Sanction Checks & Exclusions Regulated by the Office of Inspector General (OIG) to Ensure Enterprise Risk Management in Healthcare


The Office of Inspector General (OIG) was established in the U.S. Department of Health and Human Services (HHS) to identify and eliminate fraud, waste, and abuse in the department’s programs and to promote efficiency and economy in departmental operations. The OIG carries out its responsibilities through a nationwide program of audits, inspections, and investigations. The OIG has also been given the authority to exclude individuals and entities who have engaged in fraud or abuse from participation in Medicare, Medicaid, and other federal health care programs. The OIG also has the authority to impose civil money penalties (CMPs) for certain misconduct related to federal health care programs (sanction checks and exclusions).

Congress has further strengthened and expanded the OIG’s authority to exclude individuals and entities from federal health care programs. These laws expanded the OIG’s authority to assess monetary penalties against individuals and entities that violate the law. To combat healthcare fraud, OIG partners with the United States Department of Justice (DOJ), state Medicaid Fraud Control Units (MFCUs), and other federal, state, and local law enforcement agencies. These partnerships include the Medicare Fraud Strike Force, which detects, investigates, and prosecutes healthcare fraud through a coordinated and data-driven approach. In OIG’s recent semiannual report to Congress, the OIG indicated that it expects $2.91 billion in investigative recoveries and $521 million in audit recoveries for fiscal year 2018.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 authorized the OIG to provide guidance to the health care industry to prevent fraud and abuse, and to promote high levels of ethical and lawful conduct. The Balanced Budget Act (BBA) of 1997 further expanded the OIG’s sanction authorities. These statutes extended the application and scope of the current CMPs and exclusion authorities beyond programs funded by the department to all “federal health care programs.” BBA also authorized a new CMP authority to be imposed against health care providers or entities that employ or enter into contracts with excluded individuals for the provision of services or items to federal program beneficiaries.

The basic effect of an OIG exclusion from federal health care programs is that no federal health care program payment may be made for any items or services furnished by an excluded individual or entity or directed or prescribed by an excluded physician. This payment ban applies to all methods of federal program reimbursement.

The prohibition against federal program payment for items or services furnished by excluded individuals or entities also extends to payment for administrative and management services not directly related to patient care, but that are a necessary component of providing items and services to federal program beneficiaries.

There are a variety of types of items or services that are reimbursed by federal health care programs which, when provided by excluded parties, violate an OIG exclusion. These include:

  • Services performed by excluded nurses, technicians, or other excluded individuals who work for a hospital, nursing home, home health agency, or physician practice.
  • Services performed by excluded pharmacists or other excluded individuals who input prescription information for pharmacy billing or who are involved in any way in filling prescriptions for drugs reimbursed.
  • Services performed by excluded ambulance drivers, dispatchers, and other employees involved in providing transportation.
  • Services performed for program beneficiaries by excluded individuals who sell, deliver, or refill orders for medical devices or equipment.
  • Services performed by excluded social workers who are employed by health care entities to provide services.
  • Administrative services, including the processing of claims for payment, performed for a Medicare intermediary or carrier, or a Medicaid fiscal agent, by an excluded individual.
  • Services performed by an excluded administrator, billing agent, accountant, claims processor, or utilization reviewer that are related to and reimbursed, directly or indirectly.

Cost of Violation of an OIG Exclusion by an Excluded Individual or Entity

Receiving an exclusion from OIG can have a devastating effect on a healthcare stakeholder and can spell the end of a career or a business in the healthcare industry. Once excluded or sanctioned, an individual or entity is prohibited from receiving payment or reimbursement from any federal healthcare program, which includes Medicare and Medicaid. The payment prohibition affects the person, anyone who contracts or employs the excluded person, and health providers that service the person.

An excluded party is in violation of its exclusion if it furnishes to federal program beneficiaries items or services for which federal health care program payment is sought. An excluded individual or entity that submits a claim for reimbursement to a federal health care program, or causes such a claim to be submitted, may be subject to a CMP of $10,000 for each item or service furnished during the period that the person or entity was excluded. The individual or entity may also be subject to treble damages for the amount claimed for each item or service. Consider that a large organization probably processes thousands of claims in a month. Multiply that by $10,000 and you can understand the significance of this risk to a healthcare organization.

The major challenges are significant: there are now close to 42 federal and state exclusion lists that should be checked, and their contents change constantly. A provider or vendor may not be on an exclusion list one month and then be on it the next. If the healthcare organization has not performed adequate sanction checks, it could now be working with an entity that it is forbidden to work with.

To be effective in the sanction checks screening process, it is necessary to go through the exclusion lists managed and maintained by the entities that give out the sanctions, which is either the OIG or a state Medicaid agency. The OIG’s List of Excluded Individuals and Entities (LEIE) is the primary federal-level list that should be referenced for currently excluded individuals but there are others like the General Services Administration’s (GSA) Excluded Parties List System (EPLS). The LEIE is updated every month while the GSA System for Award Management, which includes the EPLS, is usually updated every week.

Additionally, there are the state-level exclusion lists that are separately maintained by different states. Ideally, the names included in the state-level lists should also be found in the LEIE, but that is not a certainty. As such, it’s best to also consult the specific state’s exclusion list when performing a sanction checks screening. How often these lists are updated depends on the state. So, if a healthcare entity is doing business in multiple states, a healthcare stakeholder needs to consider both the federal and state databases that apply.

Any person who provides any service or item that is being paid in part or in full by any federal healthcare program must be screened. This includes employees, contractors, subcontractors, and even people employed by contractors. Employees might be screened by the human resources department. Professional caregivers may be screened by a credentialing committee. The procurement department might perform sanction checks screening on all their vendors to ensure that their contractors and vendors are not on any of the exclusions lists. Ultimately, the responsibility for all of this falls on the compliance office.

The sheer number of names to be screened and the different formats, update schedules, and features of the sanction lists make manual screenings a complicated, time-consuming, and very risky task. While the sanction checks screening process is conducted, here are some areas to consider:


The OIG updates the LEIE list every month and recommends that providers perform sanction checks on their employees on a monthly basis. Adhering to this guideline lowers financial risk as it allows the organization to detect excluded employees or contractors as early as possible and minimize the amount of potential take backs and fines from CMS. In addition, screening employees, physicians, and contractors or vendors before getting them on board is also a must, and then this should be maintained as they are working with the


When doing searches, exact matches of first and last names are not enough. To ensure the reliability and accuracy of the sanctions check search, consideration should be given to name variations, maiden names, hyphenations, international names, and spelling errors. While this is a difficult process, it cannot be used as an excuse for failing to detect an excluded individual.


Vendor matching for sanction checks can be difficult because, aside from the vendor name and Employer Identification Number (EIN), there is often not much more information that can be used. If screening all vendors is too monumental a task, the healthcare stakeholder should consider prioritizing contractors that get paid beyond a certain amount or provide significant billing services. This can help lower financial risk.


Sanction checks screening documentation plays an important role in the event there is a match or a probable match, or in case of an audit. It’s ideal to keep screenshots, documents, and time stamps of the names that have already been reviewed, the exclusion list the names were reviewed against, and the process of determining a match.
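The name-variation guidance above (maiden names, hyphenation, international spellings, typos) and the documentation requirement in the preceding paragraph can be illustrated together. The following is an added example, not code from this article or from any vendor's product: it normalizes names, checks every alias a subject declared at onboarding, tolerates spelling errors with a similarity score, screens against each list separately, and returns a timestamped record per list that can be filed as audit evidence. The exclusion lists, names, thresholds and record shape are all constructed for the example and are not real LEIE or state-list data.

```python
"""
Added example: sanction-screening routine with name normalisation, alias
(maiden/former name) checks, hyphenation and spelling-error tolerance, and a
timestamped record of each check for the compliance file. Not code from the
article or from SureShield. The lists below are CONSTRUCTED sample data in an
LEIE-like shape; the people are hypothetical.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Constructed sample lists keyed by list name (hypothetical people, not real exclusions).
SAMPLE_LISTS: Dict[str, List[dict]] = {
    "LEIE": [
        {"first": "Mary", "last": "O'Brien-Smith", "reason": "sample: program-related conviction"},
        {"first": "Thanh", "last": "Nguyen", "reason": "sample: license revocation"},
    ],
    "STATE-XX": [
        {"first": "Jürgen", "last": "Müller", "reason": "sample: state Medicaid termination"},
    ],
}


@dataclass
class Subject:
    first: str
    last: str
    # Maiden, former or alternate full names supplied at onboarding ("First Last").
    aliases: List[str] = field(default_factory=list)


@dataclass
class ScreeningRecord:
    subject: str
    list_name: str
    checked_at: str              # UTC ISO timestamp, kept as audit evidence
    status: str                  # "CLEAR", "EXACT" or "PROBABLE" (needs human review)
    score: float = 0.0
    matched_entry: Optional[dict] = None


def name_tokens(name: str) -> List[str]:
    """Fold diacritics and case, drop apostrophes, split on hyphens and spaces."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().replace("'", "").replace("\u2019", "")
    return re.sub(r"[^a-z]+", " ", folded).split()


def name_key(*parts: str) -> str:
    """Order-insensitive key: sorted tokens joined, so "Smith-O'Brien Mary" and
    "Mary O'Brien Smith" collapse to the same string."""
    tokens: List[str] = []
    for part in parts:
        tokens.extend(name_tokens(part))
    return "".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 only for identical keys."""
    return SequenceMatcher(None, a, b).ratio()


def screen_against_list(subject: Subject, list_name: str, entries: List[dict],
                        threshold: float = 0.85) -> ScreeningRecord:
    """Compare the subject's name and every alias with every entry; keep the best hit.
    The 0.85 threshold is an assumption chosen for the example, not a published value."""
    candidates = [f"{subject.first} {subject.last}"] + list(subject.aliases)
    best_score, best_entry = 0.0, None
    for entry in entries:
        entry_key = name_key(entry["first"], entry["last"])
        for cand in candidates:
            score = similarity(name_key(cand), entry_key)
            if score > best_score:
                best_score, best_entry = score, entry
    if best_score == 1.0:
        status = "EXACT"
    elif best_score >= threshold:
        status = "PROBABLE"
    else:
        status, best_entry = "CLEAR", None
    return ScreeningRecord(
        subject=f"{subject.first} {subject.last}",
        list_name=list_name,
        checked_at=datetime.now(timezone.utc).isoformat(),
        status=status,
        score=round(best_score, 3),
        matched_entry=best_entry,
    )


def screen_all(subject: Subject,
               lists: Dict[str, List[dict]] = SAMPLE_LISTS) -> Dict[str, ScreeningRecord]:
    """One record per list, so every applicable federal and state list is evidenced."""
    return {name: screen_against_list(subject, name, entries) for name, entries in lists.items()}


if __name__ == "__main__":
    for subj in (Subject("Mary", "Smith", aliases=["Mary O'Brien-Smith"]),
                 Subject("Thahn", "Nguyen"),
                 Subject("Jurgen", "Muller")):
        for rec in screen_all(subj).values():
            print(f"{rec.subject:<16} {rec.list_name:<9} {rec.status:<9} {rec.score:<6} {rec.checked_at}")
```

Two design points matter for a reviewer. First, "Mary Smith" on her own does not reach the threshold against the hyphenated LEIE entry, so the maiden/former name collected at onboarding is what produces the match; a screening that only takes the current legal name silently misses it. Second, a PROBABLE status is a work item for a person, not a verdict, and the record keeps the score, the list name and the timestamp so that the decision and the evidence behind it can be shown during an audit.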

Taking internal, manual responsibility for this process is extremely difficult for any healthcare stakeholder, whatever its size. Consider that a mid-size hospital or large physician practice could have hundreds to thousands of providers to screen and a similar number of contractors and vendors. As such, many healthcare organizations may use the services of agencies that specialize in background searches. This can be a costly choice and static in nature, as these agencies only do sanction checks when commissioned by the provider. Thus, there is latency in the process. Utilizing more current sanction checks and exclusion screening technologies is an option for companies that want cost-effective, quick, continuous searches with reliable results.

If you are evaluating utilizing technology to assist in the screening process, here are requirements that you should verify that the healthcare enterprise risk management solution has:

  1. The healthcare enterprise risk management solution sanction checks all databases. There are currently 42 federal and state exclusion and screening databases.
  2. The technology can be distributed to different internal stakeholders to carry out their sanction checks screening processes. As indicated, the responsibility for employees may reside in HR, practitioners in credentialing, and vendors in supply chain/procurement. The system should allow these different stakeholders to carry out the tasks they are assigned.
  3. Data can be centralized and viewed at both a macro and micro level. The compliance department requires an overall insight to all sanctioned or excluded providers and vendors. While different departments may carry out the process, the overall data should be able to be rolled up.
  4. The healthcare technology solution provides the information on the reason for an exclusion or sanction. Ideally, documentation should list the reason for compliance purposes.
  5. The healthcare enterprise risk management solution allows documentation, interaction, and verification internally and externally. There can be areas identified that need to correspond with the provider or vendor to further validate and document for the organization to take action. Assure that the considered solution can do this.
  6. The sanction checks process is continuous; the solution should be regularly checking ALL providers, employees, and vendors continuously. More advanced solutions will do daily sanction checks of all databases and have sophisticated algorithms on the backend to identify daily changes to any of the databases.
  7. The solution provides active alerting and notifications. In a busy environment, ideally an organization is alerted when there is a change or exception in the data. A software assistant can monitor the data and send an alert whenever a new exception or sanction is identified, so that action can be taken.
  8. The healthcare enterprise risk management solution is checking ALL your vendors, employees, and practitioners. Previously with manual processes, this was not viable, and many healthcare stakeholders tried to stratify their providers and vendors by those at highest potential risk. Today with new technologies, all providers and vendors should be checked.
  9. Pricing model: make sure that billing is not based on every sanction check performed. Ideally, the provider should charge a monthly or annual fee that covers all continuous sanction checks.

Enable Healthcare Stakeholders to Comply with Regulations, Protect PHI, and Avoid Penalties

Data breaches, healthcare fraud, and violations are increasingly receiving public notoriety resulting in negative brand exposure to healthcare stakeholders. They are not only facing significant fines, but the negative brand image typically results in declining revenues. The increasing oversight and enforcement by the OIG necessitates that the business associates, third party vendors, contractors, employees, and new hires of a healthcare entity are screened in a timely manner to minimize vulnerabilities that could result in costly fines and public stigma.

With healthcare organizations leveraging the services of hundreds of third-party vendors and business associates, not to mention hundreds of full-time employees, migrating traditional, cumbersome manual processes to a SaaS-based automated approach can save an enormous amount of time and minimize risk faster. Enterprise healthcare risk management monitoring software enables healthcare organizations to conduct OIG screening, sanctions checks, and employee background checks in real time with no need to wait days, weeks, or months, all while reducing risk to the healthcare organization.


Find out how simple ongoing security and compliance monitoring can be with an enterprise risk management solution.

Download the Playbook for Corporate Compliance in Healthcare.


OIG is Protecting PHI by Ramping Up Enforcement Oversight to Ensure Appropriate Risk Management Process

The 2009 enactment of the American Reinvestment and Recovery Act (ARRA) and the accompanying Health Information Technology for Economic and Clinical Health (HITECH) Act created a new and rapid adoption of Electronic Health Records (EHR) for hospitals and physician practices. The HITECH Act authorized roughly $36 billion worth of incentives for demonstrating meaningful use of EHR through healthcare technology. There are a number of requirements that need to be validated as to the required functionality of a certified EHR healthcare technology solution to qualify for the incentive payments. One of these critical components is the validation and assurance that proper enterprise security risk management was performed, including risk and security assessments to protect patient data, conducted and remediated on a regular basis. This further expanded into the new Merit-Based Incentive Payment System (MIPS). This program was revised to reward or penalize outpatient Medicare payment adjustments for meeting certain quality and practice excellence criteria. Along with this, there is also a significant portion to assure that security risk assessments were conducted. As thousands of hospitals and physician practices registered for the incentive payment programs, the Office of the Inspector General (OIG) recognized that it would not be feasible to audit all hospitals and medical practices; instead, OIG allowed organizations to self-report and attest that these risk assessments had been conducted. The OIG was providing an honor system but has consistently indicated that, as the program developed, there would be more resources and services dedicated to enforcement, and warned healthcare organizations that they would be severely penalized for any false reporting, as OIG’s goal is protecting PHI. Coffey Health’s recent $250k slap by the DoJ is a recent example of the increased OIG enforcement based on lack of appropriate enterprise security risk management.
The allegations are that Coffey Health falsely attested to a security risk analysis to meet EHR incentive program requirements. The OIG is following through on its commitment to make sure that providers are carrying out proper practices and will be focusing heavily on incentive payment roll backs and penalties. It is crucial for organizations to assure that a proper risk management process is in place and that risk assessments and remediations are conducted. Healthcare organizations often struggle with this because they perceive it to be resource intensive or time consuming, or they do not have the expertise. However, these are not valid excuses in the eyes of the OIG and Department of Justice. These requirements can be addressed by utilizing simple, easy to set up, and robust risk and security healthcare technology solutions that can conduct the risk assessments and provide proof to oversight bodies that they have not only been conducted, but also acted upon, to remediate risk. Find out how simple ongoing security and compliance monitoring can be. Download the Playbook for Corporate Compliance in Healthcare.



Importance of Compliance in the Healthcare Industry

Civil and criminal liability for healthcare organizations and their representatives is a continuing and growing threat. While organized healthcare fraud, particularly in Medicare, is a well-known problem, legitimate healthcare organizations increasingly face criminal and civil exposure due to various factors, including increased enforcement of complex federal regulations and improper actions by companies whose representatives are tempted to cut corners due to shrinking margins and increased competition in the industry.

Of course, a healthcare organization’s exposure to criminal, civil, and administrative penalties can never be eliminated entirely. It can be substantially reduced through the development and implementation of a compliance program. Such programs have become a requirement of prudent corporate healthcare management because the institution and operation of an effective program can prevent violations of the law in the first instance. In addition, if the program’s preventative function somehow fails, it can reduce the penalties imposed in a criminal, administrative, or civil proceeding. In short, compliance programs are an honest corporation’s best hope to prevent violations and to limit exposure if a problem has occurred.

The existence of a well-implemented healthcare compliance program is an essential component of lenity in the sentencing of organizations under the United States Sentencing Guidelines. Further, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) has announced that it will consider the existence of an effective compliance program that predates any governmental investigation when addressing the appropriateness of administrative penalties.

Proactive Compliance: What are the Compliance Requirements in the Healthcare Industry

Healthcare is one of the most regulated industries in the United States, making healthcare compliance a crucial and growing field within the industry. Here’s an overview of some of the major laws, acts, and regulations that healthcare organizations need to stay in compliance with and that compliance professionals need to know. In addition, it is crucial to stay on top of these and new regulations and to strive for proactive compliance as the government will inevitably amend and add to the healthcare compliance requirements.

Healthcare Regulations that Safeguard Privacy and Ensure Quality Care

The U.S. Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) is the governmental wing responsible for protecting patient privacy, ensuring quality care, and combating fraud by ensuring healthcare organizations are compliant with federal healthcare laws and HHS programs.

The Healthcare Information Portability and Accountability Act (HIPAA), passed in 1996 and implemented in 2003, spurred the need for healthcare compliance across the industry. Among other things, HIPAA mandates industry-wide standards and processes for the protection and confidential handling of patient health information.

The Health Information Technology for Economic and Clinical Health Act (HITECH) promotes standardized electronic health records (EHR). The act was implemented in 2009 to address patient data privacy and security concerns, EHR files, and how they’re shared. HITECH strengthens the enforcement of HIPAA’s protected patient information rules, requiring the Department of Health and Human Services Office for Civil Rights to conduct periodic provider audits and stiffening penalties for breaches of information, meaning a provider or facility found noncompliant can face a fine of up to $1.5 million.

The Emergency Medical Treatment and Labor Act (EMTALA) ensures public access to emergency services regardless of a patient’s insurance coverage or ability to pay. EMTALA continues to be a “high-risk area” as identified by the OIG, primarily due to conflicting legal interpretations of what constitutes a “medical screening” and “stabilization”.

The Affordable Care Act (ACA) brought mandatory, subsidized healthcare to the U.S. The law requires that healthcare providers implement a compliance and ethics program as a condition for reimbursement for patients enrolled in federally funded healthcare programs. The goal is to keep costs down and improve patient outcomes, incentivizing healthcare providers with a “pay-for-value” model rather than the traditional “pay-for-service”.

The Centers for Medicare and Medicaid Services (CMS) within the HHS is responsible for the administration of Medicare, Medicaid and the Children’s Health Insurance Program (CHIP). CMS oversight also includes the Electronic Health Record (EHR) Incentive Programs, which set incentives and criteria for meeting the standards set by HITECH for the implementation of electronic health records, and the 2015 Medicare Access and CHIP Reauthorization Act (MACRA), which includes the Quality Payment Program and its Merit-Based Incentive Payment System (MIPS), reimbursing physicians and healthcare organizations based on quality of care and patient outcomes.

Fighting Healthcare Fraud and Abuse

As of 2017, U.S. healthcare spending reached $3.5 trillion with roughly 3% to 10% lost to fraud. A number of laws, statutes and even entire units exist to combat fraud and waste. For physicians and compliance professionals, understanding these laws is crucial, as violations can result in criminal charges, fines and, for physicians, possibly the loss of their medical license.

Medicaid Fraud Control Units (MFCU) investigate and prosecute Medicaid provider fraud (which falls under the False Claims Act), as well as patient abuse or neglect in healthcare facilities. According to the United States Department of Justice, of the $3.5 billion recovered from False Claims Act cases in 2015, $1.9 billion came from healthcare organizations.

The federal Anti-Kickback Statute prohibits healthcare professionals from accepting any kind of “kickback” (i.e. money, contracts, products) as a reward for referrals or provider recommendations to patients on federally covered medical programs, such as Medicare and Medicaid. The statute covers the payers of kickbacks as well as the recipients of kickbacks, with physicians who pay or accept kickbacks facing penalties of up to $50,000 per kickback.

The Physician Self-Referral Law prohibits physicians from referring patients covered by Medicare or Medicaid to treatment or service entities that the physician has a financial relationship with or stands to profit from.

Staying on Top of Healthcare Regulations

In a fluid regulatory landscape, healthcare compliance will only grow more complex, and the need for comprehensive tool kits and qualified professionals to lead organizations through the regulatory minefield will grow more intense.


Maintaining Continuous Healthcare Compliance

Every healthcare compliance requirement stated above has a corresponding audit protocol. For example, the HIPAA Audit Protocol reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

The audit protocol is organized by rule and regulatory provision and addresses separately the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review.

The audits target the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards.

All relevant policies, procedures, and documentation of evidence have to be associated with the relevant compliance requirement and current as of the period of audit, for objective verification.

The audits cover:

  • all workforce members, including entity employees, on-site contractors, students, and volunteers
  • information systems, including hardware, software, information, data, applications, communications, and

Consequences of Non-Compliance

A sample of cases highlights the need for both covered entities and business associates to take the risk seriously:

  • Oregon Health & Science University agreed to a $2.7 million settlement in a case that addressed several breaches. OHSU stored over 3,000 individuals’ ePHI in Google Drive and Google Mail without any business associate agreement in place with Google.
  • Raleigh Orthopaedic Clinic paid a $750,000 settlement for charges regarding their failure to have a Business Associate Agreement in place with a firm that promised to transfer x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh provided more than 17,000 records to the unnamed firm, who failed to return the materials.
  • North Memorial Hospital agreed to pay $1.55 million as part of settling charges stemming from an incident in 2011 when a laptop with unencrypted PHI on 9,497 patients was stolen from an employee’s car.
  • Catholic Health Care Services, a business associate, paid a $650,000 settlement after the theft of an employee’s cell phone that contained unprotected PHI for 412 patients.
  • Children’s Medical Center of Dallas paid a civil penalty of $3.2 million for the impermissible disclosure of unsecured PHI, including the loss of an unencrypted, non-password protected Blackberry device that contained the PHI of 3,800 individuals and the theft of an unencrypted laptop with 2,462 individuals’ PHI. Additional non-compliance with HIPAA regulations was also discovered, such as a failure to implement risk management plans and lack of adequate security precautions.
  • Advocate Health Care Network agreed to pay $5.55 million to settle charges stemming from multiple breaches, one of which involved a hacking incident at its business associate, Blackhawk Consulting Group. Advocate did not have a satisfactory BAA in place with Blackhawk at the time.
  • On March 8, 2019, Sweet Town, LLC d/b/a Cleveland Manor Nursing and Rehabilitation (Cleveland Manor), Cleveland, Oklahoma, entered into a $171,047 settlement agreement with OIG. The settlement agreement resolves allegations that Cleveland Manor employed an individual who was excluded from participating in any Federal healthcare program. OIG’s investigation revealed that the excluded individual, an office manager, provided items or services to Cleveland Manor’s patients that were billed to Federal healthcare programs.

The settlement costs are only part of the total cost of a breach to the organization, which includes lawyer fees, investigation and notification resources, and other costs. It’s estimated that every compromised record in a data breach costs $407 for healthcare entities, compared to $221 across all industries.

Healthcare Technology for Continuous Compliance

In today’s healthcare compliance environment, it is critical to implement solutions that focus on proactive compliance. While there are many technology solutions available in the market, maintaining a state of continuous compliance remains a challenge because of the siloed approach to addressing issues relating to Governance, Risk and Compliance (GRC), Vulnerability Analysis and Penetration Testing (VAPT), third party risk assessments, dark web threats, data leak prevention, etc., which results in a highly fragmented approach at a high cost.

SureShield simplifies all of these processes through automation and interlinking of security, risk, privacy, and regulatory/standard controls and processes for end-to-end automation of Risk, Security, and Compliance (RSC). This is unique and significant as it simplifies security, risk, and compliance across multiple regulations and standards.

To find out more about how SureShield’s IT Risk & Compliance Software can help your organization meet today’s ever-changing compliance requirements, download the Playbook for Corporate Compliance in Healthcare.