To Disclose or Not To Disclose, That is the Question
Health care providers and suppliers face a dilemma when they identify that potentially problematic claims have been submitted to a federal health care program. To disclose or not to disclose, that is the question. Balancing legal disclosure obligations and business interests can be difficult when entities look at short term risks and benefits. When balancing those interests, many providers are inclined to keep a potential violation quiet and hope that the government does not independently discover the violation. Is that a good strategy? Probably not. At a minimum, reporting and refunding wrongfully obtained reimbursement to Medicare is now a requirement. Moreover, depending on the circumstances, providers may be under an obligation to engage in a more fulsome self-disclosure, which may not only be an obligation but may also provide concrete benefits to the provider or supplier. But the dilemma does not end there. If a provider does decide to engage in the self-disclosure process, there are several vehicles to make that disclosure. Which is the right vehicle? This Update will provide some sign posts for providers and suppliers that are on this journey.
The starting point is that providers and suppliers are now required to report and return overpayments to Medicare as a result of a provision in the Affordable Care Act. Specifically, a provider or supplier must report and return an overpayment "by the later of – (A) the date which is 60 days after the date on which the overpayment was identified; or (B) the date any corresponding cost report is due, if applicable." Failure to return an overpayment can result in the imposition of civil monetary penalties and exclusion from federal health care programs. Moreover, the retention of an overpayment beyond 60 days becomes an "obligation" under the False Claims Act (the FCA), such that, if the provider knowingly avoids the obligation to repay the funds, the provider will be subject to the FCA per claim penalty and treble damages (which can be very costly).
This overpayment obligation applies to Medicare providers and suppliers, Medicare Advantage plans, Medicaid managed care organizations, and Medicare Part D prescription drug plan sponsors.1 This Update addresses only the final regulations that apply to Medicare Parts A and B providers and suppliers.
The new regulations define the term "overpayment" broadly to include any funds received and to which a provider or supplier is not entitled. When is an overpayment "identified" for purposes of these rules? An overpayment is identified when the provider or supplier has, or should have through the exercise of reasonable diligence, determined that the provider has received an overpayment and quantified the amount of the overpayment. The Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS) has commented that reasonable diligence includes engaging in both proactive compliance activities and investigations conducted in response to obtaining creditable information of a potential overpayment. 81 F.R. 7654, 7661 (2016).
The rule also contains a six year look back period, so that when an overpayment is identified, the provider should repay improperly paid claims going back a maximum of six years. Finally, the rule provides that, when the repayment is made, the provider must also identify the reason for the overpayment.
This method of refunding an overpayment is simple and, because it appears to be administrative in nature with the refund being made to the Medicare contractor, it may seem like the route that will least likely attract the attention of regulators and law enforcement. As a result, it is an attractive vehicle for providers and suppliers. However, if there is a risk that the payments at issue were obtained in violation of the Department of Health and Human Services Office of Inspector General's (OIG) civil monetary authority or the FCA (both of which involve "knowingly" submitting false claims) or criminal law (involves intentional conduct), this vehicle does not afford the provider protection from further action by the OIG or by the Department of Justice (DOJ). These protections can only be obtained through self-disclosure to the OIG or the DOJ.
OIG Self-Disclosure Protocol
Another potential vehicle for reporting an overpayment is the OIG Self Disclosure Protocol (SDP). The SDP is available to providers and suppliers to facilitate a resolution of matters that, "within the disclosing party's reasonable assessment, potentially violate federal criminal, civil, or administrative laws for which civil monetary penalties (CMPs) are authorized." By referencing federal criminal, civil, or administrative law in the protocol, the OIG acknowledges that the SDP is intended for those situations in which the overpayment involved more than an innocent or negligent billing error. For example, the OIG CMP statute regarding false claims imposes liability when a provider "knowingly" submits, or causes to be submitted, a false claim. The term knowingly includes situations not only where claims are submitted with actual knowledge that they are false, but also those claims that are submitted with "deliberate ignorance" or "reckless disregard" of the claim's falsity. Therefore, it is evident that the protocol is intended for overpayments that involve more than simple negligence.
The intent of the SDP is more expansive than its use for reporting overpayments related to billing or coding errors, as it can be used to also disclose violations of the Anti-Kickback Statute. However, the SDP limits its use to those kickback-related submissions where there is a minimum settlement amount of $50,000. The minimum settlement amount for other types of disclosures is $10,000.
Are There any Benefits to Using the SDP?
Avoid Imposition of Corporate Integrity Agreement. First, the OIG has emphasized that all members of the health care industry have both a legal and an ethical duty to act with integrity when billing federal health care programs. As a result, providers and suppliers have an obligation to detect and prevent improper activities, including fraud and abuse. One component of that obligation is that, when providers and suppliers become aware of concerns related to billing federal health care programs, they are expected to conduct an internal investigation to determine whether a violation has occurred. When a provider does that internal investigation and concludes that there is a potential violation of a criminal, civil, or administrative law, there is a duty to report those findings to any federal health care program that has paid erroneous claims.
The material benefit to reporting a potential violation under the SDP is that the OIG views the identification, investigation, and self-disclosure of potential violations to be indicative of an effective compliance program. Due to this view that self-disclosures are the result of an already existing effective compliance program, the OIG generally employs a presumption against requiring an integrity agreement in the context of a resolution resulting from a self-disclosure.
Lower Multiplier. A second benefit to self-disclosure is that the OIG generally applies a lower multiplier to the loss amount for those providers that self-disclose and cooperate with OIG during the self-disclosure process than the multiplier employed in qui tam or government-initiated investigations. The loss amount is arrived at by determining the amount of reimbursement associated with the wrongfully submitted claims. This can be determined either through a claim-by-claim analysis if the universe of erroneous claims is small or through statistical sampling if the universe of claims is large. After the loss amount is determined, a multiplier is applied in cases involving conduct more serious than the negligent submission of a claim. In a case brought under the FCA, the government can recover treble damages (or the loss times a multiplier of three). The OIG's policy under the SDP is to require a minimum multiplier of 1.5 times the loss amount. However, the protocol also provides that OIG will "determine in each individual case whether a higher multiplier may be warranted."
Suspend Refund Obligation. Third, using the self-disclosure protocol suspends a provider/supplier's obligation to refund an overpayment under the repayment rules discussed above until a settlement is reached between the provider/supplier and the OIG. This additional time to make a repayment may be helpful to a provider/supplier in the event that the amount is significant.
Achieve Finality. Finally, the OIG's self-disclosure process is typically resolved with a settlement agreement between the parties that includes a release of the OIG's ability to collect additional penalties and its discretionary exclusion authority. When a repayment is made directly to the contractor, the contractor does not give the provider/supplier any sort of release and has discretion to take further action. It may investigate further and, as a result of that investigation, it may dispute the amount of the repayment made by the provider/supplier or refer to OIG. The benefit to entering into a settlement agreement with the OIG is that the provider/supplier achieves certainty and finality as to the amount of the refund, the amount of any associated penalty, and the terms of the agreement (i.e., whether a corporate integrity agreement will be required). In other words, the OIG self-disclosure protocol achieves finality for the provider/supplier as to the OIG's CMP and discretionary exclusion authority.
Self-Referral Disclosure Protocol
The Self-Referral Disclosure Protocol (SRDP) is used to disclose violations of the Stark law. The SRDP disclosures are reviewed by CMS, rather than the OIG. Importantly, it should be noted that while violations of Stark are reported through the SRDP, violations of the Anti-Kickback Statute or violations that involve both the Anti-Kickback Statute and Stark should be reported to OIG through the SDP.
As most providers and suppliers are aware, Stark liability is triggered when there is an arrangement to provide designated health services between a physician and an entity with which the physician has a financial relationship and the relationship does not fall within one of the exceptions to Stark. No intent to induce referrals is required. The damages at play when there is a violation of the Stark statute can be significant in that they equal the amount of the reimbursement received and which was caused by the tainted referrals. In addition to the benefits noted in relation to the SDP, above, an important benefit to using the SRDP is that CMS employs several factors in considering whether to reduce the amount owed for Stark liability. Those factors include:
The nature and extent of the improper or illegal practice;
The timeliness of the self-disclosure; and
The cooperation in providing additional information.
Self-Disclosure to DOJ
Finally, a fourth vehicle for self-disclosure is for providers and suppliers to report potential violations directly to the DOJ, typically through the local U.S. Attorney's Office. There is no formal protocol or guidance for self-disclosing to the U.S. Attorney's Office and, as a result, there is less certainty about the outcome. For example, while the SDP is clear that the OIG uses a multiplier of 1.5 times single damages as its benchmark for settlement, the only guidance for self-disclosure to the DOJ is that the FCA provides that damages will be limited to double damages if a provider/supplier voluntarily discloses a violation and certain conditions are met.
While there is less certainty about the process, there are some factors that may weigh in favor of a self-disclosure to the U.S. Attorney's Office.
Utilize Favorable Relationships. The first potential advantage is that outside counsel or the provider may have a favorable relationship with the U.S. Attorney's Office that would help facilitate resolution of the matter.
Settlement Flexibility. A second potential benefit is that, under some circumstances (and especially where overpayments are comparatively small), the U.S. Attorney's Office may have more flexibility in crafting a settlement, both in terms of the amount of the settlement and the terms of the settlement. While there is a common practice for the DOJ to require a multiplier of two in FCA settlements, because there is no written guidance on an acceptable multiplier, a provider/supplier may propose to the DOJ that a smaller multiplier (such as a 1.5 multiplier consistent with the OIG SDP) is appropriate in light of the circumstances.
Achieve Finality. Finally, a greater level of finality may be achieved by disclosing to the U.S. Attorney's Office. First, the provider can resolve whether there is any criminal exposure. Because the U.S. Attorney's Office is charged with bringing federal criminal prosecutions of health care fraud, it has the ability to make a determination whether or not to criminally charge a provider. Two of the factors that prosecutors are directed to consider when deciding whether to charge a corporation are:
The existence and effectiveness of the entity's pre-existing compliance program; and
The corporation's timely and voluntary disclosure of wrongdoing (usually a byproduct of an effective compliance program).
In light of these directives and absent egregious circumstances, most prosecutors would hesitate to criminally charge a provider who provided a voluntary disclosure.
Second, on the civil side, a settlement with the DOJ pursuant to self-disclosure can protect against a qui tam. The DOJ is authorized to provide a FCA release when it resolves a voluntary disclosure. Obtaining a FCA release is important under circumstances where there is a chance that a whistleblower will file a qui tam under the provisions of the FCA against the provider because the FCA release provided by the DOJ will act as a defense in any subsequently filed case.
So, What Is the Best Option?
If a provider or supplier identifies a potential overpayment, it may be inclined to take the route that appears easiest and least likely to result in a government investigation – that is, to simply refund the money through the administrative contractor. In many cases, reporting and refunding the overpayment to the Medicare contractor is the appropriate vehicle. However, it is important for a provider/supplier to engage in at least two additional steps to determine the most appropriate and advantageous method of reporting and repaying an overpayment. First, the provider/supplier should conduct an internal investigation to determine whether the overpayment was simply an innocent billing mistake or whether it was associated with a potential violation of federal criminal, civil, or administrative laws. A future von Briesen Legal Update will be devoted to discussing internal investigations. That internal investigation process will facilitate the second step – carefully assessing the potential costs and benefits of reporting the overpayment through the various mechanisms described above. Due to the significant costs to a provider/supplier should it be faced with an enforcement action for failing to make a refund or an appropriate disclosure, all providers and suppliers should consider incorporating this analysis into their compliance efforts.
1 CMS has issued final regulations related to Medicare Parts A and B overpayments and Medicare Parts C and D overpayments. It has not issued final rules for Medicaid managed care overpayments. The regulations discussed in this Legal Update are those that pertain to Medicare Parts A and B overpayments. As it relates to Medicaid overpayments, the Wisconsin Medicaid Program requires repayment within 30 days of the date of a duplicative payment received from another program or within 30 days of the date of discovery for all other types of overpayments. Wis. Admin. Code DHS 106.04(5).