How to Set Up an OIG Exclusion Screening Program: A Step-by-Step Guide for Healthcare Organizations
Building a dependable exclusion screening program protects your organization from billing risk, overpayments, and reputational harm. By methodically screening your workforce and vendors against the OIG List of Excluded Individuals/Entities and related datasets, you can prevent sanctioned parties from participating in federal healthcare programs. The steps below translate regulatory expectations into a practical, auditable workflow you can implement today.
Use this guide to define scope, set screening frequency, and establish documentation requirements that stand up to audits. You will also learn how to respond when you encounter potential matches, including legal counsel notification and corrective actions tied to healthcare program sanctions.
Understand OIG Guidelines
What exclusion means
Exclusion bars an individual or entity from participating in federal healthcare programs. If an excluded party provides items or services that are billed—directly or indirectly—to those programs, related claims can trigger overpayments and penalties. Your goal is to prevent excluded parties from being hired, contracted, staffed, or paid for federal program work.
Who you must screen
- All employees, medical staff, contractors, temps, volunteers, students, and governing body members who may influence, furnish, order, or bill for federally reimbursed services.
- Vendors and subcontractors whose work supports care delivery or billing (e.g., pharmacy services, revenue cycle, transportation, telehealth, IT support tied to claims).
- Referral sources and ordering providers whose decisions can affect federal claims.
Core datasets and concepts
- OIG List of Excluded Individuals/Entities (LEIE) as the primary federal source for exclusions.
- State-level Medicaid Exclusion Lists and other state sanctions that can affect your program participation and payer contracts.
- Healthcare program sanctions beyond exclusion, such as license actions or federal debarment, which may be relevant to your Compliance Programs and credentialing.
Document the regulatory touchpoints that apply to your organization, including federal participation requirements, payer contracts, and state Medicaid mandates. This foundation drives policy design and audit readiness.
Develop Policies and Procedures
Governance and accountability
Assign ownership to Compliance, with defined roles for HR, Medical Staff Services, Supply Chain, Credentialing, and Revenue Cycle. Establish a compliance committee reporting path and board-level visibility. Name a program owner responsible for monitoring performance and resolving escalations.
Scope and inclusion criteria
- Define which populations are screened (employees, privileged providers, contractors, vendors, students) and when (pre-hire, pre-privileging, pre-contract, and ongoing).
- Specify which data sources are mandatory and which are risk-based additions.
- Codify screening frequency for each population and dataset, including ad hoc checks for high-risk events (e.g., role change, adverse media, complaint).
Process controls
- Standardize data collection at onboarding (legal name history, date of birth, NPI, and other identifiers) to improve match accuracy.
- Require independent review for potential matches, with separation of duties between screeners and approvers.
- Set Documentation Requirements for every step: search parameters, results, disposition notes, reviewer names, and timestamps.
Escalation and legal alignment
Define clear Legal Counsel Notification triggers (e.g., confirmed exclusion, payer inquiry, government subpoena, repayment exposure). Include timelines for immediate removal from federally reimbursed duties, claim impact analysis, and disclosure considerations.
Identify Screening Sources
Primary sources to include
- OIG List of Excluded Individuals/Entities for federal exclusions.
- Medicaid Exclusion Lists for every state where you operate, bill, or where your workforce resides.
- State professional licensing boards and disciplinary actions to detect sanctions that can foreshadow or accompany exclusions.
- Other relevant sanctions or debarment datasets required by your payers or contracts.
Data elements to collect for matching
- Full legal name with aliases, date of birth, NPI, professional license numbers, and organization names with former/DBA names.
- For entities: FEIN, address history, and parent/subsidiary relationships to reduce false negatives.
Quality and privacy safeguards
Use standardized, role-based access to screening tools. Retain only the minimum necessary identifiers, secure stored results, and restrict access to authorized reviewers to protect sensitive data during matching and adjudication.
Conduct Initial Screening
Prepare your roster
- Consolidate onboarding and HRIS data into a single deduplicated list of all screened populations.
- Normalize names and identifiers; capture name changes and prior identities to improve match rates.
Run searches and adjudicate results
- Search required datasets using exact and fuzzy logic (e.g., name variants, reversed first/last names).
- Flag potential matches and route them for secondary review. Verify identity using multiple data points (DOB, NPI, license, address).
- For vendors, confirm the legal entity name and FEIN align with contracts and invoices.
Finalize dispositions and controls
- Record the basis for each decision (matched/not matched/insufficient data) and the reviewer’s sign-off.
- For any confirmed exclusion, immediately restrict the individual or entity from federally reimbursed work and notify appropriate leaders per your policy.
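The search-and-adjudicate steps above, and the auditable record described under "Document and Track Results", as one added worked example. This is illustrative code written for this guide, not code from the original article or from Accountable. The LEIE rows, their column names (lastname, firstname, busname, npi, dob, excltype, excldate) and the dataset version string are constructed, simplified assumptions; a real LEIE download has its own documented column layout and should be parsed against that. The example normalizes names (accents, punctuation, case), searches exact, alias and reversed first/last forms, adjudicates each hit on secondary identifiers (NPI first, then DOB), and writes a record that leaves the approver field empty for a second person to fill in, reflecting the separation of duties the guide calls for.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample rows in a simplified LEIE-like layout (assumed column
# names; not real LEIE data and not real people or businesses).
SAMPLE_LEIE = [
    {"lastname": "Doe", "firstname": "Jane", "busname": "",
     "npi": "1234567893", "dob": "1975-04-12",
     "excltype": "1128a1", "excldate": "2021-03-20"},
    {"lastname": "Doe", "firstname": "Jane", "busname": "",
     "npi": "", "dob": "1962-09-01",
     "excltype": "1128b4", "excldate": "2019-11-05"},
    {"lastname": "", "firstname": "", "busname": "Acme Home Health, LLC",
     "npi": "1987654321", "dob": "",
     "excltype": "1128b7", "excldate": "2022-07-15"},
]
DATASET_VERSION = "constructed-sample-2024-01"  # placeholder, not a real release id


def normalize(text: str) -> str:
    """Uppercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text or "")
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^A-Za-z0-9 ]+", " ", text)
    return re.sub(r"\s+", " ", text).strip().upper()


def person_key(first: str, last: str) -> str:
    """'FIRST LAST' search key; empty string if both parts are blank."""
    return " ".join(p for p in (normalize(first), normalize(last)) if p)


@dataclass
class RosterEntry:
    subject_id: str      # internal HRIS or vendor-master id
    names: list          # (first, last) tuples: legal name plus prior names/aliases
    busname: str = ""    # legal entity name for vendors
    npi: str = ""
    dob: str = ""        # ISO date string, as captured at onboarding


def name_keys(entry: RosterEntry) -> set:
    """Every normalized name form to search, including reversed first/last."""
    keys = set()
    for first, last in entry.names:
        keys.add(person_key(first, last))
        keys.add(person_key(last, first))  # catches reversed name order
    if entry.busname:
        keys.add(normalize(entry.busname))
    keys.discard("")
    return keys


def candidate_rows(entry: RosterEntry, dataset: list) -> list:
    """Return every dataset row whose name forms intersect the search keys."""
    keys = name_keys(entry)
    hits = []
    for row in dataset:
        row_keys = {person_key(row["firstname"], row["lastname"]),
                    normalize(row["busname"])}
        row_keys.discard("")
        if keys & row_keys:
            hits.append(row)
    return hits


def adjudicate(entry: RosterEntry, row: dict) -> tuple:
    """Compare secondary identifiers on a name hit; returns (disposition, reason)."""
    if entry.npi and row["npi"]:
        return ("matched", "NPI agrees") if entry.npi == row["npi"] \
            else ("not matched", "NPI differs")
    if entry.dob and row["dob"]:
        return ("matched", "DOB agrees") if entry.dob == row["dob"] \
            else ("not matched", "DOB differs")
    return "insufficient data", "no shared secondary identifier; route to reviewer"


def screen(entry: RosterEntry, dataset: list, screener: str,
           dataset_version: str = DATASET_VERSION) -> dict:
    """Run one screening and return the auditable record for it."""
    hits = candidate_rows(entry, dataset)
    dispositions = []
    for row in hits:
        disposition, reason = adjudicate(entry, row)
        dispositions.append({"row": row, "disposition": disposition, "reason": reason})
    outcomes = [d["disposition"] for d in dispositions]
    if "matched" in outcomes:
        overall = "matched"
    elif "insufficient data" in outcomes:
        overall = "insufficient data"
    else:
        overall = "not matched"
    return {
        "subject_id": entry.subject_id,
        "search_timestamp": datetime.now(timezone.utc).isoformat(),
        "dataset": "LEIE (constructed sample)",
        "dataset_version": dataset_version,
        "search_terms": sorted(name_keys(entry)),
        "raw_results": hits,
        "dispositions": dispositions,
        "overall_disposition": overall,
        "screener": screener,
        # Anything other than a clean "not matched" goes to a second reviewer;
        # the approver is recorded by that person, never by the screener.
        "requires_secondary_review": overall != "not matched",
        "approver": None,
    }


if __name__ == "__main__":
    rec = screen(RosterEntry("EMP-001", [("Jane", "Doe")],
                             npi="1234567893", dob="1975-04-12"),
                 SAMPLE_LEIE, screener="screener.a")
    print(rec["overall_disposition"], [d["reason"] for d in rec["dispositions"]])
```

Two behaviours are worth noticing when running it. The same name hits both constructed "Jane Doe" rows, but the NPI resolves one as a match and the DOB clears the other, which is the secondary-identifier verification the guide describes. The vendor entry carries no NPI or DOB, so its name hit is recorded as "insufficient data" and routed to a reviewer rather than silently cleared; in practice, collecting FEIN and address history at onboarding (as the guide recommends) is what turns that outcome into a decision.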
Perform Ongoing Monitoring
Set screening frequency
Adopt a screening frequency that meets regulatory expectations and payer requirements while fitting your risk profile. Many organizations perform monthly checks of the LEIE and state Medicaid Exclusion Lists, with more frequent reviews for high-risk roles and less frequent for low-risk vendors when permitted by policy.
Risk-based monitoring
- High-risk: ordering/prescribing providers, revenue cycle, pharmacy, DME, home health—monitor monthly or more often.
- Moderate risk: clinical support, IT tied to claims, third-party billing—monitor monthly or quarterly.
- Lower risk: indirect vendors not involved in claims—monitor quarterly or semiannually if policy allows.
Change-driven triggers
Re-screen immediately upon role changes, new privileges, new contracts, adverse events, or credible complaints. Capture these out-of-cycle checks in your logs with full context and disposition notes.
Document and Track Results
Build an auditable record
- Store search date, dataset name and version, search terms, raw results, disposition rationale, and approver details.
- Maintain a cumulative screening history per person or entity to show continuous monitoring.
Retention and security
- Define retention periods that align with regulatory, payer, and organizational requirements.
- Encrypt stored results, restrict access, and audit user activity to safeguard PHI and sensitive identifiers.
Program performance metrics
- Track cycle times, hit rates, false positives, unresolved cases aging, and corrective action completion.
- Report trends to your compliance committee and board to demonstrate an effective Compliance Program.
Train Staff
Who to train and when
- Provide training for HR, Medical Staff Services, Credentialing, Supply Chain, managers, and screeners during onboarding and at least annually.
- Offer targeted refreshers after policy changes or audit findings.
What to cover
- Purpose and impact of exclusions, including healthcare program sanctions and repayment risk.
- Step-by-step screening workflow, documentation standards, and privacy safeguards.
- How to recognize red flags and initiate Legal Counsel Notification when needed.
Measure effectiveness
- Use scenario-based exercises, spot checks, and post-training quizzes to confirm comprehension.
- Document attendance, scores, and remediation to evidence a culture of compliance.
Respond to Positive Matches
Immediate containment
- Temporarily remove the person or entity from federally reimbursed duties pending verification.
- Secure relevant records and pause payments related to the suspected match.
Verification workflow
- Compare multiple identifiers (DOB, NPI, license, FEIN, address) to confirm identity.
- Document each verification step and reviewer sign-off. If the match is confirmed, determine the effective date of the exclusion so the impact analysis covers the right period.
Corrective actions and notifications
- Notify Legal and Compliance leadership immediately per your Legal Counsel Notification protocol.
- Assess claims and payments during the exclusion period; initiate repayment and disclosure steps consistent with your policy and payer requirements.
- Update rosters, restrict system access, and revise processes that allowed the lapse.
Prevention and follow-up
- Perform a root-cause analysis, issue or update corrective action plans, and add control checkpoints where gaps were identified.
- Communicate lessons learned in staff training and governance reports.
Conclusion
A strong exclusion screening program blends clear policies, reliable data sources, disciplined monitoring, and rapid response. By aligning screening frequency with risk, enforcing rigorous documentation requirements, and hardwiring escalation to legal counsel, you protect your organization from healthcare program sanctions and ensure only eligible parties support federally reimbursed care. This step-by-step approach makes it practical to set up and sustain an OIG exclusion screening program that stands up to scrutiny.
FAQs
What is the OIG exclusion list?
The OIG exclusion list—officially the OIG List of Excluded Individuals/Entities—identifies people and organizations barred from participating in federal healthcare programs. If an excluded party provides items or services billed to those programs, related claims can trigger overpayments, penalties, and additional sanctions.
How often should exclusion screening be performed?
Many organizations screen the LEIE and applicable Medicaid Exclusion Lists on a monthly basis because new exclusions are posted frequently. Your screening frequency should reflect regulatory and payer expectations and your internal risk assessment, with more frequent checks for high-risk roles and less frequent for low-risk vendors when allowed by policy.
What steps should be taken after a positive match?
Immediately restrict the individual or entity from federally reimbursed duties, verify the match using multiple identifiers, and notify Legal and Compliance. Conduct a claims impact review, initiate any required repayments or disclosures, document every action taken, and implement corrective measures to prevent recurrence.
What are the penalties for non-compliance?
Penalties can include repayment of affected claims, civil monetary penalties, damage to payer relationships, corporate integrity obligations, and other healthcare program sanctions. Strong policies, thorough documentation, and prompt escalation to legal counsel help reduce exposure and demonstrate good-faith compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.