Self-Disclosure of Stark Law Violations: Devil or Deep Blue Sea?

Sandra P. Greenblatt, Esq.
Board Certified Health Lawyer

CMS recently issued the much-anticipated Stark Self-Referral Disclosure Protocol (“SRDP”), mandated by the Patient Protection and Affordable Care Act of 2010 (“PPACA”),  providing a process for health care providers and suppliers to self-disclose actual or potential violations of the federal Stark law.  Recall that Medicare payments for Stark “designated health services” provided as a result of a physician referral that violates the Stark law must be repaid to Medicare.

However, the SRDP leaves providers and suppliers “between the devil and the deep blue sea,” as CMS may, but is not required to, lower the recoupment amount owed and may make recommendations to the OIG, Justice or law enforcement, if warranted by the reported facts and circumstances. What the SRDP does offer providers is suspension of the deadline to report and repay Medicare overpayments, which PPACA established as 60 days after an overpayment is identified or the date any corresponding cost report is due. Failure to timely repay Medicare may result in criminal allegations to the extent a prosecutor construes inaction as fraudulent concealment, or False Claims Act liability if the government or a whistleblower alleges the provider improperly avoided repaying Medicare reimbursements resulting from prohibited referrals. Another benefit is that the fact that a disclosing provider is already under investigation by the government does not preclude use of the SRDP.

The SRDP requires that providers choose among the SRDP, CMS’s advisory opinion process and OIG’s Self-Disclosure Protocol—they cannot disclose the same conduct under more than one of these processes simultaneously. The OIG will no longer accept Stark-only self-disclosures. The SRDP states CMS will “review the circumstances surrounding the matter disclosed to determine an appropriate resolution,” yet warns that a provider has no appeal rights with respect to a matter settled through the SRDP. Presumably a good faith disclosure will be viewed favorably by CMS. The SRDP dictates that CMS will consider the following 5 mitigating factors in determining the Stark repayment amount: (1) nature and extent of the improper or illegal practice; (2) timeliness of self-disclosure; (3) cooperation in providing additional information; (4) litigation risk associated with the matter disclosed; and (5) the financial position of the disclosing party.

Providers or suppliers wishing to use the SRDP must submit their disclosure electronically with an original and one copy mailed to CMS’s Technical Payment Policy Division. Providers will receive immediate electronic confirmation, followed by a letter from CMS either accepting or rejecting the disclosure. The SRDP submission must include the following:

  • The name, address and other identifying information of the provider or supplier, including ownership and pertinent affiliations;
  • Description of the nature of the matter, including the financial relationships at issue, relevant dates, time-period of noncompliance, and “the names of entities and individuals believed to be implicated and an explanation of their roles in the matter;”
  • Provider’s full legal analysis as to why it believes it violated Stark, including the element(s) of any Stark exceptions that were and were not met;
  • How the matter was discovered, and measures the provider took to correct it;
  • Statement identifying whether the disclosing party has a history of similar conduct;
  • Description of the provider’s Corporate Compliance Program and efforts to prevent a recurrence of the matter;
  • Any notices provided to other government agencies;
  • Whether the provider is aware that the matter is under investigation by another government agency; and
  • Detailed financial analysis of the full amount actually or potentially due, based on the period of Stark non-compliance.

Post-disclosure, CMS will engage in a “verification effort,” presumably of relevant documents, payment data and the provider’s legal analysis. CMS expects full cooperation by disclosing parties “without the need to resort to compulsory methods” to obtain documentation.  Failure to cooperate could result in removal from the SRDP. CMS’s verification may conflict with the attorney-client privilege and work product doctrine. In such cases, CMS indicates that it is prepared to work with providers to obtain the underlying data without a waiver of privilege.  CMS also directs providers not to send repayment to CMS or the Medicare contractor after or as part of a disclosure submission, without CMS consent. Nevertheless, the SRDP “encourages” providers to place funds in an interest-bearing escrow account until a final settlement with CMS.

It was hoped that the SRDP would offer a more attractive, lenient process for resolving Stark violations—especially those stemming from mere “technical” violations where no fraud appeared (e.g., physician contracts with missing signatures, late signatures, expired contracts, etc.). However, CMS declined to make any distinction between “technical” and more complex Stark violations in the SRDP. The decision to self-disclose has always been a difficult one. Many questions remain, and providers and suppliers must carefully evaluate use of the SRDP with their competent health lawyers.

This article is an overview of the topic and is not intended as, nor does it constitute, legal advice, which can only be given after engaging our firm and a thorough review of specific facts. Sandra Greenblatt is a 20-year Board Certified Health Lawyer and President of the health law firm of Sandra Greenblatt, P.A. in Miami, Florida.