Media Center

Decisions, Decisions: Reporting Fraud and Abuse

July 16, 2019

Reprinted with permission from the July/August, 2019 edition of Corporate Counsel Business Journal © 2019 Law Business Media. Further duplication without permission is prohibited. All rights reserved.

Incentivized to self-report violations, healthcare organizations must navigate an array of self-disclosure protocols.

Over the last decade, government agencies charged with enforcing federal fraud and abuse laws, namely the Office of Inspector General (OIG) of the Department of Health and Human Services, the Centers for Medicare and Medicaid Services (CMS) and DOJ – OIG, CMS and DOJ are collectively referred to as “agencies” – have made a concerted effort to incentivize healthcare organizations to self-report actual or suspected violations of fraud and abuse laws. While each agency adopts its own self-disclosure protocols or guidelines, referred interchangeably here as “protocols,” and offers different incentives for voluntary disclosures, the common theme behind these protocols is that healthcare organizations that proactively identify, self-report and remedy actual or potential violations may be considered for more lenient treatment, typically in the form of reduced monetary liability.

Although these protocols share similarities and the agencies enforcing them may have overlapping or parallel jurisdiction depending on the type of violation, each agency administers its own protocols, has different requirements for participation, and offers different incentives for voluntary disclosure. Healthcare organizations that identify potential legal violations should carefully evaluate whether self-disclosure is appropriate and desirable under their circumstances, should familiarize themselves with each protocol and determine which agency is best suited to receive the entity’s voluntary disclosure.

Choosing an Agency for Voluntary Self-Disclosure

The difficulty and complexity of selecting the agency to which the entity will submit its voluntary disclosure can vary greatly. By way of example, a hospital identifies a potential violation resulting from its assumption of employment agreements of physicians formerly employed by a group practice that the hospital acquired. Under the agreements, each physician’s total compensation is consistent with fair market value, but the agreements do not comply with all the elements of either the bona fide employment or fair market value compensation exceptions to the Physician Self-Referral Statute[1] (commonly referred to as the Stark Law). While the agreements appear to violate the Stark Law, a strict liability statute, the parties lack the requisite intent necessary for violations of the Anti-Kickback Statute[2] (AKS). In addition, the hospital’s payment of compensation to the physicians likely does not violate the AKS because the payments would be protected under the AKS statutory exception for compensation to bona fide employees.[3] Under these circumstances, which agency would be best suited to receive the entity’s self-disclosure?

In the preceding example, the hospital’s identified potential violation appears to only implicate the Stark Law; as such, the entity’s only option would be to make a voluntary self-disclosure under the CMS Self-Disclosure Referral Protocol (SDRP). Conversely, in circumstances where the underlying conduct potentially violates both the Stark Law and the AKS, the entity would be advised to make a voluntary self-disclosure under the OIG’s Provider Self-Disclosure Protocol (SDP). OIG and CMS guidance are clear that entities should not use both agencies’ protocols for the same arrangement. Finally, if the underlying conduct implicates the Stark Law, the AKS and the False Claims Act (FCA), the OIG encourages entities to disclose the conduct through the OIG’s protocol and the OIG will coordinate with DOJ in resolving the potential violations disclosed. Given DOJ’s recent guidelines on the award of cooperation credit to parties who self-disclose potential FCA violations in civil matters, entities contemplating voluntary disclosure may want to carefully consider whether direct disclosure of potential FCA violations to DOJ would also be warranted to ensure receipt of cooperation credit.

Navigating the self-disclosure process can be daunting. Although an in-depth discussion of each agency’s protocol is beyond the scope of this article, the following summaries of the agencies’ respective protocols may be helpful to entities and their counsel trying to decide whether the entity should self-disclose, and if so, to which agency.

CMS Self-Disclosure Referral Protocol

Following enactment of the Affordable Care Act (ACA) in 2010, CMS implemented a protocol under which providers and suppliers may voluntarily disclose actual and suspected violations of the Stark Law. On March 28, 2017, CMS issued a new SRDP[4] announcing a new “streamlined” process for voluntary disclosures and requiring the use of several forms for all voluntary disclosures made on or after June 1, 2017. These forms include: SRDP Disclosure Form, Physician Information Form, Financial Analysis Worksheet and Certification. Note that under the current SRDP a disclosing party is required to update its submission within 30 days of it filing for bankruptcy, undergoing a change of ownership, or changing its designated representative.

As previously mentioned, the SRDP may only be used to report violations of the Stark Law. Key potential benefits and drawbacks of self-disclosing Stark violations through the SRDP include:


  • Potential reduction of overpayment liability. CMS may consider the following factors in deciding whether to reduce the total amount owed (this list is not exhaustive): “(1) the nature and extent of the improper or illegal practice; (2) the timeliness of the self-disclosure; and (3) the cooperation in providing additional information related to the disclosure.”[5]
  • Submission of self-disclosure tolls the 60-day period for repayment of identified overpayments under the Affordable Care Act.


  • No guarantee that CMS will reduce overpayment liability.
  • CMS does not have authority to release the discloser from civil monetary penalties (CMP) as those are within the authority of the OIG.[6]
  • Participation in the protocol requires that the discloser certify noncompliance with the Stark Law. CMS may refer disclosed matters to OIG or DOJ for further investigation and possible prosecution.

OIG’s Provider Self-Disclosure Protocol

The OIG Provider Self-Disclosure Protocol was first published in 1998 to “establish a process for health care providers to voluntarily identify, disclose, and resolve instances of potential fraud involving the Federal health care programs.”[7] The SDP was updated on April 17, 2013.[8] The SDP is available for providers, suppliers, and other entities or individuals whose conduct potentially violates Federal criminal, civil or administrative laws for which OIG is authorized to impose CMPs under 42 C.F.R. Part 1003. The types of matters that may be voluntarily disclosed and potentially resolved through the SDP include, without limitation, violations of AKS, violations of both Stark and the AKS, overpayments that become false claims under the ACA 60-day repayment rules, and submission of claims to federal healthcare programs for items or services furnished by persons who appear on the OIG’s List of Excluded Individuals and Entities.

Key potential benefits and drawbacks of self-disclosing violations through the SDP include:


  • Imposition of a lower multiplier on single damages. OIG’s general practice is to require a multiplier of 1.5 times the amount that was improperly paid by the government.
  • Presumption against requiring the discloser to enter into a Corporate Integrity Agreement with the OIG.
  • Submission of self-disclosure tolls the 60-day period for repayment of identified overpayments under the ACA.


  • No guarantee that OIG will reduce penalties.
  • OIG is required to refer criminal conduct to DOJ.
  • Disclosing Party must conduct an internal investigation and report the findings to OIG or certify that it will do so within 90 days.

Voluntary Disclosure to DOJ

The DOJ is the latest agency to adopt guidelines meant to encourage entities to self-report potential violations of fraud and abuse laws in the civil context. On May 7, 2019, DOJ updated its Justice Manual to include guidelines to DOJ attorneys for awarding cooperation credit in civil cases involving potential violations of the FCA. The guidelines provide that “[e]ntities or individuals that make proactive, timely and voluntary self-disclosure to the Department about misconduct will receive credit during the resolution of a FCA case.”[9] Credit may also be awarded to entities that cooperate with ongoing government investigations and take remedial actions to correct and prevent reoccurrence of the misconduct.

The level of credit that could be awarded will depend on the particular facts and circumstances and the extent of the entity’s cooperation as determined by DOJ. The guidelines are clear that the type of conduct that is considered “cooperation” and makes an entity eligible for credit does not include expected and legally required actions such as disclosure of information required by law, response to a subpoena, investigative demand or other compulsory process for information. Credits will generally be awarded by reducing the multiple sought by the government for determining the total amount of penalties and damages for the FCA violation. DOJ may also award credit through other avenues such as notifying a relevant agency about the entity’s disclosure or other cooperation so the other agency is aware of the entity’s good faith cooperation efforts; publicly acknowledging the entity’s disclosure or other cooperation; and assisting the entity in resolving any pending quitam litigation.

Key potential benefits and drawbacks of self-disclosing civil FCA violations to the DOJ include:


  • Potential for reduced penalties or damages multiplier under the FCA. Maximum monetary credit available would be single damages, plus lost interest, investigative costs and relator share on quitam cases.
  • Credit may also be awarded in non-monetary ways, such as the examples identified above.


  • No specific protocol has been adopted to govern voluntary disclosures to DOJ, so the process, timeframe for resolution and expected outcome is even more unpredictable than other self-disclosures.
  • No guarantee that DOJ will reduce penalties and damages and/or award cooperation credits.
  • Risk that DOJ will initiate its own investigation into the disclosed matters, or other matters outside the scope of the disclosure.

© 2019 McNees Wallace & Nurick LLC
Healthcare Law Update is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.

[1] 42 U.S.C. §1395nn.

[2] 42 U.S.C. §1320a-7b(b).

[3] Id. at (b)(3).

[4] Available at (accessed May 22, 2019).

[5] Id. at Page 3, Section VIII.

[6] 42 C.F.R. § 1003.102(a)(5).

[7] SDP, Page 1, Section I. Available at (accessed May 22, 2019).

[8] Id.

[9] Department of Justice, Office of Public Affairs, Justice Manual, § 4-4.112.