OIG Issues Revised Provider Self-Disclosure Protocol

by Bradley Arant Boult Cummings LLP

On April 17, 2013, the Office of Inspector General (OIG) of the United States Department of Health and Human Services (HHS) revised its Provider Self-Disclosure Protocol (SDP), originally published in 1998, and updated in 2006, 2008, and 2009. The revision replaces the original publication and updates.

At its core, the SDP provides a formal mechanism for a health care provider to internally investigate potential violations of federal law and to submit a report to the OIG.

Four revisions are perhaps the most notable. Though OIG has probably made similar expectations clear to health care providers that have used the previous SDP, now OIG has made these expectations public and more formal. First, the OIG has now stated explicitly that its “general practice is to require a minimum multiplier of 1.5 times single damages,” a figure much less than the potential multiplier of 3 times single damages permitted by the Civil Monetary Penalties Law and the False Claims Act (FCA). Second, the SDP now provides more guidance for disclosure of potential violations not involving claim errors, specifically for potential violations involving the anti-kickback statute or individuals excluded from federal health care programs. Third, the SDP addresses, albeit tentatively, the 60-day overpayment rule proposed last year by the Centers for Medicare & Medicaid Services (CMS). Fourth, the SDP shortens the available timeframe for health care providers by requiring a complete submission 90 days after initially submitting into the SDP, not 90 days after the OIG accepts a submission.

As revised, the SDP explains who can disclose and for what; the benefits of disclosure; the requirements of a disclosure submission; and how potential violations are resolved after submission.

Who Can Disclose and for What

As the SDP confirms, all health care providers can use the SDP to disclose potential violations of federal criminal, civil, or administrative laws. In practice, hospitals have used the SDP more than other providers have, accounting for over a third of the over 800 total disclosures. These disclosures also include potential violations based on successor liability.

Several explicit and practical limitations exist however. For example, these potential violations do not include arrangements that create liability only under the physician self-referral law, the Stark Law. And the OIG expects not only that the conduct underlying the potential violation will have ended but also that a disclosing party waive any statute of limitations defenses that would be available in a related OIG administrative action. Dollar-amount thresholds also exist: $50,000 for kickback-related conduct and $10,000 for other conduct.

Benefits of Disclosure

Most obviously, using the SDP would lower the risk of a whistleblower action or a government investigation.

In return for using the SDP, a provider seems likely to escape the ongoing burden of a Corporate Integrity Agreement (CIA) and to pay less than the triple damages possible. Citing its actual practice, the OIG has required a CIA in only one of 235 settled cases. The OIG also cites its general practice in suggesting a 1.5 multiplier on damages but also reserves its right to a higher one.

Notably, the OIG relies on the language of CMS’s proposed February 2012 rule on 60-day overpayment obligations. The OIG first cites the proposal to state that its acknowledging receipt of an SDP submission suspends the obligation to report overpayments. Second, the proposal would suspend the obligation to return overpayments until removal from the SDP or settlement. The SDP would apparently satisfy the reporting requirements for overpayments stemming from a potential violation. But reporting straight overpayments would probably occur through a Medicare Administrative Contractor. Practically, reviewing a seemingly straight overpayment, investigating underlying conduct, and deciding to use the SDP may require more than 60 days, rendering the SDP-triggered suspension unavailable.

Requirements of a Disclosure Submission

The SDP lays out the requirements for disclosure submissions generally and then, specifically, for disclosure submissions that involve three specific types of conduct: false billing; conduct involving excluded persons; and conduct involving the anti-kickback statute and physician self-referral law (Stark Law). The requirement to describe corrective actions taken is both a general requirement and a specific one.

All disclosure submissions must acknowledge that the underlying conduct is a “potential violation” of an explicitly identified law. Beyond that requirement, all disclosure submissions must include ten categories of information:

  • the provider ID number and contact information;
  • a listing of entity structure;
  • the contact information for a designated representative;
  • a concise statement of all relevant details—conduct, time period, and identification of involved individuals and their roles, for example;
  • a listing of affected federal health care programs;
  • an estimate of damages;
  • a description of corrective actions taken;
  • the identification of any government inquiry for the disclosed conduct or any other conduct related to federal health care programs;
  • the name of the individual with settlement authority; and
  • a certification that the information is truthful and submitted in a good faith effort to resolve potential liability.

For conduct involving false billing, the SDP lays out specific requirements for estimating damages. In particular, a provider submitting a disclosure must review either all claims affected by the potential legal violations or a statistically valid random sample. The disclosure submission must then identify both how the provider conducted the review and the information underlying the sampling, if applicable.

For conduct involving excluded persons, the SDP requires the following six items:

  • the identity of the excluded individual;
  • the individual’s job duties;
  • the dates of the individual’s employment or contractual relationship;
  • a description of background checks completed on the individual;
  • a description of the screening process performed; and
  • a description of how the conduct was discovered.

Further, a disclosure submission for conduct involving excluded persons should estimate damages based on the total costs of employing that person multiplied by percentage of revenue derived from federal health care programs. For conduct involving the anti-kickback statute and the Stark Law, additional information requirements also exist. Basically, a provider should describe the involved parties and the context—their identities, their relationship to one another, payment arrangements, and dates for the suspect arrangement. The SDP provides specific examples of potentially helpful questions to answer:

  • How fair market value was determined;
  • Why and for how long payments were not timely made or collected or did not conform to a negotiated agreement;
  • Why the arrangement lacked a reasonable business purpose;
  • Whether payments were made for unperformed or undocumented services; and
  • Whether referring physicians received payments violating the Stark Law.

To calculate damages for conduct involving the anti-kickback statute and the Stark Law, a provider may follow the requirements for disclosing false billing. In any event, a provider must include the total amount of remuneration that each arrangement involved and, if applicable, why the OIG should disregard any part of the remuneration. The OIG usually bases SDP settlement discussions on the total amount of remuneration.

Resolution under the SDP

The OIG emphasizes that parties should demonstrate continued cooperation, indicated by “conducting a thorough investigation, submitting all necessary information, communicating through a consistent point of contact, being responsive to OIG requests for additional information, and being willing to pay a penalty or multiplier of damages for self-disclosed conduct.” Otherwise, the OIG may remove a provider from the SDP. Settlement of any FCA liability requires Department of Justice (DOJ) participation, as does settlement of any criminal liability. When the DOJ becomes involved, the OIG promises to advocate for the provider by highlighting the disclosure.


The SDP is no guarantee. Much if not most of the conduct a provider can disclose to the OIG also violates the criminal and civil laws enforced by the DOJ. The OIG can offer no guarantees of DOJ leniency. Indeed, though the DOJ seems unlikely to institute a criminal proceeding against a disclosing provider, the DOJ, as recently reflected in its 2012 Foreign Corrupt Practices Act guidance, seems hesitant to quantify the benefits of cooperation. Further complicating the SDP process is the DOJ’s own willingness to take self-disclosures.

Second, the SDP process could unveil a whistleblower and lead to an FCA case. Third, the SDP requires documentation of potential violations. This creates uncertainty both for the privileged matter underlying an internal investigation and for continued confidentiality under the Freedom of Information Act. At minimum, this requires a provider to manage the SDP process carefully, cooperating while also minimizing the number of admissions made and ensuring that few sources of information about potential violations are referenced.

Finally, a provider removed from the SDP for failing some expected level of cooperation may find itself an obviously easy target for enforcement.

At bottom, the revised SDP offers more guidance on what the OIG is seeking from disclosing providers, which allows providers to make more informed decisions. Thus, the OIG’s SDP is a welcome and streamlining addition to the OIG’s library of guidance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising

Written by:

Bradley Arant Boult Cummings LLP

Bradley Arant Boult Cummings LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.