Federal healthcare program exclusions | Monthly | OIG SAB 2013 |
| SAM.gov (formerly EPLS) | Federal procurement debarment | Monthly | 2 C.F.R. § 180 |
| State Medicaid exclusion list (each state where you bill) | State-level exclusions, often broader than OIG | Monthly | ACA § 6501 |
| OFAC SDN list | Terrorism/sanctions screening | Quarterly minimum | 31 C.F.R. § 501 |
| FDA Debarment List | Drug application bans | At hire + annually | 21 U.S.C. § 335a |
| State board licensure status | Active, restricted, surrendered | Monthly | State practice acts |
| NPDB (National Practitioner Data Bank) | Adverse actions, malpractice | At hire + every 2 years | 42 U.S.C. § 11101 |
| PECOS provider enrollment | Medicare opt-out, revocation | Monthly | 42 C.F.R. § 424 |
The Affordable Care Act, specifically Section 6501, made the state-Medicaid screen federally mandatory in 2010. Before that, many practices screened only the federal LEIE. Auditors now expect to see state-list documentation for every state where the practice has Medicaid billing privileges, even if that state isn’t where the provider primarily works.
The cadence column is not a target; it is the regulatory floor. The OIG’s exclusion list updates on the first business day of each month, with adds and removes throughout. A practice that screens quarterly absorbs three months of unscreened employment risk per cycle. The OIG made its position explicit in a March 2021 Frequently Asked Questions update, reaffirming the monthly cadence as the audit baseline.
The match-and-resolve workflow
A monthly screening run is not complete when the system returns “0 matches.” It is complete when every potential match has been resolved with documentation linking the hit to a decision: confirmed match, name-collision dismissal, or pending verification.
OIG LEIE matches typically produce false positives because the list does not include date of birth or social security number, only name and address. A practice screening 800 employees plus 200 contracted providers will return roughly 5-15 potential matches per month, of which fewer than one in 50 is a true positive. The Joint Commission and NCQA both expect the match-resolution log to be preserved with the screening report itself, not separately.
Resolution evidence that survives audit:
- A copy of the LEIE entry as it appeared on the screening date
- A copy of the individual’s credential file showing date of birth, last four of SSN, NPI, and licensure history
- A written note from the credentialing officer documenting why the match was dismissed (date-of-birth mismatch, state-of-licensure mismatch, etc.) or confirmed
- For confirmed matches: documentation of the termination action and the date the individual stopped having access to any federal-reimbursement claim chain
Practices that skip the resolution log are technically screening but have no defensible audit posture. The OIG considers the absence of a resolution record functionally equivalent to a missed screening.
Retention policy: 10 years, full audit trail
The OIG’s recommended retention for exclusion screening records is the same as the federal statute of limitations for the False Claims Act, plus a margin: 10 years minimum. This means the screening report, the match-resolution log, and the underlying credential evidence for every dismissed match must remain retrievable for a decade after the screening date.
In practice, three failure modes dominate the retention question. First, practices that migrate credentialing software vendors lose historical screening records when the old vendor sunsets the contract. Procurement teams negotiating a credentialing software contract should explicitly require:
- Export of all historical screening reports in machine-readable format upon contract termination
- A signed acknowledgment that the vendor retains no proprietary lock on the practice’s screening data
- An indemnification clause covering audit defense if vendor-side retention proves inadequate
Second, practices that screen using spreadsheets or ad-hoc desktop tools rarely maintain version history. The November 2024 screening report cannot be the same file as the December 2024 screening report; auditors need to see the snapshot at the moment of screening, not the current state of the underlying list.
Third, off-boarded employees and contractors fall out of the screening rotation, which is correct, but their historical screening records are often archived in HR systems with retention policies set for general employment records (typically 7 years), not for the longer compliance horizon. Procurement should align HR retention policies with credentialing retention policies, in writing, before the next audit.
Contractor and vendor scope
The procurement-facing surface of OIG screening that most practices underestimate is the contractor and vendor scope. The 2013 OIG Special Advisory Bulletin made the position clear: any individual whose work cost is included in a federal reimbursement claim is in scope. That includes:
- Per-diem and locum tenens providers
- Billing-company employees and revenue-cycle outsourcing staff
- IT contractors maintaining systems that handle PHI used for federal billing
- Medical device representatives present in operating rooms for procedures billed to Medicare
- Pharmacy benefit management staff
- Practice management consultants whose fees are built into overhead allocated to federal reimbursement
- Cleaning and biohazard contractors at facilities receiving federal reimbursement, if their cost is part of overhead in cost-report-based reimbursement
The practical interpretation in 2024-2026 enforcement actions has been that overhead-allocated costs do count. An October 2023 settlement involving Genesis Healthcare came to $53,448 for employment of a single excluded individual whose role was administrative, not clinical.
The procurement RFP language to require from any vendor whose staff will be onsite or whose work touches the billing chain:
“Vendor agrees to screen all personnel assigned to this contract against the OIG LEIE, SAM.gov, and applicable state Medicaid exclusion lists on a monthly basis. Vendor agrees to provide upon request the date of last screening and the documentation of resolution for any potential matches. Vendor warrants that no excluded individual is currently assigned to work performed under this contract, and agrees to remove any individual identified as excluded within 24 hours of identification.”
A vendor that pushes back on this language is signaling that they do not currently screen or do not retain screening evidence. Both are disqualifying for any credentialing-adjacent service contract.
Common audit findings
The OIG’s Work Plan and Office of Audit Services reports surface the same exclusion-screening findings cycle after cycle. Procurement officers preparing for accreditation or external audit should pressure-test their screening against each of these:
- No documentation of state Medicaid screening for states where the practice bills. Particularly common at multi-state practices where the credentialing team is based in one state and screens primarily against that state’s list, not against the lists of the states where the practice has secondary locations.
- No screening of board members, owners, or governance-tier individuals. The CMP Law applies to anyone whose position or work cost flows into federal reimbursement; ownership and governance roles count.
- Missing screens during the first 30-60 days of an employee’s tenure. Most practices screen at hire and monthly thereafter, but the first monthly screen often arrives 30+ days into employment. Auditors expect to see the at-hire screen happen before the first day of work, not afterward.
- Reliance on vendor-provided “automated” screening with no resolution log. The vendor’s automated screen may produce a zero-match report, but if a true match was suppressed by a name-normalization heuristic without human review, the practice still carries liability.
- No re-screening after name changes (marriage, legal name change). A nurse who married mid-cycle and updated their HR record without updating the screening name field can pass screening under the new name while still being on the LEIE under the old.
- Vendor screening evidence destroyed at contract termination. Any prior-vendor LEIE reports not exported in machine-readable format before the contract ended are unrecoverable.
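An added sketch (not from the original article or any vendor product) of the match-and-resolve cycle and the name-change finding above: it screens current and former names against a list snapshot, hashes the snapshot into the report, and treats the cycle as complete only once every potential match carries a documented decision. The `NAME|STATE` row layout, the field names and the sample records are constructed assumptions.

```python
import hashlib
import unicodedata

# Constructed sample data, not real LEIE entries. Row layout "NAME|STATE" is an assumption.
LEIE_SNAPSHOT = ["DOE, JANE A|OH", "SMITH, ROBERT|TX"]
ROSTER = [
    {"id": "E1", "name": "Jane Miller", "former_names": ["Jane A. Doe"]},
    {"id": "E2", "name": "Robert Smith"},
    {"id": "E3", "name": "Alice Nguyen"},
]
DECISIONS = {"confirmed", "dismissed", "pending"}

def norm(name):
    """Loose key: ignores case, accents, punctuation and part order.
    Deliberately over-matches so a reviewer, not the heuristic, dismisses hits."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    parts = "".join(c if c.isalnum() else " " for c in s.lower()).split()
    return " ".join(sorted(parts))

def screen(roster, snapshot_rows, run_date):
    """Screen every current and former name; return the report to archive."""
    index = {}
    for row in snapshot_rows:
        index.setdefault(norm(row.split("|")[0]), []).append(row)
    matches = []
    for person in roster:
        for alias in [person["name"], *person.get("former_names", [])]:
            for row in index.get(norm(alias), []):
                matches.append({"person_id": person["id"], "screened_as": alias,
                                "list_row": row, "decision": None, "note": None})
    # Hash pins the report to the list exactly as it stood on the screening date.
    digest = hashlib.sha256("\n".join(snapshot_rows).encode()).hexdigest()
    return {"run_date": run_date, "snapshot_sha256": digest,
            "roster_size": len(roster), "matches": matches}

def resolve(report, match_no, decision, note):
    """Attach a decision and the reviewer's written note to one potential match."""
    if decision not in DECISIONS or not note.strip():
        raise ValueError("a valid decision and a written note are both required")
    report["matches"][match_no].update(decision=decision, note=note)

def cycle_complete(report):
    """Complete only when every potential match carries a documented decision."""
    return all(m["decision"] in DECISIONS for m in report["matches"])
```

With the sample roster, employee E1 surfaces only because the former name is screened; dropping `former_names` leaves a single potential match.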
What to ask credentialing software vendors
If you are evaluating credentialing software during procurement, these are the questions that separate vendors with real exclusion-screening capability from vendors who treat screening as a checkbox feature:
1. Which of the eight screening sources in the matrix above are screened natively by your platform, and which require a manual lookup or third-party add-on?
2. How do you handle name-collision resolution? Show me a sample match-resolution log for a real customer (anonymized).
3. What is your retention policy for historical screening reports, and what is your export format on contract termination?
4. How do you handle name changes mid-employment? Is the screening database joined to your HR data feed?
5. Do you screen contractors and per-diem staff with the same cadence as W-2 employees, or are contractors a separate screening flow?
6. What is your annual audit support workflow? When an external auditor or CMS requests our screening evidence for the past 10 years, what is the access pattern?
7. Are your screening results timestamped against the source-list publication date, or against the date your platform ran the query? (The audit-defensible answer is: timestamped against the source-list publication date.)
8. What is your remediation workflow when a confirmed match is identified? Do you produce the termination paperwork, the OIG self-disclosure draft, the CMP exposure analysis, or are all of those manual?
Most vendors will answer 1-3 plausibly and start hedging on 5-8. The vendors worth a Pro-tier contract answer all eight without hedging.
The procurement officer’s monthly checklist
For the procurement or compliance officer who runs the monthly cycle:
- OIG LEIE downloaded as of the first business day of the month
- SAM.gov exclusion file downloaded
- State Medicaid exclusion lists downloaded for every state where the practice bills
- OFAC SDN list refreshed (quarterly minimum, but monthly is the audit-clean cadence)
- PECOS opt-out and revocation records pulled for all enrolled providers
- Full roster screened (employees + contractors + per-diem + governance + owners)
- Potential matches generated and reviewed within 5 business days
- Resolution log entries created for each potential match (dismissed or confirmed)
- Confirmed matches actioned within 24 hours: termination, OIG self-disclosure consideration, CMP exposure calculation
- All evidence archived in immutable, retrievable format
- Quarterly: roster reconciliation between HR system, credentialing system, and screening system to catch records that exist in one but not the others
The board-level metric worth reporting at every audit committee meeting: the count of full screening cycles completed in the trailing 12 months (should be 12, occasionally 13 if a month has two cycles for cleanup), the count of potential matches generated, the count resolved, the count confirmed, and the count of active employment relationships terminated as a result. Boards that see these five numbers monthly understand exclusion-screening posture. Boards that see “compliance is in good standing” do not.
Where this fits in the larger compliance frame
OIG exclusion screening is one of three pillars of the federal healthcare-fraud screening regime. The other two are the False Claims Act self-audit cycle and the Anti-Kickback Statute / Stark Law conflict screening. Practices that treat exclusion screening as a standalone monthly task without connecting it to the broader compliance program are operating one-third of the system. The audit-mature posture is a single integrated screening calendar that runs OIG, AKS conflict review, and FCA self-audit on a documented cadence, with the same retention policy, the same evidence-preservation discipline, and the same board reporting cycle.
The procurement-facing payoff: a credentialing software vendor that handles all three pillars in a single platform is worth materially more than one that only handles OIG. When evaluating Pro-tier or Enterprise-tier credentialing platforms during procurement, the integration with adjacent compliance domains is where the meaningful pricing differentiation lives. Vendors that price their OIG screening module à la carte while charging extra for AKS or FCA workflow integration are pricing the easy part and offloading the hard part to your compliance team.
The conversation procurement should have with their compliance officer, before the next vendor demo: “Show me the integration story between OIG screening, kickback review, and self-audit.” If the vendor cannot articulate it cleanly in five minutes, the vendor sells screening, not compliance.