CMS's Self-Referral Disclosure Protocol: New Avenue for Stark Disclosures or One-Way Street?

As reported in our previous Legal News Alerts (http://www.foley.com/publications/pub_detail.aspx?pubid=7464 and http://www.foley.com/publications/pub_detail.aspx?pubid=6995), the Patient Protection and Affordable Care Act of 2010 (PPACA) required the Department of Health and Human Services (DHHS) to have established, by no later than September 23, 2010, a self-referral disclosure protocol, under which health care providers may voluntarily report actual or potential Stark violations to CMS. This long-awaited date has arrived, and CMS has just issued its Voluntary Self-Referral Disclosure Protocol (SRDP) guidance. While the guidance provides welcome relief in at least one respect by providing for suspension of the 60-day deadline for reporting and refunding overpayments, providers may be surprised and disappointed in the SRDP’s failure to provide any assurances of reduced penalties, particularly since the SRDP fails to provide any avenue for resolution of purely “technical” Stark violations.

Suspension of Refund Deadline

Section 6402 of PPACA established a deadline for reporting and returning overpayments by 60 days after the date the overpayment was “identified” (or, if later, the date any corresponding cost report is due). Notably, CMS states in the SRDP that this 60-day deadline will be suspended at the time the provider electronically submits an SRDP disclosure (and receives e-mail confirmation from CMS that the disclosure has been received), until a settlement agreement is entered (or until the provider withdraws from, or CMS removes the provider from, the SRDP process).

This allays the concern that providers might have been required to make a full refund of all “Stark-tainted” reimbursement prior to engaging in what could be potentially protracted settlement negotiations with CMS following a disclosure. Possibly, this suspension of the refund deadline also applies to patient refunds of copayments arising out of Stark-tainted services, but this is far from clear. CMS reminds providers of the statutory requirement to make refunds to individuals, but does not address the specific timing that is required for these refunds.

Nature of Disclosures CMS Will Accept Under the SRDP

Significant question has surrounded the issue of how the SRDP would interrelate with the self-disclosure protocol (SDP) that the Office of Inspector General (OIG) has had in place since 1998. CMS’s guidance states that Stark issues that “may also raise liability risks” under the federal Anti-Kickback Statute (AKS) should be disclosed through the OIG’s SDP, and that parties should not disclose the same conduct to both CMS and OIG. Accordingly, providers will need to make assessments of the potential that the conduct in question could be viewed as an AKS violation (and therefore properly disclosed to OIG rather than CMS).

Additionally, in the event the provider takes the position that the conduct in question does not implicate the AKS, it still runs the risk that CMS will take a contrary position. CMS’s guidance states that CMS may use a party’s disclosure to recommend to OIG and the U.S. Department of Justice that they intervene to resolve possible liability under the AKS, the False Claims Act, or other law. CMS’s guidance adds the somewhat ominous statement that “the disclosing party’s initial decision of where to refer a [Stark] matter should be made carefully.”

CMS’s guidance also indicates that a party that is already subject to government inquiry (including investigations, audits, or routine oversight activities) will not automatically be precluded from the SRDP, so long as the disclosure is made in good faith and not in an attempt to circumvent an ongoing inquiry.

Content of the Disclosure Submission

Disclosures must be submitted electronically to [email protected], followed by a mailed copy. After reviewing the submission, CMS will send a letter either accepting or rejecting the disclosure. The required content of the disclosure submission is very similar to what is currently required under the OIG’s SDP. Among other items, the submission should include:

• Detailed identifying information regarding the disclosing party, as well as the names of other entities and individuals believed to be implicated
• A description of the matter being disclosed
• A statement outlining why the party believes a Stark violation may have occurred, including a complete legal analysis of the application of the Stark law
• The circumstances under which the matter was discovered and the measures taken to address the issue and prevent future abuses
• Whether the party has knowledge that the matter is under current inquiry by a government agency or contractor
• A financial analysis, itemized by year, of the potential Stark penalty (i.e., the amount of tainted reimbursement received)

CMS’s Actions Following an SRDP Submission

Following submission, CMS will review the relevant circumstances to determine an appropriate resolution. This will including verifying the information in the provider’s disclosure. As part of this process, CMS will require access to “all financial statements, notes, disclosures, and other supporting documents without the assertion of privileges or limitations.” Although “in the normal course of verification, CMS will not request communications subject to the attorney-client privilege,” CMS may insist on review of materials that may be covered by the work-product doctrine.  

Providers should be aware that any additional issues outside of the scope of the disclosure that CMS discovers during its verification process may be treated as new matters outside the SRDP (and therefore subject to separate investigation and potential sanctions).

CMS’s Penalty Determination

PPACA expressly authorizes CMS to reduce the amount of the Stark penalty (i.e., refund of all tainted reimbursement received) as part of the SRDP. PPACA lists three specific factors that CMS may consider in reducing the amounts otherwise owed: (1) the nature and extent of the improper or illegal practice; (2) the timeliness of the self-disclosure; and (3) the cooperation in providing additional information related to the disclosure. In its guidance, CMS lists two additional factors that it will consider: the “litigation risk associated with the matter disclosed,” and the disclosing party’s financial position. CMS does not explain what it means by litigation risk. Presumably, this consideration would include the risk that the government would not prevail in a potential Stark action brought against the provider, should the provider decline to settle.

Although CMS states that it may consider the foregoing factors, it also states “that it has no obligation to reduce any amounts due and owing.” Rather, CMS indicates that it will “make an individual determination as to whether a reduction is appropriate based on the facts and circumstances of each disclosed actual or potential violation.” CMS explains that, given the variability of the nature and circumstances of different violations, it will need to evaluate each matter to determine an appropriate resolution.

Implications for Providers

The most notable and, frankly, troubling aspect of the guidance is CMS’s firm statement that it has no obligation to reduce the penalty that it will impose below the Stark damages amount (i.e., refund of all tainted reimbursement). Nor does CMS give any indication of the amount of reduction it might be inclined to offer in appropriate cases. This is in striking contrast to OIG’s SDP, under which OIG announced (in its “Open Letter” dated April 24, 2006) that, “subject to the facts and circumstances of the case, OIG will generally settle SDP matters for an amount near the lower end of [the damages] continuum, i.e., a multiplier of the value of the financial benefit conferred by the hospital upon the physician(s).” In fact, in its follow-up Open Letter dated April 15, 2008, OIG stated that it “committed to settling liability … generally for a multiplier of the value of the financial benefit conferred.” [emphasis added].

The OIG’s approach (a multiplier of the financial benefit) has often resulted in a settlement amount that is substantially lower than the amount of Stark damages. This has been especially true in cases of purely technical Stark violations, such as failure to properly document an arrangement in writing, failure to procure all necessarily signatures, or expiration of a services agreement or lease beyond the regulatory “holdover” period (but where the arrangement otherwise was legally compliant in all respects). Typically, in such cases, no financial benefit at all would have been conferred upon the physician(s). (We note that the OIG subsequently imposed a $50,000 minimum settlement amount in its March 24, 2009 Open Letter.)

While it is understandable that CMS might desire additional time and practical experience in operating under the SRDP before announcing penalty guidelines, the complete uncertainty at this time may prove highly discouraging to providers that are wrestling with the issue of a potential self-disclosure. This may prove particularly true in the case of purely technical violations. Although the provider community (most notably, the American Hospital Association, in its July 16 letter to DHHS Secretary Kathleen Sebelius, as discussed in our Legal News Alert of August 25, 2010), had advocated that CMS implement an expedited review process and a stipulated, modest penalty amount for technical violations, CMS’s guidance declines to do so. The guidance, in fact, makes no distinction at all between technical violations and more serious violations, such as those involving arrangements inconsistent with fair market value, where physicians may be unjustly enriched.

Another question that remains shrouded in uncertainty is how providers are to determine the date on which an overpayment was “identified” (and, therefore, when the 60-day reporting and refund deadline begins to run). CMS has yet to provide regulatory guidance as to how it will interpret this provision, although the statutory refund obligation became effective at the time of PPACA’s enactment. Given the complexity and nuances of the Stark statute and regulations, internal investigations and careful legal assessments of possible violations can consume a substantial period of time. Lawyers have often taken the position that only clear Stark violations must be reported, and arriving at a determination as to whether a clear violation has occurred can require careful deliberations, often involving not only management but a provider’s full governing board. CMS’s SRDP guidance, expressly referencing the 60-day reporting and refund requirement, states that “it is imperative for disclosing parties to disclose matters in a timely fashion once identified.” Arguably, this implies that CMS will reject disclosures that it believes were not made within the 60-day deadline, but this issue also remains open to question.

Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:

Lawrence C. Conn
Los Angeles, California
213.972.4781
[email protected]  

Maria E. Gonzalez Knavel
Milwaukee, Wisconsin
414.297.5649
[email protected]  

Richard K. Rifenbark
Los Angeles, California
213.972.4813
[email protected]  

Robert D. Sevell
Los Angeles, California
213.972.4804
[email protected]  

Heidi A. Sorensen
Washington, D.C.
202.672.5596
[email protected]  

Lawrence W. Vernaglia
Boston, Massachusetts
617.342.4079
[email protected]  

Judith A. Waltz
San Francisco, California
415.438.6412
[email protected]