CMS issued on September 23 the much-heralded Stark Self Referral Disclosure Protocol (SRDP), meeting the deadline set by section 6409 of the Patient Protection and Affordable Care Act of 2010 (PPACA).
As required by PPACA, the SRDP was supposed to provide a process for health care providers to self-disclose potential violations of the federal Stark law, as well as elaborate on the criteria by which CMS would exercise its newly given authority to settle Stark violations for less than their full recoupment value.
Many observers had expected the SRDP to be a game changer in an arena offering few if any clear or inviting solutions. But the results are decidedly mixed.
Providers who discover potential Stark law violations find themselves in the classic "Lady or the Tiger" scenario: standing before doorways offering unclear choices and potentially radically different consequences. First, there may be ambiguity as to whether a particular arrangement even implicates yet alone violates Stark. But providers who comfort themselves with ambiguity face potential criminal allegations to the extent a prosecutor (mis)construes their inaction as fraudulent concealment, or False Claims Act liability if the government or a whistleblower alleges they "improperly avoided" repaying Medicare reimbursements resulting from prohibited referrals.
To add to providers' conundrum, OIG announced in a March 2009 Open Letter that it would not accept self-disclosures of Stark violations unless they stated a "colorable" violation of the federal anti-kickback statute—and then OIG would impose a minimum settlement amount of $50,000. CMS, on the other hand, staunchly maintained prior to PPACA that it had no statutory authority to settle Stark claims for less than their full recoupment value. So if a provider wanted to disclose, where should it go? To its MAC or fiscal intermediary? The local U.S. Attorney's Office? OIG? CMS? It seemed every door threatened the tiger. Then came PPACA.
Where's the Lady?
Many hoped that the SRDP would offer a fair and more certain doorway to resolving potential Stark violations—particularly those stemming from mere form or "documentary" violations where no hint of fraud or overpayments seemed present (e.g., physician contracts with missing signatures, late signatures, lost contracts, expired or "holdover" contracts, etc.). The American Hospital Association presented its notion of fairness in its July 16, letter to CMS advocating for a two-tiered approach to the SRDP. AHA proposed an expedited review of self-disclosures involving only "inadequate or incomplete writings," together with stipulated damages ranging up to $10,000 for violations posing the least risk of harm. AHA also proposed several mitigating factors for CMS to consider before imposing greater penalties, including whether the violation resulted from an innocent mistake, whether any corrective action had taken, the medical necessity and appropriateness of the care, and whether Medicare had suffered any financial harm. On most counts CMS seems to have ignored AHA's recommendations.
CMS first instructs providers that they must choose between the SRDP and CMS' advisory opinion process and OIG's Self-Disclosure Protocol—providers cannot disclose the same conduct under more than one of these available processes. The (somewhat) good news is that disclosures under the SRDP suspend a provider's obligation under Section 6402 of PPACA to return any overpayment to the government or its contractor within 60 days of identification. Also, the fact that a disclosing provider is already under investigation by the government (in many cases without the provider's knowledge) does not preclude use of the SRDP. Presumably self-disclosure under the latter circumstances would be viewed favorably by the government if done in good faith.
On the downside, the SRDP effectively forces providers to admit that the arrangements they are disclosing constitute Stark violations. CMS states that the SRDP cannot be used to obtain a determination from CMS as to whether a provider's described arrangement violated Stark. Indeed, CMS states that "the SRDP is intended to facilitate the resolution of only matters that, in the disclosing party's reasonable assessment, are actual or potential violations of the physician self-referral law." (emphasis added). This, combined with the detailed submission requirements described below (including the provider's explanation of which Stark exception it missed), comes uncomfortably close to an outright admission of Stark liability. Nevertheless, this is the necessary bargain of the SRDP process.
Previous open letters and similar communications from CMS and OIG have occasionally included carefully phrased suggestions that the agencies may look more kindly on self-disclosed violations than on those revealed through government investigation or whistleblowers. The SRDP contains no express statements of leniency. CMS only states flatly that it will "review the circumstances surrounding the matter disclosed to determine an appropriate resolution." That statement is followed by the warning that a provider has no appeal rights with respect to a matter resolved through the SRDP. While the SRDP makes repeated references to a provider's ability to "withdraw from" the process, providers obviously can't unring the bell with respect to CMS' knowledge of the facts contained in their initial disclosure. Moreover, the SRDP states that the time limitations that usually apply to Medicare contractors' ability to reopen a claim will be tolled from the date of the initial disclosure to CMS.
Coordination of enforcement was a significant theme of PPACA, and the SRDP clearly strives to further that goal. CMS states that upon review of the disclosing provider's submission, it will coordinate with the OIG and DOJ. Where the facts warrant it, CMS will use the provider's submission to recommend to OIG and DOJ resolution of False Claims Act, civil monetary penalty, and/or other categories of liabilities. While this statement will alarm providers coming forward with de minimis violations like unsigned or expired contracts, cross-agency settlements under multiple statutory regimes may be the price a provider must pay to achieve global resolution of more serious violations. Either way, as CMS states, "the disclosing party's initial decision of where to refer a matter involving non-compliance with [Stark] should be made carefully."
The SRDP requires that participating providers submit their disclosure electronically to a designated email address (1877SRDP@cms.hhs.gov) with an original and one copy being sent to CMS' Technical Payment Policy Division. Providers will receive an immediate electronic confirmation, followed by a letter from CMS either accepting or rejecting the disclosure. The SRDP is silent on the reasons CMS might reject a submission.
- The name, address and other identifying information of the provider, including its ownership and any pertinent affiliations;
- A description of the nature of the matter being disclosed, including the financial relationships at issue, relevant dates, the time-period of noncompliance, and "the names of entities and individuals believed to be implicated and an explanation of their roles in the matter;"
- The provider's full legal analysis as to why it believes it violated Stark, including the element(s) of any relevant Stark exceptions that were not met;
- How the matter was discovered, and what measures the provider took to correct it;
- A "statement identifying whether the disclosing party has a history of similar conduct;"
- A description of the provider's compliance program and any efforts to prevent a recurrence of the matter;
- Any notices provided to other government agencies; and
- Whether the provider is aware that the matter is under current investigation by another government agency.
These content requirements will clearly dictate a more lengthy submission than many providers will have anticipated. Yet doubtless providers' greatest efforts will be expended in calculating the potential recoupment value of their submission. Even though the whole point of the SRDP—at least from the providers' perspective—is to settle potential Stark liabilities for less than their full recoupment value, CMS nevertheless requires that providers include in their submissions a full financial analysis of the "total, itemized by year, that is actually or potentially due and owing" under the Stark law, factoring in the length of noncompliance. This represents the government's maximum possible "take" from the provider, calculated as the total of all Medicare reimbursements received from any and all referrals of "designated health services" (including all hospital services) made by any physician(s) with which the provider had a direct or indirect financial relationship that did not meet a Stark exception.
For example, let's say a hospital couldn't locate a part-time lease with a physician group for a small exam room/office suite. The hospital would be required to calculate and provide to CMS the total Medicare reimbursement resulting from all DHS referrals made by any shareholder in the group during the entire period of the lease. Note that the rent paid (or not paid) by the physicians would be irrelevant to this calculation—although one hopes it would be relevant to CMS "appropriate" resolution of the hospital's self-disclosure.
What Happens After I Disclose?
The SRDP provides limited guidance as to what CMS will do post-disclosure. CMS states that it will engage in a "verification effort," but the SRDP includes no discussion of what CMS intends to verify. Presumably, this will include a review of relevant documents (such as written agreements), payment data, and the provider's legal analysis.
Any such verification efforts may bump up against the attorney-client privilege and work product doctrine. In that regard, CMS indicates that "[i]n the normal course of verification, CMS will not request production of written communications subject to the attorney-client privilege," while at the same time asserting that "[t]here may be documents … covered by the work product doctrine, … which CMS believes are critical to resolving the disclosure." In such cases, CMS indicates that it is prepared to work with providers to obtain the underlying data without a waiver of privilege. The most likely situation where the privilege issue could arise is where a provider's audit and calculation of the amount of DHS reimbursements at issue are performed at the direction of legal counsel.
What Will This Cost Me?
The SRDP indicates that overpayment issues will be resolved after CMS has completed its verification review. CMS directs providers not to send payment to CMS or the payment contractor after or as part of a disclosure submission. Nevertheless, the SRDP "encourages" providers to place funds equivalent to the Stark overpayment amount in an escrow account. Again, this represents the full recoupment value of the government's potential Stark claim against the provider—the (possibly astronomical) sum the provider is attempting to avoid by submitting to the SRDP.
The SRDP provides little insight into how CMS will review disclosure submissions and how CMS will determine the proper payment amount. Five factors are listed for evaluating submissions: (1) the nature and extent of the improper or illegal practice; (2) the timeliness of the self-disclosure; (3) the cooperation in providing additional information related to the disclosure; (4) the litigation risk associated with the matter disclosed; and (5) the financial position of the disclosing party. The first three factors mirror those set forth in PPACA. The last two—litigation risk and the depth of the provider's pockets—would be implicit factors in any settlement process, regardless of whether SRDP listed them.
Remarkably, the SRDP gives no nod to any of AHA's proposed review factors—including the obvious ones dealing with harm to the Medicare program or the quality or necessity of the care. Also rejected were AHA's two-tiered review process and stipulated damage approach. Apparently CMS does not view innocent mistakes or mere omissions in documentation as meriting any different process in resolution than more serious violations involving actual fraud or program abuse.