On April 17, 2013, the U.S. Department of Health and Human Services Office of Inspector General ("OIG") issued an updated Provider Self-Disclosure Protocol ("SDP"). The SDP supersedes the OIG's self-disclosure protocol and includes increased clarity in the SDP process, as well as new burdensome requirements for disclosing parties, such as reduced timeframes for internal investigations and reporting.

The Previous Protocol and Open Letters

The OIG released its initial self-disclosure protocol in 1998 ("1998 Protocol"). The OIG's goal was to create an open-ended process for providers to voluntarily identify and disclose potential federal health care program abuses and work cooperatively with the OIG to resolve violations. The protocol was available to health care providers that wished to report potential violations of the federal Anti-Kickback Statute ("AKS") and resolve civil monetary penalty ("CMP") liability that might arise under the AKS, False Claims Act ("FCA"), or other statutes. In a series of Open Letters to the health care industry, the OIG clarified the 1998 Protocol and provided further guidance regarding potential types of violations subject to the 1998 Protocol, circumstances that could result in the imposition of a corporate integrity agreement, and the disclosure and resolution processes.

The SDP supersedes all prior OIG guidance, including the initial 1998 Protocol and the OIG's Open Letters issued in April 2006, April 2008, and March 2009.

The Updated Self-Disclosure Protocol

Significant changes and clarifications in the SDP include:

1. The OIG's express acknowledgement that parties using the SDP will likely not have to enter into a corporate integrity agreement with the OIG;

2. A requirement that disclosing parties acknowledge that the reported conduct is a potential violation of federal law;

3. Moving up the timeline and requiring disclosing parties to complete internal investigations within 90 days of submitting a matter to the OIG (the 1998 Protocol required completion within 90 days from the date of acceptance into the protocol);

4. Elimination of certain reporting requirements and the introduction of new guidelines for submissions involving false billing, excluded persons, and AKS and Stark violations,;

5. Adoption of lower multipliers, usually a minimum multiplier of 1.5 times single damages;

6. Updating the minimum settlement amount for non-AKS violations;

7. Clarification that disclosing parties must waive defenses related to the statute of limitations, laches, or any similar defense in a subsequent OIG administrative action; and

8. Clarification that the OIG will coordinate with the Department of Justice ("DOJ") and the Centers for Medicare and Medicaid Services ("CMS") in resolving criminal and civil liability under those agency's statutory authorities.

In addition to the changes and clarifications outlined above, the SDP addresses eligibility, general requirements for all disclosures, and specific requirements for disclosures involving false billing, excluded persons, and liability under the AKS and the physician self-referral law ("Stark Law").

Eligibility for the SDP

Health care providers subject to the OIG's CMP authorities may use the SDP to disclose potential violations of the CMP law. Under the updated SDP, the disclosing parties must now specifically state which laws are potentially violated. Ineligible conduct is generally the same as in the 1998 Protocol, and conduct involving overpayments, errors, or solely violations of the Stark Law may not be disclosed under the SDP. For example, overpayments that are not attributable to knowing or willful conduct, and which therefore would not be subject to the FCA or CMP, should be addressed through repayment to the provider's fiscal intermediary rather than through the SDP; the SDP may be the appropriate vehicle, however, for overpayments that are subject to the CMP due to a failure to return the payment within the 60-day rule discussed later in this Update.

Eligibility for the SDP depends upon the disclosing party waiving statute of limitations, laches, or similar defenses unless those defenses would have been available had an administrative action been initiated on the date of submission. Finally, disclosing parties must end the conduct or terminate the arrangement within 90 days of submission to the SDP in order to maintain eligibility.

Requirements of Disclosures

The SDP requires a narrative submission outlining 11 types of information, including: (i) biographical information of the provider and its relationship within in a system or network, if any; (ii) information on the disclosing party's designated representative and individual authorized to settle the matter; (iii) a statement about the details of the conduct; (iv) a statement about the specific federal criminal, civil, or administrative laws that are potentially violated; (v) the federal health care programs affected; (vi) an estimate or actual amount of damages; (vii) a statement on whether the disclosing party knows that the matter is under investigation by another government agency or contractor; and (viii) a certification that the submission is to the best of the authorized representative's knowledge.

Disclosures Involving False Billing

The SDP adopts many provisions of the 1998 Protocol with regard to disclosing improper claims. The disclosing party must conduct a review of claims data. Disclosing parties may either disclose all affected claims or provide a statistically valid random sample of claims. For disclosures of all claims, the disclosing party must provide the objective of the review, a description of the claims population, the data sources used in the review, the qualifications of the person conducting the review, and the characteristics used to determine when a claim is an improper claim.

Disclosures using a sample must include the above information and an additional Sampling Plan. The SDP increases sample size requirements from 30 items to a minimum of 100 items (or more than 100 items for diverse claim populations) and requires the use of the mean point estimate to calculate damages. Disclosing parties must define the sample design, the sampling unit and frame, note any missing data, and use the OIG's estimation method. However, the SDP no longer requires the precision level for sampling results required under the 1998 Protocol.

Disclosures Involving Excluded Persons

Many submissions under the 1998 Protocol were related to the employment of or contracting with excluded persons. Under the SPD, providers must disclose all excluding persons in one submission and include the following information: (1) the excluded party's identity, job duties, employment, or contractual relationship; (2) a description of background checks performed on the excluded party; (3) the disclosing party's screening process and any problems with that process; (4) a description of how the conduct was discovered and any corrective measures the disclosing party took to reduce future employment of excluded persons.

The SDP also outlines the method for calculating damages. For direct providers, such as physicians, who furnish, orders, or prescribe separately billed items or services, the disclosing party must provide the OIG with the total amounts claimed and paid by federal health care programs for those items or services.

For items and services that are not separately billed, such as nursing services, the OIG uses a formula based on the excluded party's total cost of employment, including salary and benefits, or contracting. The OIG will multiply this amount by the disclosing party's federal program payor mix. The payor mix itself must be broken down by program, but the disclosing party may use the excluded party's department or unit, if possible, or may use the entire facility's payor mix.

Disclosures Involving AKS and Stark Law

In addition to requirements for disclosures involving false billing and excluded persons, the SDP provides guidance regarding disclosures that raise potential AKS or both AKS and Stark Law liability. As with other SDP disclosures, such disclosures must clearly acknowledge that the disclosed arrangement constitutes a potential violation of the AKS, and the Stark Law, if applicable.

The SDP also provides a nonexclusive list of information the OIG finds useful in assessing potential AKS (and AKS and Stark Law) violations, including: (1) the methodology for determining fair market value; (2) the commercial reasonableness analysis for the arrangement; (3) whether referring physicians received payments from Stark "Designated Health Services" entities that varied with, or took into account, the value or volume of referrals without complying with a Stark Law exception; and (4) applicable corrective action.

Disclosing parties must include the total remuneration provided under the agreement, whether or not it believes the remuneration was lawfully provided or received. The SDP also allows disclosing parties to explain that portions of the remuneration should not be considered by the OIG in determining the settlement amount.

Minimum Penalty Multiplier and Settlement Amounts

In contrast to the 1998 Protocol and Open Letters, the SDP notes that the OIG's "general practice" is to require a minimum multiplier of 1.5 times single damages to amounts paid and not claimed. The SDP also outlines minimum settlement amounts. The minimum settlement amount of an AKS-related submission remains $50,000, and for all other matters, the SDP sets a minimum settlement amount of $10,000.

SDP and the 60-Day Overpayment Rule

The OIG also outlined the interaction between the SDP and the 60-day overpayment rule (the "60-Day Rule"), which requires that Medicare and Medicaid overpayments must be reported and returned by the later of 60 days after the date on which the overpayment was identified or the date any applicable corresponding cost report is due. Prior OIG guidance instructed providers not to return overpayments subject to a self-disclosure. The SDP clarifies that CMS intends to suspend notice and repayment obligations under the 60-Day Rule when the OIG has acknowledged receipt of a timely submission to the SDP.

The OIG plans on issuing further guidance on the interaction of the SDP and the 60-Day Rule after CMS releases the 60-Day Rule final rule.

Practical Implications of the Updated SDP

The SDP provides the health care industry with a more formalized understanding of submission requirements, timeframes, and post-disclosure compliance expectations. Ideally the SDP's streamlined process will allow disclosing parties to provide a complete submission and move through the settlement process more efficiently.

When determining whether to disclose under the SDP, providers may wish to take into account the following considerations:

1. The SDP provides entities considering disclosure with more clarity regarding the disclosure process. Therefore, this procedural clarity offers disclosing parties a better understanding of the SDP process. However, disclosing parties have little or no leeway for excuses when submitting an incomplete or untimely disclosure.

2. Under the SDP's streamlined process and expedited timeframes for completing internal investigations, disclosing parties should be sure to complete a thorough internal investigation prior to entering the SDP process. Disclosing parties should consider timeframes for submitting required reports and damage estimates—and the corresponding investment in preparing the submissions—when determining when to enter the SDP process.

3. Disclosing parties must now be willing to acknowledge, in writing, potential violations of specific federal law(s) and fully describe the relevant conduct. The OIG will not accept disclosures that are framed as hypotheticals, or which seek an advisory opinion as to the legality of the conduct at issue. Providers should keep this new requirement in mind when determining which portions of their disclosures should be identified as exempt from disclosure under the Freedom of Information Act ("FOIA") as trade secrets, commercial, financial, privileged, or confidential.

4. The OIG has confirmed that disclosures limited solely to potential Stark Law liability should be disclosed to CMS through its Self-Referral Disclosure Protocol ("SRDP"); potential AKS liability, either alone or coupled with Stark Law liability, should be disclosed to the OIG through its SDP. Parties should be prepared for the OIG and CMS to coordinate with each other. Consequently, disclosing parties that choose to use the Stark SRDP with CMS should be reasonable in their assessments that potential disclosures are limited to Stark Law liability.

5. With the SDP's 1.5 multiplier and presumption against corporate integrity agreements, providers now have a more definitive understanding of the minimum liability and required compliance for settlement under the SDP. This clarity should permit providers to better estimate the investment in post-disclosure compliance.