When And Why: Choosing Self-Disclosure

Since its debut in a 1995 pilot program, the Office of Inspector General (OIG) for the Department of Health and Human Services has worked to make the Provider Self Disclosure Protocol (SDP) an attractive alternative when fraudulent activities occur in a health care organization. This article will review the history and progression of the SDP, as well as outline the steps an organization must take in making a self-disclosure based on guidance from CCH's Corporate Governance Manual.1

Before the adoption of the SDP, the OIG worked largely on an informal basis with providers and suppliers that voluntarily disclosed billing, marketing, and quality issues within their respective organizations. In 1995, the Department of Justice (DoJ) and OIG announced a voluntary disclosure pilot program, which gave qualifying entities a formal mechanism for disclosing and seeking the resolution of matters relating to the Medicare and Medicaid programs. In 1998, based on information gathered from the pilot program, OIG published the current SDP, which included some, but not all, of the elements in the pilot program.2

Initially, the SDP was directed at resolving a provider's permissive exclusion liability resulting from the submission of false claims in violation of the False Claims Act (FCA). Since its creation in 1998, the OIG has issued two open letters to providers through which the SDP was revised and expanded. In the 2001 open letter the OIG discussed concern regarding the financial impact of corporate integrity agreements (CIAs) on providers. In particular, the OIG announced that it would modify billing reviews and the use of independent review organizations to reduce the financial impact of CIAs.3

In the 2006 open letter, the OIG further expanded the SDP to include an initiative promoting the use of the SDP to resolve civil money penalty (CMP) liability under the physician self-referral and anti-kickback statutes for financial arrangements between hospitals and physicians.4 The OIG announced it will waive its exclusion authority concurrent with the resolution of monetary liability under the FCA and CMP laws when providers demonstrate the requisite level of trustworthiness and have in place, or are willing to develop, an effective compliance program.

When To Follow The Protocol

While the decision to make a voluntary disclosure rests ultimately with the provider, the OIG offered some guidance on what the provider should consider before making a disclosure. First, the SDP was not intended to resolve an ongoing fraud scheme. Should an organization uncover such a scheme, as opposed to an incidence of noncompliance, it should not follow the SDP's steps to self-investigate or self-quantify the scope of the problem.

Second, the OIG anticipates that a provider will apply the SDP's suggested steps only after an initial assessment substantiates there is a problem with noncompliance with federal health care program requirements. The initial identification of potential risk areas should be less intensive and need not conform to the SDP's suggested procedures.

Other considerations. The OIG may require access to certain documents that are covered by the attorney work product doctrine, and has stated that it is prepared to work with the provider's counsel on ways to gain access to that information without the need to waive any privileges. The organization, however, should take steps to appropriately segregate privileged communications and protected work product from information that it intends to share with the OIG.5

Finally, the OIG warns in the 1998 notice that it is not bound by any findings made by the disclosing provider under the SDP and is not obligated to resolve the matter in any particular manner. Consequently, the organization should consider that the OIG could refer the matter to the DoJ for consideration under its civil and criminal authorities.

The Protocol

The SDP provides "guidance" to providers on voluntary disclosure and, therefore, does not contain rigid requirements or limitations.

Initial communication with the OIG. Once it is determined that a disclosure should be made, the provider should write an introductory letter to notify the OIG of the provider's intention to voluntarily disclose. The letter should identify the disclosing entities and provide a general description of the noncompliant circumstances.

Internal investigation and self-assessment. The disclosing provider will be expected to conduct an internal investigation and a self-assessment of the financial impact of the fraudulent activities and report the findings to the OIG. The internal review may be conducted after the initial disclosure, and the OIG will generally agree to forego an investigation for a reasonable time if the provider agrees to conduct the internal investigation in accordance with the OIG guidelines set out in the SDP.6

Self-assessment work plan. The provider also will need to submit to the OIG a work plan describing the self-assessment process. Because the OIG will verify the provider's calculation of program losses, it is strongly recommended that the provider conform to the guidelines in the SDP. The OIG is not obligated to accept the results of the provider's self-assessment. Consequently, findings based on the procedures outlined in the SDP will be given substantial weight in determining the amount of overpayments to the provider.

Disclosure report. To the extent possible, the disclosure report should simply and factually address the nature and scope of the noncompliance and why the organization believes there is a potential violation.

While failure to conform to each element of the SDP is not fatal to the disclosure, the OIG stresses that it will likely delay the resolution of the matter. OIG guidance states that the report should demonstrate that a full examination has been conducted and suggests that the report:

identify the potential causes of the incident;

describe the incident or practice in detail, including how the incident or practice arose and continued;

identify the division, departments, branches or related entities involved or affected;

identify the impact on, and risks to, health, safety, or quality of care posed by the matter disclosed with sufficient information to allow the OIG to assess the immediacy of the impact and risks, the steps that should be taken to address them, as well as the measures taken by the disclosing entity;

delineate the period during which the incident or practice occurred;

identify the corporate officials, employees or agents who knew of, encouraged, or participated in, the incident or practice and any individuals who may have been involved in detecting the matter;

identify the corporate officials, employees or agents who should have known of, but failed to detect, the incident or practice based on their job responsibilities; and

estimate the monetary impact of the incident or practice upon the federal health care programs, pursuant to the self-assessment guidelines.

The report should relate the circumstances under which the matter was discovered. Measures taken to address the problem and prevent future problems should be fully documented as well. OIG guidance suggests that the report include:

a list of all individuals interviewed in connection with the matter;

a description of files, documents and records reviewed; and

a summary of auditing activities and a summary of documents relied upon in support of the estimation of losses.

In addition, the report must include a "Certification of Truthfulness" signed by a person who is responsible for handling the matter.

Verification. After the disclosure report is submitted, an OIG special agent and an attorney from the Office of Counsel to the Inspector General (OCIG) will be assigned to verify the information. The OIG agent is responsible for interviewing witnesses, reviewing documents, validating the voluntary disclosure report, and doing general investigative work. It is incumbent on the provider to set the tone of this relationship by cooperating as fully as reasonably possible, being forthcoming at all times, and offering necessary and relevant information.7

Upon completion of the initial investigation, the OIG agent provides feedback to the OCIG attorney. The OCIG attorney reviews and weighs the OIG agent's recommendations and then decides on an appropriate course of action. The final stage of this process usually involves a discussion with the provider to negotiate the next steps or a resolution.8

Benefits Of Disclosure

Because the provider's disclosure could involve anything from simple error to fraud, the OIG cannot make firm commitments as to how a matter will be resolved or what benefits will be achieved from the disclosure. In general, self disclosure leads to a less restrictive three-year certification of compliance agreement rather than a CIA, which lasts five years and requires an independent review organization to conduct and verify audits or claim reviews. According to Daniel Levinson, HHS Inspector General, provider liability falls along a continuum. When an organization follows the SDP, there is a greater chance the organization can settle at the lower level of the continuum.

Corporate integrity agreements. The 2001 open letter continues to guide the OIG in determining whether to require a CIA. First and foremost, the OIG will consider whether the provider self-disclosed the alleged misconduct. In addition, the OIG will consider (1) the monetary damage to federal health care programs; (2) whether the case involves successor liability; (3) whether the provider is still participating in the federal health care programs or in the line of business that gave rise to the fraudulent conduct; (4) whether the alleged conduct is capable of repetition; (5) the age of the conduct; (6) whether the provider has an effective compliance program and would agree to limited compliance or integrity measures and would annually certify such compliance to the OIG; and (7) other circumstances, as appropriate.


During fiscal year 2005, the OIG excluded a total of 3,804 individuals and entities, barring them from participating in Medicare, Medicaid, and other federal and state health care programs. In addition, the Department of Health and Human Services collected $423 million in disallowances of improperly paid health care funds, based on OIG recommendations.9 Clearly, seeking out and combating waste and abuse of federal health care funds continues to be a top priority. While prevention of fraud and abuse through an effective compliance program should be the primary approach to addressing these issues, providers need to be familiar with the SDP process should a situation arise in their organization that requires disclosure.

Published March 1, 2007.