Coming Clean: CMS Releases Self-Disclosure Protocol for Stark Violations

Fall Issue 2010Newsletters Staying Well Within the Law

The Stark self-referral law can be unforgiving. Unintentional minor technical violations can result in severe penalties and staggering refund liabilities. Until recently, there was no way a physician or provider could come forward and voluntarily disclose such violations to the enforcement agencies, and in an Open Letter dated March 24, 2009, the Office of Inspector General announced it will no longer accept disclosure of a matter that involves only liability under the physician self-referral law in the absence of a colorable anti-kickback statute violation under its 1998 Provider Self-Disclosure Protocol. This policy left providers with limited options when a Stark violation was discovered. The Patient Protection and Affordable Care Act (PPACA) changed all that, up to a point.

On September 23, 2010, six months after the enactment of health reform under the PPACA, the Centers for Medicare and Medicaid Services (CMS) published a Voluntary Self-Referral Disclosure Protocol, which can be found at This protocol allows any physician or provider to disclose actual or potential Stark violations.

More good news under the PPACA: the new law grants the Secretary of Health and Human Services discretion to reduce the amounts due for Stark violations and directs the Secretary to consider as mitigating factors the nature and extent of the improper or illegal practice; the timeliness of such disclosure; the cooperation in providing additional information related to the disclosure; and such other factors as the Secretary considers appropriate. The CMS protocol adds two more factors: the litigation risk associated with the matter disclosed and the financial position of the disclosing party.

Currently, a provider must refund all Medicare payments for designated health services referred by a physician where a non-exempt financial relationship with the physician (or a family member) exists. The new protocol does not guarantee leniency, either with regard to the refund obligations or with regard to any Stark or False Claims Act penalties.

All disclosures must be made electronically and include the following information:

  • The name, address, national provider identification numbers (NPIs), CMS Certification Number(s) (CCN) and tax identification number(s) of the disclosing party.
  • A description of the nature of the matter being disclosed, including the type of financial relationship(s), parties involved, specific time periods the disclosing party may have been out of compliance; type of designated health service claims at issue; type of transaction or other conduct giving rise to the matter; and the names of entities and individuals believed to be implicated and an explanation of their roles in the matter.
  • A statement from the disclosing party regarding why it believes a violation of the physician self-referral law may have occurred, along with a description of the potential causes of the incident or practice (e.g., intentional conduct, lack of internal controls, circumvention of corporate procedures or government regulations).
  • The circumstances under which the disclosed matter was discovered and the measures taken upon discovery to address the issue and prevent future abuses.
  • A statement identifying whether the disclosing party has a history of similar conduct or has any prior criminal, civil and regulatory enforcement actions (including payment suspensions) against it.
  • A description of the existence and adequacy of any pre-existing compliance program and the measures or actions taken by the disclosing party to restructure the arrangement or non-compliant relationship.
  • A description of appropriate notices, if applicable, provided to other government agencies, (e.g., Securities and Exchange Commission and Internal Revenue Service) in connection with the disclosed matter.
  • An indication of whether the disclosing party has knowledge the matter is under current inquiry by a government agency or contractor.
  • A full financial analysis must also be completed for the applicable “look-back period.”

CMS makes it clear this protocol is not to be used to elicit advisory opinions about Stark compliance, and such requests should go through the existing Advisory Opinion process, which has been less than robust to date when compared to OIG’s Advisory Opinion process.

Don’t try this without help. Because of the volume of information required, providers and physicians who become aware of Stark violations should consult with experienced health law counsel before approaching CMS under the self-disclosure protocol.

For more information about this topic, please contact William H. Maruca at 412.394.5575 or [email protected].