All News

OIG's Issuance of Provider Self-Disclosure Protocol

May 01 1999

PDF

On October 21, 1998, the Office of Inspector General (“OIG”) issued the Provider Self-Disclosure Protocol (the “Protocol”) to encourage health care providers to voluntarily disclose their noncompliance with the requirements of federal health care programs (“Programs”). The Protocol follows the OIG’s pilot program, Operation Restore Trust (“ORT”), which was initiated in 1995. Unlike ORT, which was limited to five states and four types of providers, the Protocol is available to all types of health care providers nationwide.

The Protocol is intended to give providers detailed guidance on the appropriate elements of the audit and investigation process, without creating rigid requirements or limitations. However, while the Protocol’s format may be helpful to providers seeking to resolve issues with the OIG, it does not give providers any commitment as to how their disclosure will be resolved or what, if any, benefits the provider will receive by following the Protocol.

Below is a summary of the Protocol and the recommended steps that a provider should follow when submitting a voluntary disclosure to the OIG.

When to Disclose under the Protocol

It is important to note that the Protocol is intended to help resolve only those matters that are potentially violative of the Federal False Claims Act or other federal, criminal or administrative laws. Matters involving overpayments or billing errors that do not suggest a violation of law should be brought to the attention of the carrier or fiscal intermediary. (The carrier or fiscal intermediary can, however, still refer the matter to the OIG if it believes there is a violation of law.) Determining whether a matter is in violation of the law requires a fact-intensive analysis. For each problematic circumstance, the provider should evaluate, in conjunction with legal counsel, whether use of the Protocol is appropriate. Factors to consider include: the provider’s intent and knowledge, the amount involved, disregard for accuracy, the level of cooperation, the duration of non-compliance, how the matter came to light, direction from the carrier or fiscal intermediary, and the individuals involved. 

The OIG suggests that the provider also consider two other factors before determining whether to follow the Protocol. First, if the provider uncovers an ongoing fraud scheme within its organization, it should not follow the Protocol. Instead, the OIG urges the provider to contact the OIG immediately so that “the Government’s subsequent investigation will not be compromised.” 

Second, the OIG assumes that before a provider determines whether to follow the Protocol, it will perform its own preliminary internal audit to substantiate the compliance problem. The OIG suggests that the provider does not need to follow the Protocol when it performs this preliminary audit. The provider should also not follow the Protocol if the activity in question is one that is already part of an ongoing national review by the OIG (unless the preliminary internal audit suggests that the provider has in fact engaged in such practices).

If a provider decides to make a voluntary disclosure after considering the above, it should follow the Protocol’s requirements described below.

Content of Submission Under the Protocol

Basic Information

If the provider decides to self-disclose under the Protocol, its submission must be made in writing and submitted to Assistant Inspector General for Investigative Operations, Office of Inspector General, Department of Health and Human Services, 330 Independence Avenue, SW, Cohen Building, Room 5409, Washington, DC 20201. Submissions by facsimile or other electronic media will not be accepted. The submission should also contain the following basic information:

  1. The name, address, provider number and tax identification number of the disclosing health care provider, along with the same information with respect to any controlling entity or network. In such cases, OIG also requests a diagram or description describing the pertinent relationships. The name and address of the provider’s designated representative for purposes of the voluntary disclosure should also be included.
  2. Whether or not the provider is currently under investigation by any governmental agency or contractor, or whether it is under investigation for other matters relating to the Programs. If so, the provider must identify the government entity or individual representatives involved.
  3. A full description of the nature of the matter being disclosed, including the type of claim, transaction or other conduct giving rise to the matter as well as the names of entities and individuals believed to be implicated, an explanation of their roles and the relevant time periods involved.
  4. The type of health care provider implicated, any provider billing numbers associated with the matter disclosed and the Programs affected, including government contractors and other third party payers.
  5. The reason why the disclosing provider believes that a violation of federal criminal, civil or administrative law may have occurred.
  6. A certification by the health care provider or its authorized representative that submission contains truthful information and is based on a good-faith effort to bring the matter to the government’s attention for the purpose of resolving any potential liabilities to the government.

Internal Investigation Guidelines

A provider following the Protocol must conduct an internal investigation and report its findings to the OIG upon completion. The provider can conduct this internal investigation either before or after its initial disclosure to the OIG. The OIG has stated that it will forego its investigation into the matter for a reasonable period of time, as long as the provider agrees to conduct its review in accordance with Protocol’s internal investigation guidelines. Under these guidelines, the provider must indicate the following:

Nature and Extent of the Improper or Illegal Practice

  • Identification of the potential causes of the incident or practice;
  • Description of the incident or practice in detail, including how the incident or practice arose and continued;
  • Identification of the division, department, branches or related entities involved;
  • Identification of the impact on, and risks to, health, safety or quality of care posed by the matter disclosed, with sufficient information to allow the OIG to assess the immediacy of the impact and risks, the steps that should be taken to address them as well as the measures taken by the disclosing provider;
  • Delineation of the time period involved;
  • Identification of the corporate officials, employees or agents who knew of, encouraged, or participated in the incident or practice and any individuals who may have been involved in detecting the matter;
  • Identification of the corporate officials, employees or agents who should have known of, but failed to detect, the incident or practice based on their job responsibilities; and 
  • Estimate of the monetary impact of the incident or practice upon the Programs, pursuant to the Self-Assessment Guidelines (further described below).

Discovery and Response to the Matter

The provider’s written report of its internal investigation should also describe how the disclosed matter was discovered and the measures the provider has taken since discovery to address the problem and prevent future abuses. Specifically, the provider’s report should indicate the following:

  • How the incident or practice was identified, and the origin of the information that led to its discovery;
  • The provider’s efforts to investigate and document the incident or practice;
  • A detailed chronology of investigative steps taken in connection with the provider’s internal inquiry into the disclosed matter, including the following:
  1. Identification of all individuals interviewed, including their business addresses, telephone numbers, positions and titles during the relevant time period, the dates of the interviews, the subject matter of each of the interviews, verification that the interviewee was advised that the information would be provided to the OIG, and a list of the individuals who refused to be interviewed or otherwise participate.
  2. A description of files, documents and records with sufficient specificity to allow retrieval if necessary.
  3. A summary of auditing activity undertaken in connection with the investigation and a summary of the documents relied upon in support of the estimation of losses.
  • The actions by the provider to stop the inappropriate conduct;
  • Any related health care businesses affected by the inappropriate conduct in which the provider is involved, all efforts by the health care provider to prevent a recurrence of the incident or practice in the affected division as well as in any related health care entities;
  • Any disciplinary action taken against corporate officials, employees and agents as a result of the disclosed matter; and
  • Appropriate notices, if applicable, provided to other governmental agencies.

Certification

The provider must also certify that its internal investigation report contains truthful information and is based on a good faith effort to assist the OIG in its inquiry and verification of the disclosed matter.

Self-Assessment Guidelines

Under the Protocol, the provider must also estimate the financial impact of its non-compliant activities on the Programs by conducting a financial self-assessment and incorporating its results into a written report. The provider can perform this financial self-assessment either concurrently with its internal investigation or after it establishes the scope of the non-compliance. The OIG strongly recommends that this self-assessment contain the following:

Approach

The provider’s financial self-assessment should consist of a review of either all claims affected by the disclosed matter for the relevant period, or of a statistically valid sample. The provider should make the determination based on the size of the population it believes to be implicated, the variance of characteristics to be reviewed, the cost of the self-assessment, the available resources and the estimated duration of review. In its self-assessment, the provider should indicate which approach it chose and provide a work plan describing the self-assessment process.

Basic Information

The Protocol recommends that the provider’s self-assessment work plan include the following basic information:

  • A statement that clearly articulates the objective of the review;
  • Identification of the population (or group about which the information is needed) to be reviewed and an explanation of the methodology used to develop this population;
  • A full description of the source of information upon which the review will be based, including the legal standards applied and any documents relied upon; and 
  • The names, titles and qualifications of those individuals involved in any aspect of the self-assessment.

Sample Elements

The Protocol devotes a significant amount of time describing the elements that should be included in a self-assessment work plan if the provider determines that the financial review will be based on a sample. The elements that must be included in a work plan using samples are as follows:

  • Sampling Unit
  • Sampling Frame
  • Sample Size
  • Random Numbers
  • Sample Design
  • Estimate of Review Time per Sample Item
  • Characteristics Measure by Sample
  • Missing Sample Items
  • Other Evidence
  • Estimation Methodology
  • Reporting Results

OIG Review

The OIG will review the provider’s work plan and can elect to carry out any of the activities listed therein, at any stage, to verify that the self-assessment process is undertaken correctly as well as to validate the results. The OIG is not obligated to accept the results of a provider’s self-assessment, however, it will give substantial weight to the results obtained by following the Protocol in determining any Program overpayments. The OIG also states that it will use the provider’s self-assessment report in preparing a recommendation to the Department of Justice (DOJ) for resolution of the provider’s False Claims Act or other liability.

Certification

As with the internal investigation, the provider must submit a certification stating that the self-assessment report contains truthful information and is based on a good faith effort to assist the OIG with its inquiry and verification of the disclosed matter.

OIG Verification

Upon receipt, the OIG will verify the information contained in the provider’s voluntary disclosure report. To facilitate this process, the OIG requires access to all of the provider’s audit work papers and other supporting documents. While the Protocol states that the OIG will not request information subject to any privilege (e.g., attorneyclient), it does reserve the right to request such work product if the OIG believes it is “critical to resolving the disclosure.”

The OIG also emphasizes that the extent of its verification effort will largely depend on the quality and thoroughness of the reports submitted by the provider. It is important to note that the Protocol clearly states that any matters uncovered during this verification process which are outside the scope of the matter disclosed may be treated as “new matters” outside the Protocol and investigated accordingly.

Payment

The OIG will not accept any estimated overpayments from the provider until the OIG has verified the information submitted and it has completed its inquiry. The OIG does, however, encourage the provider to place the estimated overpayment amounts in an interestbearing escrow account. This ensures the availability of such amounts and minimizes any further loss to the Programs. The Protocol also states that while the matter is under OIG inquiry, the provider must refrain from making payments related to the disclosed matter to the affected Programs without the OIG’s prior consent.

If the OIG does consent, the provider will be required to agree in writing that the Programs’ acceptance of this payment does not constitute the government’s agreement as to the amount of loss or affect the government’s ability to pursue criminal or civil remedies or seek additional penalties for the matter disclosed.

Provider Cooperation

The Protocol stresses that the provider’s diligent and good-faith cooperation throughout the entire process is essential. A provider’s failure to work in good faith will be considered an aggravating factor when the OIG assesses the appropriate resolution of the matter. Similarly, any intentional submission of false or other-wise untruthful information or the intentional omission of any relevant information will be referred to the DOJ and could result in criminal penalties as well as exclusion from the Programs.

Conclusion

Through the release of the Provider Self-Disclosure Protocol, the OIG is attempting to provide health care providers with guidance and a clear format in which they can voluntarily disclose non-compliance matters to the OIG. A provider’s decision to follow the Protocol should be made on a case-by-case basis in consultation with legal counsel to determine whether such disclosure is appropriate.

von Briesen Legal Update is a periodic publication of von Briesen & Roper, s.c. It is intended for general information purposes for the community and highlights recent changes and developments in the legal area. This publication does not constitute legal advice, and the reader should consult legal counsel to determine how this information applies to any specific situation.

provider self-disclosure protocol