On September 23, 2010, the Department of Health and Human Services (HHS) issued the Medicare self-referral disclosure protocol (SRDP) as mandated by section 6409 of the Patient Protection and Affordable Care Act (ACA).1 The SRDP is now the vehicle by which providers and suppliers may self-disclose actual or potential violations of the physician self-referral statute (Stark law).

The Centers for Medicare and Medicaid Services (CMS) has stated that conduct implicating both Stark and the anti-kickback statute together should continue to be disclosed via the Office of the Inspector General’s (OIG) Self-Disclosure Protocol. The SRDP is to be used strictly for conduct falling under Stark. CMS has also cautioned against wanton use of the SDRP, as CMS may further refer self-disclosing parties to the OIG or the Department of Justice (DOJ) as it deems necessary and appropriate. Further, disclosing parties must agree to drop appeal rights pertaining to claims that are settled via the SRDP.

Contents of the SRDP

An initial submission under the SRDP must include:

  • A description of the matter being disclosed and the type of financial relationship(s) involved;
  • The specific time periods during which the disclosing party may have been out of compliance, including the date whereby the conduct was cured, if applicable;
  • The names and explanation of roles of the entities and individuals "believed to be implicated";
  • A statement regarding why the disclosing party believes a Stark violation may have occurred, including a "complete legal analysis" of the Stark law as applied to the disclosed conduct that includes a description of the potential causes of the incident or practice;
  • The circumstances surrounding the disclosed matter and the measures taken to address the issue and prevent further abuses;
  • An accounting of the history of any similar conduct by the disclosing party, including a statement as to whether the party has any prior criminal, civil, or regulatory enforcement actions (including payment suspensions) against it;
  • A description of the existence and adequacy of any pre-existing compliance programs and all efforts taken to prevent a recurrence of the incident in "the affected division as well as in any related health care entities";
  • A listing of all notices provided to other governmental agencies in connection with the conduct;
  • A financial analysis of the conduct that includes:
    • A The total amount, itemized by year, that is actually or potentially due based upon the applicable "look-back period", defined as the time during which the disclosing party may not have been in compliance with Stark;
    • The methodology used to determine the amount, including a description of any estimates and estimation methodologies; and
    • A summary of any auditing activities undertaken.
  • A certification by an authorized representative that "to the best of the individual’s knowledge, the information provided contains truthful information and is based on a good faith effort to bring the matter to CMS’ attention for the purpose of resolving any potential liabilities" relating to Stark.

Verification by CMS

Upon receipt of the initial submission, CMS will commence verification of the disclosed information. Intensity of the verification process will vary based on the quality and thoroughness of the initial submission. CMS will request access to all financial statements, notes, disclosures, and other supporting documents. CMS will not request attorney-client privileged documents, but may request documents covered by the work product doctrine, provided CMS believes the documents are critical to resolution of the disclosure, and has pledged to work with the provider’s counsel during this analysis. Disclosing parties will have at least thirty days to respond to any requests or follow-up questions.

Verification by CMS

Despite the fact that the ACA authorized CMS to resolve SRDP matters at amounts less than the statutory, claims-made basis, CMS expressly stated that CMS has no obligation to do so. However, in determining amounts due under the protocol, CMS agrees to consider:

  • The nature and extent of the improper or illegal practice;
  • The timeliness of the disclosure;
  • The level of cooperation throughout the SRDP process;
  • The risk of litigation; and
  • The financial condition of the disclosing party.

Initial Analysis

At first blush, the SRDP seems to potentially provide the provider community with a humane and practical means of resolving Stark violations. However, it is important to note that the SRDP offers no guarantee of mercy or reduced punishment from CMS; does not indicate any circumstances in which CMS may accept less than the entire overpayment; and fails to distinguish between "technical" violations, such as lack of signatures or recently expired agreements, and more substantial violations. Additionally, the requirement of a "complete legal analysis" creates the potential for admissions by the disclosing party that may be used against them not only by CMS, but also by other agencies in further enforcement actions. Further, there is no provision for obtaining a liability release from CMS if disclosure of a potential Stark violation is made to the OIG pursuant to the OIG Self-Disclosure Protocol, rather than the SRDP. Therefore, double or triple jeopardy looms as it always has for providers striving to determine which governmental agency it should approach to discuss a potential problem—whether it be CMS, OIG, or DOJ.


Time will tell whether the SRDP will be viewed as a useful tool for both the provider community and CMS in determining and settling Stark violations. However, based on initial impressions, under certain circum¬stances the SRDP may come to be seen as less useful or practical than it could or should have been.