OIG’s Provider Self-disclosure Protocol: Updated and Improved
Before you self-disclose, be sure to undergo a detailed internal investigation.
On April 17, 2013 the U.S. Department of Health & Human Services (HHS) Office of Inspector General (OIG) issued an updated Provider Self-Disclosure Protocol, revising its guidance on how healthcare providers, suppliers, and other individuals or entities can voluntarily identify, report, and resolve instances of potential fraud and abuse involving federal healthcare programs.
The OIG issued the original protocol in 1998 with the “principal purpose” of providing “guidance to health care providers that decide voluntarily to disclose irregularities in their dealings with Federal health care programs.”
The OIG has now streamlined its disclosure process to allow for expedited resolutions by deleting the full internal investigation report requirement, and by only accepting submissions relevant to specific federal laws, such as the False Claims Act, the anti-kickback statute, and claims pertaining to excluded individuals. More emphasis is placed on the disclosing party’s responsibility of undergoing an internal investigation before disclosure submission and providing detailed findings to the OIG.
Satisfy Self-disclosure Preconditions
A healthcare provider’s acceptance into the self-disclosure process is now dependent on the party satisfying several preconditions:
- A disclosing party must ensure the conduct violating federal criminal, civil, or administrative laws has ended at the time of disclosure, or for “improper kickback arrangements, that corrective action will be undertaken and the improper arrangement will be terminated within 90 days of submission.” Corrective actions must be designed to correct the underlying problem that results in program violations and to prevent future non-compliance.
- A disclosing party must agree to waive any defenses related to the statute of limitations and laches (a proceeding in which a plaintiff seeks equitable relief) pertaining to any administrative action filed by the OIG.
- A disclosing party “must acknowledge that the conduct is a potential violation” and “explicitly identify the laws that were potentially violated.” General references to federal laws or the Social Security Act will not suffice. Failure to acknowledge that the conduct is a potential violation may result in a longer review and resolution process, and removal from the protocol.
To further expedite the self-disclosure process, the OIG launched, on July 8, 2013, an online self-disclosure protocol submission process for healthcare practitioners and entities (see https://oig.hhs.gov/compliance/self-disclosure-info/index.asp). Previously, submissions were only accepted if they were written and mailed to the OIG. This new submission route should increase the efficiency with which the OIG initially responds to provider self-disclosures of potential federal healthcare program violations.
The OIG intends the protocol to reduce delays due to unnecessary “back-and-forth” over “unclear or incomplete submissions” that might have resulted in a disclosing party’s removal from the protocol, but now should expedite the remediation of illegal conduct.
The OIG lists four incentives given to healthcare providers who self-disclose potential violations:
- The OIG will no longer require Corporate Integrity Agreement (CIA) obligations in exchange for releasing the disclosing party from permissive exclusion. CIAs are agreements the OIG negotiates with healthcare providers and other entities as part of a settlement. In a CIA, providers agree to a list of conditions in exchange for the OIG not seeking their exclusion from federal healthcare programs. In the past, the OIG required all healthcare providers and entities to enter into a CIA to resolve a self-disclosure matter.
- The updated protocol includes a lower multiplier (1.5 times the single damages) as a reward for using it and cooperating with the OIG. The statutory multiplier is three times the total amount claimed; by using the protocol, a provider or entity can drastically lower the monetary penalties it may have to pay for a violation. The prior protocol did not set forth any damage multipliers or relevant civil monetary penalties (CMPs).
- The Centers for Medicare & Medicaid Services (CMS) has proposed to suspend “the obligation to report overpayments” when the OIG acknowledges receipt of a timely submission into the self-disclosure protocol. This proposal also includes a suspension of the obligation to return overpayments until a settlement is reached or the provider withdraws from the protocol. CMS had not issued a final ruling on this proposal prior to this article going to print. To date, CMS requires an overpayment to be reported and returned within 60 days after the identified overpayment date or the date any cost report is due.
- The OIG has reduced the time a case is pending to less than 12 months. Normally, investigative work requires more than a year to yield results but, in an effort to reward disclosing parties who voluntarily come forward, the OIG will expedite its investigation by having all of the information needed to resolve a matter in their possession prior to the initiation of an investigation.
The OIG also has changed the time frame for submission of a disclosing party’s internal investigation findings and damage calculations from 90 days after acceptance into the protocol to 90 days from the date of initial submission. This may pressure individuals or entities considering disclosure to complete internal investigations before initiating the self-disclosure process.
Eligibility Criteria and Guidance
The OIG has expanded its eligibility criteria and guidance, which informs providers of who may use the self-disclosure protocol, and the conduct eligible for the protocol.
The protocol is open to all healthcare providers and entities to disclose potential violations of federal criminal, civil, or administrative laws, such as violations of the anti-kickback statute, because such violations entail concomitant competitive medical plan liability.
Ineligible conduct includes using the self-disclosure process to request an opinion from the OIG about whether a violation has occurred (the OIG maintains an advisory opinion process for such inquiries). The protocol is not available for disclosure of a liability under Stark law without accompanying anti-kickback liability. CMS maintains a self-referral disclosure protocol for Stark-only violations. The OIG reiterates that the protocol is not a vehicle for matters that do not involve potential violations of “Federal criminal, civil, or administrative laws for which CMPs are authorized, such as one exclusively involving overpayments or errors.”
General Requirements for All Disclosures
The OIG now leaves it to the provider to ensure the conduct in violation of federal criminal, civil, or administrative laws ended at the time of disclosure, or that corrective action is undertaken within 90 days of submission to the protocol.
The voluntary disclosure submission protocol has expanded to include a general requirement protocol for all disclosures and separate additional requirements for: (1) false billing; (2) excluded persons; and (3) anti-kickback and Stark law violations.
The general requirements for disclosures have changed little, but now also include:
- A statement of the federal criminal, civil, or administrative laws that are potentially violated by the disclosed conduct
- An estimation of the damages to each federal healthcare program relevant to the disclosed conduct
- A description of the corrective action undertaken by the disclosing party upon discovery of the conduct
- The individual’s name “authorized to enter into a settlement agreement on behalf of the disclosing party”
False Billing Requirements
Disclosing parties must conduct a review to estimate the improper amount received from a federal healthcare program when reporting a submission of improper claims to the protocol. Damage estimation must be either a review of claims submitted or a random sample of affected claims (the random sample must be accompanied by a copy of the sampling plan). The new rules also eliminate the use of “probe samples” and “minimum precision levels.”
Employment of Excluded Persons
A high percentage of prior self-disclosures received by the OIG involved the employment of excluded individuals or entities. The new protocol requires details involving the disclosure of information pertaining to the excluded individual, along with the general information under “Requirements for All Disclosures.” One important factor is the requirement that the disclosing party screen all current employees and contractors against the OIG’s List of Excluded Individuals and Entities and report all excluded persons in one submission.
No payment may be made for items or services furnished, ordered, or prescribed by an excluded provider. Any item or service furnished at the direction or prescription of an excluded individual or entity is not reimbursable when the party furnishing the item or service either knows or should know of the exclusion. Healthcare providers and entities also may not employ or contract with an excluded individual to provide items or services paid for by a federal healthcare program. Accordingly, all payments received are potentially overpayments and false claims, which must be reported to the OIG, along with a calculation of damages as specified in the protocol.
Anti-kickback and Stark Law Violations
The requirements for conduct involving the anti-kickback statute and Stark law involve a clear acknowledgement that the “subject arrangement(s) constitute potential violations of the AKS and, if applicable, the Stark Law.” Not acknowledging this potential violation prevents the disclosing party from gaining acceptance into the protocol. Claims that include items or services resulting from an anti-kickback violation constitute false claims. The procedures for calculating damages under this section are also detailed.
Coordination with the Department of Justice (DOJ) and CMS
The OIG highlights the cooperation between the OIG, DOJ, and CMS to resolve self-disclosure matters; however, the DOJ determines its own approach to cases and is not required to consider participation in the self-disclosure process. Stark-only violations should be disclosed to CMS under its self-referral disclosure protocol. The self-disclosure protocol explicitly acknowledges that OIG will “coordinate” with CMS on the review and resolution of matters disclosed to either agency, but the OIG does not participate in CMS’ protocol.
Minimum Settlement Amounts
The OIG has established a minimum settlement of $50,000 to resolve anti-kickback-related disclosures, and a minimum settlement of $10,000 for all other disclosures. These minimum amounts are consistent with the OIG’s statutory authority to impose penalties, and are intended “to better allocate disclosing party and OIG resources.”
The updated protocol also expands on the OIG’s previous statements that it generally resolves matters “near the lower end of the damages continuum,” and explicitly adopts a minimum damages multiplier of 1.5 times the single damages, which is applied to the amount paid by federal healthcare programs, not the amount claimed.
Inability to Pay and Overpayment Liability
A disclosing party’s inability to pay the appropriate settlement amounts should be stated in the party’s initial disclosure, along with an assessment of how much they think they can afford to pay. The OIG will require extensive financial information, including tax returns and asset records, along with a certification of truthfulness and accuracy of the financial disclosure. The OIG expressly states that it isn’t bound by a provider’s calculation; and if it disputes the calculation, a higher damages or overpayment amount may result. The OIG now allows crediting an overpayment refund toward the settlement amount. Nevertheless, a disclosing party should expect to pay a damage multiplier on the overpayment.
A disclosing party must weigh several important considerations when deciding whether to self-disclose. The protocol provides a party with a better understanding of the disclosure process, the OIG’s expectations for complete disclosure, and potential monetary penalties. Unlike a government-initiated investigation, a matter resolved through the protocol may settle without an integrity agreement obligation and with lower monetary penalties, including a lower damages multiplier.
An individual or entity contemplating self-disclosure must be willing to agree to the OIG’s preconditions for protocol eligibility. A party also should consider the implications of explicitly identifying the laws that were potentially violated, particularly because admission to the protocol is not guaranteed, and the updated process includes OIG coordination and cooperation with the DOJ and CMS.
Robert A. Pelaia, Esq., CPC, CPCO, is senior university counsel for health affairs at the University of Florida College of Medicine in Jacksonville, Fla. He is certified as a Health Care Law Specialist by the Florida Bar Board of Legal Specialization and Education, serves on AAPC’s Legal Advisory Board, and was a 2011-2013 AAPC National Advisory Board member. Pelaia is a member of the Jacksonville River City, Fla., local chapter.
Rosanne (Rosie) Brandt, DDS, holds a Doctorate of Dental Surgery from Northwestern University. After practicing dentistry for 20 years, she changed careers to attend Florida Coastal School of Law, where she is now a part-time second year law student, J.D. candidate 2015, and an extern with the Fifth District Court of Appeals in Daytona Beach, Fla. After graduation, her concentration will be on healthcare law. Brandt occasionally practices dentistry for ACC Healthcare, performing exams and treatment for deploying National Guardsmen throughout the United States.