OIG Unveils Updated Self-Disclosure Protocol

by Epstein Becker & Green

In 1998, the Department of Health and Human Services' Office of Inspector General ("OIG") published the Self-Disclosure Protocol ("SDP"), which provides a mechanism through which health care providers may voluntarily report to the OIG potential violations of criminal, civil, or administrative law governing federal health care programs for which exclusion or civil monetary penalties ("CMPs") are authorized. The OIG reported that, within the last 15 years, over 800 disclosures were resolved under the SDP, amounting to more than $280 million in recoveries for federal health care programs. On April 17, 2013, the OIG unveiled an updated SDP,[1] which includes various new provisions, such as limitations on the SDP's scope with respect to its applicability to the Stark Law, a new minimum damages multiplier, minimum settlement amounts, and guidelines for the content of submissions by providers.

In the updated SDP, the OIG continues to emphasize the importance and benefits of voluntary disclosure and notes that "good faith disclosure of potential fraud and cooperation with the OIG's review and resolution process are typically indications of a robust and effective compliance program." Significantly, the OIG states that it "instituted a presumption against requiring [corporate] integrity obligations in exchange for a release of OIG's permissive exclusion authorities in resolving an SDP matter." In fact, the OIG reports that, of the 235 cases resolved since 2008, only one required integrity measures. Additionally, the OIG confirmed that individuals and entities that take advantage of the self-disclosure process should pay a lower multiplier for purposes of calculating damages than would normally be expected in a government investigation. Although the precise multiplier may vary based on case-specific facts, the OIG states that it will generally require a minimum multiplier of 1.5.

Of particular importance, the OIG has attempted to streamline the internal process for disclosures "to reduce the average time a case is pending with OIG to less than 12 months from acceptance into the SDP." However, in order to keep within this timeframe, the OIG is now requiring that internal investigations and damages calculations be submitted 90 days from the date of an initial submission. This is a significant change from the previous version of the SDP, which required that they be completed 90 days from acceptance into the SDP. This tightened timeframe may prove to be a challenge for the health care industry.

Another significant issue addressed in the updated SDP is the time period that the OIG expects the disclosing party to investigate in connection with the disclosed potential violation. Specifically, the OIG states that it "expects disclosing parties to disclose with good faith willingness to resolve all liability within the CMPL's six year statute of limitations…." Accordingly, the OIG must agree, as a "condition precedent" to acceptance into the SDP, that the disclosing party will waive and not plead the statute of limitations, laches, or any similar defense, except to the extent that such defenses would have been available to the disclosing party had an administrative action been filed on the date of submission.

Set forth below is a summary of the information included in the updated SDP.

Eligibility to Participate in the SDP

The SDP process may be pursued by all health care providers, suppliers, or other individuals or entities subject to the OIG's CMP authorities found at 42 C.F.R. Part 1003 and is not limited to particular industries, specialties, or types of services. However, the updated SDP clarifies certain eligibility requirements for the SDP, both in terms of who may take advantage of the process and what type of conduct falls within the scope of the SDP. The updated SDP notes, in particular, that pharmaceutical manufacturers are eligible to enter the SDP. Additionally, the updated SDP confirms that disclosing parties that are already subject to a government inquiry are not necessarily precluded from using the SDP, but the SDP cannot be used as a means to avoid such inquiry. The OIG also noted that parties that are already subject to a Corporate Integrity Agreement, which has its own reporting requirements, are also able to use the SDP process.

With respect to the type of conduct that may be disclosed, the updated SDP confirms that it can be used for conduct that potentially violates federal criminal, civil, or administrative laws for which CMPs are authorized. Importantly, the OIG specifically states that, in making a disclosure, the disclosing party "must acknowledge that the conduct is a potential violation" and must identify the specific laws that are implicated. Citing the fact that disclosing parties that fail to acknowledge potential violations are the ones likely to have unclear or incomplete submissions, etc., the OIG noted that statements such as "the Government may think there is a violation but we don't agree…" may result in the disclosing party's removal from the SDP. In doing so, the OIG also reiterated that the SDP process is separate from the Advisory Opinion process and that parties are not to use the SDP process to request an opinion from the OIG if a violation or potential violation occurred.

It is also important to note that, before making a disclosure, disclosing parties must ensure that the conduct concerning the potential violation has ended or that corrective action will be taken and that the improper arrangement will be terminated within 90 days of submission to the SDP.

Finally, the OIG addresses in the updated SDP that, in addition to the SDP, the Centers for Medicare & Medicaid Services ("CMS") has its own Self-Referral Disclosure Protocol ("SRDP") for those arrangements that involve liability only under the federal physician self-referral law, commonly referred to as the "Stark Law." (The intersection between federal Anti-Kickback Statute ("AKS") and Stark Law liability is addressed below.)

Disclosure Requirements

There are several requirements that must be met and addressed in a disclosing party's submission for acceptance into the SDP. As indicated above, disclosing parties must conduct internal investigations related to the conduct subject to the disclosure. In cases where an internal investigation is not completed before submission, the disclosing party must certify (as part of that submission) that it will complete the internal investigation within 90 days of the date of its initial submission (not 90 days of the provider's acceptance into the SDP).

Disclosures may be submitted electronically through the OIG's website or via mail. As noted in the updated SDP, all submissions must include the following information:[2]

  • The name, address, type of health care provider, provider identification number(s), and tax identification number(s) of the disclosing party and the Government payors (including Medicare contractors) to which the disclosing party submits claims or a statement that the disclosing party does not submit claims.
  • If the disclosing party is an entity that is owned or controlled by or is otherwise part of a system or network, an organizational chart, a description or diagram describing the pertinent relationships; the names and addresses of any related entities; and any affected corporate divisions, departments, or branches.
  • The name, street address, phone number, and email address of the disclosing party's designated representative for purposes of the voluntary disclosure.
  • A concise statement of all details relevant to the conduct disclosed, including, at minimum, the types of claims, transactions, or other conduct giving rise to the matter; the period during which the conduct occurred; and the names of entities and individuals believed to be implicated, including an explanation of their roles in the matter.
  • A statement of the Federal criminal, civil, or administrative laws that are potentially violated by the disclosed conduct.
  • The Federal health care programs affected by the disclosed conduct.
  • An estimate of the damages, as described in the applicable section below, to each Federal health care program relevant to the disclosed conduct, or a certification that the estimate will be completed and submitted to OIG within 90 days of the date of submission. When a disclosing party can determine the amount of actual damages to Federal health care programs, the actual damages amount must be provided instead of an estimate.
  • A description of the disclosing party's corrective action upon discovery of the conduct.
  • A statement of whether the disclosing party has knowledge that the matter is under current inquiry by a Government agency or contractor. If the disclosing party has knowledge of a pending inquiry, it must identify any involved Government entity and its individual representatives. The disclosing party must also disclose whether it is under investigation or other inquiry for any other matters relating to a Federal health care program and provide similar information relating to those other matters.
  • The name of an individual authorized to enter into a settlement agreement on behalf of the disclosing party.
  • A certification by the disclosing party, or, in the case of an entity, an authorized representative on behalf of the disclosing party, stating that to the best of the individual's knowledge, the submission contains truthful information and is based on a good faith effort to bring the matter to the Government's attention for the purpose of resolving potential liability to the Government and to assist OIG in its resolution of the disclosed matter.

In addition, the OIG provided additional guidance in the updated SDP related to specific information that must be included for certain types of conduct.

Conduct Involving False Billing. When a disclosure involves the submission of improper claims to federal health care programs, disclosing parties must conduct a review to estimate damages and report their findings, being sure to include the information specified in the SDP. The damages estimate can be done in one of two ways: (1) a review of all claims impacted by the disclosed conduct, or (2) a review conducted through a statistically valid random sample of claims (of at least 100 items generally), which would then be projected to the entire population of claims at issue. If a disclosing entity chooses to review a statistical sample, the protocol includes specific instructions and guidance related to how the sample must be generated and reviewed.

In the updated SDP, the OIG set forth information that must be included for conduct involving improper billing. Of particular importance, the OIG noted that the review should be conducted by qualified individuals—e.g., statisticians, accountants, auditors, consultants, and medical reviewers—and include a description of their qualifications in the submission. The updated SDP also noted that, if the review is based upon a sample, then the sample size must be at least 100 claims. Further, to avoid unreasonably large sample sizes, the OIG no longer requires a minimum precision level for the review of claims.

Conduct Involving Excluded Individuals. If the disclosure relates to conduct involving excluded individuals, the OIG outlined in the updated SDP the specific information that must be provided.

The OIG states that, prior to disclosing the employment of an excluded individual, disclosing parties must screen all current employees and contractors against the List of Excluded Individuals/Entities ("LEIE") and disclose all excluded persons in one submission. Damages calculations involving excluded persons can be challenging because items and services provided by excluded persons are not always billed separately (e.g., services or items provided by nurses, respiratory therapists, or administrative personnel). As such, the OIG noted that, if the items or services provided by excluded individuals are billed separately, the disclosure should include the total amounts claimed and paid by the federal health care programs for those items or services. In the case of items and services not billed separately, the damages calculation involves using the disclosing party's total costs of employment or contracting during the exclusion in order to estimate the value of items and services provided by that individual. This amount should then be multiplied by the disclosing party's revenue-based federal health care program payor mix for the relevant time period and used as a proxy for the amount paid and the single damages to the federal health care programs that resulted from employment of the excluded person.

Conduct Involving the AKS and the Stark Law. The OIG recognized that a large number of submissions relate to potential violations of the AKS, including conduct that may also violate the Stark Law.

According to the updated SDP, disclosing parties must include a succinct statement of all the details that are directly relevant to the disclosed conduct as well as a specific analysis of why each disclosed arrangement potentially violates the AKS and, if applicable, the Stark Law. Further, the description should include the identities of individuals who participated in the conduct, their relationship to one another to the extent that the relationship affects their potential liability, the payment arrangements, and the dates during which the conduct occurred. The OIG also noted that the disclosure should discuss any relevant background and those features of the arrangement that raise potential liability.

In the updated SDP, the OIG provided the following five examples of information deemed to be helpful when assessing and resolving the disclosed conduct involving AKS, and possibly Stark Law, violations:[3]

  1. How fair market value was determined and why it is now in question.
  1. Why required payments from referral sources, under leases or other contracts, were not timely made or collected or did not conform to the negotiated agreement and how long such lapses existed.
  1. Why the arrangement was arguably not commercially reasonable (e.g., lacked a reasonable business purpose).
  1. Whether payments were made for services not performed or documented and, if so, why.
  1. Whether referring physicians received payments from Designated Health Service entities that varied with, or took into account, the volume or value of referrals without complying with a Stark Law exception. Finally, the submission must describe the corrective action taken to remedy the suspect arrangement(s), as well as any safeguards implemented by the disclosing party to prevent the conduct from reoccurring.

Since the government considers AKS and Stark Law compliance to be conditions of payment by the federal health care programs, the disclosing party must submit an estimate of the amount paid by federal health care programs for the items or services associated with the potential violations. In order to quantify this amount, the disclosing party may use the same methodology proposed for conduct related to fraudulent billing. Alternatively, the disclosing party may use another methodology and explain the methodology in the submission.

The disclosure must include the total amount of remuneration, whether or not the disclosing party believes that a portion of the remuneration was offered, paid, solicited, or received for a lawful purpose. However, a disclosing party should still explain what it believes is the value of the financial benefit received under the arrangement and whether any portion of the total remuneration should not be considered by the OIG when determining an appropriate settlement.

Resolution and Other Considerations

As the OIG notes in the updated SDP, in order to "promote transparency and realistic expectations in the SDP process," it will require minimum settlement amounts for participants in the SDP. For kickback-related disclosures, there is a minimum of $50,000 to resolve the matter. For all other accepted matters, there is a minimum of $10,000 to resolve the matter. These minimums include federal health care program damages and any relevant multiplier. If, prior to resolution, the disclosing party refunded an overpayment related to the same conduct, the OIG will credit the amount refunded toward the ultimate settlement amount. However, the OIG is not bound by any amount that is repaid outside the SDP process. Therefore, the OIG may question the methodology of the overpayment calculation. Even if the OIG agrees with the calculation, the disclosing party should expect to pay a multiplier on the damages under the SDP.

In the event that a disclosing party is unable to pay an otherwise appropriate settlement amount, the disclosing party should raise this "ability to pay" issue at the earliest possible time, preferably in the submission. The disclosing party will need to provide, and certify to the truthfulness and completion of, extensive financial information, including audited financial statements, tax returns, and asset records. In addition to submitting the financial information, the disclosing party should include an assessment of how much it believes that it can afford to pay.

In cases where the OIG determines that no potential fraud liability exists, the OIG will refer the matter to the appropriate payor for the acceptance of the overpayment. However, a CMP release will not be provided.

According to the OIG, the resolution of potential violations disclosed through the SDP depends on numerous factors, including the OIG's coordination with the Department of Justice and CMS, as well as the disclosing party's willingness to cooperate. In exchange for the disclosing party's cooperation throughout the SDP process, the disclosing party is generally afforded a speedy resolution, lower multiplier, and an exclusion release without integrity agreement obligations. According to the OIG, disclosing parties that fail to cooperate in good faith will be removed from the SDP.

* * *

This Client Alert was authored by George B. Breen, Jason E. Christ, Anjali N.C. Downs, Jennifer K. Goodwin, David E. Matyas, Deepa B. Selvam, and Carrie Valiant. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.

If you would like to be added to our mailing list or need to update your contact information, please contact Lisa C. Blackburn at lblackburn@ebglaw.com or 202-861-1887.


[1] See Office of Inspector General, Dep't of Health & Human Serv., Updated OIG's Provider Self-Disclosure Protocol (Apr. 17, 2013), available at https://oig.hhs.gov/compliance/self-disclosure-info/files/Provider-Self-Disclosure-Protocol.pdf.

[2] Id. at 5-6.

[3] Id. at 11-12.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Epstein Becker & Green | Attorney Advertising

Written by:

Epstein Becker & Green

Epstein Becker & Green on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.