Executive Summary

In today’s challenging health care enforcement environment, hospitals and health systems are facing increasing exposure related to violations of the physician self-referral law, commonly known as the Stark Law. In recent years, the federal government has ramped up its efforts to identify Stark Law violations and has recovered Medicare overpayments from providers with increasing success. In addition to its own efforts, the government has used the damage-sharing provisions of the Federal False Claims Act (FCA) to incentivize whistleblowers to bring arrangements that violate the Stark Law to its attention. Penalties for Stark Law violations, particularly those that also constitute violations of the Anti-Kickback Statute and the FCA, can be significant. Because Stark Law liability can be transferred to buyers in hospital transactions, sellers are facing growing pressures to resolve actual and potential violations as a condition to closing affiliation transactions. One way to resolve actual or potential Stark Law violations is through the Centers for Medicare and Medicaid Services (CMS) special program known as the Self-Referral Disclosure Protocol (SRDP). Disclosing violations through the SRDP can help providers reduce their damages associated with both Medicare overpayments for Stark Law violations and potential lawsuits brought under the FCA.


The Stark Law governs financial relationships between physicians and providers of designated health services (DHS), which include inpatient and outpatient hospital services, clinical lab services and radiology services. Specifically, the Stark Law prohibits patient referrals between physicians and DHS providers unless their relationship meets numerous specific substantive and technical requirements. These requirements apply to a broad range of physician-provider relationships, including personal service arrangements, leases, and recruitment agreements. Stark Law violations can range from the unintentional and technical (i.e. expired or unsigned physician contracts) to the intentional and substantive (i.e. compensation based on referral volume), all of which are subject to the same penalties.

Since 2010, DHS providers have been able to resolve actual or potential Stark Law violations with CMS using the SRDP. The SRDP represents a substantial change in CMS’s settlement authority. Previously, CMS had limited authority to mitigate overpayment penalties imposed on providers for Stark Law violations. Now, although it has no obligation to do so, CMS has full authority to reduce overpayment penalties for providers who disclosure Stark Law violations under the SRDP. CMS’s settlement decisions are primarily based on the agency's balance of (1) the amount of Medicare overpayments a provider owes the federal government, and (2) the nature of the disclosing party’s violations, and (3) its good faith and cooperation in enrolling under the SRDP. As discussed in detail below, one of the SRDP’s key benefits involves avoiding future liability under the FCA, a statute which has quickly developed into one of the greatest concerns facing hospitals and health care systems today. By making an SRDP disclosure, a provider can avoid liability under the FCA stemming from a whistleblower’s disclosure of a Stark Law violation to the federal government. The following are 9 points of consideration that hospitals and health systems should evaluate when considering making disclosures of actual or potential Stark Law violations under the SRDP.

9 Core Considerations for Hospitals Considering the SRDP

Technical Stark Law Violations are Common but can Still Lead to Large Penalties 

Technical violations of the Stark Law are very common among hospitals. In fact, according to some sources, nearly 95% of entities that provide DHS have arrangements with referring physicians that are technically non-compliant with the Stark Law.1 CMS considers any payments to or billing by providers in violation of the Stark Law to be overpayments of Medicare funds that must be reported and returned to the federal government, and regards its enforcement duties as critical to protecting the Medicare program. 2 While CMS evaluates technical violations more favorably than substantive violations when making settlement offers under the SRDP, unintentional violations can result in the same Medicare overpayment penalties as intentional violations. 

Stark Law Violations Can Negatively Impact Hospital Transactions

Because penalties for Stark Law violations are imposed on the current party to a Medicare provider agreement (regardless of its actual responsibility for the violation), hospital buyers and affiliation partners now commonly require that sellers resolve actual or potential Stark violations or set aside financial reserves for an SRDP settlement as a condition to closing a transaction. This is driving many sellers to make SRDP disclosures, either before searching for a buyer or before finalizing a purchase agreement. While the SRDP process can involve substantial provider time and resources, it has several positive aspects for sellers. First, CMS may be able to expedite disclosures where a transaction's closing or key provisions are dependent on a seller’s successful settlement with the government. Second, CMS has also proposed—but not yet finalized—an expedited SRDP process for technical violations. 3 These actions indicate the agency understands the tensions between buyers’ desires to reduce their liability for Stark Law violations and the need for efficiency in health care transactions.

Public and Private Stark Law Enforcement are on the Rise

While in the past hospitals often chose to simply resolve non-compliant arrangements internally and move on, today’s enforcement climate has led DHS providers to consider the SRDP as a viable alternative approach. In addition to potential enforcement actions brought by CMS, providers can face substantial liability for violations disclosed by internal or external whistleblowers under the FCA. Under the FCA, providers who are found liable for receiving Medicare overpayments (resulting from a Stark Law violation) can be subject to penalties of up to $11,000 per violation or claim from a suspect arrangement and up to three times the amount a provider owes the government in Medicare overpayments. Under the FCA, whistleblowers who disclose a provider’s failure to return overpayments related to Stark Law violations may share in the government’s damages. In recent years, FCA claims against hospitals and health systems have risen significantly, and many have resulted in staggering settlement and damage amounts. For example, Halifax Hospital and Intermountain Health Care have settled cases involving FCA claims for $85 million and $25.5 million, respectively. Resorting to litigation under the FCA poses even greater risks for providers. In 2013, Tuomey Healthcare System was ordered to pay $235.5 million after losing an FCA case at trial. In comparison to these numbers, SRDP settlements represent a more affordable method of resolving actual or potential Stark Law liability.

The Federal Government Considers Health Care Fraud an Enforcement Priority

Providers should expect enforcement pressures to continue in the future. In 2009, the federal government created a joint task force—between the U.S. Department of Health and Human Services (HHS) and the Department of Justice (DOJ)—to boost recovery of Medicare overpayments that has achieved “historic results.”4 The Health Care Fraud Prevention and Enforcement Action Team (HEAT) has helped the federal government recover over $9.5 billion from providers over the past five years. HEAT’s success, combined with continued incentives for whistleblowers, indicates that enforcement trends are likely to continue in the future. For that reason, providers should take all steps possible to reduce the risk of an FCA case, including the disclosure of actual or potential Stark Law violations under the SRDP.

The SRDP Helps Providers Avoid Future Liability Under the FCA

Using the SRDP is one way for providers to minimize their settlements with the federal government and avoid future FCA claims brought by whistleblowers. Once providers disclose Stark Law violations under the SRDP, such behavior is effectively protected from liability in cases brought by whistleblowers under the FCA. Because Stark Law violations disclosed under the SRDP are considered “public,” whistleblowers cannot be the “original source” of information related to the overpayment as required by the FCA. While making a disclosure to CMS can be time and resource intensive, and will likely result in payment of penalties, the relative predictability in SRDP settlements makes the financial risks associated with self-disclosure preferable to the potentially crushing damages of an unknown, future FCA case. While there is no assurance of a rational settlement with CMS, most of the self-disclosures made under the SRDP have resulted in settlements of less than $1 million. All of those settlements have been specific to the provider, the severity of their actual or potential Stark Law violation, and the overpayment amount owed to Medicare. For these reasons, the SRDP has been increasingly viewed as a viable way for providers to resolve Stark Law violations.

CMS’s SRDP Overlaps with Other Federal Agencies’ Enforcement Areas

Providers should note that the SRDP may only be used to clear potential liability with CMS (stemming from the agency’s authority over the Medicare program). Providers who are confident their disclosures include only technical Stark violations can generally limit their disclosures to the SRDP. Providers who discover other concerns, such as substantive Stark Law or Anti-Kickback Statute violations, should know that they may need to make multiple disclosures to other federal agencies. CMS and the HHS Office of Inspector General (OIG) collaborate to resolve related disclosures but require that providers make separate disclosures under their respective protocols. 5 For example, if a provider discovers both technical and substantive Stark Law violations, it should consider using the SRDP and make a separate disclosure under HHS OIG’s Provider Self-Disclosure Protocol (SDP) (because substantive Stark Law violations may also trigger liability under the Anti-Kickback Statute). Providers also facing potential liability under the FCA should be aware that the DOJ addresses FCA claims separately from Stark Law and Anti-Kickback violations, even if they involve the same or similar conduct disclosed under the SRDP and/or the SDP.

The SRDP Tolls the Period for Reporting Medicare Overpayments under the ACA

The Affordable Care Act (ACA) mandates that providers report known (not potential) Medicare overpayments to the federal government by (i) either 60 days after the overpayment was discovered or (ii) if applicable, the date on which a corresponding cost report is due. Providers with overpayments that they have identified, or should have identified, must abide by this time frame for disclosure or else face civil liability under the FCA. CMS has not yet adopted this provision by regulation, but because of its overlap with providers’ self-disclosures under the SRDP, CMS has accordingly suspended the ACA's self-reporting requirement for providers enrolled in the SRDP. This tolling of the ACA's self-reporting requirement for violations disclosed under the SRDP allows providers to avoid liability under the FCA for failure to return known overpayments to the Medicare program.

CMS has Discretion in Evaluating the Nature of Disclosures Made Under the SRDP and Determines Settlement Amounts Accordingly

Under the SRDP, CMS balances the amount a provider owes the government with the provider’s behavior and determines settlement amounts by considering: (1) the nature and extent of the improper or illegal practice; (2) the timeliness of such disclosure; (3) the disclosing party’s cooperation in providing additional information related to the disclosure; and (4) other factors that the Secretary considers appropriate. For example, providers who enter the SRDP in good faith and remain forthcoming with the government throughout the disclosure process are more likely to have a favorable settlement outcome. Similarly, providers who demonstrate robust efforts in identifying non-compliant arrangements and developing robust compliance policies are also likely also be viewed more favorably by CMS.

Reported SRDP Settlement Amounts are Provider and Behavior Specific

CMS does not publicly release the names of settling parties, nor does it release the actual amount of Medicare overpayments associated with its settlements. But CMS does describe the type of provider involved, its location, the type and number of Stark law violations (including whether they are actual or potential) and the final settlement amount. The lack of commonality between settlements, particularly for providers with similar types and numbers of Stark Law violations, combined with CMS’s ability to take the individual circumstances of a provider’s disclosure, suggests that SRDP settlements are highly fact-dependent. For example, CMS’s first reported settlement under the SRDP dealt with non-compliant personal service arrangements at a hospital in Massachusetts. News reports suggested the potential Stark liability could have been as high as $14 million, but the reported settlement amount was $578,000. This suggests that the SRDP may be a method of substantially reducing the overpayment amount, particularly where a provider’s Stark Law violation is more technical than substantive in nature.

* * *

Providers concerned about actual or potential Stark Law violations should bear in mind the previous considerations when evaluating enrollment in the SRDP. While the SRDP can involve significant provider time and financial resources, it represents a viable way for providers to settle with CMS (likely for far less than the amount of Medicare overpayments due) and foreclose potential future FCA liability.

Kathleen Fisher