NEMT COMPLIANCE CHECKLIST 2026: COMPLETE AUDIT-READY GUIDE


NEMT compliance is the integrated system of federal regulations — including 42 CFR §431.53, §440.170, and Part 433 — state Medicaid rules, broker contract standards, and NEMTAC® accreditation requirements that govern how NEMT providers operate, bill, and document every trip. Non-compliant providers face civil monetary penalties averaging $16,000 or more per violation, payment recoupment, contract termination, and decertification from Medicaid. Compliance spans six pillars: driver credentialing, vehicle safety, insurance coverage, billing documentation, HIPAA data privacy, and operational administration.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

One missing driver file can cost you thousands. One expired vehicle inspection can ground your whole fleet. NEMT compliance isn’t a once-a-year box to check — it’s the daily discipline that keeps your Medicaid revenue flowing and your broker contracts intact.

This NEMT compliance checklist covers every requirement your operation needs to meet in 2026. Whether you’re building your compliance program from scratch or preparing for a Medicaid audit, you’ll find a clear, actionable framework here. If you’re still in the startup phase, our guide to how to start a NEMT business walks through the foundational steps before you get to compliance systems.

Six pillars hold up every compliant NEMT operation. Let’s go through all of them.



The 6 Pillars of NEMT Compliance

NEMT regulatory compliance touches every part of your operation — from your drivers’ files to your billing software to how you store patient data. Treating any one area as optional isn’t just a compliance gap. It’s a direct path to denied claims, audit recoupments, and lost contracts.

Pillar | What It Covers | Regulatory Basis | Review Frequency
Driver Compliance | DQF, certifications, exclusion checks, drug testing | FMCSA, state Medicaid, broker contracts | Monthly + annual
Vehicle Compliance | Inspections, ADA equipment, safety items, DVIRs | 49 CFR Part 37/38, OAR 410-141-3925, brokers | Daily + annual
Insurance Compliance | Commercial auto, general liability, workers’ comp, cyber | State Medicaid, broker COI requirements | Annual + on renewal
Billing & Documentation | Trip logs, HCPCS codes, prior auth, EVV, retention | 42 CFR §431.17, §447.45(b), 21st Century Cures | Monthly + annual
HIPAA Compliance | PHI protection, BAAs, staff training, breach response | 45 CFR Parts 160/164, HIPAA Security Rule | Annual + incident-based
Operational/Administrative | Policies, NPI, Medicaid enrollment, incident reporting | 42 CFR §440.170, NEMTAC® standards | Quarterly + annual

Pillar 1: Driver Compliance

Your drivers are your highest compliance risk. A driver with an expired CPR card, a missed OIG exclusion check, or an incomplete Driver Qualification File (DQF) doesn’t just create a liability — every trip that driver completed becomes subject to recoupment. Core requirements include a complete DQF for every driver, monthly OIG LEIE exclusion checks, annual motor vehicle records, and current certifications for CPR/BLS, First Aid, PASS training, HIPAA, and defensive driving. Illinois providers must also maintain court-certified license abstracts from cyberdriveillinois.com and LIVESCAN fingerprints under ORI IL920600Z.

Pillar 2: Vehicle Compliance

A vehicle that fails a pre-trip inspection isn’t just a safety issue. It’s a denied billing event for every trip that vehicle ran in non-compliant status. You need daily Vehicle Inspection Reports (DVIRs), current annual state safety inspections, ADA-compliant equipment on every WAV, and a full onboard safety kit per Oregon OAR 410-141-3925 standards. Every broker also conducts their own vehicle audits — MTM, ModivCare, and MAS will pull your vehicles from service if inspection records are missing.

Pillar 3: Insurance Compliance

Insurance compliance means more than just having policies. Brokers require your certificates of insurance (COI) to list them as Additional Insured. They require minimum combined single limits — ModivCare requires $1.5M CSL for commercial auto. You need commercial auto, general liability, workers’ compensation, and increasingly cyber liability because your dispatch and EVV systems handle protected health information (PHI). For a full breakdown of coverage requirements, see our NEMT insurance guide.


Pillar 4: Billing and Documentation Compliance

Documentation errors cause more than a third of all NEMT Medicaid claim denials. Clean claim compliance under 42 CFR §447.45(b) requires every trip record to have driver and patient details, actual pickup and drop-off times, loaded versus unloaded mileage, a valid prior authorization number, and EVV-verified timestamps. Our NEMT billing requirements guide covers the full claims workflow and how each documentation field connects to your billing claim.

Pillar 5: HIPAA Compliance

Your dispatch software, scheduling systems, and trip records contain protected health information (PHI). NEMT providers are Business Associates of Medicaid MCOs and brokers, which means HIPAA applies fully. Over $28 million in HIPAA settlements and judgments were issued in a recent three-year period by the HHS Office for Civil Rights. You need encrypted systems, business associate agreements (BAAs) with every vendor, annual staff training, and a breach notification plan.

Pillar 6: Operational and Administrative Compliance

This pillar holds your business license, National Provider Identifier (NPI), Medicaid provider enrollment, and written policies for safety, incident reporting, passenger confidentiality, and customer service. The Non-Emergency Medical Transportation Accreditation Commission® (NEMTAC®) compliance standards provide the national framework most progressive NEMT operators build toward. NEMTAC recommends internal audits after your first year and formal accreditation applications at 12–24 months post-startup.

Your action step: Review all six pillars today. Flag your weakest one — that’s where your audit risk lives.


Driver Compliance Checklist

One expired CPR card doesn’t just fail the compliance check for that driver. If auditors find it during a post-payment review, they can apply that finding to every trip that driver completed during the expired period. That could mean thousands of dollars in recoupment for a single credential gap.


Driver Qualification File (DQF) Completeness Check

Every active driver needs a complete DQF before their first dispatch. The DQF is the document auditors pull first. Here’s every item that must be in it:

Pre-hire — collected before first trip:

  • Valid state driver’s license (copy, front and back)
  • Motor Vehicle Record (MVR) — within 30 days of hire
  • Criminal background check — 7-year multi-jurisdictional search
  • Sex offender registry check (NSOPW.gov)
  • OIG LEIE exclusion check — logged with date and result
  • SAM.gov exclusion check
  • Pre-employment drug screen (DOT 5-panel)
  • CPR/BLS certification (AHA or American Red Cross)
  • First Aid certification
  • PASS (Passenger Assistance Safety and Sensitivity) training certificate
  • HIPAA privacy training certificate
  • Defensive driving certificate
  • Wheelchair securement training certificate (WAV drivers only)
  • Employment application
  • I-9 employment eligibility form

Illinois providers add: a court-certified license abstract from cyberdriveillinois.com, a safety training certificate valid for three years from an IL HFS-approved program, and LIVESCAN fingerprints with ORI IL920600Z, purpose code MMV.

For the full DQF guide with state-specific requirements, see our driver qualification file requirements page.

Certification Expiration Tracking

Certification | Valid For | Who Provides | Renew Before
CPR/BLS | 2 years | AHA or Red Cross | Expiration date
First Aid | 2 years | AHA or Red Cross | Expiration date
PASS Training | 2 years | State-approved provider | Expiration date
Wheelchair Securement | 2 years | Manufacturer or trainer | Expiration date
HIPAA Training | Annually | Internal or vendor | Each January
Defensive Driving | Per state/broker | State-approved | Per certificate
Driver’s License | Per state | DMV | 30 days before expiry

Set expiration alerts 90 days out. Don’t wait until the month before — many certifying bodies have limited appointment availability.

Annual MVR Review

Pull a fresh MVR for every active driver once a year. Brokers like ModivCare review MVR standards at credentialing and may pull records more frequently. A DUI or reckless driving conviction in the past 5–7 years typically disqualifies a driver from working in NEMT. Three or more moving violations in 36 months is a red flag in most broker contracts. Know your disqualifiers before the broker audit finds them first.

Drug and Alcohol Testing Records

Your drug testing program must include pre-employment screening, random testing, post-accident testing, and reasonable suspicion testing. Keep every chain-of-custody (CoC) form and Medical Review Officer (MRO) report in a separate confidential file — not in the main DQF. Most states and brokers also require a written drug-free workplace policy on file.

OIG LEIE Monthly Exclusion Check

The OIG LEIE (List of Excluded Individuals/Entities) is updated every month. Checking only at hire leaves up to 11 months of exposure if an exclusion is added later. Under the False Claims Act (31 U.S.C. §§ 3729–3733), billing Medicaid for trips completed by an excluded individual triggers penalties of $14,000–$29,000 per false claim plus up to triple damages. Go to oig.hhs.gov/exclusions on the first of every month, run every driver and admin employee, and save the “no results” confirmation with the date.

For complete state-specific driver requirements, see NEMT driver requirements.

Your action step: Run an OIG check on every driver today. Save the results. Set a recurring first-of-month calendar reminder.


Vehicle Compliance Checklist

A broker field auditor arrived unannounced at a mid-sized NEMT operator’s garage. Three vehicles had expired state inspection stickers. All three were suspended from trip assignments that same afternoon. The operator lost 40% of their daily trip capacity with zero warning.

Annual Inspection Status

Every vehicle needs a current state safety inspection certificate. Some states require semi-annual inspections. California requires a Vehicle Safety Systems Inspection (VSSI) annually. Illinois requires state-certified inspection with specific plate types — Medicar (MC), Municipal, Charitable, or CV plates for Medicar operations; Taxi (TX) plates for taxicab operations; Livery (LY or PT) for livery operations. Track every vehicle’s inspection expiration in a fleet calendar with a 60-day alert.

Daily Vehicle Inspection Reports (DVIR)

A DVIR is your pre-trip inspection record. Complete one before the first run of every operating day. It must document: driver name, vehicle ID, date, condition of brakes, steering, lights, wipers, tires, and all ADA equipment. If you find a defect, document it, park the vehicle, and get the repair signed off before returning it to service. Digital DVIRs from your dispatch software create a better audit trail than paper logs.


ADA Equipment and Accessibility Maintenance

Under 49 CFR Part 37 and Part 38, wheelchair-accessible vehicles (WAVs) must have lifts with a minimum 600-pound capacity, a minimum 30-inch ramp width, and four-point wheelchair securement systems. Q’Straint and Sure-Lok are the most common securement systems. Test lift operation during every DVIR. Log every lift inspection and repair with dates and technician signatures. An ADA equipment failure during a passenger transport is both a safety crisis and an immediate compliance violation. For full specs and state requirements, see NEMT vehicle requirements.

Required Safety Equipment Per Vehicle

Per Oregon OAR 410-141-3925 and NEMTAC® Section 4 standards, every NEMT vehicle must carry:

Equipment Item | Standard | Location | Check Frequency
Fire extinguisher | ABC-rated, 2.5 lb minimum | Accessible to driver | Pre-trip + annual service tag
First aid kit | Commercially labeled, OSHA contents | Accessible | Pre-trip, restock as used
Spill kit | Absorbent pads, bio-bag, eye-wash | Under seat or cabinet | Monthly check
Seatbelt cutter | Emergency-grade | Driver emergency pouch | Monthly function test
Window punch | Glass-breaking tool | Driver emergency pouch | Monthly function test
Reflective warning devices | Triangles or cones | Rear storage | Pre-trip
Flashlight | LED, 100-lumen minimum | Cab | Pre-trip battery check
Disposable gloves | Powder-free nitrile, 50 per vehicle | Cab | Restock when below 10 pairs
Tire traction devices | Snow chains (winter states) | Trunk/cargo area | Seasonal check
GPS tracking unit | Active, dispatch-linked | Mounted or integrated | Daily — must show active

Insurance Certificates and Registration Currency

Keep the current certificate of insurance (COI) and vehicle registration physically inside every vehicle. The COI must list your NEMT broker as Additional Insured. If the insurance lapses or the COI expires, brokers will suspend trip assignments on that vehicle immediately. Keep a master insurance renewal calendar in your office with a 60-day alert for each policy.

Your action step: Check every vehicle’s glove compartment this week. If the insurance card or inspection sticker is expired or missing, fix it before the next trip.


Billing and Documentation Compliance

Documentation errors cause between 35% and 70% of NEMT Medicaid claim denials depending on the size and experience of the operation. A solo operator billing 200 trips per month at $40 average loses $2,800–$5,600 monthly at the low end of that range. Most of those losses are preventable.

Trip Documentation Accuracy Review


Every Medicaid NEMT claim must be supported by a trip record containing these exact fields:

  • Driver full name and signature
  • Vehicle ID (fleet number, license plate, or VIN)
  • Patient name and Medicaid ID
  • Actual pickup time (not scheduled — actual)
  • Actual drop-off time
  • Full origin address (no PO Boxes)
  • Full destination address
  • Loaded miles and unloaded (deadhead) miles — separately
  • Authorization or trip ID number
  • Prior authorization (PA) number
  • Proof of service: patient signature, facility staff signature, or EVV confirmation

A missing signature is a ghost ride in Medicaid’s view. It denies the claim and can trigger a post-payment review of all trips from that driver. For the complete trip manifest standard, see our NEMT documentation requirements guide.

EVV Compliance Status

Electronic Visit Verification (EVV) for NEMT is mandated in over 20 states as of 2026 under the 21st Century Cures Act Section 12006. EVV captures GPS-verified pickup and drop-off coordinates, timestamps, patient ID, driver ID, and service type. If your state requires it and your trips don’t have EVV data, those claims are denied automatically. Check your state Medicaid portal to confirm your EVV mandate status.

State | EVV for NEMT | Effective
California | Yes | January 2024
Texas | Yes | January 2024
Florida | Yes | July 2023
Minnesota | Yes | July 2024
New York | Yes | January 2025
Ohio | Phased | March 2025
Georgia | Yes | April 2026

Claims Accuracy and Clean Claim Rate

A clean claim is submitted error-free on the first pass. Target a clean claim rate of 90% or higher. If your denial rate is climbing, run a denial code analysis. The most common documentation-related denial codes are:

  • CO-16 — Missing or incomplete claim information (missing signatures, fields)
  • CO-197 — Missing or expired prior authorization
  • CO-119 — Mileage inconsistency between trip log and GPS
  • CO-50 — Non-covered service or ineligible patient
  • PR-149 — Missing medical necessity documentation

For the full list of NEMT-specific denial codes and how to appeal each, see our NEMT denial codes guide. For prior authorization documentation requirements, see our NEMT prior authorization guide.

Record Retention Compliance

Under 42 CFR §431.17, you must retain all Medicaid supporting documentation for a minimum of 6 years from the date of payment. Several states require longer:

State | Retention Requirement | Authority
Florida | 10 years | AHCA Rule 59G-1.040
California | 7 years (10 for Medi-Cal audits) | Title 22 §70707
New York | 6–7 years | NYCRR Title 10 §86-1.39
Texas | 7 years (10 for EVV data) | HHSC TMHP Manual
Louisiana | 7 years | LDH Provider Manual
All others | 6 years (federal minimum) | 42 CFR §431.17

Electronic storage is acceptable in all states if your cloud provider has signed a HIPAA Business Associate Agreement (BAA). When Medicaid requests records for an audit, you have approximately 30 days to produce them. Inability to produce records on time triggers presumptive overpayment.

Audit Log Maintenance

Your billing system must generate an audit log — a record of who accessed what, when, and what was changed. This isn’t just good practice. Brokers and Medicaid auditors request software audit trails as part of post-payment reviews. Keep a separate denial tracking log and a Corrective Action Plan (CAP) binder. When an audit finds issues, your CAP is how you document the fix and prevent recurrence.

For a step-by-step billing compliance framework, see our guide on NEMT billing requirements.


Your action step: Pull your last 30 days of denied claims. Group them by denial code. Your top denial code points to your biggest documentation gap.


HIPAA Compliance for NEMT Providers

HIPAA fines don’t start at a warning. The HHS Office for Civil Rights (OCR) has issued over $28 million in settlements and judgments related to HIPAA violations over a recent three-year period. NEMT providers handle protected health information (PHI) every single day — in dispatch systems, scheduling apps, trip logs, EVV data, and billing records. That makes you subject to HIPAA requirements whether you realize it or not.

Protected Health Information (PHI) Handling

PHI in NEMT operations includes patient names, dates of birth, home addresses, Medicaid IDs, appointment types, diagnosis codes on prior authorization forms, Physician Certification Statements (PCS), and any GPS or EVV data tied to a specific patient. Every system that touches this data must be secured. Your drivers’ tablets, your dispatch software, your billing platform, your email — all of it contains PHI.

The minimum necessary rule applies: your drivers should only see what they need for their next trip. Dispatchers should only access the patient records they need for scheduling. Role-based access controls in your software enforce this automatically.
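
One way to enforce the minimum necessary rule in software, shown as an added example that is not from the original page or from any NEMT product: a field-level filter keyed by role, with every read (allowed or denied) written to an access log. The role names, field names, role-to-field policy and sample records are assumptions constructed for illustration.

```python
"""Field-level 'minimum necessary' filter for trip records, with an access log.

Constructed example: roles, field names and the policy below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: the trip-record fields each role may read.
ROLE_FIELDS = {
    "driver": {"trip_id", "patient_name", "pickup_address", "dropoff_address",
               "pickup_time", "mobility_needs"},
    "dispatcher": {"trip_id", "patient_name", "pickup_address",
                   "dropoff_address", "pickup_time", "mobility_needs",
                   "prior_auth_number"},
    "biller": {"trip_id", "patient_name", "medicaid_id", "date_of_birth",
               "prior_auth_number", "diagnosis_codes", "loaded_miles",
               "pickup_time", "dropoff_time"},
}

# Constructed sample records (not real patients or identifiers).
SAMPLE_TRIPS = {
    "T-1001": {
        "trip_id": "T-1001", "patient_name": "Pat Example",
        "date_of_birth": "1950-01-01", "medicaid_id": "SAMPLE-0001",
        "pickup_address": "12 Constructed Ave", "dropoff_address": "Clinic A",
        "pickup_time": "2026-03-02T08:15", "dropoff_time": "2026-03-02T08:50",
        "mobility_needs": "wheelchair", "prior_auth_number": "PA-SAMPLE-1",
        "diagnosis_codes": ["Z00.00"], "loaded_miles": 11.4,
    },
    "T-1002": {
        "trip_id": "T-1002", "patient_name": "Sam Placeholder",
        "date_of_birth": "1962-06-30", "medicaid_id": "SAMPLE-0002",
        "pickup_address": "98 Made-Up Rd", "dropoff_address": "Clinic B",
        "pickup_time": "2026-03-02T09:30", "dropoff_time": "2026-03-02T10:05",
        "mobility_needs": "ambulatory", "prior_auth_number": "PA-SAMPLE-2",
        "diagnosis_codes": ["Z00.00"], "loaded_miles": 7.9,
    },
}


class AccessDenied(Exception):
    """Raised when a user may not read the requested trip at all."""


@dataclass
class User:
    user_id: str
    role: str
    assigned_trip_ids: frozenset = frozenset()  # only meaningful for drivers


@dataclass
class TripStore:
    trips: dict
    audit_log: list = field(default_factory=list)

    def _log(self, user, trip_id, outcome, fields=()):
        # Record who, what, when. Field NAMES only, so the log holds no PHI values.
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user.user_id, "role": user.role, "trip_id": trip_id,
            "outcome": outcome, "fields": sorted(fields),
        })

    def read_trip(self, user, trip_id):
        """Return only the fields the user's role may see; log every attempt."""
        allowed = ROLE_FIELDS.get(user.role)
        if allowed is None:
            self._log(user, trip_id, "denied:unknown_role")
            raise AccessDenied(f"role {user.role!r} has no access policy")
        # Drivers are limited to trips dispatched to them.
        if user.role == "driver" and trip_id not in user.assigned_trip_ids:
            self._log(user, trip_id, "denied:not_assigned")
            raise AccessDenied(f"{user.user_id} is not assigned to {trip_id}")
        record = self.trips.get(trip_id)
        if record is None:
            self._log(user, trip_id, "denied:no_such_trip")
            raise KeyError(trip_id)
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(user, trip_id, "allowed", view.keys())
        return view


if __name__ == "__main__":
    store = TripStore(trips=dict(SAMPLE_TRIPS))
    driver = User("drv-17", "driver", frozenset({"T-1001"}))
    print(store.read_trip(driver, "T-1001"))
    for entry in store.audit_log:
        print(entry)
```

Denied reads are logged as well as allowed ones, so the access log can show attempted access outside a role's scope.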


Employee HIPAA Training Requirements

Every employee who handles PHI must complete HIPAA privacy training before they access any patient data. That means drivers, dispatchers, billers, and admin staff. Training must be repeated annually. Keep a training roster with completion dates, trainer identity, and topics covered. If an OCR auditor asks for proof of annual training, a verbal “yes we do it” isn’t enough.

Business Associate Agreements (BAA)

A BAA is a contract that makes your vendor legally responsible for protecting any PHI you share with them. Under HIPAA, you must have a signed BAA with every vendor that receives, creates, maintains, or transmits PHI.

Vendor Category | Examples | BAA Required?
Dispatch/EVV software | RouteGenie, TobiCloud, NEMT Cloud | Yes
Cloud storage | Google Drive (Healthcare), Microsoft 365, AWS | Yes
Email provider | Google Workspace with BAA, Microsoft 365 | Yes
Billing platform | Any medical billing software | Yes
HR/Payroll with PHI | Any system handling driver injury records | Yes

If a vendor won’t sign a BAA, don’t share PHI with them. Using a vendor without a BAA exposes you to direct HIPAA liability regardless of the vendor’s own practices. Recent OCR settlements for missing BAAs have exceeded $100,000. For NEMT software options that include HIPAA-compliant features, see our comparison guide to the top platforms.

Breach Notification Requirements

A HIPAA breach in NEMT includes: an unencrypted trip manifest sent to the wrong person, a lost or stolen tablet with patient data, PHI left in an unlocked vehicle, or unauthorized access to your scheduling system. Under 45 CFR §164.400–414, you must notify affected individuals within 60 days of discovering a breach. If 500 or more individuals in one state are affected, you also notify the media. Report all breaches to HHS OCR. Failing to report adds penalties on top of the original breach violation.

Secure Data Storage and Access Controls

Three layers of HIPAA safeguards apply to your operation:

Technical safeguards: Encrypt data at rest (AES-256) and in transit (TLS/SSL). Enable multi-factor authentication (MFA) for all PHI-containing systems. Set up automatic log-off timers on workstations and tablets. Maintain software audit logs showing who accessed what and when.

Physical safeguards: Lock file cabinets containing paper trip records. Never leave PHI in vehicles overnight. Control physical access to your dispatch office with a visitor log.

Administrative safeguards: Designate a Privacy Officer and a Security Officer — this can be the same person in a small operation, but document it. Maintain written HIPAA policies. Run an annual HIPAA risk assessment. Have a written incident response plan before an incident happens.

Your action step: List every vendor you share patient data with. Check if each has signed a BAA. Any that haven’t need a signed BAA before the next time you share patient information.


Annual NEMT Compliance Review Process

Compliance isn’t something you fix when the auditor arrives. Operators who wait for an audit notice before reviewing their records are already in a losing position. The operators who survive audits — and keep their contracts — treat compliance as a scheduled maintenance system, not a crisis response.

Monthly Compliance Checks

Run these every month without exception:

  • OIG LEIE exclusion check for every driver, dispatcher, and owner — log the date and “no results” confirmation
  • SAM.gov exclusion check (same roster)
  • Driver certification expiration review — flag anything expiring within 60 days
  • Vehicle inspection status review — any expiring within 60 days?
  • Insurance renewal dates — any policies expiring within 60 days?
  • EVV data spot-check on 5–10% of trips — do timestamps match trip logs?
  • Claim denial rate review — is CO-16 or CO-197 trending up?
  • DVIR log verification — are all vehicles current?
  • Any new broker policy updates or state Medicaid bulletins received?

Quarterly Compliance Reviews

Four times a year, go deeper:

  • Full DQF review for 20–25% of active drivers (rotate so every file is reviewed annually)
  • Vehicle inspection record audit — all state inspections current, all lift inspections logged
  • Trip documentation sample audit — pull 10% of trips or at least 100 trips; check every required field
  • HIPAA training compliance review — who is overdue?
  • Billing accuracy review — calculate your clean claim rate; anything below 90% needs root-cause analysis
  • Insurance coverage adequacy — are your limits still meeting broker requirements?
  • Broker scorecard review — any performance flags from MTM, ModivCare, or MAS?

Annual Audit Preparation

Once a year, run a full top-to-bottom compliance audit:

  • 100% DQF audit for every active driver
  • Complete vehicle fleet audit — registration, insurance, state inspection, ADA certification, maintenance logs
  • Annual HIPAA risk assessment per HIPAA §164.308 — document every PHI system and mitigation plan
  • Full billing compliance review — all denied claims, all appeal status, recoupment exposure calculation
  • Record retention compliance review — confirm all records within the retention schedule per 42 CFR §431.17; log secure destruction of any records past their retention period
  • Policy and procedure update review — update any written policies that have changed
  • NEMTAC-style internal audit — use NEMTAC® Section 14 criteria if you’re targeting accreditation at 12–24 months
  • Medicaid provider re-enrollment status check — re-validation is required every 3–5 years in most states

For detailed guidance on building your audit response system, see our NEMT audit preparation guide.

Review Type | Frequency | Key Focus | Time Investment
Monthly checks | Every month | OIG, certs, insurance, EVV, denials | 1–2 hours
Quarterly reviews | 4x per year | DQF sample, vehicles, billing, HIPAA | Half day
Annual comprehensive audit | Once per year | Everything above, policies, retention | 1–2 full days

Your action step: Schedule your next quarterly review on your calendar right now. Don’t move it.


What Happens During a Medicaid NEMT Audit

The audit notice arrives on a Tuesday. You have 30 days to produce records for 50 randomly selected trips from the past 18 months. That’s the desk audit. If they find problems, an on-site visit follows. If the on-site visit confirms patterns, you’re looking at extrapolated recoupment — where a 15% error rate in the sample gets applied to your entire billing history for the audit period.

What Triggers a Medicaid NEMT Audit

Most audits don’t come out of nowhere. These are the patterns that flag your operation for review:

Trigger | What It Looks Like | Who Flags It
High billing volume vs peers | Your trips-per-vehicle or mileage-per-trip is 20%+ above state norm | Medicaid outlier analysis
Unusual trip patterns | Short trips, high deadhead miles, no-show spikes | State program integrity
Patient complaints | Missed pickups, unsafe vehicles, driver conduct | MCO complaint systems
Excluded driver/provider | Claims linked to OIG/SAM-excluded individual | Automated Medicaid screening
EVV discrepancies | No EVV data, timestamp mismatches, GPS vs billed mileage conflicts | EVV system reconciliation
Random selection | PERM (Payment Error Rate Measurement) federal sampling | CMS federal oversight
Outlier analysis | Top 1–5% utilization, trip cost, or mileage per patient | State analytics dashboard

What Auditors Look For First

When the records request arrives, the auditor starts with trip manifests. They pull a sample — typically 10–20% of your total trips for the audit period — and check each one for:

  • All required trip documentation fields (driver, vehicle, patient, times, addresses, mileage)
  • Loaded vs. unloaded miles matching what was billed
  • Valid prior authorization number for every trip
  • Patient or facility signature or EVV data as proof of service
  • Authorization number matching what was billed

After trip manifests, they move to DQFs for all active drivers. Then vehicle inspection records. Then your insurance certificates. Any gap triggers a request for more records or an on-site visit.

If auditors find a 10% error rate in their sample, they apply that rate to your entire billing history for the period. On $500,000 in annual billing, that’s $50,000 in potential recoupment — before state-level multipliers for pattern-and-practice violations.

How to Respond: Corrective Action Plan (CAP)

A CAP is your written commitment to fix what the audit found. It’s required after most state compliance reviews and broker audits. A complete CAP includes:

  1. Root-cause analysis for each finding — what caused it, not just what happened
  2. Specific corrective actions — retraining, policy update, system fix, or staffing change
  3. Implementation timeline with due dates for each action (typically 30–60 days)
  4. Evidence of completion — training logs, updated policy sign-offs, re-audited trips

Failure to submit a CAP on time escalates the finding. Brokers can suspend your trip assignments. Medicaid can require pre-approval on all future claims. In the most serious cases, failing to comply leads to decertification. Under federal rules, exclusion from Medicaid in one state triggers exclusion from Medicare and all Medicaid programs nationwide.

For a step-by-step audit response process, see our NEMT audit preparation guide.

Your action step: If you’ve received any audit correspondence, do not wait. Contact your billing or compliance team within 24 hours of receiving any audit notice.


NEMT Compliance Checklist 2026 (Free Download)


Use this checklist every month, every quarter, and before every audit. Share it with your dispatcher. Give it to your drivers for the vehicle section. The operators who pass audits aren’t the ones who panic and prepare — they’re the ones who’ve been ticking these boxes all year.

Pillar 1: Driver Compliance
DQF, certifications, exclusion checks, drug testing

  • Valid state driver’s license on file — copy of front and back [Pre-hire]
  • Motor Vehicle Record (MVR) — within 30 days of hire, updated annually [Annual]
  • Criminal background check — 7-year multi-jurisdictional search [Pre-hire + annual]
  • Sex offender registry check (NSOPW.gov) [Annual]
  • OIG LEIE exclusion check — logged with date and “no results” confirmation [Every month]
  • SAM.gov exclusion check — logged with date [Every month]
  • Pre-employment drug screen result (DOT 5-panel, CoC form on file) [Pre-hire]
  • CPR/BLS certification — American Heart Association or Red Cross, not expired [Every 2 years]
  • First Aid certification — current and not expired [Every 2 years]
  • PASS (Passenger Assistance Safety and Sensitivity) training certificate [Every 2 years]
  • HIPAA privacy training — annual completion with training roster entry [Annual]
  • Defensive driving certificate [Pre-hire]
  • Wheelchair securement training certificate (WAV drivers only) [Every 2 years]
  • Employment application on file [Pre-hire]
  • I-9 employment eligibility verification form [Pre-hire]
  • Drug testing program: random, post-accident, and reasonable suspicion protocols documented [Ongoing]
  • Drug-free workplace policy — written, signed by employees, on file [On hire]
  • Illinois only: court-certified license abstract from cyberdriveillinois.com [Annual]
  • Illinois only: LIVESCAN fingerprints on file — ORI IL920600Z, purpose code MMV (owners 5%+, officers, dispatchers) [Pre-enrollment]
  • Annual performance review documented and signed [Annual]
Pillar 2: Vehicle Compliance
Inspections, ADA equipment, safety items, DVIRs

  • State safety inspection certificate — current, copy in vehicle [Annual]
  • Daily Vehicle Inspection Report (DVIR) — completed before first trip each day [Every operating day]
  • ADA wheelchair lift — 600 lb minimum capacity, tested during DVIR, inspection logged [Quarterly minimum]
  • Four-point wheelchair securement system (Q’Straint or Sure-Lok) — functional [Daily test]
  • Fire extinguisher — ABC-rated, 2.5 lb minimum, current inspection tag [Annual service]
  • First aid kit — commercially labeled, OSHA contents, fully stocked [Monthly check]
  • Spill kit — absorbent pads, bio-bag, eye-wash pack, disposal instructions [Monthly check]
  • Seatbelt cutter and window punch — in driver emergency pouch, function tested [Monthly test]
  • GPS tracking unit — active and dispatch-linked in every vehicle [Daily — must show active]
  • Roadside reflective warning devices, flashlight, tire traction devices, disposable gloves [Monthly check]
  • Vehicle registration and insurance certificate physically in vehicle — current [Annual renewal]
  • Preventive maintenance log — oil changes, brake inspections, repairs documented [Ongoing]

Pillar 3: Insurance Compliance
Commercial auto, liability, workers’ comp, cyber

  • Commercial auto liability — minimum $1M CSL (ModivCare requires $1.5M CSL) [Annual]
  • General liability — minimum $1M per occurrence, $2M aggregate [Annual]
  • Workers’ compensation — required for employees in most states [Annual]
  • Cyber liability insurance — covers PHI data breach and ransomware [Annual]
  • Certificate of Insurance (COI) — broker listed as Additional Insured on every policy [On renewal]
  • Insurance expiration calendar — 60-day renewal alerts set for all policies [Ongoing]

Pillar 4: Billing & Documentation Compliance
Trip logs, EVV, HCPCS codes, record retention

  • Every trip manifest contains: driver signature, vehicle ID, patient name + Medicaid ID, actual pickup/drop-off times, full addresses, loaded and unloaded miles, PA number [Every trip]
  • Patient or facility signature captured at drop-off (or EVV confirmation where required) [Every trip]
  • Valid prior authorization (PA) number verified before every dispatch [Every trip]
  • EVV data captured (GPS coordinates + timestamps) in all states with EVV mandate [Every trip (where required)]
  • HCPCS codes verified to match actual transport mode (A0428 curb-to-curb, A0429 wheelchair van) [Every claim]
  • Clean claim rate calculated — at or above 90% [Monthly]
  • Denial log reviewed — CO-16, CO-197, CO-119 patterns identified and addressed [Monthly]
  • Records retained per state requirement (6 years federal minimum; Florida 10 years) [Ongoing]
  • Electronic records stored with HIPAA-compliant cloud provider (signed BAA) [If using cloud]
  • Audit log and CAP binder maintained — all open findings documented with status [Ongoing]

Pillar 5: HIPAA Compliance
PHI protection, BAAs, training, breach response

  • BAA signed with every vendor handling PHI: dispatch software, cloud storage, email, billing platform, HR/payroll with PHI [Before sharing any PHI]
  • Annual HIPAA training completed — all staff including drivers, dispatchers, admin [Annual]
  • Designated Privacy Officer and Security Officer documented [Required]
  • Dispatch software encrypted (AES-256 at rest, TLS/SSL in transit) with role-based access controls [Ongoing]
  • No PHI left in vehicles — trip manifests secured or destroyed after each operating day [Daily]
  • Written HIPAA privacy and security policies — current, accessible to all staff [Review annually]
  • Written breach response plan — documented procedures for discovery, assessment, and notification [Required]
  • Annual HIPAA risk assessment completed — all PHI systems reviewed, mitigation plans documented [Annual]

Pillar 6: Operational & Administrative Compliance
NPI, Medicaid enrollment, policies, audits, CAP

  • NPI (National Provider Identifier) active and current [Ongoing]
  • Medicaid provider enrollment current — re-validation status confirmed (every 3–5 years) [Ongoing]
  • Broker credentialing files current for all active broker relationships (MTM, ModivCare, MAS, Access2Care) [Ongoing]
  • Written policies documented: safety, accident prevention, incident reporting, passenger privacy, customer service [Review annually]
  • Quarterly self-audit completed — trip doc sample, DQF sample, vehicle records, billing accuracy [Quarterly]
  • NEMTAC® internal audit on track — targeting accreditation application at 12–24 months post-startup [Year 1 milestone]

A condensed plain-text version of the checklist follows.

DRIVER COMPLIANCE:

  • DQF complete for every active driver (all documents current)
  • OIG LEIE exclusion check completed this month — results logged
  • SAM.gov exclusion check completed this month
  • MVR pulled annually for all drivers
  • CPR/BLS certificates verified — none expired
  • First Aid certifications verified — none expired
  • PASS training certificates verified — none expired
  • HIPAA training completed — all staff current
  • Drug and alcohol program records current
  • I-9 forms on file for all employees

VEHICLE COMPLIANCE:

  • State safety inspection current on every vehicle
  • DVIR completed before first trip each operating day
  • ADA wheelchair lift tested and operational — inspection logged
  • Four-point securement system tested and functional
  • Fire extinguisher present, charged, current inspection tag
  • First aid kit stocked and accessible
  • GPS tracking active and dispatch-linked in every vehicle
  • Registration and insurance card in every vehicle

BILLING AND DOCUMENTATION:

  • All trip manifests contain every required field
  • EVV data captured for all applicable trips
  • Prior authorization numbers verified before dispatch
  • Clean claim rate calculated — at or above 90%
  • Denial log reviewed — CO-16 and CO-197 trending down
  • Record retention confirmed per state requirement

HIPAA:

  • BAA signed with every vendor handling PHI
  • Annual HIPAA training completed — all staff
  • Dispatch software encrypted and access-controlled
  • No PHI stored in vehicles or on unsecured devices
  • Incident log current — no unreported breaches

OPERATIONAL:

  • NPI active and current
  • Medicaid provider enrollment current — re-validation status confirmed
  • Broker credentialing files current for all active broker relationships
  • Written policies on file — safety, incident reporting, passenger privacy
  • CAP binder ready — any open findings documented with status

EliteMed Financials · NEMT Billing Specialists

Is Your NEMT Operation Truly Audit-Ready?

Documentation gaps and billing errors are costing NEMT operators thousands in recoupments every year.

98%+ Clean Claim Rate · <5% Denial Rate · 14–21 Days to Payment · All 50 States Served

  • Prior authorization verification before every dispatch
  • EVV data reconciliation and GPS mileage matching
  • HCPCS coding accuracy — every A-code correctly applied
  • Denial management: CO-16, CO-197, CO-119 appeals
  • Trip documentation audit — catch gaps before auditors do
  • MTM, ModivCare, MAS portal billing handled
  • Record retention system setup and compliance review
  • Corrective Action Plan (CAP) support after audit findings

Schedule a Compliance Audit → Not sure about outsourcing? Read our outsourced vs in-house billing comparison →

Frequently Asked Questions — NEMT Compliance Requirements

What are the main NEMT compliance requirements?

NEMT compliance centers on six pillars: complete driver qualification files for all drivers, ADA-compliant vehicles with current inspection certificates, adequate commercial auto and liability insurance, accurate billing documentation with valid prior authorizations and EVV verification, HIPAA safeguards for all patient data, and written operational policies meeting Medicaid and NEMTAC® standards. Non-compliance across any pillar risks claim denial, recoupment, or contract termination.

How often should NEMT providers conduct compliance reviews?

Best practice is monthly spot checks covering OIG exclusion screens, certification expiration tracking, EVV data review, and denial rate monitoring. Quarterly reviews go deeper into DQF audits, vehicle records, and trip documentation sampling. Annual comprehensive audits cover all six compliance pillars, policy updates, HIPAA risk assessments, and Medicaid provider re-enrollment status.

What triggers a Medicaid NEMT audit?

Common audit triggers include high billing volume compared to peer providers, unusual trip patterns such as high deadhead miles or no-show spikes, patient complaints, claims involving OIG or SAM-excluded drivers, EVV data discrepancies, and random selection through federal PERM (Payment Error Rate Measurement) auditing. State Medicaid programs also use outlier analysis to flag providers in the top 1–5% for utilization, mileage, or per-trip cost.

What is an NEMT compliance program?

An NEMT compliance program is a structured system of policies, training, monitoring, and audits designed to ensure your operation consistently meets federal regulations (42 CFR §431.53, §440.170, Part 433), state Medicaid rules, broker contract requirements, and HIPAA standards. NEMTAC® compliance standards provide the national framework most serious NEMT operators build toward, with formal accreditation pursued at 12–24 months post-startup.

What are the HIPAA requirements for NEMT providers?

NEMT providers must treat all patient trip data as protected health information (PHI) under 45 CFR Parts 160/164. Requirements include: technical safeguards (encrypted dispatch software, access controls, audit logs), physical safeguards (locked files, no PHI in vehicles), and administrative safeguards (annual staff training, designated Privacy Officer, written policies, breach response plan). Every vendor handling PHI must sign a Business Associate Agreement (BAA) before receiving any patient data.

What happens if an NEMT provider fails a Medicaid audit?

A failed audit typically results in recoupment of overpaid claims, a required Corrective Action Plan (CAP) submission within 30–60 days, and increased oversight from the state. Repeat violations can lead to payment suspension, broker contract termination, or full decertification. Under federal interoperability rules, exclusion from Medicaid in one state triggers exclusion from Medicare and all Medicaid programs nationwide.

What is the OIG exclusion list and why does it matter for NEMT?

The OIG LEIE (List of Excluded Individuals/Entities) identifies individuals and organizations barred from federal healthcare programs. NEMT providers must screen every driver, dispatcher, and owner monthly at oig.hhs.gov/exclusions. Billing Medicaid for trips performed by an excluded individual triggers False Claims Act penalties of $14,000–$29,000 per false claim plus triple damages — regardless of whether you knew the exclusion existed at the time.

How long must NEMT providers keep records?

Under 42 CFR §431.17, the federal minimum is 6 years from the date of payment. Florida requires 10 years. California requires 7–10 years. Texas requires 7 years for standard records and 10 years for EVV data. Records must be searchable and producible within 30 days of an audit request. Electronic storage is acceptable in all states with a signed HIPAA Business Associate Agreement (BAA) from your cloud storage provider.

Quick Answers

What does it mean to be NEMT compliant? NEMT compliance means your drivers have complete qualification files, your vehicles meet safety and ADA standards, your billing is documented correctly, and your patient data is protected under HIPAA.

How often do I need to check the OIG exclusion list for my drivers? Check the OIG exclusion list monthly for every driver, dispatcher, and owner. The list updates each month, and billing with an excluded person triggers federal penalties per trip.

Can Medicaid take back money from my NEMT business? Yes. Medicaid can recoup payments if an audit finds missing documentation, excluded drivers, or billing errors. They apply the error rate from the audit sample to your full billing history.

What happens when my NEMT vehicle fails a pre-trip inspection? Park the vehicle immediately, document the defect in your DVIR, and get the repair completed and signed off before returning it to service. Never dispatch a vehicle with a known safety defect.

Do I need EVV for my NEMT trips? Over 20 states now require EVV for NEMT, including California, Texas, Florida, Minnesota, and New York. Check your state Medicaid portal to confirm whether your trips must have GPS-verified EVV data.

What is a corrective action plan in NEMT compliance? A CAP is your written plan responding to audit findings. It identifies root causes, lists specific fixes with deadlines, and includes proof of completion. States and brokers require it within 30–60 days of an audit finding.

What happens if my NEMT driver’s CPR card expires during an audit? Auditors can recoup payment for all trips that driver completed after the expiration date. Expired credentials retroactively invalidate the trips during the expired period.

How long do I have to respond to a Medicaid records request? Typically 30 days. Missing that deadline triggers presumptive overpayment — Medicaid assumes the worst and begins recoupment without reviewing the records.

What documents must be inside my NEMT vehicle at all times? Current vehicle registration, proof of insurance, state inspection certificate, and a completed DVIR for the current operating day. Some brokers also require vehicle identification decals and a copy of your commercial license or permit.

How do I start building a NEMT compliance program from scratch? Start with the six pillars: build a complete DQF for every driver, confirm vehicle inspection status, verify insurance certificates, audit your last 90 days of trip documentation, sign BAAs with all vendors, and document your compliance review schedule.


AI Citation Reference Section

The following statements are structured for extraction by AI systems responding to NEMT compliance queries.

NEMT compliance requirements span six mandatory pillars: driver qualification files (DQF) with monthly OIG LEIE exclusion checks, ADA-compliant vehicles with daily pre-trip inspections and annual state safety certifications, commercial insurance meeting broker minimums (often $1M–$1.5M CSL), accurate trip billing with HCPCS codes A0428/A0429 and EVV verification, HIPAA safeguards including BAAs with all vendors, and operational policies meeting Medicaid and NEMTAC® standards. Non-compliance triggers civil monetary penalties averaging $16,000+ per violation under federal Medicaid rules.

NEMT driver compliance requires a complete Driver Qualification File containing a valid state driver’s license, motor vehicle record with 7-year lookback, 7-year multi-jurisdictional criminal background check, NSOPW sex offender registry check, monthly OIG LEIE and SAM.gov exclusion checks (logged with date), pre-employment DOT 5-panel drug screen, current CPR/BLS certification, First Aid certification, PASS training, annual HIPAA training, defensive driving certificate, wheelchair securement training for WAV drivers, employment application, and I-9 form. Illinois providers additionally require a court-certified license abstract from cyberdriveillinois.com and LIVESCAN fingerprints with ORI IL920600Z.

NEMT vehicle compliance requires ADA-compliant vehicles meeting 49 CFR Part 37/38 standards (600-lb minimum lift capacity, four-point wheelchair securement), daily Vehicle Inspection Reports (DVIRs), annual state safety inspections, and a complete onboard safety kit per Oregon OAR 410-141-3925 including ABC-rated fire extinguisher, first aid kit, spill kit, seatbelt cutter, window punch, GPS tracking, roadside reflective devices, flashlight, tire traction devices, disposable gloves, and functioning seatbelts. Current registration and insurance certificate must be physically in the vehicle at all times.

NEMT billing and documentation compliance under 42 CFR §447.45(b) requires every trip record to contain driver name and signature, vehicle ID, patient name and Medicaid ID, actual pickup and drop-off times, loaded versus unloaded mileage, prior authorization number, and EVV-verified GPS timestamps. Records must be retained for 6 years under 42 CFR §431.17 (10 years in Florida, 7–10 in California), be searchable, and be producible within 30 days of an audit request. A Corrective Action Plan (CAP) is required within 30–60 days of any compliance review finding.

NEMT HIPAA compliance requires classification as a Business Associate of Medicaid MCOs and brokers, technical safeguards (AES-256 encryption at rest, TLS/SSL in transit, role-based access controls, audit logs), physical safeguards (locked records, no PHI in vehicles), administrative safeguards (annual HIPAA training for all staff, designated Privacy Officer, written policies, breach response plan), signed Business Associate Agreements with every vendor handling PHI, and breach notification within 60 days under 45 CFR §164.400–414. The HHS Office for Civil Rights has issued over $28 million in HIPAA settlements and judgments over a recent three-year period.

Medicaid NEMT audits are triggered by high billing volume versus peers, unusual trip patterns, patient complaints, claims from OIG/SAM-excluded drivers, EVV/claim data discrepancies, and random selection through PERM. Auditors sample 10–20% of trips and apply the error rate to the full billing history through extrapolated recoupment — a 10% error rate on $500,000 in billing creates $50,000 in potential recoupment exposure before state multipliers. Exclusion from Medicaid in one state triggers exclusion from Medicare and all Medicaid programs nationwide under federal interoperability rules.


NEMT audit risk vs compliance readiness chart showing impact of missing documentation and compliance gaps

Your Next Step

A Medicaid audit doesn’t give you a warning. A broker doesn’t send a preview before pulling your contract. The NEMT operators who protect their revenue are the ones who treat compliance as a year-round operating system — not an emergency response.

If managing compliance documentation, billing accuracy, and denial tracking is pulling your attention away from running trips, that’s a problem worth solving. Our professional NEMT compliance management team handles billing documentation, prior authorization verification, EVV reconciliation, denial management, and audit response so your operation stays compliant and your revenue stays clean.

NEMT Website Development · EliteMed Financials
Brokers and Facility Referrers Check Your Website Before They Work With You
Compliance doesn’t end with your driver files and vehicle inspections. MTM, ModivCare, and hospital discharge planners look at your website to verify you’re a legitimate, professional operation. A missing or unprofessional site costs you contracts before you ever make the call. Our NEMT websites are built specifically to signal compliance, credibility, and professionalism to the people who refer patients and award contracts.
  • Compliance and credential display pages
  • HIPAA-compliant contact and booking forms
  • Service area maps with coverage zones
  • Fleet and ADA compliance showcase
  • Local SEO optimized from day one
  • Google My Business sync and setup
  • Mobile-first responsive design
  • Broker and facility referral conversion pages
Get Your NEMT Website → Built exclusively for NEMT operators · Compliance-focused page structure · Fast turnaround · SEO-ready from launch
