On April 17, 2013, the Office of Inspector General of the Department of Health and Human Services (OIG) released a revised self-disclosure protocol (SDP) that significantly overhauls the process for providers and others to voluntarily disclose and resolve instances of potential fraud involving federal health care programs. The revised protocol adds substantial new guidance on assembling the content included in disclosures and the process for resolution of disclosed matters, including new minimum settlement amounts and a shortened period for completing the required internal investigation.

The revised SDP supersedes and replaces all previous guidance on the SDP, including the 1998 Federal Register notice that launched the SDP and the three open letters OIG issued in 2006, 2008, and 2009 to clarify its implementation and application in certain contexts. Notably, OIG has not addressed whether, and if so how, the principles articulated in the revised SDP will be applied to individuals and entities currently engaged in the SDP process.

Eligibility for the SDP

OIG’s new guidance confirms that the SDP is available to entities beyond the program participating providers and suppliers who submit the claims at issue in a disclosure. Pharmaceutical and medical device manufacturers can avail themselves of the SDP. The revised SDP also makes explicit that a party may disclose conduct of another entity for which the disclosing party may have successor liability through a merger or acquisition. Consistent with limitations on the SDP that OIG announced in its 2009 open letter, OIG will not accept disclosures of arrangements that violate only the physician self-referral law (the Stark law). The SDP will continue to be available for resolution of Stark law issues that are based on the same facts giving rise to potential violations of the Anti-kickback law or other violations of Federal criminal, civil, or administrative law for which civil monetary penalties are authorized.

Required content

The revised protocol includes considerable new detail on the information disclosing parties must include in disclosure reports, including new content requirements specific to particular types of potential violations.

Required content for all disclosures

The new protocol requires disclosing parties to submit all of the basic information required under the original protocol and open letters, and adds a requirement that a disclosing party include a description of corrective action taken upon discovery of the potentially fraudulent conduct. Moreover, the new SDP requires the disclosing party to identify the name of an individual authorized to enter into a settlement agreement on behalf of the disclosing party.

Required content for false billing disclosures

The new SDP adds specific content requirements for disclosures involving the submission of improper claims to federal healthcare programs. These requirements generally track the review and sampling requirements described in the original SDP, with the notable exception that disclosures relying on a sample to estimate damages must now use a sample of at least 100 items.

Required content for excluded persons disclosures

The new SDP adds entirely new content requirements for disclosures involving excluded persons. Such disclosures now must include the following information:

  • the identity of the excluded individual and any provider identification number;
  • the job duties performed by the individual;
  • the dates of the individual’s employment or contract;
  • a description of any background checks the disclosing party completed before and/or during the individual’s employment or contract;
  • a description of the disclosing party’s screening process and any flaw or breakdown in the process that led to the individual’s hiring or contract;
  • a description of how the conduct was discovered; and
  • a description of any corrective action (including copies of revised policies or procedures) implemented to prevent future hiring of excluded persons. 

Furthermore, the new SDP requires the disclosing party to screen all current employees and contractors against the OIG List of Excluded Individuals and Entities before making its disclosure. The SDP goes on to state that after conducting this follow-up screening, the disclosing party should disclose all excluded persons in one submission. This new requirement suggests that once a party makes a submission related to excluded persons under the revised SDP, future submissions regarding excluded persons from that same party may be poorly received by OIG.

Finally, the revised SDP explains that in cases where an excluded individual provided items or services that are not separately billed to federal healthcare programs, OIG will calculate damages based on the disclosing party’s total costs of employing or contracting with that individual, including salary, benefits, insurance, and employer taxes, adjusted for the disclosing entity’s federal healthcare program payor mix. The resulting amount is used as the single damages to the federal healthcare programs resulting from the employment of or contracting with the excluded individual. Although OIG indicates that it has used this methodology in the past, this is the first time it has been articulated publicly.

Required content for disclosures of Anti-Kickback and Stark Law violations

The revised SDP, which continues to restrict Stark disclosures to cases where there is also a colorable Anti-kickback violation, now requires parties disclosing potential violations of these laws to include greater detail about the potential violations. In particular, the disclosing party must explicitly describe why the disclosed conduct may violate the Anti-kickback statute (and Stark Law), and offer specific examples of such information, including how fair market value was determined and why it is now in question, or why the arrangement was arguably not commercially reasonable (e.g., lacked a reasonable business purpose). Anti-kickback and Stark disclosures must also describe the corrective action taken to remedy the suspect arrangement and safeguards to prevent the conduct from recurring.

With respect to calculation of damages, Anti-kickback and Stark disclosures must now include an estimate of the amount paid by federal healthcare programs associated with the potential violations, including the total amount of remuneration involved in each arrangement without regard to whether a portion of the total remuneration was for a lawful purpose.

Resolution and consequences of self-disclosure

Perhaps most significantly, in the revised SDP, OIG articulates a formulaic approach to calculating the amount disclosing parties should expect to pay to resolve disclosed matters. The new SDP establishes a US$10,000 floor for the resolution of all non-kickback matters while maintaining the US$50,000 minimum settlement amount for Anti-kickback violations OIG first established in the 2009 open letter. The new SDP also articulates OIG’s practice of applying a minimum multiplier of 1.5 times the single damages amount for disclosed violations. The minimum settlement amounts could be problematic for parties that wish to disclose isolated and small-scale violations (e.g., a single consulting arrangement that potentially violates the Anti-kickback law or a handful of prescriptions by an excluded physician), as OIG based these amounts on the maximum per-transaction civil monetary penalties available – thereby effectively converting a statutory ceiling into a settlement floor.

The SDP also shortens the period disclosing parties have to complete the required internal investigation following an initial submission: disclosing parties now must submit findings from their investigation within 90 days of the initial submission, rather than within 90 days of acceptance into the SDP. Disclosing parties must also complete their damages calculation and, for Anti-kickback violations, complete corrective actions, within this 90-day period after initial submission. Unless a disclosing party can negotiate an extension of this time-period (the availability of which is not addressed in the revised SDP), this shortened timeframe may force parties who learn of complex potential violations to delay availing themselves of the SDP during the internal investigation, thereby remaining vulnerable to government investigations and whistleblower actions likely to result in greater penalties.

Lastly, the new SDP provides clearer guidance on the consequences of disclosure. The SDP maintains OIG’s presumption against requiring an integrity agreement for parties who use the protocol and states that only 1 out of 235 protocol cases since 2008 resulted in imposition of integrity measures. The SDP also recognizes that the proposed rule issued by the Centers for Medicare & Medicaid Services (CMS) in February 2012 proposed to suspend the obligation to report and return overpayments made by Medicare or Medicaid when OIG acknowledges receipt of a timely self-disclosure protocol submission. See Hogan Lovells' Health Alert on Proposed Overpayments Rule (February 24, 2012). The SDP states that OIG will provide additional guidance on its website as necessary when CMS issues the final rule on the overpayment obligation.