Skip to content
Keelstar

Guide

How to Build an OIG Screening Policy

By Keelstar Team · Updated July 11, 2026

The short answer

An OIG screening policy defines who you screen, which lists you check, how often you re-screen, what you document, and how you handle matches — in writing, approved by compliance leadership. Scope should cover employees, contractors, vendors, subcontractors, and medical staff performing services connected to federal healthcare programs. Specify LEIE plus applicable state Medicaid lists. Assign risk-based re-screening frequencies: monthly or quarterly for high-risk roles, less frequent for lower tiers with documented rationale. Require dated search records with list version, names searched, result, and reviewer. Define match investigation steps, hold procedures, and escalation to legal. Name policy owners and backup owners. Review the policy annually and after audit findings. A written policy without enforcement is insufficient — tie it to onboarding gates, payment holds, and automated monitoring.

Policy purpose and regulatory context

Open with why exclusion screening exists: federal law prohibits payment for services by excluded parties. Reference Social Security Act sections 1128 and 1156 and CMP exposure for violations.

Define screening scope

List every population in scope: employees, contractors, locums, vendors, subcontractors, medical staff, and downstream entities.

  • W-2 employees in billable roles
  • 1099 contractors and consultants
  • Vendors and suppliers
  • Subcontractors and agency placements
  • Medical staff and credentialed providers

Lists and search methodology

Specify OIG LEIE as primary federal list plus state Medicaid lists by operating state. Require legal name search with aliases. Reference LEIE download date in every record.

Frequency by risk tier

Document tier definitions and re-screen schedules. High-risk: monthly or quarterly. Medium: quarterly or semi-annual. Low: annual with risk assessment. Ad hoc triggers on name or ownership changes.

Match investigation and escalation

Define hold procedures, identifier comparison steps, false positive documentation, confirmed match escalation to legal, and re-engagement rules after reinstatement verification.

Governance, training, and audit

Name policy owner and backup. Require staff training. Schedule internal audits of screening completeness. Review policy effectiveness after CMS or payer audit findings.

Frequently asked questions

What must an OIG screening policy include?
Scope of parties screened, lists checked, frequency by risk tier, documentation requirements, match investigation procedures, responsible owners, and enforcement consequences.
Does CMS require a written exclusion policy?
CMS and payer auditors expect documented screening programs. A written policy demonstrates intentional compliance design — not ad hoc checking.
How often should the policy be updated?
Review annually and after significant audit findings, organizational changes, or payer contract updates affecting screening requirements.
Who should approve the OIG screening policy?
Compliance leadership with input from legal, HR, and vendor management. Board or committee review may be required for some provider types.

Related guides

Put this into a monitored workflow

Exclusion Monitor handles this continuously — with reminders and an audit trail.