Related Practices
Making a Voluntary Disclosure in Order to Avoid a Corporate Integrity Agreement: Is It Worth the Risk?
Harold Damelin and C. Anthony Russo
Originally published in White Collar Crime 2001, a publication of The American Bar Association Criminal Justice Section
INTRODUCTION
As the Medicare and Medicaid programs have grown, the federal government has become increasingly aggressive in its attempt to protect the integrity of these programs from provider fraud and abuse. Realizing that it alone cannot police the health care industry, the federal government has created incentives for providers to police themselves through the establishment of effective compliance programs and the voluntary disclosure of possible criminal and civil violations.
Making a voluntary disclosure, however, is not something that a provider should do without careful consideration. While providers sometimes have a duty to voluntarily disclose certain conduct (e.g., the duty to disclose overpayments pursuant to 42 U.S.C. § 1320a-7b(a)(3)), the decision to voluntarily disclose is generally at the provider's discretion. A provider must therefore give serious thought to the risks and incentives involved in voluntarily disclosing a wrongdoing - that ultimately may never be discovered - because such a disclosure could expose it to criminal and/or civil liability and exclusion from participation in federal health care programs.
The newest incentives for voluntary disclosure, and arguably the most attractive, were announced by the Health and Human Services' Inspector General, June Gibbs Brown, on March 9, 2000, through an open letter to all health care providers.1 In that letter, Inspector General Brown asserted that the Office of the Inspector General ("the OIG") would consider the possibility of foregoing the exclusion remedy for a material breach of a corporate integrity agreement ("CIA") where the provider voluntarily discloses a violation of law. Additionally and more importantly, Inspector General Brown stated that if the provider demonstrates that its "compliance program is effective and agrees to maintain its compliance program as part of the False Claims Act settlement," then the OIG would consider the possibility of imposing no CIA or imposing a CIA much less onerous than it usually imposes.2 Given the burdensome nature of CIAs, this is a tremendous incentive for providers to disclose their wrongdoing.
CIAs are imposed by the OIG on providers as part of settlements of OIG and other governmental investigations and audits arising under a variety of false claims statutes. Lasting as long as 8 years and requiring a provider to implement a long list of costly and time consuming compliance measures, a CIA is an onerous and costly penalty for failing to comply with the health care fraud laws.3 The possibility of realizing a settlement that does not involve a CIA, or that involves a less onerous CIA than is normally imposed by the OIG, is therefore a factor that providers must seriously consider when determining whether or not to make a voluntary disclosure.
This article's main focus is on the possibility of fully or partly avoiding a CIA pursuant to Inspector General Brown's March 2000 letter. Specifically, the article discusses the protocol established by the OIG for making voluntary disclosures, addresses in further detail the incentives offered in Inspector General Brown's March 2000 letter, describes the basic elements of a CIA, and explains some of the various factors and strategies that a provider should consider in deciding if, when and how to make a voluntary disclosure.
THE OIG'S OCTOBER 1998 SELF-DISCLOSURE PROTOCOL
The OIG's current voluntary disclosure program, the Provider Self Disclosure Protocol, was announced in October 1998.4 The origins of this current program, however, can be traced back to 1995. In 1995, as part of the Operation Restore Trust (ORT) initiative, HHS and the Department of Justice (DOJ) announced a pilot voluntary disclosure program that embraced the OIG's long-standing policy favoring voluntary self-disclosure.5 This pilot program was developed in coordination with representatives of the OIG, DOJ, various United States Attorneys' Offices, the Federal Bureau of Investigation (FBI) and the Health Care Financing Administration (HCFA)*. The pilot program was limited to five States (New York, Florida, Illinois, Texas and California) and four different types of providers (home health agencies, skilled nursing facilities, durable medical equipment suppliers, and hospice providers). It gave those qualifying entities a formal mechanism for disclosing and seeking the resolution of matters relating to the Medicare and Medicaid programs.
In 1997, the pilot voluntary disclosure program ended. In total, 20 providers made self-disclosures under the pilot program, and only 14 of these were eventually accepted into the program.6 While participation in the pilot program was very limited, it gave the OIG an opportunity to gain valuable insight into the variables influencing the decision to voluntarily make a disclosure to the Government.
In late October 1998, the OIG attempted to further encourage the health care industry to conduct voluntary self-evaluations and make voluntary disclosures through its announcement of the Provider Self-Disclosure Protocol ("the Protocol"), a new "expanded and simplified" protocol for voluntary disclosure.7 Designed to address and correct a number of the key problems that existed with the pilot program, the OIG's Protocol is available to all health care providers in all fifty states and suggests specific steps that a provider should undertake if it wishes to make a voluntary disclosure to the OIG. Specifically, it provides detailed guidance on how to investigate a matter and comprehensive instructions on what information should be disclosed to the OIG. Providers may choose not to follow all of the Protocol's guidance, however, the OIG makes it clear that failure to closely follow the Protocol will likely delay the resolution of the matter and reduce the provider's chances of receiving favorable treatment from the OIG.
In order to participate in the OIG's self-disclosure program, providers are expected to disclose specific information regarding the potential violation and to engage in self-evaluative steps to identify and remedy the violation. The Protocol states that the initial disclosure should be made in writing and submitted to the OIG. In addition to basic background information concerning the provider, the initial disclosure should also contain: an indication as to whether the provider has knowledge that the matter is under current inquiry by a Government agency or contractor; a full description of the nature of the matter being disclosed, including the type of claim, transaction or other conduct giving rise to the matter; the names of entities and individuals believed to be implicated and an explanation of their roles in the matter; the relevant periods involved; the type of health care providers implicated; any provider billing numbers associated with the matter disclosed; the Federal health care programs affected, including Government contractors such as carriers, intermediaries and other third-party payers; the reasons why the disclosing provider believes that a violation of Federal criminal, civil or administrative law may have occurred; and a certification by the provider that the disclosure contains truthful information and "is based on a good faith effort to bring the matter to the Government's attention for the purpose of resolving any potential liabilities with the Government."8
Once the initial disclosure is made, the Protocol directs the provider to conduct an internal investigation and a self-assessment, and to disclose the findings of these internal reviews to the OIG. The matter cannot be fully resolved until this comprehensive internal review and self-assessment is completed and the results are reported to the OIG. The Protocol states that the internal review must be completed pursuant to the Internal Investigation Guidelines set forth in the Protocol, and strongly recommends that the self-assessment conform to the Self-Assessment Guidelines also set forth in the Protocol.
After the initial disclosure and the submission of the self-assessment and internal investigation reports, the OIG begins the process of verifying the disclosed information. The extent of the verification process largely depends on the quality and thoroughness of the reports provided to the OIG. The Protocol provides that in order to facilitate the OIG's verification and validation process, the OIG must have access to all audit work papers and other supporting documents without the assertion of privileges or limitations on the information produced. The Protocol further states, however, that the OIG will not request the production of written communications subject to the attorney-client privilege in the normal course of verification. Yet, in contrast, the Protocol emphasizes that the "diligent and good faith cooperation" of the disclosing entity is essential throughout the entire process.9 In fact, the OIG makes it clear that it expects "to receive documents and information from the entity that relate to the disclosed matter without the need to resort to compulsory methods."10 Moreover, the Protocol states that "[a] lack of cooperation or the failure to act in good faith will be considered an aggravating factor when the OIG attempts to resolve the incident."11
While voluntary disclosure represents a viable option for providers who discover they have been involved in possible criminal or civil misconduct, the Protocol offers no guarantee that the OIG will decide to grant lenient treatment to the provider. The Protocol clearly states that the OIG is not bound by the findings of the disclosing provider and is "not obligated to resolve the matter in any particular manner."12 Indeed, the Protocol states that "upon review of the provider's disclosure submission and/or reports, the OIG may conclude that the disclosed matter warrants a referral to the DOJ for consideration under its civil and/or criminal authorities."13 Thus, there is the ever-present risk that a provider may disclose a potential violation to the government that the government may never have discovered, and/or the provider's disclosure may provide the government with much of the evidence necessary for a successful criminal or civil prosecution of the corporate entity or its employees. It is this risk of the unknown that has prevented many attorneys from recommending that health care providers make a voluntary disclosure under the OIG's Protocol. In fact, from the time that the Protocol was announced in October 1998 to the date of Inspector General Brown's March 2000 letter, only 55 providers have self-disclosed and only 50 of those have been accepted into the program.14
THE INSPECTOR GENERAL'S MARCH 2000 LETTER
In an attempt to encourage providers to overcome some of the apprehension involved in deciding whether or not to make a voluntary disclosure, Inspector General June Gibbs Brown published an open letter to the health care community on March 9, 2000 offering providers some very significant additional incentives to voluntarily disclose improper conduct.15
Among the incentives that Inspector General Brown announced was that the OIG would consider the possibility of foregoing the exclusion remedy for a material breach of a CIA where the provider voluntarily discloses a violation of law. There are two major categories of exclusion - mandatory and permissive exclusion. The Inspector General, acting on behalf of the Secretary of the Department of Health and Human Services, must impose exclusion if a provider commits any of the four violations set forth for mandatory exclusion in 42 U.S.C. § 1320a-7(a). The length of a mandatory exclusion is set by the statute, and in some situations the exclusion is permanent. As for permissive exclusion, it is the Inspector General's discretion to exclude a provider if it has engaged in any of the fifteen types of conduct that trigger permissive exclusion under 42 U.S.C. § 1320a-7(b). It is also within the Inspector General's discretion to determine length of a permissive exclusion.
Typically, CIAs include a provision to exclude a provider from participation in the federal health care programs if the OIG determines that the provider has materially breached the terms of the agreement. Generally, this provision is necessary to ensure that the OIG maintains the ultimate remedy to protect the federal health care programs from problem providers. Many providers entering into CIA's have complained about the exclusion remedy. In response to these complaints, the Inspector General has agreed to forego the exclusion remedy in appropriate self-disclosure cases where the provider demonstrates sufficient trustworthiness to allow the OIG to conclude that the federal health care programs can be safeguarded without the exclusion remedy for a material breach of the CIA.
Even more enticing than the possibility of not being excluded for a material breach of a CIA, however, is the possibility offered by the Inspector General, of avoiding a CIA altogether. According to Inspector General Brown's letter, if a provider demonstrates that its "compliance program is effective and agrees to maintain its compliance program as part of the False Claims Act settlement," then the OIG may consider not imposing a CIA, or imposing a CIA much less severe than it usually requires.16 Consequently, the importance of having an "effective" compliance program in place at the time of the disclosure cannot be overemphasized. Indeed, Providers interested in maintaining an "effective" compliance program should familiarize themselves with the compliance program guidance issued by the OIG.
In 1997, the OIG began producing specific compliance program guidance for individual segments of the health care industry. To date, the OIG has issued 10 compliance program guidances concerning: hospitals; home health agencies; clinical laboratories; third-party billing companies; the durable medical equipment, prosthetics, orthotics and supply industry; hospice providers; Medicare + Choice organizations; nursing home facilities; and individual and small group physician practices.17
In addition to the existence of an "effective" compliance program, the Inspector General's letter states that the decision not to impose a CIA is also influenced by a number of other variables, including "the scope and seriousness of the misconduct, the risk of recurrence, whether the disclosed matter was identified and reported as a result of the provider's compliance measures and the degree of the provider's cooperation during the disclosure verification process."18 In weighing the pros and cons of making a voluntary disclosure, providers must therefore not forget that it is entirely within the OIG's discretion whether or not to impose a CIA as part of the overall settlement.
In those instances where the OIG believes that a voluntarily disclosing provider must nevertheless still enter into a CIA, Inspector General Brown's letter states that the OIG may need to make only limited changes to its existing policies and procedures in order to meet most of the requirements of the CIA. For example, in cases where the provider's own audits detected the disclosed problem, the OIG may consider alternatives to the CIA's auditing provisions. Inspector General Brown's letter explains that in such an instance, the OIG may permit a provider who voluntarily discloses to perform some or all of the billing audits through its internal auditors rather than require the retention of an Independent Review Organization. (The auditing requirements of the typical CIA are discussed below in more detail). Inspector General Brown's letter further provides that in appropriate cases the OIG may narrow the scope and focus of the claims review to the areas found out of compliance or allow alternate audit methodologies in lieu of the statistical sampling methodology that the OIG generally requires. Furthermore, the letter states that in appropriate circumstances the OIG may eliminate the need for an external evaluation of the provider's compliance with the terms of the CIA.
Overall, these concessions on the part of the OIG are very significant and should encourage more providers to make voluntary disclosures. Again, however, providers should not be dazzled by these potential incentives and blindly make a voluntary disclosure. Rather, providers should be prudent in placing the OIG's incentives high on a list of consideration that must be thoroughly reviewed before deciding whether to make a voluntary disclosure in attempt to fully or partly avoid a CIA.
WHY CORPORATE INTEGRITY AGREEMENTS SHOULD BE AVOIDED
As stated above, the compliance obligations mandated by CIAs are onerous and costly. The OIG imposes compliance obligations on health care providers as part of its settlements of federal health care program investigations arising under a variety of false claims statutes. A provider consents to these obligations as part of the overall civil settlement that is made in exchange for the OIG's agreement not to exclude the provider from participation in Medicare, and other federal health care programs or impose civil money penalties.19 Currently, the OIG is monitoring more than 450 CIAs. While some existing CIA's run for as long as eight years, the number of years could be even longer given that the length of a CIA is at the OIG's discretion.21
CIAs require a provider to implement a variety of compliance measures to ensure the integrity of federal health care program claims submitted by the provider. These compliance measures generally include requirements to:
In addition to these common requirements, below is a detailed discussion of some other provisions that are required by the OIG in most CIAs. The discussion of these additional provisions should alone serve as ample motivation for a provider to maintain an effective compliance program in the hope of avoiding a CIA.22
External Reviews
Extensive auditing is one of the key requirements of CIAs. The OIG perceives that the only way for it to determine whether or not a provider is continuously in compliance with the terms of a CIA is through an ongoing evaluation of the provider's compliance program. Consequently, the review procedures in many recent CIAs require that the provider engage an Independent Review Organization ("IRO"), such as an accounting, auditing, or consulting firm, to annually assess the adequacy of both the provider's billing and compliance practices under the CIA.
The billing review typically requires the IRO to assess all types of claims submitted to federal health care programs, rather than only those claims related to the settlement. In addition, the CIA requires that the billing review meet certain sampling criteria and statistical validity thresholds.
The compliance review requires the IRO to analyze whether the provider's operations and procedures comply with all the terms of the CIA. Notably, CIAs generally include obligations to comply with all rules and laws in addition to the specific requirements mandated by the CIA and generally require the Compliance Officer to certify that, to the best of his/her knowledge, compliance has been achieved. Therefore, an IRO needs to become familiar with almost every aspect of a provider's operations in order to give similar assurances. This requirement is exceptionally burdensome and costly to providers.
On-Site Visits
In addition to the invasive and burdensome requirements mentioned above, the OIG has expanded its oversight of certain providers to include on-site visits that are often performed with very little advance notice. An on-site visit typically includes interviews of employees that the OIG uses to assess whether the provider is in day-to-day compliance with all Federal program requirements. Furthermore, audit work papers are reviewed during an on-site visit to determine whether the prescribed methodologies were followed and the results were accurately reported. While on-site visits are disruptive to the provider's business operations, more importantly they increase the potential for the OIG to discover new problems which might merit further investigation.
Stipulated Penalties
A failure to fulfill the requirements of the CIA can also lead to significant monetary penalties. Under recent CIAs, providers are subject to the imposition of specific monetary penalties, called stipulated penalties, for failure to comply with the basic obligations under the agreement (e.g., appointing a compliance officer or developing policies and procedures). The violations triggering these stipulated penalties include: the provider's failure to timely submit an implementation report or an annual report; the provider's failure to timely implement the compliance provisions of the CIA; the provider's improper hiring or employing of ineligible persons; the provider's failure to grant access to information required by the CIA; and the provider's failure to comply with any obligation of the CIA. Stipulated penalties accrue for each day of a violation and their amount varies depending on the described violation. In typical CIAs, the OIG has set these penalties from anywhere between $500 to $3,000 per day.
Material Breach
Far worse than the penalty for failure to comply with the basic obligations of the CIA is the penalty for a material breach. A material breach of a CIA (e.g., failure to report a material deficiency, take corrective action and pay appropriate refunds) constitutes an independent basis for exclusion. The exclusion remedy is necessary since the primary reason that the OIG releases a provider from liability for submitting false claims is because the provider agreed to implement compliance measures. As previously discussed, the Inspector General may be willing to waive this provision for certain providers who have self-disclosed. Ideally, however, the best way for a provider to avoid a material breach is not to agree to a CIA that it cannot satisfy.
CIAs address the specific facts of the conduct at issue and are theoretically tailored to the existing capabilities of the provider. A provider faced with having to enter into a CIA should therefore evaluate its operations and the particular circumstances of the case being settled, and should attempt to negotiate the terms and conditions of the CIA with the OIG before agreeing to sign it. The last thing a provider wants to do is enter into a CIA with which it will be unable to comply. Realistically, however, it is an uphill battle for providers to negotiate the terms of a CIA since they generally have very little leverage with the OIG. Therefore, providers want to avoid being in the position of facing a CIA altogether -- which makes the incentives offered in Inspector General Brown's March 2000 letter so very enticing.
OTHER CONSIDERATIONS IN DECIDING WHETHER TO SELF-DISCLOSE
In addition to the incentives provided by the Inspector General's letter, there exist other considerations that providers must ponder when weighing whether or not to make a voluntary disclosure. Notable among such considerations are the Department of Justice's Prosecution Guidelines for Criminally Charging Corporations.
Potential Effect on Criminal Prosecution
In evaluating the potential benefits of making a voluntary disclosure, providers should note that while the OIG's Self-Disclosure Protocol offers no amnesty from prosecution, and in fact specifically reserves the right to refer self-disclosed matters to the Department of Justice for potential criminal and/or civil action,23 the Department of Justice itself offers a significant incentive for potential leniency as a result of a provider making a voluntary disclosure. In June 1999, the Department of Justice issued a set of guidelines entitled "Federal Prosecution of Corporations" ("the Guidelines") which instructed federal prosecutors to take into account eight specific factors in considering whether to bring criminal charges against a corporation.24 While the Guidelines are not mandatory, they should play a meaningful role in the charging decisions of individual prosecutors. According to the Guidelines, one of the factors that prosecutors should consider in deciding whether to bring charges is "[t]he corporation's timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents…."25
Indeed, while the Guidelines offer the potential for a corporate provider to avoid criminal prosecution as a result of making a voluntary disclosure, the cooperation that the Department of Justice will expect following the self-disclosure is very significant. For example, the Department will expect the corporation to identify individual wrongdoers, including senior executives; disclose the complete results of its internal investigations; and possibly waive attorney-client and work product privileges. Furthermore, the Guidelines specifically state that the efforts to protect culpable individuals will weigh against a corporation. Some of the factors to be considered in assessing whether a corporation is protecting culpable employees include whether the corporation is paying the individual's attorney's fees, not terminating employment, or participating in a joint defense agreement.26
DISCLOSURE STRATEGIES
Once a provider has weighed all the pros and cons and decides to make a voluntary disclosure, the central questions then become when and to whom to make the disclosure. This is the point at which strategy truly comes into play in the voluntary disclosure process. Providers must put aside the literal reading of some of the OIG's guidance and shift into self-preservation mode. In fact, the way a Provider makes a voluntary disclosure can be just as important as what it has to disclose.
When to Disclose
The decision regarding when to disclose is critical. The OIG's Protocol states that a provider that uncovers an ongoing fraud scheme within its organization should immediately contact the OIG prior to commencing an internal investigation, or else "there is a substantial risk that the Government's subsequent investigation will be compromised."27 The OIG obviously would like to be notified of possible wrongdoing by the provider as early as possible. The early notification, however, oftentimes may not be in the best interest of the provider. The Protocol sets forth the ideal way that the OIG would like self-disclosures to be made, but as noted previously, the failure to comply with each element of the protocol does not mean that the OIG will decline to accept the provider into the self-disclosure program, or grant the provider the favorable treatment offered by the program.
As a general rule, a provider should not make a disclosure until it has conducted a thorough internal investigation to be sure that it has identified the full extent of the problem, and if possible, taken effective prophylactic measures to assure against any recurrence. Because, as part of the Protocol, a provider must agree to cooperate fully in any subsequent governmental investigation or audit of the matter, it would be unwise for a provider to open itself to such intrusions without having a full understanding of the problem and assurance of its resolution before making a disclosure. Indeed, it should be the exception, rather than the rule, that a provider make a self-disclosure before fully understanding, and hopefully correcting the problem.
Where To Disclose
While timing is important, probably even more critical to the voluntary disclosure decision is determining where to make the disclosure. This can have a tremendous effect on what action may subsequently be taken against the provider by the government. Notably, the OIG states that the Self-Disclosure Protocol is intended to facilitate the resolution of only matters that, in the provider's reasonable assessment, are potentially violative of Federal criminal, civil or administrative laws.28 The OIG further states that matters exclusively involving overpayments or errors that do not suggest that violations of law have occurred should be brought directly to the attention of the entity (e.g., a contractor such as a carrier or an intermediary) that processes claims and issues payment on behalf of the Government agency responsible for the particular Federal health care program (e.g., HCFA for matters involving Medicare)."29 Accordingly, in many situations the facts will be such that the provider will have a reasonable amount of discretion in deciding whether the matter involves an overpayment or error, rather than a violation of law.
If a provider decides to make a disclosure to the program contractor, the protocol instructs the contractor to review the facts surrounding the disclosure and refer the matter to the OIG if the contractor concludes that the disclosure raises questions about the integrity of the provider.30 The OIG's position on this matter is beneficial to providers because a carrier or intermediary may simply accept the overpayment or explanation of the error, and never notify the OIG about the disclosure. Thus, a provider has the potential of making a disclosure in the hope of resolving the problem, and ultimately never coming under the scrutiny of the OIG.
CONCLUSION
While the decision to voluntarily disclose is difficult, and providers oftentimes decide not to disclose, providers and their counsel must be careful to look beyond the wrongdoing and consider the incentives offered by the Inspector General and the Department of Justice to providers who make a voluntary disclosure. As discussed in this article, the possibility of avoiding a CIA is a tremendous incentive for a provider to voluntarily disclose a wrongdoing. Any provider or counsel considering the option of voluntary disclosure would be wise to carefully peruse some recent CIAs - the hesitance to disclose may quickly be overcome by a strong desire to avoid the imposition of a CIA.31
ENDNOTES
4. Provider Self-Disclosure Protocol, 63 Fed. Reg. 58399 (Oct. 30, 1998).
7. Provider Self-Disclosure Protocol, supra note 4.
19. Civil Money Penalty Statute, 42 U.S.C. § 1320a-7a.
23. Provider Self-Disclosure Protocol, supra note 4 at 58403.
24. United States Attorneys' Manual, supra note 22.
27. Provider Self-Disclosure Protocol, supra note 4 at 58400.
