Two of the principles governing healthcare providers require them to self-monitor their compliance with various legal requirements and to self-report when they discover noncompliance.
First, the Department of Justice (DOJ) and Office of Inspector General (OIG) encourage self-disclosure if a provider discovers noncompliance with the Stark Law, Anti-Kickback Statute (AKS), False Claims Act (FCA), or Civil Monetary Penalties Law (CMP Law)—all four generally referred to as “fraud and abuse laws.”[2][3][4][5] DOJ and the OIG are the primary enforcement agencies. However, other enforcement agencies (such as state Medicaid and the Department of Defense) work closely with DOJ and the OIG to resolve self-disclosures. Therefore, reference to DOJ and the OIG in this article also generally includes any other government payor or enforcement agency.
Second, government payor rules (such as Medicare’s myriad payment guidelines and rules) require that providers submit accurate bills for payment. If any noncompliance with these payment guidelines is discovered (such that the provider may have received an overpayment from any government payor), then the provider is required to pay the requisite government payor(s) back. These two principles go hand in hand and are codified in statute, regulation, and various guidance. When an issue of potential noncompliance is discovered, then healthcare providers should work with counsel to determine whether to repay an overpayment or enter into either the OIG’s or the Centers for Medicare & Medicaid Services (CMS) Self-Disclosure Protocol.
Legal Duty to Self-Disclose
The legal duty to self-disclose arises in several ways—both explicitly through federal law and implicitly through damage considerations under the fraud and abuse laws and other “carrots and sticks” offered by DOJ and the OIG. The obligations and principles described apply to payments made by any federal payment programs, including Medicare, Medicare Advantage, Tricare, and Medicaid (government payors or payors). Please note that the CMS’s 60-Day Rule described in this article applies specifically to Medicare Parts A and B. However, the Affordable Care Act repayment obligations and self-disclosure principles apply across all federal payors and Medicaid.
In 1995, the OIG, DOJ, and several other agencies piloted a precursor to OIG’s first self-disclosure protocol. The OIG issued its first Self-Disclosure Protocol in 1998, although the OIG had worked informally with providers to facilitate self-disclosure prior to that date.[6] The crux of these programs was to encourage providers to implement compliance programs and come forward when they discovered noncompliance through the offer of incentives, such as reduced fines. These programs have evolved but retained the original goal of encouraging self-disclosure of compliance-related issues. Most recently, DOJ issued updated guidelines in 2019 explaining that self-disclosure and other cooperation with the government will result in a reduction in potential damages.[7]
FCA Repayment Obligations
The FCA also contains an explicit obligation not to retain overpayments. In 2009, Congress passed the Fraud Enforcement and Recovery Act.[8] The relevant section of the law is an amendment to the FCA explicitly making retention of any government overpayment actionable under the FCA.[9] This amendment to the FCA modified prior requirements that a false claim required an affirmative presentation of a false claim to the government. Now, any knowing retention of an overpayment is governed by the FCA.[10] This amendment also codifies incentives for self-disclosure by providing by law that damages will be reduced from mandatory treble damages to double damages if a provider self-discloses and fully cooperates with any ensuing investigation.
Affordable Care Act 60-Day Rule Repayment Obligations
The Affordable Care Act and related regulations, more than any other law or regulation, codified and gave explicit instruction on the requirement to return overpayments and self-disclose behavior leading to an overpayment. Section 6402(a) of the Affordable Care Act established a new section 1128J(d) of the Social Security Act (SSA).[11] The SSA, at 42 U.S.C. § 1320a-7k(d)(1), requires a person who has received an overpayment to report and return the overpayment to the appropriate entity and to notify the entity to which the overpayment was returned in writing of the reason for the overpayment.[12] The overpayment must be reported and returned by the later of:
- The date that is 60 days after the date on which the overpayment was identified; or
- The date any corresponding cost report is due, if applicable.
Failure to comply (meaning retention of a known overpayment or failure to investigate a suspected overpayment) can result in liability under the FCA.
CMS issued regulations governing the 60-Day Rule on February 12, 2016.[13] The 60-Day Rule identifies several important concepts, including identification of an overpayment, what is an overpayment, required lookback period, and how to report the overpayment.
Identification
The 60-Day Rule requires healthcare providers to return an overpayment within 60 days of identification of the overpayment. CMS regulations define “identification” to mean the following:
A person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment and quantified the amount of the overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.[14]
From a practical standpoint, this means that an overpayment is identified when the provider becomes aware that an overpayment may exist, investigates it, and quantifies the amount. CMS stated in the final rule, “We believe that undertaking no or minimal compliance activities to monitor the accuracy and appropriateness of a provider or supplier’s Medicare claims would expose a provider or supplier to liability under the identified standard articulated in this rule based on the failure to exercise reasonable diligence if the provider or supplier received an overpayment.”[15] The rule contains a “know or should have known” qualifier and a “reasonable diligence” qualifier. Both of these qualifiers serve to require healthcare providers to maintain a compliance program and to exercise diligence to proactively investigate any potential overpayment.
The 60-Day Rule also states that a healthcare provider has “identified” an overpayment once it has quantified the overpayment. Again, from a practical standpoint, this means that a provider will become aware of a potential overpayment and then must take steps to investigate the amount of the overpayment. The provider has “quantified” the overpayment once it has completed its internal or external review and identified the amount of the overpayment. CMS offers a time period of six months as a reasonable time period for conducting such an investigation absent extraordinary circumstances. Extraordinary circumstances could include very complex or difficult investigations or external forces, such as natural disaster or pandemic. Complex investigations could occur because the overpayment requires a particularly in-depth review of a very large number of charts. It could also result from technical issues, such as a need to manually retrieve data from a historical electronic medical record system that cannot produce the reports needed to conduct a review.
This is the point at which the 60-day clock begins ticking and the provider must either self-disclose or refund the overpayment.
Overpayment
The 60-Day Rule also discusses what an overpayment is. Overpayment means “any funds that a person has received or retained under title XVIII of the Act to which the person, after applicable reconciliation, is not entitled under such title.”[16]
This definition is straightforward. If a provider receives funds to which it is not entitled, it is an overpayment. This is true regardless of whether there was a billing error by the provider or a payment error by a Medicare Administrative Contractor (MAC) or a violation of the Stark Law resulting in overpayment or any other means.
However, it is also important to note that there are some instances in which a provider may bill incorrectly, but no increase in reimbursement results. This may happen, for example, where an inpatient is classified under one diagnosis code where another diagnosis code may have been more appropriate, but because both codes fall under the same diagnosis-related group, no increase in reimbursement results. CMS has specified that in such cases where there is no change in reimbursement, there is no overpayment: “This rule concerns reporting and returning overpayments received by the provider or supplier. Therefore, if the error or non-reimbursable cost at issue did not result in an increase in reimbursement, then no overpayment was received and section 1128J(d) of the Act is not implicated.”[17]
Lookback Period
The 60-Day Rule also discusses the investigative “lookback period” that providers should use when investigating an overpayment, setting the period at six years.[18] This means that when providers receive information regarding potential overpayments, then the default position should be an investigation that reviews similar bills and practices going back for six years. As an example, if a provider becomes aware that its employed physicians may have been billing physician assistants (PAs) as incident-to, but that the building in which such services were performed did not comply with CMS “same suite” requirements to bill incident-to, then the provider should use a six-year lookback period to determine the overpayment amount on improperly billed incident-to services.
However, a six-year lookback period may not be necessary where there is a specific reason for using a shorter period. Using the prior example, if the building in which the physicians were in a different suite than the PAs was built only three years prior to the issue coming to light, then a three-year lookback period would be appropriate.
By contrast, for example, if a hospital buys another hospital and the purchasing hospital assumed the liabilities of the purchased hospital by accepting assignment of the Medicare agreement, then the purchasing hospital is responsible for historical overpayments of the purchased hospital and must use a six-year lookback period as a default even though it may not have owned the purchased hospital at the time of the overpayments.
Method to Return Overpayments
The final element of the 60-Day Rule is a discussion of how to return the overpayment. Pursuant to 42 C.F.R. § 401.305(d), providers must either return the overpayment through a voluntary refund process or self-disclose after determining which method is appropriate.
The rule states, “A [provider] must use an applicable claims adjustment, credit balance, self-reported refund, or other reporting process set forth by the applicable Medicare contractor to report an overpayment, except as provided in paragraph (d)(2) of this section. If the person calculates the overpayment amount using a statistical sampling methodology, the person must describe the statistically valid sampling and extrapolation methodology in the report.”[19] This requirement allows providers to return overpayments via a voluntary refund process or other applicable reporting process as permitted by a provider’s MAC.
The rule also states, “A person satisfies the reporting obligations of this section by making a disclosure under the OIG’s Self-Disclosure Protocol or the CMS Voluntary Self-Referral Disclosure Protocol resulting in a settlement agreement using the process described in the respective protocol.”[20] Thus, the provider may also use the self-reporting protocols provided by the OIG or CMS, as appropriate, to report an overpayment and enter into a settlement to resolve the overpayment.
Choosing Whether to Self-Disclose or Repay
Under 42 C.F.R. § 401.305(d), a provider satisfies the requirements of the 60-Day Rule if it uses the MAC voluntary refund process or if it uses the CMS or OIG Self-Disclosure Protocols. How does a provider decide which to use?
The OIG typically only accepts providers into its Self-Disclosure Protocol when the provider believes that there may have been a violation of a fraud and abuse law.[21] Likewise, CMS only accepts Stark Law self-disclosures when there is evidence that there was a breach of the Stark Law. Therefore, as a rule of thumb, a provider may ask whether the overpayment was indicative, or showed signs of, a breach of one of the above laws. In many cases, this may mean looking for intent to defraud in some manner or looking to determine whether there has been a specific breach of the CMP Laws, such as employing an excluded person or failing to return a known overpayment.[22]
By contrast, for overpayments that do not implicate the Stark Law and that do not show signs of intentional fraudulent activity or violation of an element of the CMP Law, a voluntary refund to the MAC will usually suffice. These are mostly run-of-the-mill overpayments. For example, inadvertent supervision mistakes, documentation errors, or poor documentation missing certain elements tend to be billing mistakes that are usually not the result of any intent to defraud federal payor programs.
Self-Disclosure or Voluntary Refund Team
Compliance with the 60-Day Rule and any required investigation and self-disclosure or voluntary refund will often require involvement of several team members. For small overpayments based on isolated and identifiable individual claims, it may not be necessary to hire counsel or auditors to return the overpayment via the voluntary refund process or other approved process with the provider’s MAC. However, for larger compliance or overpayment concerns—especially those that may require extrapolations from a sample of claims—providers should strongly consider involving their counsel as well as an audit team. If a self-disclosure is indicated, providers should involve counsel, whether internal or external.
Attorneys can assist in several ways. The first and most basic is simply providing legal counsel: helping providers decide how to structure an internal investigation, audit in a compliant manner, and determine whether a voluntary refund or a self-disclosure is the more legally appropriate response. Counsel is also helpful in determining whether an overpayment exists based on relevant laws and regulations. Second, by involving counsel at the outset of an internal investigation and allowing counsel to take the lead on an audit or investigation, the investigation or audit can be performed under attorney-client privilege. Auditing or investigating under privilege is beneficial because it allows providers to investigate and fully understand the root cause of the breach of any laws in a protected environment that would not be discoverable by the government in litigation. This is important in order to fix the problem in a meaningful manner.
The second important part of an audit team is an outside auditing firm. Many internal investigations and audits are simply too large for providers to handle solely with in-house resources. External auditors can provide both billing and clinical experts, as well as statisticians to design the audit. Outside auditors and statisticians may also be helpful in instances where expert testimony to the government is ultimately required. As a best practice, an outside auditing firm should be engaged by, and interface directly with, the provider’s counsel. This will allow auditors to perform their audit and investigation under attorney-client privilege as well.
When providers are put on notice that an overpayment may exist, they should consider early in the process which team they will need. If the overpayment is based on an isolated and easily discernable incident, then the provider may be able to do a simple voluntary refund. However, for larger audits that require any statistical sampling or show signs of violation of the fraud and abuse laws, providers should strongly consider engaging an attorney and working with their attorney to engage an outside auditing firm.
Voluntarily Refunding an Overpayment
For overpayments that do not show any signs of intentional fraud or other clear-cut breach of the fraud and abuse laws, providers should return the overpayment to their MAC using the MAC’s voluntary refund process or other process approved by the MAC.
Providers using the voluntary refund process will use the specific forms required by their MAC. The details of the process may differ by individual MAC, but all MACs provide the information and forms on their individual websites. In general, the MACs’ forms will request the following information:
- Provider’s name and other relevant identifying information
- The reason for the overpayment
- The health insurance claim number and other identifying information on the claim, as appropriate
- Date of service as appropriate
- Whether the provider has a corporate integrity agreement with the OIG or is under the OIG Self-Disclosure Protocol
- The time frame and the total amount of refund for the period during which the problem existed that caused the refund
- If a statistical sample was used to determine the overpayment amount, a description of the statistically valid methodology used to determine the overpayment
In some cases, a provider may have discovered a specific and identifiable set of claims that were overpaid and be able to provide specific information on each claim, such as the claim amount, claim number, patient name, and date of service. In such cases, a provider will provide the required information for each individual claim to be refunded, which may be recorded on an attachment, spreadsheet, or similar method.
In many other cases it would be impracticable to provide a claim-by-claim repayment. Providers will instead need to calculate the overpayment amount using statistical sampling. This would occur when a provider has discovered a broad issue of noncompliance, such as routine failure to follow incident-to guidelines; inappropriate supervision issues; coding issues resulting in improper coding along a whole service line or routine upcoding of E&M (evaluation and management) codes; ongoing improper use of a modifier; or other similar problems. These issues are difficult to isolate on a claim-by-claim basis because there may have been many thousands of claims submitted with a potential error. In such instances, providers should consider engaging counsel and a healthcare auditor (through counsel) to perform a statistically significant claim review and extrapolation. In performing this review, an auditor will develop a random, statistically significant sample of a set population of claims using government-approved statistical methods. This allows the auditors to review only a small sample of the many thousands of potential claims in error. In simple terms, the auditors will then review the claims and determine an error rate. Using the error rate and the provider’s total payments received for the population of claims at issue, the auditors will use statistical extrapolation methods to reach a statistically valid estimation of the overpayment amount, usually expressed as a range based on statistical levels of confidence and related factors.
When making a voluntary refund, the provider must describe this process to the MAC, explaining how the sample was selected and how the extrapolation was completed. Finally, the provider must actually return the overpayment to the MAC. Most MACs prefer that this be paid via the provider’s payment portal with the MAC, although MACs will also accept a check from the provider for the overpayment or an offset request. Providers that can show financial need for additional time to return a large overpayment may request a repayment schedule from their MAC in most cases, following the financial documentation guidelines and request protocols provided by the MAC.
In addition to the voluntary refund process, CMS specifies that providers may use other appropriate processes, such as the claims adjustment process, the cost-report reconciliation process, the credit balance reporting process, and other permissible processes where appropriate, to return overpayments.[23]
Benefits, Risks, and Potential Outcomes
Voluntary refunds are a low-risk option for providers. Typically, MACs will accept the voluntary refund with no further questions. It is possible, however, that a MAC could refer a voluntary refund to the OIG for further investigation if the MAC believes that the refund may have represented intentional fraudulent activity. This could ultimately result in a larger fine, rather than a simple repayment of the actual amount overpaid.
Voluntary refund processes and other similar processes also do not extinguish FCA liability. This means that a provider could make a voluntary refund, but if a whistleblower separately filed a qui tam lawsuit regarding the same activity under the FCA, the provider could still be liable. By contrast, the Self-Disclosure Protocol discussed next typically extinguishes the FCA liability under a qui tam lawsuit if the provider self-discloses before a qui tam lawsuit is filed.[24]
Provider Self-Disclosure Protocols
In cases where a self-disclosure is indicated, there are two possible self-disclosure protocols from which to choose: the OIG’s Self-Disclosure Protocol and CMS’s protocol. The OIG’s protocol is appropriate for overpayment and compliance concerns that may have resulted from behavior that violates the FCA, AKS, or CMP Law. CMS’s protocol is appropriate for overpayments that are the result of a Stark Law violation that do not also implicate the AKS.
OIG Self-Disclosure Process
The OIG provides an online process for submitting the self-disclosure via a portal on its website.[25] Prior to submitting the disclosure, providers should understand what is required and be prepared to submit all requested information and respond to further questions. The OIG Self-Disclosure Protocol has certain required general information that all providers must submit, followed by more specific information that will be requested depending on the type of conduct being self-disclosed.
General Information
All providers submitting a self-disclosure should be prepared to provide the following information:
- Basic identifying information about the provider
- Information about the corporate structure and ownership of the provider
- Information about the disclosing party’s authorized representative with whom the OIG will interface
- A concise statement of the details surrounding the relevant conduct being disclosed
- A statement of the federal laws and regulations that the conduct violates, identified by citation
- The federal healthcare programs affected
- Damages estimate for each affected program
- A description of the party’s corrective action taken or begun after discovering the disclosed conduct
- A statement as to whether the disclosing party has any knowledge about whether any investigation by the government may have already been initiated with respect to the disclosed conduct
- The name of an individual who is authorized to settle the matter
- A certification of truthfulness
Content for False Billing Disclosures
Any disclosure that involves a self-disclosure of improperly billed claims must include the following information:
- The party must conduct a review of the claims that were billed improperly and prepare a report of its findings as well as a description of the review and its objectives.
- The party must calculate the damages/overpayment.
- If the damages are calculated by a statistically significant sample and extrapolation, the disclosing party must describe the process of the sample selection, the population of claims, and the extrapolation methods. When using a sample, the disclosing party must use a sample of at least 100 items and use the mean point estimate to calculate damages. The party should also describe who conducted the review, their qualifications, and all sources of data collection.
Content for Disclosures Involving Excluded Individuals
Any party self-disclosing for reasons related to any individual excluded from federal healthcare programs must include the following information:
- Identity
- Job duties
- Dates of the individual’s employment or contract
- A description of the disclosing party’s screening process and what may have led to missing the exclusion
- A description of how the conduct was discovered
- A description of corrective actions
Content for Disclosures Involving the AKS
For self-disclosures involving violations of the AKS or Stark Law combined with the AKS, there are additional details to be included. The disclosing party must first state that the conduct constituted a violation of the AKS and Stark Law, if applicable. (For violations of the Stark Law alone that do not give rise to AKS liability, CMS Stark Law Self-Disclosure Protocol should be used.) The disclosing party must include a narrative statement of the relevant details of the conduct, the participants’ identities and relationships, the payment arrangements, the relevant time period, and the context or features of the arrangement that give rise to liability under the AKS or Stark Law. The OIG has provided a nonexhaustive list of the types of information that it finds helpful to include in the narrative statement in examining and resolving disclosures under the AKS and Stark Law. These include the following:
- How fair market value was determined and why it is now in question
- Why required payments from referral sources, under leases or other contracts, were not timely made or collected or did not conform to the negotiated agreement and how long such lapses existed
- Why the arrangement was arguably not commercially reasonable (e.g., lacked a reasonable business purpose)
- Whether payments were made for services not performed or documented and, if so, why
- Whether referring physicians received payments from designated health service entities that varied with, or took into account, the volume or value of referrals without complying with a Stark Law exception
- A description of the corrective action taken to remedy the suspect arrangement(s), as well as any safeguards implemented by the disclosing party to prevent the conduct from reoccurring
As with all disclosures, the disclosing party must include an estimate of the damages, meaning the amount paid by federal health programs for the items or services associated with the potential violation. The disclosing party should also include the total amount of remuneration involved in each arrangement, and any portion of the total remuneration should be excluded from penalties involved in a settlement.
Freedom of Information Act
Information provided to government entities is discoverable under the Freedom of Information Act (FOIA) unless it meets criteria for maintaining confidentiality under FOIA.[26] As such, if a disclosing party intends to submit information that it believes is a trade secret or otherwise confidential and exempt from disclosure, it should clearly identify the information as such.
Resolution
Following the self-disclosure, the OIG will closely examine the provider’s submission. It will involve other government entities as appropriate. One or more of these entities will work with the provider to obtain any additional information that may be needed and to hold meetings or conduct interviews as necessary.
Resolution will vary depending on which agencies are involved and the conduct reported. As a rule, however, a full and open disclosure followed by proactive and complete cooperation with government investigators will result in the best settlement possible under the unique circumstances. In general, some matters will be resolved only with imposition of civil monetary penalties. Others where DOJ is involved will be resolved consistent with DOJ’s authority under the FCA, usually with a repayment and fines based on a multiplier of the total overpayment. The OIG may additionally require a corporate integrity agreement. In rare cases, it is possible that criminal liability could be imposed by DOJ; however, this is uncommon when providers self-disclose. It is also possible, but unlikely, that the OIG could determine there is no evidence of violation of a fraud and abuse law and refer the matter down to the MAC for a refund.
CMS Self-Disclosure Protocol
The CMS Stark Law Self-Referral Disclosure Protocol (SRDP) is entirely separate from, but similar to, the OIG protocol. The CMS SRDP must be submitted through the CMS-designated portal.[27] Parties must submit an SRDP Disclosure Form, a Physician Information Form for any physician involved, and a Financial Analysis Worksheet. Disclosing parties also submit a hard-copy certification signed by the CEO, CFO, or appropriate authorized individual.
The SRDP form requests the following categories of information:
- Basic identifying information and designated representative information
- An analysis of the pervasiveness of noncompliance between the parties (i.e., number of physicians/compensation arrangements/ownership interests at issue and length of time)
- Whether the conduct is currently under investigation before any other agency
- Any history of similar conduct
- A plan to prevent future noncompliance
Each Physician Information Form requests identifying information about each physician and a detailed narrative description of the nature of the arrangement and Stark Law violation at issue and a narrative description of the plan to cure the violation. There are also certain yes-or-no questions and questions about the timeline of noncompliance.
Finally, the disclosing party must provide a financial analysis of all overpayments potentially at issue based on the Stark Law violation and in accordance with CMS methodology as provided.
Benefits and Risks of Self-Disclosure
When reporting and refunding a simple overpayment, providers are just returning funds dollar for dollar that did not belong to them. There is no extra penalty or fine when refunding an overpayment. This is not the case when self-disclosing under the AKS, CMP Laws, FCA, or Stark Law. In fact, each of these laws carries with them a fine or monetary penalty.[28] Therefore, providers self-disclosing either to CMS or the OIG should expect a fine or civil monetary penalty above and beyond the actual overpayment itself. For AKS-related disclosures, for example, the OIG has set a minimum settlement amount of $50,000 in addition to repayment of any overpayment that acts as a fine.[29]
However, self-disclosed conduct will, almost always, receive a much lower fine or penalty than the same conduct reported by a whistleblower or discovered by an enforcement authority. In other words, to encourage self-disclosure, the various enforcement agencies agree to impose a fairly light fine or penalty (the carrot), whereas the same conduct reported by a whistleblower would be much more likely to receive the full penalty allowed by law (the stick). When a fine under Stark Law can be $30,000 per inappropriate service, and AKS fines can be $100,000 per criminal violation, or FCA fines can demand treble damages or $20,000 per claim, the difference between partial or full fines can equal many millions of dollars.
In addition, self-disclosure usually extinguishes potential FCA liability that could arise from a qui tam lawsuit.[30] This allows providers to negotiate settlements cooperatively with the government without the threat of potential FCA qui tam lawsuits, which are not only costly but can also bring reputational damage.
In summary, the risk of self-disclosure is simply not knowing what the fine will be. However, the risk of not self-disclosing can result in potentially catastrophic fines or even criminal liability. Although providers tend to discount the chances of getting caught, it is important to remember that disgruntled employees work in every organization and significant incentives exist for whistleblowers to report violations. In addition, retaining known overpayment is in itself a legal violation. Thus, by failing to return overpayments or self-disclose, providers are actively choosing to break the law, which could carry criminal penalties in a worst-case scenario.