
Compliance Due Diligence for Skilled Nursing Facilities: What to Verify and How Often

May 1, 2026 · 8 min read

Skilled nursing facilities sit at the intersection of three regulators that don't coordinate with each other: CMS (which sets Conditions of Participation and runs the 5-Star survey), the state survey agency (which actually walks the building), and the HHS Office of Inspector General (which runs exclusion screening and brings False Claims Act cases). Add the DOJ's standing interest in long-term care fraud and the result is a sector with more concentrated audit exposure per bed than almost anywhere else in healthcare.

Most SNFs are not failing because they don't care about compliance. They're failing because credential checking is treated as an HR onboarding task, run once at hire, on a spreadsheet, by someone who also has nine other priorities. That model breaks at the volume and velocity an SNF actually operates at. Here's what due diligence looks like when you build it for the regulators you actually have.

Why SNFs are exposed in ways acute-care isn't

In November 2024, the OIG issued the first new Industry Segment-Specific Compliance Program Guidance for Nursing Facilities in over fifteen years. The guidance is not optional reading. It tells you exactly what risk areas the OIG considers most likely to produce enforcement, and the list is uncomfortably specific: Medicare and Medicaid billing accuracy, kickbacks tied to ancillary services, quality of care as a fraud vector, and (the one that surprises operators) credentialing and exclusion screening as a foundational element of any defensible compliance program.

The DOJ has been telling you the same thing through enforcement. Genesis Healthcare resolved a False Claims Act matter for $53.6 million over allegations that included grossly substandard nursing care tied to insufficient staffing. SavaSeniorCare paid $11.2 million to resolve allegations that included failure to maintain adequate staffing to meet residents' needs. "Adequate staffing" in DOJ's framing isn't just headcount. It's headcount that holds active, unrestricted, unexpired credentials. A nurse practicing on a lapsed license is, for billing purposes, not a nurse.

Per-role credential checks in an SNF

Registered nurses and LPNs

Active license in every state where the SNF operates beds. "Active" is not the same as "in good standing," and a state board lookup that shows a green status field can sit alongside an open disciplinary proceeding. Pull both the license status and the disciplinary tab. See the healthcare license verification checklist for the full set of checks.

Certified nursing assistants

CNAs are registered on the state nurse aide registry, which is also where state survey agencies post findings of abuse, neglect, or misappropriation of resident property. Federal law (42 CFR 483.156) prohibits an SNF from employing a CNA listed on the registry with an unfavorable finding. This is not a recommendation. It is a Conditions of Participation issue and a survey deficiency waiting to happen.

Medical Director (MD or DO)

Active state medical license, active DEA registration in the state of practice, OIG LEIE clear, SAM.gov clear, state Medicaid exclusion list clear. Medical Directors are physician employees or contractors of the facility, which means their exclusion status is the facility's problem the moment they sign the agreement. See what an excluded provider is and what happens if you employ one.

Nursing Home Administrator (NHA)

Every state requires NHAs to hold an active state license issued by a state board of NHA examiners. CE requirements vary by state. Some states require continuing education in compliance, ethics, or resident rights specifically. A lapsed NHA license in the building during a survey is a finding.

Allied roles: dietary, social services, therapy

Registered Dietitians (RD/RDN credential through CDR), Licensed Social Workers where required by state, and contracted therapy staff (PT, OT, SLP) all carry credential and exclusion exposure. Therapy contractors are particularly important because the DOJ's long-running theory in SNF cases is that medically unnecessary therapy minutes are billed to maximize Resource Utilization Group (RUG) categories. If the underlying clinician is also excluded, you are stacking liability.

Federal exclusion screening: cadence and statute

OIG guidance has been consistent for years: screen all employees and contractors against the LEIE at hire and monthly thereafter. The statutory hook is 42 USC 1320a-7a, which authorizes Civil Monetary Penalties for arrangements with excluded persons. Penalties can run into six figures per item or service billed in the aggregate, plus repayment of the federal share. Screening monthly is not paranoia. It is the bare minimum the OIG expects you to be doing.

SAM.gov adds a separate layer of federal exclusion data that does not duplicate the LEIE. State Medicaid exclusion lists add a third. OIG vs SAM.gov vs NPDB walks through how the four federal sources differ and why none of them substitutes for the others.

What the survey actually catches

State surveyors enter the building under CMS authority and inspect against the F-tag system. Several F-tags route directly to credential and staffing questions. F-725 and F-726 cover sufficient and competent nurse staffing. F-940 and F-941 cover training requirements and competency. F-947 covers the in-service training program. A surveyor who finds that a CNA on the schedule has a lapsed certification, or an RN whose license shows a probationary action the facility never documented reviewing, writes the deficiency under one of these tags. Repeated or substantial deficiencies move into Immediate Jeopardy territory, which means civil money penalties and potential denial of payment for new admissions.

The 5-Star rating system also pulls staffing data from PBJ submissions and matches it against payroll. A facility that reports staffing levels its payroll data does not support gets flagged. A facility that has staff on payroll whose credentials cannot be verified has a different problem, and it is the more dangerous one.

Cadence: what to verify and how often

  • License status (RN, LPN, MD, DO, NHA, RD, LSW): continuous monitoring, not annual checks. A license can be suspended any day of the year. Continuous license monitoring exists because annual is structurally too slow.
  • OIG LEIE: monthly for every employee and contractor. No exceptions.
  • SAM.gov: monthly, alongside LEIE.
  • State Medicaid exclusion list: monthly, for every state where the SNF bills Medicaid.
  • CNA registry: at hire and at least annually, with re-screening when a state survey agency posts new findings.
  • DEA registration (Medical Director, prescribing PAs/NPs): at hire and at expiration, with a 90/60/30-day reminder cascade.
  • BLS/ACLS/PALS where role applies: 90-day prior-to-expiry monitoring. See the BLS/ACLS/PALS/NRP comparison.
  • Primary source verification of every license: annually as a baseline, continuously if the platform supports it. See what PSV actually means.

The cost of getting it wrong

Beyond the headline DOJ settlements, the operational cost of a credentialing failure in an SNF is severe. A surveyor finding tied to lapsed credentials can result in denial of payment for new admissions, which strands beds and crushes census during the months it takes to remediate. A False Claims Act case attaches treble damages to claims the federal government would not have paid had it known a non-credentialed or excluded person was involved. Malpractice carriers can deny coverage for incidents involving providers whose credentials lapsed, leaving the facility uninsured for the worst-case event. See how a lapsed license can void malpractice coverage.

The pattern across DOJ SNF enforcement is consistent. The government doesn't have to prove the facility set out to defraud anyone. It has to show that the facility billed federal programs for services rendered by people the facility either should have known, or could easily have known, were not eligible to render them. Monthly LEIE checks and continuous license status monitoring are how you generate the documentation that says you tried.

The audit trail is the deliverable

Every check this article describes produces a record. The record is the deliverable. When an OIG investigator or a CMS surveyor asks how you knew the Medical Director was not on the LEIE in February, the answer needs to be a timestamped log entry, not a recollection. Spreadsheets do not produce this audit trail in any defensible form. Modern compliance platforms do, automatically, as a side effect of doing the screening in the first place.

SNFs that build the audit trail before the audit don't fear the audit. The ones that don't, do.
