Updated Self-Disclosure Protocol Clarifies Disclosure Process and Obligations

by Mintz Levin - Health Law & Policy Matters

Individuals and entities subject to the Civil Monetary Penalty Law (CMP) have received clarification regarding the process for disclosing and resolving potentially unlawful conduct involving the federal health care programs (FHCP). On April 17, 2013, in response to a 2012 solicitation for comments and recommendations, the Office of Inspector General for the Department of Health and Human Services (the “OIG”) issued an updated Provider Self-Disclosure Protocol (the “Updated SDP”). The OIG published its first guidance on self-disclosure in a 1998 Federal Register notice1 and subsequently issued three open letters that expanded upon that notice.2 With the Updated SDP, the OIG has consolidated its issuances on self-disclosure into a single, 15-page document that supersedes past issuances and formalizes some aspects of the process not previously articulated in writing.

Among other things, the Updated SDP:

  1. identifies the individuals and entities and the conduct eligible for the SDP;
  2. outlines the information a disclosing party must provide in all submissions;
  3. defines specific information to be included in disclosures involving false billing, employment of individuals excluded from FHCPs, and possible violations of the Anti-Kickback Statute3 (AKS) and the Physician Self-Referral Law4 (Stark Law);
  4. addresses the tolling of a provider’s 60-day obligation to return overpayments following a submission to the SDP; and
  5. describes some of the methodologies the OIG uses for calculating damages.

The following chart summarizes key aspects of the Updated SDP. 

Components of the Updated Self-Disclosure Protocol

Key Changes


  • Minimum settlement amount
    • $50,000 for AKS violations
    • $10,000 for others
  • Eligible conduct
    • Potential violations of federal criminal, civil, or administrative law for which CMPs are authorized (collectively, “Applicable Laws”).
  • Ineligible conduct
    • Any conduct that does not involve a violation of Applicable Laws, such as conduct involving only overpayments or other payment errors or the Stark Law exclusively.5
  • Waiver of defenses under a statute of limitations or laches required in most circumstances.

Requirements are mostly consistent with the OIG’s existing procedures and practices.

The OIG made clear that a disclosing party must waive defenses related to the statute of limitations and laches and reiterated that it does not accept Stark-only disclosures.

General Disclosure Requirements

  • A concise statement of the relevant conduct disclosed.
  • Identification of the federal criminal, civil, or administrative laws potentially violated.
  • Acknowledgement of a potential violation of one or more of the Applicable Laws.
  • A summary of the findings from the internal investigation.
  • Description of the corrective actions taken upon discovery of the conduct.
  • Estimate of damages, or certification that the estimate will be submitted to the OIG within 90 days of submission of the self-disclosure.
  • Acknowledgement that the disclosed matter is the subject of a government inquiry, if applicable.

Requirements are mostly consistent with the OIG’s existing procedures and practices.

The OIG now requires the disclosing party to acknowledge that the conduct is a potential violation of law.

The OIG previously allowed the internal investigation to be completed 90 days from the date of acceptance into the SDP.

Disclosure Requirements Applicable to Certain Disclosures

  • False billing matters
    • Estimate of the improper amount paid the FHCPs (i.e., damages) based on a review of all affected claims or a statistically valid random sample.
    • If using a sample, the disclosing party must identify the sample size (100 item minimum) and methodology.
  • Excluded individual matters
    • Identification of former and current background check and screening processes used, and explanation of any corrective action taken upon discovery of the disclosed conduct.
  • AKS (and Stark Law) matters
    • The OIG identified a non-exclusive list of information it uses to assess a possible AKS violation (and Stark Law violation, if applicable), such as: the disclosing party’s fair market value determination methodology; commercial reasonableness of the financial arrangement; and the circumstances of the failure to meet a statutory requirement, an AKS safe harbor or exception, or a Stark Law exception.

The OIG formalized existing case evaluation procedures and practices but provided more transparency on the information it requires, particularly for AKS/Stark disclosures.

The OIG increased the minimum sample size from 30 to 100, but no longer requires a precision level for sampling results.

The OIG will not permit the offset overpayments with underpayments when calculating damages.

Additionally, the OIG now requires more information regarding corrective actions.

Damages calculations

  • A minimum 1.5 multiplier of single damages (rather than double or treble damages) will be sought.
  • Excluded individual matters
    • Damages are based on the dollar amount of services an excluded individual billed to the FHCPs.
    • If the excluded individual did not individually bill, the proportion of the excluded individual’s compensation and benefits attributable to the FHCPs, using the provider’s FHCP “payor mix” as a proxy.
  • AKS (and Stark Law) matters
    • Damages are based on remuneration paid rather than claims paid.

These changes mostly formalize the OIG’s existing procedures and practices.

The 1.5 minimum multiplier for damages did not appear in past guidance documents.

The OIG no longer requires its prior consent before a disclosing party may return an overpayment to another agency before SDP resolution.

If the repaid overpayment is related to the disclosed conduct, the OIG will credit the payment against the ultimate settlement.

Interplay with the 60-Day Overpayment Rule

The OIG addressed the relationship between the Updated SDP and the 60-day overpayment rule (the “Overpayment Rule”), which was passed in 2010 as part of the Affordable Care Act and which was the subject of a proposed rule published by the Centers for Medicare & Medicaid Services (CMS) in February 2012 (the “Proposed Rule”).6 Because the Overpayment Rule requires providers and suppliers to return Medicare and Medicaid overpayments within 60 days of identification, many have wondered how the Overpayment Rule related to the OIG’s previous instruction not to return overpayments that are the subject of a self-disclosure. According to the Proposed Rule, CMS intends to suspend the Overpayment Rule’s notice and repayment obligations “when [the] OIG acknowledges receipt of a submission to the OIG SDP” and “until a settlement agreement is entered, or the provider or supplier withdraws or is removed from the OIG SDP.” Consistent with the Proposed Rule, CMS Self-Referral Disclosure Protocol stays any requirements under the Overpayment Rule. The OIG plans to provide additional guidance on how participation in the SDP will account for or mitigate liability under the Overpayment Rule after CMS finalizes the regulations.

Disclosing Parties Must Weigh Costs and Benefits of Self-Disclosure

Self-disclosing possibly unlawful conduct to the OIG has both benefits and challenges. Benefits include potentially reduced damages and penalties; coordinated settlements among multiple enforcement agencies (CMS for Stark Law violations and the Department of Justice under the False Claims Act); a presumption that the OIG would not require a Corporate Integrity Agreement in exchange for the OIG’s release of its exclusion authority; and a potential stay of the 60-day deadline to return overpayments. However, a disclosing party faces a substantial burden because it must complete a thorough investigation of any potentially unlawful conduct before the self-disclosure and estimate damages within 90 days of submission. Further, the disclosing party must acknowledge that a potential violation of the Applicable Laws occurred.

Thomas Crane of Mintz Levin’s Health Care Enforcement Defense Group, who has substantial experience with the self-disclosure process, believes that “health care providers have long understood the significant challenges and risks presented by self-disclosure,” and, according to Crane, the Updated SDP “provides greater procedural clarity but raises the bar on submission requirements.” Thus, a party considering disclosure must carefully consider the conduct at issue and carefully weigh the pros and cons of submitting a self-disclosure.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin - Health Law & Policy Matters | Attorney Advertising

Written by:

Mintz Levin - Health Law & Policy Matters

Mintz Levin - Health Law & Policy Matters on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.