On April 17, 2013, the Office of Inspector General (“OIG”) of the United States Department of Health and Human Services released a revised Self-Disclosure Protocol that updates previous guidance for how health care providers can voluntarily disclose and resolve instances of potential fraud involving Federal health care programs such as Medicare and Medicaid. This guidance supersedes the original guidance provided in 1998, which has been updated various times over the years.

The original self-disclosure protocol was intended to be “voluntary.” However, with enactment of the Affordable Care Act (“ACA”) in 2010, providers are required to report and return any Medicare or Medicaid overpayment within 60 days of the date the overpayment was identified (“ACA Overpayment Requirement”). As such, providers can no longer afford to look the other way when they learn that they received an overpayment, and should utilize the Self-Disclosure Protocol to mitigate the risk of substantial penalties whenever fraud may be involved.

The newly released Self-Disclosure Protocol introduces several new concepts and provides important clarifications to guide health care providers on reporting potential fraud to the government.

What are the Benefits of Self-Disclosure?

Disclosure of potential fraud to the OIG can provide several benefits to the provider. As identified in the Self-Disclosure Protocol, making a self-disclosure can demonstrate to the OIG that the provider has a “robust and effective compliance program.” Thus, when a provider utilizes the Self- Disclosure Protocol, according to the OIG, the provider will enjoy a presumption that OIG will not require integrity agreement obligations in exchange for a release of OIG’s permissive exclusion authority.

 The OIG may also be willing to accept a lower amount to resolve the potential fraud being reported than the OIG might otherwise seek to impose under the Civil Monetary Penalties Law. Likewise, a provider can mitigate any additional exposure to liability under the Federal False Claims Act and the ACA Overpayment Requirement. Finally, the provider can expect a speedier resolution of the matter being disclosed. The OIG notes that it has now streamlined its internal processes so that the average time a self-disclosure is pending with the OIG is less than 12 months from acceptance into the Self-Disclosure Protocol.

Who May Use the Self-Disclosure Protocol?

All health care providers, suppliers, and other individuals or entities, including pharmaceutical or medical device manufacturers and managed care plans, can utilize the Self-Disclosure Protocol. The OIG advises that Disclosing Parties already subject to a government investigation or audit, or party to a Corporate Integrity Agreement, may also use the Self-Disclosure Protocol, provided that the disclosure is made in “good-faith” and is not an attempt to circumvent an ongoing inquiry.

What Conduct May be Disclosed Via the Protocol?

Only matters that involve a potential violation of Federal criminal, civil, or administrative laws, for which Civil Monetary Penalties are authorized, may be disclosed via OIG’s Self-Disclosure Protocol. All other overpayments may be addressed through the Medicare Administrative Contractor, subject to the proposed regulations issued by the Centers for Medicare and Medicaid Services (“CMS”) on February 16, 2012 (77 Federal Register 32 at 9179-9187) (“Proposed Regulations”).1 See our earlier memo of March 5, 2012. The Proposed Regulations clarify that they cover disclosures of overpayments based on billing or other errors, not potential violations of law.2

Disclosing Parties may not use the Self-Disclosure Protocol to report billing or other misconduct committed by another, unrelated party. Nor should an improper physician referral, involving potential liability only under the physician self-referral law, 42 U.S.C. § 1395nn (the “Stark Law”). Stark Law violations are to be reported to CMS through the Medicare Self-Referral Disclosure Protocol.

What is the Timing for Making a Disclosure Pursuant to OIG’s Protocol?

While the timing of any self-disclosure is not specifically addressed in the guidance, a disclosure pursuant to the Self-Disclosure Protocol should be made within 60 days of identifying an overpayment consistent with the ACA Overpayment Requirement. In this regard, the OIG’s guidance notes that a self-disclosure under the Protocol will “toll” the duty to report and return an overpayment under the ACA Overpayment Requirement. This guidance is consistent with CMS’ advice in the Proposed Regulations, that a provider’s obligation to return an overpayment would be suspended once the OIG acknowledges receipt of the self-disclosure, until a settlement agreement is entered into or until the provider withdraws or, is removed by the OIG from the Self-Disclosure Protocol.

The OIG’s guidance seeks to ensure that the rights of the parties are preserved while the matter is being resolved through the Self-Disclosure Protocol. Accordingly, as a condition precedent to the OIG’s acceptance of a Disclosing Party into the Self-Disclosure Protocol, the Disclosing Party must waive any statute of limitations or related defense to any administrative action filed by the OIG relating to disclosed conduct, except to the extent that such defenses would have been available to the Disclosing Party had an administrative action been filed on the date of the submission of the self-disclosure. Likewise, OIG expects a Disclosing Party to resolve all liability arising from the potential fraud within the six year statute of limitations applicable to the Civil Monetary Penalties Law.

What are the Other Salient Requirements under the Self-Disclosure Protocol?

Corrective Action. The Self-Disclosure Protocol makes clear that, regardless of which law may have been violated, the Disclosing Party should ensure, prior to disclosure, that the conduct in question has ended and necessary corrective action has been implemented. However, if the provider is unable to complete its internal investigation before making the disclosure, the Disclosing Party must certify that it will complete the investigation within 90 days of the date of the submission. In the case of a kickback being reported by the provider, the provider must terminate the improper arrangement within 90 days of submission of the self-disclosure.

The Content of the Self-Disclosure. The self-disclosure must contain a narrative that includes, among other things, (i) a detailed statement of the disclosed conduct, (ii) a statement of the specific Federal laws that have potentially been violated, (iii) a description of the corrective action taken, (iv) an estimate of the damages or a certification that an estimate will be submitted to the OIG within 90 days of the date of submission, and (v) a certification that the submission is truthful and based on good faith.3

What are the Specific Requirements for Reporting False Billing?

The OIG has identified additional steps that a Disclosing Party must take whenever the conduct at issue involves false billing. In that circumstance, a Disclosing Party must conduct a review of its claims to estimate the improper amount paid by Federal health care programs and prepare a report of its findings. The review must encompass either all the claims affected by the disclosed matter or a statistically valid random sample of affected claims numbering at least 100. The self-disclosure must include detailed information about the provider’s review of the claims, and in the case of a sample review, the criteria used to determine the sample and other particulars about the universe of claims, the sample, and the sampling and extrapolation methodology.

What are the Specific Requirements for Excluded Persons?

When a provider makes a self-disclosure as a consequence of employing an individual or entity excluded from the Medicare or Medicaid programs, the Disclosing Party must identify (i) the excluded provider’s identity and provider identification number, (ii) the job duties performed by the excluded provider, (iii) the dates of employment, (iv) a description of any background checks conducted by the Disclosing Party, (v) a description of its excluded persons screening process, (vi) how the apparent violation was discovered, and (vii) what corrective action has been taken. Moreover, before making the self-disclosure, the Disclosing Party must screen all current employees and contractors against the OIG’s List of Excluded Individuals and Entities so that the self-disclosure will include all excluded providers.

Damages Calculation. The Disclosing Party must also include in its self-disclosure, a detailed calculation of the amount the Disclosing Party will have to repay on account of employing the excluded persons. For excluded individuals or entities that provided items or services that were not billed separately to the government, the OIG would accept the Disclosing Party’s total costs of the excluded person’s employment or contracting during the exclusion period as the calculated overpayment. The employment costs include all salary and benefits and other compensation, health insurance, life insurance, disability insurance, and employer taxes paid related to employment of the individual. This amount is then to be multiplied by the Disclosing Party’s Medicare or Medicaid payor mix (revenue-based) for the relevant period. The resulting figure is to be used to determine the amount to be repaid.

What are the Specific Requirements Involving the Anti-Kickback Statute and Stark Law Violations?

If the self-disclosure involves the Anti-Kickback Statute and/or Stark Law, the Disclosing Party must “clearly acknowledge” that, in its “reasonable assessment,” it engaged in conduct that constitutes a potential violation of law. The submission must include a concise statement of all the details relevant to the conduct and why the conduct is potentially a violation of law.

Damages Calculation. To calculate an estimate of the overpayment received by the Disclosing Party, the Disclosing Party should follow the same procedures outlined for conduct involving false billing.

What is the Ultimate Amount to be Repaid to the Government?

The 1.5 Multiplier “Default”. The OIG clarified that Disclosing Parties should expect to pay a multiple of 1.5 times the amount of the overpayment received on account of the reported conduct, but reserves the right to use a higher multiplier depending upon the facts and circumstances. As the reported conduct involves a potential fraud, the Disclosing Party could be liable to pay treble the amount of the overpayment, plus other penalties, if the government were to uncover the fraud.

Minimum Settlement Amounts. Moreover, the OIG clarified that to “better allocate” its resources, it will require a minimum settlement amount for kickback-related submissions of $50,000; for all other matters, $10,000, citing the Anti-Kickback Statute and the Civil Monetary Penalties Law respectively as the legal bases for those thresholds.

Notwithstanding the OIG’s rationale, application of these minimums could result in anomalous and arguably inequitable treatment of providers. For instance, a provider that may have violated the Anti-Kickback Statute on a relatively small scale financially -- well below the settlement threshold -- in good faith might utilize the Self-Disclosure Protocol to resolve the matter. That provider could end up paying a multiple of several fold of the actual overpayment, while a provider that may have violated the Anti-Kickback Statute on a much larger scale may only have to pay a multiple of 1.5.

Caution With Respect to Pre-Settlement Repayment!

If prior to resolving a reported matter, a Disclosing Party has refunded the overpayment that is subject of the self-disclosure, the OIG will credit the amount toward the ultimate settlement amount. However, the OIG cautions that it is not bound by any amount repaid outside of the Self- Disclosure Protocol process. In other words, the OIG reserves the right to contest the amount refunded and may require further review.

What if the Disclosing Party Lacks Sufficient Funds to Repay the Government?

In cases where the Disclosing Party is unable to fully repay, the Disclosing Party will have to affirmatively assert its inability to pay in its submission. OIG may require extensive financial information, including audited financial statements, tax returns, and asset records, and an assessment of how much the Disclosing Party believes it can pay. The OIG will then determine how much it would be willing to accept to resolve the self-disclosure.

* * * *

The updated Self-Disclosure Protocol clarifies many issues about when and how to disclose potential violations of law to the government. In light of this guidance, providers should revisit their current policies and procedures for reporting and returning overpayments in those circumstances to ensure they comport with the Self-Disclosure Protocol.