On September 23, 2010 the Centers for Medicare and Medicaid Services (CMS) released the Voluntary Self-Referral Disclosure Protocol (SRDP) to facilitate the resolution of matters that are actual or potential violations of the Stark Law. In Section 6409 of the Patient Protection and Affordable Care Act (PPACA) passed earlier this year, Congress required the Secretary of Health and Human Services (HHS) to establish a Medicare self-referral disclosure protocol that provides a process for providers of services and suppliers to self-disclose actual or potential violations of the physician self-referral statute, which is generally referred to as the Stark Law.

The Stark Law prohibits an entity from billing Medicare for “designated health services” (DHS) that were referred to the entity by a physician who has (or whose immediate family member has) a financial relationship with the entity, unless an exception applies. Financial relationships, for purposes of the statute, are direct and indirect relationships, and include ownership/investment interests as well as compensation interests. The statute contains several exceptions to the general prohibition, and CMS has promulgated other exceptions. The basic penalty for prohibited referrals under the Stark statute is the denial of Medicare claims that were made as a result of the prohibited referrals. The Stark statute is a strict liability statute, meaning no intent to violate the statute is necessary for the government to deny claims (or to recover money already paid for allowed claims), and for the beneficiary refund obligation to be triggered. Where there has been a knowing violation, however, the statute also authorizes the government to impose civil monetary penalties and assessments per service, and exclusion from participation in federal and state health care programs. Further, a knowing violation can form the basis of liability under the False Claims Act.

The SRDP is open to all health care providers of service and suppliers, but is limited to violations of the Stark Law. The SRDP is separate from the CMS Stark Law advisory opinion process and cannot be used to obtain a CMS determination as to whether a violation of the Stark Law has occurred. Conduct that raises liability risks under both the Stark Law and the anti-kickback statute should be disclosed through the Office of Inspector General’s Self-Disclosure Protocol (and not through the SRDP). CMS may make referrals to the OIG and/or the Department of Justice when it concludes that the disclosed matter requires a referral to law enforcement for resolution of non-Stark violations. Thus, disclosing parties should carefully consider the appropriate place to disclose actual or potential violations.

SRDP disclosures must be submitted both electronically and by mail to CMS and include a signed certification that the submission contains truthful information and is based on a good faith effort to bring the matter to CMS’ attention for the purpose of resolving potential liabilities. The disclosure must describe the matter involved, a legal analysis of why the disclosing party believes a violation of the Stark Law may have occurred, the circumstances under which the disclosed matter was discovered, and any corrective action that has been taken. The disclosure must also include a description of any pre-existing compliance program that the disclosing party had, a statement identifying whether the disclosing party has a history of similar conduct or other enforcement actions being taken against it, a description of notices provided to other government agencies in connection with the disclosed matter, if applicable, and an indication of whether the disclosing party has knowledge that the matter is under current inquiry by a government agency or contractor or if the disclosing party is under investigation for any other matters relating to a federal health care program. In addition, the SRDP submission should include a financial analysis of the disclosed conduct. The financial analysis should set forth the total amount that is potentially due and owing, describe the methodology used to determine the stated amount, and provide a summary of the auditing activity undertaken and a summary of the documents relied upon.

CMS will verify the information submitted by the disclosing party. The extent of CMS’ verification efforts will depend on the quality and thoroughness of the submitted information. If CMS uncovers additional violations outside of the scope of the matter disclosed to CMS during its verification process, CMS may treat these matters as new matters outside of the SRDP. Thus, disclosing parties should make sure that initial submissions are complete so that CMS’ verification efforts can be minimized.

In determining whether to reduce the amounts owed by the disclosing party under the SRDP, CMS will consider (1) the nature and extent of the improper or illegal practice; (2) the timeliness of the self-disclosure; (3) the cooperation in providing additional information related to the disclosure; (4) the litigation risk associated with the matter disclosed; and (5) the financial position of the disclosing party. The SRDP states, however, that CMS has no obligation to reduce any amounts due and owing.

Note that the SRDP provides that the obligation to return overpayments within 60 days under section 6402 of PPACA1 is tolled until a settlement agreement is entered, the entity withdraws from the SRDP, or CMS removes the entity from the SRDP. Finally, the SRDP provides that “as a condition of entering the SRDP, providers . . . and suppliers agree that if they are denied acceptance into the SRDP, withdraw from the SRDP, or are removed from the SRDP by CMS, the reopening rules at 42 CFR §§ 405.980 through 405.986 shall apply from the date of the initial disclosure to CMS.” This provision is intended to prevent the time period under which CMS must reopen a claim not procured by fraud or similar fault from expiring while CMS evaluates the disclosure.


The SRDP offers very little comfort for DHS entities that may consider disclosing a potential or actual Stark violation. The SRDP does not promise or even imply that CMS necessarily will reduce the amount of potential Stark liability for even “technical” violations (e.g., where a DHS entity failed to have signed, written agreements for medical directorships or leases with referring physicians). For this reason, it is unlikely that DHS entities are going to flood the CMS SRDP electronic mailbox with disclosures. One possible exception may be for those DHS entities that are concerned that a whistleblower suit is imminent, and are willing to roll the dice by disclosing, in the hopes that whatever liability CMS proposes through the SRDP is less than the catastrophic amount it might have to pay if the suit went forward.2

Likewise, some DHS entities may wish to self-disclose potential or actual knowing violations to head off a Department of Justice-initiated False Claims Act suit or an OIG action to assess civil monetary penalties (CMPs). However, one cannot discern from the SRDP whether CMS even allows knowing violations to be accepted into the SRDP,3 let alone whether it will reduce potential liability by any significant amount if it believes that the conduct likely would have come to light even if the self-disclosure was not made. The fact that DHS entities are required to provide a legal analysis also makes a disclosure risky even under the best of circumstances. That is, if an entity admits to a Stark violation in its disclosure, it is completely at the mercy of CMS to reduce the claims liability in a fair manner. If CMS does not make what the entity considers to be a fair settlement offer, the entity will have the choice of paying the proposed settlement amount, or declining the offer and waiting to see if CMS denies the claims at issue. Although the entity theoretically would have the right to appeal an ensuing claims denial, it effectively would have given up its appeal right by admitting to the violation. Therefore, DHS entities may have to temper their disclosure language with words such as “one could argue that” or “it could be seen that” or like words. There are two problems with this approach, however. First, if the legal analysis is complete enough to set forth a cogent position as to why there may be a Stark violation, CMS will have obtained, at the least, significant leverage in forcing a settlement, as the entity will be hard pressed to mount a defense to a claims denial if it rejects the settlement offer. 
On the other hand, if the entity goes too far in the other direction and does not present a sufficient acknowledgement that there may be a Stark violation, CMS could determine that the entity has not engaged in a good faith disclosure and expel the entity from the SRDP process. The overarching problem with the SRDP in this regard is that, whereas settlement negotiations are not admissible in a civil trial, the SRDP in no way indicates that the government will be precluded from using statements made in the disclosure against the entity in a civil or administrative action.


In sum, unless CMS provides more guidance on how and to what extent it will compromise potential liability, or until there is some track record of CMS reducing liability in a significant way (but who wants to go first to establish the history?), it is doubtful that the SRDP will result in any significant increase in self-disclosures of potential Stark violations. Because section 6409 of PPACA requires the HHS Secretary to issue a report to Congress not later than 18 months after establishing the SRDP on (among other things) the number of entities making disclosures pursuant to the SRDP and the amounts collected pursuant to the SRDP, CMS could be incentivized to revise the SRDP to make it more attractive, if its initial experience is that DHS entities are not coming forward to any significant degree. Conversely, CMS could leverage more self-disclosures under the SRDP if it decides to interpret (or, unbeknownst to the public, has already decided to interpret) the mandatory return of overpayments provision in section 6402 of PPACA to mean that DHS entities are required to report and return self-discovered overpayments.4

DHS entities contemplating making a self-disclosure under the SRDP need to proceed cautiously and engage competent legal counsel. The SRDP contemplates that disclosures will be made through counsel, and requires a legal analysis as part of the disclosure. Competent legal counsel is necessary for advising whether a disclosure should be made, and, if a disclosure is made, for crafting the legal analysis in the appropriate manner and for negotiating a settlement.
