Skip to content
Keelstar

Guide

How to Screen IT Vendors with PHI Access for OIG

By Keelstar Team · Updated July 11, 2026

The short answer

IT vendors whose personnel access PHI, EHR systems, or claims platforms perform services connected to federal healthcare program operations — they belong in your OIG LEIE screening program. Screen the vendor entity, DBAs, and individual technicians or consultants with production system access when your policy requires principal screening. Excluded individuals performing billing support, coding, or system administration create the same CMP exposure as clinical exclusions. Document LEIE searches at onboarding before provisioning credentials and re-screen on your recurring schedule. Include IT subcontractors in flow-down screening requirements — cloud hosts, managed service providers, and offshore support teams are not exempt because work is technical rather than clinical. Combine OIG screening with BAA execution and access provisioning gates.

Why IT vendors are in OIG scope

Federal rules bar payment for services furnished by excluded individuals — including billing support, coding assistance, and claims system work. IT contractors with PHI access can affect program integrity even without patient contact.

Define PHI and claims access tiers

Classify IT vendors by access level. Production PHI and claims system access warrants highest-tier screening frequency.

  • Production EHR and billing system access
  • Revenue cycle and coding support contractors
  • Cloud infrastructure with PHI storage
  • Help desk with PHI ticket visibility
  • Implementation consultants with admin credentials

Screen before credential provisioning

Make LEIE clearance a prerequisite for account creation — alongside BAA signature and security training. Do not grant VPN or admin access pending screening.

Offshore and subcontractor IT screening

Require prime IT vendors to screen subcontractors with PHI access and provide evidence on request. Verify high-risk offshore personnel independently when contractually permitted.

Re-screen on personnel changes

New consultants joining an existing IT engagement trigger immediate screening. Include named personnel in recurring re-screen roster when they retain active access.

Combine with HIPAA and BAA controls

OIG screening complements — not replaces — BAA and security requirements. Document both before vendor IT relationships become operational.

Frequently asked questions

Do IT vendors without patient contact need OIG screening?
If they access PHI or claims systems connected to Medicare or Medicaid billing, yes. Remote access does not reduce exclusion screening obligations.
Should we screen individual developers with EHR access?
Screen personnel with production PHI or claims access per your policy — especially contractors and offshore support staff.
Do SaaS vendors need LEIE screening?
Screen vendors whose employees perform implementation, support, or maintenance touching your PHI or claims data. Pure licensing without service access may be lower tier — document your assessment.
When should IT vendor screening happen?
Before credential provisioning and system access — not after go-live.

Related guides

Put this into a monitored workflow

Exclusion Monitor handles this continuously — with reminders and an audit trail.