[Federal Register Volume 63, Number 210 (Friday, October 30, 1998)]
[Notices]
[Pages 58399-58403]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-29064]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

Publication of the OIG's Provider Self-Disclosure Protocol

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice sets forth the OIG's recently-issued Provider Self-Disclosure Protocol. This Self-Disclosure Protocol offers health care providers specific steps, including a detailed audit methodology, that may be undertaken if they wish to work openly and cooperatively with the OIG to efficiently quantify a particular problem and, ultimately, promote a higher level of ethical and lawful conduct throughout the health care industry.

FOR FURTHER INFORMATION CONTACT: Ted Acosta, Office of Counsel to the Inspector General, (202) 619-2078.

SUPPLEMENTARY INFORMATION: The OIG has long stressed the role of the health care industry in combating health care fraud, and believes that health care providers can play a cooperative role in identifying and voluntarily disclosing program abuses. The OIG's use of voluntary self-disclosure programs, for example, is premised on a belief that health care providers must be willing to police themselves, correct underlying problems and work with the Government to resolve these matters.

Based on insights gained from a pilot program undertaken as part of Operation Restore Trust, discussions with the provider community and the growing need for an effective disclosure mechanism, the OIG has now developed a more open-ended process, or protocol, for making a disclosure and allowing a health care provider to cooperatively work with the OIG.
Unlike the previous voluntary disclosure pilot programs, this self-disclosure protocol gives detailed guidance to the provider on what information is appropriate to include as part of an investigative report and how to conduct an audit of the matter, while setting no limitations on the conditions under which a health care provider may disclose information to the OIG.

A reprint of the OIG's Provider Self-Disclosure Protocol follows.

Provider Self-disclosure Protocol

I. Introduction

The Office of Inspector General (OIG) of the United States Department of [[Page 58400]] Health and Human Services (HHS) relies heavily upon the health care industry to help identify and resolve matters that adversely affect the Federal health care programs (as defined in 42 U.S.C. 1320a-7b(f)). The OIG believes that, as participants in the Federal health care programs, health care providers have an ethical and legal duty to ensure the integrity of their dealings with these programs. This duty includes an obligation to take measures, such as instituting a compliance program, to detect and prevent fraudulent, abusive and wasteful activities. It also encompasses the need to implement specific procedures and mechanisms to examine and resolve instances of non-compliance with program requirements. Whether as a result of voluntary self-assessment or in response to external forces, health care providers must be prepared to investigate such instances, assess the potential losses suffered by the Federal health care programs, and make full disclosure to the appropriate authorities. To encourage providers to make voluntary disclosures, the OIG issues this Provider Self-Disclosure Protocol (Protocol).

The concept of voluntary self-disclosure is not new to the OIG. For many years, the OIG has worked informally with providers and suppliers that came forward to cooperate with OIG to resolve billing, marketing or quality of care problems.
In 1995, as part of the Operation Restore Trust (ORT) initiative, HHS and the Department of Justice (DOJ) announced a pilot voluntary disclosure program, which embraced OIG's longstanding policy favoring voluntary self-disclosure. The demonstration program was developed in coordination with representatives of the OIG, DOJ, various United States Attorneys' Offices, the Federal Bureau of Investigation and the Health Care Financing Administration (HCFA). The pilot program was limited to five States (New York, Florida, Illinois, Texas and California) and four different types of providers (home health agencies, skilled nursing facilities, durable medical equipment suppliers, and hospice providers). It gave those qualifying entities a formal mechanism for disclosing and seeking the resolution of matters relating to the Medicare and Medicaid programs.

In 1997, the pilot voluntary disclosure program was concluded. While there was limited participation in the pilot, the OIG gained valuable insight into the variables influencing the decision to make a disclosure to the Government. The OIG believes it must continue encouraging the health care industry to conduct voluntary self-evaluations and providing viable opportunities for self-disclosure. By establishing this Protocol, the OIG renews its commitment to promote an environment of openness and cooperation.

The Protocol has no rigid requirements or limitations. Rather, it provides the OIG's views on what are the appropriate elements of an effective investigative and audit working plan to address instances of non-compliance. Providers that follow the Protocol expedite the OIG's verification process and thus diminish the time it takes before the matter can be formally resolved. Failure to conform to each element of the Protocol is not necessarily fatal to the provider's disclosure, but will likely delay the resolution of the matter.
The OIG's principal purpose in producing the Protocol is to provide guidance to health care providers that decide voluntarily to disclose irregularities in their dealings with the Federal health care programs. Because a provider's disclosure can involve anything from a simple error to outright fraud, the OIG cannot reasonably make firm commitments as to how a particular disclosure will be resolved or the specific benefit that will enure to the disclosing entity. In our experience, however, opening lines of communication with, and making full disclosure to, the investigative agency at an early stage generally benefits the individual or company. In short, the Protocol can help a health care provider initiate with the OIG a dialogue directed at resolving its potential liabilities.

The decision to follow the OIG's suggested Protocol rests exclusively with the provider. While the OIG can offer only limited guidance on what is inherently a case-specific judgement, there are several considerations that should influence the decision. First, a provider that uncovers an ongoing fraud scheme within its organization immediately should contact the OIG, but should not follow the Protocol's suggested steps to investigate or quantify the scope of the problem. If the provider follows the Protocol in this type of situation without prior consultation with the OIG, there is a substantial risk that the Government's subsequent investigation will be compromised. Second, the OIG anticipates that a provider will apply the Protocol's suggested steps only after an initial assessment substantiates there is a problem with non-compliance with program requirements. The initial identification of potential risk areas should be less intensive and need not conform to the Protocol's suggested procedures.
Similarly, when the OIG conducts a national review of a particular billing practice, providers should consider the option of conducting a limited assessment of the practice under OIG review, rather than incur the expense of a comprehensive audit. In such cases, an audit that conforms to the Protocol's guidelines may be appropriate only in instances where a preliminary assessment suggests the provider has in fact engaged in the practices under OIG scrutiny.

II. The Provider Self-Disclosure Protocol

Unlike the earlier pilot program, there are no pre-disclosure requirements, applications for admission or preliminary qualifying characteristics that must be met. The Provider Self-Disclosure Protocol is open to all health care providers, whether individuals or entities, and is not limited to any particular industry, medical specialty or type of service. While no written agreement setting out the terms of the self-assessment will be required, the OIG expects the commitment of the health care provider to disclose specific information and engage in specific self-evaluative steps relating to the disclosed matter.

In contrast to the pilot disclosure program, the fact that a disclosing health care provider is already subject to Government inquiry (including investigations, audits or routine oversight activities) will not automatically preclude a disclosure. The disclosure, however, must be made in good faith. The OIG will not continue to work with a provider that attempts to circumvent an ongoing inquiry or fails to fully cooperate in the self-disclosure process. In short, the OIG will continue its practice of working with providers that are the subject of an investigation or audit, provided that the collaboration does not interfere with the efficient and effective resolution of the inquiry.
The Provider Self-Disclosure Protocol is intended to facilitate the resolution of only matters that, in the provider's reasonable assessment, are potentially violative of Federal criminal, civil or administrative laws. Matters exclusively involving overpayments or errors that do not suggest that violations of law have occurred should be brought directly to the attention of the entity (e.g., a contractor such as a carrier or an intermediary) that processes claims and issues payment on behalf of the Government agency responsible for the particular Federal health care program (e.g., HCFA for matters involving Medicare). The program contractors are responsible for processing the refund and will review the circumstances surrounding the initial overpayment. If [[Page 58401]] the contractor concludes that the overpayment raises concerns about the integrity of the provider, the matter may be referred to the OIG. Accordingly, the provider's initial decision of where to refer a matter involving non-compliance with program requirements should be made carefully.

The OIG is not bound by any findings made by the disclosing provider under the Provider Self-Disclosure Protocol and is not obligated to resolve the matter in any particular manner. Nevertheless, the OIG will work closely with providers that structure their disclosures in accordance with the Provider Self-Disclosure Protocol in an effort to coordinate any investigatory steps or other activities necessary to reach an effective and prompt resolution.

It is important to note that, upon review of the provider's disclosure submission and/or reports, the OIG may conclude that the disclosed matter warrants a referral to DOJ for consideration under its civil and/or criminal authorities. Alternatively, the provider may request the participation of a representative of DOJ or a local United States Attorney's Office in settlement discussions in order to resolve potential liability under the False Claims Act or other laws.
In either case, the OIG will report on the provider's involvement and level of cooperation throughout the disclosure process to any other Government agencies affected by the disclosed matter.

III. Voluntary Disclosure Submission

The disclosing provider will be expected to make a submission as follows.

A. Effective Disclosure

The disclosure must be made in writing and must be submitted to the Assistant Inspector General for Investigative Operations, Office of Inspector General, Department of Health and Human Services, 330 Independence Avenue, SW, Cohen Building, Room 5409, Washington, DC 20201. Submissions by telecopier, facsimile or other electronic media will not be accepted.

B. Basic Information

The submission should include the following--

1. The name, address, provider identification number(s) and tax identification number(s) of the disclosing health care provider. If the provider is an entity that is owned, controlled or is otherwise part of a system or network, include a description or diagram describing the pertinent relationships and the names and addresses of any related entities, as well as any affected corporate divisions, departments or branches. Additionally, provide the name and address of the disclosing entity's designated representative for purposes of the voluntary disclosure.

2. Indicate whether the provider has knowledge that the matter is under current inquiry by a Government agency or contractor. If the provider has knowledge of a pending inquiry, identify any such Government entity or individual representatives involved. The provider must also disclose whether it is under investigation or other inquiry for any other matters relating to a Federal health care program and provide similar information relating to those other matters.

3. A full description of the nature of the matter being disclosed, including the type of claim, transaction or other conduct giving rise to the matter, the names of entities and individuals believed to be implicated and an explanation of their roles in the matter, and the relevant periods involved.

4. The type of health care provider implicated and any provider billing numbers associated with the matter disclosed. Include the Federal health care programs affected, including Government contractors such as carriers, intermediaries and other third-party payers.

5. The reasons why the disclosing provider believes that a violation of Federal criminal, civil or administrative law may have occurred.

6. A certification by the health care provider or, in the case of an entity, an authorized representative on behalf of the disclosing entity stating that, to the best of the individual's knowledge, the submission contains truthful information and is based on a good faith effort to bring the matter to the Government's attention for the purpose of resolving any potential liabilities to the Government.

C. Substantive Information

As part of its participation in the disclosure process, the disclosing health care provider will be expected to conduct an internal investigation and a self-assessment, and then report its findings to the OIG. The internal review may occur after the initial disclosure of the matter. The OIG will generally agree, for a reasonable period of time, to forego an investigation of the matter if the provider agrees that it will conduct the review in accordance with the Internal Investigation Guidelines and the Self-Assessment Guidelines set forth below.

IV. Internal Investigation Guidelines

All disclosures to the OIG under the Provider Self-Disclosure Protocol should include a report based on an internal investigation conducted by the health care provider.
While a provider is free to discuss its preliminary findings with the OIG prior to completion of its investigation, the matter cannot be resolved until a comprehensive assessment has been completed pursuant to the following guidelines:

A. Nature and Extent of the Improper or Illegal Practice

A voluntary disclosure report should demonstrate that a full examination of the practice has been conducted. The report should contain a written narrative that--

1. Identifies the potential causes of the incident or practice (e.g., intentional conduct, lack of internal controls, circumvention of corporate procedures or Government regulations);

2. Describes the incident or practice in detail, including how the incident or practice arose and continued;

3. Identifies the division, departments, branches or related entities involved and/or affected;

4. Identifies the impact on, and risks to, health, safety, or quality of care posed by the matter disclosed, with sufficient information to allow the OIG to assess the immediacy of the impact and risks, the steps that should be taken to address them, as well as the measures taken by the disclosing entity;

5. Delineates the period during which the incident or practice occurred;

6. Identifies the corporate officials, employees or agents who knew of, encouraged, or participated in, the incident or practice and any individuals who may have been involved in detecting the matter;

7. Identifies the corporate officials, employees or agents who should have known of, but failed to detect, the incident or practice based on their job responsibilities; and

8. Estimates the monetary impact of the incident or practice upon the Federal health care programs, pursuant to the Self-Assessment Guidelines below.

B. Discovery and Response to the Matter

The internal investigation report should relate the circumstances under which the disclosed matter was discovered and fully document the measures taken upon discovery to address the problem and prevent future abuses. In this regard, the report should-- [[Page 58402]]

1. Describe how the incident or practice was identified, and the origin of the information that led to its discovery.

2. Describe the entity's efforts to investigate and document the incident or practice (e.g., use of internal or external legal, audit or consultative resources).

3. Describe in detail the chronology of the investigative steps taken in connection with the entity's internal inquiry into the disclosed matter including the following--

(a) A list of all individuals interviewed, including each individual's business address and telephone number, and their positions and titles in the relevant entities during both the relevant period and at the time the disclosure is being made. For all individuals interviewed, provide the dates of those interviews and the subject matter of each interview, as well as summaries of the interview. The health care provider will be responsible for advising the individual to be interviewed that the information the individual provides may, in turn, be provided to the OIG. Additionally, include a list of those individuals who refused to be interviewed and provide the reasons cited;

(b) A description of files, documents, and records reviewed with sufficient particularity to allow their retrieval, if necessary; and

(c) A summary of auditing activity undertaken and a summary of the documents relied upon in support of the estimation of losses. These documents and information must accompany the report, unless the calculation of losses is undertaken pursuant to the Self-Assessment Guidelines, which contain specific reporting requirements.

4. Describe the actions by the health care provider to stop the inappropriate conduct.

5. Describe any related health care businesses affected by the inappropriate conduct in which the health care provider is involved, all efforts by the health care provider to prevent a recurrence of the incident or practice in the affected division as well as in any related health care entities (e.g., new accounting or internal control procedures, increased internal audit efforts, increased supervision by higher management or through training).

6. Describe any disciplinary action taken against corporate officials, employees and agents as a result of the disclosed matter.

7. Describe appropriate notices, if applicable, provided to other Government agencies, (e.g., Securities and Exchange Commission and Internal Revenue Service) in connection with the disclosed matter.

C. The internal investigation report must include a certification by the health care provider, or in the case of an entity an authorized representative on behalf of the disclosing health care provider, indicating that, to the best of the individual's knowledge, the internal investigation report contains truthful information and is based on a good faith effort to assist the OIG in its inquiry and verification of the disclosed matter.

V. Self-Assessment Guidelines

To estimate the monetary impact of the disclosed matter, the health care provider also should conduct an internal financial assessment and prepare a report of its findings. This self-assessment may be performed at the same time as the internal investigation, or commenced after the scope of the non-compliance with program requirements has been established. In either case, the OIG will verify a provider's calculation of Federal health care program losses and it is strongly recommended that, at a minimum, the review conform to the following guidelines.

A. Approach

The self-assessment should consist of a review of either--(1) all of the claims affected by the disclosed matter for the relevant period; or (2) a statistically valid sample of the claims that can be projected to the population of claims affected by the matter for the relevant period. This determination should be based on the size of the population believed to be implicated, the variance of characteristics to be reviewed, the cost of the self-assessment, the available resources, the estimated duration of the review, and other factors as appropriate.

B. Basic Information

Regardless of which of these two approaches is used, the disclosing provider should submit to the OIG a work plan describing the self-assessment process. The OIG will review the proposal and, where appropriate, provide comments on the plan in a timely manner. At its option, the OIG may choose to carry out any necessary activities at any stage of the review to verify that the process is undertaken correctly and to validate the review findings. While the OIG is not obligated to accept the results of a provider's self-assessment, findings based upon procedures which conform to the Protocol will be given substantial weight in determining any program overpayments. In addition, the OIG will use the validated provider self-assessment report in preparing a recommendation to DOJ for resolution of the provider's False Claims Act or other liability. Among the issues that should be addressed in the plan are the following--

1. Review Objective--There should be a statement clearly articulating the objective of the review and the review procedure or combination of procedures applied to achieve the objective.

2. Review Population--The plan should identify the population, which is the group about which information is needed. In addition, there should be an explanation of the methodology used to develop the population and the basis for this determination.

3. Sources of Data--The plan should provide a full description of the source of the information upon which the review will be based, including the legal or other standards to be applied, the sources of payment data and the documents that will be relied upon (e.g., employment contracts, rental agreements, etc.).

4. Personnel Qualifications--The plan should identify the names and titles of those individuals involved in any aspect of the self-assessment, including statisticians, accountants, auditors, consultants and medical reviewers, and describe their qualifications.

C. Sample Elements

If the provider, in consultation with the OIG, determines that the financial review will be based upon a sample, the work plan should also include the sampling plan as follows--

1. Sampling Unit--The plan should define the sampling unit, which is any of the designated elements that comprise the population of interest.

2. Sampling Frame--The plan should identify the sampling frame, which is the totality of the sampling units from which the sample will be selected. In addition, the plan should document how the audit population differs from the sampling frame and what effect this difference has on conclusions reached as a result of the audit.

3. Sample Size--The size of the sample must be determined through the use of a probe sample. Accordingly, the plan should include a description of both the probe sample and the full sample. At a minimum, the full sample must be designed to generate an estimate with a ninety (90) percent level of confidence and a precision of twenty-five (25) percent. The probe sample must contain at least thirty (30) sample units and cannot be used as part of the full sample.

4. Random Numbers--Both the probe sample and the sample must be selected through random numbers. The source of [[Page 58403]] the random numbers used must be shown in the sampling plans.
The OIG strongly recommends the use of its Office of Audit Services' Statistical Sampling Software, also known as "RAT-STATS," which is currently available free of charge through the "internet" at "www.hhs.gov/progorg/oas/ratstat.html".

5. Sample Design--Unless the disclosing provider demonstrates the need to use a different sample design, the self-assessment should use simple random sampling. If necessitated, the provider may use stratified or multistage sampling. Details about the strata, stages and clusters should be included in the description of the audit plan.

6. Estimate of Review Time per Sample Item--The plan should estimate the time expended to locate the sample items and the staff hours expended to review a sample item.

7. Characteristics Measured by the Sample--The sampling plan should identify the characteristics used for testing each sample item. For example, in a sample drawn to estimate the value of overpayments due to duplicate payments, the characteristics under consideration are the conditions that must exist for a sample item to be a duplicate. The amount of the duplicate payment is the measurement of the overpayment. The sampling plan must also contain the decision rules for determining whether a sample item entirely meets the criterion for having characteristics or only partially meets the criterion.

8. Missing Sample Items--The sampling plan must include a discussion of how missing sample items were handled and the rationale.

9. Other Evidence--Although sample results should stand on their own in terms of validity, sample results may be combined with other evidence in arriving at specific conclusions. If appropriate, indicate what other substantiating or corroborating evidence was developed.

10. Estimation Methodology--Because the general purpose of the review is to estimate the monetary losses to the Federal health care programs, the methodology to be used must be variables sampling using the difference estimator.
To estimate the amount implicated in the disclosed matter, the provider must use the mean point estimate. The statistical estimates must be reported using a ninety (90) percent confidence level. The use of RAT-STATS to calculate the estimates is strongly recommended.

11. Reporting Results--The sampling plan should indicate how the results will be reported at the conclusion of the review. In preparing the report, enough details must be provided to clearly indicate what estimates are reported.

D. Certification

Upon completion of the self-assessment, the disclosing health care provider, or in the case of an entity its authorized representative, must submit to the OIG a certification stating that, to the best of the individual's knowledge, the report contains truthful information and is based on a good faith effort to assist OIG in its inquiry and verification of the disclosed matter.

VI. OIG's Verification

Upon receipt of a health care provider's disclosure submission, the OIG will begin its verification of the disclosure information. The extent of the OIG's verification effort will depend, in large part, upon the quality and thoroughness of the internal investigative and self-assessment reports. Matters uncovered during the verification process, which are outside of the scope of the matter disclosed to the OIG, may be treated as new matters outside the Provider Self-Disclosure Protocol.

To facilitate the OIG's verification and validation processes, the OIG must have access to all audit work papers and other supporting documents without the assertion of privileges or limitations on the information produced. In the normal course of verification, the OIG will not request production of written communications subject to the attorney-client privilege. There may be documents or other materials, however, that may be covered by the work product doctrine, but which the OIG believes are critical to resolving the disclosure.
The OIG is prepared to discuss with provider's counsel ways to gain access to the underlying information without the need to waive the protections provided by an appropriately asserted claim of privilege.

VII. Payments

Because of the need to verify the information provided by a disclosing health provider, the OIG will not accept payments of presumed overpayments determined by the health care provider prior to the completion of the OIG's inquiry. However, the provider is encouraged to place the overpayment amount in an interest-bearing escrow account to minimize further losses. While the matter is under OIG inquiry, the disclosing provider must refrain from making payment relating to the disclosed matter to the Federal health care programs or their contractors without the OIG's prior consent. If the OIG consents, the disclosing provider will be required to agree in writing that the acceptance of the payment does not constitute the Government's agreement as to the amount of losses suffered by the programs as a result of the disclosed matter, and does not affect in any manner the Government's ability to pursue criminal, civil or administrative remedies or to obtain additional fines, damages or penalties for the matters disclosed.

VIII. Cooperation and Removal from the Provider Self-Disclosure Protocol

The disclosing entity's diligent and good faith cooperation throughout the entire process is essential. Accordingly, the OIG expects to receive documents and information from the entity that relate to the disclosed matter without the need to resort to compulsory methods. If a provider fails to work in good faith with the OIG to resolve the disclosed matter, that lack of cooperation will be considered an aggravating factor when the OIG assesses the appropriate resolution of the matter.
Similarly, the intentional submission of false or otherwise untruthful information, as well as the intentional omission of relevant information, will be referred to DOJ or other Federal agencies and could, in itself, result in criminal and/or civil sanctions, as well as exclusion from participation in the Federal health care programs.

Dated: October 21, 1998.
June Gibbs Brown,
Inspector General.
[FR Doc. 98-29064 Filed 10-29-98; 8:45 am]
BILLING CODE 4150-04-P
Legal Citation
Federal Register Citation
Use this for formal legal and research references to the published document.
63 FR 58399
Web Citation
Suggested Web Citation
Use this when citing the archival web version of the document.
“Publication of the OIG's Provider Self-Disclosure Protocol,” thefederalregister.org (October 30, 1998), https://thefederalregister.org/documents/98-29064/publication-of-the-oig-s-provider-self-disclosure-protocol.