
HHS OIG Exclusions: The Federal Healthcare Fraud Blacklist That Every Provider Must Screen Against

· AI Analytics

The HHS Office of Inspector General maintains the List of Excluded Individuals/Entities — the LEIE — a federal blacklist covering every provider, supplier, and entity barred from participating in Medicare, Medicaid, and all other federal healthcare programs. As of mid-2026, it contains more than 76,000 active exclusion records. Under 42 U.S.C. § 1320a-7b, a healthcare organization that submits a claim for services rendered by an excluded individual faces a civil monetary penalty of $10,000 per service plus full repayment of any federal funds received — regardless of whether the organization knew about the exclusion. That strict-liability structure makes automated LEIE screening not a best practice but a legal necessity.

The statutory framework: 42 U.S.C. § 1320a-7

The exclusion authority lives at 42 U.S.C. § 1320a-7, added by the Medicare and Medicaid Patient and Program Protection Act of 1987 and substantially amended by the Balanced Budget Act of 1997. The statute splits exclusions into two categories: mandatory and permissive. Both produce the same practical result — the excluded party is barred from any participation in federal healthcare programs — but the grounds and minimum durations differ significantly.

The civil monetary penalty authority under 42 U.S.C. § 1320a-7a is separate from the exclusion authority itself. It is enforced by the OIG and applies to any person that “knowingly presents or causes to be presented to an officer, employee, or agent of the United States” a claim for services rendered by an excluded individual. The word “knowingly” in the penalty statute has been interpreted to include constructive knowledge — the organization should have known because the information was publicly available in the LEIE and the organization failed to check. Courts and OIG have consistently held that ignorance of the exclusion is not a defense once the LEIE is populated.

Mandatory exclusions: automatic, no discretion

Section 1320a-7(a) lists four grounds for mandatory exclusion. When any of these apply, the OIG has no discretion: exclusion is automatic and must last a minimum of five years.

  • Conviction of program-related crimes. Any felony or misdemeanor conviction under federal or state law relating to the delivery of, or payment for, items or services under Medicare, Medicaid, or any state health program. This includes billing fraud, kickbacks, and false statements in connection with healthcare programs.
  • Patient abuse or neglect. Conviction of a criminal offense relating to neglect or abuse of patients in connection with the delivery of healthcare items or services. This ground applies regardless of the program involved — a conviction for patient abuse at a private-pay facility still triggers exclusion from federal programs.
  • Felony drug convictions. Conviction under federal or state law of a felony relating to the manufacture, distribution, prescription, or dispensing of a controlled substance. This ground is not limited to healthcare professionals — a janitor at a hospital convicted of felony drug distribution is subject to mandatory exclusion.
  • Felony healthcare fraud. Conviction under federal or state law of a felony relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct in connection with the delivery of healthcare items or services, or involving any act or omission in a healthcare program. The minimum exclusion for a second mandatory exclusion is ten years; for a third or subsequent conviction, exclusion is permanent.

The OIG may extend a mandatory exclusion beyond the five-year minimum based on aggravating factors: the severity of the offense, the amount of financial harm, prior criminal history, and whether the individual held a position of trust. Mitigating factors can reduce the period below the five-year floor only in limited circumstances.

Permissive exclusions: OIG discretion

Section 1320a-7(b) enumerates the grounds for permissive exclusion — situations where the OIG may exclude but is not required to. Permissive exclusions carry no statutory minimum period, though in practice the OIG follows internal guidelines that set baseline durations for each ground. Common permissive grounds include:

  • Misdemeanor healthcare fraud. Conviction of a misdemeanor relating to healthcare fraud, or a misdemeanor drug offense. Unlike the mandatory felony grounds, the OIG weighs the facts before excluding and may decline to exclude for minor offenses.
  • License revocation or suspension. Loss of a healthcare professional license in any state for reasons related to professional competence, professional performance, or financial integrity. This ground means a physician whose license is revoked in one state can be excluded from federal programs even if they hold a valid license in another state.
  • Exclusion or suspension from state programs. If a state Medicaid program suspends or excludes a provider, the OIG may mirror that exclusion at the federal level.
  • Failure to provide access for audits. An entity that denies the OIG, HHS, or the Comptroller General access to its facilities, records, or employees for audit or investigation purposes.
  • Controlled substance violations and default on federal obligations. The permissive list also covers DEA revocation, default on health education loans guaranteed by the federal government, and providing false or misleading information in the application for enrollment in Medicare or Medicaid.
  • Ownership or control by an excluded individual. An entity owned or controlled by an excluded person — or by someone convicted of a mandatory exclusion offense — may itself be excluded. This prevents excluded individuals from continuing to participate in federal programs by routing services through a corporate shell.

What the LEIE contains

The LEIE is structured as a flat file with one record per exclusion action. Each record includes:

  • LASTNAME / FIRSTNAME / MIDNAME. For individuals, the legal name at time of exclusion. The OIG does not update name fields for name changes after exclusion, which is one reason fuzzy matching is necessary for reliable screening.
  • BUSNAME. For entities (corporations, partnerships, LLCs), the legal business name. Individual fields (LASTNAME, etc.) are blank when BUSNAME is populated.
  • NPI. National Provider Identifier, when the excluded party held one. Not all excluded individuals are licensed providers with NPIs — a billing manager or medical equipment supplier may be excluded without ever having held an NPI. Where present, the NPI is the most reliable matching key.
  • UPIN. Unique Physician Identification Number, the predecessor to the NPI. Now largely obsolete but still populated for historical exclusions.
  • EIN. Employer Identification Number for entities.
  • EXCLTYPE. The exclusion type code. The OIG publishes a reference table mapping codes (e.g., 1128a1, 1128b4) to the statutory ground. This is one of the most useful fields for compliance analysis — it distinguishes program fraud exclusions from license-revocation exclusions, which carry different compliance implications.
  • EXCLDATE. The effective date of the exclusion. Claims for services rendered on or after this date by the excluded party are subject to civil monetary penalties.
  • REINDATE. The reinstatement date, populated if the exclusion has been lifted. The OIG does not remove reinstated individuals from the LEIE — they remain in the file with a populated REINDATE. Screening code must filter out reinstated records or flag them as historical rather than active.
  • WAIVERDATE and WVRSTATE. Date and state of an exclusion waiver, where the HHS Secretary has issued a waiver for a specific state program. Waivers are rare and do not apply to Medicare; they typically cover circumstances where the excluded individual is the sole provider of essential services in a rural area.
  • ADDRESS / CITY / STATE / ZIP / COUNTRY. Address at time of exclusion. Not reliably maintained; useful for disambiguation when names match but geographic context differs.

Accessing the LEIE: monthly downloads and the supplemental update file

The OIG publishes two types of downloads at https://exclusions.oig.hhs.gov:

The full LEIE file is a complete snapshot of all active and reinstated exclusion records. It is available as both CSV and DBF (dBase format). The CSV is the practical choice for modern tooling. The file is updated monthly and typically published in the first week of each month. The current file is always named UPDATED.csv at the canonical URL, making it straightforward to automate monthly downloads without parsing an index page.

The supplemental update file contains only the changes since the previous month's full file: new exclusions (additions) and reinstatements. It covers a rolling 12-month window of monthly supplements. The supplement is useful for incremental database updates — instead of reprocessing 76,000 records every month, compliance systems can apply the 200–600 monthly delta records against their existing copy. The supplement file is also CSV and follows the same field structure as the full file, with a TYPE field indicating whether each record is an addition (ADD) or a reinstatement (REINSTATE).
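The incremental update described above, as an added example (not OIG code and not part of the original article): it applies a supplement's ADD and REINSTATE rows to a local copy and answers whether an exclusion was in effect on a given service date. The sample rows are constructed; the composite record key, the YYYYMMDD date format, and treating REINDATE as the first non-excluded day are assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (not real LEIE records). Column names follow the
# field list above; YYYYMMDD dates and all-zero "empty" values are assumptions.
FULL_CSV = """LASTNAME,FIRSTNAME,BUSNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE
DOE,ALEX,,1111111111,1128a1,20190620,00000000
ROE,SAM,,0000000000,1128b4,20150312,20210105
"""
SUPPLEMENT_CSV = """TYPE,LASTNAME,FIRSTNAME,BUSNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE
ADD,,,EXAMPLE HOME CARE LLC,0000000000,1128a1,20260420,00000000
REINSTATE,DOE,ALEX,,1111111111,1128a1,20190620,20260415
"""

# Hypothetical composite key: the file has no single record identifier.
KEY_FIELDS = ("LASTNAME", "FIRSTNAME", "BUSNAME", "NPI", "EXCLTYPE", "EXCLDATE")


def parse_date(raw):
    """Return a date, or None for blank / all-zero values."""
    raw = (raw or "").strip()
    if not raw or set(raw) == {"0"}:
        return None
    return datetime.strptime(raw, "%Y%m%d").date()


def record_key(row):
    return tuple((row.get(f) or "").strip().upper() for f in KEY_FIELDS)


def load(csv_text):
    return {record_key(r): r for r in csv.DictReader(io.StringIO(csv_text))}


def apply_supplement(store, supplement_text):
    """Apply ADD / REINSTATE rows in place; return rows that could not be applied."""
    unmatched = []
    for row in csv.DictReader(io.StringIO(supplement_text)):
        action = (row.pop("TYPE", "") or "").strip().upper()
        key = record_key(row)
        if action == "ADD":
            store[key] = row
        elif action == "REINSTATE" and key in store:
            # Keep the record, as the LEIE does, and mark it historical.
            store[key]["REINDATE"] = row["REINDATE"]
        else:
            unmatched.append((action, key))  # never drop a delta silently
    return unmatched


def excluded_on(row, service_date):
    """True if the exclusion was in effect on service_date."""
    start = parse_date(row.get("EXCLDATE"))
    end = parse_date(row.get("REINDATE"))
    if start is None or service_date < start:
        return False
    return end is None or service_date < end  # assumption: REINDATE itself is clear


def active_names(store, on):
    return sorted(
        (r["BUSNAME"] or f'{r["LASTNAME"]} {r["FIRSTNAME"]}').strip()
        for r in store.values() if excluded_on(r, on)
    )


store = load(FULL_CSV)
unmatched = apply_supplement(store, SUPPLEMENT_CSV)
print(active_names(store, date(2026, 5, 1)), unmatched)
```

Rows returned in `unmatched` mean the local copy has drifted from the published file; reloading the full monthly file is the safe recovery.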

The OIG also provides an online search interface and a LEIE API at https://exclusions.oig.hhs.gov/api/1.0. The API supports name-based searches and returns JSON with the same fields as the CSV. For one-off lookups the API is convenient; for batch screening of a large roster the CSV download is faster and avoids rate-limit issues.

SAM.gov and the EPLS comparison

Healthcare compliance teams frequently ask whether screening the OIG LEIE is sufficient or whether they also need to screen SAM.gov. The answer is both, and for different reasons.

The System for Award Management at SAM.gov maintains the Excluded Parties List System (EPLS), now integrated into SAM.gov's entity exclusions module. The SAM exclusions database covers entities and individuals debarred or suspended from federal procurement contracts, grants, and financial assistance programs government-wide. Its scope is explicitly cross-agency: a suspension from the Department of Defense shows up in SAM, as does an EPA debarment.

The OIG LEIE, by contrast, is healthcare-specific. It covers participation in Medicare, Medicaid, CHIP, and other HHS-administered healthcare programs. An individual excluded from the LEIE is barred from every federal healthcare program; the SAM exclusion may or may not separately apply to government contracting.

The two lists do not duplicate each other reliably. Some exclusions appear in both (a healthcare company debarred by HHS and suspended from government contracting may appear in both databases), but many appear in only one. A physician excluded from Medicare for fraud will be in the LEIE but may not be in SAM. A defense contractor debarred for bid-rigging will be in SAM but not in the LEIE. Healthcare organizations that also participate in federal grants or contracts — hospitals, research institutions, community health centers — need to screen both.

Python: downloading the LEIE, fuzzy-matching against a provider roster

The script below downloads the full LEIE CSV, builds a normalized lookup, and screens a provider roster through three passes: exact NPI match, exact normalized name match, and fuzzy name match using token-sort ratio to handle name variations. The rapidfuzz library is a fast C-extension implementation of Levenshtein and Jaro-Winkler distance functions; install with pip install requests rapidfuzz.

import csv
import io
import requests
from rapidfuzz import fuzz, process

# -------------------------------------------------------
# Step 1: Download the full LEIE exclusions file
# -------------------------------------------------------
LEIE_URL = "https://oig.hhs.gov/exclusions/downloadables/UPDATED.csv"

resp = requests.get(LEIE_URL, timeout=60)
resp.raise_for_status()

# The file is encoded in ISO-8859-1 (Latin-1), not UTF-8
reader = csv.DictReader(io.StringIO(resp.content.decode("latin-1")))
leie_rows = list(reader)

print(f"LEIE records loaded: {len(leie_rows)}")
# Typical output: LEIE records loaded: 76412

# -------------------------------------------------------
# Step 2: Build a normalized name lookup from LEIE
# -------------------------------------------------------
def normalize_name(raw: str) -> str:
    """Strip punctuation, collapse whitespace, uppercase."""
    import re
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", " ", raw.upper())).strip()

def blank_if_zero(value: str) -> str:
    """Treat blank and all-zero placeholder values (e.g. 00000000) as empty."""
    value = (value or "").strip()
    return "" if set(value) <= {"0"} else value

leie_entries = []
for row in leie_rows:
    # LEIE individuals have LASTNAME / FIRSTNAME / MIDNAME fields.
    # Entities have BUSNAME; individual fields are blank.
    if row.get("BUSNAME", "").strip():
        display = row["BUSNAME"].strip()
    else:
        parts = [row.get("LASTNAME", ""), row.get("FIRSTNAME", ""), row.get("MIDNAME", "")]
        display = " ".join(p.strip() for p in parts if p.strip())
    key = normalize_name(display)
    leie_entries.append({
        "display": display,
        "key": key,
        # Defensive: an all-zero NPI is treated as "no NPI", not as an identifier
        "npi": blank_if_zero(row.get("NPI", "")),
        "excl_type": row.get("EXCLTYPE", "").strip(),
        "excl_date": row.get("EXCLDATE", "").strip(),
        # Blank or zero REINDATE means the exclusion is still active
        "reinstate_date": blank_if_zero(row.get("REINDATE", "")),
        "waiver_date": blank_if_zero(row.get("WAIVERDATE", "")),
        "state": row.get("STATE", "").strip(),
        "row": row,
    })

# Index by NPI for fast exact lookup (records without an NPI are skipped)
npi_index = {e["npi"]: e for e in leie_entries if e["npi"]}
# Flat list of normalized names for fuzzy matching
leie_keys = [e["key"] for e in leie_entries]

# -------------------------------------------------------
# Step 3: Define the provider roster to screen
# -------------------------------------------------------
# Replace with your actual employee/contractor list.
# Each record should have at least name and NPI (if known).
provider_roster = [
    {"name": "Jane Smith, MD", "npi": "1234567890"},
    {"name": "Acme Home Health LLC", "npi": ""},
    {"name": "Robert Johnson", "npi": ""},
]

# -------------------------------------------------------
# Step 4: Screen each roster entry
# -------------------------------------------------------
FUZZY_THRESHOLD = 90  # token_sort_ratio score 0-100; 90+ is a near-match

flags = []
for provider in provider_roster:
    hits = []

    # Pass 1: exact NPI match (definitive; NPI is a unique identifier)
    if provider["npi"] and provider["npi"] in npi_index:
        entry = npi_index[provider["npi"]]
        hits.append({"method": "npi_exact", "score": 100, "leie_entry": entry})

    # Pass 2: exact normalized name match
    norm = normalize_name(provider["name"])
    exact_idx = next((i for i, k in enumerate(leie_keys) if k == norm), None)
    if exact_idx is not None:
        hits.append({"method": "name_exact", "score": 100, "leie_entry": leie_entries[exact_idx]})

    # Pass 3: fuzzy name match (catches slight name variations)
    if not hits:
        fuzzy_results = process.extract(
            norm,
            leie_keys,
            scorer=fuzz.token_sort_ratio,
            limit=3,
            score_cutoff=FUZZY_THRESHOLD,
        )
        for match_key, score, idx in fuzzy_results:
            hits.append({"method": "fuzzy", "score": score, "leie_entry": leie_entries[idx]})

    if hits:
        flags.append({"provider": provider, "hits": hits})
        for h in hits:
            e = h["leie_entry"]
            print(
                f"FLAG [{h['method']} score={h['score']}] "
                f"Roster: {provider['name']} | "
                f"LEIE: {e['display']} | "
                f"Excl type: {e['excl_type']} | "
                f"Date: {e['excl_date']} | "
                f"Reinstated: {e['reinstate_date'] or 'No'}"
            )

print(f"\nScreening complete. {len(flags)} roster entries flagged for review.")

Several implementation details matter for production use. First, the LEIE CSV is encoded in ISO-8859-1 (Latin-1), not UTF-8; attempting to decode it as UTF-8 will fail on accented characters in provider names. Second, the REINDATE field must be checked: the LEIE retains reinstated individuals in the file, and a naive match against the full file will falsely flag people whose exclusions have been lifted. Active exclusions have a blank or zero REINDATE. Third, names in the LEIE frequently differ from operational records — a physician enrolled in Medicare as “Robert J. Johnson, MD” may appear in the LEIE as “Johnson Robert James” (last-name-first, no suffix). The token-sort ratio scorer handles reordering; a threshold of 90 catches most name-order variations while limiting false positives.

For very large rosters (tens of thousands of employees and contractors), consider building a TF-IDF index over the normalized LEIE names and using cosine similarity for a first-pass candidate retrieval before applying the more expensive fuzzy scoring to the top candidates. The pattern is identical to the three-pass design used in the compliance screening risk score system.
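A sketch of that two-stage retrieval, added here as an example and not taken from the original script: a TF-IDF index over per-token character trigrams (an assumed feature choice) shortlists candidates by cosine similarity, and only the shortlist gets the expensive comparison. It uses the standard library only, with difflib standing in for rapidfuzz's token-sort ratio; the names are constructed.

```python
import math
import re
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed stand-ins for normalized LEIE names (not real records).
LEIE_NAMES = ["JOHNSON ROBERT JAMES", "JOHNSTON ROBERTA", "SMITH JANE",
              "ACME HOME HEALTH LLC", "ACME HOME HEALTHCARE INC", "DOE ALEX"]


def normalize(raw):
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", " ", raw.upper())).strip()


def trigrams(name):
    """Character trigrams taken per token, so word order does not matter."""
    grams = []
    for token in name.split():
        padded = f" {token} "
        grams.extend(padded[i:i + 3] for i in range(len(padded) - 2))
    return grams


class TfidfNameIndex:
    def __init__(self, names):
        self.names = names
        docs = [Counter(trigrams(n)) for n in names]
        df = Counter(g for d in docs for g in d)
        self.idf = {g: math.log((1 + len(names)) / (1 + c)) + 1.0 for g, c in df.items()}
        self.postings = defaultdict(list)  # trigram -> [(name index, unit weight)]
        for i, d in enumerate(docs):
            for g, w in self._unit({g: tf * self.idf[g] for g, tf in d.items()}).items():
                self.postings[g].append((i, w))

    @staticmethod
    def _unit(vec):
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        return {g: w / norm for g, w in vec.items()}

    def candidates(self, query, k=5):
        """Top-k (index, score) pairs. Trigrams unseen in the index are dropped,
        which rescales every score equally and leaves the ranking unchanged."""
        counts = Counter(trigrams(query))
        q = self._unit({g: tf * self.idf[g] for g, tf in counts.items() if g in self.idf})
        scores = defaultdict(float)
        for g, qw in q.items():
            for i, dw in self.postings[g]:  # only names sharing a trigram are touched
                scores[i] += qw * dw
        return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


def token_sort_score(a, b):
    """Stdlib stand-in for a token-sort ratio, 0-100."""
    sa, sb = " ".join(sorted(a.split())), " ".join(sorted(b.split()))
    return 100.0 * SequenceMatcher(None, sa, sb).ratio()


def screen(index, roster_name, k=5, threshold=90):
    """Stage 1: TF-IDF shortlist. Stage 2: fuzzy-score only the shortlist."""
    q = normalize(roster_name)
    scored = [(index.names[i], round(token_sort_score(q, index.names[i]), 1))
              for i, _ in index.candidates(q, k)]
    return [(name, score) for name, score in scored if score >= threshold]


INDEX = TfidfNameIndex(LEIE_NAMES)
print(screen(INDEX, "Robert James Johnson"))
```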

Exclusion type codes and compliance risk triage

Not all exclusions carry the same compliance implication. The EXCLTYPE code maps to the specific statutory subsection and, by extension, to the underlying conduct. A compliance program that ingests the LEIE should preserve and surface the exclusion type, because it governs how the organization should respond to a hit.

An individual excluded under 1128(a)(1) — program-related conviction, mandatory five-year minimum — represents an active criminal finding. The organization must terminate the individual's ability to provide, order, or supervise items or services billed to federal programs, and must document that action in its compliance records. An individual excluded under 1128(b)(4) — license revocation — requires verification that the individual holds a valid license in another state before making employment decisions, and may require state-level licensing board cross-referencing beyond the LEIE itself.

The OIG publishes a reference table of all EXCLTYPE codes with statutory citations and plain-language descriptions at its exclusions web page. Compliance programs should map these codes to internal severity tiers and escalation protocols rather than treating all LEIE hits identically.

LEIE screening as a mandatory compliance program element

The OIG's model compliance guidance for various healthcare industry segments — hospitals, physician practices, clinical labs, home health agencies — consistently identifies LEIE screening as a required element of an effective healthcare compliance program. The guidance sets specific expectations:

  • Pre-employment screening. Screen every prospective employee, contractor, physician, and vendor before any federal-program-related services are rendered or billed. Do not wait for onboarding to complete.
  • Monthly ongoing screening. Screen the entire employee and contractor roster monthly against the updated LEIE. New exclusions take effect on the OIG's publication date; an employee who was clean at hire may be added to the LEIE after a conviction that postdates onboarding. Monthly screening using the supplemental update file is the minimum standard; the OIG has indicated in advisory opinions that quarterly screening is insufficient.
  • SAM.gov cross-check. For organizations participating in federal grants, contracts, or other non-healthcare federal assistance, extend the same monthly screening to the SAM.gov exclusions database.
  • Documentation and audit trail. Retain records of each screening run: the date, the file version downloaded, the roster screened, and the results. The OIG expects to see these records during audits. A compliance program that claims to screen monthly but cannot produce documentation will be treated as if screening did not occur.
  • Response protocol. Define in advance what happens when a hit is confirmed: immediate suspension from federal-program-related duties, notification to HR and legal, preservation of employment records, voluntary disclosure consideration, and repayment of any claims submitted after the exclusion date. The OIG's Self-Disclosure Protocol provides a formal mechanism for organizations that discover they have billed with excluded individuals and wish to settle the resulting liability before enforcement action.

The civil monetary penalty exposure is not the only financial risk. False Claims Act liability (31 U.S.C. §§ 3729–3733) also attaches when excluded providers bill federal programs, because presenting a claim that implicitly certifies compliance with program requirements — including the exclusion rules — while that certification is false can give rise to FCA treble damages and per-claim penalties. Healthcare organizations discovered to have employed excluded individuals routinely face parallel OIG CMP proceedings and DOJ False Claims Act investigations.

Reinstatement and the path back into programs

An excluded individual or entity may apply for reinstatement after the mandatory minimum period has elapsed. The OIG does not reinstate automatically; the excluded party must submit a written request with supporting documentation demonstrating rehabilitation, compliance with applicable laws, and fitness to participate in federal programs. The OIG reviews the application and issues a written decision; reinstatement is discretionary and can be denied.

When the OIG grants reinstatement, the REINDATE field in the LEIE is populated but the record is not removed from the file. This means a properly built screening system must treat an exclusion record with a populated REINDATE as historical — the individual is no longer excluded — and must not generate an active-exclusion alert. Systems that naively flag every LEIE match without checking REINDATE will generate significant false positives for reinstated providers.

Reinstatement also does not wipe the exclusion history. Healthcare organizations considering whether to hire or contract with a reinstated individual may use the EXCLTYPE code and the duration of the exclusion as factors in their own employment decisions, separate from the federal program participation question.

