OIG Releases Updated Provider Self-Disclosure Protocol

Skadden, Arps, Slate, Meagher & Flom LLP

John T. Bentivoglio Jennifer L. Bragg Michael K. Loucks Gregory M. Luce Alexandra M. Gorman

On April 17, 2013, the Office of the Inspector General (OIG) of the United States Department of Health and Human Services released an updated Provider Self-Disclosure Protocol (SDP).1  As self-described, OIG updated the SDP to provide disclosing parties with a better understanding of time frames, requirements for complete disclosure and potential post-disclosure resolutions, and to streamline and expedite the SDP process.  While the updated protocol contains some incentives for self-disclosure, some of its new provisions will have the opposite impact and discourage companies and individuals from participating in the already infrequently used process.  


Top-Line Summary

  • To be eligible for the SDP, a disclosing party must now: (1) specify the laws that were potentially violated, (2) agree to waive any statute of limitations, laches or similar defenses, and (3) ensure that corrective actions have been implemented and the misconduct has stopped.
  • OIG shortened the time line for a disclosing party to complete its investigation from “within 3 months after acceptance into the SDP” to “within 90 days of the date of its initial submission.”
  • The SDP now provides precise guidelines for disclosures involving false billing, excluded persons and violations of the federal anti-kickback statute and physician self-referral law.
  • The updated SDP establishes a minimum settlement amount for non-anti-kickback statute violations, and provides greater transparency on OIG’s coordination with the Department of Justice and Centers for Medicare and Medicaid Services to resolve criminal and civil liability.
  • OIG’s statement of its view of the benefits of the SDP process:  (1) resolution in most matters without a corporate integrity agreement, (2) settlement with a 1.5 damages multiplier in most instances, and (3) suspension, while the SDP is pending, of the obligation to report and return overpayments to the federal health care programs.


Background of OIG’s Provider Self-Disclosure Protocol

OIG issued the original SDP in 1998 with the “principal purpose” of “provid[ing] guidance to health care providers that decide voluntarily to disclose irregularities in their dealings with the Federal health care programs.”2  OIG intended to offer health care providers, whether individuals or entities, a process to voluntarily identify, disclose and resolve potential violations of federal criminal law, civil law or administrative laws for which exclusion or liability under OIG’s civil monetary penalty (CMP) is authorized. In particular, the SDP provided guidance on how to investigate conduct, quantify damages and report conduct to OIG.

In the 15 years since it first issued the SDP, OIG has resolved about 800 disclosures and recovered more than $280 million for the federal health care programs, for an average of 53 disclosures each year with a payment of $350,000. In comparison, this amounts to less than 1 percent of the $25 billion that the Department of Justice (DOJ) and OIG recovered in health care fraud criminal and civil settlements during the same period.

Updated SDP Eligibility Criteria

Under OIG’s revisions, the SDP remains available to all health care providers, suppliers, or other individuals or entities who are subject to OIG’s CMP authorities and are seeking to disclose potential violations of federal criminal, civil or administrative laws for which exclusion or CMPs are authorized. The SDP remains unavailable to matters involving overpayments, errors or arrangements solely involving the Stark Law. Eligibility is now also dependent on the party satisfying several preconditions. First, a disclosing party “must acknowledge that the conduct is a potential violation” and “explicitly identify the laws that were potentially violated” — general references to “Federal laws, rules, or regulations” or “the Social Security Act” will not suffice. Second, a disclosing party must agree to waive any statute of limitations, laches or similar defenses (unless those defenses would have been available had an administrative action been initiated on the date of submission). Third, a disclosing party “should” ensure that corrective actions are implemented and the misconduct has stopped by the time of disclosure or, for improper kickback arrangements, within 90 days of submission.

OIG intends these revisions to (1) reduce the likelihood of delays resulting from the “back-and-forth” over “unclear or incomplete submissions,” (2) ensure that all CMP liability is resolved within the applicable statute of limitations, and (3) accelerate the remediation of illegal conduct.

Updated and Clarified SDP Disclosure Obligations

OIG made several revisions to the SDP’s general disclosure requirements. The SDP now requires a disclosing party to certify in its submission that it will complete its investigation within 90 days of its initial submission, as opposed to the previous time frame of 90 days from acceptance. OIG believes this change will further facilitate the timely resolution of SDP matters.

The updated SDP also outlines 11 categories of information required for all submissions. These categories include (1) biographical information on the provider and its organizational structure, (2) a concise statement of details about the conduct, (3) a statement about the laws that potentially have been violated and the federal health care program affected, (4) a description of the corrective action, and (5) an estimate of damages.

In addition to these categories, OIG requires conduct-specific disclosures. The SDP now includes guidance on OIG’s expectations for complete disclosure of conduct involving false billing, excluded persons, and violations of the federal anti-kickback statute (AKS) and Stark Law.

Disclosures Involving False Billing

For conduct involving improper claims to the federal health care programs, the framework remains much the same. A disclosing party must conduct a review to estimate the improper amount paid by the Federal health care programs — i.e., damages — and prepare a report of its findings. The report, at a minimum, must include a description of the review objective, population, sources of data, personnel qualifications and characteristics measured. Damages may be estimated through a review of all affected claims or a sample of affected claims.

OIG made significant changes to the requirements for estimating damages from samples of affected claims. OIG now requires reports containing damage estimates derived from samples to include a Sampling Plan disclosing eight — as opposed to eleven — categories of information. OIG also increased the minimum sample size for damage estimates from “at least thirty (30) sample units” to “at least 100 items” and provides for the use of a “mean point estimate” to calculate damages. The new rules eliminate the use of “probe samples” and “minimum precision levels.”

Disclosures Involving Excluded Parties

According to OIG, it receives many submissions disclosing the employment of, or contracting with, individuals who appear on OIG’s List of Excluded Individuals and Entities (LEIE).3 For that reason, OIG provided specific guidance on the requirements for a complete disclosure of this conduct. These requirements include (1) biographical information on the excluded party, (2) a description of background checks performed on the excluded party, (3) a description of the disclosing party’s screening process, and (4) a description of how the conduct was discovered and the corrective measures implemented to prevent future occurrences. Also, a disclosing party must now screen all current employees and contractors against the LEIE.

The SDP also specifies the required method for calculating damages in such disclosures. For direct providers — i.e., individuals who furnish, order or prescribe separately billed items or services — the disclosing party must include the total amounts claimed and paid by the federal health care programs for those items or services. The SDP also provides guidance on calculating damages for indirect providers — i.e., individuals who provide items or services that are not billed separately to the federal health care programs, including nurses, respiratory therapists, and billing or other administrative services. For items or services furnished by these individuals, OIG will use the disclosing party’s total costs of employment or contracting (including all salary and benefits) to estimate the value of the items and services provided by the excluded individual. That amount is then multiplied by the disclosing party’s federal program payer mix, and the resulting amount is used in a settlement as a proxy for damages to the federal health care programs.

Disclosures Involving the Anti-Kickback Statute and Stark Law

The updated SDP reaffirms that the process is not available to parties disclosing conduct solely involving potential violations of the Stark Law, a policy change first announced in the 2009 Open Letter. To be eligible, disclosures must either implicate the AKS or both the AKS and Stark Law. Consequently, a party contemplating disclosure is responsible for determining whether a potential violation should be disclosed through OIG’s SDP or the Centers for Medicare and Medicaid Services’ (CMS) Self-Referral Disclosure Protocol (SRDP).4

Significantly, a party choosing to disclose conduct through the SDP will now face increased disclosure obligations. Indeed, the SDP reiterates that a disclosing party must clearly acknowledge that in its “reasonable assessment of the information available at the time of the disclosure,” the arrangement(s) constitute potential violations of the AKS. A party’s narrative submission also must now include a concise statement detailing (1) the parties involved in the arrangement(s), (2) the context and features of the arrangement(s), and (3) specific legal analysis of why the arrangement(s) violate the AKS. The SDP makes clear that OIG will not accept a disclosing party into the SDP that fails to clearly acknowledge the potential violation and disclose information sufficient for OIG to understand the precise nature of the conduct.

Increased Transparency for Post-Disclosure Resolutions

The SDP now provides a party contemplating disclosure with a better understanding of possible post-disclosure resolutions. The updated SDP formally implements minimum settlement amounts. For AKS-related submissions, OIG adopted the $50,000 minimum settlement amount set by the 2009 Open Letter, and for all other conduct, OIG set a minimum settlement amount of $10,000. These amounts are alleged to be consistent with OIG’s statutory authority to impose penalties under Section 1128A(a) of the Social Security Act, and are intended “to better allocate disclosing party and OIG resources.”

The updated SDP also transcends OIG’s previous statements that it “generally [resolves matters] near the lower end of the damages continuum,” and explicitly adopts a minimum damages multiplier of 1.5 times the single damages.5 For conduct involving the AKS and Stark Law, the SDP acknowledges that OIG “generally” settles these violations for “an amount based upon a multiplier of the remuneration conferred by the referral recipient” to the source of the referral. At the same time, however, the SDP reaffirms OIG’s “broad discretion in determining an appropriate resolution in these cases” and cautions that the use of a “remuneration-based methodology” in the SDP context does not govern OIG’s position in other situations (i.e., government-initiated investigations where it may use any legally supportable measure of damages, multipliers or penalties).

In addition to providing greater transparency about settlement and damages, OIG also highlights the cooperation between OIG, DOJ and CMS to resolve SDP matters. The SDP now explicitly acknowledges that OIG will “coordinate” with CMS on the review and resolution of matters involving violations of the Stark Law, but the nature of such “coordination” is unclear. More importantly, the SDP also contemplates DOJ’s participation in the settlement of civil and criminal conduct and emphasizes that DOJ will determine the “appropriate” resolution. Notably, OIG also states that in coordinating with DOJ, it will “advocate” that disclosing parties receive a benefit from disclosing, including that civil matters be resolved consistent with OIG’s approach.

The Pros and Cons of Self-Disclosure

Ultimately, a party’s decision on whether or not to self-disclose a potential violation of law that it is not otherwise required to report is a fact- and circumstance-specific determination. A party contemplating self-disclosure should undertake a comprehensive analysis of the benefits and the risks of disclosing potential violations to OIG. The new changes in the protocol create both significant incentives and disincentives to participation, and we review those here.

Pros. On the pro side, the updated SDP protocol provides a party with a clearer understanding of the disclosure process, OIG’s expectations for complete disclosure and potential post-disclosure resolutions. Unlike a government-initiated investigation, a matter resolved through the SDP generally will settle without an integrity agreement obligation.6 OIG also has confirmed that matters resolved through the SDP generally will settle for a lower damages multiplier than would be required in a government-initiated investigation. Although OIG acknowledged that a higher multiplier may be warranted in some circumstances, OIG specified that its “general practice is to require a minimum multiplier of 1.5 times the single damages” when resolving an SDP matter.

Also, disclosure through the SDP affords a provider greater flexibility for reporting and returning overpayments to the federal health care programs. Consistent with CMS’s Notice of Proposed Rulemaking from February 2012, OIG adopted CMS’s proposal to suspend a provider’s obligation, under Section 1128J of the Social Security Act, to report and return identified overpayments within 60 days.7

Cons. There are significant cons in the updated SDP protocol.

First, a party contemplating disclosure must be willing to agree to OIG’s preconditions to eligibility. A party should consider the implications of explicitly identifying the laws that were potentially violated, particularly since admission to the SDP is not guaranteed and the new process includes OIG coordination and cooperation with DOJ and CMS. The updated protocol would appear to require an individual to waive his or her Fifth Amendment rights without any guarantee of acceptance into the program. This waiver of the protections of the Fifth Amendment, coupled with the requirement in the updated SDP of waiver of any applicable statute of limitations, laches or similar defenses, creates significant exposure for would-be self-disclosing parties. In addition, any such admission would not be privileged, and plaintiff’s firms could seek to obtain such admissions from OIG (through the Freedom of Information Act process) or directly from the company in discovery. Finally, the condensed time frame can be expected to put pressure on individuals or entities considering disclosure to complete, perhaps at considerable expense, internal investigations prior to initiating the SDP process. Based on its prior history, the likelihood of OIG’s review resulting in a similarly timely resolution is modest. And no unresolved SDP disclosure affords a complete defense to a pending qui tam suit.8

Second, the increased transparency of OIG’s expectations for complete disclosure is not necessarily a benefit. A party contemplating disclosure must ensure that it has sufficient resources available to complete its internal investigation and implement corrective actions within the SDP’s compressed time frame. In complicated matters, this will effectively mean that the investigation must be done and conclusions drawn before the SDP process is initiated. Similarly, OIG’s update has all but foreclosed the opportunity for “back-and-forth” discussions concerning the scope of a party’s submission. Third, while OIG promises use of a lower multiplier, the requirement of completion of the investigation coupled with the admission of liability/culpability described above can be expected to inhibit negotiations regarding the single damages figure. Thus, during settlement negotiations following a government investigation, there is typically considerable give and take in arriving at a single damages figure as the basis for the settlement and the government must realistically consider limitations in its ability to prove its case. The revised SDP process with its various admission and defense waiver requirements can be expected to cabin, if not largely eliminate, this debate and the government could prove to be quite inflexible on the determination of single damages. Accordingly, the benefit of the “lower” 150 percent multiplier could prove to be illusory.

Finally, a disclosing party must be willing to accept and be comfortable with OIG’s inevitable coordination with DOJ and CMS. Should DOJ choose to participate in a settlement of the matter, the SDP is clear that DOJ — and not OIG — will determine the appropriate resolution. Parties considering self-disclosure should anticipate that DOJ may take a harder line than OIG on the scope of the self-disclosure and the scope of release protection provided.

Skadden Comment

When evaluated objectively, OIG’s updated protocol perpetuates existing barriers and creates significant new barriers to use of the program that undercut the agency’s stated goal of encouraging disclosures. Companies considering using the self-disclosure protocol will have to admit potential culpability as a part of the process. Coupling that with the automatic inclusion of DOJ in the process could trigger criminal investigations of company employees. Thus, entry into the SDP may not bring any closure and indeed may not stave off an expensive, time-consuming and potentially very damaging DOJ investigation, particularly where the disclosed misconduct involved upper management, was widespread or occurred over an extended period of time, or involves other factors that would typically interest federal prosecutors. Similarly, parties contemplating disclosure should not expect significant government flexibility in calculating the single damages figure. The required admission of potential liability, identifying the claims that were potentially false and calculating single damages leave disclosing parties vulnerable to qui tam suits. Even acceptance into the SDP does not deprive a court of False Claims Act jurisdiction over a qui tam suit. And, such admissions submitted to OIG may foreclose a motion to dismiss a pending qui tam case while OIG considers the disclosure.

In sum, the updated SDP is unlikely to substantially expand the use of voluntary disclosures and affords only modest assurances of a favorable resolution while posing considerable risks to the disclosing entity.


1 OIG’s Provider Self-Disclosure Protocol (April 17, 2013), http://oig.hhs.gov/compliance/self-disclosure-info/. The update follows last year’s solicitation by OIG of public comments on potential revisions, and supersedes all prior OIG guidance, including the original 1998 SDP and three subsequent Open Letters issued in 2006, 2008 and 2009. Provider Self-Disclosure Protocol, 63 Fed. Reg. 58399 (October 30, 1998); Open Letter to Health Care Providers (April 24, 2006); Open Letter to Health Care Providers (April 15, 2008); Open Letter to Health Care Providers (March 24, 2009). See also Solicitation of Information and Recommendations for Revising OIG’s Provider Self-Disclosure Protocol, 77 Fed. Reg. 36281(June 18, 2012).

2 Provider Self-Disclosure Protocol, 63 Fed. Reg. 58399, 58400 (October 30, 1998).

3 See List of Excluded Individuals and Entities, https://exclusions.oig.hhs.gov.

4 OIG’s insistence that the SDP not be used in conjunction with a parallel disclosure to CMS under the SRDP is not explained and appears to be little more than a bureaucratic turf fight. The assurance that OIG will “coordinate” such disclosures with CMS is vague, at best.

5 For prior SDP settlements, see Selected Provider Self-Disclosure Protocol Settlements, https://oig.hhs.gov/fraud/enforcement/cmp/self_disclosure.asp (last visited April 21, 2013).

6 OIG confirmed that since announcing this general policy in the 2008 Open Letter, only one of the 235 SDP matters it resolved required specific integrity measures.

7 See Notice of Proposed Rulemaking, 77 Fed. Reg. 9179 (February 16, 2012).

8 Indeed, a qui tam relator may hasten the filing of a qui tam if aware that a SDP submission is being prepared.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.