Excluded but Still Prescribing

The Office of Inspector General (OIG) maintains a list of providers excluded from federal healthcare programs — typically due to convictions for fraud, patient abuse, or other serious offenses. Yet when we cross-referenced this list against the most recent Medicare Part D prescribing data, we found something alarming: 82 excluded providers appear in the 2023 dataset, collectively responsible for 766,860 prescription claims totaling $80.0M in costs billed to Medicare.

These are not hypothetical risks. These are real providers, with real National Provider Identifiers (NPIs), who were convicted of offenses serious enough to warrant exclusion from federal healthcare — and who nonetheless appear in active prescribing records paid for by taxpayer dollars.

What Is the OIG Exclusion List?

The OIG exclusion list — formally known as the List of Excluded Individuals and Entities (LEIE) — is a federal database maintained by the U.S. Department of Health and Human Services Office of Inspector General. It contains the names and identifying information of every individual and organization that has been barred from participating in Medicare, Medicaid, and all other federal healthcare programs.

Being placed on the LEIE is one of the most severe administrative actions in American healthcare. It means the federal government has determined, typically through a criminal conviction or administrative finding, that an individual poses such a risk to patients or program integrity that they should not be allowed to bill federal programs or provide services reimbursed by federal dollars.

The consequences extend beyond the individual provider. Any hospital, pharmacy, or healthcare organization that knowingly employs or contracts with an excluded individual for services billed to federal programs faces civil monetary penalties of up to $100,000 per item or service. The LEIE is updated monthly and is publicly searchable on the OIG website, making it a critical compliance tool for healthcare employers.

Types of Exclusions

OIG exclusions fall into two broad categories, each reflecting different levels of severity and the government's discretion in imposing them.

Mandatory Exclusions

Mandatory exclusions are required by law. When a provider is convicted of certain offenses, OIG has no choice — exclusion is automatic. These offenses include:

• Medicare or Medicaid fraud — Any felony or misdemeanor conviction related to the delivery of items or services under Medicare or Medicaid
• Patient abuse or neglect — Criminal convictions related to abuse, neglect, or mistreatment of patients in connection with healthcare delivery
• Felony healthcare fraud — Convictions for fraud against any healthcare program, public or private
• Felony controlled substance convictions — Convictions related to the unlawful manufacture, distribution, prescription, or dispensing of controlled substances

Mandatory exclusions carry a minimum five-year period. For subsequent convictions, the minimums increase — ten years for a second offense, permanent exclusion for a third.

Permissive Exclusions

Permissive exclusions are at the OIG's discretion. The OIG may exclude providers for a broader range of conduct, including:

• Misdemeanor fraud convictions — Fraud against non-healthcare programs
• License revocation or suspension — Loss of professional license for reasons related to professional competence or performance
• Default on student loans — Health Education Assistance Loan defaults
• Controlled substance violations — Misdemeanor convictions related to controlled substances
• Excessive claims or unnecessary services — Submitting claims for services that are substantially in excess of the patient's needs
• Kickbacks and referral schemes — Participation in illegal payment arrangements for patient referrals

Permissive exclusion periods vary based on the severity of the conduct and any aggravating or mitigating factors the OIG considers during its review.

How We Found Them

Our methodology is straightforward: we performed a direct cross-reference between two publicly available federal datasets.

The first dataset is the CMS Medicare Part D Prescribers file, published annually by the Centers for Medicare and Medicaid Services. This file contains every provider who wrote at least eleven prescriptions under Medicare Part D in a given year, including their NPI, name, specialty, total claims, and total drug costs. We used the 2023 release, the most recent available.

The second dataset is the OIG LEIE database, which we downloaded in its entirety. The LEIE contains each excluded individual's name, NPI (when available), date of birth, exclusion type, exclusion date, and reinstatement date (if applicable).

The matching process used NPI as the primary key. Every provider in the Medicare Part D dataset has a unique 10-digit NPI assigned by CMS. We matched these NPIs against the LEIE database, filtering for individuals whose exclusion was active during the 2023 prescribing period. This produced 82 confirmed matches — providers who appear on both lists simultaneously.

This is not a fuzzy match or a probabilistic estimate. NPI is a unique, permanent identifier assigned to each healthcare provider. When the same NPI appears in both the exclusion list and the prescribing data, it represents the same individual.

What This Means

The implications are direct: $80.0M in Medicare Part D spending is associated with providers the federal government itself has deemed unfit to participate in federal healthcare programs. That money comes from the Medicare Trust Fund, which is funded by payroll taxes, premiums paid by beneficiaries, and general tax revenue.

At an average of $976K per excluded provider, these are not trivial amounts. Each claim represents a prescription filled for a real Medicare beneficiary — an elderly or disabled American who relied on Medicare for their medication. The prescriptions were written by someone the government had already determined posed a risk to patients or program integrity.

It is worth emphasizing what exclusion means in practice. These providers were not flagged for billing irregularities or placed on a watch list. They were formally excluded, in many cases following criminal convictions. The LEIE is not a list of suspicions — it is a list of adjudicated outcomes.

The Enforcement Gap

How can a provider excluded from federal healthcare programs still appear in active Medicare prescribing data? The answer reveals a systemic weakness in how CMS administers its programs.

Several factors contribute to this gap:

• Decentralized claims processing — Medicare claims are processed by private contractors (Medicare Administrative Contractors, or MACs) and Part D plan sponsors. Each entity is responsible for screening against the LEIE, but enforcement varies. There is no single automated gate that blocks an excluded NPI from appearing on a claim.
• NPI persistence — An NPI is never deactivated when a provider is excluded. The NPI remains valid in the NPPES registry even after exclusion. This means pharmacies and plan sponsors may process prescriptions under an excluded NPI without receiving an automated rejection.
• Prescribing vs. billing — A provider writes a prescription. The pharmacy fills it and bills Medicare. The provider's NPI appears on the claim as the prescriber, but the provider did not directly submit the claim. This creates a gap where the pharmacy may not know — or check — whether the prescriber is excluded.
• Timing and data synchronization — The LEIE is updated monthly, but CMS prescribing data is compiled annually. Some matches may reflect narrow windows where exclusion took effect mid-year, or where reinstatement occurred between snapshots.
• Limited pharmacy obligations — While healthcare employers are required to check the LEIE, pharmacies filling prescriptions may not consistently verify the exclusion status of every prescriber whose prescriptions they dispense. The legal obligation primarily falls on employers, not on pharmacies filling third-party prescriptions.

The result is a system where exclusion is announced but not comprehensively enforced at the point of service. A provider can be placed on the LEIE and, in practice, continue to write prescriptions that Medicare pays for — because no automated system reliably prevents it.

Patterns We Observed

While we do not identify individual providers by name in this analysis, several patterns emerged from examining the 82 matches in aggregate.

Geographic concentration was notable. Several states accounted for a disproportionate share of excluded-but-prescribing providers, with higher concentrations in states that also have large Medicare populations. This is not surprising — more providers means more potential matches — but it also suggests that some regional MACs may be less effective at screening than others.

Specialty distribution was uneven. Certain specialties appeared more frequently among excluded providers than their share of the overall prescriber population would predict. This is consistent with OIG enforcement priorities, which tend to focus on specialties with higher fraud risk, such as those involving controlled substances or durable medical equipment referrals.

Claim volumes varied dramatically. Some excluded providers had minimal prescribing activity — a handful of claims that might represent prescriptions written just before exclusion took effect. Others had substantial claim volumes, suggesting sustained prescribing activity throughout the year. A small number of excluded providers generated hundreds of claims and tens of thousands of dollars in costs, which is harder to explain by timing alone.

Cost patterns also varied. The average cost per excluded provider was $976K, but this average masks significant dispersion. Some providers were associated with low-cost generic prescriptions, while others prescribed expensive brand-name medications or controlled substances at elevated rates.

Why This Matters for Our ML Model

These 82 confirmed cases are not just a policy finding — they are the foundation of OpenPrescriber's machine learning fraud detection model.

Building a fraud detection model requires labeled training data: known examples of providers who have been confirmed as problematic. In healthcare fraud detection, this is notoriously difficult to obtain. Fraud investigations are confidential, settlements often include non-disclosure provisions, and most publicly available data does not label individual providers as fraudulent.

The LEIE cross-reference solves this problem. By matching excluded providers to their actual prescribing patterns, we create a dataset of 82 providers whose prescribing behavior can be studied in detail. We know their specialties, their geographic locations, their total claim volumes, their drug costs, and the specific drugs they prescribed. More importantly, we know they were excluded — giving us a confirmed positive label for supervised learning.

Our model learns what distinguishes these 82 excluded providers from the broader population of Medicare prescribers. It identifies patterns in prescribing volume, drug selection, cost per claim, specialty-adjusted benchmarks, and geographic outlier status. These learned patterns are then applied to the full Medicare Part D dataset to identify additional providers whose prescribing behavior closely resembles the confirmed cases.

The result: the model flags 4,183 additional providers as high-risk based on behavioral similarity to the 82 known exclusions. These flagged providers are not accused of fraud — they are identified as statistically similar to providers who were. You can explore the full results on our High Risk Providers page.

Data Limitations and Caveats

We present these findings with appropriate caveats. The cross-reference between the LEIE and Medicare Part D prescribing data is a point-in-time snapshot, not a real-time surveillance system. Several factors could affect interpretation:

First, the LEIE snapshot and the prescribing data period may not perfectly overlap. A provider excluded in October 2023 would appear on the LEIE but may have legitimately prescribed for the first nine months of the year. Their claims would still appear in the annual dataset. We cannot distinguish, at the annual level, which specific claims occurred before versus after the exclusion date.

Second, some providers on the LEIE may have been reinstated. OIG reinstatement is not automatic — providers must apply and demonstrate that they meet the conditions for reinstatement. However, there can be processing delays between reinstatement approval and LEIE database updates. A small number of our 82 matches may reflect recently reinstated providers who had not yet been removed from the LEIE at the time of our download.

Third, we match on NPI only. While NPI is a unique identifier, data entry errors in either dataset could theoretically produce false matches. We consider this risk minimal given the structured nature of both datasets, but we acknowledge it as a possibility.

Despite these caveats, the overall finding is robust. Even if a fraction of the 82 matches are explained by timing or data lag, the remainder represent a genuine enforcement gap that warrants investigation. And from a machine learning perspective, even imperfect labels provide valuable signal — the model learns general patterns of high-risk prescribing, not the specific circumstances of each individual case.

The Broader Context of Medicare Fraud

Medicare fraud is not a marginal problem. The Department of Justice estimates that fraud and improper payments account for billions of dollars annually across Medicare programs. The Government Accountability Office (GAO) has placed Medicare on its High Risk List every year since 1990, citing its vulnerability to fraud, waste, and abuse.

Part D is particularly vulnerable because of its structure. Unlike Part A (hospital) and Part B (physician services), Part D is administered entirely through private plan sponsors — insurance companies that contract with CMS to provide prescription drug coverage. Each plan sponsor is responsible for its own claims processing, provider screening, and fraud detection. This decentralized model creates inconsistencies in oversight.

The 82 excluded providers we identified represent only the most visible layer of the problem — cases where the government has already investigated, adjudicated, and excluded an individual, yet that individual's prescribing activity persists in paid claims data. If the system cannot catch providers it has already formally excluded, it raises serious questions about its ability to detect providers who have not yet been investigated.

Policy Implications

The existence of 82 excluded providers in active Medicare prescribing data points to several policy failures that deserve attention.

Real-time claims screening is inadequate. If CMS and its contractors cannot reliably prevent excluded providers from appearing in paid claims data, the exclusion system has a fundamental enforcement problem. Exclusion without enforcement is merely a list.

NPI deactivation should follow exclusion. Currently, a provider's NPI remains active in the National Plan and Provider Enumeration System (NPPES) even after OIG exclusion. Linking these two systems — so that exclusion triggers an NPI flag visible to pharmacies and plan sponsors at the point of service — would close a significant gap.

Pharmacy-level screening needs strengthening. Pharmacies are the final point of contact before a Medicare-funded prescription is dispensed. Requiring pharmacy management systems to check prescriber NPIs against the LEIE at the point of dispensing would add a practical enforcement layer.

Cross-dataset analysis should be routine. The fact that a simple NPI match between two public datasets reveals 82 concerning cases suggests this analysis is not being performed systematically by CMS. Automated cross-referencing between the LEIE and claims data should be a standard, recurring audit function.

Transparency drives accountability. Both the Medicare Part D prescribing data and the LEIE are public. By making this cross-reference accessible through OpenPrescriber, we enable journalists, researchers, policymakers, and the public to examine these cases independently. Transparency is not a substitute for enforcement, but it creates pressure for improvement.

What You Can Do

If you are concerned about these findings, there are concrete steps you can take:

• Check your own providers. You can search the OIG LEIE directly at exclusions.oig.hhs.gov to verify whether any of your healthcare providers have been excluded. You can also search any provider on OpenPrescriber to see their prescribing patterns and risk indicators.
• Contact your representatives. The enforcement gap described here is a policy problem that requires legislative or regulatory action. Contacting your Congressional representatives about Medicare fraud oversight puts this issue on their radar.
• Share this analysis. Public awareness drives change. Share this page with others who care about healthcare integrity and responsible use of taxpayer funds.
• If you are a healthcare employer, verify that your organization screens all employees and contractors against the LEIE monthly. OIG provides a free screening tool, and failure to screen can result in civil monetary penalties.
• If you are a researcher or journalist, the underlying data is public. We encourage independent verification and further investigation. Our methodology page documents our data sources and approach in detail.
• Report suspected fraud. If you have reason to believe a healthcare provider is improperly billing Medicare, you can report it to the OIG hotline at 1-800-HHS-TIPS or online at oig.hhs.gov/fraud/report-fraud. Reports can be made anonymously.

The goal of OpenPrescriber is not to replace federal oversight — it is to demonstrate what is possible with public data and to make that analysis accessible to everyone. When a straightforward NPI cross-reference reveals 82 excluded providers in active prescribing data, it shows both the value of transparency and the urgency of systemic reform.