On April 17, 2013, the Department of Health & Human Services, Office of Inspector General (OIG), issued an updated Self-Disclosure Protocol (SDP) outlining its current guidance on how health care providers, suppliers and other individuals or entities can voluntarily identify, disclose and resolve instances of potential fraud and abuse involving federal health care programs.

In an effort to offer guidance beneficial to the health care industry and to improve the efficient resolution of matters disclosed using the SDP, the SDP contains the OIG’s guidance on how health care providers, entities and individuals can investigate improper conduct, quantify damages and report the conduct to the OIG to resolve liability under the OIG’s civil monetary penalty (CMP) authorities. The updated SDP replaces the OIG’s earlier self-disclosure protocol published in 1998 and subsequent guidance in Open Letters issued in 2006, 2008 and 2009.

In particular, the SDP:

  • Establishes the procedure and timeframes health care providers must follow to self-disclose potential fraud and abuse to the OIG and specifies the information that must be included in the SDP submission;
  • Clarifies the OIG’s presumption against requiring corporate integrity agreements in exchange for a release of the OIG’s permissive exclusion authorities in resolving an SDP matter;
  • Communicates for the first time that, although the OIG can assess civil penalties of up to three times the single damages (i.e., the improper amount paid by federal health care programs), in addition to per-violation penalties, the OIG’s common practice will be to require those using the SDP to pay civil penalties calculated using a multiplier of one and a half times the single damages, subject to OIG’s case-by-case determination;
  • Suggests that the SDP may mitigate potential exposure under the Centers for Medicare & Medicaid Services (CMS) proposed 60-day overpayment rule by suspending the 60-day obligation to return overpayments upon OIG’s confirmed receipt of a timely SDP submission until the matter is settled, withdrawn or removed from the SDP (Note: OIG plans to issue additional guidance as needed after CMS releases its final overpayment rule);
  • Requires those disclosing conduct of employees who are excluded from participating in federal health care programs to disclose specified information, such as the employee’s identity, dates of employment, background checks, and the employer’s screening process, manner of discovery of the employee’s exclusion and corrective actions; and
  • Requires disclosure of other information that may be helpful in resolving disclosures related to potential violations of the anti-kickback statute, as well as the Stark Law if applicable, including how fair market value was determined, why required payments from referral sources were not made or collected in a timely manner, or whether payments were made for services that were not rendered or documented.

In addition to the above guidance, the OIG offers insight into its experience, perspective and concerns to date with the SDP. For example, the OIG reveals that hospitals have been the biggest users of the SDP, comprising more than a third of the 800 self-disclosures resolved since 1998, resulting in more than $280 million in recoveries. Similarly, the SDP reveals that the OIG has resolved 235 SDP cases through settlements since 2008, and in all but one of those cases it released the disclosing parties from permissive exclusion without requiring any integrity measures.

The SDP also emphasizes that OIG will not accept providers into the SDP if they fail to clearly acknowledge that the arrangement is a potential violation of the anti-kickback statute and, if applicable, the Stark Law or other federal criminal, civil, or administrative laws for which CMPs are authorized. As a result, the SDP is not the appropriate vehicle to seek an opinion from the OIG on whether conduct is a violation or to argue that it is not.

The SDP reiterates the OIG’s prior guidance that the self-disclosure process is not intended for billing errors and mistakes, or for potential Stark Law violations that do not also involve potential anti-kickback statute violations; such Stark-only matters can be self-disclosed using the CMS SDP. In addition, the SDP states that the OIG will require a minimum settlement of $50,000 to resolve any self-disclosure involving a potential anti-kickback violation and a minimum settlement of $10,000 for any other disclosures using the SDP, such as a Stark Law violation.

The SDP affirms that information submitted under the SDP is accessible to the public under a Freedom of Information Act (FOIA) request. For information to be exempt from production under a FOIA request, the OIG FOIA officer must determine that it meets FOIA’s exemption criteria. As a result, those desiring to use the SDP but protect the information disclosed must work proactively with the OIG to obtain an exemption.


The SDP provides some specific and useful guidance on the SDP process and clarifies the OIG’s current expectations. It reflects the OIG’s commitment to working with health care providers and others using the SDP in good faith and to continuing to improve the self-disclosure process. It also offers users of the SDP some additional certainty about how to prepare and submit a successful self-disclosure and how and on what timeframe the OIG will likely resolve disclosed matters.

Further challenges remain, however. For example, the SDP gives no indication about how the Department of Justice (DOJ) views the SDP. When the OIG refers disclosures to the DOJ, the OIG will advocate for providers, but the DOJ is not bound by the SDP. The lack of specific guidance on the interplay between the OIG and the DOJ leaves some measure of speculation and uncertainty for those who elect to use the SDP process. Those considering using the SDP to resolve potential liability under the CMPs will need to weigh these considerations carefully before electing to use the SDP.