The OIG1 published a new Open Letter to Health Care Providers on April 15, 2008, continuing its intermittent public discussion of the OIG's Provider Self-Disclosure Protocol ("SDP") and related topics.2  Overall, the OIG's comments in its recent Open Letter are helpful and further inform provider decision-making as to the pros and cons and appropriate venue for self-disclosure; however, more detail and greater assurances from OIG likely are necessary to encourage full participation in the SDP. Below is a brief overview of the OIG's self-disclosure protocol and EBG's thoughts on the implications of the OIG's April 15, 2008 Open Letter for the health care industry.

Brief Overview of the OIG's Self-Disclosure Protocol

The current SDP was published in 1998 as a mechanism for health care providers to voluntarily report fraudulent conduct affecting Medicare, Medicaid, and other Federal health care programs. While not protected from civil or criminal action under the False Claims Act, providers disclosing fraud are advised in the SDP that the self-reporting of wrongdoing could be a mitigating factor in OIG's recommendations to prosecuting agencies. The SDP resulted from a pilot voluntary disclosure program that was introduced in 1995 as part of Operation Restore Trust (ORT), a major anti-fraud initiative aimed at dishonest durable medical equipment, home health care, nursing home, and hospice care providers in California, Florida, Illinois, New York and Texas. The Protocol offers a detailed step-by-step explanation of how a provider should proceed in reporting and assessing the extent of wrongdoing and how the OIG will go about verifying irregularities.

When the SDP was first published, the OIG touted it as an opportunity to minimize the potential cost and disruption of a full scale audit and investigation, to negotiate a fair monetary settlement, and to avoid an OIG permissive exclusion preventing the entity from doing business with the Federal health care programs. However, because a provider's disclosure can involve anything from a simple error to outright fraud, the OIG was careful not to make any commitments as to how a particular disclosure will be resolved or the specific benefit that will enure to the disclosing entity. Providers were simply told that full disclosure and cooperation generally benefits the individual or company, and that OIG will report on the provider's involvement and level of cooperation to the Department of Justice or other government agency affected by the disclosed matter.

OIG also explained that providers could benefit from using the self-disclosure protocol if resolution of the problem includes the imposition by the OIG of a Corporate Integrity Agreement (CIA). In 1998, the OIG stated that there are two distinct benefits which a provider may expect when it enters into a CIA as part of the resolution of a voluntary disclosure: (1) annual audits of an entity's billing operations that are required in CIAs, may be performed by internal or external auditors. Normally a CIA could require these annual audits to be performed by an independent review organization, such as a law firm or an accounting firm; and (2) to the extent that any obligations required by the CIA replicate provisions that already exist in an entity's own voluntary corporate compliance program, those provisions may be deemed acceptable for the purpose of the entity meeting its obligations under the CIA.

OIG's Comments in April 15, 2008 Open Letter are Helpful, but More Detail May Be Necessary to Encourage the Industry to Avail Itself of the SDP

Of great significance in the OIG's April 15, 2008 Open Letter is the government's acknowledgement that "the success of the SDP is contingent on OIG responding to the self-disclosure promptly and making resolution of the matter a priority." Accordingly, OIG represents that it has "streamlined" its "internal process for resolving these cases." In addition, OIG states that "[a] provider's submission of a complete and informative disclosure, quick response to OIG's requests for further information, and performance of an accurate audit are indications that the provider has adopted effective compliance measures." Accordingly, OIG continues, when negotiating the resolution of OIG's applicable administrative monetary and permissive exclusion authorities in exchange for an appropriate monetary payment, "we generally will not require the provider to enter into a Corporate Integrity Agreement or Certification of Compliance Agreement." OIG explains that it believes that this presumption in favor of not requiring a compliance agreement appropriately recognizes the provider's commitment to integrity and also advances the government's goal of expediting the resolution of self-disclosures.

This is welcome news, indeed. Early on, the OIG tended to view an organization's voluntary disclosure as the best evidence of an effective compliance program, and rarely imposed CIA obligations as part of settlement. More recently, with alarmingly greater frequency, the end result of a voluntary disclosure is an attempt to impose a full-blown CIA or CCA.

Similarly, more recent self-disclosures have involved years of re-investigation on the part of the OIG, with a lengthy and painful audit and verification process. This has been so even where providers have hired outside auditors to quantify damages and opened their books completely to OIG investigators and auditors.

What is needed is greater detail regarding precisely what in the OIG process has been streamlined. Health care organizations seek protection under the SDP primarily to serve business objectives. They seek greater control over the investigative process and the business disruption that occurs from government investigations, greater certainty regarding the range of outcomes to be expected (both financially and, even more important, as to operational oversight), and, especially, they seek to expedite the time frame of case resolution. Without assurances, in advance, regarding precisely what process will be followed in the future, health care organizations will continue to be reluctant to utilize the SDP and may seek other venues for self-disclosure.

For instance, it would be extremely helpful, at the outset of a self-disclosure, for the OIG staff to sit down with the disclosing organization and agree to a workplan and timetable to complete the investigation and reach resolution. Such a workplan, of course, would be subject to modification as the matter progresses, and would serve to manage expectations for all parties. An attempt several years ago to suggest a work plan and timetable to the OIG in the context of a self-disclosure was met with outrage on the part of the OIG that a disclosing organization would even attempt to dictate the terms of an investigation. Plainly, such a reaction is not conducive to health care organizations continuing to participate in the protocol.

Also disheartening is the OIG's mandate that providers "must be in a position to complete the investigation and damages assessment within 3 months after acceptance into the SDP." Under this standard, the protocol can only be utilized for the simplest of cases. Any self-disclosure involving complex issues of law or fact, requiring substantial auditing activity of company books and records, or involving numerous issues, cannot possibly be fully resolved and quantified within a 3 month period.

In one voluntary disclosure, for example, an internal whistleblower brought forth no less than thirty different issues that needed to be investigated, and, if substantiated, quantified. A preliminary self-disclosure was filed with the OIG just weeks before the whistleblower filed a qui tam suit under the false claims act (FCA). Another voluntary disclosure involved an audit of seven years of cost report workpapers, requiring forensic evaluation across a broad spectrum of company accounts. Under the OIG's new rules, neither of these cases could have been disclosed under the SDP for quite some time — perhaps three to six months — after they were in fact disclosed. Where a company's goal is to beat an internal whistleblower to the courthouse door, rules that keep providers from making timely disclosures may keep providers from making disclosures altogether, or from reaping the rewards of disclosure.

1  Office of Inspector General of the U.S. Department of Health and Human Services. Daniel R. Levinson currently is the Inspector General. 

2  Prior OIG Open Letters to Health Care Providers were issued on April 24, 2006, November 21, 2001, March 9, 2000 (entitled "Open Letter to Health Care Community") and February 1997.


Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.