3.6 OIG Compliance & Provider Self-Disclosure
Key Takeaways
- The OIG publishes an annually updated Work Plan signaling the billing and program areas it intends to audit and investigate.
- An effective compliance program rests on seven core elements: written standards, a compliance officer, training, open communication, auditing, enforced discipline, and corrective action.
- The List of Excluded Individuals and Entities (LEIE) identifies people and organizations barred from federal programs; providers must screen staff and vendors before hiring and monthly thereafter.
- The OIG Self-Disclosure Protocol (SDP) lets providers voluntarily report potential fraud, often resolving with a lower damages multiplier and no Corporate Integrity Agreement.
- A Corporate Integrity Agreement (CIA) is a multi-year (typically five-year) compliance commitment imposed as part of settling a fraud case, with independent review and OIG reporting.
The OIG's Role
The Office of Inspector General (OIG) within the U.S. Department of Health and Human Services (HHS) is the chief watchdog over Medicare and Medicaid integrity. For billers, the OIG sets the expectations for compliance — the systems a practice uses to prevent, detect, and correct billing fraud and abuse.
The Annual OIG Work Plan
The OIG publishes a Work Plan, updated monthly, listing the audits, evaluations, and investigations it plans to conduct — for example, scrutiny of telehealth billing, evaluation-and-management upcoding, specific high-risk HCPCS codes, or particular payer programs. Think of it as a roadmap of where enforcement attention is heading. Compliance teams mirror it: when the Work Plan flags a code or service, the practice audits that exact area internally before the OIG does.
The Seven Elements of an Effective Compliance Program
The OIG's General Compliance Program Guidance (the consolidated GCPG issued in November 2023) and its older provider-specific guidance describe seven core elements:
- Written policies, procedures, and standards of conduct defining expected behavior.
- A designated compliance officer (and often a compliance committee) with authority and resources.
- Effective training and education on billing rules and compliance expectations.
- Effective lines of communication, including a confidential reporting channel (a hotline).
- Internal monitoring and auditing to detect billing errors and risk areas.
- Well-publicized disciplinary standards enforced consistently.
- Prompt response to detected problems and corrective action addressing root causes.
A biller is most directly involved in elements 3, 5, and 7 — being trained, auditing claims, and correcting the errors audits uncover.
Exclusion Lists and the LEIE
The OIG maintains the List of Excluded Individuals and Entities (LEIE) — a database of people and organizations excluded from federal health care programs for fraud, patient abuse, license loss, or other disqualifying conduct.
- A provider may not bill federal programs for items or services furnished, ordered, or prescribed by an excluded person.
- Practices must screen employees, contractors, and vendors against the LEIE before hiring and on an ongoing basis (commonly monthly).
- Employing an excluded individual can itself trigger civil monetary penalties (and repayment of amounts paid for that person's services).
Provider Self-Disclosure Protocol (SDP)
When a practice discovers potential fraud — not just a clerical overpayment — it can use the OIG's Self-Disclosure Protocol (SDP) to voluntarily report the conduct. Benefits:
| Feature | SDP advantage |
|---|---|
| Damages multiplier | Lower than litigation (often around 1.5x single damages) |
| Resolution | Faster, more cooperative |
| Corporate Integrity Agreement | OIG generally does not require one for SDP matters |
Self-disclosure also proves a functioning compliance program (elements 5 and 7 in action). Note: a simple, identified overpayment with no fraud question is returned through the Medicare contractor's overpayment-refund process within 60 days, not the SDP.
Corporate Integrity Agreements (CIA)
A Corporate Integrity Agreement (CIA) is a negotiated agreement a provider enters with the OIG, usually as part of settling a fraud case (often an FCA settlement). In exchange for not being excluded, the provider accepts a multi-year set of obligations:
- Maintaining or enhancing the seven compliance elements.
- Independent review of claims by an outside organization (an IRO).
- Regular reporting to the OIG.
- Typically a five-year term.
The distinction the exam loves: a CIA is imposed after wrongdoing is settled, whereas the SDP is a voluntary path the provider chooses before enforcement reaches that point.
SDP vs. the 60-Day Overpayment Refund
The single most-tested OIG decision point is which path a problem takes. Use this rule:
| Situation | Correct path |
|---|---|
| Simple, identified overpayment, no fraud question | Return via the Medicare contractor within 60 days |
| Potential fraud or AKS issue (HHS-OIG jurisdiction) | OIG Self-Disclosure Protocol (SDP) |
| Stark-only self-referral issue | CMS Self-Referral Disclosure Protocol (SRDP) |
| Wrongdoing already settled with the government | Corporate Integrity Agreement (CIA) imposed |
Choosing the SDP for a plain clerical overpayment is the wrong answer — that money simply goes back through the contractor. The SDP is reserved for conduct that could be fraud.
The OIG "Seven Pillars" Applied to a Biller's Day
The seven elements are not abstract. In a real billing department they look like this: you follow a written charge-capture policy (element 1), you report a suspicious pattern to the compliance officer or hotline (elements 2 and 4), you attend annual coding/compliance training (element 3), you run monthly claim audits and LEIE screening (element 5), you know staff face documented discipline for deliberate upcoding (element 6), and when an audit finds errors you correct, refund, and retrain (element 7). Examiners often hand you a workplace vignette and ask which element it illustrates.
LEIE Screening Mechanics
The LEIE is free and public on the OIG website and is updated monthly. Best practice is to screen all employees, contractors, and ordering/referring providers before hire and monthly thereafter, and to document each screen. The System for Award Management (SAM) exclusion database is a related federal list often screened alongside the LEIE. Reinstatement is not automatic — an excluded individual must apply to the OIG and be formally reinstated, so an old exclusion can still be active.
A Worked Scenario
A monthly audit reveals a coder has been adding modifier 25 to nearly every E/M billed with a procedure, with no separately identifiable service documented. This is a known OIG Work Plan risk area. The compliant response: stop the practice, quantify the overpayment, and decide the path — if it looks like an honest pattern of misunderstanding, refund through the contractor within 60 days and retrain; if it looks deliberate and systematic, escalate to counsel and consider the SDP. Either way, the seven-element program (audit → report → correct → retrain) is what protects the practice.
During an internal audit, a practice discovers a pattern of claims that may amount to fraudulent billing — beyond a simple keying error. Management wants to report it in a way that may reduce penalties and avoid a Corporate Integrity Agreement. What is the appropriate route?
A practice hires a new billing contractor without checking any exclusion database. Months later it learns the contractor appears on the LEIE. What is the consequence?