OIG Self-Disclosure Protocol: When to Use It, When to Hold Back
10 min read · Last reviewed May 23, 2026
The OIG Self-Disclosure Protocol (SDP) is the established federal pathway for healthcare entities to voluntarily disclose conduct that may violate the Anti-Kickback Statute, False Claims Act, or Civil Monetary Penalties Law. The Provider Self-Disclosure Protocol was originally created in 1998, substantially updated April 17, 2013, and amended November 8, 2021. It is published at https://oig.hhs.gov/compliance/self-disclosure-info/protocol.asp. It is a powerful resolution tool when used correctly, and the wrong tool for several common scenarios. Counsel decides; the practice never files alone.
What the OIG SDP is — and what it is not
The SDP is a structured process by which a healthcare entity discloses identified misconduct to OIG, quantifies the damages, and negotiates a resolution. The November 8, 2021 amendment increased the minimum settlement amounts and refreshed several procedural provisions. Key features:
- Eligibility. Anti-Kickback Statute (AKS) violations under 42 USC § 1320a-7b(b), False Claims Act exposure traceable to AKS violations under 42 USC § 1320a-7b(g), Civil Monetary Penalty matters under 42 USC § 1320a-7a, and conduct that may be the basis for OIG exclusion.
- Exclusions. Pure Stark Law (Physician Self-Referral) matters go to the CMS Self-Referral Disclosure Protocol (SRDP), not OIG SDP. Matters that are nothing more than simple overpayments without AKS, CMP, or fraud overlay go through normal MAC or commercial-payer overpayment channels.
- Resolution multiplier. OIG typically settles SDP matters at 1.5x single damages, versus the statutory authority for up to 3x damages plus per-claim penalties under 42 USC § 1320a-7a and the False Claims Act multipliers.
- Suspension of the 60-day clock. Once OIG acknowledges receipt of the SDP submission, the 60-day report-and-return obligation is suspended under 42 CFR § 401.305(b)(2)(i) while the matter is pending. This is one of the SDP's most material practical benefits.
- CIA presumption. OIG generally agrees not to require a Corporate Integrity Agreement for SDP-accepted matters. The presumption is rebuttable, but the default is meaningful.
- Minimum settlement amounts. $100,000 for kickback-related matters; $20,000 for non-kickback matters. Matters below the minimums are returned without acceptance.
The SDP is not amnesty. OIG retains exclusion authority. DOJ retains False Claims Act authority. State Medicaid Fraud Control Units and state Attorneys General are not bound by OIG's resolution.
AKS versus Stark — sort this first
The substantive theory dictates the protocol. Counsel must sort it before filing.
| Theory | Resolution path | Statute / Regulation | | --- | --- | --- | | Anti-Kickback Statute (intentional remuneration to induce referrals) | OIG SDP | 42 USC § 1320a-7b(b) | | Stark Law (physician self-referral, strict liability) | CMS SRDP | 42 USC § 1395nn, with SRDP authority at § 1395nn(g)(5) | | False Claims Act tainted by AKS | OIG SDP plus possible DOJ track | 42 USC § 1320a-7b(g) | | Pure overpayment (no AKS, no Stark, no fraud) | MAC or commercial payer channels | 42 CFR § 401.305 | | Civil Monetary Penalty (e.g., employment of excluded individual) | OIG SDP | 42 CFR Part 1003 |
A mixed matter — AKS plus Stark overlap on the same arrangement — goes to OIG SDP, not SRDP. A Stark-only matter (e.g., a documentation defect on an office-space lease with a referring physician, no intent issue) goes to SRDP. Filing in the wrong forum delays resolution and can foreclose the SDP's benefits.
When the SDP is the right move
The SDP is the appropriate path when most of the following are true:
- The conduct is identified, quantifiable, and traceable to specific claims
- The conduct touches AKS, FCA-via-AKS, or CMP exposure
- The damages exceed the relevant minimum ($100,000 AKS / $20,000 non-AKS)
- The practice has the documentation to support a credible single-damages calculation
- The matter is internal — no current OIG, DOJ, UPIC, or qui tam relator activity that the practice is aware of
- Counsel and leadership have aligned on a self-disclosure strategy
- The practice can commit to the SDP's required workforce-cooperation and document-production obligations
- The matter has been concluded internally — no ongoing misconduct, control remediated, individuals counseled or separated as appropriate
A clean SDP submission resolves the OIG-side exposure at the lower multiplier, tolls the report-and-return clock, generally avoids a CIA, and creates a documented good-faith record for state board, payer, and credentialing inquiries.
When the SDP is the wrong move
The SDP is rarely the right move in these scenarios:
- Matter is purely Stark. Use SRDP instead.
- Damages are below the minimum. Use the MAC or commercial-payer overpayment process. The 60-day rule still applies independent of SDP.
- DOJ already has the matter. A pending qui tam, a Civil Investigative Demand, or a subpoena materially changes the analysis. Self-disclosure to OIG after DOJ is engaged generally cannot capture the SDP benefits and may complicate DOJ resolution. Counsel coordinates the parallel track.
- UPIC, ZPIC, or I-MEDIC is already investigating the same conduct. Self-disclosure mid-investigation is sometimes strategic; more often it is poorly timed. Counsel coordinates.
- The practice cannot defend the single-damages calculation. Submitting a number OIG considers undercounted erodes credibility for the entire submission.
- The control has not been remediated. OIG requires evidence that the conduct has been corrected. A submission with ongoing misconduct will be returned or used against the practice.
- The matter is more credibly characterized as a billing error than fraud. Misclassifying an honest mistake as SDP-worthy creates an admission that can be used by other regulators, state boards, payers, and qui tam relators.
What an SDP submission contains
The 2023 protocol's submission requirements are specific:
- Identification. Name, address, EIN, NPI(s), provider type, and the disclosing entity's relationship to the conduct.
- Description of conduct. A complete, detailed description of the conduct disclosed, including legal theory (AKS, CMP, FCA), the individuals involved, and the time period.
- Federal healthcare programs affected. Medicare, Medicaid, TRICARE, and any other federal payer.
- Damages calculation. A single-damages calculation with the methodology, the underlying data, and the supporting documentation. OIG expects the disclosing entity to do this work; the calculation is the basis for the negotiated multiplier.
- Corrective action. A description of how the conduct has been remediated — control changes, personnel actions, policy updates, training.
- Workforce cooperation. A commitment to cooperate with OIG, including making relevant individuals available for interview.
- Certification. Signed certification by an authorized officer that the submission is true and complete to the best of the disclosing entity's knowledge.
Submission is electronic through the OIG SDP portal referenced on the protocol page. The November 8, 2021 amendment formalized the electronic-submission process and reaffirmed the certification requirement.
What NOT to do
- Do not submit without counsel. The certification, the damages calculation, and the legal characterization are all decisions with material downstream consequences.
- Do not minimize the damages calculation. OIG will independently validate. Understating the number is a credibility hit that follows the matter through every stage.
- Do not over-include. Disclose what is identified and quantifiable. Disclosing speculative or unsupported conduct widens the surface area.
- Do not communicate with OIG informally during the SDP review. All communication runs through counsel and is documented.
- Do not stop running compliance controls during the SDP review. OIG will look at the practice's compliance posture during the SDP review window. Lapses during that window are deeply damaging.
- Do not assume tolling extends to state and DOJ obligations. The 60-day rule tolling is OIG-specific. State Medicaid agencies, state Attorneys General, DOJ, and qui tam timelines run independently.
How the SDP process unfolds
`` Day 0 Internal identification and quantification. Counsel engaged. Control remediation begun. Day 0–60 Damages calculation built. SDP submission drafted. Day 60 SDP submission filed via OIG portal. Day 60–90 OIG acknowledges receipt; on acknowledgement, the 60-day report-and-return clock is suspended. Day 90–180 OIG initial review. Case assignment. Often a request for additional information. Day 180–360 OIG verification. Disclosing entity produces supporting documentation. OIG may interview individuals. Day 360–540 Settlement negotiation. Multiplier (typically 1.5x), payment schedule, certification of remediation. Day 540+ Settlement agreement executed. Payment. SDP closure letter. Suspension of the 60-day clock lifts on closure. ``
Timelines vary materially. Simple matters with clean damages calculations resolve in 9-12 months; complex matters involving multiple providers or extended time periods routinely take 18-30 months.
Parallel-track considerations
An SDP matter rarely sits alone. Counsel must concurrently manage:
- The 60-day report-and-return rule under 42 CFR § 401.305 for any overpayment portion of the damages, with the OIG acknowledgement-based suspension under § 401.305(b)(2)(i) documented
- DOJ False Claims Act exposure under 31 USC § 3729, independent of OIG resolution, with consideration of whether voluntary disclosure to DOJ is also appropriate
- State Medicaid Fraud Control Unit interest on Medicaid claims, listed by state on the OIG MFCU page
- State medical or pharmacy board self-reporting obligations triggered by the underlying conduct
- NPDB reporting if any individual is the subject of an adverse action arising from the conduct
- Payer notification obligations under commercial-payer contracts, which often require notice of investigations
- D&O and E&O insurance notice under applicable policy provisions
The SDP resolution is one piece of a larger compliance and risk picture. Counsel maps each parallel exposure at submission, not after.
State-law overlay
State Medicaid Fraud Control Units operate under 42 USC § 1396b(q) authority and are not bound by OIG SDP. The OIG SDP is a federal program; state false-claims or anti-kickback authorities pursue separate state-side resolutions. State Attorneys General have independent qui tam and false claims authority under state false claims acts modeled on the federal statute. Some states (California, New York, Texas) have particularly active MFCUs and AG enforcement. Counsel should evaluate whether a parallel state self-disclosure is appropriate; some states have their own disclosure protocols, others handle voluntary disclosure case-by-case.
State medical and pharmacy board self-reporting may be triggered by the underlying conduct or by the SDP submission itself; many state boards require self-reporting of federal civil monetary penalties or settlements within 30-60 days of resolution.
Restraint about outcomes
No protocol guarantees a result. The SDP improves the posture materially when used in the right matter, at the right time, with counsel-led preparation and a defensible damages calculation. It does not foreclose state enforcement, DOJ action, qui tam exposure, exclusion in serious matters, or payer recoupment. Practices considering self-disclosure work the decision through counsel, not through internal compliance committees alone.
This guide is not legal advice. The decision to self-disclose to OIG is a strategic legal decision; consult outside healthcare counsel before initiating a submission.
How d3rx fits
The d3rx compliance binder assembles the source-grounded administrative documentation a self-disclosure submission is built from — coding policy, internal audit log, training records, exclusion screening evidence, BAA inventory, financial relationships log. The d3rx audit defense workflow supports the parallel-investigation handling that often runs alongside an SDP matter. d3rx does not represent the practice in any OIG, DOJ, CMS, or state proceeding, does not provide legal advice, and does not replace counsel; it is a point-in-time administrative documentation aid that counsel and the practice work from.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — OIG Self-Disclosure Protocol: When to Use It, When to Hold Back. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does an SDP submission stop the OIG CMP clock?
Once OIG acknowledges receipt of the SDP submission, the obligation to report and return is suspended under [42 CFR § 401.305(b)(2)(i)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-401/subpart-D/section-401.305) while the matter is pending with OIG. That suspension is one of the SDP's most important practical benefits. It does not extinguish underlying civil monetary penalty exposure under [42 CFR Part 1003](https://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1003); it positions the matter for negotiated resolution at OIG's posted multiplier — typically 1.5x single damages in SDP matters, versus the up-to-3x available outside SDP.
Can I use the SDP for a Stark Law violation?
No. The OIG SDP at [https://oig.hhs.gov/compliance/self-disclosure-info/protocol.asp](https://oig.hhs.gov/compliance/self-disclosure-info/protocol.asp) explicitly excludes matters that are pure Stark (Physician Self-Referral Law) violations. Stark-only matters go through the CMS Self-Referral Disclosure Protocol (SRDP), authorized at [42 USC § 1395nn(g)(5)](https://www.law.cornell.edu/uscode/text/42/1395nn). A matter with both Anti-Kickback Statute and Stark exposure goes to OIG SDP; a Stark-only matter goes to CMS SRDP. Counsel must sort the substantive theory before filing.
What is the minimum settlement amount under the OIG SDP?
The November 8, 2021 amendment to the SDP set minimum settlement amounts of $100,000 for kickback-related submissions and $20,000 for other matters. Below those thresholds, the matter is generally returned without acceptance into the SDP and the practice is directed to handle the overpayment through normal MAC or commercial-payer channels. The minimums are floors, not ceilings — many SDP resolutions settle well above the minimums.
If I self-disclose, am I safe from exclusion?
Not automatically. The OIG retains exclusion authority under [42 USC § 1320a-7](https://www.law.cornell.edu/uscode/text/42/1320a-7) and [42 CFR Part 1001](https://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1001). The SDP framework operates against a backdrop where OIG generally agrees not to require a Corporate Integrity Agreement or pursue exclusion for SDP-accepted matters, but exclusion remains available for serious conduct. The protocol resolves the matter; it does not write a blanket release on the underlying authority.
What if the matter involves both False Claims Act and Anti-Kickback exposure?
AKS-tainted claims are False Claims Act-impacted by operation of [42 USC § 1320a-7b(g)](https://www.law.cornell.edu/uscode/text/42/1320a-7b). The SDP at OIG addresses the OIG-side resolution. Parallel DOJ resolution under the False Claims Act may be required for some matters, and DOJ has independent authority. Counsel should anticipate a parallel-track conversation and coordinate the SDP submission with any contemplated DOJ-side strategy.
Can I self-disclose anonymously?
No. The SDP requires the disclosing entity to identify itself, name the providers and individuals involved, and certify the accuracy of the submission. Anonymous reports through the OIG Hotline are a different process under [42 USC § 1320a-7c](https://www.law.cornell.edu/uscode/text/42/1320a-7c) and do not provide the resolution benefits of SDP. The certification requirement is a material part of why OIG accepts the lower 1.5x multiplier in SDP matters.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- https://oig.hhs.gov/compliance/self-disclosure-info/protocol.asphttps://oig.hhs.gov/compliance/self-disclosure-info/protocol.asp
- 42 CFR § 401.305(b)(2)(i)https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-401/subpart-D/section-401.305
- 42 CFR Part 1003https://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1003
- OIG MFCU pagehttps://oig.hhs.gov/fraud/medicaid-fraud-control-units-mfcu/
- protocol.asphttps://oig.hhs.gov/compliance/self-disclosure-info/protocol.asp](https://oig.hhs.gov/compliance/self-disclosure-info/protocol.asp
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
The Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)
8 min readEmergency ResponseUPIC Audit Response: What to Do First (and What Not to Touch)
7 min readCompliance FoundationsThe OIG's 7 Elements of an Effective Compliance Program (Applied to a Small Practice)
8 min readRelated across the archive
- ComplianceThe Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)The 60-day clock starts at identification. Miss it, and the overpayment becomes a False Claims Act violation. Here is the actual procedure.
- ComplianceUPIC Audit Response: What to Do First (and What Not to Touch)A UPIC letter signals suspected fraud, not a routine review. Engage counsel before responding. Here is the procedure that preserves the practice.
- ComplianceRecent OCR Settlements: What HHS Actually Penalizes (2025)Risk Analysis Initiative, ransomware, right-of-access. The deficiency patterns driving recent OCR Resolution Agreements and what they cost.
- ComplianceThe OIG's 7 Elements of an Effective Compliance Program (Applied to a Small Practice)The OIG's seven elements of an effective compliance program, what each one looks like in a 1–15-clinician practice, and how to document each in 2026.
- ComplianceOIG LEIE Monthly Exclusion Screening: Process + Audit-Ready LogsMonthly OIG LEIE and SAM.gov exclusion screening for every workforce member and vendor: the workflow, the log fields auditors require, and the escalation path.
- ComplianceAdditional Documentation Request (ADR): How to Respond Inside the WindowMedicare ADR response windows are contractor-specific (45 days for MAC/SMRC/RAC, 30 days for UPIC). Miss the window and the claim auto-denies. Here is the procedure that actually works.
- ComplianceRAC Audit Response: First 14 Days After the LetterA Recovery Audit Contractor (RAC) letter starts a 45-day documentation clock and a 30-day discussion-request window (separate from the 120-day Redetermination appeal clock). Sequence the first 14 days correctly.
- GlossaryOIG Self-DisclosureThe HHS-OIG Self-Disclosure Protocol allowing providers to disclose actual or potential violations of federal fraud and abuse laws.