Glossary · Compliance

Self-disclosure (OIG/CMS)

Self-disclosure (OIG/CMS) is a voluntary process by which a healthcare provider proactively reports a self-discovered potential fraud, abuse, or Stark Law violation to the OIG (via the Provider Self-Disclosure Protocol) or to CMS (via the Self-Referral Disclosure Protocol) before a government investigation begins.

Verified May 8, 2026 · 10 sources ↓

Drawn from OigCMSBakerdonelsonDoctorsmanagementJdsupra

Definition

Source · Editorial summary grounded in 10 cited references ↓

When an orthopedic practice or health system uncovers a potential compliance violation—upcoding, billing for services rendered by an excluded or unlicensed provider, an improper financial arrangement under the Anti-Kickback Statute, or a prohibited Stark Law referral—it has two primary voluntary-disclosure pathways. The OIG Provider Self-Disclosure Protocol (SDP), in place since 1998, is the route for potential violations subject to Civil Monetary Penalties (CMP) authority, including Anti-Kickback Statute and False Claims Act exposure. The CMS Self-Referral Disclosure Protocol (SRDP), created under the Affordable Care Act, is reserved specifically for actual or potential Stark Law violations. These are parallel but distinct programs: conduct that implicates only Stark goes to CMS; conduct that implicates broader fraud and abuse—or both statutes simultaneously—may require OIG disclosure or a coordinated dual-pathway strategy.

The financial mechanics differ meaningfully between the two programs. Under the OIG SDP, the standard damages multiplier is reduced from the statutory treble (3×) to 1.5× for good-faith disclosers, and permissive exclusion from federal programs is typically released without integrity measures attached. Under the CMS SRDP, CMS has authority to reduce the total overpayment amount based on the provider's cooperation and the totality of circumstances. Both programs suspend the 60-day overpayment repayment clock—meaning the deadline to return identified Medicare or Medicaid overpayments is tolled while the disclosure is pending settlement, preventing an automatic False Claims Act violation from accruing during the resolution period.

For orthopedic practices specifically, recurring self-disclosure triggers include employment or contracting with OIG-excluded individuals, billing under a surgeon's NPI for procedures actually performed by an uncredentialed or unlicensed provider, compensation arrangements with referring physicians that lack fair-market-value support, and systematic upcoding discovered during internal audit. The OIG maintains a public database of self-disclosure settlement summaries; reviewing it reveals that musculoskeletal and surgical specialties appear with regularity, underscoring that these issues are not hypothetical for orthopedic compliance officers.

Why it matters

Failing to self-disclose a known violation—or disclosing too late—transforms a correctable compliance problem into potential False Claims Act liability. Under the 60-day rule, once a provider has 'identified' an overpayment (meaning reasonable diligence would have quantified it), the clock starts. Missing that deadline converts the retained overpayment into a reverse false claim carrying penalties of up to $27,894 per claim plus treble damages. For an orthopedic group that discovers three years of systematic coding errors affecting hundreds of Medicare claims, the difference between proactive OIG self-disclosure (1.5× multiplier, no exclusion) and a government-initiated investigation (3× multiplier, potential exclusion, reputational damage) can be existential. Additionally, practices operating under a Corporate Integrity Agreement that discover a new violation must disclose it or risk CIA breach.

Common mistakes

Where people most often go wrong with this concept.

Source · Editorial brief grounded in cited references ↓

  • Routing a Stark Law violation through the OIG SDP instead of the CMS SRDP—these are separate protocols and using the wrong one does not toll the 60-day overpayment clock under the applicable program.
  • Treating a simple Medicare overpayment (no fraud element) as an SDP matter—overpayments without CMP-triggering conduct go directly to the Medicare Administrative Contractor, not OIG.
  • Referring broadly to 'the False Claims Act' or 'federal law' in the disclosure narrative without identifying the specific statute violated—OIG treats vague submissions as incomplete and will not extend penalty mitigation.
  • Assuming the 60-day clock is automatically tolled the moment an internal audit begins—the clock is tolled only after a compliant SDP or SRDP submission is accepted, not upon internal discovery alone.
  • Failing to account for the full employment-cost proxy when billing involved an unlicensed provider—OIG does not discount by federal payor mix in this scenario, meaning total employment costs are the damages baseline.
  • Continuing to submit claims for designated health services while a known Stark violation is unresolved—doing so converts the violation into knowing false-claim submission, escalating liability beyond the SRDP settlement pathway.
  • Waiting to disclose until after a government audit notice arrives—entities already under investigation may still disclose but lose the strongest goodwill credit; the window for maximum mitigation is pre-audit.

Frequently asked questions

Source · Generated from the editorial pipeline, verified against 10 cited references ↓

01What is the difference between the OIG SDP and the CMS SRDP?
The OIG Provider Self-Disclosure Protocol covers potential violations subject to Civil Monetary Penalties authority—primarily Anti-Kickback Statute and False Claims Act issues. The CMS Self-Referral Disclosure Protocol is specifically for actual or potential Stark Law (physician self-referral) violations. Stark-only matters go to CMS via the SRDP; conduct involving broader fraud and abuse goes to OIG via the SDP. Some situations require both.
02Does filing a self-disclosure stop the 60-day overpayment clock?
Yes, but only after a compliant submission is accepted. CMS suspends the 60-day repayment deadline once a provider submits a complete SRDP disclosure; OIG similarly tolls the obligation during SDP resolution. Internal discovery alone does not stop the clock—the formal submission must be filed.
03What penalty reduction can an orthopedic practice expect from an OIG self-disclosure?
OIG typically reduces the damages multiplier from the statutory treble (3×) to 1.5× for good-faith disclosers who cooperate fully. In nearly all settled cases, OIG also releases its permissive exclusion authority without attaching integrity measures. The actual settlement amount is negotiated case by case.
04What happens if a practice billed for procedures performed by an unlicensed surgical assistant?
OIG treats services provided by unlicensed individuals as non-payable by any federal health care program regardless of payor. If those services were directly billed, damages equal total federal program payments received. If not separately billed, OIG uses total employment or contract costs as the damages proxy—and does not reduce that figure by the practice's federal payor mix.
05Can a practice self-disclose if it is already under a government audit?
Yes. Being under investigation or audit does not automatically disqualify a provider from using the SDP or SRDP, but the disclosure must be made in good faith. Practices in this situation should involve healthcare counsel immediately, as the mitigation benefits are reduced compared to pre-audit disclosure.
06Are coding errors alone—without any fraudulent intent—eligible for OIG self-disclosure?
Not necessarily. Pure overpayments resulting from coding errors without a CMP-triggering element should be reported directly to the Medicare Administrative Contractor, not OIG. The SDP is reserved for conduct that could give rise to civil monetary penalties—such as upcoding with knowledge, billing for excluded providers, or kickback-tainted claims. If the retained overpayment has aged past 60 days it may cross into False Claims Act territory, at which point OIG becomes the appropriate channel.

Sources & references

Editorial content was developed using the following public sources. Last verified May 8, 2026.

  1. 01
    oig.hhs.gov
    https://oig.hhs.gov/compliance/self-disclosure-info/self-disclosure-protocol/
  2. 02
    oig.hhs.gov
    https://oig.hhs.gov/compliance/self-disclosure-info/
  3. 03
    cms.gov
    https://www.cms.gov/medicare/regulations-guidance/physician-self-referral/self-referral-disclosure-protocol
  4. 04
    bakerdonelson.com
    https://www.bakerdonelson.com/proactive-compliance-when-should-an-internal-finding-become-an-oig-self-disclosure
  5. 05
    doctorsmanagement.com
    https://www.doctorsmanagement.com/blog/when-things-go-wrong-a-practical-guide-to-the-oig-self-disclosure-protocol-for-medical-practices/
  6. 06
    jdsupra.com
    https://www.jdsupra.com/legalnews/a-provider-s-guide-to-oig-s-self-2895959/
  7. 07
    providertrust.com
    https://www.providertrust.com/blog/quick-guide-to-the-oig-self-disclosure-protocol/
  8. 0842 U.S.C. § 1320a-7a (Civil Monetary Penalties Law)
  9. 0942 U.S.C. § 1320a-7k(d) (60-Day Overpayment Rule)
  10. 1031 U.S.C. § 3729 (False Claims Act)

Related terms

Medicare Administrative Contractor (MAC) Compliance

A Medicare Administrative Contractor (MAC) is a private insurance company under contract with CMS to process and pay Medicare Part A and Part B fee-for-service claims within an assigned geographic jurisdiction. MACs are the primary point of contact for providers on coverage policies, claims adjudication, and local coverage determinations.

Ready?

Ready to transform your orthopedic practice?

See how orthopedic practices are running documentation, billing, and operations on a single voice-first platform.

Get started for free