On October 21, 1998, the Office of Inspector General ("OIG") of the Department of Health and Human Services ("HHS") released the Provider Self-disclosure Protocol ("Protocol"), which sets forth detailed guidance for providers that choose to disclose to HHS their noncompliance with federal health care program requirements. The Protocol is effective immediately and applies to all types of health care providers nationwide. It replaces the Voluntary Disclosure Program ("VDP"), a two-year pilot program initiated in 1995 that was rarely used by the providers to whom it applied. Although the Protocol eliminates some of the problems with the VDP, it is not a risk-free procedure for disclosing noncompliance. Health care providers should carefully consider the risks and benefits of voluntary disclosure under the Protocol.

This memorandum provides historical background on the VDP, describes the Protocol guidelines, and analyzes the risks and benefits associated with voluntary disclosure under the Protocol.

The VDP was launched in 1995 as part of Operation Restore Trust, a health care fraud and abuse project initially applicable to nursing homes, durable medical equipment suppliers, home health agencies, and hospices in New York, Florida, California, Texas, and Illinois. The program was designed to provide incentives for providers in those states to voluntarily disclose noncompliance before becoming the subject of an audit or investigation in their region. Such incentives included the possibility of more favorable treatment during settlement negotiations and the potential (but no guarantee) to reduce or avoid criminal prosecution and permissive exclusion from the Medicare or Medicaid programs.

Despite the potential benefits of self-disclosure under the VDP, a number of concerns may have discouraged providers from availing themselves of the program:

• Providers were required to apply for admission to the VDP and to sign a standard agreement granting the OIG and Department of Justice ("DOJ") broad authority to seek additional information and undertake subsequent actions, including those regarding unrelated incidents of noncompliance that were inadvertently discovered during the VDP process.

• Because only corporate entities could apply for admission, individuals involved in the wrongdoing remained at risk of prosecution.

• The benefits of voluntary disclosure inured only to those matters that were not at the time of disclosure already the subject of a legal proceeding or an audit or investigation by any of a number of government agencies.

• The verification procedures used to assess a volunteer's disclosure could approximate those used in a typical federal investigation.

• Many uncertainties existed with respect to the privileged status, disclosure, and subsequent use of documents submitted in the VDP process.

• VDP offered no relief from either False Claims Act liability or the Social Security Act provisions that mandate exclusion from Medicare and Medicaid in the event of what is broadly defined as a "conviction."

Although the government collected $8 million as a result of the VDP, only 19 providers in the five-state initiative volunteered for the program, and six of those providers were disqualified because they were already under investigation. In short, the VDP could be characterized as a disappointment to both providers and the OIG.

In drafting the Protocol, the OIG has created an expanded and, in some ways, more flexible successor to the VDP. All health care providers nationwide, regardless of industry, specialty, or type of service provided, are eligible to participate in the Protocol. In addition, the program is open to both corporate entities as well as individuals, and participants will not be automatically rejected if they are already the subject of an investigation. The Protocol should prove more appealing to providers, because according to the OIG, it contains no pre-disclosure requirements, applications for admission, or qualifying criteria. Moreover, there is no requirement that providers sign a written agreement with respect to their participation in the program, but the government expects good faith disclosure and cooperation.

Although the Protocol eliminates some of the undesirable features of the VDP, other VDP provisions remain, as noted below.

• The OIG makes no commitment in the Protocol with respect to how a particular matter will be resolved because resolution of voluntary disclosure matters will depend on the nature and severity of the disclosed noncompliance.

• The OIG will not be bound by any of the findings made by the provider in the course of its internal investigation, and it may conduct its own investigation, although the provider's findings made pursuant to the Protocol procedures will be given "substantial weight" in determining program overpayments.

• The OIG will report the provider to any government agencies affected by the disclosed matter, including the DOJ if the matter warrants consideration of civil or criminal penalties. The provider may request that the DOJ or the local United States Attorney participate in settlement discussions regarding False Claims Act liability.

• Unrelated instances of noncompliance discovered as a result of participation in the Protocol process may be treated as new matters outside the scope of the Protocol.

• The confidentiality of information and documents disclosed to the OIG is not addressed by the Protocol, so one can only assume that the Protocol offers no additional protections over the VDP regarding confidentiality.

Procedurally, voluntary disclosure under the Protocol involves a written disclosure statement, an internal investigation as to the facts of the matter, an internal assessment of the financial impact of the disclosed matter, OIG verification of the provider's disclosure information, and resolution of the matter (i.e., settlement). Each of these procedures is discussed more fully below.

A. Disclosure Submission

The initial disclosure submission is to be made to the OIG's Assistant Inspector General for Investigative Operations, and must include such information as:

• Name and address of the disclosing party(ies) and any related or affiliated entities;

• Whether the provider is aware of any inquiry or investigation by a government agency with respect to the disclosed matter or any other noncompliance issue;

• A description of the nature of the disclosed matter, including how it arose, what federal programs were affected, and the relevant time period;

• The names of entities and individuals believed to be implicated in the matter and their role in the matter; and

• A certification by the provider that, to the best of its knowledge, the submission is truthful and based on a good faith effort to disclose the matter for purposes of resolving any potential liabilities to the government.

The Protocol does not specify how soon after discovering noncompliance a provider should voluntarily report the wrongdoing. However, the OIG Compliance Program Guidance documents for hospitals, home health agencies, and clinical laboratories specify that providers should report wrongdoing within 60 days after determining that there is credible evidence of a violation of law, and in some cases, the OIG expects immediate notification. The Compliance Program Guidance documents further state that prompt reporting of noncompliance will demonstrate the provider's good faith and constitute a mitigating factor for purposes of determining administrative sanctions. Thus, it appears that voluntary disclosure under the Protocol may not result in favorable treatment by the OIG if a provider has failed to initiate Protocol procedures within 60 days of discovering noncompliance.

B. Internal Investigation

The Protocol provides that the OIG will generally agree, for a reasonable period of time, not to investigate the matter if the provider agrees to conduct an internal review in accordance with the Protocol's Internal Investigation Guidelines and guidelines for determining the monetary impact of the noncompliance ("Self-assessment Guidelines"). The results of the internal review must be summarized in a written report certified by the provider to be truthful and made in good faith. In general, the report must set forth the nature and extent of the noncompliance, as well as the circumstances under which the disclosed practice was discovered and the provider's response to the matter. More specifically, the report must include such information as:

• The potential causes of the practice;

• The divisions, departments, and related entities involved or affected;

• The impact on and risks to the health and safety of patients and their quality of care;

• The names of corporate officials, employees, or agents who knew of, should have known of, encouraged, or participated in the practice, and the names of individuals who detected the matter;

• The monetary impact of the noncompliance, as based on the Self-assessment Guidelines discussed below;

• The chronology of investigative steps taken in connection with the internal investigation, including a list of the individuals interviewed and interview summaries, a description of the records reviewed, and a summary of audit activity; and

• Actions taken to stop the practice and prevent its recurrence, as well as a description of any disciplinary actions taken against the provider's employees, officials, and agents.

The Protocol does not specify the time frame within which the internal investigation must be completed and a report submitted.

C. Self-Assessment Guidelines

The Protocol permits providers to calculate the monetary impact of their noncompliance on the affected federal health care programs, and it sets forth very specific guidance regarding the methods to be used in quantifying such impact. Although not obligated to accept the results of the provider's calculation, the OIG states that it will give "substantial credibility" to a financial assessment conducted in accordance with Protocol guidelines, and it will use the provider's self-assessment report in preparing a recommendation to DOJ, if False Claims Act or other liability is involved.

The provider may base the financial assessment on a review of either all affected claims or a statistically valid sample of such claims. The provider should submit for OIG review a work plan describing its self-assessment process, including a description of the review population, sources of data to be relied upon, and the qualifications of those individuals who will conduct the self-assessment. The Protocol provides that the full sample must be designed to generate a financial impact estimate with a 90 percent confidence level and a precision of 25 percent. The size of the full sample must be determined through the use of a probe sample, which must contain at least 30 sample units (e.g., patient records and corresponding invoices). Accordingly, it appears that the size of the full sample will be rather large.

Finally, upon completion of the self-assessment, the provider must submit a written report to the OIG, certified as to its truthfulness, and setting forth the methodology and conclusions of the financial self-assessment. Again, the Protocol does not specify the time period within which a provider must complete the self-assessment or submit the self-assessment report.

D. OIG Verification

The OIG asserts that it retains broad authority to undertake any action at any time during the review to verify the process and validate the provider's findings. According to the Protocol, the OIG's verification of disclosed information will depend on the quality and thoroughness of the internal investigation and self-assessment reports. Again, noncompliance unrelated to the disclosed matter and discovered during the verification process may be treated as a new matter outside the scope of the Protocol.

As in the VDP, the Protocol provides that the OIG must have access to all audit work papers and other documents without the assertion of attorney-client or other privileges. However, the Protocol states somewhat ambiguously that the OIG will not request documents subject to attorney-client privilege "in the normal course of verification." Where documents protected by the work product doctrine are believed to be critical to resolving the matter, the OIG states that it is willing to discuss with the provider's counsel alternative ways to gain access to the underlying information without necessitating the waiver of privilege. Although the Protocol is more flexible than the VDP with respect to privileged documents, providers should be aware of and seriously consider the implications of what is clearly only a general guideline on a critical matter.

E. Resolution

According to the OIG, good-faith cooperation will assure favorable treatment during resolution. In making a recommendation or referral to the DOJ, the OIG states that it will report on the provider's level of cooperation and diligence throughout the disclosure process. Failure to work in good faith with the OIG during its verification process or the remainder of the Protocol process will be considered an aggravating factor by the OIG in its resolution of the disclosure. Intentional submission of false information or omission of relevant information will be referred to the DOJ for criminal and/or civil penalties as well as program exclusion.

Although the new Protocol is an improvement over the VDP, providers still will need to consider carefully the appropriateness and risks of voluntary disclosure pursuant to Protocol procedures. If a provider has received an overpayment through no fraud or fault of its own, a refund in the normal course of business may be more appropriate than using the Protocol process. On the other hand, if the provider is at fault in any way, the Protocol process may prove to be a viable mechanism for notifying the government and arriving at a palatable resolution. However, the OIG asserts that the Protocol should not be invoked by a provider who discovers an "ongoing fraud scheme" within its organization, because "there is a substantial risk that the Government's subsequent investigation will be compromised." How broadly the OIG will define "ongoing fraud scheme" is uncertain, and the stated rational for its position on this matter conflicts with the government's purported commitment to promote "an environment of openness and cooperation."

Providers cannot expect confidential treatment of the disclosed information or other information gained by the OIG through its verification process. The Health Insurance Portability and Accountability Act of 1996 called for sharing of information between private health plans and the federal government. According to guidelines issued October 9, 1998 by the U.S. Office of the Attorney General, the DOJ will provide to private health plans such public and non-public information concerning its enforcement activities, including provider-specific information that may have been received from the OIG as a result of the Protocol process.

Whether or not a provider will receive favorable treatment by the OIG may depend on the timing of the provider's disclosure. In light of the OIG's Compliance Program Guidance documents issued to date, it appears that providers may not receive favorable treatment if they fail to report wrongdoing within 60 days of its discovery (a failure that the OIG apparently considers tantamount to bad faith). Moreover, providers must be aware that even good-faith disclosure and cooperation with the OIG cannot guarantee freedom from mandatory exclusion, investigation by the OIG regarding unrelated noncompliance discovered during disclosure, prosecution by another state or federal agency regarding the disclosed matter, or disclosure of sensitive information.

Please do not hesitate to contact Joan Dailey (202/414-9418) or any member of the Reed Smith health care group with whom you work if you would like additional information, or if you would like a copy of the Protocol.

The contents of this Memorandum are for informational purposes only, and do not constitute legal advice.