Found a Stark Law Violation? How to Self-Report and Minimize Penalties (CMS Self-Disclosure Protocol)

Introduction

For small medical practices, compliance with the Stark Law (42 U.S.C. § 1395nn) is not optional; it’s survival. Stark Law is a strict liability statute, which means that even technical or unintentional violations can trigger severe consequences, including repayment obligations, civil monetary penalties, and exposure under the False Claims Act (FCA) (see 42 U.S.C. § 1395nn(g)(2)–(4)).

Recognizing that mistakes happen, the Centers for Medicare & Medicaid Services (CMS) created the Self-Referral Disclosure Protocol (SRDP) (see ACA § 6409, 124 Stat. 772 (2010), codified in notes to 42 U.S.C. § 1395nn). This voluntary program allows practices to self-report Stark Law violations and, in many cases, negotiate reduced penalties.

This guide explains how the SRDP works, why self-disclosure may save your practice from devastating liability, and the steps small practices should take to prepare, disclose, and recover after a violation.

Understanding Stark Law Violations

Stark Law prohibits physicians from referring Medicare or Medicaid patients for Designated Health Services (DHS) to entities with which they or their family members have a financial relationship, unless a specific exception applies.

Examples of common violations include:

  • Leases below fair market value (FMV) for office space or equipment.

  • Compensation tied to referral volume or value.

  • Expired contracts that continue to operate without renewal.

  • Informal arrangements lacking written agreements.

  • Overlooked family ownership interests that create financial ties.

Even if the services were medically necessary, the referral is considered noncompliant if an exception isn’t fully satisfied.

Why Self-Disclosure Matters

Self-reporting under the CMS SRDP offers key benefits:

  • Reduced penalties: CMS may settle for less than the maximum penalty, especially for technical or isolated violations.

  • Controlled process: Practices can present their own narrative and demonstrate good faith.

  • Avoidance of FCA exposure: By disclosing early, practices may reduce the risk of whistleblower suits.

  • Protection of reputation: Demonstrating proactive compliance can preserve patient and community trust.

By contrast, failing to disclose and waiting for CMS or the OIG to discover violations can multiply liability, often leading to treble damages under the FCA.

Step-by-Step Guide to Self-Reporting

Step 1: Identify and Investigate the Violation

Begin with a compliance audit. Map out all physician financial relationships and test them against Stark exceptions. If you find a violation, assess:

  • Which DHS referrals are affected.

  • The time period of noncompliance.

  • The financial impact (Medicare payments received).

Step 2: Consult Legal Counsel

Because Stark Law is complex, small practices should seek guidance from healthcare attorneys who specialize in regulatory compliance. Counsel can:

  • Confirm whether the arrangement violates Stark.

  • Help calculate the overpayment.

  • Assist in drafting the disclosure submission.

Step 3: Prepare the Disclosure Package

The SRDP requires a detailed submission that includes:

  1. Identifying Information: Practice name, address, and tax ID.

  2. Description of the Violation: Narrative of the noncompliance, including relevant contracts, leases, and compensation arrangements.

  3. Legal Analysis: Explanation of how Stark was violated.

  4. Financial Analysis: Overpayment estimate, methodology used, and documentation.

  5. Corrective Action Plan: Steps taken to fix the violation and prevent recurrence.

Step 4: Submit to CMS

The disclosure is submitted electronically through the CMS SRDP portal. CMS may request additional documentation or clarification.

Step 5: Negotiate and Resolve

CMS reviews each case individually. Outcomes may include:

  • Acceptance of the disclosure and reduced settlement.

  • Requirement to repay only a portion of identified overpayments.

  • Dismissal of penalties if the violation is deemed technical and low risk.

How CMS Evaluates Disclosures

CMS considers several factors in deciding penalties:

  • Nature of the violation (technical vs. substantive).

  • Length of noncompliance (isolated incident vs. ongoing).

  • Financial impact (size of overpayments).

  • Practice cooperation and compliance program strength.

For example, a one-time lease payment error may be treated far more leniently than a five-year compensation structure tied to referrals.

Common Pitfalls in Self-Reporting

  • Underreporting: Failing to disclose all affected arrangements.

  • Poor documentation: Incomplete contracts or missing financial analysis.

  • Delay: Waiting too long increases risk of FCA exposure.

  • Lack of corrective action: CMS expects evidence of compliance improvement.

Case Study: A Small Practice’s Self-Disclosure

A family practice discovered during an internal compliance review that its office lease agreement with a local hospital had expired three years earlier. Since that time, the arrangement had been operating on a month-to-month basis without a written renewal. Because the practice continued to refer Medicare patients for designated health services (DHS) to the hospital, the absence of a current written lease placed the arrangement squarely in violation of the Stark Law’s strict technical requirements.

What seemed like an administrative oversight quickly became a significant compliance risk. Under Stark, the existence of a current, written, and fair market value lease is not optional; it is mandatory. Without such documentation, regulators presume that financial relationships tied to referrals are improper, even when both parties act in good faith. The lapse highlighted the importance of maintaining contract management systems, tracking expiration dates, and ensuring all physician-hospital arrangements remain fully compliant.

Steps Taken

  • Conducted an internal audit and calculated potential Medicare overpayments linked to the noncompliant arrangement.

  • Retained legal counsel to guide the process and prepare a submission under the CMS Self-Referral Disclosure Protocol (SRDP).

  • Executed a new lease agreement at fair market value (FMV) and documented corrective actions, including updated policies to monitor contract expiration dates.

Outcome

  • CMS accepted the voluntary disclosure, recognizing the practice’s proactive approach.

  • The clinic repaid only a fraction of the calculated overpayment amount.

  • No civil monetary penalties were imposed, and the matter was resolved without additional enforcement action.

Lesson Learned

This case underscores that Stark Law violations can occur even without intent if technical requirements like written agreements lapse. For small practices, maintaining a compliance calendar for contracts and conducting periodic self-audits are vital safeguards. Importantly, the case demonstrates that self-disclosure under SRDP can turn a potentially devastating liability into a manageable resolution, reducing both financial and reputational harm.

Compliance Checklist for Self-Disclosure

| Task | Action Item |
|------|-------------|
| Identify Violations | Conduct regular audits of financial relationships. |
| Assess Financial Impact | Estimate Medicare overpayments. |
| Engage Legal Counsel | Retain healthcare compliance attorneys. |
| Prepare Documentation | Compile contracts, analyses, and corrective action plans. |
| Submit to CMS | Use the SRDP portal for electronic submission. |
| Follow-Up | Respond promptly to CMS inquiries. |

Building a Culture of Compliance to Avoid Repeat Violations

Self-disclosure is not just about resolving violations; it should also serve as a learning opportunity. Practices should:

  • Update policies and procedures to address identified weaknesses.

  • Train staff and physicians on Stark Law requirements.

  • Centralize contract management to track expirations and FMV documentation.

  • Conduct annual compliance audits to proactively catch issues.

By building compliance into everyday operations, small practices reduce both the likelihood of violations and the need for self-disclosure in the future.

Conclusion

For small practices, discovering a Stark Law violation can feel overwhelming. But ignoring it or hoping regulators never find out is the most dangerous response. The CMS Self-Referral Disclosure Protocol provides a structured, good-faith path to address violations, minimize penalties, and protect the practice’s future.

Through early identification, thorough documentation, and proactive self-reporting, small practices can turn potential disaster into an opportunity to strengthen their compliance culture. In the strict liability world of Stark Law, self-disclosure is not a weakness; it is a strategy for survival.

Boosting compliance resilience requires more than policies alone. A compliance automation solution can streamline processes, simplify record-keeping, and deliver continuous risk assessments, helping you stay audit-ready and avoid compliance pitfalls.

References

  1. Centers for Medicare & Medicaid Services (CMS) – Self-Referral Disclosure Protocol (SRDP)

  2. 42 U.S.C. § 1395nn – Physician Self-Referral Law (Stark Law). Legal Information

  3. 42 CFR § 411.357 – Exceptions to the referral prohibition
