The Office of Inspector General (OIG) has the authority to exclude providers from participating in federal health care programs[i] and to impose civil money penalties (CMPs) for breaches of exclusion regulations.[ii] Since funds received by a provider in conflict with the payment prohibition that flows from an exclusion create overpayment liability (regardless of intent or knowledge) and place the provider at risk for the imposition of CMPs, and since providers are obligated to investigate, assess and make full disclosure of potentially fraudulent conduct,[iii] providers must decide how best to unwind exclusion violations. Toward that end, the OIG has issued the OIG Self-Disclosure Protocol,[iv] which offers providers a concrete path to resolve these issues. The focus of this article is to provide a detailed examination of the protocol and to assist providers who may be facing exclusion violations.
II. Exclusion Violations: The 3-Headed Liability Monster:
Providers are always surprised that they hired or contracted with an excluded party and typically respond: “I had no idea they were excluded, and I certainly wouldn’t have employed or contracted with them if I had!” Unfortunately, surprise turns to shock when they realize the scope and types of harm that have to be addressed to resolve the exclusion violation. Specifically, providers must resolve the following issues:
Since Federal health care programs will not pay for any items or services furnished directly or indirectly by an excluded party, exclusion violations automatically generate overpayments, which ultimately must be investigated, identified and repaid. This process is likely to be expensive, though relatively easily calculated, when the excluded party is a direct biller, but the payment prohibition also applies when the excluded party is acting in a supporting or administrative role or is a contractor who does not submit claims. When that is the case, providers are confronted with the obligation to repay an overpayment that is difficult to reliably identify or credibly calculate.
Civil Money Penalties and Administrative Assessments:
The potential civil money penalties that can result from exclusion violations are staggering. For example, the penalty for presenting a claim for a service provided by an excluded party is $22,427 per claim. Similarly, if one contracts with an excluded party, the potential CMP is $22,427 for each item or service that was provided or furnished. In addition to its authority to impose CMPs, the OIG can also impose assessments at three times the amounts claimed for each billable item or service or three times the total cost of the services provided, “in lieu of damages sustained by the Department or the State agency because of the violation.”
Potential False Claims Act Liability
Thirdly, the failure to comply with the regulation requiring providers to investigate, report, and return overpayments can lead to exposure under the False Claims Act (FCA), 31 U.S.C. 3729. The potential for liability arises from the fact that the Fraud Enforcement & Recovery Act of 2009 (FERA) made the willful failure to repay an overpayment a violation of the FCA. And though it is not clear at what point the retention of an overpayment under these circumstances implicates this provision, the obligation to return – and the liability for failing to do so – cannot be questioned.
III. Benefits of The OIG’s Self-Disclosure Protocol for Exclusion Violations:
The OIG created the Self-Disclosure Protocol to “encourage and reward” providers who were willing to self-disclose potentially fraudulent conduct and to repay program losses. Although this article is limited to self-disclosing exclusion violations, and the benefits may be much different for other disclosures, there are clearly some significant benefits for providers with exclusion violations to participate in the Self-Disclosure Program.
There are three significant benefits for providers that participate in the OIG’s Self-Disclosure Protocol to resolve exclusion violations: 1) Providers are able to resolve all of the liability issues implicated by violations; 2) Providers that resolve exclusion violations through the self-disclosure protocol are not required to enter into expensive and time-consuming integrity agreements as part of the settlement; and 3) The protocol contains a methodology for calculating “loss” or “damages” that allows for certainty and is reasonable under the circumstances.
Resolution of all Issues.
The ability to resolve all issues in the same process is extremely valuable because they are premised on different legal theories and have different measures of damage. CMS and its administrative processes have initial jurisdiction for overpayments; the OIG has CMP authority for exclusion violations; and overpayments that remain unpaid can become claims under the False Claims Act which is the domain of DOJ (with HHS as the victim agency).
To settle this circle of claims, the OIG has created a process that allows for the establishment of an “overpayment” amount (see below) which then both the overpayment and the Agency’s administrative authorities, and it allows the deadline for repayment of the overpayment to be extended while the Provider remains in the protocol. That last step prevents the unpaid overpayments from ever becoming false claims. The benefit of a protocol that facilitates the resolution of these disparate issues at the same time, and under a process over which the provider has at least a measure of control, is clearly quite significant.
Settlement without an Integrity Agreement
In addition to the authority to impose money penalties, the OIG also has the administrative authority to seek to exclude providers with exclusion violations. The benefit here is that the OIG will also agree to release this exclusion authority when resolving matters pursuant to its self-disclosure protocol. Since integrity agreements are costly and time-consuming, and since the OIG typically will not waive its exclusion authority without an Integrity Agreement, this is also an important benefit.
An Overpayment Calculation Process that is Certain and Generally Reasonable
In most violations, the excluded person is not a direct biller; instead, they are typically nurses, respiratory therapists, other support staff, or administrative staff. In cases such as these, there was no credible methodology for calculating damages prior to the publication of the Updated Protocol, and that made resolution extremely uncertain. The Updated Protocol helped solve the problem by creating a way to calculate a “proxy” for the damages. Specifically, the “proxy” for the damages or loss is derived through the following calculation:
- The total employment or contracting costs during the exclusion period are calculated (by adding the entire salary, including benefits, taxes, etc.)
- This total cost is then multiplied by the portion of the disclosing party’s revenue that comes from Federal health care programs
- The disclosure should then break down the cost by program (for example, if 60% of the payer’s revenue is from Federal Programs, the disclosure should specify how that 60% is divided among the different federal programs)
The resulting amount will be used as an estimation of the amount paid and the single damages to the programs resulting from the employment of the excluded person.
SPOILER ALERT. By focusing on the funds paid to the excluded party instead of the claims that may have been “tainted,” the process described above is generally reasonable and usually fair when the excluded entity is not a direct biller. However, where the excluded person is a direct biller (such as a physician or a non-physician who ordered the service), although the Updated Protocol may still be the best way to proceed, it does not provide any relief in terms of the damage or loss calculation.
IV. Who Can Enter the Protocol? What Can’t Be Raised in It?
Who May Enter the Self-Disclosure Protocol.
Any healthcare provider subject to the OIG’s Civil Money Penalty authority can use the protocol to disclose conduct for which it (or a successor) might be liable. Parties that are under investigation or undergoing an audit aren’t automatically barred, but the issues must be included in the disclosure, and it will be rejected if it appears to be an attempt to bypass the ongoing investigations. In making a disclosure, the party “must acknowledge that the conduct is a potential violation” of law and “must explicitly identify the laws that were potentially violated.” For obvious reasons, this requirement is often problematic for disclosures of violations of the anti-kickback statute (a criminal statute!) or of billing issues (as they are often systemic and too large to simply pay back). However, that requirement does not pose nearly the same level of concern in exclusion matters.
What Can’t Be Raised in the Protocol?
Since disclosing parties “must acknowledge that the conduct is a potential violation” of law and “explicitly identify” the laws involved, the Protocol cannot be used to obtain an opinion by the OIG on whether potential conduct might be a potential violation, or whether conduct that has already taken place might be considered a potential violation. The protocol is also not an appropriate forum to disclose matters that do not involve possible violations of Federal criminal, civil, or administrative laws, or a proper forum for disclosing Stark violations. Stark disclosures should be made directly to CMS. Finally, the protocol is not appropriate to raise the conduct of others. Providers concerned about the conduct of competitors or others are advised to raise the issue via a hotline or in some other forum.
V. Disclosure Requirements:
Prior to making a disclosure, an internal investigation, to be shared with the OIG, must be conducted. The details of all disclosures must include:
- Details about the party making the disclosure (provider ID numbers, tax ID numbers, payers and contractors involved, etc.). This would also include an org chart, identifying related entities and any affected divisions.
- Detailed summary of all important facts.
- Identifying the federal laws potentially breached by the disclosed conduct and the federal health care programs affected.
- An estimate of the financial impact on each affected federal health care program.
- An explanation of the corrective measures that were taken.
- Whether there is an investigation underway for the matter being disclosed – or for any other matter – and the details of the investigation.
There are additional requirements specific to Exclusion Violation Disclosures. These include:
- Identifying the excluded individual and any provider identification number.
- The job duties and dates of the individual’s employment or contractual relationship.
- A description of background checks, screening processes and screening policies in place; and whether the violation was related to a flaw or breakdown in that process.
- How the conduct was discovered and the corrective action taken.
Finally, prior to disclosure all employees and contractors must be screened and the results reported to the OIG.
VI. OIG Coordination with Other Agencies:
The goal of participating in the Self-Disclosure Protocol is to fully and finally resolve all the issues, and with respect to Exclusion Violations that is likely to be accomplished. However, disclosing parties should be aware that the OIG will share and coordinate with other agencies to the extent that it deems it to be appropriate. The OIG states, for example, that it coordinates with the Department of Justice (DOJ) if it believes Civil False Claims Act or Criminal Health Care Fraud or Anti-Kickback Statute violations are implicated. Although such coordination is unlikely when exclusion violations are implicated, providers should be aware of that possibility.
Regardless of their intent or knowledge, providers that discover they have hired or contracted with an excluded party face overpayment liability and civil money penalties for their exclusion violations. And unless they investigate, report, and repay the overpayments, they also face possible exposure under the Federal False Claims Act. Providers with exclusion violations, particularly where the excluded party is not a direct biller, should consider whether participating in the OIG’s Self-Disclosure Protocol offers them the best path to reach resolution of all of these issues.
Paul Weidenfeld is an experienced former Federal prosecutor and is a Founder of Exclusion Screening. Paul and the staff at Exclusion Screening have extensive knowledge of the sanctions screening process. Should you have questions about your obligation to screen and/or the benefits of the OIG Self-Disclosure Protocol, give us a call.
 Broadly defined to include “any plan or program,” including Medicare, Medicaid, TRICARE and any other program that provides health benefits
 See 42 C.F.R. § 1001.1901(b), 42 C.F.R. § 1001.10.
 Section 1128J(d) of the Social Security Act (SSA), 42 U.S.C. 1320a-7k(d)
 Even a volunteer who provides services that are part of a bundled payment implicates an exclusion violation and generates overpayments. 2013 Special Advisory Bulletin on the Effect of Exclusions, p.16.
 Penalties for violations pursuant to 42 CFR § 1000.200(a)(3) are found in 42 CFR § 1003.210(a)(1).
 Penalties for violations pursuant to 42 CFR § 1000.200(b)(4) are found in 42 CFR § 1003.210(a)(4).
 Penalties are adjusted yearly pursuant to 45 CFR § 102.1 – 102.3. The section was last amended 5/16/23.
 Assessment authority is found at 42 CFR § 1003.130. For exposure, see 42 CFR § 1003.210(b)(1) and (b)(2).
 See footnote 7.
 The Fraud Enforcement & Recovery Act of 2009 (FERA)
 The OIG’s Provider Self-Disclosure Protocol was originally issued in 1998 pursuant to 63 Fed Reg. 58399. It was updated on April 17, 2013 and November 8, 2021, and will be referred to as the “Updated Self-Disclosure Protocol” or “Updated Protocol.” See, https://oig.hhs.gov/compliance/self-disclosure-info/self-disclosure-protocol/.
 Updated Protocol, page 3.
 The protocol also specifically disclosures of matters involving false billings and Kickback and Self-Referral issues. The benefits of the protocol will vary depending on the subject matter and facts of the matter being disclosed.
 As will be discussed in the next section, it is possible that there will remain some open issues that other agencies (primarily DOJ) will want to examine, but in the absence of extraordinary facts, all issues can be fully resolved.
 Between 2016-2020, the OIG released all disclosing parties without integrity measures in every settlement.
 As the Updated Protocol states: “If a disclosing party employed or contracted with an excluded person who was a direct provider, such as a physician or a pharmacist, and the items or services furnished, ordered, or prescribed by that person were separately billed to Federal health care programs, the disclosure must include the total amounts claimed and paid by the Federal health care programs for those items or services.” At Page 10.
 The OIG’s CMP authority is found in 42 C.F.R. Part 1003.
 Updated Protocol, page 3.
 For example, the advisory opinion process, and not the self-disclosure protocol, is the proper forum to describe a business operation broadly and ask the OIG if it breaches the AKS.
 For example, the protocol states overpayments or errors should be directly reported to CMS or to the provider’s contractor. Supra. Pg. 3.
 Updated Protocol, page 3.
 Updated Protocol, page 9.