Skip to main content

Updated Self-Disclosure Protocol Clarifies Disclosure Process and Obligations

Individuals and entities subject to the Civil Monetary Penalty Law (CMP) have received clarification regarding the process for disclosing and resolving potentially unlawful conduct involving the federal health care programs (FHCP). On April 17, 2013, in response to a 2012 solicitation for comments and recommendations, the Office of Inspector General for the Department of Health and Human Services (the “OIG”) issued an updated Provider Self-Disclosure Protocol (the “Updated SDP”). The OIG published its first guidance on self-disclosure in a 1998 Federal Register notice and subsequently issued three open letters that expanded upon that notice. With the Updated SDP, the OIG has consolidated its issuances on self-disclosure into a single, 15-page document that supersedes past issuances and formalizes some aspects of the process not previously articulated in writing.

Among other things, the Updated SDP:

  1. identifies the individuals and entities and the conduct eligible for the SDP;
  2. outlines the information a disclosing party must provide in all submissions;
  3. defines specific information to be included in disclosures involving false billing, employment of individuals excluded from FHCPs, and possible violations of the Anti-Kickback Statute (AKS) and the Physician Self-Referral Law (Stark Law);
  4. addresses the tolling of a provider’s 60-day obligation to return overpayments following a submission to the SDP; and
  5. describes some of the methodologies the OIG uses for calculating damages.

The following chart summarizes key aspects of the Updated SDP.


Components of the Updated Self-Disclosure Protocol

Key Changes


  • Minimum settlement amount
    • $50,000 for AKS violations
    • $10,000 for others
  • Eligible conduct
    • Potential violations of federal criminal, civil, or administrative law for which CMPs are authorized (collectively, “Applicable Laws”).
  • Ineligible conduct
    • Any conduct that does not involve a violation of Applicable Laws, such as conduct involving only overpayments or other payment errors or the Stark Law exclusively.5
  • Waiver of defenses under a statute of limitations or laches required in most circumstances.

Requirements are mostly consistent with the OIG’s existing procedures and practices.

The OIG made clear that a disclosing party must waive defenses related to the statute of limitations and laches and reiterated that it does not accept Stark-only disclosures.

General Disclosure Requirements

  • A concise statement of the relevant conduct disclosed.
  • Identification of the federal criminal, civil, or administrative laws potentially violated.
  • Acknowledgement of a potential violation of one or more of the Applicable Laws.
  • A summary of the findings from the internal investigation.
  • Description of the corrective actions taken upon discovery of the conduct.
  • Estimate of damages, or certification that the estimate will be submitted to the OIG within 90 days of submission of the self-disclosure.
  • Acknowledgement that the disclosed matter is the subject of a government inquiry, if applicable.

Requirements are mostly consistent with the OIG’s existing procedures and practices.

The OIG now requires the disclosing party to acknowledge that the conduct is a potential violation of law.

The OIG previously allowed the internal investigation to be completed 90 days from the date of acceptance into the SDP.

Disclosure Requirements Applicable to Certain Disclosures

  • False billing matters
    • Estimate of the improper amount paid the FHCPs (i.e., damages) based on a review of all affected claims or a statistically valid random sample.
    • If using a sample, the disclosing party must identify the sample size (100 item minimum) and methodology.
  • Excluded individual matters
    • Identification of former and current background check and screening processes used, and explanation of any corrective action taken upon discovery of the disclosed conduct.
  • AKS (and Stark Law) matters
    • The OIG identified a non-exclusive list of information it uses to assess a possible AKS violation (and Stark Law violation, if applicable), such as: the disclosing party’s fair market value determination methodology; commercial reasonableness of the financial arrangement; and the circumstances of the failure to meet a statutory requirement, an AKS safe harbor or exception, or a Stark Law exception.

The OIG formalized existing case evaluation procedures and practices but provided more transparency on the information it requires, particularly for AKS/Stark disclosures.

The OIG increased the minimum sample size from 30 to 100, but no longer requires a precision level for sampling results.

The OIG will not permit the offset overpayments with underpayments when calculating damages.

Additionally, the OIG now requires more information regarding corrective actions.

Damages calculations

  • A minimum 1.5 multiplier of single damages (rather than double or treble damages) will be sought.
  • Excluded individual matters
    • Damages are based on the dollar amount of services an excluded individual billed to the FHCPs.
    • If the excluded individual did not individually bill, the proportion of the excluded individual’s compensation and benefits attributable to the FHCPs, using the provider’s FHCP “payor mix” as a proxy.
  • AKS (and Stark Law) matters
    • Damages are based on remuneration paid rather than claims paid.

These changes mostly formalize the OIG’s existing procedures and practices.

The 1.5 minimum multiplier for damages did not appear in past guidance documents.

The OIG no longer requires its prior consent before a disclosing party may return an overpayment to another agency before SDP resolution.

If the repaid overpayment is related to the disclosed conduct, the OIG will credit the payment against the ultimate settlement.


Interplay with the 60-Day Overpayment Rule

The OIG addressed the relationship between the Updated SDP and the 60-day overpayment rule (the “Overpayment Rule”), which was passed in 2010 as part of the Affordable Care Act and which was the subject of a proposed rule published by the Centers for Medicare & Medicaid Services (CMS) in February 2012 (the “Proposed Rule”). Because the Overpayment Rule requires providers and suppliers to return Medicare and Medicaid overpayments within 60 days of identification, many have wondered how the Overpayment Rule related to the OIG’s previous instruction not to return overpayments that are the subject of a self-disclosure. According to the Proposed Rule, CMS intends to suspend the Overpayment Rule’s notice and repayment obligations “when [the] OIG acknowledges receipt of a submission to the OIG SDP” and “until a settlement agreement is entered, or the provider or supplier withdraws or is removed from the OIG SDP.” Consistent with the Proposed Rule, CMS Self-Referral Disclosure Protocol stays any requirements under the Overpayment Rule. The OIG plans to provide additional guidance on how participation in the SDP will account for or mitigate liability under the Overpayment Rule after CMS finalizes the regulations.

Disclosing Parties Must Weigh Costs and Benefits of Self-Disclosure

Self-disclosing possibly unlawful conduct to the OIG has both benefits and challenges. Benefits include potentially reduced damages and penalties; coordinated settlements among multiple enforcement agencies (CMS for Stark Law violations and the Department of Justice under the False Claims Act); a presumption that the OIG would not require a Corporate Integrity Agreement in exchange for the OIG’s release of its exclusion authority; and a potential stay of the 60-day deadline to return overpayments. However, a disclosing party faces a substantial burden because it must complete a thorough investigation of any potentially unlawful conduct before the self-disclosure and estimate damages within 90 days of submission. Further, the disclosing party must acknowledge that a potential violation of the Applicable Laws occurred.

Thomas Crane of Mintz Levin’s Health Care Enforcement Defense Group, who has substantial experience with the self-disclosure process, believes that “health care providers have long understood the significant challenges and risks presented by self-disclosure,” and, according to Crane, the Updated SDP “provides greater procedural clarity but raises the bar on submission requirements.” Thus, a party considering disclosure must carefully consider the conduct at issue and carefully weigh the pros and cons of submitting a self-disclosure.


1 Since releasing the Self-Disclosure Protocol in 1998, the OIG has issued three Open Letters dated April 24, 2005, April 15, 2008, and March 24, 2009. These letters are available at the OIG’s SDP website:

2 63 Fed. Reg. 58399 (Oct. 30, 1998).

3 42 U.S.C. § 1320a-7b(b).

4 42 U.S.C. § 1395nn.

5 The Centers for Medicare & Medicaid Services (CMS) oversees the Self-Referral Disclosure Protocol, which is designed to cover disclosure of potential violations of the Stark Law. See Thomas S. Crane and Brian P. Dunphy, CMS Implements Self-Referral Disclosure Protocol Process to Self-Disclose Stark Law Violations (Sept. 27, 2010); Thomas S. Crane and Brian P. Dunphy, “HHS Issues Report to Congress on the Self-Referral Disclosure Protocol” (Mar. 28, 2012).

6 For a discussion of the proposed 60-Day Overpayment Rule, see Karen S. Lovitch and Stephanie D. Willis, CMS Publishes Proposed Rule on Return of Medicare and Medicaid Overpayments, (Feb. 16, 2012).

Subscribe To Viewpoints


Karen S. Lovitch

Chair, Health Law Practice & Co-Chair, Health Care Enforcement Defense Practice

Karen advises industry clients on regulatory, transactional, operational, and enforcement matters. She has deep experience handling FCA investigations and qui tam litigation for laboratories and diagnostics companies.

Brian P. Dunphy

Member / Co-Chair, Health Care Enforcement Defense Practice

Brian P. Dunphy is a member of the Health Care Enforcement & Investigations Group at Mintz. He defends clients facing government investigations and whistleblower complaints regarding alleged violations of the federal False Claims Act. Brian also handles commercial health care litigation.