
Fraud detection has changed: Why your old strategy is now a liability

2/3/2026
By Justin Mann, Principal Advisor, Propelus

Ten years ago, exclusion screening was a simple compliance checklist. If your team downloaded the Office of Inspector General’s (OIG’s) List of Excluded Individuals/Entities (LEIE) periodically and ran a search, your organization was considered “safe.”

Today, that approach is dangerously outdated.

As the Department of Health and Human Services (HHS) and state agencies modernize their data capabilities, and federal and state governments increase their focus on fraud enforcement, the definition of effective Fraud, Waste, and Abuse (FWA) protection has shifted. It is no longer enough to react to federal exclusions after they happen. Leading health systems are now using sophisticated data to catch risks before they result in liability.

In part 1 of our two-part series on fraud, we look beyond the basic definitions to explore the hidden financial risks of mandatory exclusion, and why checking the LEIE is just the beginning.

The foundation: What is mandatory exclusion?

At its core, mandatory exclusion is a legal firewall designed to protect federal healthcare programs. The OIG is required by law to exclude individuals and entities convicted of specific crimes from participating in programs like Medicare and Medicaid.

The “Big 4” triggers for mandatory exclusion:

  1. Medicare or Medicaid fraud.
  2. Patient abuse or neglect.
  3. Felony convictions for other healthcare-related fraud, theft, or financial misconduct.
  4. Felony convictions regarding controlled substances.

If an individual lands on this list, the consequences are severe: a mandatory minimum exclusion period of five years, though it can be indefinite.

The “hidden” risks: Why the LEIE is no longer enough

While understanding the definition is important, relying on the LEIE as your only safety net leaves two critical gaps in your defense.

1. The “upstream” gap (the speed problem)

The OIG LEIE is often the final stop in a long legal journey. A provider might lose their license in one state today due to misconduct, but it can take months—sometimes over a year—for that data to trickle up to the federal OIG and appear on the LEIE (if it does at all).

During this “administrative lag,” that provider might continue to work at your facility. If you only check the LEIE, they look clean. But if you screen State Medicaid Exclusion Lists and Licensing Board Actions (the “upstream” sources), you catch the red flag immediately.

  • The modern standard: It isn’t enough to check these lists once at hire. Modern solutions monitor them continuously, ensuring you catch red flags that arise days, months, or years into employment.

Modern compliance isn’t about watching the finish line; it’s about watching the race.

2. The SAM.gov blind spot

Many organizations overlook the System for Award Management (SAM.gov). While the OIG focuses on healthcare crimes, SAM.gov tracks federal contractor debarments for issues like student loan defaults, research fraud, or other federal contract violations.

The catch: You cannot pay a debarred contractor with federal funds, even if they aren’t on the OIG LEIE. Comprehensive screening must cover both lists to ensure your vendors and contractors are eligible for payment.

3. The new enforcer: Data-driven detection

Beyond the gaps in the lists themselves, the method of enforcement has fundamentally changed.

Historically, federal investigations were reactive—triggered by whistleblower tips or patient complaints. Today, the DOJ’s Health Care Fraud Data Fusion Center uses proactive artificial intelligence to scan billions of claims in real time, integrating intelligence from the FBI, HHS-OIG, and CMS.

The reality: The government has upgraded its tech stack. In the 2025 National Health Care Fraud Takedown, this data-first approach helped charge 324 defendants responsible for $14.6 billion in alleged fraud.

By using “data as the detective,” regulators can now spot the exact “upstream” gaps mentioned above (such as a provider excluded in Illinois but billing in Indiana) long before a human investigator would. If your defense relies on manual checks while the prosecutor uses AI, you are fighting a digital battle with analog tools.

The “janitor rule” and DRGs: Who actually needs screening?

A common misconception is that exclusion screening only applies to direct caregivers. In reality, the OIG’s “Payment Prohibition” is much broader.

Federal programs will not pay for any item or service furnished by an excluded person, including administrative and management services. This is largely due to how hospitals are paid via DRGs (Diagnosis-Related Groups).

  • How it works: Medicare often pays a flat fee for a patient’s stay (the DRG). This payment is calculated to cover everything: surgery, nursing, electricity, and administrative overhead.
  • The trap: Because salaries for IT directors, HR managers, and custodial staff are part of that “administrative overhead,” they are technically paid with federal funds.
  • The consequence: If you employ an excluded janitor or admin, you are using federal dollars to pay their salary. This triggers the payment prohibition and can lead to Civil Monetary Penalties (CMPs), even if that employee never touched a patient.

Myth vs. reality: “Am I liable if the OIG hasn’t posted it yet?”

One of the most dangerous assumptions in compliance is that if a name isn’t on the federal list, you are safe to hire them.

MYTH: “If a provider isn’t on the OIG LEIE yet, I can’t be held liable for hiring them.”

REALITY: You are likely still liable. Here is why:

  • The “should have known” standard: The law penalizes organizations that “knew or should have known” about an exclusion. Because State Medicaid Exclusion lists are public records, the government argues you should have known about the risk. Ignoring state lists is often viewed as negligence.
  • The “Domino” effect (ACA Section 6501): The Affordable Care Act states that a provider terminated from one state Medicaid program is legally terminated from all state Medicaid programs. This happens immediately—it does not wait for the federal list to update. If you bill for them during the lag time, you may be submitting False Claims.

The math of non-compliance: By the numbers

Why is “upstream” screening so critical? Because the cost of missing a single exclusion is staggering.

  • The daily risk: In FY 2024, the OIG excluded 3,234 individuals and entities—an average of nearly 9 new exclusions every day.
  • The financial penalty: If you employ an excluded individual, the OIG can fine you up to $22,427 for each item or service they furnish, plus an assessment of 3x the amount claimed.
    • Real-world impact: This can result in fines reaching hundreds of thousands of dollars for a single oversight.
  • The hidden gap: An OIG audit revealed that more than half of state-terminated providers were not properly flagged in federal databases due to reporting failures. If you aren’t checking state lists directly, you are relying on a broken federal reporting pipeline.

The modern solution: Automated, upstream intelligence

The risks of today cannot be solved with the tools of yesterday. Manually checking the LEIE or relying on intermittent batch files leaves your organization exposed to the “gap time” between a crime occurring and a federal exclusion being posted.

How Propelus changes the game: Instead of relying on web scraping like legacy vendors, Propelus leverages privileged partnerships and direct integrations with licensing boards and agencies. With up to 98.5% automation (depending on population) and 52 million monthly verifications, we don’t just ‘check’ the data—we have a direct pipeline to the primary source.

  • Catch risks early: Identify license sanctions before they become exclusions.
  • Monitor broadly: Automatically screen SAM.gov, OIG, and state databases simultaneously.
  • Verify reinstatement: Reinstatement is never automatic. Even after the 5-year term ends, individuals remain excluded until they receive an official OIG reinstatement letter. Propelus also monitors State Licensing Boards, ensuring that a candidate who is “cleared” by the OIG isn’t still blocked by a revoked license.

Conclusion

Protecting your patients and your revenue requires more than doing the minimum. It requires a partner who understands the full lifecycle of compliance.

By moving from simple “list checking” to sophisticated, upstream monitoring, you aren’t just avoiding fines; you are building a safer, more resilient healthcare organization.

However, monitoring these lists is only half the battle. What happens when the person you hired isn’t who they say they are? Stay tuned for part 2 of our series on fraud, where we tackle how to know if someone is who they say they are, and how to ensure all of their credentials are real and remain in good standing, not just the ones they tell you about.