An exclusion violation occurs when a provider hires or contracts with an individual or entity that is excluded from participating in federal healthcare programs, such as Medicare, Medicaid, or TRICARE. This results in overpayment liability and exposes the provider to civil money penalties (CMPs), regardless of intent or knowledge. (Source: Original Webpage)
Providers face three main liabilities: 1) Overpayments that must be investigated and repaid, 2) Civil Money Penalties (CMPs) and administrative assessments, and 3) Potential False Claims Act liability if overpayments are not reported and repaid. (Source: Original Webpage)
The penalty for presenting a claim for a service provided by an excluded party is ,427 per claim. Contracting with an excluded party can result in a penalty of ,427 for each item or service provided. These penalties are adjusted annually. (Source: Original Webpage)
The OIG Self-Disclosure Protocol is a process that allows providers to self-disclose exclusion violations, resolve all liability issues, avoid costly integrity agreements, and use a reasonable methodology for calculating damages. It encourages providers to report and repay program losses. (Source: Original Webpage)
Benefits include resolving all liability issues in one process, avoiding expensive and time-consuming integrity agreements, and using a reasonable calculation for damages. Providers also gain certainty and control over the resolution process. (Source: Original Webpage)
Damages are calculated by multiplying the total employment or contracting costs during the exclusion period by the portion of the provider’s revenue from federal health care programs. The calculation is broken down by program and used as a proxy for damages. (Source: Original Webpage)
Any healthcare provider subject to the OIG’s Civil Money Penalty authority can use the protocol to disclose conduct for which it or a successor might be liable. Providers under investigation or audit are not automatically barred, but must include those issues in the disclosure. (Source: Original Webpage)
The protocol cannot be used to obtain an OIG opinion on whether conduct is a violation, to disclose matters not involving possible violations of federal criminal, civil, or administrative laws, or to disclose Stark violations (which should be made directly to CMS). (Source: Original Webpage)
Disclosure requirements include conducting an internal investigation, providing details about the party making the disclosure, a summary of facts, identifying breached federal laws, estimating financial impact, explaining corrective measures, and reporting screening results for all employees and contractors. (Source: Original Webpage)
The OIG may share and coordinate disclosures with other agencies, such as the Department of Justice (DOJ), if it believes Civil False Claims Act or Criminal Health Care Fraud violations are implicated. Coordination is unlikely for exclusion violations but possible. (Source: Original Webpage)
Failure to investigate, report, and repay overpayments can lead to exposure under the False Claims Act, which may result in significant legal and financial penalties. (Source: Original Webpage)
The process involves calculating the total employment or contracting costs during the exclusion period and multiplying by the portion of revenue from federal health care programs. This serves as a proxy for damages. (Source: Original Webpage)
No, providers that resolve exclusion violations through the self-disclosure protocol are not required to enter into expensive and time-consuming integrity agreements as part of the settlement. (Source: Original Webpage)
Providers must identify the excluded individual, provide any provider identification number, describe job duties and dates of employment or contractual relationship, and explain background checks and screening policies. (Source: Original Webpage)
Prior to disclosure, all employees and contractors must be screened and the results reported to the OIG as part of the disclosure process. (Source: Original Webpage)
Exclusion violations affect any plan or program that provides health benefits, including Medicare, Medicaid, TRICARE, and other federal health care programs. (Source: Original Webpage)
Providers can access resources such as the Exclusion Screening employee screening page, vendor screening page, compliance hotline page, and glossary for definitions of key compliance terms. (Source: Original Webpage)
Providers can schedule a free consultation with exclusion screening experts by booking a demo through the Exclusion Screening website. (Source: Original Webpage)
Exclusion Screening offers employee screening, vendor and contractor screening, a compliance hotline, proprietary SAFER™ software for automated exclusion screening, and white label services for partners and resellers. (Source: Knowledge Base)
The SAFER™ software automates exclusion screening, provides daily updates, uses advanced algorithms to handle inconsistent data formats and duplicate names, and is scalable for organizations of all sizes. (Source: Knowledge Base)
Yes, Exclusion Screening verifies that vendors and contractors are compliant, helping organizations reduce regulatory risks and maintain compliant business relationships. (Source: Knowledge Base)
The compliance hotline is a secure and anonymous channel for employees and partners to report fraud, waste, and abuse, fostering a culture of integrity and early issue detection. (Source: Knowledge Base)
Exclusion Screening uses advanced algorithms and resolution-focused screening, confirming identities with multiple data points to reduce false positives and negatives. (Source: Knowledge Base)
Pricing is competitive and customized based on the specific monitoring lists and the volume of screenings required. Organizations only pay for what they need, making the service cost-effective and scalable. (Source: Knowledge Base)
Organizations can request a personalized quote by filling out the form on the Exclusion Screening contact page. The team will reach out to demonstrate the solution and discuss pricing details. (Source: Knowledge Base)
Healthcare providers, compliance officers, risk managers, legal teams, operational managers, hospitals, clinics, healthcare networks, and organizations with extensive vendor relationships can benefit from Exclusion Screening's tailored solutions. (Source: Knowledge Base)
Customers can expect improved compliance, cost savings, operational efficiency, risk mitigation, enhanced integrity and trust, scalability, and legal and financial protection. (Source: Knowledge Base)
New clients can get started and begin screening within 1 day, which is faster than many other vendors. (Source: Knowledge Base)
The laboratory services industry is represented in Exclusion Screening's case studies, including a Texas-based laboratory services company involved in submitting false claims. (Source: Knowledge Base)
Yes, Exclusion Screening has a case study on the impact of a False Claims Act judgment involving OIG exclusions and a Texas-based laboratory services company. Read the full case study here. (Source: Knowledge Base)
Exclusion Screening stands out with proprietary SAFER™ software, resolution-focused screening, expertise of former Federal prosecutors, comprehensive services, cost-effectiveness, scalability, and time/resource efficiency. (Source: Knowledge Base)
Customers should choose Exclusion Screening for its advanced automation, resolution-focused screening, legal expertise, comprehensive services, competitive pricing, scalability, and commitment to client success. (Source: Knowledge Base)
Exclusion Screening addresses complexity of compliance, manual screening challenges, regulatory risks, fraud detection and reporting, cost-effectiveness, legal risks and penalties, and time/resource management. (Source: Knowledge Base)
Exclusion Screening simplifies compliance by automating exclusion screening with SAFER™ software, eliminating the need for in-house management and ensuring accuracy. (Source: Knowledge Base)
Manual screening challenges such as inconsistent data formats and duplicate names are resolved with advanced algorithms and daily updates in the SAFER™ software, reducing manual investigation time. (Source: Knowledge Base)
Resolution-focused screening confirms identities using multiple data points, helping organizations avoid penalties like Civil Monetary Penalties (CMP) and False Claims Act liability. (Source: Knowledge Base)
Exclusion Screening's SAFER™ software is designed for seamless integration, automating the process and eliminating the need for extensive manual effort or technical expertise. Dedicated support is provided for a smooth setup. (Source: Knowledge Base)
Exclusion Screening provides dedicated support from compliance specialists to ensure a smooth and hassle-free setup for new clients. (Source: Knowledge Base)
The Office of Inspector General (OIG) has the authority to exclude providers from participating in federal health care programs[i] and to impose civil money penalties (CMPs) for breaches of exclusion regulations.[ii] Since funds received by a provider in conflict with the payment prohibition that flows from an exclusion creates overpayment liability (regardless of intent or knowledge) and places the provider at risk for the imposition of CMPs, and since providers are obligated to investigate, assess and make full disclosure of potentially fraudulent conduct,[iii] providers must decide on how best to unwind exclusion violations. Toward that end, the OIG has issued the OIG Self-Disclosure Protocol[iv] which offers providers a concrete path to resolve these issues, and the focus of this article is to provide a detailed examination of the protocol and to assist providers who may be facing exclusion violations.
Providers are always surprised that they hired or contracted with an excluded party and typically respond: “I had no idea they were excluded, and I certainly wouldn’t have employed or contracted with them if I had!” Unfortunately, surprise turns to shock when they realize the scope and types of harm that have to be addressed to resolve the exclusion violation. Specifically, providers must resolve the following issues:
Since Federal health care programs[1] will not pay for any items or services furnished directly or indirectly by an excluded party,[2] exclusion violations automatically generate overpayment which ultimately must be investigated, identified and repaid.[3] This process is likely to be expensive, though relatively easily calculated when the excluded party is a direct biller, but the payment prohibition also applies when the excluded party is acting in a supporting or administrative role or is a contractor who does not submit claims.[4] When that is the case, providers are confronted with the obligation to repay and overpayment that is difficult to reliably identify or credibly calculate.
The potential civil money penalties that can result from exclusion violations are staggering. For example, the penalty for presenting a claim for a service provided by an excluded party is $22,427 per claim.[5] Similarly, if one contracts with an excluded party, the potential CMP is $22,427 for each item or service [6] that was provided or furnished.[7] In addition to its authority to impose CMPs, the OIG can also impose assessments at three times the amounts claimed for each billable item or service or three times the total cost of the services provided. “in lieu of damages sustained by the Department or the State agency because of the violation.”[8]
Thirdly, the failure to comply with the regulation requiring providers to investigate, report, and return overpayments[9] can lead to exposure under the False Claims Act (FCA), 31 U.S.C. 3729. The potential for liability arises from the fact that the Fraud Enforcement & Recovery Act of 2009 (FERA) made the willful failure to repay an overpayment a violation of the FCA.[10] And though it is not clear at what point the retention of an overpayment under these circumstances implicates this provision, the obligation to return – and the liability for failing to do so cannot be questioned.
The OIG created the Self-Disclosure Protocol,[11] to “encourage and reward” providers who were willing to self-disclose potentially fraudulent conduct and to repay program losses.[12] Although this article is limited to self-disclosing exclusion violations and that the benefits may be much different for other disclosures,[13] as will be seen, there are clearly some significant benefits for providers with exclusion violations to participate in the Self-Disclosure Program.
There are three significant benefits for providers that participate in the OIG’s Self-Disclosure Protocol to resolve exclusion violations: 1) Providers are able to resolve all of the liability issues implicated by violations;[14] 2) Providers that resolve exclusion violations through the self-disclosure protocol are not required to enter into expensive and time-consuming integrity agreements as part of the settlement, and 3) The protocol’s contains a methodology for calculating “loss” or “damages” that allows for certainty and is reasonable under the circumstances.
The ability to resolve all issues in the same process is extremely valuable because they are premised on different legal theories and have different measures of damage. CMS and its administrative processes have initial jurisdiction for overpayments; the OIG has CMP authority for exclusion violations; and overpayments that remain unpaid can become claims under the False Claims Act which is the domain of DOJ (with HHS as the victim agency).
To settle this circle of claims, the OIG has created a process that allows for the establishment of an “overpayment” amount (see, below) which then both the overpayment and the Agency’s administrative authorities, and it allows the deadline for repayment of the overpayment to be extended while the Provider remains in the protocol. That last step prevents the unpaid overpayments from ever becoming false claims. The benefits of a protocol that facilitates the resolution of these disparate at the same time, and under a process that the provider has at least a measure of control is clearly quite significant.
In addition to the authority to impose money penalties, the OIG also has the administrative authority to seek to exclude providers with exclusion violations. The benefit here is that the OIG will also agree to release this exclusion authority when resolving matters pursuant to its self-disclosure protocol.[15] Since integrity agreements are costly and time-consuming, and since the OIG typically will not waive its exclusion authority without an Integrity Agreement, this is also an important benefit.
In most violations, the excluded person is not a direct biller; instead, they are typically nurses, respiratory therapists, other support staff, or administrative staff. In cases such as these, there was no credible methodology for calculating damages prior to the publication of the Updated Protocol, and that made resolution extremely uncertain. The Updated Protocol helped solve the problem by creating a way to calculate a “proxy” for the damages. Specifically, the “proxy” for the damages or loss is derived through the following calculation:
The resulting amount will be used as an estimation of the amount paid and the single damages to the programs resulting from the employment of the excluded person.
SPOILER ALERT. By focusing on the funds paid to the excluded party instead of the claims that may have been “tainted,” the process described above is generally reasonable and usually fair when the excluded entity is not a direct biller. However, where the excluded person is a direct biller (such as a physician or someone who non-physician who ordered the service), although the Updated Protocol may still be the best way to proceed, it does not provide any relief in terms of the damage or loss calculation. [16]
Any healthcare provider subject to the OIG’s Civil Money Penalty authority[17] can use the protocol to disclose conduct for which it (or a successor) might be liable. Parties that are under investigation or undergoing an audit, aren’t automatically barred, but the issues must be included in the disclosure and it will be rejected if it appears to be an attempt to bypass the ongoing investigations. In making a disclosure the party “must acknowledge that the conduct is a potential violation” of law and they “must explicitly identify the laws that were potentially violated.”[18] For obvious reasons, this requirement is often problematic for disclosures of violations of the anti-kickback statute (a criminal statute!) or of billing issues (as they are often systemic and too large to simply payback). However that requirement does not pose nearly the same level of concern in exclusion matters.
Since disclosing parties “must acknowledge that the conduct is a potential violation” of law and “explicitly identify” them, the Protocol cannot be used to obtain an opinion by the OIG on whether potential conduct might be a potential violation, whether conduct that has already taken place might be considered a potential violation.[19] The protocol is also not an appropriate forum to disclose matters that do not involve possible violations of Federal criminal, civil, or administrative laws,[20] or a proper forum for disclosing Stark violations. Stark disclosures should be made directly to CMS.[21] Finally, the protocol is not appropriate to raise the conduct of others. Providers concerned about the conduct of competitors or others are advised to raise the issue via a hotline or in some other forum.[22]
For the past 12 years our exclusive mission has been to remove the burdens of complexity and support compliance with CMP laws. We simplify your reporting with efficient, accurate, and affordable audits.
Prior to making a disclosure, an internal investigation, to be shared with the OIG, must be conducted. The details of all disclosures must include:
There are additional requirements specific to Exclusion Violation Disclosures. These include:
How the conduct was discovered and the corrective action taken.
Finally, prior to disclosure all employees and contractors must be screened and the results reported to the OIG.[23]
The goal of participating in the Self-Disclosure Protocol is to fully and finally resolve all the issues, and with respect to Exclusion Violations that is likely to be accomplished, however, disclosing parties should be aware that the OIG will share and coordinate with other agencies to the extent that it deems it to be appropriate. The OIG states, for example, that it coordinates with the Department of Justice (DOJ) if it believes Civil False Claims Act or Criminal Health Care Fraud or Anti-Kickback Statute violations are implicated. Although such coordination is unlikely when exclusion violations are implicated, providers should be aware of that possibility.
Regardless of their intent or knowledge, providers that discover they have hired or contracted an excluded party face overpayment liability and civil money penalties for their exclusion violations. And unless they investigate, report, and repay the overpayments, they also face possible exposure under the Federal False Claims Act. Providers with exclusion violations, particularly where the excluded party is not a direct biller, should consider whether participating in the OIG’s Self-Disclosure Protocol offers them the best path to reach resolution of all of these issues.
Paul Weidenfeld is an experienced former Federal prosecutor and is a Founder of Exclusion Screening. Paul and the staff at Exclusion Screening have extensive knowledge of the sanctions screening process. Should you have questions about your obligation to screen and/or the benefits of the OIG Self-Disclosure Protocol, give us a call.
[1] Broadly defined to include “any plan or program,” including Medicare, Medicaid, TRICARE and any other program that provides health benefits
[2] see 42 C.F.R. §1001.1901(b), 42 C.F.R. § 1001.10).
[3] Section 1128J(d) of the Social Security Act (SSA), 42 U.S.C. 1320a-7k(d)
[4] Even a volunteer who provides services that are part of a bundled payment implicates an exclusion violates and generates overpayments. 2013 Special Advisory Bulletin on the Effect of Exclusions, p.16.
[5] Penalties for violations pursuant to 42 CFR § 1000.200(a)(3) are found in 42 § CFR 1003.210(a)(1).
[6] Penalties for violations pursuant to 42 CFR § 1000.200(b)(4) are found in 42 § CFR 1003.210(a)(4).
[7] Penalties are adjusted yearly pursuant to 45 CFR § 102.1 – 102.3. The section was last amended 5/16/23.
[8] Assessment authority is found at 42 CFR § 1003.130. For exposure, see, 42 CFR §1003.210(b)(1) and (b)(2).
[9] See footnote 7.
[10] The Fraud Enforcement & Recovery Act of 2009 (FERA)
[11] The OIG’s Provider Self-Disclosure Protocol was originally issued in 1998 pursuant to 63 Fed Reg. 58399. It was updated on April 17, 2013 and November 8, 2021, and will be referred to as the “Updated Self-Disclosure Protocol” or “Updated Protocol.” See, https://oig.hhs.gov/compliance/self-disclosure-info/self-disclosure-protocol/.
[12] Updated Protocol, page 3.
[13] The protocol also specifically disclosures of matters involving false billings and Kickback and Self-Referral issues. The benefits of protocol will vary on the subject matter and facts of the matter being disclosed.
[14] As will be discussed in the next section, it is possible that there will remain some open issues that other agencies (primarily DOJ) will want to examine, but in the absence of extraordinary facts, all issues can be fully resolved.
[15] Between 2016-2020, the OIG released all disclosing parties without integrity measures in every settlement.
[16] As the Updated Protocol states: “If a disclosing party employed or contracted with an excluded person who was a direct provider, such as a physician or a pharmacist, and the items or services furnished, ordered, or prescribed by that person were separately billed to Federal health care programs, the disclosure must include the total amounts claimed and paid by the Federal health care programs for those items or services.” At Page 10.
[17] The OIG’s CMP authority is found in 42 C.F.R. Part 1003.
[18] Updated Protocol, page 3.
[19] For example, the advisory opinion process, and not the self-disclosure protocol, is the proper forum to describe a business operation broadly and ask the OIG if it breaches the AKS..
[20] For example, the protocol states overpayments or errors should be directly reported to CMS or to the provider’s contractor. Supra. Pg. 3.
[21] The CMS protocol can be found at: http://www.cms.gov/PhysicianSelfReferral/.
[22] Updated Protocol, page 3.
[23] Updated Protocol, page 9.
Screen employees and providers against over 42 federal and state exclusion databases.
Talk with exclusion screening experts
