On September 23, 2010, the Centers for Medicare and Medicaid Services (CMS) released its long-awaited self-referral disclosure protocol (SRDP), which is effectively immediately. The SRDP (available here) is intended as a mechanism for health care providers and suppliers to resolve liability arising from noncompliance with the Stark law, with at least the possibility of having to pay an amount less than the sometimes extremely high amounts required under current law. As described below, the SRDP contains substantial limitations and raises significant questions.


The Stark law prohibits physicians from referring Medicare beneficiaries for “designated health services” to entities (generally hospitals) with which they have a financial relationship, unless an exception applies. As important, Stark also prohibits entities from submitting claims to Medicare for services that arise from prohibited referrals. The Stark prohibitions are strict, and its exceptions are highly technical and seldom intuitive. Stark violations are thus easy to commit, but can trigger significant and often disproportionate financial and legal consequences.

Entities that discover even inadvertent Stark noncompliance often have no good options. Repayment of prohibited claims can be unaffordable, but failure to repay can expose an entity to False Claims Act liability and attendant qui tam suits. Moreover, with very few exceptions, negotiated settlement has not been an option: the HHS OIG’s self-disclosure protocol is no longer available for Stark violations, and, until now, CMS has provided no similar avenue for redress.

The Patient Protection and Affordable Care Act (PPACA), enacted earlier this year, directed the Secretary of HHS to develop a protocol under which health care providers and suppliers could self-disclose Stark violations and potentially reduce their repayment obligations. The SRDP is that protocol.

The Self-Referral Disclosure Protocol

The SRDP provides a framework for entities to self-disclose “actual or potential violations” of Stark. The framework has significant procedural requirements and limitations and raises substantial questions:

  • Consistent with similar frameworks developed by the OIG, disclosure is required within 60 days after an “overpayment was identified.” The SRDP states that parties generally may not make repayments while a self-disclosure is pending, but that timely disclosure will suspend the 60-day period during which parties otherwise are required to repay overpayments under PPACA. CMS has not indicated how quickly it will process self-disclosures, but has “encouraged” parties to place anticipated repayments in an “interest-bearing escrow account” — a potentially impossible task for some hospitals with limited liquidity and large potential liability.
  • CMS will not make a legal determination as to whether a violation actually occurred, reserving those determinations for the advisory opinion process. However, the SRDP — which contemplates self-disclosure of “potential violations” — does not address the timing implications of a party’s sequential use of the advisory opinion process and the self-disclosure protocol. This, combined with PPACA’s 60-day repayment obligation, increases the importance for a hospital to clearly determine when and if it has “identified” an overpayment.
  • Parties may not disclose “the same conduct” to both CMS under the SRDP and the HHS OIG under its self-disclosure protocol. CMS may, however, refer a disclosure to the Department of Justice or the HHS OIG “for consideration under . . . civil and/or criminal authorities,” and self-disclosure under the SRDP does not release parties from liability under other laws. Hospitals concerned about matters that could present both Stark and Anti-Kickback liability therefore will have to consider carefully how to proceed.
  • The disclosure must include a “description of the existence and adequacy of a pre-existing compliance program.” This requirement adds to the importance of implementing effective compliance programs as part of ongoing operations.
  • While CMS asserts that it will not request privileged materials “[i]n the normal course of verification,” it nonetheless suggests that it may demand production of privileged documents. Any self-disclosing party and its counsel would have to consider very carefully the significant ramifications of a voluntary privilege waiver.
  • The disclosure must identify the total amount “due and owing” from the entire period “during which the disclosing party may not have been in compliance with the physician self-referral law.” Similarly, in order to self-disclose, a party may be required to consent to the reopening of claims that otherwise would no longer be subject to reopening under existing law. The SRDP thus appears to disregard the limitations periods under applicable laws, which may be highly relevant for noncompliant arrangements that have gone undetected for many years.
  • PPACA authorizes the agency to reduce parties’ repayment obligations under Stark. In promulgating the SRDP, however, CMS did not adopt the recommendation of commenters, including the American Hospital Association, to set a stipulated penalty for technical noncompliance. A self-disclosing party therefore will not know at the outset of the process whether self-disclosure will result in a reduced repayment obligation. Factors that CMS has said it will consider in determining the repayment amount include:
    • the nature and extent of the violation;
    • the timeliness of self-disclosure (in practice, because self-disclosure must be made within 60 days of discovery, this likely refers to the timeliness of discovery);
    • the disclosing party’s cooperation (which CMS may view as including a waiver of privilege);
    • litigation risk; and
    • the disclosing party’s financial condition.


While providing a process for self-disclosure and possible reduction in Stark penalties, the SRDP fails to provide relief for hospitals and other providers confronting the strictness of the Stark law even when violations are occasioned by nothing more than administrative oversight. Indeed, by requiring parties to consent to reopening of claims that otherwise may be closed or time-barred, self-disclosure could increase a party’s potential liability. In any event, availability of the process significantly changes the calculus as to how parties should address Stark noncompliance, and continues the increased pressure — including that arising from the recent changes to the False Claims Act — to have in place effective preventive and compliance mechanisms.

A report regarding disclosures made and amounts collected pursuant to the SRDP should be forthcoming. PPACA requires that the Secretary of HHS submit this report to Congress within 18 months of the date of establishment of the SRDP.