Direct enterprise tier, not a marketplace listing

Real-time healthcare and federal compliance API for risk and vendor diligence teams

269K records across federal exclusions, state Medicaid, DEA, and state board discipline. Webhook delta delivery on every nightly source pull. REST API access for on-demand screening. Monthly bulk CSV. One flat subscription. No per-call metering.

269K records | 8+ source feeds | Webhook delta delivery | $999/mo flat

Month-to-month. Cancel any time from the Stripe portal. API key and webhook secret provisioned by email within one business day of payment.

Who buys this

Four buyer profiles drive the direct enterprise subscription. Each one wants the feed wired into their own systems, not a per-call dashboard.

Vendor onboarding pipelines

Verify a vendor is not on LEIE, SAM, or any state exclusion list before contracting. Wire the API into the procurement workflow and block engagement on a positive match.

Healthcare credentialing teams

LEIE plus state Medicaid plus DEA plus state board actions in one feed. One nightly delta refresh covers what previously required four separate manual checks.

M&A counterparty diligence

Screen target-entity officers, agents, and affiliated NPIs against federal and state exclusion data. Surface issues before LOI rather than during confirmatory diligence.

Compliance SaaS embed

White-label the feed inside a downstream compliance product. Filter rules let your customers narrow to their own roster scope without exposing the full dataset.

Sources covered

Federal exclusion lists plus state Medicaid plus DEA plus state board actions. Each source is pulled, fingerprinted, and compared against the prior snapshot to produce change rows.

LEIE (HHS-OIG)

List of Excluded Individuals and Entities, refreshed monthly by the OIG. 82,749 active exclusions as of the most recent pull.

Free 5K-row sample on Kaggle →

OFAC SDN (US Treasury)

Specially Designated Nationals list — individuals, entities, vessels, and aircraft under US sanctions. 19,050 records refreshed daily.

Free 5K-row sample on Kaggle →

SAM exclusions (GSA)

System for Award Management exclusion records covering federal debarment, suspension, and ineligibility. 167,643 records across individuals and entities.

State Medicaid exclusions

Active sweep across published state Medicaid exclusion lists. Coverage expanding; current focus includes TX, CA, NY, FL, and additional states.

DEA registration data

DEA controlled-substance registrant data and revocation actions. Used to surface providers whose DEA authority has lapsed or been pulled.

State medical board actions

License discipline and revocation actions published by state medical and dental boards. Names, NPIs where available, and action dates.

How webhook delta delivery works

Customers register a webhook URL plus a filter_rules JSONB object. Every night, after every source refresh, any matching change rows fire to the configured URL. Three retries with exponential backoff. Signed payloads. Delivery logs retained for 90 days.

example filter_rules
{
  "sources": ["LEIE", "SAM"],
  "states": ["MI", "OH", "IN", "IL"],
  "npis": [
    "1234567890",
    "9876543210"
  ]
}

example webhook payload
{
  "event": "exclusion.added",
  "delivery_id": "evt_8c7b2f1d3e4a",
  "subscription_id": "sub_a1b2c3",
  "change": {
    "id": "5f3e2c1d-7a8b-49d0-9c1e-2b3a4d5e6f7a",
    "source": "LEIE",
    "change_type": "added",
    "fingerprint": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d",
    "affected_entity": {
      "name_hash": "5b4f3a2e1d0c9b8a7c6d5e4f3a2b1c0d",
      "npi": "1234567890",
      "state": "MI",
      "exclusion_type": "1128(a)(1)",
      "exclusion_date": "2026-05-14",
      "source_url": "https://oig.hhs.gov/exclusions/exclusions_list.asp"
    },
    "detected_at": "2026-05-20T03:14:07Z"
  }
}

register a subscription
curl -X POST https://palavir.co/api/compliance-api/webhook-register \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "cmpl_live_...",
    "webhook_url": "https://hooks.your-domain.com/palavir",
    "filter_rules": {
      "sources": ["LEIE", "SAM"],
      "states": ["MI", "OH"]
    },
    "notification_email": "compliance@your-domain.com"
  }'

Change-row schema

Every change row carries the same shape. Customers can persist the raw payload as-is or extract the fields they need into their own warehouse.

Field                            Type             Description
source                           enum             LEIE | SAM | STATE_MEDICAID | DEA | STATE_BOARD
change_type                      enum             added | removed | modified
fingerprint                      string           SHA-256 of the canonical record fields
affected_entity.npi              string | null    10-digit NPI when available
affected_entity.name_hash        string           Salted SHA-256 of the entity name
affected_entity.state            string | null    Two-letter state code
affected_entity.exclusion_type   string | null    Source-specific exclusion code
affected_entity.exclusion_date   date | null      ISO date when the exclusion was effective
affected_entity.source_url       string           URL of the originating public list
detected_at                      timestamp        ISO 8601 UTC of when the change row was detected

One flat subscription

Direct enterprise tier. No per-call metering. No marketplace middleman.

Direct enterprise

Compliance API

$999/mo

Month-to-month. Cancel from the Stripe portal at any time.

  • Webhook delta delivery on every nightly source pull
  • Filter rules by source, state, or NPI roster
  • REST API access for on-demand lookups
  • Monthly bulk CSV across the full dataset
  • HMAC-SHA256 signed payloads on every webhook
  • Three delivery attempts with exponential backoff
  • Delivery logs retained for 90 days

Volume buyers and embedded resellers can request custom terms by email. For the metered marketplace tier (single-call lookups starting at $9/mo), see the exclusion screening page.

Common questions

How is this different from the RapidAPI listing?

The RapidAPI listing is a metered tier for low-volume single-call lookups. This direct enterprise tier is the same underlying dataset but delivered as nightly webhook deltas, unmetered REST API access, and a monthly bulk CSV. It is for teams that want the data flowing into their own systems rather than a per-call screening tool.

What does the webhook delta pattern actually look like?

On every nightly source pull, the system fingerprints every record. Any record whose fingerprint changed, was added, or was removed becomes a change row. Subscriptions with matching filter rules receive a signed POST to the configured webhook URL. Three delivery attempts, then the failure is logged for inspection.

How are payloads signed?

Every webhook delivery carries an X-Palavir-Signature header of the form sha256=hex. The signature is HMAC-SHA256 over the raw request body using the subscription secret returned at registration time. Verify the signature before processing the payload.

What states are covered for Medicaid exclusions?

Active coverage rotates as states publish updates. TX, CA, NY, and FL are core. Additional states are added as their published lists are integrated. The source_url on each change record points back to the originating list.

Can I filter to my own NPI roster?

Yes. The filter_rules object accepts npis as an array of 10-digit NPI strings. Up to 10,000 NPIs per subscription. Only changes matching any NPI in the list will fire to that webhook.

What does name_hash mean?

Personally identifying provider names on excluded individuals are delivered as a salted SHA-256 hash so the webhook payload cannot be replayed as a name search index. Customers who need cleartext names for credentialing use the REST API with their authenticated API key.

How do I cancel?

Month-to-month. Cancel from the Stripe customer portal at any time. The API key and webhook subscriptions remain active through the end of the current period and then deactivate on renewal.
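
A receiver-side check for the X-Palavir-Signature header described under "How are payloads signed?", written as an added example and not code published by the vendor. The secret and body are constructed sample values, the function names are hypothetical, and the duplicate check assumes a retried delivery reuses its delivery_id.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "sha256="  # header form stated on the page: sha256=<hex>


def verify_signature(raw_body: bytes, header_value, secret: bytes) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 of raw_body."""
    if not header_value or not header_value.startswith(SIG_PREFIX):
        return False
    supplied = header_value[len(SIG_PREFIX):].strip().lower()
    # Sign the bytes exactly as received; re-serialized JSON will not match.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_delivery(raw_body: bytes, header_value, secret: bytes, seen_ids: set) -> str:
    """Authenticate first, parse second, then drop repeats of one delivery_id."""
    if not verify_signature(raw_body, header_value, secret):
        return "rejected"          # respond 401 and do not parse the body
    event = json.loads(raw_body)   # parse the same bytes that were verified
    delivery_id = event.get("delivery_id")
    if not delivery_id:
        return "rejected"
    if delivery_id in seen_ids:    # assumption: a retry reuses delivery_id
        return "duplicate"         # acknowledge with 2xx, take no action
    seen_ids.add(delivery_id)
    return "accepted"


# Constructed sample values, not real credentials or real deliveries.
SAMPLE_SECRET = b"constructed-secret-for-example"
SAMPLE_BODY = json.dumps({
    "event": "exclusion.added",
    "delivery_id": "evt_8c7b2f1d3e4a",
    "change": {"source": "LEIE", "change_type": "added"},
}).encode()
SAMPLE_HEADER = SIG_PREFIX + hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    seen = set()
    print(handle_delivery(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET, seen))
    print(handle_delivery(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET, seen))
    print(handle_delivery(SAMPLE_BODY + b" ", SAMPLE_HEADER, SAMPLE_SECRET, seen))
```

In a web framework, pass the unparsed request bytes to handle_delivery; a body that middleware has already decoded and re-encoded will fail verification even when the delivery is genuine.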

Wire the feed into your compliance stack

269K records. Nightly deltas. Signed webhooks. REST API. Monthly bulk CSV. $999/mo flat.