Darned If You Do and Darned If You Don't: Perspectives on the Benefits and Dangers of the CMS Self-Referral Disclosure Protocol

January 1, 2012 Published Work
Fraud & Abuse, Volume 1, Issue 1

More than a year ago, on September 23, 2010, the Centers for Medicare & Medicaid Services (CMS) published the Self-Referral Disclosure Protocol (SRDP) that it developed in response to the Patient Protection and Affordable Care Act (PPACA) mandate that the U.S. Department of Health and Human Services (HHS) establish a protocol for the disclosure and resolution of violations of the Physician Self-Referral Law, more commonly known as Stark.1 Because disclosure under the protocol is voluntary, since its release, providers have struggled with deciding whether or not to disclose pursuant to the SRDP.

To date, there has been only one publicized SRDP settlement: on February 10, 2011, Saints Medical Center in Lowell, MA, announced that it agreed to pay $579,000 to resolve its Stark liability. Saints stated that this amount was "less than the reserve .. . set aside . . . to address this issue, which was based on management's estimate of the low end of the range of the potential obligation."2 According to a local newspaper, Saints Medical Centers' potential liability was $14 million,3 indicating that participation in the SRDP may be a favorable alternative for providers.

On April 7, 2011, CMS announced that it was processing sixty disclosures pursuant to the SRDP.4 As more of these cases are resolved, further information will become available regarding CMS' efforts to resolve Stark liability in a flexible, collaborative manner through use of the protocol. Until then, as providers review their physician relationships and consider disclosure under the SRDP, they should carefully evaluate the potential benefits and dangers outlined in the protocol.

The Stark Law
Stark prohibits a physician from making referrals for certain designated health services (DHS), payable by Medicare or Medicaid, to an entity with which he or she has a financial relationship, unless an exception applies. Because Stark is a strict liability law, its penalties may be imposed even for technical violations, including common mistakes such as failure to renew an expired contract. Penalties can be severe and may require a refund of all payments made for DHS referred by the physician while the relationship was not in compliance with Stark, plus penalties and interest. For example:

  • In March 2010, after a seven-year, whistleblower-initiated investigation, Rush University Medical Center in Chicago agreed to pay $1.5 million plus interest to resolve allegations that the facility violated Stark by entering into certain leasing arrangements for office space with physicians.5
  • In November 2010, Saint Joseph's Medical Center in Towson, MD, agreed to pay $22 million to settle allegations that it violated the Anti-Kickback Statute and Stark when it entered into a series of professional services contracts with a cardiology group. The payments under these contracts were allegedly higher than fair market value and for services not rendered or that were not commercially reasonable.6
  • In December 2010, Detroit Medical Center agreed to pay $30 million to resolve allegations involving improper financial relationships with referring physicians. According to the U.S. Department of Justice, "most of the relationships at issue . . . involved office lease agreements and independent contractor relationships that were either inconsistent with fair market value or not memorialized in writing."7

The SRDP is intended to facilitate the resolution of actual and potential Stark violations. According to CMS, a disclosing party should only make a submission pursuant to the SRDP with the intention of resolving its Medicare overpayment liability exposure. PPACA granted the HHS Secretary the authority to reduce the amount "due and owing" for all Stark violations and in the protocol, CMS stated that it will "work closely with a disclosing party that structures its disclosure in accordance with the SRDP to reach an effective and appropriate resolution."8

While the SRDP can serve as a helpful tool in resolving potential Stark liability, before taking advantage of the SRDP, healthcare providers should carefully consider the various factors outlined here when determining whether to disclose under the SRDP.

Participation in the SRDP is limited to actual or potential Stark violations. If the disclosure includes violations of other laws, such as the Anti-Kickback Statute, which is enforced by the Office of Inspector General (OIG), the SRDP cannot be used. The OIG Self Disclosure Protocol, which has been in place since 1999, should be considered in such instances.9 Because the SRDP and the OIG Self Disclosure Protocol cannot be used simultaneously, providers must carefully consider the proper avenue for disclosure.

Also, the SRDP cannot be used to obtain an advisory opinion as to whether certain circumstances violate Stark. According to CMS, if a disclosing party argues that the circumstances do not constitute a Stark violation, the disclosure will not be accepted into the SRDP. In addition, providers may not disclose through the SRDP and request an advisory opinion regarding the same arrangement concurrently. Therefore, providers must have concluded that a Stark violation occurred and should be prepared to enter a corresponding monetary settlement before disclosing pursuant to the SRDP.

Interestingly, a disclosing party that is already subject to government inquiry through investigations, audits, or routine oversight may still avail itself of the SRDP, so long as the disclosure is made in good faith. In addition, providers that are under Certification of Compliance Agreement (CCA) or Corporate Integrity Agreement (CIA) reporting obligations must disclose reportable events solely related to a Stark issue pursuant to the SRDP, with a copy to the disclosing party's OIG monitor.


Suspension of the Sixty-Day Reporting and Repayment Obligation
An initial immediate benefit to disclosing pursuant to the SRDP is that the submission of a disclosure suspends the obligation, under Section 6402 of PPACA, to return overpayments within sixty days of identification. This suspension of the sixty-day timeframe lasts until a settlement agreement is entered or the disclosing party withdraws from the SRDP or is removed from the SRDP by CMS. Damages Calculation In theory, the primary benefits of self-disclosure pursuant to the SRDP are that the provider can resolve the violation, potentially pay reduced monetary amounts, and avoid a costly government investigation. The SRDP provides the opportunity to disclose and enter a monetary settlement in order to avoid the risk of investigation and prosecution to the fullest extent of the law. PPACA, for the first time, provided CMS with the authority to reduce the amount owed, based on the following factors:

  • Nature and extent of the illegal practice;
  • Timeliness of the self-disclosure;
  • Cooperation in providing additional information related to the disclosure;
  • Litigation risk associated with the matter disclosed; and
  • The financial position of the disclosing party.

CMS additionally stated that it will consider the following sub-factors:

  • Agreement's commercial reasonableness;
  • Whether the agreement took into account the value or volume of referrals;
  • Whether the agreement's compensation terms were set in advance;
  • Length and pervasiveness of the noncompliance;
  • Steps taken to correct the noncompliance;
  • Whether the provider has a history of program abuse;
  • Presence and strength of the provider's compliance program;
  • Timeliness of the self-disclosure;
  • Provider's cooperation in providing additional information; and
  • Disclosing party's financial position.

These factors may operate for the benefit or to the detriment of the provider, depending on the circumstances. The SRDP does not set forth any formula or set methodology, and CMS has no obligation to reduce any overpayment amounts identified. Individual determinations will be made based on facts and circumstances.

CMS stated that it does not intend to issue press releases or otherwise publicize particular SRDP settlements; rather, it will leave the decision about whether or not to publicize to the disclosing party.10 The Saints' Medical Center settlement, described above, became public via a press release issued by the Hospital. That settlement is the only publicized settlement reached via the SRDP thus far and seemed very favorable to the provider.

In March 2012, CMS must submit a report to Congress on the SRDP detailing the number of settled self-disclosures, the amounts collected, and other data. Until then, other than anecdotal settlements that may become public, providers will likely have little precedent or other guidance to predict how their cases may be resolved, causing the greatest potential benefit of the SRDP to also be one of its greatest potential dangers.


Further Investigation
As explained above, the SRDP is to be used only for potential or actual Stark violations and not in cases where other laws may be implicated, such as the Anti-Kickback Statute. CMS makes it clear that once a disclosure is made, whether or not it is accepted into the SRDP, CMS may refer the case to OIG and the Department of Justice (DOJ) for resolution under the False Claims Act, civil monetary penalty, or other liability. Therefore, CMS warns that "the disclosing party's initial decision of where to refer a matter involving non-compliance with . . . [Stark] should be made carefully."11 Moreover, CMS states that if it uncovers matters during its verification process that are outside the scope of the matter disclosed, CMS may treat them as new matters outside the SRDP, subject to separate investigation by the appropriate authorities.

Period of Disallowance
The disclosing party is required to conduct a financial analysis of its Stark liabilities and disclose its findings to CMS. The financial analysis must set forth the total amount, itemized by year, that is actually or potentially "due or owing." Generally, this calculation will include all Medicare payments for DHS received by the disclosing party that were made as a result of referrals generated while the relationship was not Stark compliant. The calculation must cover the entire time period "during which the disclosing party may not have been in compliance with the physician self-referral law." When the disclosure involves longstanding arrangements, this period could cover many years and even go further back than the general four-year period in which CMS may reopen claims for good cause. Although CMS representatives publicly stated12 that they need to analyze the amounts paid over the entire period of noncompliance in order to fully understand the scope of the violations involved, providing a financial analysis for that entire time period will prove challenging for some providers and also might make it difficult for providers to negotiate smaller settlements.

Forfeiture of Right to Appeal
As a condition of disclosing a matter pursuant to the SRDP, the disclosing party must agree that no appeal rights attach to claims relating to the conduct disclosed if resolved through a settlement agreement. The forfeiture of appeal rights occurs only if a settlement is reached. If the party stops participating in the SRDP process at any point, by either withdrawing or by being removed by CMS, then the party may appeal any subsequent government action as appropriate.

Forfeiture of Attorney-Client Privilege
In the course of its verification of the disclosure, CMS may require access to all financial statements, notes, disclosures, and other supporting documents without the assertion of privileges or limitations on the information produced. While CMS states that it will not specifically request the production of written communications that are subject to attorney-client privilege, it further explains that it may demand to see documents or other materials covered by the work product doctrine when CMS believes the document will be critical to resolving the disclosure. In those instances, according to the SRDP, CMS will work with the disclosing party's counsel on ways to gain access to that information without the need for a waiver of the attorney-client privilege.

The decision to enter the SRDP is only the beginning. Providers must be meticulous in ensuring that all submissions are accurate and complete. All submissions must be accompanied by a certification stating that the information is truthful and is based on a good-faith effort to bring the matter to CMS' attention to resolve any potential liabilities. According to CMS, "the intentional submission of false or otherwise untruthful information, as well as the intentional omission of relevant information, will be referred to DOJ or other Federal agencies and could, in itself, result in criminal and/or civil sanctions, as well as exclusion from participation in Federal health care programs."13 Also, providers must be prepared to cooperate fully with CMS' verification of the disclosure, including providing additional information. CMS stated it is "essential" to show "diligent and good faith cooperation throughout the entire process."14 A perceived lack of cooperation could result in CMS' removal of the case from the SRDP and referral to other government authorities.

As a condition of entering the SRDP, providers must agree that if they are denied acceptance in the SRDP, withdraw from the SRDP, or are removed from the SRDP by CMS, the reopening rules at 42 CFR 405.980 through 405.986, which allow government contractors to reopen claims after a binding payment decision has already been made, apply from the date of the initial disclosure to CMS. This is significant because it means that by virtue of the disclosure, the provider is essentially allowing CMS to re-examine paid claims that would otherwise be closed. Note, however, that in a fraud investigation, the government may reopen a claim at any time if there exists reliable evidence that the initial payment determination was procured by fraud or similar fault.

The SRDP can be effective if used appropriately. In cases where a provider is aware of an overpayment due to Stark noncompliance and where no other laws are implicated, the SRDP is an attractive option as it may result in reduction of the overpayment and will, at the very least, result in resolution of the matter with HHS. Use of the SRDP can also be disastrous, however, if the provider is oblivious to its potential dangers. Providers must not only ensure that their cases are eligible for submission to the SRDP, but also analyze the unique facts and circumstances involved and conduct a thorough risk-benefit analysis before proceeding.

Simply put, the SRDP might cause providers to feel stuck in a "darned if you do, darned if you don't" quagmire. Although proceeding with the SRDP has inherent dangers, failing to disclose potential Stark liability may put a provider in significant jeopardy as well. As more information, particularly about specific SRDP settlements, is released, hopefully, providers will feel more comfortable taking advantage of the benefits the SRDP is intended to provide.

Note: After this article was submitted, a new SRDP settlement was posted on the CMS website. According to CMS: "On November 11, 2011, CMS settled several violations of the physician self-referral statute disclosed by a critical access hospital located in Mississippi (Hospital) under the SRDP. The Hospital disclosed under the SRDP that it violated the physician self-referral statute by failing to satisfy the requirements of the personal services arrangements exception for arrangements with certain hospital and emergency room physicians. All violations disclosed were settled for $130,000.00.

Also note that a version of this article was originally published in the May 16, 2011, Vol. 37, No. 20 issue of the Connecticut Law Tribune.

1 The CMS SRDP is available at

2 See

3 Nina Youngstrom, First Stark Case Is Resolved Through CMS Self-Disclosure; Is the OIG Option Gone?, AISHealth, February 21, 2011, available at

4 The New Stark Self-Disclosure Protocol: A New Solution, The American Bar Association Health Law Section and the ABA Center for Continuing Legal Education Teleconference, April 7, 2011.

5 See

6 See

7 See

8 CMS Voluntary Self-Referral Disclosure Protocol, OMB Control Number: 0938-1106, at page 2. The CMS SRDP is available at

9 The OIG Self Disclosure Protocol is available at

10 The New Stark Self-Disclosure Protocol: A New Solution, The American Bar Association Health Law Section and the ABA Center for Continuing Legal Education Teleconference, April 7, 2011.

11 CMS Voluntary Self-Referral Disclosure Protocol, OMB Control Number: 0938-1106, at page 3. The CMS SRDP is available at

12 Stark Self Disclosure: Understanding and Working with CMS's New Self Referral Disclosure Protocol: A Conversation with the Regulators, Health Care Compliance Association Teleconference, January 2011; The New Stark Self-Disclosure Protocol: A New Solution, The American Bar Association Health Law Section and the ABA Center for Continuing Legal Education Teleconference, April 7, 2011.

13 CMS Voluntary Self-Referral Disclosure Protocol, OMB Control Number: 0938-1106, at page 6. The CMS SRDP is available at

14 Id.