What Is the Real Difference Between an Overpayment and a Reportable Violation?
An overpayment is money received in error with no underlying violation of federal law; a reportable violation is conduct that potentially breaches a criminal, civil, or administrative statute such as the False Claims Act or the Anti-Kickback Statute. Only the second category belongs in the OIG’s Self-Disclosure Protocol.
Most compliance guides skip past this distinction entirely, and it’s the single most consequential decision point in the whole process. A biller who upcoded once by mistake, on one claim, has an overpayment. A practice that kept billing the higher code for eighteen months after an internal audit flagged the pattern has something closer to reckless disregard, which is a different animal.
Confusing the two wastes resources in both directions. Practices that route ordinary billing errors into the OIG’s formal protocol invite scrutiny, legal fees, and minimum settlement amounts they never needed to pay. Practices that route genuine fraud indicators into a quiet contractor refund hope nobody notices the pattern. Neither approach ages well.
When Does the 60-Day Rule Apply Instead of the OIG Self-Disclosure Protocol?
The 60-day rule under 42 U.S.C. § 1320a-7k(d) governs simple overpayments, a distinct statutory track from the False Claims Act itself: providers must report and return identified Medicare or Medicaid overpayments within 60 days of identification, or by the date a corresponding cost report is due, whichever is later, through the standard contractor refund process, not the OIG.
This is where the keyword phrase “when to report” actually splits into two separate answers depending on what was found. If a coding review turns up a batch of claims billed at the wrong level with no evidence of intent or pattern, the correct channel is the Medicare Administrative Contractor’s voluntary refund process. That satisfies the statutory obligation and closes the matter.
The OIG has said plainly that overpayments or errors not implicating a civil monetary penalty are not eligible for its Self-Disclosure Protocol. Sending a routine coding correction through the OIG’s formal channel is not just unnecessary. It can actively signal that the practice suspects something worse than a coding error.
What Financial Benefit Does the SDP Actually Deliver?
The OIG applies a minimum damages multiplier of 1.5 times single damages for cooperative self-disclosures, compared to potential treble damages in a government-initiated investigation, and it maintains a presumption against requiring a Corporate Integrity Agreement for parties who voluntarily disclose.
That gap between 1.5x and 3x damages is the entire financial argument for using the protocol when fraud indicators exist. A $400,000 damages calculation resolved through self-disclosure lands around $600,000. The same conduct, discovered by a government audit instead, could reach $1.2 million before penalties and exclusion risk are even factored in.
Between 2016 and 2020, the OIG resolved 330 SDP settlements, and every single one avoided a Corporate Integrity Agreement, according to OIG’s own protocol history. That track record matters to a practice weighing whether disclosure invites permanent oversight or actually helps avoid it.
What Are the Minimum Settlement Amounts Under the Current Protocol?
Since the November 2021 update, the OIG requires a minimum settlement of $100,000 for disclosed Anti-Kickback Statute violations and $20,000 for all other matters accepted into the protocol, both doubled from the prior thresholds set in 2013. These floors apply regardless of the disclosing party’s actual calculated damages.
This detail changes the math for smaller practices. If a reasonable damages estimate for a disclosed matter comes in under $20,000, the SDP isn’t a cost-effective path even when a technical violation exists; the disclosing party still owes the minimum settlement regardless of how small the underlying conduct was. Some practices in that position choose instead to make a direct repayment and forgo the formal release, accepting the tradeoff of no listed settlement on OIG’s public disclosure page.
Kickback-adjacent conduct almost never falls under that $20,000 floor. A single improper medical directorship arrangement running for even a few months routinely produces damages well above the minimum, which pushes most Stark-and-AKS overlap cases squarely into SDP territory rather than a simple refund.
One nuance competitor content routinely skips: a disclosure involving only the Stark Law, with no kickback element, doesn’t go to the OIG at all. It belongs in CMS’s Self-Referral Disclosure Protocol, a separate program with its own submission requirements. Filing a Stark-only matter with the wrong agency can delay resolution by months.
Can a Single Coding Error Turn Into a False Claims Act Violation?
Yes. Once an identified overpayment is knowingly retained past the 60-day deadline, the retention itself becomes an “obligation” under the False Claims Act, independent of whether the original billing error involved any intent to defraud. That conversion happens automatically, by operation of statute, with no separate finding required.
This is the mechanism that converts a clerical mistake into federal exposure, and it’s the piece competitor content glosses over almost entirely. The statute doesn’t care that the original error was innocent. It cares that the provider knew about the overpayment and sat on it. A compliance team that discovers an error in March and finalizes repayment in September has, on paper, converted an accident into a retained obligation.
Filing a timely self-disclosure to the OIG for genuinely fraud-adjacent conduct also tolls that 60-day clock. Once the OIG acknowledges receipt of the submission, the repayment obligation is suspended until the matter resolves, which gives compliance teams room to complete a proper investigation instead of racing a deadline.
What Should Compliance Officers Do in the First 30 Days After Discovery?
Compliance officers should conduct a reasonable internal assessment within days of discovery, itemize potential damages by federal program, and formally decide between the contractor refund process and the OIG protocol before the 60-day clock forces a rushed decision. Waiting for a complete audit before making that classification call is the most common early misstep.
Start by separating the factual question from the legal one. What happened, and how much money is involved, is a data question your billing team can answer quickly. Whether the conduct rises to the level of a reportable violation is a legal judgment that needs counsel experienced specifically with the SDP, not general healthcare counsel handling it as a side matter.
Document the internal investigation timeline meticulously from day one. The OIG requires disclosing parties to complete their internal investigation and damages calculation within 90 days of the initial submission, and a compliance team that already has clean audit trail data moves through that window far faster than one starting from scratch.
Finally, never assume silence is a safe default. An unaddressed pattern discovered during a merger, a system migration, or a new compliance hire’s first audit carries the same statutory clock as one discovered through routine internal review. The calendar doesn’t wait for convenient timing.
The Bottom Line for Compliance Teams
The question “when to report” has two correct answers, not one. Simple overpayments go through the payer’s voluntary refund process within 60 days. Conduct that potentially violates the Anti-Kickback Statute, the False Claims Act, or the exclusion rules belongs in the OIG’s Self-Disclosure Protocol, where cooperation buys a lower damages multiplier and a real shot at avoiding an integrity agreement.
Getting that classification wrong in either direction costs money. Practices that build a documented, repeatable decision process for every discovered overpayment consistently do better than the ones improvising it case by case under deadline pressure.


Leave a Reply