
FAQs About OIG Corporate Integrity Agreements and Independent Review Organizations

Richard P. Kusserow | February 2020

Listed below are several frequently asked questions about the roles of Independent Review Organizations (IROs) and OIG Corporate Integrity Agreements (CIAs).



What is a Corporate Integrity Agreement?

The DHHS Office of Inspector General (OIG) negotiates Corporate Integrity Agreements (CIAs) with health care providers and other entities as part of the settlement of Federal health care program investigations arising under a variety of civil false claims statutes. The CIA outlines the obligations an entity agrees to in exchange for the OIG’s agreement that it won’t seek to exclude the entity from participation in Medicare, Medicaid or other Federal health care programs. The CIAs have common elements, but each one is tailored to address the specific facts of the case, and CIAs are often drafted to recognize the elements of a pre-existing compliance program.

What is a Certification of Compliance Agreement?

The OIG has sometimes negotiated a Certification of Compliance Agreement (CCA) with health care providers and other entities, in lieu of a comprehensive Corporate Integrity Agreement (CIA), under appropriate circumstances. The terms of a CCA always include a requirement that the entity maintain its existing compliance program. The organization must agree to a Declaration related to its compliance program that is attached to the CCA.

The elements of the compliance program that must be met mirror those that are included in the OIG compliance guidance documents related to the entity’s sector. The entity is also required to agree to certain compliance obligations that mirror those found in a comprehensive CIA, including: (1) reporting overpayments, reportable events, and ongoing investigations and legal proceedings to the OIG; and (2) providing annual reports regarding the entity’s compliance activities to OIG during the term of the CCA.

What are the common elements of a Corporate Integrity Agreement with regard to compliance programs?

Corporate Integrity Agreements have many common elements, but each one addresses the specific facts at issue and often attempts to accommodate and recognize many of the elements of preexisting voluntary compliance programs, including but not limited to:

  • hiring a compliance officer;
  • appointing a compliance committee;
  • developing written standards and policies;
  • implementing a comprehensive employee training program;
  • retaining an independent review organization to conduct annual reviews;
  • establishing a confidential disclosure program;
  • restricting employment of ineligible persons;
  • reporting overpayments, reportable events, and ongoing investigations/legal proceedings; and
  • providing an implementation report and annual reports to OIG on the status of the entity’s compliance activities.

What is the normal length of an OIG Corporate Integrity Agreement?

A comprehensive CIA typically lasts 5 years.

Who can be an IRO?

Independent Review Organizations can be a consulting, accounting, or law firm. The type of organization to select as an IRO depends on the scope of work included in the Corporate Integrity Agreement (CIA) that sets up the requirement for an outside party to review and monitor the organization's compliance with the terms and conditions of the Agreement. Most CIAs involve review of arrangements with referral sources, claims review, and/or marketing practices. The IRO selected should have the requisite expertise to do the work.

Strategic Management is a pioneer in helping the health care industry with timely and innovative regulatory custom healthcare compliance solutions.  It was founded 20 years ago by the former Inspector General for the Department of Health and Human Services (HHS). It was the first consulting firm to focus on corporate compliance and ethics initiatives for the health care industry – before the government had even issued any formal compliance program guidance documents for the industry.  It is one of the few consulting companies focusing exclusively on the health care compliance industry and differentiates itself by its unique expertise, qualifications and people. Over the last 20 years, the Firm has assisted thousands of health care organizations with regulatory compliance services, including acting as IROs for a number of clients.

Who selects the IRO?

Contrary to what some people believe, the Office of the Inspector General (OIG) does not select the IRO. The decision on selecting the IRO rests with the organization. The OIG does not recommend or endorse any particular firm to the provider; however, it reserves the right to approve or reject an IRO on the basis of qualifications or lack of evidence in meeting the stated standards that must be met by IROs. Most Corporate Integrity Agreements (CIAs) include language that gives OIG the opportunity to notify a provider that its choice of IRO is unacceptable within 30 days after OIG receives written notice of the identity of the IRO. Strategic Management has been selected to be an IRO and approved by the OIG many times. These engagements have included reviews of arrangements with referral sources, claims processing, cost report oversight, marketing practices, etc.

What are the duties of the IRO?

A Corporate Integrity Agreement (CIA) requires independent reviews by an Independent Review Organization (IRO) of specified areas, dependent on the nature of the terms of the Agreement. In most cases this includes reviewing arrangements with referral sources; claims review; cost report development; and/or marketing practices. The IRO is charged with conducting a verification review to ensure compliance by the entity. The specific terms and scope of work for the IRO are worked out with the entity and approved by the OIG. Strategic Management works with entities under a CIA to meet the requirements of the CIA as they pertain to the duties of an IRO.

How does an IRO perform its work?

There are usually both onsite and offsite components to an Independent Review Organization’s (IRO) work. Onsite work is essential to gain first-hand knowledge about the operation of the entity. However, in cases where the required documents can be appropriately and effectively provided to the IRO without visiting the provider’s site(s), most of the IRO work can be done offsite. Strategic Management has found that the less time on site at an entity, the less disruptive it is for the ordinary business of the organization. The key to a successful review is the entity's timeliness in providing needed data.

What kind of oversight does the OIG have of Corporate Integrity Agreements?

The OIG not only reviews and questions the reports submitted to it on the work of the IROs; it will often verify the entity’s compliance with the terms of its Corporate Integrity Agreement by making its own site visit. This provides the OIG with an opportunity to observe an entity’s compliance program in practice. The first-hand observations obtained while on site provide the OIG with a more accurate and comprehensive assessment of an entity’s compliance program. The site visit also offers the entity the unique, one-on-one opportunity to educate the OIG regarding the entity’s operations. OIG has also found that site visits help foster more effective communication between the entity and the OIG.

What is the timing of the engagement of an IRO?

The Corporate Integrity Agreement (CIA) will specify the amount of time granted for selecting the IRO and reporting it to the OIG. Most agreements call for this to be done within 60-90 days of the effective date of the CIA.

Can the entity change its IRO?

An entity under a Corporate Integrity Agreement may change its IRO; however, it must notify the Office of the Inspector General (OIG) within 30 days of the change with an explanation as to the reasons for the change. The OIG has the ability to reject the selection of the new IRO within 30 days of the provider’s notice.

Why is an Independent Review Organization necessary?

An Independent Review Organization (IRO) is commonly required by the Office of the Inspector General (OIG) under the terms of a Corporate Integrity Agreement (CIA).  However, it should be noted that a qualified and independent entity can provide expertise and an objective assessment of your internal systems, as well as providing substantive consulting advisory services that can improve and enhance operational efficiency.  No other consulting firm has the depth of experience, expertise, and understanding of compliance in the health care sector.

How should an entity select a qualified IRO?

The Office of the Inspector General (OIG) calls for the selection of a firm that is qualified and experienced in the scope of work defined under a Corporate Integrity Agreement. This includes the IRO meeting the General Accepted Government Audit Standards (GAGAS) of the General Accountability Office for independence and objectivity, as well as being qualified and experienced in employing the OIG RAT-STATS methodology where statistical sampling is required. Entities considering prospective IROs should ensure that they are experienced in meeting these standards and provide evidence of having engagements that met them. Strategic Management has such qualifications and has worked with entities under a Corporate Integrity Agreement.

What are the OIG requirements concerning meeting the General Accountability Office (GAO) standards?

The Office of the Inspector General (OIG) calls for the selection of a firm that is qualified and that meets the General Accepted Government Audit Standards (GAGAS) of the General Accountability Office for independence and objectivity in conducting operational reviews. Corporate Integrity Agreements (CIAs) provide language as to the qualifications for an Independent Review Organization (IRO). According to the CIAs, all prospective IROs must meet defined standards under the General Accountability Office (GAO). In determining what firm should be its IRO, the entity should seek written attestation from prospective firms that they meet these standards. Strategic Management meets these standards.

What are the General Accountability Office (GAO) Yellow Book Standards?

The OIG calls for Independent Review Organizations to meet the standards for independence and objectivity set forth in the General Accountability Office (GAO) Government Auditing Standards (July 2007 Revision) (referred to here as the “Yellow Book”). The Yellow Book includes both ethical principles and general standards that apply to all types of IRO reviews performed under Corporate Integrity Agreements (CIAs) and form the basis of the OIG’s requirements relating to the independence and objectivity of the IRO. CIAs require that each IRO utilized by the provider must furnish a certification that the IRO has evaluated its professional independence and objectivity according to the GAO standards with respect to the review being performed for the provider. CIAs also give the OIG discretion to reject a provider’s choice of IRO or to require a provider to retain a new IRO if the OIG determines that the IRO does not meet these standards. As such, it is advisable in selecting an IRO to obtain a written attestation from the prospective IROs that they meet these standards.

When the Corporate Integrity Agreement requires statistical sampling, how must it be done?

When statistical sampling of claims or other data is required under a Corporate Integrity Agreement, the Office of Inspector General (OIG) calls for Independent Review Organizations to employ its so-called RAT-STATS methodology. This is used to generate the sample; the sampling unit and the population from which the sample will be selected must be defined. Failure of an Independent Review Organization (IRO) to properly employ this methodology can prove to be very problematic. In fact, many prospective IROs may not be familiar with this methodology. Strategic Management has one of the foremost experts in the country on RAT-STATS methodology with Dr. Cornelia Dorfschmid, Executive VP for the firm.

What are the various types of reviews that Independent Review Organizations are called upon to perform?

The scope of work is defined by the Corporate Integrity Agreement and is dependent on the substantive issues included in the original settlement with the U.S. Government. Most agreements focus on one or more areas, such as arrangements with referral sources, marketing practices, claims processes, and cost report development.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
