Back to Docs

Provider Credentialing Workflow

Automate healthcare provider credentialing and ongoing monitoring using DEA registration lookup, OIG LEIE exclusion screening, SAM.gov checks, and FDA drug verification — all via the ComplianceGrid API.

Reading time: 8 minLast updated: Feb 2026

Regulatory Context

Healthcare organizations participating in federal programs (Medicare, Medicaid, TRICARE) are required to screen providers against the OIG LEIE and SAM.gov exclusion lists. Failure to do so can result in Civil Monetary Penalties (CMPs) of up to $100,000 per occurrence, plus treble damages.

OIG Mandate

42 CFR 1001 — must screen all employees, contractors, and providers monthly.

CMS Requirements

State Medicaid agencies must check both OIG LEIE and SAM.gov.

DEA Compliance

21 CFR 1301 — verify DEA registration before allowing controlled substance handling.

Workflow Steps

Step 1: DEA Registration Lookup

Verify the provider's DEA registration number, schedules authorized, and active status. Required for any provider who prescribes, dispenses, or handles controlled substances.

Step 2: OIG LEIE Exclusion Check

Screen the provider against the OIG List of Excluded Individuals and Entities (LEIE). Excluded providers cannot participate in federal healthcare programs.

Step 3: SAM.gov Exclusion Check

Verify the provider is not excluded or debarred in SAM.gov. Required for entities receiving federal funds.

Step 4: FDA Drug & NDC Verification

Verify drug products by NDC code, check active status, labeler information, and shortage alerts.

Step 5: OFAC Sanctions Screening

Screen providers and associated entities against OFAC SDN and other federal watchlists.

Step 1: DEA Registration Lookup

1-dea-lookup.ts
import ComplianceGrid from "@compliancegrid/sdk";

const cg = new ComplianceGrid({
  apiKey: process.env.COMPLIANCEGRID_API_KEY,
});

// Verify a provider's DEA registration
const dea = await cg.pharma.deaLookup({
  deaNumber: "AB1234567",
});

console.log("Registrant:", dea.data.name);
console.log("DEA Number:", dea.data.deaNumber);
console.log("Status:", dea.data.status); // "ACTIVE" | "EXPIRED" | "REVOKED"
console.log("Schedules:", dea.data.schedules); // ["II", "IIN", "III", "IIIN", "IV", "V"]
console.log("Business Activity:", dea.data.businessActivity);
console.log("Expiration:", dea.data.expirationDate);

if (dea.data.status !== "ACTIVE") {
  console.error("DEA registration is NOT active — cannot handle controlled substances");
}

Step 2: OIG LEIE Exclusion Screening

2-oig-screening.ts
// Screen against OIG List of Excluded Individuals/Entities
const oig = await cg.legal.oigLeieSearch({
  lastName: "Smith",
  firstName: "John",
  // Or search by NPI, UPIN, or business name
});

if (oig.data.totalResults > 0) {
  console.error("EXCLUDED — provider found on OIG LEIE");
  for (const match of oig.data.results) {
    console.log(`  Name: ${match.lastName}, ${match.firstName}`);
    console.log(`  Exclusion Type: ${match.exclusionType}`);
    console.log(`  Exclusion Date: ${match.exclusionDate}`);
    console.log(`  Specialty: ${match.specialty}`);
    console.log(`  State: ${match.state}`);
  }
} else {
  console.log("CLEAR — no OIG LEIE exclusions found");
}

// Also check by NPI if available
const oigByNpi = await cg.legal.oigLeieSearch({
  npi: "1234567890",
});
Critical: OIG recommends monthly screening of all employees, physicians, contractors, and vendors. Any excluded individual must be immediately terminated from federal healthcare program participation.

Step 3: SAM.gov Exclusion Check

3-sam-check.ts
// Check SAM.gov for entity exclusions/debarments
const sam = await cg.business.samSearch({
  legalBusinessName: "Smith Medical Group LLC",
});

const entity = sam.data.results[0];
if (entity) {
  console.log("Entity:", entity.legalBusinessName);
  console.log("UEI:", entity.uniqueEntityId);
  console.log("Registration Status:", entity.registrationStatus);

  if (entity.hasExclusions) {
    console.error("SAM.gov EXCLUSION — entity is debarred or excluded");
    for (const ex of entity.exclusions) {
      console.log(`  Type: ${ex.type}`);
      console.log(`  Agency: ${ex.agency}`);
      console.log(`  Effective: ${ex.effectiveDate}`);
    }
  } else {
    console.log("No SAM.gov exclusions — entity in good standing");
  }
}

Step 4: FDA Drug & NDC Verification

4-fda-drug.ts
// Search FDA drug database
const drug = await cg.pharma.fdaDrugSearch({
  brandName: "Lipitor",
});

console.log("Drug:", drug.data.results[0].brandName);
console.log("Generic:", drug.data.results[0].genericName);
console.log("NDC:", drug.data.results[0].ndcCode);
console.log("Labeler:", drug.data.results[0].labelerName);
console.log("DEA Schedule:", drug.data.results[0].deaSchedule || "Not scheduled");

// Check for drug shortages
const shortage = await cg.pharma.drugShortageCheck({
  ndcCode: drug.data.results[0].ndcCode,
});

if (shortage.data.isShortage) {
  console.warn("SHORTAGE ALERT:", shortage.data.shortageDetails);
  console.log("Alternatives:", shortage.data.alternatives);
}

Complete Credentialing Function

credential-provider.ts
interface CredentialingResult {
  provider: string;
  timestamp: string;
  deaStatus: "ACTIVE" | "EXPIRED" | "REVOKED" | "NOT_FOUND";
  oigExcluded: boolean;
  samExcluded: boolean;
  sanctionsHit: boolean;
  overallStatus: "APPROVED" | "REVIEW_REQUIRED" | "DENIED";
  details: Record<string, any>;
}

async function credentialProvider(
  firstName: string,
  lastName: string,
  deaNumber?: string,
  npi?: string,
  orgName?: string
): Promise<CredentialingResult> {
  const result: CredentialingResult = {
    provider: `${firstName} ${lastName}`,
    timestamp: new Date().toISOString(),
    deaStatus: "NOT_FOUND",
    oigExcluded: false,
    samExcluded: false,
    sanctionsHit: false,
    overallStatus: "APPROVED",
    details: {},
  };

  // Run all checks in parallel for speed
  const [deaResult, oigResult, samResult, screenResult] = await Promise.all([
    deaNumber
      ? cg.pharma.deaLookup({ deaNumber }).catch(() => null)
      : Promise.resolve(null),
    cg.legal.oigLeieSearch({ firstName, lastName, npi }).catch(() => null),
    orgName
      ? cg.business.samSearch({ legalBusinessName: orgName }).catch(() => null)
      : Promise.resolve(null),
    cg.compliance.screenParties([
      { name: `${firstName} ${lastName}`, country: "US", type: "INDIVIDUAL" },
    ]).catch(() => null),
  ]);

  // Evaluate DEA
  if (deaResult?.data) {
    result.deaStatus = deaResult.data.status;
    result.details.dea = deaResult.data;
    if (deaResult.data.status !== "ACTIVE") {
      result.overallStatus = "REVIEW_REQUIRED";
    }
  }

  // Evaluate OIG
  if (oigResult?.data?.totalResults > 0) {
    result.oigExcluded = true;
    result.details.oig = oigResult.data;
    result.overallStatus = "DENIED"; // Mandatory exclusion
  }

  // Evaluate SAM.gov
  if (samResult?.data?.results?.[0]?.hasExclusions) {
    result.samExcluded = true;
    result.details.sam = samResult.data;
    result.overallStatus = "DENIED";
  }

  // Evaluate sanctions
  if (screenResult?.data?.overallResult === "HIT") {
    result.sanctionsHit = true;
    result.details.sanctions = screenResult.data;
    result.overallStatus = "DENIED";
  }

  return result;
}

// Usage
const cred = await credentialProvider("John", "Smith", "AB1234567", "1234567890", "Smith Medical Group");
console.log(`Status: ${cred.overallStatus}`);
if (cred.overallStatus === "DENIED") {
  console.log("Reason:", cred.oigExcluded ? "OIG excluded" : cred.samExcluded ? "SAM excluded" : "Sanctions hit");
}

Ongoing Monitoring Schedule

CheckFrequencyRequirement
OIG LEIEMonthlyOIG guidance — monthly screening of all individuals
SAM.gov ExclusionsMonthlyCMS State Medicaid requirement
OFAC SDNMonthly or on transactionOFAC compliance for all entities
DEA RegistrationBefore credential renewal21 CFR 1301 — verify active status
State LicenseBefore credential renewalState-specific requirements
Firearms License Verification

ATF FFL lookup workflow

KYC & Due Diligence

SEC + FDIC + FINRA workflows