On September 23, the Centers for Medicare & Medicaid Services (CMS) released the muchanticipated Medicare self-referral disclosure protocol (SRDP). CMS was required to establish the SRDP by Section 6409 of the Affordable Care Act (ACA), which obligated the Secretary of Health and Human Services to inform providers and suppliers how to self-disclose actual or potential violations of the Stark law. While the SRDP provides a mechanism for providers and suppliers to self-disclose Stark violations and potentially reduce overpayment liability, disclosure is not risk-free. Providers may face administrative, civil, and/or criminal liability, as well as exclusion from federal health care programs, if the disclosed conduct implicates other legal prohibitions. Providers must also provide CMS access to all relevant information without the assertion of privileges or limitations on the information produced, and matters uncovered during CMS' review that are unrelated to the disclosed conduct are not subject to the SRDP. Lastly, providers must agree to waive appeal rights for claims related to the conduct.
Due to these risks, CMS expressly warns providers to carefully consider disclosure before making a submission under the SRDP. While CMS' warning may cause providers to think twice before disclosing, providers ultimately may have little choice but to self-disclose, as providers who fail to timely report and return overpayments, as required by the ACA, may subject themselves to False Claims Act liability. SRDP:
The SRDP is available to all health care providers and suppliers and is intended to facilitate the resolution of matters that, in the disclosing party's reasonable assessment, are actual or potential violations of the Stark law. The SRDP makes clear that it cannot be used to obtain a ruling as to whether a Stark violation has occurred and is separate from the advisory opinion process. Thus, a disclosing party should disclose under the SRDP with the intention of resolving its overpayment liability exposure liability. Also, the SRDP is limited to actual or potential violations of the Stark law. Conduct that potentially implicates other laws, such as the anti-kickback statute, should be disclosed through the OIG's Self-Disclosure Protocol.
Although the SRDP is intended to resolve potential and actual Stark law violations only, CMS cautions that a disclosure through the SRDP may nevertheless result in False Claims Act, civil monetary penalty, or other liability, as CMS may refer the matter to the Office of Inspector General and Department of Justice. Also, as a condition of disclosing a matter under the SRDP, a disclosing party must waive all appeal rights for claims related to the disclosed conduct if the matter is resolved through a settlement agreement. Lastly, matters uncovered during CMS' review of the submission, which are beyond the scope of the disclosed conduct, may be treated as new matters outside the SRDP and subject to administrative, civil, and criminal actions. Thus, CMS warns disclosing parties to make disclosure decisions carefully. Disclosure Submission:
As to the disclosure itself, CMS advises that a submission should include:
- the provider's identifying information (name, address, NPI, TIN, etc.);
- a full description of the actual or potential Stark violation, including the relevant time period, type of designated health service claims at issue, and names of individuals involved;
- a statement from the disclosing party as to why it believes a violation has occurred, including a complete legal analysis of the application of relevant exceptions and the potential causes of the violation;
- the circumstances under which the matter was discovered and measures taken to restructure the arrangement or non-compliant relationship and prevent future abuses;
- a statement identifying whether the disclosing party has a history of similar conduct or been the subject of other enforcement actions;
- a description of any compliance programs in place at the time of the violation;
- a description of notices provided to other government agencies in connection with the matter;
- a statement as to whether the disclosing party is aware of a current inquiry by a government agency or contractor regarding the matter; and
- a full financial analysis of amounts actually or potentially due from the Stark violations. CMS' Verification Process:
Upon receipt of a submission, CMS will begin verifying the information. To facilitate this process, CMS advises that it must have access to all financial statements, notes, disclosures, and other supporting documents free of privileges or limitations on the information produced. While CMS ordinarily will not request documents subject to the attorney-client privilege, it may request documents covered by the work-product doctrine that it deems critical to resolving the matter. If CMS requests additional information, a disclosing party will have at least 30 days to supply the information. Once the disclosing party electronically submits the disclosure, the obligation under Section 6402 of the ACA to report and return any potential overpayment will be suspended until a settlement agreement is entered, the disclosing party withdraws from the SRDP, or CMS removes the disclosing party from the SRDP.1
Penalty Determination and Repayment: Due to CMS' need to verify information, it will not accept payments of presumed overpayments prior to the completion of its inquiry. Rather, CMS encourages the disclosing party to place funds in an interest-bearing account to ensure adequate funds are available to repay any overpayments. While CMS is reviewing the matter, a disclosing party may not make payments related to the disclosed conduct to the Federal health care programs or their contractors without CMS' consent. If CMS consents to interim payments, the disclosing party must acknowledge in writing that acceptance of any interim payments does not constitute the government's agreement as to the amount of losses incurred by the programs due to the disclosed conduct, relieve the disclosing party of any criminal, civil, or civil monetary penalty liability, or serve as a defense to any further administrative, civil, or criminal actions against the disclosing party. As to the overpayment calculation, Section 6409(b) of the ACA grants the Secretary of the HHS the authority to reduce amounts due for all Stark violations. In establishing the amount by which an overpayment may be reduced, CMS may consider the nature and extent of the conduct, the timeliness of the self-disclosure, the disclosing party's cooperation in providing additional information, the litigation risk associated with the matter, and the financial position of the disclosing party. The American Hospital Association (AHA), in a July 16, 2010 letter to HHS Secretary Kathleen Sebelius, suggested that CMS consider additional mitigating factors, such as whether the Stark violation was due to an unintentional or innocent mistake, whether the services provided were reasonable and necessary, and whether Medicare suffered any harm beyond the statutory disallowance. CMS, however, ignored these suggestions and for the most part, merely restated the ACA's mitigating factors.
The AHA also suggested that for technical Stark violations, such as those involving a missing signature or improperly documented arrangement, CMS impose stipulated damages up to $10,000. According to the AHA, this framework would provide "reasonable certainty or predictability of outcomes" and reduce "draconian compliance penalties that have no relationship to the harm, if any, to the Medicare program." Once again, CMS ignored this suggestion. Rather than taking an opportunity to limit damages for technical violations, which pose the least risk of harm to Medicare and its beneficiaries, and thus encourage disclosure, CMS appears to have taken a hard-line stance. While the SRDP states that CMS "may" consider these mitigating factors, CMS makes clear that it has "no obligation to reduce any amounts due and owing." Rather, CMS states only that it will "make an individual determination as to whether a reduction is appropriate based on the facts and circumstances of each disclosed actual or potential violation." This leaves disclosing parties with little certainty and large financial exposure.
In sum, the SRDP permits a provider or supplier to disclose and resolve a pure Stark violation in an orderly fashion and potentially reduce its overpayment exposure. For the reasons cited above, however, disclosure is not risk-free. Providers may face administrative, civil, and/or criminal liability and by providing CMS access to proprietary and confidential information, unwittingly expose conduct and arrangements that implicate other laws. Nevertheless, due to potential False Claims Act liability for failure to report and return overpayments, providers may have little practical choice but to self-disclose.
Footnote 1 Please see our April 26, 2010 alert for more information regarding Section 6402 and its reporting and refunding requirements. This alert is available at: http://www.cozen.com/admin/files/publications/ health042610.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
