Blog

OIG Exclusion List Monitoring: What You Need to Know

icon person x with checkmark

OIG exclusion list monitoring is a critical tool for ensuring compliance, program integrity, and patient safety. Since it’s also a CMS condition of participation, healthcare organizations can’t afford not to monitor their employed and contracted populations for OIG exclusions.

If you’re looking for an introduction or refresher of the HHS Office of Inspector General (OIG) Exclusion Program and the process of screening your population for exclusions, you’ve come to the right place. In this post, we explain the basics of OIG exclusions and exclusion list monitoring.

Jump to: The OIG LEIE, SAM.gov, Exclusion Monitoring Requirements, Penalties, The Industry’s Best Monitoring

Exclusion Authorities

Exclusions can be levied by HHS OIG, a state agency or Medicaid Fraud Control Unit (MFCU), or by one of the many agencies associated with SAM.gov. Regardless of the authority that levies the exclusion, the excluded party is subject to the same prohibitions.

Here’s a little more insight into each of those authorities. 

HHS Office of Inspector General

The HHS Office of the Inspector General (OIG) Exclusion Program serves to protect federal healthcare programs by limiting the impact of fraudulent and bad actors. Since federal tax dollars are used to reimburse healthcare providers for services, the Department of Health and Human Services (HHS), the Center for Medicare and Medicaid Services (CMS), as well as the Department of Justice (DOJ), have oversight on how those dollars are spent. 

One of the actions HHS OIG can take against an individual (like a doctor or nurse) or entity (such as a provider or vendor) who has been convicted of a certain crime is to exclude them from receiving federal tax dollars, specifically from Medicare and Medicaid. This is called an OIG exclusion.  

State Agencies and Medicaid Fraud Control Units (MFCUs)

Each state has a department or agency dedicated to upholding the integrity of Medicaid programs and public health. Though each state enforcement authority can vary by name and functions, (Department of Medicaid, State OIG, Department of Health Care Services) each one outlines the rules of ineligibility for licensed providers who have been disciplined or lost certain license privileges. Many states maintain and publish their own exclusion list, all of which should be included in your monthly screening process. See our interactive Exclusions List Map to find information about a particular state. 

Download our Guide to Healthcare Exclusion Authorities to learn more.

Mandatory and Permissive Exclusions

While many exclusions are the result of fraudulent or abusive behavior, others are levied due to administrative actions. Regardless of the type or reason, the excluded party is barred from directly or indirectly receiving government healthcare dollars until reinstated.

There are two types of exclusions, mandatory and permissive, depending on the severity of the excluded party’s actions. Mandatory exclusions carry a longer required duration. The reasons for exclusions are described in the Social Security Act 1128.

Mandatory Exclusions

To receive a mandatory exclusion, an individual or entity must have received a felony conviction for:
  • Substance abuse or alcohol abuse
  • Patient abuse
  • Fraud and abuse
  • Sexual assault
  • License revocation due to any of the above
The mandatory exclusion can last from five years up to 50 years—and in certain cases, can be permanent if the felony warrants it.

Permissive Exclusions

To receive a permissive exclusion, an individual or entity must have received a misdemeanor conviction for the crimes listed above. Defaulting on a federal student loan also can also result in a permissive exclusion. The permissive exclusion can last up to five years, but typically lasts one to three years.

When the exclusion period is over for either a mandatory or permissive exclusion, the individual or entity must apply for reinstatement at the federal and state level. Reinstatement is not automatic after the duration has expired.

Exclusion Sources

Exclusions are not just published in one source. They span dozens of on and offline sources across the country. Each source has its own unique way of doing things, which makes monitoring all of them a great big puzzle. 

The HHS Office of Inspector General (OIG)

After the OIG sanctions these individuals and entities, they put them on a list called the List of Excluded Individuals/Entities (LEIE)

Healthcare organizations must then vet their current employees and people they’re considering hiring by checking the list to ensure  that vendors and others they may work with or buy from haven’t been excluded and placed on the list. 

This process happens through the (OIG) Exclusion Program which sets forth expectations and guidelines for healthcare organizations to follow. At first glance, these mandates seem straightforward and simple enough to implement: 

  1. Don’t employ or contract with individuals or entities who have been convicted for certain felonies or misdemeanors. Specifically, don’t reimburse salaries, benefits or items claimed or billed by licensed healthcare providers or administrative personnel. Also, don’t purchase goods or services from an entity or vendor that is excluded.  
  2. Check for currently excluded or sanctioned individuals and entities on the LEIE. 
  3. Check the list regularly to ensure you’re not working with anyone on the list.


The OIG relies on healthcare organizations to carry out this important work and to ensure there are consequences for the parties who have committed these crimes.

GSA SAM.gov

The SAM.gov database is formerly known as the Government Services Administration’s (GSA) list of Excluded Parties List System (EPLS). In 2012, GSA announced it was migrating data from the EPLS to a new and more comprehensive system called the System for Award Management (SAM). Formed under a mandate of the Affordable Care Act, SAM.gov created one broader dataset of individuals and entities that are debarred, sanctioned, or excluded from doing business under a federal contract. The most significant database for healthcare providers, SAM.gov includes several federal contracting databases such as USDA-FNS, TREAS-OFAC, OPM, and more.

If an individual or entity is on SAM.gov, a healthcare company should not be in contractual privity with such person or company as it would be conducting business with a sanctioned, debarred, or excluded party. HHS OIG and CMS have both made it clear that federal program payment for (1) items or services furnished by excluded individuals or entities, and (2) salaries, expenses, or fringe benefits of excluded individuals (regardless of whether they provide direct patient care) are prohibited. SAM.gov datasets should be included in all exclusion screening processes for employed and contracted populations. Learn more about the OIG LEIE vs. SAM.gov.

State Medicaid Exclusion Sources

State Medicaid exclusion sources are varied and present significant challenges to manual screening processes. They publish exclusion records in different formats and with varying amounts of data, making it difficult and resource-intensive to identify a match within your population. 

Learn more about Why Your Low-Cost Exclusion Monitoring is Costing More than You Think.

Why is it important to check every available state exclusion source? Because if an individual or entity is excluded in one state, they’re excluded in every state. And because 50% of all state Medicaid exclusions never show up on the OIG LEIE.

Penalties for Non-Compliance

The financial cost of paying excluded parties is significant. In 2020, the average penalty for an exclusion violation was $101,000. 

Here is what healthcare organizations face if they engage with and reimburse a party that’s on the OIG LEIE:

  • $20,000 per each item claimed or service provided.
  • Treble damages (3 times the amounts claimed to CMS for reimbursement).
  • Possible program exclusion of the company.
  • Possible loss of the right to bill CMS for services rendered.
  • Possible additional fines for filing false claims under the False Claims Act (Penalties up to $11,000 per claim, and possible placement in a Corporate Integrity Agreement with the OIG).
  • Possible criminal fines and/or jail time.

Exclusion Monitoring: How and When

CMS requires healthcare organizations to conduct monthly exclusion monitoring of all employees, contractors, vendors, and ordering and referring providers. But given the irregularity of primary source updates, an ongoing exclusion program is best practice. If you have an excluded provider in your organization, you need to know as soon as possible. 

To find all the current exclusion sources, you can use our interactive exclusion map.  

Given how tedious and time-consuming exclusion monitoring can become, most healthcare organizations choose to partner with a vendor like ProviderTrust who specializes in this monitoring and can provide a more efficient experience. But be aware: not all exclusion monitoring vendors successfully overcome the many challenges involved.

The Challenges

Manually checking all available exclusion sources each month requires an incredible amount of work! We do not recommend an organization of any size attempt to do this—it’s simply not worth your time. Here’s why: 

  • The data is sparse. The publicly available data is pretty thin, which makes it hard to confirm exclusion matches with any certainty—unless you have enriched primary source data to fill in the gaps (like ProviderTrust does). Learn more about data enrichment
  • States must report in 30 days; in reality, it’s 173. States with Medicaid exclusion lists are required to report exclusions or terminated providers to OIG within 30 days in accordance with Performance Standard 8. However, the actual average time to make it to the OIG LEIE is 173 days. 
  • It’s always a moving target. Lists are regularly updated and published on different schedules— some update once a month, others once a quarter and others update periodically with no formal schedule.
  • Determining a match with certainty is complex. Most vendors can only return “potential” or “fuzzy” matches, which means they don’t have enough data about the exclusion to be certain whether that individual or entity is working with your organization. This creates hours of manual work for your team each month. 
  • Once you’re done, you have to start over again. To stay in compliance, this checking and cross-checking must be done every month. 
  • There’s no room for error. Anyone who hires an individual or entity on the LEIE may be subject to civil monetary penalties (CMP).  If your vendor misses an exclusion, you’re the one who has to pay the penalties. Learn more about Why Your Low-Cost Exclusion Monitoring is Costing More than You Think.

The Industry’s Best Exclusion Monitoring

Don’t trust your organization’s compliance with anyone but the best. Unlike most vendors, ProviderTrust doesn’t rely only on sparse publicly available data. We combine powerful data enrichment and the industry’s best matching algorithms to deliver your team superior results with the most efficiency. 

Stay Up-to-Date

Subscribe and get the latest news and advice from industry experts delivered straight to your inbox.

Related Resources

Never miss an update

Get the latest healthcare news, advice from industry experts, and all things related to monitoring solutions delivered straight to your inbox.