The Enforcement Environment

Due to increasing demands on federal and state budgets, pressure has intensified for the U.S. government to recover funds alleged to have been lost on fraud and abuse in federal and state health programs. In today's environment, enforcement actions by federal and state governments result from audits and data mining by Medicare and Medicaid contractors, as well as from whistleblowers (many of whom work in or with provider organizations) seeking bounties under the federal False Claims Act (FCA) for violations of the Stark Law (concerning self-referrals), the federal Anti-kickback statute and other fraud statutes. The Patient Protection and Affordable Care Act (ACA) was enacted into law on March 23, 2010. Section 6409 of the ACA required the Centers for Medicare and Medicaid Services (CMS) to publish a protocol advising providers and suppliers how they may voluntarily disclose actual and potential violations of the Stark Law. (Mandatory reporting and return of overpayments that involve Anti-kickback and statutes other than the Stark Law are covered under Section 6402 of the ACA.)

The Stark Law Self-Referral Disclosure Protocol (SRDP) was posted on the CMS website on September 23, 2010. One incentive for providers to self-disclose is that Section 6409(b) of the ACA gives the Secretary of the U.S. Department of Health and Human Services (HHS) the authority to reduce the amount due and owing for all violations of the Stark Law. In addition, once CMS receives an electronic disclosure from a provider, the obligation to return any potential overpayment within 60 days is suspended until a settlement is reached with the government. However, there are many risks in making a self-disclosure that providers may want to carefully consider.

Benefits and Risks of Making a Disclosure Under the New Self-Referral Protocol

The ACA established a fast timetable for reporting and returning overpayments to CMS. Under Section 6402 of the ACA, an "overpayment" is defined as, "any funds that a person receives or retains under Medicare or Medicaid to which the person, ‘after applicable reconciliation,' is not entitled." After identifying an overpayment, a provider must report and return overpayments by the later of: (1) 60 days after the date of identification of the overpayment; or (2) the date when a corresponding cost report is due, if applicable. The SRDP gives providers and suppliers the opportunity to make a good-faith self-disclosure of overpayments they have identified. The benefits of self-disclosure include the possibility of reduced penalties, as well as the suspension of the time within which to make the payment to the government. In addition, providers and suppliers may be able to avoid exclusion from the Medicare and Medicaid programs as part of a settlement through the SRDP. Further incentive to self-disclose is the possible protection from a viable qui tam whistleblower action, as the whistleblower must be an original source of information to the government.

While the SRDP is available to providers already under investigation, it is not risk-free. CMS cautions that disclosing providers must act in good faith and cannot seek an advisory opinion to clarify whether the conduct is a likely violation. Under the SRDP, providers are required to explain in detail how the conduct violated the Stark Law, while identifying in detail any potentially applicable exceptions to Stark. They also have to provide details about the financial impact involved, describe any preexisting compliance programs, how the violation was discovered and what corrective measures have been taken.

If all goes well, CMS will accept the disclosing provider into the SRDP and the provider's financial and legal exposure may be limited. Among the factors that CMS will consider are:

  1. the nature and extent of the illegal practice;
  2. the timeliness of the self-disclosure;
  3. the provider's cooperation in presenting additional information related to the disclosure;
  4. the litigation risk associated with the disclosed information;
  5. the financial position of the disclosing provider; and
  6. other appropriate factors.

As the outcome of self-disclosures under the SRDP is uncertain, CMS cautions providers to proceed with care.

The ACA has added new civil monetary penalties, with the potential for exclusion from federal programs that can be imposed on providers who:

  1. fail to report and return known overpayments;
  2. knowingly make false statements in an application, bid or contract to participate or enroll as a supplier or provider in Medicare or Medicaid;
  3. order or prescribe items or services when the prescriber was excluded from a federal or state program;
  4. knowingly make, use or cause to be made a false record or statement material to a false claim for payment under a federal program; or
  5. fail to timely grant access for an audit, investigation or evaluation, upon reasonable request by the Office of Inspector General (OIG).

A potentially significant disadvantage of self-disclosure is that providers must waive appeal rights to claims related to the disclosed conduct. Another key concern is that CMS will share information presented by the provider with HHS's Office of the Inspector General (OIG) and the U.S. Department of Justice, and CMS may make referrals to these agencies for civil and criminal liabilities, including possible FCA liability. While providers can withdraw an application to the SRDP, doing so may be problematic. By the time the provider has made the disclosure, the government's attention may be focused on problems the provider has articulated through the presentation of evidence that has enabled the government to establish liability.

There are other practical problems that may warrant consideration. For example, publicly traded companies may want to evaluate whether a private plaintiff may seek an internal investigative report or the self-disclosure report, contending that the provider waived its privileges by taking part in the SRDP. These issues of waiver for voluntary disclosures do not appear to have been eliminated by the most-recent amendments to Federal Rule of Evidence 502. Moreover, disclosing providers must be able to complete an internal investigation very quickly. In the past, the OIG instructed disclosing providers to complete an investigation and damages assessment within three months of acceptance into the self-disclosure protocol. While the SRDP does not allude to this, CMS says it must have access to all financial statements, notes, disclosures and other supporting documents without the assertion of privileges or limitations on the information produced.

Providers who are wondering whether they should disclose may want to consider whether the government already knows about the problems they have uncovered. Violating the federal Anti-kickback statute, the Stark Law and the FCA can lead to administrative sanctions, civil fraud actions, criminal prosecutions and exclusion from Medicare or Medicaid and other federal programs. Providers should have effective compliance plans designed and implemented to detect problems with billing, coding and documentation so these problems can be timely and properly addressed. Once mistakes are found, providers may wish to work with legal counsel promptly and prudently to assess solutions to possibly avert or limit potential legal problems.

In sum, providers may have little choice but to self-disclose. There is a good chance that the government, through its many new data-gathering resources, may already have, (or soon will acquire) sufficient information to take action. These are delicate matters that often require outside counsel with an awareness of specific legal issues and strategies. In today's environment, the government expects nothing less than full cooperation and looks sharply at mistakes—innocent or not.