Guide
How to Screen IT Vendors with PHI Access for OIG
By Keelstar Team · Updated July 11, 2026
The short answer
IT vendors whose personnel access PHI, EHR systems, or claims platforms perform services connected to federal healthcare program operations — they belong in your OIG LEIE screening program. Screen the vendor entity, DBAs, and individual technicians or consultants with production system access when your policy requires principal screening. Excluded individuals performing billing support, coding, or system administration create the same CMP exposure as clinical exclusions. Document LEIE searches at onboarding before provisioning credentials and re-screen on your recurring schedule. Include IT subcontractors in flow-down screening requirements — cloud hosts, managed service providers, and offshore support teams are not exempt because work is technical rather than clinical. Combine OIG screening with BAA execution and access provisioning gates.
Why IT vendors are in OIG scope
Federal rules bar payment for services furnished by excluded individuals — including billing support, coding assistance, and claims system work. IT contractors with PHI access can affect program integrity even without patient contact.
Define PHI and claims access tiers
Classify IT vendors by access level. Production PHI and claims system access warrants highest-tier screening frequency.
- Production EHR and billing system access
- Revenue cycle and coding support contractors
- Cloud infrastructure with PHI storage
- Help desk with PHI ticket visibility
- Implementation consultants with admin credentials
Screen before credential provisioning
Make LEIE clearance a prerequisite for account creation — alongside BAA signature and security training. Do not grant VPN or admin access pending screening.
Offshore and subcontractor IT screening
Require prime IT vendors to screen subcontractors with PHI access and provide evidence on request. Verify high-risk offshore personnel independently when contractually permitted.
Re-screen on personnel changes
New consultants joining an existing IT engagement trigger immediate screening. Include named personnel in recurring re-screen roster when they retain active access.
Combine with HIPAA and BAA controls
OIG screening complements — not replaces — BAA and security requirements. Document both before vendor IT relationships become operational.
Frequently asked questions
- Do IT vendors without patient contact need OIG screening?
- If they access PHI or claims systems connected to Medicare or Medicaid billing, yes. Remote access does not reduce exclusion screening obligations.
- Should we screen individual developers with EHR access?
- Screen personnel with production PHI or claims access per your policy — especially contractors and offshore support staff.
- Do SaaS vendors need LEIE screening?
- Screen vendors whose employees perform implementation, support, or maintenance touching your PHI or claims data. Pure licensing without service access may be lower tier — document your assessment.
- When should IT vendor screening happen?
- Before credential provisioning and system access — not after go-live.
Related guides
Put this into a monitored workflow
Exclusion Monitor handles this continuously — with reminders and an audit trail.