OIG Self-Disclosure Protocol Redesign After 14 Years

June 20, 2012

Agency seeks industry comment on self-disclosure protocol to address issues and provide guidance to healthcare industry.

This week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) announced that it will update its voluntary Provider Self-Disclosure Protocol (SDP or Protocol) and is soliciting suggestions from the public on potential revisions.[1] The agency is seeking suggestions on "how best to revise the Protocol to address relevant issues and to provide useful guidance to the health care industry."[2]


OIG originally published the SDP[3] 14 years ago, in 1998. Modeled on the Department of Defense's self-disclosure protocol, the SDP offered healthcare providers the opportunity to self-report potential fraud involving federal healthcare programs to OIG. The protocol was published at the same time as Health Insurance Portability and Accountability Act (HIPAA) healthcare fraud enforcement, False Claims Act investigations, and so-called "national enforcement projects" were getting under way. It also coincided with the beginnings of OIG's compliance program guidances for various industry sectors. It was also at this time that Stark Law compliance emerged as a front-burner issue, even though the Centers for Medicare & Medicaid Services (CMS) had not yet finalized its Stark Law regulations or issued a self-disclosure protocol for Stark Law issues.

SDP Usage

While originally intended to expedite resolution of potential fraud matters by shifting the investigative burden to disclosing providers, self-disclosures under the Protocol often are anything but "speedy," largely due to limited OIG resources or a lack of agency prioritization. Partly as a result of this, other self-disclosure options (such as disclosures to states, U.S. Attorneys' offices, or the Department of Justice) have emerged as more nimble and user-friendly. Further, with the advent of the CMS Self-Referral Disclosure Protocol (SRDP) in 2010, providers also have the option of self-disclosing potential Stark Law violations to CMS, although this mechanism is still new and has resulted in relatively few settlements with hospitals and physician practices thus far.[4] Settlements of self-disclosures, many of which are summarized by OIG on its website, indicate that most providers have used the SDP to disclose employment of excluded persons, as well as anti-kickback and/or self-referral (Stark Law) issues related to documentation of physician financial relationships, in hopes of obtaining favorable settlement terms in recognition of their having coming forward voluntarily.[5] To date, according to statistics published by OIG, participating providers have resolved more than 800 matters with OIG through the Protocol, with settlements totaling $280 million.[6] Nonproviders, such as pharmaceutical and medical device companies, have rarely used the Protocol, perhaps because the SDP was originally envisioned for licensed providers of healthcare services.

Open Letters Clarify Protocol

Since 2006, reflecting shifting sands in the Stark Law and OIG resource environment, OIG has issued three open letters clarifying aspects of the Protocol.[7] (OIG's forthcoming revision would be the first update to the Protocol itself.) In 2006, on the heels of increased Stark Law enforcement, OIG announced an initiative to encourage providers to disclose conduct involving OIG self-referral and anti-kickback authorities, stating that the office would calculate damages based on a multiplier of the value of the excess benefit that the provider conferred upon physicians as opposed to the total amount of "tainted" Medicare claims involved—a welcome concession. Subsequently, in 2008, OIG clarified requirements for initial submissions to the Protocol and announced that it would not require compliance agreements (e.g., corporate integrity agreements (CIAs)) in most cases. Finally, in 2009, OIG backed away from its earlier solicitation of Stark Law self-disclosures, declaring that it would no longer accept disclosure of matters involving physician self-referral violations in the absence of a "colorable anti-kickback violation," a term which the open letter did not define. In that 2009 open letter, OIG also announced a minimum settlement amount of $50,000 for disclosures of anti-kickback issues, perhaps in recognition of OIG's limited resources.

Comments Regarding SDP Revision

OIG's notice soliciting industry input on changes to the Protocol gives providers and other industry sectors (e.g., manufacturers) an opportunity to obtain additional guidance on the Protocol and to alter some of its key features. Improvements to the Protocol could enhance its value as a tool for managing False Claims Act risk. This is an important consideration for private equity firms and other buyers of healthcare businesses since they often unearth legal issues during acquisition due diligence. For life sciences companies, one potential improvement relates to the Protocol's requirement that participants estimate Medicare or Medicaid "damages," or paid claims. This requirement limits manufacturers' access to the Protocol since they are often unable to comply with this provision. Some other areas for potential comments include the following:

  • The need to define the "colorable anti-kickback violation" requirement for disclosures involving self-referral issues and the Protocol's interplay with the CMS SRDP (unless the Affordable Care Act (ACA) is found unconstitutional and nonseverable by the U.S. Supreme Court, in which case the CMS SRDP may cease to exist).
  • Establishing a time frame for OIG's assessment of completed submissions under the Protocol.
  • Clarity on whether OIG will continue to require Certification of Compliance Agreements (CCAs) for resolutions under the Protocol. OIG has not agreed to a CCA in several years and the reference may be out of date or offer false hope. (Note: CCAs are less burdensome than CIAs.)
  • Guidance on whether, and in what circumstances, OIG would impose CIA obligations on self-disclosing entities.
  • Potential for a more streamlined disclosure and proportional settlement approach for matters involving employment of excluded persons.
  • Standards for the range of multipliers that OIG will apply to matters self-disclosed under the Protocol.
  • Guidance on OIG's expectations regarding repayment in light of the new requirement to return identified overpayments within 60 days (although if the ACA is found unconstitutional and nonseverable by the Supreme Court, the 60-day refund requirement may be derailed).

Since OIG has issued an open call for suggestions, providers may also wish to submit general comments on why they do not currently use the Protocol.

Comments must be delivered by 5:00 p.m. ET on August 17, 2012, to the federal eRulemaking Portal at or by mail to Kenneth D. Kraft, Office of Inspector General, Department of Health and Human Services, Cohen Building, 330 Independence Avenue S.W., Washington, DC 20201.

We will continue to monitor OIG's efforts to revise the Protocol and provide further analysis on how these updates may affect the healthcare industry.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the authors, Howard J. Young (202.739.5461; and Arianne N. Callender (202.739.5280;

[1]. See 77 FR 36281, 36281-36282, available here (last visited June 18, 2012).

[2]. See id.

[3]. OIG Self-Disclosure Protocol documents available here (last visited June 18, 2012).

[4]. CMS publishes a summary of its SRDP settlements on its website, available here (last visited June 18, 2012).

[5]. See here (last visited June 18, 2012).

[6]. See 77 FR 36281, 36281-36282, available here (last visited June 18, 2012).

[7]. OIG Open Letters available here (last visited June 18, 2012).