Should I Report Discovered Issues to CMS?

You found something in your billing. Maybe it was an internal audit that flagged unusual patterns. Maybe a departing employee mentioned something on their way out. Maybe you just noticed that the numbers dont add up. Welcome to Spodek Law Group. Our goal is to give you real information about CMS self-disclosure - not the sanitized version you find on other websites. Because heres the uncomfortable truth that nobody wants to tell you: the moment you "discover" a billing problem, you've entered a trap with no good exits. Every option from this point forward carries significant risk. The question isnt whether to report. Its which set of consequences you can survive. Thats not a scare tactic. Thats the reality that healthcare providers face when they stumble onto overpayment issues. And most of them have no idea how bad their options actualy are until its far too late to do anything about it.

The 60-Day Clock You Might Have Already Missed

Heres the first thing that catches people off guard. Federal law requires you to report and return overpayments within 60 days of identification. Sounds straightforward enough. But "identification" doesnt mean when you personaly discovered the problem. It means when you "should have known" - a standard thats retroactive and completly subjective. Think about what that realy means for your situation. If the government decides that a reasonable provider in your position should have caught this issue six months ago, your 60-day clock started six months ago. Youre already past the deadline and you didnt even know it. And once that deadline passes, every single claim becomes a potential False Claims Act violation. Every single one. The penalties under the False Claims Act are not theoretical numbers on a page. Were talking $13,508 to $27,018 per claim - not per billing cycle, not per patient, per individual claim submitted. Plus triple damages on top of that. A billing error that resulted in $50,000 in overpayments can quickley become a seven-figure liability once you multiply it out. Thats not an exageration. Thats basic arithmetic that destorys healthcare practices every year. Todd Spodek has seen this pattern repeatedly in his practice. Providers who thought they were being proactive by starting an investigation end up creating documentation that proves they "should have known" earlier than they claimed. The investigation itself becomes evidence against them. The very act of trying to do the right thing creates the paper trail that establishes liability.

Self-Disclosure Is NOT Immunity

Heres were most providers make a fatal miscalculation that costs them everything. They assume that self-disclosure to CMS will protect them from consequences. It wont. It absolutly, definitly wont. The CMS Self-Referral Disclosure Protocol - the SRDP - explicitly states in its own documentation that it does not release you from liability to the Office of Inspector General, the Department of Justice, or False Claims Act qui tam relators. Read that sentence again because it matters. You can walk into CMS, confess everything, cooperate fully with there investigation, and still face criminal prosecution. Still face OIG civil monetary penalties. Still get sued by a whistleblower who files before you disclosed. The SRDP is designed specificaly for Stark Law violations - the physician self-referral statute that restricts certain referals. It addresses one specific type of problem and nothing else. But most healthcare billing issues dont fit neatley into a single legal category. If theres Anti-Kickback Statute implications buried in your situation, the SRDP dosent cover you. If theres potential Medicare fraud allegations possible, the SRDP dosent cover you. If a disgruntled employee is already talking to a qui tam attorney down the street, the SRDP definitly dosent cover you becuase that ships already sailed. At Spodek Law Group, we see this confusion constantley in calls from panicked providers. They think disclosure equals immunity. It dosent. Disclosure means youve created a documented confession that can be used in subsequent proceedings against you. Thats not protection - thats evidence production on a silver platter.

The Dual-Track Problem Nobody Mentions

Heres something most compliance consultants completley fail to explain to there clients. CMS and the OIG operate completly separate disclosure programs with different requirements and different outcomes. The SRDP handles Stark violations. The OIG Self-Disclosure Protocol handles Anti-Kickback violations. Most providers have potential issues under both statutes simultaniously and dont even realize theyre dealing with two different legal frameworks. A physician who refers patients to a facility they have ownership interest in - thats a Stark issue on its face. But if theres any element of remuneration or compensation for those referals beyond fair market value - thats Anti-Kickback territority. One set of facts, two different agencies with two different enforcement priorities, two different disclosure protocols with different timelines, two different sets of consequences cascading down on you. And heres the kicker that makes it even worse. Neither program talks to the other in any meaningfull way. You could self-disclose to CMS and think your completley covered, only to get a letter from OIG six months later about the Anti-Kickback component you didnt even know existed in your situation. Youve already admitted to the underlying conduct. Now your explaining why you only told half the story. That looks like concealment even when it was just confusion. This dual-track problem catches providers who think theyve done everything right. They hired a compliance consultant. They disclosed to CMS. They thought the matter was resolved. Then OIG comes knocking with questions about the arrangement they already admitted to. The partial disclosure actualy makes things worse than no disclosure at all.

The Qui Tam Race You Dont Know Your Running

In 2024, whistleblowers filed 979 qui tam lawsuits under the False Claims Act. Thats a record number. The highest in the history of the statute. And those suits are filed under seal - meaning the government investigates for months or even years before anyone tells you theres a case pending against you. Your operating normally while a lawsuit with your name on it sits in a federal court file somewhere. Whistleblowers - called relators in legal terminology - get 15 to 30 percent of whatever the government eventaully recovers. On a million-dollar settlement, thats $150,000 to $300,000 going directly to the person who reported you. Your compliance officer, your biller, your practice manager, even the employee you just fired for poor performance - any of them could be talking to a qui tam attorney right now while your reading this. Heres the paradox that traps providers. The moment you discover a billing issue, you want to investigate it thoroughley. You want documentation. You want to understand the scope. But investigation creates documentation. Documentation creates witness knowledge in the people conducting the investigation. Witnesses become potential relators. You literaly cant fully investigate your own billing problems without creating the very evidence and witnesses that could be used against you in a qui tam suit. Todd Spodek always tells clients the same thing about this particular situation. The race isnt between you and the government. Its between you and the person in your organization who might beat you to the courthouse with a qui tam complaint. And you probaly dont even know your running that race. The person sitting in your next staff meeting could be your future legal adversary.

What Actually Happens When You Self-Disclose

Lets talk about what self-disclosure actualy looks like in practice. Because most providers have a fantasy version in there heads that dosent match the reality of how these matters proceed at all. You submit a disclosure to CMS or OIG with all supporting documentation. Then you wait. And wait. And wait some more. The government has absolutley no deadline to respond to your disclosure. You could be in limbo for years without any resolution. During that entire time, your operating under a cloud of uncertainty. You cant close the books on the issue. You cant move forward with confidence. Your just waiting to find out how much this is going to cost you ultimatley. When the government finaly responds - maybe six months later, maybe two years later - they dont just accept your numbers and calculations. They conduct there own independant investigation using your disclosure as a starting point. They request additional documentation you didnt anticipate. They interview employees about practices you didnt think were relevent. They might expand the scope of inquiry far beyond what you originaly disclosed. That billing issue you thought was limited to one service line? Now there looking at everything across your entire practice. The OIG requires a minimum of 1.5 times single damages in any settlement they reach. Thats the floor, not the ceiling. Cooperation might affect timing and maybe the final number at the margins, but it dosent affect that minimum baseline. Your not negotiating from a position of strength - your hoping for the least-bad outcome possible. In 2024, CMS processed 314 SRDP settlements totaling $24.7 million in recoveries. The average settlement was $78,781 per case. But thats just the average obscuring the range. Some settlements are in the hundreds of thousands. Some are in the millions. And none of those headline numbers include the legal fees you paid to get there, the operational disruption to your practice, or the reputational damage that follows you afterwards.

When Silence Is Actually Worse Than Disclosure

Heres the uncomfortable calculus that providers have to work through. Self-disclosure carries enormous documented risk. But silence might actualy be worse in many situations. The "repay and forget" strategy - where you just return the overpayment quietley and hope nobody notices - provides absolutley zero legal protection. If the government discovers the issue later through other means, you face the same penalties you would have faced anyway. Plus they can now argue you tried to hide the problem from them. That $50,000 repayment becomes evidence of knowledge rather then evidence of good faith cooperation. You knew enough to repay but not enough to disclose - thats concealment in there eyes. Silence works only if nobody ever finds out what happened. Given the 6-year lookback period for overpayment claims, the explosion of qui tam suits to record numbers, and the governments increasing sophistication in data analytics and pattern detection, thats a bet your making against increasingley bad odds. Every year more providers lose that bet. And silence dosent stop the 60-day clock from running. Every day that passes after you "should have known" is a day of potential False Claims Act liability accumulating silentley. Your not avoiding consequences by staying quiet - your letting them compound with interest. Heres the trap that destroys providers who think they can figure this out themselves: Investigation creates evidence. Disclosure creates confession. Silence creates accumulating liability. There is no path forward that dosent carry major risk. The only question is which risk profile matches your situation.

The Settlement Math You Need To Understand

Lets be concrete and specific about what your actualy facing in real numbers. If you have an overpayment of $100,000:

• Simple repayment only: $100,000 returned (but absolutley no legal protection going forward)
• OIG settlement minimum: $150,000 (1.5x single damages as the floor)
• False Claims Act potential: $300,000+ (treble damages) plus per-claim penalties stacked on top

Free Consultation

Need Help With Your Case?

Our experienced attorneys are standing by to help. Get a free, confidential case evaluation.

• ✓ 100% Confidential
• ✓ Response Within 1 Hour
• ✓ No Obligation Consultation

Or call us directly: (888) 291-1365

Get Your Free Consultation →

Those per-claim penalties are were the math gets truley terrifying. If that $100,000 overpayment came from 200 individual claims over time, your potential FCA exposure is 200 times $13,508 - or $2.7 million minimum - before you even count the treble damages on the underlying amount. This is why qui tam relators get such large payouts for reporting. A 20% share of a $2.7 million recovery is $540,000 going to the whistleblower. Thats life-changing money for a former employee with a grudge and a lawyer willing to work on contingency. They have every incentive to report you. At Spodek Law Group, we've watched providers try to calculate whether disclosure is "worth it" financially without understanding this full math. The calculation isnt whether disclosure is expensive - its obviously expensive. The calculation is whether disclosure is less catastrophic than the alternative of being discovered through other means.

The Criminal Referral Reality Nobody Wants To Discuss

We need to talk about something most providers dont want to think about at all. Criminal prosecution. CMS can refer cases to the Department of Justice at any point in the process. The information you provide in a civil self-disclosure becomes part of your criminal evidence file automaticaly. Your trying to resolve a billing issue cooperatively, and instead your creating a detailed roadmap for criminal investigators to follow. Everything you disclosed is now in there hands. Not every overpayment leads to criminal charges - most dont. But the distinction between civil fraud and criminal fraud often comes down to factors completley outside your control and impossible to predict - like whether a particular US Attorney is making healthcare fraud a priority this year, or whether your case fits a pattern they want to publicize for deterence. The question "should I self-disclose to CMS" cant be answered responsibley without understanding your criminal exposure first. And evaluating criminal exposure requires the kind of sophisticated analysis that goes far beyond compliance protocols and internal audits.

What You Should Actually Do Right Now

Heres what Spodek Law Group tells clients who call us in exactly this situation. First, stop the bleeding immediatley. If theres an ongoing billing practice thats generating new overpayments every day, fix it today. Not next week, not after you finish your analysis, today. Every additional claim submitted is additional liability accumulating. Second, document carefully - but understand that documentation cuts both ways and always has. You need records of what you discovered and when you discovered it. But those same records can be used to establish when you "should have known" under the legal standard. Third, get proper counsel involved before you decide anything about disclosure or non-disclosure. Not a compliance consultant who does this as a sideline. Not your regular healthcare attorney who handles contracts. Someone who understands False Claims Act litigation, OIG negotiations, and criminal defense work simultaniously. This is definitly not the time for generalists. Fourth, conduct a realistic assessment of your qui tam exposure. Who in your organization knows about this issue already? Who have you told? Who might talk to an attorney? The answer to that question often determines the timeline for everything else you do. Fifth - and this is absolutley critical - understand that theres no decision you can make that eliminates risk entirely. Your choosing between different risk profiles. The goal is to make an informed choice based on your actual situation rather then a panicked one based on incomplete information.

The Clock Is Ticking Every Day

Every day you wait is a day the 60-day clock is either running or has already expired. Every day you wait is a day a potential qui tam relator might be meeting with an attorney about your practice. Every day you wait is a day the documentation in your files becomes staler and harder to reconstruct accuratley. Spodek Law Group handles these situations because we understand that providers facing CMS disclosure decisions need honest assessments rather then false reassurance. We've seen how these cases develop over time. We know what the government prioritizes in there investigations. We can help you understand which path forward makes sense for your specific factual situation. Call us at 212-300-5196 before you make any decisions about disclosure. The consultation is free. The mistake of waiting isnt. Because heres the final uncomfortable truth about this entire situation. By the time your asking "should I report discovered issues to CMS," you've already lost the ability to make this problem disappear completley. The only question now is how you manage the consequences going forward. And that question deserves a real answer - not the sanitized version you find everywhere else.