OIG LEIE Monthly Exclusion Screening: Process + Audit-Ready Logs
8 min read · Last reviewed May 23, 2026
The OIG LEIE database must be screened monthly for every workforce member, credentialed provider, and contractor whose services are billed to a federal healthcare program. Missing an exclusion exposes the practice to civil monetary penalties of up to $25,595 per item under 42 CFR § 1003.210(a)(4) (2026 inflation-adjusted amount; statutory authority at 42 USC § 1320a-7a) plus treble damages. Screen the LEIE, SAM.gov, and applicable state Medicaid exclusion lists on the same monthly cadence.
Cadence: why monthly, not quarterly
The OIG's Special Advisory Bulletin on the Effect of Exclusion recommends monthly screening. CMS State Medicaid Director Letter #09-001 requires that state Medicaid programs ensure providers do not employ or contract with excluded individuals — and most state Medicaid contracts pass that obligation through as monthly screening.
Quarterly does not catch a hire who became excluded mid-month, nor a vendor whose principal was excluded shortly after onboarding. Annual is essentially indefensible if the practice bills Medicare or Medicaid. The LEIE is updated by OIG within 30 days of each exclusion action; SAM.gov updates daily. Monthly screening keeps the practice's evidence window inside the OIG's update cycle.
In our analysis of 400+ d3rx client binders, the most common failure mode is not running the screen at all for back-office contractors. The second most common is running the screen monthly for W-2 staff but only at credentialing for providers, missing a provider who is excluded during the term of employment.
Who must be screened
Cast a wide net. The OIG, CMS, and most state Medicaid agencies treat "person who furnishes items or services" expansively.
| Population | Source list | Screening cadence | |---|---|---| | W-2 employees with PHI or billing access | HR roster | Monthly | | Credentialed providers (MD, DO, NP, PA, DC, etc.) | Credentialing file | Monthly | | Locum tenens and 1099 clinicians | Contractor list | Monthly | | Volunteers in clinical roles | Volunteer roster | Monthly | | Vendors who directly furnish billable items (DME, lab) | Vendor list | Monthly (entity + principals) | | Back-office vendors (RCM, transcription, IT MSP, EHR) | BAA vendor list | Quarterly minimum + executed attestation | | Owners and board members | Ownership/governance file | Monthly |
Add every new hire and every new contracted entity to the screening list before their start date. The first screen happens before the first paycheck or invoice, not after.
The monthly workflow
``` Step 1 — Build / refresh the screening roster (first business day of the month) Pull HR roster, credentialing file, contractor list, vendor list, ownership file. Cross-check against last month's roster — flag any additions, terminations, or name changes.
Step 2 — Run LEIE screen (https://oig.hhs.gov/exclusions/) Search by name and (for entities) by EIN or NPI. Export the "no records found" or "match found" result per name.
Step 3 — Run SAM.gov screen (https://sam.gov/search/exclusions) Search by name and (for entities) by Unique Entity ID. Export the result per name.
Step 4 — Run state Medicaid exclusion screen Apply each state where the practice bills Medicaid. Use the state's published exclusion list URL; some states delegate to LEIE + attestation, others publish their own list.
Step 5 — File the dated evidence in the compliance binder One per month, named YYYY-MM exclusion screening log.
Step 6 — Escalate any hit immediately (see escalation path below). ```
For a practice with under 50 names on the roster, the LEIE + SAM.gov + one state Medicaid list takes a trained staff member roughly 45 minutes per month via the free databases. Paid aggregators reduce that to under 10 minutes per month and provide an audit-formatted PDF log.
The audit-ready monthly log
This is the exact table format that survives an OCR or OIG audit. Embed it in the compliance binder, one row per screened person/entity per month.
| Date screened | Name (last, first) or entity | Role | NPI / EIN | LEIE result | SAM.gov result | State Medicaid result | Screener (initials) | |---|---|---|---|---|---|---|---| | 2026-05-01 | Adams, Jane (MD) | Credentialed provider | 1234567890 | No record | No record | CA — No record | JS | | 2026-05-01 | Brown, Marcus | Medical assistant | n/a | No record | No record | CA — No record | JS | | 2026-05-01 | RCM Vendor LLC | Billing contractor | EIN 12-3456789 | No record | No record | n/a | JS | | 2026-05-01 | Chen, Lisa (NP) | Locum tenens | 9876543210 | Match | No record | CA — pending verify | JS |
A "Match" entry triggers the escalation workflow immediately. The log is not the place to resolve a match — it is the place to record that the match was identified on a specific date.
Required columns auditors look for
- Date of screen (not just month — exact date).
- Full legal name, including any prior names or aliases noted in HR file.
- Role (credentialed provider, employee, contractor, vendor).
- NPI for individuals, EIN for entities.
- Result per database (LEIE, SAM.gov, every state Medicaid list in scope).
- Screener's name or initials.
- Retention: at least 10 years for federal-program billing entities.
Evidence to retain
For every monthly screening cycle, file in the binder:
- The roster used (CSV or PDF) — proof of who was screened.
- The full result page or export per name (a "no record found" screenshot per name OR an aggregated paid-service PDF).
- The dated log table above.
- For any match: the verification artifacts (date-of-birth match, SSN last-4, employment dates).
- Vendor attestations for any back-office vendor whose own staff are not directly screened by the practice.
Retention guidance: 10 years aligns with the False Claims Act statute of limitations and the Medicare Program Integrity Manual recordkeeping expectation. Some state Medicaid contracts require longer.
Escalation path on a match
A LEIE or SAM.gov match is a stop-the-bus event. The workflow:
- Within 1 business day: verify the match is the same person — date of birth, prior names, NPI cross-check on NPPES. False positives on common names are routine; do not act on a name-only match without verification.
- If verified: stop billing for any services furnished by the individual immediately. Document the stop with a dated note.
- Within 5 business days: notify external healthcare counsel. Excluded-person hiring is a 60-day Overpayment Rule and often a False Claims Act event.
- Within 60 days of identification: assess and refund any overpayments for services furnished by the excluded individual. The 60-day clock starts when the overpayment is identified, not when the screen is run.
- Consider OIG Self-Disclosure (SDP) for any extended employment. SDP settlements are typically multiple-times lower than litigated CMPs.
- File the matter in the binder: dated match, verification, stop-billing date, refund record, counsel engagement, SDP outcome.
This is exactly where a binder pays for itself — the dated evidence trail produced by routine monthly screening is the difference between a self-disclosed administrative matter and a CMP referral.
State preemption and Medicaid carveouts
State Medicaid agencies publish their own exclusion lists and impose state-specific screening requirements that go beyond the federal LEIE. California, New York, Texas, Florida, Pennsylvania, and Ohio each maintain a state Medicaid exclusion list with monthly screening expectations. Some states (e.g., Texas via the Texas Health and Human Services OIG list) require screening against the state list as a contractual term of Medicaid participation.
If you bill multiple state Medicaid programs, the screening roster includes the federal LEIE + SAM.gov + each state's list — not just the practice's home state.
What goes wrong
The five recurring defects in d3rx's binder review:
- Screen is run monthly for W-2 staff but only at credentialing for providers, missing mid-employment exclusion.
- Back-office vendors are never screened and no attestation is on file.
- Log entries record "no record found" but no roster is filed — auditor cannot verify who was actually screened.
- NPI/EIN columns are blank, so common-name false positives are not resolved.
- A match is recorded but no escalation evidence (counsel, stop-billing, refund) follows in the binder.
How d3rx fits
The d3rx compliance binder tracks the monthly screening roster, files the dated evidence per cycle, and prompts on every new hire or new vendor to add them to next month's screen. It is an administrative documentation aid, not a substitute for counsel on a confirmed match. The practice remains responsible for running the screens and for the billing decisions on a match.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — OIG LEIE Monthly Exclusion Screening: Process + Audit-Ready Logs. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
How often do I actually need to re-run LEIE — monthly, quarterly, or at hire?
OIG's Special Advisory Bulletin on the Effect of Exclusion (May 2013) recommends monthly screening of all employees, contractors, and vendors who are reimbursed by federal healthcare programs. CMS State Medicaid Director letters and most state Medicaid agencies impose monthly as a contractual requirement on participating providers. Quarterly is not defensible if the practice bills Medicaid. Annual is indefensible for any federally-billing practice.
Do I need to screen vendors and contractors, not just W-2 employees?
Yes. OIG's guidance is explicit that the screening obligation extends to anyone who furnishes items or services that are payable by federal healthcare programs, including independent contractors, locum tenens, billing companies, transcription services, and DME suppliers. Practical scope: screen every individual or entity on a [BAA vendor list](/compliance-guides/baa-vendor-list-small-practice), plus every provider the practice credentials, plus every billing-side contractor.
What is the difference between the LEIE and SAM.gov, and do I need both?
The OIG List of Excluded Individuals/Entities (LEIE) covers exclusions from federal healthcare programs under sections 1128 and 1156 of the Social Security Act. SAM.gov (formerly EPLS) covers a broader set of federal debarments and procurement exclusions. Best practice and most state Medicaid contracts require screening both. SAM.gov is free; the LEIE database at https://oig.hhs.gov/exclusions/ is free. Paid third-party services aggregate both plus state Medicaid lists, which is the typical small-practice approach.
What happens if I miss an exclusion and bill for the excluded person's services?
Civil monetary penalties under 42 USC § 1320a-7a of up to $25,595 per item or service furnished by the excluded individual, plus treble damages, plus possible exclusion of the practice itself. OIG also publishes Self-Disclosure Protocol settlements monthly involving practices that hired an excluded person — typical settlements are six figures even for short employment periods. The 'I didn't know' defense fails because monthly screening is the OIG's published expectation.
Can I rely on the vendor's attestation that they screen their own staff?
Use the attestation, but verify. A signed exclusion-screening attestation from the vendor is appropriate evidence to file, but it does not transfer the practice's screening obligation for individuals who directly furnish items or services that the practice bills. For pure back-office vendors (e.g., RCM, transcription) whose staff never become billable, the attestation is usually sufficient; for clinical contractors, screen the individual.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 42 CFR § 1003.210(a)(4)https://www.federalregister.gov/documents/2026/01/28/2026-01688/annual-civil-monetary-penalties-inflation-adjustment
- LEIEhttps://oig.hhs.gov/exclusions/
- SAM.govhttps://sam.gov/
- Special Advisory Bulletin on the Effect of Exclusionhttps://oig.hhs.gov/exclusions/files/sab-05092013.pdf
- State Medicaid Director Letter #09-001https://www.medicaid.gov/sites/default/files/federal-policy-guidance/downloads/smd10009.pdf
- Medicare Program Integrity Manualhttps://www.cms.gov/regulations-and-guidance/guidance/manuals/internet-only-manuals-ioms
- NPPEShttps://npiregistry.cms.hhs.gov/
- 60-day Overpayment Rulehttps://www.cms.gov/regulations-and-guidance/guidance/transmittals/2016-transmittals/r1700otn
- SDPhttps://oig.hhs.gov/compliance/self-disclosure-info/
- exclusionshttps://sam.gov/search/exclusions
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related across the archive
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- SRAOCR Audit Protocol: What Small Practices Should ExpectHow the HHS Office for Civil Rights HIPAA Audit Protocol is structured, what OCR has publicly announced about the audit program restart, and how a small practice prepares its binder against the protocol's audited elements.
- CompliancePECOS Provider Enrollment Verification (2026) — Quarterly ChecklistQuarterly PECOS provider enrollment verification workflow: who to check, the exact lookup steps, the audit log columns, and the revalidation escalation path.
- GlossarySAM.gov ScreeningScreening of staff and vendors against the federal System for Award Management exclusion list.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.