The HHS OIG Exclusions List is a database of individuals and organizations that are prohibited from participating in federal health care programs. Healthcare providers participating in federal health care programs are advised to regularly check the HHS OIG Exclusions List to avoid penalties for non-compliance with §1128 of the Social Security Act. This article answers the following:
- What is the HHS Office of Inspector General?
- What is the HHS OIG Exclusions List?
- How is the OIG Exclusions List populated?
- Why check the OIG list for exclusions?
- What are the penalties for engaging excluded entities?
- How can providers mitigate the risk of a penalty?
- What other lists should be checked for exclusions?
- Conclusion: The importance of regularly checking for exclusions
What is the HHS Office of Inspector General?
The HHS Office of Inspector General (OIG) is a team of investigators, auditors, analysts, attorneys and cybersecurity specialists within the Department of Health and Human Services (HHS). The team’s roles are to investigate and audit the Department’s operations to prevent fraud, waste, and abuse within the Department, and also to audit and investigate potential crimes against the Department.
HHS was one of the first Departments to have an Office of Inspector General in 1976 due to billions of dollars being lost each year to Medicaid fraud. At the time there was a ten-year backlog of uninvestigated cases, so Congress passed Public Law 94-505 to create an independent unit with adequate resources to clear the backlog and implement measures to detect future fraud and abuse.
Subsequent Acts of Congress increased the OIG’s regulatory authority to prevent crimes against the Department. The False Claims Amendment Act in 1986 lowered the bar for proof of fraud and increased the fines the OIG could impose, while the Health Insurance Portability and Accountability Act (HIPAA) in 1996 established the Health Care Fraud and Abuse Control (HCFAC) Program.
HCFAC gave HHS’ OIG the resources to enforce §1128 of the Social Security Act. This section relates to the “Exclusion of Certain Individuals and Entities from Participation in Medicare and State Health Care Programs”, which – although effective since the passage of the Medicare-Medicaid Anti-Fraud and Abuse Amendments in 1977 – had never been properly enforced due to a lack of resources.
What is the HHS OIG Exclusions List?
The HHS OIG Exclusions List is the name given to the list of individuals and organizations excluded from participating in federal health care programs under section 1128 (and subsequently section 1156) of the Social Security Act. The list now covers more than just Medicare and State Health Care Programs, and includes programs such as CHIP, TRICARE, and Veterans Affairs.
Also known as the OIG’s List of Excluded Individuals and Entities (LEIE), the HHS OIG Exclusions List contains details such as the excluded individual’s or organization’s address, National Provider Number, Unique Physician Identification Number, date of birth, job description, the date of exclusion, and the reason for exclusion – referring to the relevant clause of §1128 of the Social Security Act.
There are a number of reasons why an individual or organization may be included on the HHS OIG Exclusions List. Some of these reasons attract a mandatory exclusion (i.e., required by law). Others are known as “permissive exclusions”, which are discretionary and which – in most cases – give individuals or organizations 30 days’ advance notice to appeal against inclusion on the list.
| Examples of Mandatory OIG Exclusions | Exclusion Period |
| --- | --- |
| Medicare or Medicaid fraud | Minimum 5 years |
| Patient abuse or neglect | Minimum 5 years |
| Other healthcare-related theft, fraud, or financial misconduct | Minimum 5 years |
| Unlawfully manufacturing, distributing, prescribing, or dispensing a controlled substance | Minimum 5 years |
| Second mandatory exclusion offense | Minimum 10 years |
| Third mandatory exclusion offense | Permanent exclusion |

| Examples of Permissive OIG Exclusions | Exclusion Period |
| --- | --- |
| Fraud in non-health care programs | Baseline 3 years |
| Obstruction of an investigation or audit | Baseline 3 years |
| License revocation or suspension | Same as state licensing authority |
| Kickbacks and other prohibited activities | No minimum |
| Default on health education loan or scholarship obligations | Until default or obligation has been resolved |
| Failure to provide medically necessary services meeting professionally recognized standards | Minimum 1 year |
What the LEIE list does not show is the length of exclusion (most exclusions are not permanent). If an individual or organization does not request that their name be removed from the list once the period of exclusion is finished, it will remain on the HHS OIG Exclusions List indefinitely – potentially complicating searches when multiple entries exist for individuals with identical names.
How is the HHS OIG Exclusions List Populated?
The OIG Exclusions List is populated from several sources. Most mandatory exclusions on the LEIE list originate from enforcement actions taken by the HHS OIG or DOJ which result in a felony conviction. Enforcement actions taken by the HHS OIG and other federal agencies which result in misdemeanor convictions usually appear as permissive exclusions. These do not have a right of appeal.
In addition to HHS OIG enforcement actions, Medicare Fraud Control Units (MFCUs) operate in every state and territory. MFCUs have the authority to investigate and prosecute Medicaid provider fraud and patient abuse or neglect; and, when MFCU prosecutions result in a conviction, the individuals or organizations responsible for the fraud, abuse, or neglect are added to the HHS OIG Exclusions List.
Additionally, every state and territory has its own Office of Inspector General (or equivalent), its own laws regarding exclusions, and its own exclusion database. In some states, an exclusion at the federal level automatically triggers a state-level exclusion, but this does not always work in reverse because an event that constitutes a state violation may not constitute a federal violation.
Other excludable events can be reported to HHS OIG by healthcare providers, licensing authorities, and law enforcement agencies. However, these events can take some time to be added to the LEIE list because of factors such as the right of appeal. In some cases, exclusions reported to HHS OIG from these sources can take up to two years to appear on the HHS OIG Exclusions List.
Why Check the OIG List for Exclusions?
The reason healthcare providers are advised to check the OIG list for exclusions is that §1128A of the Social Security Act prohibits individuals and organizations that appear on the OIG Exclusions List from providing goods or services to providers that participate in federal health care programs. Excluded individuals are also prohibited from working for a participating healthcare provider in any capacity.
Healthcare providers that acquire goods or services from an excluded supplier – including prescribed medical items – will not only have their claims rejected by the federal health care program (which means they will have to absorb the cost themselves), but may also be subject to a civil monetary penalty, damages (described in the next section), and inclusion on the OIG LEIE list themselves!
With regard to excluded individuals, the prohibitions apply not only to individuals working in a medical capacity (including volunteers). If a participating healthcare provider employs an excluded individual in an administrative or environmental role – or subcontracts an excluded individual via an agency – this also qualifies as a violation of §1128 of the Social Security Act.
Importantly, pleading ignorance of an organization’s or an individual’s exclusion is no defense against a penalty for engaging – or engaging with – an excluded entity. The HHS OIG Exclusions List has been online and well-publicized since 1999, and the penalty clauses of §1128A of the Social Security Act apply to persons “who knew or who should have known” they were engaging an excluded entity.
What are the Penalties for Engaging an Excluded Entity?
The penalties for engaging an excluded entity or engaging with an excluded entity (for example, acquiring goods or services from an excluded supplier) are listed in §1128A of the Social Security Act. Last updated by the Bipartisan Budget Act of 2018 (and therefore likely to change in the near future), the current penalties for engaging – or engaging with – an excluded individual are:
- A civil monetary penalty of up to $20,000 for each item or service claimed, per violation occasion.
- Assessed damages of up to three times the amount claimed for each item or service (no limit).
- Potential addition to state and HHS OIG Exclusion Lists depending on the nature of the violation(s).
The penalties for engaging – or engaging with – an excluded entity can be significant if a relationship with an excluded entity continues for many years. For example, in 2022, a Connecticut psychiatric practice entered into a settlement agreement of $310,874 for employing an excluded individual as its clinical director for five years and using federal reimbursement to pay the individual’s salary.
More recently, in June 2023, the Chinese American Planning Council Home Attendant Program in New York entered into a settlement agreement of $866,339 with HHS OIG for employing a personal assistant who was excluded from participation in the New York Medicaid program. HHS OIG alleged that the organization had billed New York Medicaid for services furnished by the personal assistant.
How can Providers Mitigate the Risk of a Penalty?
Providers can mitigate the risk of a penalty by frequently checking exclusion lists for individuals and organizations prohibited from providing goods and services to healthcare providers. HHS OIG recommends “providers should check the LEIE prior to employing or contracting with persons and periodically check the LEIE to determine the exclusion status of current employees and contractors”.
As well as checking the exclusion status of prospective and existing employees and contractors, it is important healthcare providers develop policies relating to the frequency of screening existing employees and contractors, the responsibility for screening, and which databases to check. These policies must be documented along with the results of database checks and positive identifications.
Any excluded individual or organization identified in a database check that is already employed by or providing goods and services to the healthcare provider should be reported to HHS OIG via the Health Care Fraud Self-Disclosure Protocol in order to mitigate the risk of a penalty. Naturally, if a prospective employee or contractor (or a member of a contractor’s workforce) matches an entry on an exclusion database, the prospective employee or contractor should not be engaged.
The challenge with mitigating the risk of a penalty is that the HHS OIG Exclusions List is not the only database healthcare providers should be checking. Depending on a provider’s location and the nature of their operations, it may be necessary to check multiple state and federal databases to identify individuals and organizations excluded from providing goods and services.
What Other Lists should be Checked for Exclusions?
Other federal lists healthcare providers may need to check for exclusions – depending on the nature of their operations – include (but are not limited to) the Medicare Exclusion Database, the GSA’s System for Award Management database, and the National Practitioner Data Bank. It is also advisable to check local state exclusion lists for location-specific exclusions.
The Medicare Exclusion Database (MED)
The Medicare Exclusion Database includes data about individuals and entities that have been precluded from billing Medicare due to being assessed a penalty, owing an outstanding debt, or being subject to a Medicare payment suspension for (for example) fraudulent billing, overcharging, providing substandard care, or non-compliance with CMS rules and regulations.
An entity that appears on CMS’ Medicare Exclusion Database might not appear on the HHS OIG Exclusions List depending on the reason for being excluded. Therefore, although engaging – or engaging with – an entity that only appears on the Medicare Exclusion Database will not attract a penalty, it could mean a healthcare provider will not get paid for services billed to Medicare.
The System for Award Management (SAM) Database
The General Services Administration’s (GSA) System for Award Management (SAM) database is a procurement repository that healthcare providers can use to determine the eligibility of individuals and entities to participate in federal programs. The database not only includes contractors approved to do business with the federal government, but also contractors excluded from federal programs.
Excluded contractors that appear on the SAM database would have previously appeared in the Excluded Parties List System (EPLS). However, this system was integrated into the SAM database – effectively making it easier to search a single database. Like the MED database, inclusion on the SAM database does not guarantee an excluded entity will appear on the HHS OIG Exclusions List.
The National Practitioner Data Bank (NPDB)
The National Practitioner Data Bank is an information clearinghouse that lists adverse actions taken by licensing agencies against health care practitioners and health care entities, adverse privileging actions, and any negative actions or findings taken against health care practitioners or entities by Quality Improvement Organizations and Private Accreditation Organizations.
In 2013, the NPDB was merged with the Healthcare Integrity and Protection Data Bank (HIPDB), which was created by HIPAA to provide information on adverse licensing and certification actions, healthcare-related criminal convictions, civil judgments, exclusions from Federal or State health care programs, and other decisions. This information is now available via the NPDB database.
Conclusion: The Importance of Regularly Checking for Exclusions
While most healthcare providers will be aware of the HHS OIG Exclusions List, and likely check it before employing new hires or entering into contracts with new vendors, it is important to continue regularly checking the database because exclusions that originate from outside the Office of Inspector General or an MFCU can take up to two years to appear on the HHS OIG Exclusions List.
Furthermore, as well as checking the LEIE list and any other lists relevant to their activities, healthcare providers should develop policies for the frequency of screening, and procedures for when a database check results in a positive match. The policies, checks, and any self-disclosure reports should be documented to mitigate the risk of a penalty for non-compliance.
Indeed, the penalties for engaging – or engaging with – an excluded individual or organization can be significant if checks are not performed and a relationship with an excluded individual is allowed to continue. Six-figure civil monetary penalties are not uncommon and healthcare providers also run the risk of themselves being added to the HHS OIG Exclusions List.
Therefore, the importance of frequently checking for exclusions cannot be overstated. Although not mandatory (except for State Medicaid agencies), the “should have known” clause in §1128A of the Social Security Act means there is no justifiable defense for healthcare providers that fail to check all applicable databases. If any healthcare provider is unsure of its exclusion responsibilities under §1128 of the Social Security Act, it is recommended to seek professional compliance advice.
The post What is the HHS OIG Exclusions List? appeared first on HIPAA Journal.