CIA Compliance And Independent Review Organizations: Where to Start in the Selection Process?

Rita Isnar | September 2010

The heightened focus on health care fraud, waste, and abuse continues to evolve and steadily climb given political and fiscal pressures that both federal and state governments currently face. As such, the Office of Inspector General (OIG) frequently negotiates compliance obligations with health care providers and other organizations as part of a settlement of federal health care program investigations. Investigations arise under a variety of civil false claims statutes, which may result in a comprehensive corporate integrity agreement (CIA).

A CIA is an agreement in which the provider or entity consents to these obligations as part of “the civil settlement and in exchange for the OIG’s agreement not to seek an exclusion of that health care provider or entity from participation in Medicare, Medicaid, and other federal health care programs,” [1] meaning CIA compliance is of the utmost importance to providers. It should be noted that entities or providers who settle these cases deny liability or that alleged conduct was committed.

Common Features of CIAs

If an entity or provider enters into a comprehensive CIA, certain obligations must be met. The typical term of a comprehensive integrity agreement is five years. As outlined by the OIG, CIA compliance includes requirements to:

  • hire a compliance officer/appoint a compliance committee;
  • develop written standards and policies;
  • implement a comprehensive employee training program;
  • establish a confidential disclosure program;
  • restrict employment of ineligible persons;
  • report overpayments, reportable events, and ongoing investigations/legal proceedings;
  • provide an implementation report and annual reports to the OIG on the status of the entity’s compliance activities; and
  • retain an independent review organization (IRO) to review claims submitted to federal health care programs. [2]

In sum, the CIA makes mandatory the seven elements of an effective compliance program that are reiterated in numerous OIG compliance guidance documents. Further, CIAs require various types of audits and reviews to ensure CIA compliance with the case-specific incidents under scrutiny (off-label use of drugs, inappropriate billing or marketing practices, et cetera).

Critical to Clarify Scope of the CIA Compliance

The OIG further notes that while “many CIAs have common elements, each agreement addresses, in part, the specific facts of the conduct at issue and often attempts to accommodate and recognize many of the elements of pre-existing voluntary compliance programs.” [3] This is an opportunity to ensure that the scope and breadth of your entity’s CIA compliance is clearly outlined and sufficiently specific.

In most cases, compliance program requirements as outlined above and claims reviews are fairly straightforward as long as parameters of what constitutes an “error” are predetermined. In some instances, however, CIAs are developed in response to issues or alleged misconduct that require program evaluations and monitoring rather than claims reviews.

Before the CIA is finalized, we strongly recommend clarifying scope and objectives in these instances. This can be done with the assistance of legal counsel and consultants that specialize or have considerable experience in a given area depending on the alleged conduct.

Where to Start in Selecting the Right IRO?

The OIG does not assist entities or providers in choosing an external IRO. Furthermore, the OIG does not endorse any proprietary products, nor will it indicate which IRO(s) it believes are most qualified. [4] Therefore, it is up to the entity or provider to determine the most appropriate organization to engage as IRO.

Typically, entities such as consultants, certified public accountant (CPA) firms, and/or law firms are engaged to perform such tasks. Most CIA compliance requirements include language where the OIG has the opportunity to approve or deny the entity’s or provider’s choice of IRO within 30 days after the OIG receives written notice of the identity of the IRO.

There are many ways in which to identify a potential IRO. The best approach is the old-fashioned “word of mouth” referral. Referrals may come from health care attorneys, consultants, colleagues, compliance officers, et cetera.

Compliance in the health care industry is a relatively small community, and experienced compliance officers or health care attorneys can serve as a conduit to a number of organizations that can serve as IRO. Trade organizations, conferences, and publications also may provide ideas of whom to contact for this type of service.

There are various ways in which to identify an external IRO that best suits the entity’s or provider’s needs. Once proposed IRO options have been identified, the following is, at a minimum, a list of considerations to help in evaluating them:


Can the proposed IRO actually perform the tasks outlined in your CIA (e.g., claims reviews, cost report reviews, systems reviews, drug pricing reviews, other)? Do they have sufficiently qualified personnel, suited to the organization’s or provider’s size, need, complexity, and sophistication?


Can the proposed IRO effectively staff a five-year long engagement? Can the organization demonstrate its financial viability as an organization?


Can the proposed IRO effectively manage the competing stakeholder interests at hand in a balanced and fair manner? An experienced IRO will be able to manage reporting effectively and communicate with both the entity or provider and the OIG in a clear, consistent, and efficacious manner.


Does the proposed IRO have the sophistication to handle a straightforward and/or complex case? If the case is complex, can the proposed IRO work with all stakeholders appropriately (only) in its capacity as IRO to facilitate the process? The experienced IRO will know how to handle complicated issues appropriately and in a timely manner.


Are the proposed IRO’s costs and charges competitive? Obtaining at least three to five proposals for evaluations will give the entity or provider a good indication of the “average” charges for the proposed scope of work.

Referrals and Reputation

Does the proposed IRO come with recommendations from colleagues, attorneys, or other compliance officers? Ask who exactly will be working on the contract, as a good working relationship is critical to a “successful” five-year engagement.

Independence and Objectivity

Is the proposed Peer Review Organization’s compliance policy independent and objective?

How to Ensure Independence

To be sure, as referenced in Thomas Herrmann’s article “Independent Review Organizations Must Meet GAO ‘Yellow Book’ Standards,” published in the March/April 2010 issue of the Journal of Health Care Compliance, an IRO conducting performance audits in relation to CIA compliance must be independent. For a more comprehensive discussion on meeting GAO “Yellow Book” standards, we refer you to this article.

Specifically, (i) audit organizations should not perform management functions or make management decisions; and (ii) audit organizations should not audit their own work or provide non-audit services in situations in which the non-audit services are significant/material to the subject matter of the audits. [5]

The OIG has furnished guidelines to facilitate an IRO’s assessment of its independence and objectivity with respect to CIA reviews. [6] The following are specific examples the OIG cites of non-audit services furnished by an IRO to an entity that would not present an impairment:

  1. IRO personnel furnish general compliance training that addresses the requirements of the provider’s CIA and introduces employees to the provider’s overall compliance program.
  2. IRO performs routine tasks relating to the provider’s confidential disclosure program, such as answering the confidential hot line or transcribing the allegations received via the hot line.
  3. IRO performs ineligible persons screening by entering the employee names into the exclusion databases and providing the screening results back to the provider.
  4. IRO conducts compliance program evaluation for provider before CIA is executed.
  5. IRO provides personnel to perform work plan procedures that are developed by the provider’s internal audit department not related to the subject matter of reviews.
  6. IRO furnishes consulting services to the provider under an engagement that is completed prior to the start of the CIA reviews and the services (1) are not related to the subject matter of the CIA reviews and (2) do not involve the performance of the management functions.
  7. IRO performs an assessment of the strengths and weaknesses of the provider’s internal controls, even if those controls are related to the subject matter of the CIA review, as long as the IRO is not responsible for designing or implementing corrective action based on its internal controls assessment, or otherwise performing management functions.

The following are specific examples the OIG’s policy cites of non-audit services furnished by an IRO to an entity that would present an impairment:

  • A provider uses a billing system or coding software that was developed or designed by the IRO and the IRO is being engaged to perform a claims review.
  • IRO personnel furnish specific training that addresses the subject matter of the CIA compliance review.
  • IRO engages in management decisions and develops the provider’s policies, procedures, or internal control systems.
  • IRO participates in decision making relating to the confidential disclosure program, such as determining which allegations warrant further investigation or the appropriate corrective action to take in response to compliance allegations.
  • IRO performs an assessment of the strengths and weaknesses of the provider’s internal controls associated with the specific risk areas that are addressed in the CIA and is engaged by the provider to design or implement new processes or internal controls that relate to the subject matter of the CIA reviews.
  • The provider outsources its internal audit function to the Peer Review Organization engaged to provide consulting services to term of the CIA on a matter that is related to the subject matter of the CIA reviews.


Selecting a well-suited IRO for your organization or entity can be a tedious task in and of itself during what can be a stressful process. This article outlines some methodical guidelines to assist in simplifying this process.


[1] False claims submitted in violation of the False Claims Act or Civil Monetary Penalties Law give rise to the OIG’s permissive exclusion authority under 42 U.S.C. 1320a-7(b)(7).

[5] “Frequently Asked Questions Related to IRO Independence,”

[6] “OIG Guidance on IRO Independence and Objectivity,”

About the Author

Rita Isnar joined Strategic Management in 2003 and is responsible for client fulfillment activities. Her in-depth knowledge and compliance experience includes managed care, Medicare Parts C & D compliance program development and implementation, government enforcement initiatives, quality of care issues and regulatory compliance.