Federal Employee Health Benefits Program Provider Access Credential Authority Failure Through Billing Access Maintained for Providers Whose Authorization Conditions Were No Longer Valid — OPM OIG FY2025

The Federal Employee Health Benefits Program covers approximately eight million federal employees, retirees, and their dependents through contracts with approved health insurance carriers. Health care providers participate in FEHB by meeting enrollment conditions established by OPM and by operating without disqualifying conduct. The provider enrollment credential — the authorization to bill FEHB plans — is issued when those conditions are present. The conditions that make enrollment valid include absence of criminal conviction related to health care, absence of license revocation, absence of exclusion from Medicare or Medicaid, and absence of fraud or abuse against the FEHB program itself.

None of those conditions are encoded in the enrollment credential. They are verified at enrollment and assumed to persist. When a provider is convicted, sanctioned, or excluded, the credential that authorized their billing access does not automatically reflect the change. The disqualifying condition exists. The credential continues to move as sufficient. The billing continues until the OPM OIG Administrative Sanctions Group identifies the provider and issues a formal debarment or suspension.

OPM OIG's FY2025 results document the scale of the credential validity gap in the FEHB program. For the fiscal year, OIG auditors recommended that $99,618,250 be returned to OPM trust funds — payments authorized by enrollment credentials that should not have been valid at the point of billing. OIG investigations produced 17 arrests, 20 indictments, and 8 convictions. The Administrative Sanctions Group issued 1,018 administrative sanctions against health care providers to prevent them from participating in FEHB — each sanction representing a provider whose enrollment credential had moved as sufficient after the authorization conditions it represented had ceased to exist.

The sanctions are the remediation. They are not the detection. By the time a sanction is issued, billing has already occurred under a credential that was no longer valid. The $99.6 million recommended for recovery represents payments that moved through the FEHB system on the authority of credentials whose underlying conditions were no longer present at the point of billing.

The provider enrollment credential authorizes billing access on the basis of conditions established at a point in time. Those conditions — absence of exclusion, license in good standing, compliance with program requirements — are the authorization conditions the credential is supposed to represent. When any of those conditions changes, the credential does not change with it. There is no mechanism that connects a disqualifying event — a conviction, a license revocation, an exclusion from another federal program — to the enrollment credential that continues to authorize FEHB billing access. The credential is issued. The conditions it represents are assumed. The gap between what the credential says and what the conditions actually are is not visible at the point of billing.

This case is structurally parallel to Case 070 in the SD&C domain, where a professional license authorized practice after the conditions that justified it had changed. Here the mechanism is the same: the credential outlives the condition. The difference is institutional scale. In Case 070, one license authorized one practitioner's access. Here, the FEHB enrollment credential system authorized billing access for 1,018 providers in a single fiscal year whose disqualifying conditions were established — but not encoded — before the sanction was issued.

The authorization condition is binary — a provider either meets the enrollment requirements or does not. The credential does not reflect which state is current. The billing system accepts the credential as sufficient without evaluating whether the conditions it represents are still present. The FEHB trust funds absorb the payments. The OIG recovers what it can after the fact. The credential gap that produced the payments remains structurally unchanged.

The Administrative Sanctions Group operates as a post-hoc correction mechanism — it identifies providers whose enrollment credentials are no longer valid and removes their billing access. The 1,018 sanctions in FY2025 represent the enforcement output of a process that operates after the credential gap has already produced unauthorized payments. The $99.6 million recommended for recovery represents the financial consequence of payments that moved through the system before the gap was identified. The sanctions correct the credential status. They do not recover all payments made while the status was incorrect. They do not prevent the gap from recurring for other providers whose disqualifying conditions have not yet been identified.

• OPM OIG recommended $99,618,250 be returned to OPM trust funds in FY2025 — payments authorized by FEHB provider enrollment credentials that had moved as sufficient after the authorization conditions they represented were no longer present; 1,018 administrative sanctions were issued against providers to prevent further participation
• The FEHB provider enrollment credential authorizes billing access on the basis of conditions — absence of exclusion, license in good standing, program compliance — that are verified at enrollment and assumed to persist; none of those conditions are encoded in the credential and none are evaluable at the point of billing without external verification
• Disqualifying events — criminal conviction, license revocation, exclusion from Medicare or Medicaid — occur independently of the enrollment credential; no mechanism connects the disqualifying event to the credential that continues to authorize billing access until the OIG Administrative Sanctions Group identifies the provider and issues a formal debarment or suspension
• The 1,018 sanctions represent the enforcement record of the credential validity gap: each sanction marks a provider whose enrollment credential had already moved as sufficient after the authorization condition ceased to exist; the sanctions correct the credential status after unauthorized payments have been authorized
• The structural parallel to Case 070 (SD&C) is direct: in both cases a credential authorized activity after the conditions that justified it had changed; in Case 070 the scale was a single practitioner over 24 years; here the scale is 1,018 providers in a single fiscal year, with $99.6 million in recommended recovery representing the financial consequence of the same credential validity gap at institutional scale
• The $99.6 million in recommended recovery does not represent the full financial consequence of the credential validity gap — it represents what OIG auditors identified and recommended; payments made before identification and outside audit scope are not captured in this figure