OIG Issues Revised Provider Self-Disclosure Protocol

Healthcare Alert

Client Alert

Author(s) , , ,

On April 17, 2013, the Office of Inspector General (OIG) of the United States Department of Health and Human Services (HHS) revised its Provider Self-Disclosure Protocol (SDP), originally published in 1998, and updated in 2006, 2008, and 2009. The revision replaces the original publication and updates.

At its core, the SDP provides a formal mechanism for a health care provider to internally investigate potential violations of federal law and to submit a report to the OIG.

Four revisions are perhaps the most notable. Though OIG has probably made similar expectations clear to health care providers that have used the previous SDP, now OIG has made these expectations public and more formal. First, the OIG has now stated explicitly that its “general practice is to require a minimum multiplier of 1.5 times single damages,” a figure much less than the potential multiplier of 3 times single damages permitted by the Civil Monetary Penalties Law and the False Claims Act (FCA). Second, the SDP now provides more guidance for disclosure of potential violations not involving claim errors, specifically for potential violations involving the anti-kickback statute or individuals excluded from federal health care programs. Third, the SDP addresses, albeit tentatively, the 60-day overpayment rule proposed last year by the Centers for Medicare & Medicaid Services (CMS). Fourth, the SDP shortens the available timeframe for health care providers by requiring a complete submission 90 days after initially submitting into the SDP, not 90 days after the OIG accepts a submission.

As revised, the SDP explains who can disclose and for what; the benefits of disclosure; the requirements of a disclosure submission; and how potential violations are resolved after submission.

Who Can Disclose and for What

As the SDP confirms, all health care providers can use the SDP to disclose potential violations of federal criminal, civil, or administrative laws. In practice, hospitals have used the SDP more than other providers have, accounting for over a third of the over 800 total disclosures. These disclosures also include potential violations based on successor liability.

Several explicit and practical limitations exist however. For example, these potential violations do not include arrangements that create liability only under the physician self-referral law, the Stark Law. And the OIG expects not only that the conduct underlying the potential violation will have ended but also that a disclosing party waive any statute of limitations defenses that would be available in a related OIG administrative action. Dollar-amount thresholds also exist: $50,000 for kickback-related conduct and $10,000 for other conduct.

Benefits of Disclosure

Most obviously, using the SDP would lower the risk of a whistleblower action or a government investigation.

In return for using the SDP, a provider seems likely to escape the ongoing burden of a Corporate Integrity Agreement (CIA) and to pay less than the triple damages possible. Citing its actual practice, the OIG has required a CIA in only one of 235 settled cases. The OIG also cites its general practice in suggesting a 1.5 multiplier on damages but also reserves its right to a higher one.

Notably, the OIG relies on the language of CMS’s proposed February 2012 rule on 60-day overpayment obligations. The OIG first cites the proposal to state that its acknowledging receipt of an SDP submission suspends the obligation to report overpayments. Second, the proposal would suspend the obligation to return overpayments until removal from the SDP or settlement. The SDP would apparently satisfy the reporting requirements for overpayments stemming from a potential violation. But reporting straight overpayments would probably occur through a Medicare Administrative Contractor. Practically, reviewing a seemingly straight overpayment, investigating underlying conduct, and deciding to use the SDP may require more than 60 days, rendering the SDP-triggered suspension unavailable.

Requirements of a Disclosure Submission

The SDP lays out the requirements for disclosure submissions generally and then, specifically, for disclosure submissions that involve three specific types of conduct: false billing; conduct involving excluded persons; and conduct involving the anti-kickback statute and physician self-referral law (Stark Law). The requirement to describe corrective actions taken is both a general requirement and a specific one.

All disclosure submissions must acknowledge that the underlying conduct is a “potential violation” of an explicitly identified law. Beyond that requirement, all disclosure submissions must include ten categories of information:

  • the provider ID number and contact information;
  • a listing of entity structure;
  • the contact information for a designated representative;
  • a concise statement of all relevant details—conduct, time period, and identification of involved individuals and their roles, for example;
  • a listing of affected federal health care programs;
  • an estimate of damages;
  • a description of corrective actions taken;
  • the identification of any government inquiry for the disclosed conduct or any other conduct related to federal health care programs;
  • the name of the individual with settlement authority; and
  • a certification that the information is truthful and submitted in a good faith effort to resolve potential liability.

For conduct involving false billing, the SDP lays out specific requirements for estimating damages. In particular, a provider submitting a disclosure must review either all claims affected by the potential legal violations or a statistically valid random sample. The disclosure submission must then identify both how the provider conducted the review and the information underlying the sampling, if applicable.

For conduct involving excluded persons, the SDP requires the following six items:

  • the identity of the excluded individual;
  • the individual’s job duties;
  • the dates of the individual’s employment or contractual relationship;
  • a description of background checks completed on the individual;
  • a description of the screening process performed; and
  • a description of how the conduct was discovered.

Further, a disclosure submission for conduct involving excluded persons should estimate damages based on the total costs of employing that person multiplied by percentage of revenue derived from federal health care programs. For conduct involving the anti-kickback statute and the Stark Law, additional information requirements also exist. Basically, a provider should describe the involved parties and the context—their identities, their relationship to one another, payment arrangements, and dates for the suspect arrangement. The SDP provides specific examples of potentially helpful questions to answer:

  • How fair market value was determined;
  • Why and for how long payments were not timely made or collected or did not conform to a negotiated agreement;
  • Why the arrangement lacked a reasonable business purpose;
  • Whether payments were made for unperformed or undocumented services; and
  • Whether referring physicians received payments violating the Stark Law.

To calculate damages for conduct involving the anti-kickback statute and the Stark Law, a provider may follow the requirements for disclosing false billing. In any event, a provider must include the total amount of remuneration that each arrangement involved and, if applicable, why the OIG should disregard any part of the remuneration. The OIG usually bases SDP settlement discussions on the total amount of remuneration.

Resolution under the SDP

The OIG emphasizes that parties should demonstrate continued cooperation, indicated by “conducting a thorough investigation, submitting all necessary information, communicating through a consistent point of contact, being responsive to OIG requests for additional information, and being willing to pay a penalty or multiplier of damages for self-disclosed conduct.” Otherwise, the OIG may remove a provider from the SDP. Settlement of any FCA liability requires Department of Justice (DOJ) participation, as does settlement of any criminal liability. When the DOJ becomes involved, the OIG promises to advocate for the provider by highlighting the disclosure.


The SDP is no guarantee. Much if not most of the conduct a provider can disclose to the OIG also violates the criminal and civil laws enforced by the DOJ. The OIG can offer no guarantees of DOJ leniency. Indeed, though the DOJ seems unlikely to institute a criminal proceeding against a disclosing provider, the DOJ, as recently reflected in its 2012 Foreign Corrupt Practices Act guidance, seems hesitant to quantify the benefits of cooperation. Further complicating the SDP process is the DOJ’s own willingness to take self-disclosures.

Second, the SDP process could unveil a whistleblower and lead to an FCA case. Third, the SDP requires documentation of potential violations. This creates uncertainty both for the privileged matter underlying an internal investigation and for continued confidentiality under the Freedom of Information Act. At minimum, this requires a provider to manage the SDP process carefully, cooperating while also minimizing the number of admissions made and ensuring that few sources of information about potential violations are referenced.

Finally, a provider removed from the SDP for failing some expected level of cooperation may find itself an obviously easy target for enforcement.

At bottom, the revised SDP offers more guidance on what the OIG is seeking from disclosing providers, which allows providers to make more informed decisions. Thus, the OIG’s SDP is a welcome and streamlining addition to the OIG’s library of guidance.

      You might also be interested in...