Publications

The Office of Inspector General (OIG) of the United States Department of Health and Human Services (DHHS) recently issued the Provider Self-Disclosure Protocol (the Protocol) for health care providers involved with federal health care programs, including Medicare and Medicaid. The Protocol offers providers specific steps and audit procedures to facilitate working with the OIG to quantify and resolve possible program abuses. The Protocol follows a two-year pilot self-disclosure program run under DHHS’ Operation Restore Trust anti-fraud initiative. The Protocol, unlike its predecessor pilot, is not restricted to specific provider types or specific states, and lacks pre-disclosure requirements or qualifications. 

 

The goal of the Protocol is to promote self-assessment and cooperation in the identification and resolution of program abuses, not matters exclusively involving overpayments or errors that are not suggestive of violations of law. The Protocol gives specific guidance in the areas of internal investigation, auditing, and disclosure reporting requirements to facilitate a dialog with the OIG. Following all of the Protocol’s steps and procedures is not required. However, failure to follow the Protocol’s steps may delay resolution of the matter.

In issuing the Protocol, OIG continues to stress the importance of internal compliance programs and audits, stating that health care providers’ legal and ethical duty “includes an obligation to take measures, such as instituting a compliance program, to detect and prevent fraudulent, abusive, and wasteful activities.” The OIG therefore anticipates that a provider will apply the Protocol’s suggested steps only after an initial assessment by the provider substantiates that there is a non-compliance problem with program requirements. The Protocol is not to be used, however, if a provider uncovers an ongoing fraud within its organization, which OIG suggests be disclosed immediately rather than following the Protocol’s suggested steps.

The Protocol requires that a voluntary disclosure submission be provided in writing. An initial disclosure should include basic information about the provider, its corporate relationships, type, provider numbers, and the names, positions, and roles of individuals implicated in the matter. A description of the matter being disclosed and the reason the provider believes it violates the law is also required.

A substantive disclosure following a provider’s internal investigation is also required. The internal investigation may occur after the initial disclosure of the matter. The OIG will likely agree to forgo its own investigation of the matter for a reasonable time to allow the provider to conduct its investigation, conditioned on the provider agreeing to follow the Protocol’s Internal Investigation Guidelines and Self-Assessment Guidelines.

The Internal Investigation Guidelines describe the substantive information to be reported to the OIG. This information describes both the nature and extent of the improper or illegal practice and the provider’s discovery and response to the matter. A detailed description of the matter, how it arose and continued, identification of the divisions or departments involved or affected, the time period over which the matter occurred, identification of corporate officials, employees, or agents who knew of, encouraged or participated in the incident or practice and those who should have known of, but failed to detect the matter are described in the Protocol. An estimate of the monetary impact of the incident or practice should also be included, calculated pursuant to the Protocol’s detailed Self-Assessment Guidelines. Other suggested information includes a detailed description of the circumstances under which the disclosed matter was discovered and documented, the measures taken upon its discovery, and steps taken to address the problem and prevent future abuses.

Once the OIG has received a provider’s self-disclosure submission, it will begin its own verification of the information. The quality and thoroughness of the disclosure will dictate the extent of the verification process. The OIG requires, as part of its verification, access to all audit work papers and other supporting documents. While OIG with not request access to written attorney-client communications, it may require access to information that is otherwise privileged under the work product doctrine but which OIG believes is critical to resolving the matter.

Voluntary disclosure of potentially fraudulent or abusive practices to the OIG can significantly reduce a provider’s potential liability and penalties. Cooperation with the OIG can result in lessening the amount or imposition of permissive sanctions or exclusions. The Protocol provides a detailed roadmap for opening a dialog with the OIG in such matters. However, because of the high stakes involved in any such disclosure, and because of the potential waiver of certain attorney-client protections during the process of disclosures, any such disclosures should be pursued through and with the assistance of legal counsel.