Epstein Becker Green Health Care and Life Sciences Client Alert

In 1998, the Department of Health and Human Services' Office of Inspector General ("OIG") published the Self-Disclosure Protocol ("SDP"), which provides a mechanism through which health care providers may voluntarily report to the OIG potential violations of criminal, civil, or administrative law governing federal health care programs for which exclusion or civil monetary penalties ("CMPs") are authorized. The OIG reported that, within the last 15 years, over 800 disclosures were resolved under the SDP, amounting to more than $280 million in recoveries for federal health care programs. On April 17, 2013, the OIG unveiled an updated SDP,[1] which includes various new provisions, such as limitations on the SDP's scope with respect to its applicability to the Stark Law, a new minimum damages multiplier, minimum settlement amounts, and guidelines for the content of submissions by providers.

In the updated SDP, the OIG continues to emphasize the importance and benefits of voluntary disclosure and notes that "good faith disclosure of potential fraud and cooperation with the OIG's review and resolution process are typically indications of a robust and effective compliance program." Significantly, the OIG states that it "instituted a presumption against requiring [corporate] integrity obligations in exchange for a release of OIG's permissive exclusion authorities in resolving an SDP matter." In fact, the OIG reports that, of the 235 cases resolved since 2008, only one required integrity measures. Additionally, the OIG confirmed that individuals and entities that take advantage of the self-disclosure process should pay a lower multiplier for purposes of calculating damages than would normally be expected in a government investigation. Although the precise multiplier may vary based on case-specific facts, the OIG states that it will generally require a minimum multiplier of 1.5.

Of particular importance, the OIG has attempted to streamline the internal process for disclosures "to reduce the average time a case is pending with OIG to less than 12 months from acceptance into the SDP." However, in order to keep within this timeframe, the OIG is now requiring that internal investigations and damages calculations be submitted 90 days from the date of an initial submission. This is a significant change from the previous version of the SDP, which required that they be completed 90 days from acceptance into the SDP. This tightened timeframe may prove to be a challenge for the health care industry.

Another significant issue addressed in the updated SDP is the time period that the OIG expects the disclosing party to investigate in connection with the disclosed potential violation. Specifically, the OIG states that it "expects disclosing parties to disclose with good faith willingness to resolve all liability within the CMPL's six year statute of limitations...." Accordingly, the OIG must agree, as a "condition precedent" to acceptance into the SDP, that the disclosing party will waive and not plead the statute of limitations, laches, or any similar defense, except to the extent that such defenses would have been available to the disclosing party had an administrative action been filed on the date of submission.

Set forth below is a summary of the information included in the updated SDP.

Eligibility to Participate in the SDP

The SDP process may be pursued by all health care providers, suppliers, or other individuals or entities subject to the OIG's CMP authorities found at 42 C.F.R. Part 1003 and is not limited to particular industries, specialties, or types of services. However, the updated SDP clarifies certain eligibility requirements for the SDP, both in terms of who may take advantage of the process and what type of conduct falls within the scope of the SDP. The updated SDP notes, in particular, that pharmaceutical manufacturers are eligible to enter the SDP. Additionally, the updated SDP confirms that disclosing parties that are already subject to a government inquiry are not necessarily precluded from using the SDP, but the SDP cannot be used as a means to avoid such inquiry. The OIG also noted that parties that are already subject to a Corporate Integrity Agreement, which has its own reporting requirements, are also able to use the SDP process.

With respect to the type of conduct that may be disclosed, the updated SDP confirms that it can be used for conduct that potentially violates federal criminal, civil, or administrative laws for which CMPs are authorized. Importantly, the OIG specifically states that, in making a disclosure, the disclosing party "must acknowledge that the conduct is a potential violation" and must identify the specific laws that are implicated. Citing the fact that disclosing parties that fail to acknowledge potential violations are the ones likely to have unclear or incomplete submissions, etc., the OIG noted that statements such as "the Government may think there is a violation but we don't agree..." may result in the disclosing party's removal from the SDP. In doing so, the OIG also reiterated that the SDP process is separate from the Advisory Opinion process and that parties are not to use the SDP process to request an opinion from the OIG if a violation or potential violation occurred.

It is also important to note that, before making a disclosure, disclosing parties must ensure that the conduct concerning the potential violation has ended or that corrective action will be taken and that the improper arrangement will be terminated within 90 days of submission to the SDP.

Finally, the OIG addresses in the updated SDP that, in addition to the SDP, the Centers for Medicare & Medicaid Services ("CMS") has its own Self-Referral Disclosure Protocol ("SRDP") for those arrangements that involve liability only under the federal physician self-referral law, commonly referred to as the "Stark Law." (The intersection between federal Anti-Kickback Statute ("AKS") and Stark Law liability is addressed below.)

Disclosure Requirements

There are several requirements that must be met and addressed in a disclosing party's submission for acceptance into the SDP. As indicated above, disclosing parties must conduct internal investigations related to the conduct subject to the disclosure. In cases where an internal investigation is not completed before submission, the disclosing party must certify (as part of that submission) that it will complete the internal investigation within 90 days of the date of its initial submission (not 90 days of the provider's acceptance into the SDP).

Disclosures may be submitted electronically through the OIG's website or via mail. As noted in the updated SDP, all submissions must include the following information: [2]
  • The name, address, type of health care provider, provider identification number(s), and tax identification number(s) of the disclosing party and the Government payors (including Medicare contractors) to which the disclosing party submits claims or a statement that the disclosing party does not submit claims.
  • If the disclosing party is an entity that is owned or controlled by or is otherwise part of a system or network, an organizational chart, a description or diagram describing the pertinent relationships; the names and addresses of any related entities; and any affected corporate divisions, departments, or branches.
  • The name, street address, phone number, and email address of the disclosing party's designated representative for purposes of the voluntary disclosure.
  • A concise statement of all details relevant to the conduct disclosed, including, at minimum, the types of claims, transactions, or other conduct giving rise to the matter; the period during which the conduct occurred; and the names of entities and individuals believed to be implicated, including an explanation of their roles in the matter.
  • A statement of the Federal criminal, civil, or administrative laws that are potentially violated by the disclosed conduct.
  • The Federal health care programs affected by the disclosed conduct.
  • An estimate of the damages, as described in the applicable section below, to each Federal health care program relevant to the disclosed conduct, or a certification that the estimate will be completed and submitted to OIG within 90 days of the date of submission. When a disclosing party can determine the amount of actual damages to Federal health care programs, the actual damages amount must be provided instead of an estimate.
  • A description of the disclosing party's corrective action upon discovery of the conduct.
  • A statement of whether the disclosing party has knowledge that the matter is under current inquiry by a Government agency or contractor. If the disclosing party has knowledge of a pending inquiry, it must identify any involved Government entity and its individual representatives. The disclosing party must also disclose whether it is under investigation or other inquiry for any other matters relating to a Federal health care program and provide similar information relating to those other matters.
  • The name of an individual authorized to enter into a settlement agreement on behalf of the disclosing party.
  • A certification by the disclosing party, or, in the case of an entity, an authorized representative on behalf of the disclosing party, stating that to the best of the individual's knowledge, the submission contains truthful information and is based on a good faith effort to bring the matter to the Government's attention for the purpose of resolving potential liability to the Government and to assist OIG in its resolution of the disclosed matter.

In addition, the OIG provided additional guidance in the updated SDP related to specific information that must be included for certain types of conduct.

Conduct Involving False Billing

When a disclosure involves the submission of improper claims to federal health care programs, disclosing parties must conduct a review to estimate damages and report their findings, being sure to include the information specified in the SDP. The damages estimate can be done in one of two ways: (1) a review of all claims impacted by the disclosed conduct, or (2) a review conducted through a statistically valid random sample of claims (of at least 100 items generally), which would then be projected to the entire population of claims at issue. If a disclosing entity chooses to review a statistical sample, the protocol includes specific instructions and guidance related to how the sample must be generated and reviewed.

In the updated SDP, the OIG set forth information that must be included for conduct involving improper billing. Of particular importance, the OIG noted that the review should be conducted by qualified individuals—e.g., statisticians, accountants, auditors, consultants, and medical reviewers—and include a description of their qualifications in the submission. The updated SDP also noted that, if the review is based upon a sample, then the sample size must be at least 100 claims. Further, to avoid unreasonably large sample sizes, the OIG no longer requires a minimum precision level for the review of claims.

Conduct Involving Excluded Individuals

If the disclosure relates to conduct involving excluded individuals, the OIG outlined in the updated SDP the specific information that must be provided.

The OIG states that, prior to disclosing the employment of an excluded individual, disclosing parties must screen all current employees and contractors against the List of Excluded Individuals/Entities ("LEIE") and disclose all excluded persons in one submission. Damages calculations involving excluded persons can be challenging because items and services provided by excluded persons are not always billed separately (e.g., services or items provided by nurses, respiratory therapists, or administrative personnel). As such, the OIG noted that, if the items or services provided by excluded individuals are billed separately, the disclosure should include the total amounts claimed and paid by the federal health care programs for those items or services. In the case of items and services not billed separately, the damages calculation involves using the disclosing party's total costs of employment or contracting during the exclusion in order to estimate the value of items and services provided by that individual. This amount should then be multiplied by the disclosing party's revenue-based federal health care program payor mix for the relevant time period and used as a proxy for the amount paid and the single damages to the federal health care programs that resulted from employment of the excluded person.

Conduct Involving the AKS and the Stark Law

The OIG recognized that a large number of submissions relate to potential violations of the AKS, including conduct that may also violate the Stark Law.

According to the updated SDP, disclosing parties must include a succinct statement of all the details that are directly relevant to the disclosed conduct as well as a specific analysis of why each disclosed arrangement potentially violates the AKS and, if applicable, the Stark Law. Further, the description should include the identities of individuals who participated in the conduct, their relationship to one another to the extent that the relationship affects their potential liability, the payment arrangements, and the dates during which the conduct occurred. The OIG also noted that the disclosure should discuss any relevant background and those features of the arrangement that raise potential liability.

In the updated SDP, the OIG provided the following five examples of information deemed to be helpful when assessing and resolving the disclosed conduct involving AKS, and possibly Stark Law, violations:[3]
1. How fair market value was determined and why it is now in question.
2. Why required payments from referral sources, under leases or other contracts, were not timely made or collected or did not conform to the negotiated agreement and how long such lapses existed.
3. Why the arrangement was arguably not commercially reasonable (e.g., lacked a reasonable business purpose).
4. Whether payments were made for services not performed or documented and, if so, why.
5. Whether referring physicians received payments from Designated Health Service entities that varied with, or took into account, the volume or value of referrals without complying with a Stark Law exception. Finally, the submission must describe the corrective action taken to remedy the suspect arrangement(s), as well as any safeguards implemented by the disclosing party to prevent the conduct from reoccurring.

Since the government considers AKS and Stark Law compliance to be conditions of payment by the federal health care programs, the disclosing party must submit an estimate of the amount paid by federal health care programs for the items or services associated with the potential violations. In order to quantify this amount, the disclosing party may use the same methodology proposed for conduct related to fraudulent billing. Alternatively, the disclosing party may use another methodology and explain the methodology in the submission.

The disclosure must include the total amount of remuneration, whether or not the disclosing party believes that a portion of the remuneration was offered, paid, solicited, or received for a lawful purpose. However, a disclosing party should still explain what it believes is the value of the financial benefit received under the arrangement and whether any portion of the total remuneration should not be considered by the OIG when determining an appropriate settlement.

Resolution and Other Considerations

As the OIG notes in the updated SDP, in order to "promote transparency and realistic expectations in the SDP process," it will require minimum settlement amounts for participants in the SDP. For kickback-related disclosures, there is a minimum of $50,000 to resolve the matter. For all other accepted matters, there is a minimum of $10,000 to resolve the matter. These minimums include federal health care program damages and any relevant multiplier. If, prior to resolution, the disclosing party refunded an overpayment related to the same conduct, the OIG will credit the amount refunded toward the ultimate settlement amount. However, the OIG is not bound by any amount that is repaid outside the SDP process. Therefore, the OIG may question the methodology of the overpayment calculation. Even if the OIG agrees with the calculation, the disclosing party should expect to pay a multiplier on the damages under the SDP.

In the event that a disclosing party is unable to pay an otherwise appropriate settlement amount, the disclosing party should raise this "ability to pay" issue at the earliest possible time, preferably in the submission. The disclosing party will need to provide, and certify to the truthfulness and completion of, extensive financial information, including audited financial statements, tax returns, and asset records. In addition to submitting the financial information, the disclosing party should include an assessment of how much it believes that it can afford to pay.

In cases where the OIG determines that no potential fraud liability exists, the OIG will refer the matter to the appropriate payor for the acceptance of the overpayment. However, a CMP release will not be provided.

According to the OIG, the resolution of potential violations disclosed through the SDP depends on numerous factors, including the OIG's coordination with the Department of Justice and CMS, as well as the disclosing party's willingness to cooperate. In exchange for the disclosing party's cooperation throughout the SDP process, the disclosing party is generally afforded a speedy resolution, lower multiplier, and an exclusion release without integrity agreement obligations. According to the OIG, disclosing parties that fail to cooperate in good faith will be removed from the SDP.

* * *

This Client Alert was authored by George B. Breen, Jason E. Christ, Anjali N.C. Downs, Jennifer K. Goodwin, David E. Matyas, Deepa B. Selvam, and Carrie Valiant. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.

If you would like to be added to our mailing list or need to update your contact information, please contact Lisa C. Blackburn at lblackburn@ebglaw.comor 202-861-1887.


[1] See Office of Inspector General, Dep't of Health & Human Serv., Updated OIG's Provider Self-Disclosure Protocol (Apr. 17, 2013), available athttps://oig.hhs.gov/compliance/self-disclosure-info/files/Provider-Self-Disclosure-Protocol.pdf.

[2] Id. at 5-6.

[3] Id. at 11-12.

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.