Most healthcare organizations that use staffing-agency caregivers operate under a quiet assumption: when the staffing partner says they screen their placements against federal exclusion lists, that screening flows down to protect the receiving organization. Hospitals running float pools, senior care facilities filling shifts with per-diem nurses, behavioral health practices covering rosters with locum psychiatrists, home health agencies sourcing caregivers from a third-party bench. All of them inherit a coverage assumption from the same contractual language. Section 1128A of the Social Security Act is unambiguous about why that assumption is wrong.
Civil Monetary Penalty exposure under Section 1128A attaches to whoever presents (or causes to be presented) the claim for a federally funded service. The billing entity owns the penalty. A staffing-agency attestation is, at best, a contractual indemnity between two private parties; it is not a regulatory defense with the government. The 2026 CMP baseline of $23,331 per false claim, multiplied across months or years of undetected service delivery, is what an audit recovers. Across 2020 through 2025, healthcare organizations paid over $30.2 million in exclusion-related penalties, with $26 million of that total recorded in 2025 alone — a sharp escalation from $4.2 million the year prior (Beyond the Checkbox, EXSC 2025).
This guide is for compliance leads at any organization that bills Medicare or Medicaid for services delivered by staffing-agency personnel. The framework is the same whether you run a hospital nursing pool, a senior care float team, a behavioral health locum roster, or a home health caregiver bench. The Section L reference written by EXSC’s co-founders, both former federal prosecutors, is the framework most healthcare attorneys use on exactly this question.
Why the staffing-agency placement is the riskiest line item on a healthcare screening program
Across sectors, a meaningful share of clinical care comes from personnel who are not on the receiving organization’s W-2 payroll. Hospitals use float-pool nurses from staffing agencies and locum tenens physicians in critical-access and rural facilities. Senior care and nursing facilities depend on per-diem CNAs and LPNs sourced through staffing partners, especially during shortage cycles. Behavioral health practices cover panels with contracted therapists and locum psychiatrists. Home health agencies build their caregiver bench through staffing relationships, particularly in border-state operations. Dental groups and FQHCs fill gaps with traveling providers.
That reliance has grown sharply. The COVID-era nursing shortage drove a step-change in staffing-agency dependence across hospital systems and senior care facilities, and that dependence has persisted — the West Coast health system case study below documents one such trajectory through 2024. Every one of those staffing-agency names enters and leaves the screening universe on a different cadence than employees, and most compliance programs treat staffing-agency placements as someone else’s compliance problem. The five SERP-leading articles on exclusion screening, including pages from Verisys, ProviderTrust, Cisive, Symplr, and AccountableHQ, collectively give the staffing-agency question one bullet point, in one article (Verisys), inside a list of “contractors and vendors.”
The result is a category of compliance exposure that is operationally invisible to the receiving organization until an audit asks for screening evidence on a per-individual basis. By that point, the question is no longer “did our staffing partner screen?” but “do we have records showing every individual we billed for was screened against the right databases, on the right cadence, with documented match resolution?”
What Section 1128A actually says about who owns the penalty
Section 1128A is the Civil Monetary Penalty authority. It attaches liability to whoever “presents or causes to be presented” a claim for services rendered by an excluded individual. That formulation is deliberate: it reaches the billing entity, the people inside the billing entity who knew or should have known, and any party in the chain that materially contributed to causing the claim. The staffing agency that placed the individual is not the entity submitting the claim to Medicare or Medicaid. The receiving organization is.
The “knew or should have known” standard converts screening from a best practice into a screening obligation. An organization is liable if it knew the individual was excluded or if it would have known had it run a reasonable screen. As EXSC’s Beyond the Checkbox whitepaper puts the point: “The legal standard is ‘knew or should have known.’ Therefore, ignorance is not a defense. Penalties apply whether the hire was intentional or an oversight.”
The legal effect is that a credible screening program is itself a defense; the absence of one is itself an admission. A staffing partner’s attestation may demonstrate good faith, but it does not satisfy the “should have known” standard if the receiving organization’s own screening would have caught the exclusion.
Federal prosecutors treat the screening obligation as non-delegable in this specific sense: an organization can contractually share the operational work, but it cannot transfer the regulatory liability. The receiving organization’s own records (what was screened, when, against which databases, with what resolution) are what the auditor reviews. The staffing partner’s records are evidence of the partner’s compliance, not of the receiving organization’s. EXSC’s whitepaper documents the pattern directly: “Many providers contractually delegate pre-hire screening to staffing agencies. But this delegation doesn’t transfer regulatory liability. Regulators still hold employers to the ‘knew or should have known’ standard. When a violation occurs, the penalty falls on the hiring health system or practice — not the agency.”
EXSC’s co-founders Paul Weidenfeld and Robert Liles, both former federal prosecutors and the authors of EXSC’s Section L reference on this framework, built the company on the position that screening is a regulatory backstop, not a paperwork chore. The same framework applied in their 2017 analysis of the CMS Final Rule that made screening a Condition of Participation for home health agencies. The regulatory deep-dive at /home-health-final-rule-exclusion-screening-condition-of-participation/ is worth reading alongside this guide. The full legal framework walks the Section 1128 / 1128A statutory text in detail.
What it costs when the gap is discovered after the fact
The 2026 CMP baseline of $23,331 per false claim is the per-instance number. The math that bites healthcare organizations is not a single misbilled visit; it is the multiplier. Exclusion-screening gaps surface during audits, months or years after the fact, and the CMP exposure is per-claim. The denominator is every service delivered by the excluded individual during the undetected window.
Across sectors, the historical accumulation of exclusion-related penalties from 2020 through 2025 illustrates how much is at stake:
| Sector | Penalties 2020–2025 | Share |
|---|---|---|
| Hospital / Medical center | $10.3M | 34.2% |
| Facility-based senior care | $9.0M | 29.9% |
| Behavioral health | $3.3M | 10.8% |
| Practice / Medical Group | $2.5M | 8.2% |
| Home health | $2.3M | 7.6% |
| All other sectors | $2.8M | 9.3% |
| Grand total | $30.2M | 100% |
Source: Beyond the Checkbox (EXSC 2025), six-year dataset of public CMP settlements. The underlying case data sits in the historical OIG settlements database.
Size doesn’t protect you. In October 2025, a Florida health system disclosed an $18.8 million settlement after two employees slipped through its exclusion screening process. The organization had 17,000 employees, 2,500+ medical staff across nearly 1,000 locations, and a $300 million operating budget. It had substantial IT and compliance investments. Two excluded individuals were still employed long enough to become the largest self-disclosed exclusion CMP in the dataset (Beyond the Checkbox, 2025). The lesson the whitepaper draws is direct: “Not knowing that the employee had previously been sanctioned is not a valid defense.”
Consolidation amplifies the exposure. Common-ownership structures spread one compliance failure across an entire portfolio. A May 2025 settlement involved a single compliance failure that reached across 19 skilled nursing facilities under common ownership, resulting in $1.5 million in fines (Beyond the Checkbox, 2025). For private equity portfolios in facility-based senior care — the second-largest sector by exclusion-penalty exposure since 2020 — the math compounds across every operating site.
Agency-level exclusion is the ceiling. Beyond CMPs, the regulator’s most severe tool is excluding the receiving organization itself from federal health programs. In March 2015, the OIG took the unprecedented step of doing exactly that to an Illinois home health agency for three years because the agency had employed an excluded nurse and billed Medicare and Medicaid for her services (the case is documented at exclusionscreening.com/hhs-oig-illinois-exclusion/, written by Paul Weidenfeld at the time). The OIG assigned two Senior Counsels and a Paralegal Specialist to the case, a signal of how seriously the regulator treated the precedent. That precedent stands.
The arithmetic of self-disclosure is the other side of the cost equation. When an organization finds the gap itself and discloses through the OIG Self-Disclosure Protocol, the financial outcome is roughly an order of magnitude better than when an audit finds it first (Beyond the Checkbox). The cost sits in the math of who finds the gap, not just in whether the gap exists. The Self-Disclosure Protocol pillar covers the procedural detail. OIG enforcement actions across sectors covers the precedent base.
Why your staffing partner’s attestation doesn’t protect you
Three failure modes show up in audited staffing-agency screening with predictable regularity:
1. Federal-only coverage with no state Medicaid screening. The staffing partner subscribes to the OIG LEIE and GSA SAM and calls it done. If your organization bills Medicaid in any state the partner doesn’t screen, there is a coverage gap by definition. There are 46 distinct state Medicaid exclusion lists in the United States, and they do not duplicate the federal list; each state maintains its own roster of providers excluded from that state’s Medicaid program.
2. Annual or hire-only screening with no monthly re-screening. A pre-hire screen says nothing about whether the placement is excluded on day 90 of an engagement, or day 365. New exclusions hit the lists every month, including names already in your workforce. The “knew or should have known” standard makes monthly re-screening the practical floor, not the ceiling.
3. Match-resolution discipline that defaults to “name match, probably nothing.” When a screening hit returns, a credible program either verifies identity (date of birth, NPI, or SSN-last-4) or escalates to specialist review. Programs that skip identity verification file confirmed matches as false positives, and the real exclusions disappear into the noise.
An attestation says “we screen our people.” It tells you nothing about which databases were checked, on what frequency, or how matches were resolved. None of the three failure modes above transfers regulatory liability away from the entity billing the federal payer. The receiving organization owns the exposure regardless of how thorough the partner’s screening was.
The pattern in real data. EXSC’s whitepaper documents one West Coast health system that grew through M&A of small and mid-sized practices and, facing pandemic-driven nursing shortages, increased reliance on staffing agencies from 2020 to 2024. During that period, six separate incidents across various locations resulted in over $1 million in self-disclosed penalties for employing excluded individuals via agency placements. The system reduced its use of agency nurses by 43% by 2025, and the penalty stream stopped (Beyond the Checkbox, 2025). The cause and effect is the article’s thesis in one case: more staffing-agency reliance, more screening exposure attributable to the receiving organization, regardless of who signed the caregivers’ paychecks.
How to audit your staffing-agency exposure in 30 days
A compliance lead at any healthcare organization can run this audit on existing staffing relationships in about 30 days. Five steps:
-
Inventory every staffing partner providing care-delivery or billing-touchpoint personnel. Locum physicians, per-diem nurses, contract aides, contracted therapists, contracted billing or coding staff, contracted intake coordinators with PHI access. The question is the same across sectors: who is delivering services we bill for, and who isn’t on our W-2 payroll?
-
Request screening evidence per individual placed. Not an attestation; actual records. Dates of screening, databases checked, match results, resolution if any hits returned. If the partner can’t produce this, you have your answer.
-
Compare the partner’s database coverage to your billing footprint. If you bill Medicaid in eight states, the partner’s screening must reach the Medicaid exclusion list in each of those eight states. Federal-only is not sufficient.
-
Verify match-resolution discipline. Ask the partner what happens when a name match returns. If the answer doesn’t include an identity-verification step (date of birth, NPI, SSN-last-4) before flagging a hit, the program has a false-negative problem.
-
Decide what to renegotiate in the MSA and what to run yourself. The staffing partner’s screening is risk reduction; your own screening on every placement is the regulatory backstop. Run your own monthly screening on every staffing-agency placement, regardless of what the partner does. SAFER Plus is built for exactly this: monthly screening across LEIE, GSA SAM, and all 46 state Medicaid exclusion lists, with our specialists handling match resolution. The receiving organization’s own records, on its own infrastructure, are what survives an audit. The framing for the rest of the program is straightforward: build a defensible compliance program on the assumption that your own evidence is the only evidence that matters.
What “screening evidence per individual” actually looks like
The documentation standard the OIG and CMS auditors expect is concrete:
- Dated database evidence per individual per month. Not “we screened this quarter.” A specific date, a specific set of databases, and a specific result.
- Match-resolution log per hit. Every name match returns either “false positive: identity verified” or “confirmed exclusion: action taken” with the date.
- Retention: ten years. The False Claims Act six-year statute of limitations is the legal floor. Practical retention is ten years to accommodate tolling provisions.
A log without dated database evidence is worse than no log. It shows the program was aware of the obligation and didn’t fulfill it. A program that simply doesn’t screen and then catches itself can still self-disclose; a program with a paper trail showing awareness but not action loses the good-faith argument.
The standard applies whether you run the screening or the staffing partner runs it on your behalf. If it’s the partner doing the work, you need the partner’s evidence in your file, not in the partner’s file. Records you don’t possess won’t survive an audit. The federal exclusion databases reference covers what each list contains and how it’s maintained.
Frequently asked questions
Does our staffing partner’s attestation that “we screen our people” protect us in an audit?
No. The attestation is a representation, not evidence. Under Section 1128A, CMP exposure attaches to whoever bills the federal payer. The attestation may demonstrate good faith but does not displace the “knew or should have known” standard. What matters in the audit is what database screening evidence you have on file for each individual delivering care for which you billed.
Which state Medicaid exclusion lists do we need to screen if our billing footprint is multi-state?
Every state where you bill Medicaid. There are 46 distinct state Medicaid exclusion lists. If you bill in eight states, you need screening evidence against those eight lists for every individual delivering billable services in those states. Federal-only is not sufficient.
Our MSA already has an indemnification clause for exclusion violations. Why isn’t that enough?
Indemnification is a contractual remedy between you and your staffing partner. It is not a regulatory defense with the government. OIG and CMS look to the billing entity for compliance and penalties; the indemnity, at best, helps you recover from the staffing partner after you have already paid the government. The indemnity also presumes the partner has the financial standing to make you whole on a meaningful CMP.
What do we do if we discover an excluded staffing-agency placement mid-engagement?
Stop billing for that individual’s services immediately. Document the discovery, the date, and the actions taken. Look at the OIG Self-Disclosure Protocol with counsel. Self-disclosure typically costs an order of magnitude less than waiting for an audit to find it (Beyond the Checkbox), and it preserves credibility with the regulator. The decision tree depends on facts: how long the exclusion was in place, how many claims were billed, and whether the organization has any prior exclusion history.
How is this different across sectors? Does a hospital have the same exposure as a home health agency or a behavioral health practice?
The mechanic is identical. Section 1128A does not distinguish by sector. The math varies because claim volume and average claim value differ; a hospital billing thousands of visits a month has more multipliers attached to a given $23,331 per-claim baseline than a small behavioral health practice. The screening obligation is the same. EXSC’s six-year sector data shows hospitals carrying 34.2% of total exclusion-related penalty exposure since 2020, with facility-based senior care close behind at 29.9%.
How EXSC handles the staffing-agency screening problem
EXSC’s SAFER Plus is the screening platform built on the same framework EXSC’s founders used to write Section L. It addresses each of the three failure modes above directly.
Federal-and-state coverage runs in a single workflow. Monthly screening reaches LEIE, GSA SAM, and all 46 state Medicaid exclusion lists, which is the federal-plus-state combination that staffing-agency attestations rarely cover end-to-end. The coverage scales as state expansion happens.
EXSC verifies identity before flagging any hit. That step suppresses the false-positive noise that drowns out real exclusions on high-volume staffing rosters with common-name overlaps.
Match resolution sits with EXSC specialists, not the customer. For receiving organizations without a full-time compliance team, that is the difference between a screening program that runs and one that stalls during a busy week.
Plans start at $30 per month (Basic: federal databases plus one state, up to 100 screens) and $40 per month (Premium: federal plus all 46 state Medicaid lists, up to 100 screens). Custom pricing covers higher volumes and vendor-screening or compliance-hotline bundles. EXSC is a member of the Home Care Association of America (HCAOA).
See SAFER Plus screen a staffing-agency placement live. Federal databases, all 46 state Medicaid lists, identity verification, match resolution by our specialists. Schedule a demo →
Built by former federal prosecutors who wrote the screening framework.