OIG, SAM, and OFAC: What Healthcare Providers Must Screen

Four lists, four different risks

Healthcare compliance teams often treat 'exclusion screening' as a single checkbox. In practice, U.S. providers navigate multiple federal and state sources. Each list reflects a different enforcement action — healthcare program ban, federal contract debarment, economic sanctions, or state Medicaid exclusion — and a party can appear on one list but not others.

OIG LEIE — federal healthcare program exclusions

The List of Excluded Individuals and Entities is maintained by HHS OIG. Excluded parties cannot furnish items or services paid by Medicare, Medicaid, or other federal healthcare programs. This is the list CMS surveyors and payer auditors ask about most often for providers billing federal programs.

SAM.gov — federal contract and assistance debarment

The System for Award Management tracks parties debarred, suspended, or otherwise excluded from receiving federal contracts or certain types of federal financial assistance. Hospitals with NIH grants, FQHCs, and vendors selling to government healthcare entities need SAM screening even when OIG is clear.

State Medicaid exclusion lists

Most states maintain their own Medicaid exclusion or sanction lists. A provider can be excluded in Texas but not yet on the OIG LEIE — or vice versa. Multi-state operators and telehealth providers serving patients across state lines must define which state lists apply to each relationship.

OFAC — sanctions and blocked parties

OFAC administers U.S. economic sanctions. Healthcare is not exempt: international medical device vendors, offshore billing partners, and wire payments to foreign entities all trigger OFAC obligations. OIG screening does not satisfy OFAC requirements.

Build a screening matrix

Document which lists you check for each relationship type — employee, clinical contractor, billing vendor, facilities vendor — and at what frequency. A one-page matrix attached to your compliance policy prevents the common failure mode where AP screens OIG but HR never checks state lists.

• Employees and clinical staff → OIG, state Medicaid, SAM (if applicable), OFAC
• Billing and RCM vendors → OIG, SAM, OFAC, state lists where they touch claims
• Pure facilities vendors → risk-based; often COI-heavy, exclusion-light unless contract requires
• Staffing agencies → screen agency and placed workers; verify agency's own program

Operational ownership

Compliance usually owns the policy; HR owns employee screening; procurement or AP owns vendor screening. Without a named owner per list and relationship type, gaps appear at handoffs — especially for locums, agency nurses, and new billing companies added mid-year.