News & Resources

Publications & Media

CMS Publishes Stark Law Self-Disclosure Protocol

Health Law Update Sarah E. Coyne, Lisa A. Lyons, Kevin J. Eldridge

Have you ever wanted to pay the federal government more money, but you just couldn't figure out how to do it? Come to think of it, neither have we. But if you are a health care provider that has identified a Stark Law violation in the past 18 months that did not also involve a potential Anti-Kickback Statute ("AKS") violation, you know the feeling. Well, the Centers for Medicare and Medicaid Services ("CMS") has come riding to the rescue. On September 23, CMS published a self-disclosure protocol for health care providers to report actual or potential violations of the Stark Law (also referred to as the "physician self-referral law") and to resolve any overpayments related to the violations.

As you will recall, since you surely read our March 2009 Health Law Update, providers used to be able to report potential Stark Law violations through the self-disclosure protocol managed by the Office of Inspector General of the U.S. Department of Health and Human Services ("OIG"). But in March 2009, OIG closed its self-disclosure protocol to Stark Law violations unless they also involved a potential AKS violation. Now, thanks to a congressional mandate in the Patient Protection and Affordable Care Act ("PPACA," i.e. the health care reform law), providers will now be able to report Stark Law-only violations to CMS. We're here to answer all of your questions about CMS's new Medicare self-referral disclosure protocol ("SRDP").

Who is eligible for the SRDP?

Any health care provider or supplier, whether an individual or an entity, may make disclosures under the SRDP if the provider or supplier believes that its conduct amounts to actual or potential violations of the Stark Law. CMS cautions that the SRDP is not to be used to check compliance with the Stark Law - CMS has a separate advisory opinion process for such inquiries.

Why should we disclose Stark Law violations through the SRDP?

Money, plain and simple. (What other reason could there be?) The Stark Law is a strict liability statute with huge potential penalties that could attach to even technical violations of the law, such as a lapsed contract or a missing signature. Thus, many providers would jump (and have jumped) at the opportunity to reduce potential exposure to Stark Law penalties, and through the SRDP, they have the chance to do so.

Through the SRDP, CMS has authority to reduce the amount that would otherwise have to be paid for Stark Law violations, based on a number of relevant factors:

  • the nature and extent of the improper or illegal practice,
  • the timeliness of the disclosure, the provider's cooperation in providing additional information related to the disclosure,
  • the litigation risk associated with the matter disclosed, and
  • the financial position of the disclosing party.

Of course, Uncle Sam makes no guarantees; although CMS may (and in most cases will) reduce a reporting provider's repayment obligation, CMS is always free to pursue the full penalties for a reported violation of the Stark Law.

What is the risk of failing to disclose the violations through the SRDP?

More money, thanks to potential liability under the False Claims Act ("FCA"). Under changes to the FCA by the Fraud Enforcement Recovery Act of 2009 and PPACA, a provider that knowingly and improperly retains an overpayment (such as an overpayment due to a Stark Law violation) could be subject to FCA liability unless the provider timely returns the overpayment. PPACA established a deadline for reporting and returning overpayments by the later of: (1) 60 days after the date on which the overpayment was identified; or (2) the date any corresponding cost report is due, if applicable.

Once CMS receives an SRDP disclosure (and a corresponding confirmation email has been received by the disclosing party), the obligation to return any potential overpayment within 60 days will be suspended until a settlement agreement is entered into, the disclosing provider withdraws from the SRDP or CMS removes the disclosing party from the SRDP.

Should we always disclose Stark Law violations only to CMS through the SRDP?

Not necessarily. If conduct represents violations of both the Stark law and the AKS, a disclosure should still be made under the OIG Self-Disclosure Protocol rather than the SRDP. Providers may not make disclosures under both the SRDP and the OIG protocol.

If a provider reports egregious conduct through the SRDP, CMS may refer the matter to law enforcement for consideration of civil or criminal penalties.

And if a provider is already under a corporate integrity agreement or certification of compliance agreement with OIG, it should report a violation of only the Stark Law to both CMS through the SRDP and the provider's OIG monitor.

Okay, we've decided that the SRDP is the correct process for us. How do we make a self-disclosure?

Those hoping for easy submission requirements will be disappointed, as CMS requires that the submission include (among other requirements):

  • the name, address, national provider identification numbers, CMS Certification Number and Tax Identification Number of the disclosing party (and if the disclosing entity is owned, controlled or is otherwise part of a system or network, the provider must include a diagram explaining the pertinent relationships and contact information for each entity);
  • a description of the nature of the matter being disclosed, including the type of financial relationship(s), the parties involved, the specific time periods of potential noncompliance, the type of designated health service claims at issue, the type of transaction or other conduct at issue and the names of individuals and entities believed to be implicated, along with an explanation of their roles;
  • a statement describing why the disclosing party believes a violation of the Stark Law may have occurred, including a complete legal analysis of the application of the Stark Law to the conduct and any self-referral exception that applies to the conduct and/or the disclosing party attempted to use (including which element(s) of the applicable exception(s) were met and not met);
  • circumstances under which the disclosed matter was discovered and any corrective action taken to prevent future abuses;
  • a statement identifying whether the disclosing party has a history of similar conduct or has any prior enforcement actions against it; and
  • an indication of whether the disclosing party has knowledge that the matter is under current inquiry by a government agency or contractor.

Disclosing parties are also expected to conduct a financial analysis as part of their submissions. This financial analysis should set forth the total amount, itemized by year, that is actually or potentially due based upon the applicable "look back" period, i.e. the time during which the parties were not in Stark compliance. Finally, the disclosing party or its authorized representative must certify that the information provided is true and based on a good faith effort to resolve liability under the Stark law.

CMS apparently endorses the belt and suspenders approach (or perhaps it is just worried that its email inbox will soon overflow with reports of Stark Law violations), so it requires that providers make the disclosure by both email and mail.

What happens after we make our disclosure through the SRDP?

CMS will verify the information submitted through the SRDP. CMS hints that providers making more thorough disclosures will be subject to less onerous requirements in the verification process. The disclosing party must grant access to CMS to all of its financial statements, notes, disclosures and other supporting documents without asserting privileges or limitations on the information produced. However, CMS will not normally request disclosing parties to produce written communications that are subject to the attorney-client privilege.

CMS will not accept payments of disclosed overpayments prior to it completing its inquiry. CMS does, however, encourage disclosing parties to place the funds in an interest-bearing escrow account in order to ensure that adequate resources have been set aside to repay amounts owed. During the CMS inquiry, the disclosing party must refrain from making related payments to Medicare contractors without CMS's prior consent.

Until the SRDP is up and running, we will not know how long the entire process will take or how flexible CMS will be in reducing payments.

The SRDP may be found at the CMS website.

If you are considering a voluntary disclosure of a Stark law violation or have any questions regarding the requirements of the SRDP, please contact Sarah Coyne at (608) 283-2435 /, Lisa Lyons at (414) 277-5679 /, Kevin Eldridge at (608) 283-2452 / or your Quarles & Brady attorney.