Two of the principles governing healthcare providers require them to self-monitor their compliance with various legal requirements and to self-report when they discover noncompliance.
First, the Department of Justice (DOJ) and Office of Inspector General (OIG) encourage self-disclosure if a provider discovers noncompliance with the Stark Law, Anti-Kickback Statute (AKS), False Claims Act (FCA), or Civil Monetary Penalties Law (CMP Law)—all four generally referred to as “fraud and abuse laws.” DOJ and the OIG are the primary enforcement agencies. However, other enforcement agencies (such as state Medicaid and the Department of Defense) work closely with DOJ and the OIG to resolve self-disclosures. Therefore, reference to DOJ and the OIG in this article also generally includes any other government payor or enforcement agency.
Second, government payor rules (such as Medicare’s myriad payment guidelines and rules) require that providers submit accurate bills for payment. If any noncompliance with these payment guidelines is discovered (such that the provider may have received an overpayment from any government payor), then the provider is required to pay the requisite government payor(s) back. These two principles go hand in hand and are codified in statute, regulation, and various guidance. When an issue of potential noncompliance is discovered, then healthcare providers should work with counsel to determine whether to repay an overpayment or enter into either the OIG’s or the Centers for Medicare & Medicaid Services (CMS) Self-Disclosure Protocol.
Legal Duty to Self-Disclose
The legal duty to self-disclose arises in several ways—both explicitly through federal law and implicitly through damage considerations under the fraud and abuse laws and other “carrots and sticks” offered by DOJ and the OIG. The obligations and principles described apply to payments made by any federal payment programs, including Medicare, Medicare Advantage, Tricare, and Medicaid (government payors or payors). Please note that the CMS’s 60-Day Rule described in this article applies specifically to Medicare Parts A and B. However, the Affordable Care Act repayment obligations and self-disclosure principles apply across all federal payors and Medicaid.
In 1995, the OIG, DOJ, and several other agencies piloted a precursor to OIG’s first self- disclosure protocol. The OIG issued its first Self-Disclosure Protocol in 1998, although the OIG had worked informally with providers to facilitate self-disclosure prior to that date. The crux of these programs was to encourage providers to implement compliance programs and come forward when they discovered noncompliance through the offer of incentives, such as reduced fines. These programs have evolved but retained the original goal of encouraging self-disclosure of compliance-related issues. Most recently, DOJ issued 2019 updated guidelines explaining that self-disclosure and other cooperation with the government will result in a reduction in potential damages.
FCA Repayment Obligations
The FCA also contains an explicit obligation not to retain overpayments. In 2009, Congress passed the Fraud Enforcement and Recovery Act. The relevant section of the law is an amendment to the FCA explicitly making retention of any government overpayment actionable under the FCA. This amendment to the FCA modified prior requirements that a false claim required an affirmative presentation of a false claim to the government. Now, any knowing retention of an overpayment is governed by the FCA. This amendment also codifies incentives for self-disclosure by providing by law that damages will be reduced from mandatory treble damages to double damages if a provider self-discloses and fully cooperates with any ensuing investigation.
Affordable Care Act 60-Day Rule Repayment Obligations
The Affordable Care Act and related regulations, more than any other law or regulation, codified and gave explicit instruction on the requirement to return overpayments and self-disclose behavior leading to an overpayment. Section 6402(a) of the Affordable Care Act established a new section 1128J(d) of the Social Security Act (SSA). In of the SSA, it requires a person who has received an overpayment to report and return the overpayment to the appropriate entity and to notify the entity to which the overpayment was returned in writing of the reason for the overpayment. The overpayment must be reported and returned by the later of:
The date that is 60 days after the date on which the overpayment was identified; or
The date any corresponding cost report is due, if applicable.
Failure to comply (meaning retention of a known overpayment or failure to investigate a suspected overpayment) can result in liability under the FCA.
CMS issued regulations governing the 60-Day Rule on February 12, 2016. The 60-Day Rule identifies several important concepts, including identification of an overpayment, what is an overpayment, required lookback period, and how to report the overpayment.
The 60-Day Rule requires healthcare providers to return an overpayment within 60 days of identification of the overpayment. CMS regulations define “identification” to mean the following:
A person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment and quantified the amount of the overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.
From a practical standpoint, this means that an overpayment is identified when the provider becomes aware that an overpayment may exist, investigates it, and quantifies the amount. CMS stated in the final rule, “We believe that undertaking no or minimal compliance activities to monitor the accuracy and appropriateness of a provider or supplier’s Medicare claims would expose a provider or supplier to liability under the identified standard articulated in this rule based on the failure to exercise reasonable diligence if the provider or supplier received an overpayment.” The rule contains a “know or should have known” qualifier and a “reasonable diligence” qualifier. Both of these qualifiers serve to require healthcare providers to maintain a compliance program and to exercise diligence to proactively investigate any potential overpayment.
The 60-Day Rule also states that a healthcare provider has “identified” an overpayment once it has quantified the overpayment. Again, from a practical standpoint, this means that a provider will become aware of a potential overpayment and then must take steps to investigate the amount of the overpayment. The provider has “quantified” the overpayment once it has completed its internal or external review and identified the amount of the overpayment. CMS offers a time period of six months as a reasonable time period for conducting such an investigation absent extraordinary circumstances. Extraordinary circumstances could include very complex or difficult investigations or external forces, such as natural disaster or pandemic. Complex investigations could occur because the overpayment requires a particularly in-depth review of a very large number of charts. It could also result from technical issues, such as a need to manually retrieve data from a historical electronic medical record system that cannot produce the reports needed to conduct a review.
This is the point at which the 60-day clock begins ticking and the provider must either self-disclose or refund the overpayment.
The 60-Day Rule also discusses what an overpayment is. Overpayment means “any funds that a person has received or retained under title XVIII of the Act to which the person, after applicable reconciliation, is not entitled under such title.”
This definition is straightforward. If a provider receives funds to which it is not entitled, it is an overpayment. This is true regardless of whether there was a billing error by the provider or a payment error by a Medicare Administrative Contractor (MAC) or a violation of the Stark Law resulting in overpayment or any other means.
However, it is also important to note that there are some instances in which a provider may bill incorrectly, but no increase in reimbursement results. This may happen, for example, where an inpatient is classified under one diagnosis code where another diagnosis code may have been more appropriate, but because both codes fall under the same diagnosis-related group, no increase in reimbursement results. CMS has specified that in such cases where there is no change in reimbursement, there is no overpayment: “This rule concerns reporting and returning overpayments received by the provider or supplier. Therefore, if the error or non-reimbursable cost at issue did not result in an increase in reimbursement, then no overpayment was received and section 1128J(d) of the Act is not implicated.” 
The 60-Day Rule also discusses the investigative “lookback period” that providers should use when investigating an overpayment, setting the period at six years. This means that when providers receive information regarding potential overpayments, then the default position should be an investigation that reviews similar bills and practices going back for six years. As an example, if a provider becomes aware that its employed physicians may have been billing physician assistants (PAs) as incident-to, but that the building in which such services were performed did not comply with CMS “same suite” requirements to bill incident-to, then the provider should use a six-year lookback period determine the overpayment amount on improperly billed incident-to services.
However, a six-year lookback period may not be necessary where there is a specific reason for using a shorter period. Using the prior example, if the building in which the physicians were in a different suite than the PAs was built only three years prior to the issue coming to light, then a three-year lookback period would be appropriate.
By contrast, for example, if a hospital buys another hospital and the purchasing hospital assumed the liabilities of the purchased hospital by accepting assignment of the Medicare agreement, then the purchasing hospital is responsible for historical overpayments of the purchased hospital and must use a six-year lookback period as a default even though it may not have owned the purchased hospital at the time of the overpayments.
Method to Return Overpayments
The final element of the 60-Day Rule is a discussion of how to return the overpayment. Pursuant to, providers must either return the overpayment through a voluntary refund process or self-disclose after determining which method is appropriate.
The rule states, “A [provider] must use an applicable claims adjustment, credit balance, self-reported refund, or other reporting process set forth by the applicable Medicare contractor to report an overpayment, except as provided in paragraph (d)(2) of this section. If the person calculates the overpayment amount using a statistical sampling methodology, the person must describe the statistically valid sampling and extrapolation methodology in the report.” This requirement allows providers to return overpayments via a voluntary refund process or other applicable reporting process as permitted by a provider’s MAC.
The rule also states, “A person satisfies the reporting obligations of this section by making a disclosure under the OIG’s Self-Disclosure Protocol or the CMS Voluntary Self-Referral Disclosure Protocol resulting in a settlement agreement using the process described in the respective protocol.” Thus, the provider may also use the self-reporting protocols provided by the OIG or CMS, as appropriate, to report an overpayment and enter into a settlement to resolve the overpayment.
Choosing Whether to Self-Disclose or Repay
It states inthat a provider satisfies the requirements of the 60-day rule if it uses the MAC voluntary refund process or if it uses the CMS or OIG Self-Disclosure Protocols. How does a provider decide which to do?
The OIG typically only accepts providers into its Self-Disclosure Protocol when the provider believes that there may have been a violation of a fraud and abuse law. Likewise, CMS only accepts Stark Law self-disclosures when there is evidence that there was a breach of the Stark Law. Therefore, as a rule of thumb, a provider may ask whether the overpayment was indicative, or showed signs of, a breach of one of the above laws. In many cases, this may mean looking for intent to defraud in some manner or looking to determine whether there has been a specific breach of the CMP Laws, such as employing an excluded person or failing to return a known overpayment.
By contrast, for overpayments that do not implicate the Stark Law and that do not show signs of intentional fraudulent activity or violation of an element of the CMP Law, a voluntary refund to the MAC will usually suffice. These are mostly run-of-the-mill overpayments. For example, inadvertent supervision mistakes, documentation errors, or poor documentation missing certain elements tend to be billing mistakes that are usually not the result of any intent to defraud federal payor programs.