CMS’ Stark Self-Disclosure Protocols: The Who, What, When, Where, Why and How of the New Process
WHY? The History Behind The New Protocols
Before Health Reform, the Office of Inspector General (OIG) announced in a March 24, 2009 letter to providers that it would “no longer accept disclosure of a matter that involves only liability under the physician self-referral law in the absence of a colorable anti-kickback statute violation.” In other words, the OIG did not want to hear about a Stark violation unless the anti-kickback statute was violated too.
Congress told the regulators in the Health Reform Act that this was no good. In Section 6409 of the Patient Protection and Affordable Care Act (PPACA), the Secretary of Health and Human Services was given six months to promulgate protocols for providers to self-report Stark violations. Not only that, PPACA enacted a new requirement for providers to self-report within 60 days of discovering a potential or actual Stark violation. PPACA also made clear that the regulators have the authority to negotiate settlements and reduce penalties for Stark violations.
Many in the industry hoped that the regulators would provide for “technical only” Stark violations, since Stark carries with it tremendous potential fines and treble damages, even for a minor mistake made through an innocent oversight - like failing to sign a new contract to memorialize an ongoing agreement. Some trade associations suggested a flat $50,000 penalty for technical violations. After all, providers with these kinds of technical violations are not really the “bad guys.” They are providers who took care of patients and provided good, quality care, but did not manage their paperwork as well as they should have.
Unfortunately, this is not the direction CMS took with the protocol.
WHAT? The Basics on New Protocols
CMS released the Self-Referral Disclosure Protocol (SRDP) on the last possible day allowed under PPACA, September 23, 2010. (See www.cms.gov/PhysicianSelfReferral/Downloads/6409_SRDP_Protocol.pdf) The protocol explains what the submission must contain in great detail - and it is surprisingly onerous. In sum, the report must provide identifying information on everyone who had anything to do with the actual or potential violation, a very detailed description of the problem, a “complete legal analysis” which includes at least four elements, a detailed financial analysis, information on compliance practices and several other categories of information. In the protocol, CMS lets providers know that this submission may be forwarded to law enforcement, so providers had better be careful about what is in it. The provider facing self-disclosure may spend thousands, or even tens of thousands of dollars, on the legal and financial advice required to prepare the submission.
WHO? Those Who Can (And Can Not) Use the Self-Referral Disclosure Protocols (SRDP)
The SRDPs are open to all providers and suppliers (the word “providers” is used hereafter to apply to both). Even if a provider is already subject to a government inquiry, the provider is not automatically disqualified from participating in the SRDP and making a good-faith self-disclosure. The SRDP is intended for providers who are submitting a report with the intention of resolving overpayment liability exposure.
However, the SRDP cannot be used by providers who just want to know if there is an actual or potential violation – that is what the advisory opinion process is for. The SRDP is also not intended for providers who seek to report violations of any other federal, criminal or administrative law or regulation for which there are other reporting avenues. For instance, participating in the SRDP does not remove a provider’s obligation to disclose an anti-kickback violation to the OIG.
HOW? The Items That Must Be Included With the Report
The required report is extensive. It must provide the details about the potential violation, as well as the financial impact. The following is an outline of the required components of an SRDP report:
- A Description of Actual or Potential Violation(s) that must include:
  - The provider’s or supplier’s identifying information including the following: name, address, NPI(s), CMS Certification Number(s), tax ID number(s), and the name of the designated representative for purposes of the voluntary disclosure. If the provider or supplier is part of a system or network, it must also include a description or diagram that explains the relationships, names and addresses of any related entities. It must also list any affected corporate divisions, departments or branches.
  - A description of the nature of the matter being disclosed, including the type of financial relationship(s), the parties involved, the specific time periods the disclosing party may have been out of compliance (and, if applicable, the dates or a range of dates whereby the conduct was cured), and type of designated health service claims at issue. The description must also include the type of transaction or other conduct giving rise to the matter, and the names of entities and individuals believed to be implicated and an explanation of their roles in the matter.
  - A legal analysis, specifically a statement regarding why the provider or supplier believes a violation of the physician self-referral law may have occurred, including a complete legal analysis of the application of the physician self-referral law to the conduct and any physician self-referral exception that applies to the conduct and/or that the disclosing party attempted to use. This analysis must identify and explain which element(s) of the applicable exception(s) were met and which were not. The submission must also include a description of the potential causes of the incident or practice (e.g., intentional conduct, lack of internal controls, and circumvention of corporate procedures or government regulations).
  - Information on discovery of the issue and remedial measures taken, including circumstances under which the disclosed matter was discovered and the measures taken upon discovery to address the issue and prevent future abuses.
  - Information on provider or supplier’s regulatory history, specifically a statement identifying whether the disclosing party has a history of similar conduct, or has any prior criminal, civil, and regulatory enforcement actions (including payment suspensions) against it.
  - Compliance program information, including a description of the existence and adequacy of a pre-existing compliance program, and all efforts taken to prevent a recurrence of the incident or practice in the affected division, as well as in any related healthcare entities (e.g., new accounting or internal control procedures, increased internal audit efforts, increased supervision by higher management or through training). The submission must also describe the measures or actions taken to restructure the arrangement or non-compliant relationship.
  - Information about other notices given, including a description of appropriate notices, if applicable, provided to other government agencies (e.g., Securities and Exchange Commission and Internal Revenue Service) in connection with the disclosed matter.
  - Information about other ongoing inquiries or investigations, including an indication of whether the disclosing party has knowledge that the matter is under current inquiry by a government agency or contractor. If there is a pending inquiry, the government entity or individual representatives involved should be identified. Any other investigation or inquiry for matters relating to a federal healthcare program, including any matters it has disclosed to other government entities, must also be disclosed, and similar information on the other matters must be provided.
- A Financial Analysis that must:
  - Set forth the total amount, itemized by year, that is actually or potentially due based upon the period of time during which the provider or supplier may have been out of compliance with Stark.
  - Describe the method used to determine the amount that is actually or potentially due, indicating whether estimates were used, and, if so, how they were calculated.
  - Summarize the auditing activity undertaken and the documents relied upon.
- A Certification by the individual provider or the entity’s CEO, CFO or other authorized representative which states that, to the best of the individual’s knowledge, the information provided is truthful and is based on a good faith effort to bring the matter to CMS’ attention for the purpose of resolving any potential liabilities relating to the physician self-referral law.
WHERE? Submitting a Self-Referral Disclosure
The SRDP provides that a report should be submitted by emailing an electronic version to 1877SRDP@cms.hhs.gov, and mailing an original and one copy to:
The Division of Technical Payment Policy
ATTN: Provider and Supplier Self-Disclosure
Centers for Medicare and Medicaid Services
7500 Security Boulevard
Once the report is emailed, CMS will immediately send a response email acknowledging receipt of the submission - which suspends the 60-day time period for providers to self-report a violation under the new PPACA requirements. The SRDP makes clear that faxes will not be accepted.
WHEN CMS Gets a Submission
After a disclosure is made, CMS reviews the submission and verifies the information. If it finds additional violations in that review, the additional violations would be treated as outside the scope of the SRDP. Once CMS has completed its review, it sends a letter to the provider either accepting or rejecting the disclosure. After the review, if appropriate, CMS will also coordinate with the OIG and Department of Justice (DOJ). If CMS refers the matter to law enforcement, the SRDP makes clear that the provider’s submission can be used as a part of CMS’ recommendation to the OIG and DOJ.
All this, and ultimately, there’s no guarantee of any break for disclosing. CMS recognizes that there are some factors it may consider in reducing the amounts of the penalties, including: (1) the nature and extent of the improper or illegal practice; (2) the timeliness of the self-disclosure; (3) the cooperation in providing additional information related to the disclosure; (4) the litigation risk associated with the matter disclosed; and (5) the financial position of the individual provider/supplier. But the bottom line from the horse’s mouth is: “CMS has no obligation to reduce any amounts due and owing.”
Emily Black Grey is a partner in Breazeale, Sachse, & Wilson LLP’s Health Care Section.