[Federal Register Volume 63, Number 210 (Friday, October 30, 1998)]
[Notices]
[Pages 58399-58403]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-29064]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of Inspector General
Publication of the OIG's Provider Self-Disclosure Protocol
AGENCY: Office of Inspector General (OIG), HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This Federal Register notice sets forth the OIG's recently-
issued Provider Self-Disclosure Protocol. This Self-Disclosure Protocol
offers health care providers specific steps, including a detailed audit
methodology, that may be undertaken if they wish to work openly and
cooperatively with the OIG to efficiently quantify a particular problem
and, ultimately, promote a higher level of ethical and lawful conduct
throughout the health care industry.
FOR FURTHER INFORMATION CONTACT: Ted Acosta, Office of Counsel to the
Inspector General, (202) 619-2078.
SUPPLEMENTARY INFORMATION: The OIG has long stressed the role of the
health care industry in combating health care fraud, and believes that
health care providers can play a cooperative role in identifying and
voluntarily disclosing program abuses. The OIG's use of voluntary self-
disclosure programs, for example, is premised on a belief that health
care providers must be willing to police themselves, correct underlying
problems and work with the Government to resolve these matters. Based
on insights gained from a pilot program undertaken as part of Operation
Restore Trust, discussions with the provider community and the growing
need for an effective disclosure mechanism, the OIG has now developed a
more open-ended process, or protocol, for making a disclosure and
allowing a health care provider to cooperative work with the OIG.
Unlike the previous voluntary disclosure pilot programs, this self-
disclosure protocol gives detailed guidance to the provider on what
information is appropriate to include as part of an investigative
report and how to conduct an audit of the matter, while setting no
limitations on the conditions under which a health care provider may
disclose information to the OIG.
A reprint of the OIG's Provider Self-Disclosure Protocol follows.
Provider Self-disclosure Protocol
I. Introduction
The Office of Inspector General (OIG) of the United States
Department of
[[Page 58400]]
Health and Human Services (HHS) relies heavily upon the health care
industry to help identify and resolve matters that adversely affect the
Federal health care programs (as defined in 42 U.S.C. 1320a-7b(f)). The
OIG believes that, as participants in the Federal health care programs,
health care providers have an ethical and legal duty to ensure the
integrity of their dealings with these programs. This duty includes an
obligation to take measures, such as instituting a compliance program,
to detect and prevent fraudulent, abusive and wasteful activities. It
also encompasses the need to implement specific procedures and
mechanisms to examine and resolve instances of non-compliance with
program requirements. Whether as a result of voluntary self-assessment
or in response to external forces, health care providers must be
prepared to investigate such instances, assess the potential losses
suffered by the Federal health care programs, and make full disclosure
to the appropriate authorities. To encourage providers to make
voluntary disclosures, the OIG issues this Provider Self-Disclosure
Protocol (Protocol).
The concept of voluntary self-disclosure is not new to the OIG. For
many years, the OIG has worked informally with providers and suppliers
that came forward to cooperate with OIG to resolve billing, marketing
or quality of care problems. In 1995, as part of the Operation Restore
Trust (ORT) initiative, HHS and the Department of Justice (DOJ)
announced a pilot voluntary disclosure program, which embraced OIG's
longstanding policy favoring voluntary self-disclosure. The
demonstration program was developed in coordination with
representatives of the OIG, DOJ, various United States Attorneys'
Offices, the Federal Bureau of Investigation and the Health Care
Financing Administration (HCFA). The pilot program was limited to five
States (New York, Florida, Illinois, Texas and California) and four
different types of providers (home health agencies, skilled nursing
facilities, durable medical equipment suppliers, and hospice
providers). It gave those qualifying entities a formal mechanism for
disclosing and seeking the resolution of matters relating to the
Medicare and Medicaid programs. In 1997, the pilot voluntary disclosure
program was concluded. While there was limited participation in the
pilot, the OIG gained valuable insight into the variables influencing
the decision to make a disclosure to the Government.
The OIG believes it must continue encouraging the health care
industry to conduct voluntary self-evaluations and providing viable
opportunities for self-disclosure. By establishing this Protocol, the
OIG renews its commitment to promote an environment of openness and
cooperation. The Protocol has no rigid requirements or limitations.
Rather, it provides the OIG's views on what are the appropriate
elements of an effective investigative and audit working plan to
address instances of non-compliance. Providers that follow the Protocol
expedite the OIG's verification process and thus diminish the time it
takes before the matter can be formally resolved. Failure to conform to
each element of the Protocol is not necessarily fatal to the provider's
disclosure, but will likely delay the resolution of the matter.
The OIG's principal purpose in producing the Protocol is to provide
guidance to health care providers that decide voluntarily to disclose
irregularities in their dealings with the Federal health care programs.
Because a provider's disclosure can involve anything from a simple
error to outright fraud, the OIG cannot reasonably make firm
commitments as to how a particular disclosure will be resolved or the
specific benefit that will enure to the disclosing entity. In our
experience, however, opening lines of communication with, and making
full disclosure to, the investigative agency at an early stage
generally benefits the individual or company. In short, the Protocol
can help a health care provider initiate with the OIG a dialogue
directed at resolving its potential liabilities.
The decision to follow the OIG's suggested Protocol rests
exclusively with the provider. While the OIG can offer only limited
guidance on what is inherently a case-specific judgement, there are
several considerations that should influence the decision. First, a
provider that uncovers an ongoing fraud scheme within its organization
immediately should contact the OIG, but should not follow the
Protocol's suggested steps to investigate or quantify the scope of the
problem. If the provider follows the Protocol in this type of situation
without prior consultation with the OIG, there is a substantial risk
that the Government's subsequent investigation will be compromised.
Second, the OIG anticipates that a provider will apply the
Protocol's suggested steps only after an initial assessment
substantiates there is a problem with non-compliance with program
requirements. The initial identification of potential risk areas should
be less intensive and need not conform to the Protocol's suggested
procedures. Similarly, when the OIG conducts a national review of a
particular billing practice, providers should consider the option of
conducting a limited assessment of the practice under OIG review,
rather than incur the expense of a comprehensive audit. In such cases,
an audit that conforms to the Protocol's guidelines may be appropriate
only in instances where a preliminary assessment suggests the provider
has in fact engaged in the practices under OIG scrutiny.
II. The Provider Self-Disclosure Protocol
Unlike the earlier pilot program, there are no pre-disclosure
requirements, applications for admission or preliminary qualifying
characteristics that must be met. The Provider Self-Disclosure Protocol
is open to all health care providers, whether individuals or entities,
and is not limited to any particular industry, medical specialty or
type of service. While no written agreement setting out the terms of
the self-assessment will be required, the OIG expects the commitment of
the health care provider to disclose specific information and engage in
specific self-evaluative steps relating to the disclosed matter. In
contrast to the pilot disclosure program, the fact that a disclosing
health care provider is already subject to Government inquiry
(including investigations, audits or routine oversight activities) will
not automatically preclude a disclosure. The disclosure, however, must
be made in good faith. The OIG will not continue to work with a
provider that attempts to circumvent an ongoing inquiry or fails to
fully cooperate in the self-disclosure process. In short, the OIG will
continue its practice of working with providers that are the subject of
an investigation or audit, provided that the collaboration does not
interfere with the efficient and effective resolution of the inquiry.
The Provider Self-Disclosure Protocol is intended to facilitate the
resolution of only matters that, in the provider's reasonable
assessment, are potentially violative of Federal criminal, civil or
administrative laws. Matters exclusively involving overpayments or
errors that do not suggest that violations of law have occurred should
be brought directly to the attention of the entity (e.g., a contractor
such as a carrier or an intermediary) that processes claims and issues
payment on behalf of the Government agency responsible for the
particular Federal health care program (e.g., HCFA for matters
involving Medicare). The program contractors are responsible for
processing the refund and will review the circumstances surrounding the
initial overpayment. If
[[Page 58401]]
the contractor concludes that the overpayment raises concerns about the
integrity of the provider, the matter may be referred to the OIG.
Accordingly, the provider's initial decision of where to refer a matter
involving non-compliance with program requirements should be made
carefully.
The OIG is not bound by any findings made by the disclosing
provider under the Provider Self-Disclosure Protocol and is not
obligated to resolve the matter in any particular manner. Nevertheless,
the OIG will work closely with providers that structure their
disclosures in accordance with the Provider Self-Disclosure Protocol in
an effort to coordinate any investigatory steps or other activities
necessary to reach an effective and prompt resolution. It is important
to note that, upon review of the provider's disclosure submission and/
or reports, the OIG may conclude that the disclosed matter warrants a
referral to DOJ for consideration under its civil and/or criminal
authorities. Alternatively, the provider may request the participation
of a representative of DOJ or a local United States Attorney's Office
in settlement discussions in order to resolve potential liability under
the False Claims Act or other laws. In either case, the OIG will report
on the provider's involvement and level of cooperation throughout the
disclosure process to any other Government agencies affected by the
disclosed matter.
III. Voluntary Disclosure Submission
The disclosing provider will be expected to make a submission as
follows.
A. Effective Disclosure
The disclosure must be made in writing and must be submitted to the
Assistant Inspector General for Investigative Operations, Office of
Inspector General, Department of Health and Human Services, 330
Independence Avenue, SW, Cohen Building, Room 5409, Washington, DC
20201. Submissions by telecopier, facsimile or other electronic media
will not be accepted.
B. Basic Information
The submission should include the following--
1. The name, address, provider identification number(s) and tax
identification number(s) of the disclosing health care provider. If the
provider is an entity that is owned, controlled or is otherwise part of
a system or network, include a description or diagram describing the
pertinent relationships and the names and addresses of any related
entities, as well as any affected corporate divisions, departments or
branches. Additionally, provide the name and address of the disclosing
entity's designated representative for purposes of the voluntary
disclosure.
2. Indicate whether the provider has knowledge that the matter is
under current inquiry by a Government agency or contractor. If the
provider has knowledge of a pending inquiry, identify any such
Government entity or individual representatives involved. The provider
must also disclose whether it is under investigation or other inquiry
for any other matters relating to a Federal health care program and
provide similar information relating to those other matters.
3. A full description of the nature of the matter being disclosed,
including the type of claim, transaction or other conduct giving rise
to the matter, the names of entities and individuals believed to be
implicated and an explanation of their roles in the matter, and the
relevant periods involved.
4. The type of health care provider implicated and any provider
billing numbers associated with the matter disclosed. Include the
Federal health care programs affected, including Government contractors
such as carriers, intermediaries and other third-party payers.
5. The reasons why the disclosing provider believes that a
violation of Federal criminal, civil or administrative law may have
occurred.
6. A certification by the health care provider or, in the case of
an entity, an authorized representative on behalf of the disclosing
entity stating that, to the best of the individual's knowledge, the
submission contains truthful information and is based on a good faith
effort to bring the matter to the Government's attention for the
purpose of resolving any potential liabilities to the Government.
C. Substantive Information
As part of its participation in the disclosure process, the
disclosing health care provider will be expected to conduct an internal
investigation and a self-assessment, and then report its findings to
the OIG. The internal review may occur after the initial disclosure of
the matter. The OIG will generally agree, for a reasonable period of
time, to forego an investigation of the matter if the provider agrees
that it will conduct the review in accordance with the Internal
Investigation Guidelines and the Self-Assessment Guidelines set forth
below.
IV. Internal Investigation Guidelines
All disclosures to the OIG under the Provider Self-Disclosure
Protocol should include a report based on an internal investigation
conducted by the health care provider. While a provider is free to
discuss its preliminary findings with the OIG prior to completion of
its investigation, the matter cannot be resolved until a comprehensive
assessment has been completed pursuant to the following guidelines:
A. Nature and Extent of the Improper or Illegal Practice
A voluntary disclosure report should demonstrate that a full
examination of the practice has been conducted. The report should
contain a written narrative that--
1. Identifies the potential causes of the incident or practice
(e.g., intentional conduct, lack of internal controls, circumvention of
corporate procedures or Government regulations);
2. Describes the incident or practice in detail, including how the
incident or practice arose and continued;
3. Identifies the division, departments, branches or related
entities involved and/or affected;
4. Identifies the impact on, and risks to, health, safety, or
quality of care posed by the matter disclosed, with sufficient
information to allow the OIG to assess the immediacy of the impact and
risks, the steps that should be taken to address them, as well as the
measures taken by the disclosing entity;
5. Delineates the period during which the incident or practice
occurred;
6. Identifies the corporate officials, employees or agents who knew
of, encouraged, or participated in, the incident or practice and any
individuals who may have been involved in detecting the matter;
7. Identifies the corporate officials, employees or agents who
should have known of, but failed to detect, the incident or practice
based on their job responsibilities; and
8. Estimates the monetary impact of the incident or practice upon
the Federal health care programs, pursuant to the Self-Assessment
Guidelines below.
B. Discovery and Response to the Matter
The internal investigation report should relate the circumstances
under which the disclosed matter was discovered and fully document the
measures taken upon discovery to address the problem and prevent future
abuses. In this regard, the report should--
[[Page 58402]]
1. Describe how the incident or practice was identified, and the
origin of the information that led to its discovery.
2. Describe the entity's efforts to investigate and document the
incident or practice (e.g., use of internal or external legal, audit or
consultative resources).
3. Describe in detail the chronology of the investigative steps
taken in connection with the entity's internal inquiry into the
disclosed matter including the following--
(a) A list of all individuals interviewed, including each
individual's business address and telephone number, and their positions
and titles in the relevant entities during both the relevant period and
at the time the disclosure is being made. For all individuals
interviewed, provide the dates of those interviews and the subject
matter of each interview, as well as summaries of the interview. The
health care provider will be responsible for advising the individual to
be interviewed that the information the individual provides may, in
turn, be provided to the OIG. Additionally, include a list of those
individuals who refused to be interviewed and provide the reasons
cited;
(b) A description of files, documents, and records reviewed with
sufficient particularity to allow their retrieval, if necessary; and
(c) A summary of auditing activity undertaken and a summary of the
documents relied upon in support of the estimation of losses. These
documents and information must accompany the report, unless the
calculation of losses is undertaken pursuant to the Self-Assessment
Guidelines, which contain specific reporting requirements.
4. Describe the actions by the health care provider to stop the
inappropriate conduct.
5. Describe any related health care businesses affected by the
inappropriate conduct in which the health care provider is involved,
all efforts by the health care provider to prevent a recurrence of the
incident or practice in the affected division as well as in any related
health care entities (e.g., new accounting or internal control
procedures, increased internal audit efforts, increased supervision by
higher management or through training).
6. Describe any disciplinary action taken against corporate
officials, employees and agents as a result of the disclosed matter.
7. Describe appropriate notices, if applicable, provided to other
Government agencies, (e.g., Securities and Exchange Commission and
Internal Revenue Service) in connection with the disclosed matter.
C. The internal investigation report must include a certification
by the health care provider, or in the case of an entity an authorized
representative on behalf of the disclosing health care provider,
indicating that, to the best of the individual's knowledge, the
internal investigation report contains truthful information and is
based on a good faith effort to assist the OIG in its inquiry and
verification of the disclosed matter.
V. Self-Assessment Guidelines
To estimate the monetary impact of the disclosed matter, the health
care provider also should conduct an internal financial assessment and
prepare a report of its findings. This self-assessment may be performed
at the same time as the internal investigation, or commenced after the
scope of the non-compliance with program requirements has been
established. In either case, the OIG will verify a provider's
calculation of Federal health care program losses and it is strongly
recommended that, at a minimum, the review conform to the following
guidelines.
A. Approach
The self-assessment should consist of a review of either--(1) all
of the claims affected by the disclosed matter for the relevant period;
or (2) a statistically valid sample of the claims that can be projected
to the population of claims affected by the matter for the relevant
period. This determination should be based on the size of the
population believed to be implicated, the variance of characteristics
to be reviewed, the cost of the self-assessment, the available
resources, the estimated duration of the review, and other factors as
appropriate.
B. Basic Information
Regardless of which of these two approaches is used, the disclosing
provider should submit to the OIG a work plan describing the self-
assessment process. The OIG will review the proposal and, where
appropriate, provide comments on the plan in a timely manner. At its
option, the OIG may choose to carry out any necessary activities at any
stage of the review to verify that the process is undertaken correctly
and to validate the review findings. While the OIG is not obligated to
accept the results of a provider's self-assessment, findings based upon
procedures which conform to the Protocol will be given substantial
weight in determining any program overpayments. In addition, the OIG
will use the validated provider self-assessment report in preparing a
recommendation to DOJ for resolution of the provider's False Claims Act
or other liability. Among the issues that should be addressed in the
plan are the following--
1. Review Objective--There should be a statement clearly
articulating the objective of the review and the review procedure or
combination of procedures applied to achieve the objective.
2. Review Population--The plan should identify the population,
which is the group about which information is needed. In addition,
there should be an explanation of the methodology used to develop the
population and the basis for this determination.
3. Sources of Data--The plan should provide a full description of
the source of the information upon which the review will be based,
including the legal or other standards to be applied, the sources of
payment data and the documents that will be relied upon (e.g.,
employment contracts, rental agreements, etc.).
4. Personnel Qualifications--The plan should identify the names and
titles of those individuals involved in any aspect of the self-
assessment, including statisticians, accountants, auditors, consultants
and medical reviewers, and describe their qualifications.
C. Sample Elements
If the provider, in consultation with the OIG, determines that the
financial review will be based upon a sample, the work plan should also
include the sampling plan as follows--
1. Sampling Unit--The plan should define the sampling unit, which
is any of the designated elements that comprise the population of
interest.
2. Sampling Frame--The plan should identify the sampling frame,
which is the totality of the sampling units from which the sample will
be selected. In addition, the plan should document how the audit
population differs from the sampling frame and what effect this
difference has on conclusions reached as a result of the audit.
3. Sample Size--The size of the sample must be determined through
the use of a probe sample. Accordingly, the plan should include a
description of both the probe sample and the full sample. At a minimum,
the full sample must be designed to generate an estimate with a ninety
(90) percent level of confidence and a precision of twenty-five (25)
percent. The probe sample must contain at least thirty (30) sample
units and cannot be used as part of the full sample.
4. Random Numbers--Both the probe sample and the sample must be
selected through random numbers. The source of
[[Page 58403]]
the random numbers used must be shown in the sampling plans. The OIG
strongly recommends the use of its Office of Audit Services'
Statistical Sampling Software, also known as ``RAT-STATS,'' which is
currently available free of charge through the ``internet'' at
``www.hhs.gov/progorg/oas/ratstat.html''.
5. Sample Design--Unless the disclosing provider demonstrates the
need to use a different sample design, the self-assessment should use
simple random sampling. If necessitated, the provider may use
stratified or multistage sampling. Details about the strata, stages and
clusters should be included in the description of the audit plan.
6. Estimate of Review Time per Sample Item--The plan should
estimate the time expended to locate the sample items and the staff
hours expended to review a sample item.
7. Characteristics Measure by the Sample--The sampling plan should
identify the characteristics used for testing each sample item. For
example, in a sample drawn to estimate the value of overpayments due to
duplicate payments, the characteristics under consideration are the
conditions that must exist for a sample item to be a duplicate. The
amount of the duplicate payment is the measurement of the overpayment.
The sampling plan must also contain the decision rules for determining
whether a sample item entirely meets the criterion for having
characteristics or only partially meets the criterion.
8. Missing Sample Items--The sampling plan must include a
discussion of how missing sample items were handled and the rationale.
9. Other Evidence--Although sample results should stand on their
own in terms of validity, sample results may be combined with other
evidence in arriving at specific conclusions. If appropriate, indicate
what other substantiating or corroborating evidence was developed.
10. Estimation Methodology--Because the general purpose of the
review is to estimate the monetary losses to the Federal health care
programs, the methodology to be used must be variables sampling using
the difference estimator. To estimate the amount implicated in the
disclosed matter, the provider must use the mean point estimate. The
statistical estimates must be reported using a ninety (90) percent
confidence level. The use of RAT-STATS to calculate the estimates is
strongly recommended.
11. Reporting Results--The sampling plan should indicate how the
results will be reported at the conclusion of the review. In preparing
the report, enough details must be provided to clearly indicate what
estimates are reported.
D. Certification
Upon completion of the self-assessment, the disclosing health care
provider, or in the case of an entity its authorized representative,
must submit to the OIG a certification stating that, to the best of the
individual's knowledge, the report contains truthful information and is
based on a good faith effort to assist OIG in its inquiry and
verification of the disclosed matter.
VI. OIG's Verification
Upon receipt of a health care provider's disclosure submission, the
OIG will begin its verification of the disclosure information. The
extent of the OIG's verification effort will depend, in large part,
upon the quality and thoroughness of the internal investigative and
self-assessment reports. Matters uncovered during the verification
process, which are outside of the scope of the matter disclosed to the
OIG, may be treated as new matters outside the Provider Self-Disclosure
Protocol.
To facilitate the OIG's verification and validation processes, the
OIG must have access to all audit work papers and other supporting
documents without the assertion of privileges or limitations on the
information produced. In the normal course of verification, the OIG
will not request production of written communications subject to the
attorney-client privilege. There may be documents or other materials,
however, that may be covered by the work product doctrine, but which
the OIG believes are critical to resolving the disclosure. The OIG is
prepared to discuss with provider's counsel ways to gain access to the
underlying information without the need to waive the protections
provided by an appropriately asserted claim of privilege.
VII. Payments
Because of the need to verify the information provided by a
disclosing health provider, the OIG will not accept payments of
presumed overpayments determined by the health care provider prior to
the completion of the OIG's inquiry. However, the provider is
encouraged to place the overpayment amount in an interest-bearing
escrow account to minimize further losses. While the matter is under
OIG inquiry, the disclosing provider must refrain from making payment
relating to the disclosed matter to the Federal health care programs or
their contractors without the OIG's prior consent. If the OIG consents,
the disclosing provider will be required to agree in writing that the
acceptance of the payment does not constitute the Government's
agreement as to the amount of losses suffered by the programs as a
result of the disclosed matter, and does not affect in any manner the
Government's ability to pursue criminal, civil or administrative
remedies or to obtain additional fines, damages or penalties for the
matters disclosed.
VIII. Cooperation and Removal from the Provider Self-Disclosure
Protocol
The disclosing entity's diligent and good faith cooperation
throughout the entire process is essential. Accordingly, the OIG
expects to receive documents and information from the entity that
relate to the disclosed matter without the need to resort to compulsory
methods. If a provider fails to work in good faith with the OIG to
resolve the disclosed matter, that lack of cooperation will be
considered an aggravating factor when the OIG assesses the appropriate
resolution of the matter. Similarly, the intentional submission of
false or otherwise untruthful information, as well as the intentional
omission of relevant information, will be referred to DOJ or other
Federal agencies and could, in itself, result in criminal and/or civil
sanctions, as well as exclusion from participation in the Federal
health care programs.
Dated: October 21, 1998.
June Gibbs Brown,
Inspector General.
[FR Doc. 98-29064 Filed 10-29-98; 8:45 am]
BILLING CODE 4150-04-P