Buyer Guides | February 27, 2026 | 13 min read

State Medicaid Exclusion Lists: A Credentialing Manager's Guide to Screening Beyond the Federal OIG and SAM

State Medicaid exclusion list screening is critical for compliance. Learn why federal-only checks leave gaps and how to build a comprehensive screening program.

Nick Gallo

Co-CEO, Ethico

State Medicaid Exclusion List Screening: A Credentialing Manager's Guide Beyond Federal OIG and SAM

If you're a credentialing manager, you already know the basics. You screen against the OIG LEIE. You check SAM.gov. You feel confident that your organization is protected from employing or contracting with excluded individuals.

But here's the uncomfortable truth: federal-only screening leaves significant gaps in your compliance program. State Medicaid exclusion list screening is where many organizations fall short — and where regulators are increasingly looking.

Every state maintains its own exclusion list. These lists often contain individuals and entities that don't appear on federal databases. Miss one name, and your organization could face severe penalties: repayment of claims, civil monetary penalties of up to $100,000 per item or service, and even criminal liability under the False Claims Act.

This guide walks you through everything you need to know about state Medicaid exclusion lists — what they are, why they matter, how they differ from federal lists, and how to build a screening program that actually protects your organization.


TL;DR: Key Takeaways

  • Federal exclusion screening (OIG LEIE and SAM) is necessary but not sufficient for compliance.
  • Each state maintains its own Medicaid exclusion list, and individuals can appear on state lists without being on federal ones.
  • Screening against all applicable state lists is a regulatory expectation, not a nice-to-have.
  • Manual state-by-state screening is error-prone and unsustainable at scale.
  • Automated sanction screening solutions can check federal and state lists simultaneously, reducing risk and saving credentialing teams hundreds of hours.
  • The JCAHO 2025 monthly monitoring mandate makes continuous, comprehensive screening more critical than ever.

What Are State Medicaid Exclusion Lists?

Every state that participates in the Medicaid program has the authority to exclude individuals and entities from its state Medicaid program. When someone is excluded at the state level, they are barred from participating in that state's Medicaid-funded services.

These exclusions can result from:

  • State-level investigations into fraud, abuse, or patient harm
  • License revocations or suspensions by state licensing boards
  • Convictions for crimes related to healthcare delivery
  • Administrative actions for program integrity violations
  • Reciprocal actions based on exclusions in other states

The key point: a state exclusion does not automatically trigger a federal exclusion. An individual can be excluded from a state Medicaid program while remaining absent from the OIG LEIE or SAM. This is the gap that catches organizations off guard.

How State Lists Differ from Federal Lists

| Factor | Federal (OIG LEIE / SAM) | State Medicaid Exclusion Lists |
|---|---|---|
| Maintained by | OIG / GSA | Individual state Medicaid agencies |
| Scope | All federal healthcare programs | State Medicaid program (sometimes broader) |
| Update frequency | Monthly (OIG), varies (SAM) | Varies widely by state — some monthly, some quarterly, some irregular |
| Format | Standardized, downloadable | Inconsistent — PDFs, HTML tables, searchable databases, or no online access |
| Overlap with federal | N/A | Partial — many state-excluded individuals are NOT on federal lists |
| Number of lists | 2 primary databases | 50+ (each state, territory, and D.C.) |

This inconsistency is what makes state Medicaid exclusion list screening so challenging — and so important.


Why State Medicaid Exclusion List Screening Matters More Than Ever

1. Regulatory Expectations Are Expanding

The OIG has long recommended that healthcare organizations screen against both federal and state exclusion lists. But "recommended" has increasingly become "expected." State Medicaid agencies, CMS, and the DOJ all look at whether organizations performed due diligence beyond the bare minimum.

The DOJ's updated Corporate Enforcement Policy emphasizes the importance of effective compliance programs. A compliance program that only screens against federal databases — while ignoring the state lists where your employees and vendors actually practice — is hard to defend as "effective."

2. The Financial Penalties Are Severe

Employing or contracting with an excluded individual can trigger:

  • Civil Monetary Penalties (CMPs): Up to $100,000 per item or service furnished by the excluded individual
  • Treble damages under the False Claims Act — three times the amount of the fraudulent claims
  • Repayment of all federal healthcare program payments tied to the excluded individual's work
  • Program exclusion for the employing organization itself in extreme cases

These aren't theoretical risks. The OIG publishes settlements regularly. Many involve organizations that failed to identify excluded individuals because they only screened against federal databases.

3. State-Only Exclusions Are More Common Than You Think

Some states are aggressive about excluding providers independently. States like New York, Texas, California, and Florida maintain large exclusion lists with entries that don't appear on the OIG LEIE. If your organization operates in multiple states, the number of state-only exclusions you could miss grows quickly.

4. JCAHO 2025 Monthly Monitoring Raises the Bar

For healthcare organizations subject to Joint Commission accreditation, the JCAHO 2025 mandate requiring monthly credential re-verification adds another layer of urgency. Monthly monitoring means monthly screening — not just at hire and annually. If you're already building infrastructure for monthly license verification, adding comprehensive exclusion screening (including state lists) is a logical and necessary extension.


The Problem with Manual State Exclusion Screening

Let's be honest about what manual screening looks like in practice.

Your credentialing team has to:

  1. Identify all applicable state lists based on where your organization operates, where employees are licensed, and where services are delivered.
  2. Navigate to each state's database — assuming it exists online. Some states still require phone calls or written requests.
  3. Search each name individually across each list, accounting for name variations, maiden names, aliases, and common misspellings.
  4. Document every search with screenshots, timestamps, and results for audit purposes.
  5. Repeat this process monthly (per JCAHO 2025 requirements) or at minimum quarterly for every employee, contractor, and vendor.

Now multiply that by hundreds or thousands of employees.

The math doesn't work. Even a mid-sized healthcare system with 2,000 employees screening against 10 state lists monthly generates 20,000 individual searches per month. That's before you account for contractors, vendors, and affiliated providers.

Common Failures in Manual Screening

  • Inconsistent coverage: Teams screen some states but not others, or screen at hire but not on an ongoing basis.
  • Name-matching errors: Manual searches miss variations. "Robert Smith" might be excluded as "Bob Smith" or "R. Smith, Jr."
  • Documentation gaps: Without automated audit trails, proving you screened is almost as hard as the screening itself.
  • Delayed detection: Quarterly or annual screening cycles mean an excluded individual could work for months before being identified.
  • Staff burnout: Credentialing teams spending hours on repetitive searches have less time for higher-value work.

How to Build a Comprehensive Exclusion Screening Program

Whether you're starting from scratch or upgrading an existing process, here's a practical framework for state Medicaid exclusion list screening.

Step 1: Map Your Screening Obligations

Start by identifying every exclusion list relevant to your organization:

  • Federal: OIG LEIE, SAM (EPLS), OFAC SDN list
  • State Medicaid: Every state where you operate, deliver services, or employ licensed professionals
  • State licensing boards: While not exclusion lists per se, license actions often precede or accompany exclusions
  • Other relevant databases: State-specific fraud and abuse registries, if applicable

Document this list and review it at least annually — especially if your organization expands into new states.

Step 2: Define Who Gets Screened

The OIG guidance is clear: screen everyone who could affect federal healthcare program participation. This includes:

  • All employees (clinical and non-clinical)
  • Contractors and temporary staff
  • Vendors and suppliers
  • Board members and governing body members
  • Volunteers with patient access
  • Physicians and affiliated providers

A common mistake is screening only clinical staff. Non-clinical employees who handle billing, coding, or administration can also trigger liability if excluded.

Step 3: Establish Screening Frequency

Best practices and emerging requirements point toward monthly screening as the standard:

  • At hire / before credentialing: Screen before the individual starts work or enters a contract
  • Monthly: Aligns with JCAHO 2025 requirements and OIG recommendations
  • Upon re-credentialing: Additional check during formal credentialing cycles
  • Event-driven: Screen when you receive notice of a license action, legal proceeding, or other red flag

Step 4: Automate the Process

Manual screening cannot scale. Automation is not a luxury — it's a necessity for any organization with more than a handful of employees.

Look for a screening solution that:

  • Checks federal and state exclusion lists simultaneously in a single workflow
  • Uses precision matching algorithms to reduce false positives (industry-standard false positive rates can exceed 90%, creating massive review backlogs)
  • Provides an immutable audit trail documenting every search, result, and resolution
  • Supports batch processing so you can screen your entire workforce efficiently
  • Offers a financial guarantee backing the accuracy of results

For context, organizations using automated sanction screening with precision algorithms can reduce false positive rates to 20-30% — compared to the 90%+ false positive rates common with basic name-matching tools. That difference translates directly into hours saved reviewing and clearing false matches.

Step 5: Build an Escalation and Response Protocol

Screening is only valuable if you act on the results. Define clear procedures for:

  • Who reviews matches — typically a compliance officer or credentialing manager, not the screened individual's direct supervisor
  • How quickly matches are investigated — same-day review is best practice for confirmed matches
  • What happens when an exclusion is confirmed — immediate removal from federal healthcare program work, HR notification, legal review, and potential OIG self-disclosure
  • Documentation requirements — every step from initial match to final resolution must be recorded

Step 6: Integrate Screening with Broader Compliance Infrastructure

Exclusion screening shouldn't exist in a silo. It's most effective when connected to your broader Ethics & Compliance program:

  • Case management: When a screening match requires investigation, it should flow into your case management system for tracking and resolution. A centralized system gives you a 360-degree view of all compliance-related activity.
  • Disclosure management: Conflicts of interest disclosures can surface relationships with excluded entities before screening even catches them.
  • Reporting and analytics: Track screening metrics (match rates, resolution times, false positive rates) over time to demonstrate program effectiveness to auditors and regulators.

State-by-State Screening Challenges: What to Watch For

Not all state exclusion lists are created equal. Here are common challenges credentialing managers face:

Accessibility Issues

  • Some states offer searchable online databases. Others publish static PDF lists. A few require you to contact the agency directly.
  • Database URLs and formats change without notice, breaking automated integrations.

Update Frequency Gaps

  • While the OIG LEIE updates monthly, state lists update on varying schedules. Some update weekly, others quarterly, and some have no published schedule at all.
  • This means a newly excluded individual might appear on a state list weeks before (or after) appearing on a federal list.

Naming Conventions and Data Quality

  • State lists may include limited identifying information — sometimes just a name and city, without date of birth, NPI, or license number.
  • This sparse data increases false positive rates dramatically when screening common names.

Multi-State Complexity

  • Organizations operating in multiple states must screen against every relevant state list. A health system operating in five states might need to check five separate state Medicaid exclusion lists in addition to federal databases.
  • Telehealth expansion has made this even more complex, as providers may be licensed and delivering services across state lines.

The Cost of Getting It Wrong (and the Value of Getting It Right)

Let's put the risk in perspective.

Scenario: A mid-sized healthcare organization employs a billing specialist who was excluded from a state Medicaid program two years ago. The exclusion never appeared on the OIG LEIE. The organization screens only against federal databases.

Over two years, this individual processes thousands of Medicaid claims. When the state Medicaid agency discovers the situation during an audit, the organization faces:

  • Repayment of every claim the excluded individual touched
  • Civil monetary penalties per item or service
  • Potential False Claims Act liability with treble damages
  • Reputational damage and increased regulatory scrutiny
  • Loss of staff time responding to investigations

Contrast this with an organization that screens against both federal and state lists monthly using automated tools. The exclusion is caught before the individual is hired — or within a month of the exclusion action. Total cost: the price of the screening software. Total penalty exposure: zero.

The math is simple. Comprehensive state Medicaid exclusion list screening isn't a cost center. It's insurance against catastrophic financial and reputational loss.


What to Look for in an Automated Screening Solution

When evaluating tools for exclusion screening, credentialing managers should prioritize:

  • Comprehensive list coverage: Federal (OIG LEIE, SAM, OFAC) and state Medicaid exclusion lists in a single platform
  • Low false positive rates: Precision algorithms that reduce false positives dramatically — look for rates in the 20-30% range rather than the 90%+ common with basic tools
  • Batch processing speed: The ability to screen hundreds of names in one to two hours, with smaller batches completing in under an hour
  • Financial guarantee: A provider willing to back their screening accuracy with a financial guarantee demonstrates confidence in their results
  • Audit-ready documentation: Automated, immutable records of every screening action
  • Managed service options: For organizations that want expert oversight rather than adding more tasks to an already-stretched team
  • Integration capability: The ability to connect screening data with case management, credentialing workflows, and compliance reporting


Conclusion: Close the Gap Before Regulators Find It

Federal exclusion screening is the floor, not the ceiling. State Medicaid exclusion list screening is what separates compliance programs that check a box from those that actually protect the organization.

The regulatory environment is moving toward more frequent, more comprehensive screening. JCAHO 2025's monthly monitoring mandate is just one example. The DOJ's emphasis on effective compliance programs is another. Organizations that build robust, automated screening programs now will be better positioned for whatever comes next.

Your action items:

  1. Audit your current screening program — are you covering all applicable state lists?
  2. Assess your screening frequency — is monthly monitoring feasible with your current process?
  3. Evaluate your false positive burden — how many hours does your team spend clearing false matches?
  4. Explore automated solutions that cover federal and state lists with precision matching and financial guarantees.
  5. Connect your screening program to your broader E&C infrastructure for a complete compliance picture.

The gap between federal-only and comprehensive screening is where risk lives. Close it.


Frequently Asked Questions

Is state Medicaid exclusion list screening legally required?

Federal regulations (42 CFR 455.436) require state Medicaid agencies to screen providers against federal and state exclusion lists. For healthcare organizations, screening against state lists is a best practice strongly recommended by the OIG and increasingly expected by auditors and regulators. Failure to screen can be used as evidence of an ineffective compliance program.

How often should we screen against state exclusion lists?

The OIG recommends monthly screening against the LEIE at minimum. Best practice extends this to state lists as well. With JCAHO 2025 requiring monthly credential re-verification, monthly screening against all applicable exclusion lists is becoming the standard for healthcare organizations.

Do we need to screen against every state's list, or just the states where we operate?

At minimum, screen against every state where your organization operates, delivers services, or employs licensed professionals. For organizations with multi-state telehealth operations or traveling staff, this may mean screening against many or all state lists. When in doubt, broader coverage reduces risk.

What's the difference between sanction screening and background checks?

Sanction screening checks individuals against government exclusion and debarment lists (OIG LEIE, SAM, OFAC, state Medicaid exclusion lists) to determine eligibility for participation in government healthcare programs. Background checks examine criminal history, employment history, and other personal records. They serve different compliance purposes and are not interchangeable.

How do we handle a confirmed exclusion match?

Immediately remove the individual from any role involving federal or state healthcare program work. Notify your compliance officer and legal counsel. Document the discovery and all actions taken. Consider whether an OIG self-disclosure is appropriate. Review how the exclusion was missed (if the individual was already employed) and update your screening procedures accordingly.
