What Happens If You Employ an Excluded Medicaid Provider? The Real Consequences
The question that compliance officers should be asking is not "what happens if we employ an excluded provider?" It is "what happens when CMS finds out we did?" The answer is specific, statutory, and expensive.
The statutory framework
Section 1128A of the Social Security Act authorizes the Department of Health and Human Services to impose Civil Monetary Penalties (CMPs) on any person or organization that submits claims for services provided by an excluded individual. The penalties are not discretionary minimums — they are the floor:
- $10,000 per item or service billed while an excluded provider was involved in furnishing or directing that service
- Three times the amount claimed (assessments) in addition to the per-item penalty
- Potential exclusion of the organization itself from Medicare and Medicaid — not just the individual provider
To illustrate the math: if an excluded physician sees 20 Medicare patients per day over a three-month period before the violation is discovered, that is roughly 1,200 patient encounters. At $10,000 per item, the CMPs alone reach $12 million — before the 3x assessment on the underlying claim amounts.
What "employ" means under the exclusion rules
The scope of prohibited activity is broader than direct patient care. Under OIG guidance, an organization violates the exclusion rules if an excluded individual:
- Provides direct patient care that is billed to a federal health program
- Directs the care of other providers whose services are billed — a supervisory or medical director role qualifies
- Orders items or services — a physician who orders labs, imaging, or medications triggers the exclusion even if someone else performs the service
- Performs administrative functions that are a necessary prerequisite to billing — billing oversight, utilization review, and similar functions have been found to qualify
The excluded provider does not need to touch a patient. If their role connects to a Medicare or Medicaid claim in any of the ways above, the penalty attaches.
State Medicaid parallel enforcement
The federal CMP framework applies to Medicare and federal Medicaid dollars. State Medicaid agencies have independent enforcement authority and their own exclusion lists. Most states maintain exclusion databases that overlap with the OIG LEIE but include additional individuals excluded under state law. Employing a provider excluded at the state level — even one not on the federal LEIE — exposes the organization to state-level repayment demands and penalties.
The interaction between federal and state exclusions means that checking only the OIG list is not sufficient. A provider not excluded federally can still be excluded from your state's Medicaid program.
The look-back period
OIG exclusion penalties are retroactive to the date the provider was listed on the LEIE — not the date the organization discovered the exclusion. If a provider was added to the LEIE on February 1 and the organization did not find out until a CMS audit in August, every claim filed from February through August is subject to the penalty. There is no good-faith discovery exception that eliminates liability; it may affect the penalty amount negotiated in settlement, but it does not remove the underlying violation.
How organizations discover violations
In the majority of cases we've seen, organizations discover an exclusion violation the same way: a CMS audit or OIG self-disclosure request — not an internal compliance check.
The pattern is consistent. A routine CMS audit of a hospital or practice cross-references submitted claims against the LEIE. It finds a match — a provider who was excluded six months ago. The organization had no system for checking the LEIE after initial hire. The audit opens a repayment and penalty process that takes 12 to 24 months to resolve and results in a settlement that dwarfs what a monitoring subscription would have cost.
Remediation once a violation is discovered
When an organization discovers it has employed an excluded provider, the standard path is the OIG Self-Disclosure Protocol (SDP). Self-disclosure does not eliminate liability, but it typically results in a reduced multiplier on the assessment — the OIG's stated position is that self-disclosing entities may receive a lower assessment than those identified through audit. The process requires:
- Immediate removal of the excluded provider from any role connected to federal program billing
- A complete lookback calculation of all claims filed during the excluded period
- Submission of the disclosure to the OIG with full claim detail
- Negotiation of a settlement amount and, often, a Corporate Integrity Agreement (CIA) that imposes ongoing monitoring obligations
A Corporate Integrity Agreement can require five years of monitored compliance, annual reporting, and external review — turning a single missed exclusion check into a decade of elevated compliance burden.
The prevention math
The OIG LEIE is a free monthly CSV download. Automated platforms that check against it continuously cost a fraction of a single month's penalty exposure. The "true cost of non-compliance" analysis applies here with particular force: the asymmetry between prevention cost and violation cost is as wide as it gets in healthcare compliance. For the full context on what exclusion means and how the major databases work, see "What Is an Excluded Provider" and "What Is the OIG Exclusion List".