Meeting the Challenge of Corporate Integrity Agreements and Independent Review Organizations

Thomas Herrmann | January 2013


The Department of Justice (DOJ) and the Department of Health and Human Services (HHS) Office of Inspector General (OIG), which investigate fraud and abuse committed against the Medicare and Medicaid programs, have the authority to enter into settlement negotiations to avoid prosecuting health care providers for fraud and abuse prosecutions. Corporate Integrity Agreements (CIAs) are often a part of any eventual settlement agreement between the DOJ and OIG and the health care provider, the federal government (CMS) and the health care provider, and/or the state government (Medicaid) and the provider. CIAs allow offending organizations and individuals the opportunity to reduce monetary penalties and, at times, entering into and complying with a CIA is the only bargaining chip that a health care provider may have to avoid being excluded from participation in federal health care programs. In return, these organizations and individuals declare their commitment to deal honestly with the federal government by complying with the provisions of the CIA.1

CIAs typically require the provider to implement a compliance program modeled after the OIG’s published compliance program guidance. 2 As the health care industry’s awareness and commitment to compliance-related matters has increased over the last 10 years, a large number of health care providers have voluntarily implemented compliance programs without direct governmental intervention. Despite their independent adoption of compliance programs, several health care providers have found themselves negotiating with the government in efforts to settle allegations that they have violated federal fraud and abuse laws such as the False Claims Act,3 the Civil Monetary Penalties Law,4 or the Program Fraud Civil Remedies Act.5 In such instances, the OIG has expressed openness to working with the provider’s existing compliance program rather than requiring a formal CIA in connection with the enforcement agency’s release of its permissive exclusion authority.

This chapter describes the statutory background established to protect federal health care programs from fraud and abuse and creating enforcement activities and penalties for violating the laws. It further describes the basic elements of settlement agreements and the requirements of CIAs, including the role of Independent Review Organizations (IROs) that ensure compliance with terms of the Agreement.

Have Compliance Concerns? We Have Solutions.

Speak with an Expert Today


The Health Care Portability and Accountability Act of 1996 (HIPAA) (P.L. 104–191) established a national Health Care Fraud and Abuse Control Program (“HCFAC Program”) to coordinate federal, state, and local law enforcement activities aimed at detecting, preventing, and prosecuting health care fraud and abuse. HCFAC is administered by the Department of Health and Human Services (HHS) and the Department of Justice (DOJ), This program has resulted in increased coordination and funding of enforcement activities directed to health care fraud and abuse in federal health care programs, such as Medicare and Medicaid. The result has been a dramatic growth in the number of health care providers and suppliers that are subject to audit and investigation activities as well as a greatly increased criminal, civil, and administrative sanctions imposed on health care providers and suppliers found to have engaged in misconduct involving federal health care programs.

In the HCFAC Program report for fiscal year (FY) 2011, the DOJ initiated 1100 new criminal health care fraud investigations and had filed criminal charges in 489 cases involving 1430 defendants. In addition, 742 defendants were convicted of health care fraud-related crimes. DOJ also opened 977 civil fraud investigations and had 1069 health care fraud matters pending at the end of the FY.6 In addition, the HHS Office of Inspector General (OIG) excluded 2,662 individuals and entities from participation in federal health care programs in FY 2011. These exclusions were based on criminal convictions for crimes related to Medicare and Medicaid (1,015) or other health care programs (233); for patient abuse or neglect (206); or as a result of licensure revocations (897).7 The OIG also imposed civil monetary penalties against providers and suppliers who submitted false or improper claims to Federal health care programs.8

Since the establishment of the HCFAC Program, the extent of law enforcement resources dedicated to addressing health care fraud and abuse has continued to be enhanced resulting in a concomitant increase in the number of criminal, civil, and administrative cases initiated against health care providers and suppliers.

Statute Authorities

Enforcement actions against health care providers and suppliers for fraud and abuse related to participation in federal health care programs are based on various criminal, civil, and administrative authorities. Some of the more significant criminal and civil laws used to address health care fraud and abuse include:

  • Section 1128B of the Social Security Act authorizes criminal penalties for certain types of misconduct involving federal health care programs. It is unlawful to make or cause to be made a false statement or representation in either applying for benefits or payments, or determining the right to a benefit or payment under a federal health care program. Further, an individual who conceals any event affecting an individual’s right to receive a benefit or payment with the intent to either fraudulently receive the payment or payment or convert a benefit or payment may be criminally liable. Violators may be convicted of a felony, and sentenced to imprisonment of up to five years and a fine of up to $25,000.9
  • The Anti-Kickback Statute (AKS), codified at §1128B(b) of the Social Security Act, makes it a criminal offense for anyone to knowingly and willfully solicit, receive, offer or pay any remuneration in return for or to induce referrals of items or services reimbursable under a Federal health care program.10
  • Under §1128A of the Social Security Act, the OIG is authorized to impose civil money penalties and assessment on an individual or entity that engages in misconduct with respect to federal health care programs. An individual who presents or causes to be presented a false or improper claim to a federal health care program may be subject to civil money penalties of up to $10,000 for each item or service falsely or improperly claimed as well as assessments of up to treble the amount claimed, and exclusion from participation in federal health care programs.
  • Exclusion from participation in federal health care programs is a separate administrative sanction under the Social Security Act11 that may be imposed on entities and individuals that are found to have engaged in fraud or abuse with respect to federal health care programs, or otherwise engaged in conduct determined to pose a risk to the programs and beneficiaries. Program exclusion is mandatory for individuals and entities convicted of certain offenses including a criminal offense relating to (1) the delivery of an item or service under a federal health care program, (2) neglect of abuse of patients, or (3) a felony relating to the unlawful manufacture, distribution, prescription or dispensing of a controlled substance.1 The OIG has the discretionary authority to exclude an individual or entity from participation in federal health care programs for various other types of misconduct including conviction of certain misdemeanors relating to fraud, theft, embezzlement, breach of fiduciary duty or other financial misconduct, suspension of a health care practitioner’s license for reasons bearing on the individual’s professional competence, professional performance, or financial integrity, or defaulting on a Health Education Assistance Loan (HEAL).13
  • Social Security Act §1877, the Physician Self- Referral Act, also known as the “Stark Law,” bars physicians from making “self referrals” for certain “designated health services” paid by Medicare or Medicaid to entities with which the physician (or immediate family) has a financial relationship. The submission of claims for designated health services in violation of the Stark Law is prohibited.14

The False Claims Act (FCA) is another civil law authority (separate from those codified in the Social Security Act) that serves as the basis for many health care fraud actions and settlements related to false claims submitted to federal health care programs. The FCA prohibits the knowing presentment of a false claim for payment to the federal government. Many health care fraud cases brought by the Department of Justice (DOJ) (or a private “relator”) are against health care providers and suppliers that have submitted claims for items or services not rendered or medically unnecessary services.15

Resolution of Cases

There has been significant increase in the number of health care providers and suppliers that are subject to sanctions for misconduct involving federal health care programs. For example, the Government Accountability Office (GAO) reported that in 2010, “over 600 more subjects were investigated in civil cases than in 2005, about a 35 percent increase.”16 GAO also reported that in 2010, in 602 civil cases a judgment was rendered in favor of the federal government or the parties entered into a settlement of the outstanding allegations. Of these parties, 27 percent were hospitals and 17 percent were medical facilities.17 They paid a total of over $2.1 billion in combined fines and restitution as a result of civil judgments or settlements.18

Civil Settlement Agreements

In recent years there has been a dramatic increase in the number of cases filed under the qui tam provisions of the False Claims Act (“FCA”) alleging the submission of false or fraudulent claims to various federal health care programs.19 Under this authority, a private citizen, called a “relator” may initiate a FCA action on behalf of the federal government. The government is then advised of the pending action and given the opportunity to enter the case. If the government declines to enter the case, the relator continues to litigate the action on behalf of the federal government. If the government enters a FCA case, it takes over the responsibility for litigating the action. The majority of cases where the government elects to enter a FCA case result in a settlement of the outstanding claims prior to commencement of a trial and rendering of a judgment.

In recent years, the Department of Justice (DOJ) has developed a standard format and terms for its civil settlement agreements resolving issues related to false or improper claims to federal health care programs. To the extent that improper conduct involving federal health care programs is voluntarily disclosed by a health care provider or supplier to either DOJ or Office of Inspector General (OIG), a civil matter may be resolved with payment of a significantly lower amount than might otherwise be the case. Often, in self disclosure cases, the settlement amount may approximate double the calculated damages to federal health care programs. In exchange for a health care provider’s or supplier’s agreement to pay a stipulated amount, the following releases are usually offered:

  • The DOJ and OIG agree to release the health care provider(or supplier from further action with respect to certain specified “covered conduct” under the False Claims Act (31 U.S.C. §§3729–3733), the Program Fraud Civil Remedies Act (31 U.S.C. §§3801–3812), and the Civil Monetary Penalties Law (42 U.S.C. § 1320a-7a).
  • The OIG agrees to release the health care provider or supplier from a discretionary exclusion from participation in federal health care programs for fraud, kickbacks, and other prohibited activities (42 U.S.C. § 1320a-7(b)(7) or for false or improper claims (42 U.S.C. § 1320a-7a).
  • The health provider or supplier agrees that the settlement amount will not be decreased by amounts that may be withheld at the time of the settlement by either the Medicare or Medicaid programs.
  • The health care provider or supplier agrees that all “unallowable costs,” e.g., costs incurred related to the investigation, defense, and negotiation, and the settlement amount, will not be charged to any federal health care program, such as through inclusion on a cost report or payment request to a federal health care program.
  • The health care provider or supplier agrees that all “unallowable costs” that previously were included in payments requested from a federal health care program will be identified and adjusted so as to delete those costs from the amounts previously received by the health care provider or supplier.
  • The federal government retains the right to audit or examine the health care provider or supplier’s books and records to confirm that no unallowable costs have been claimed and paid to the defendant.

While civil settlements entered into between DOJ and a health care provider or supplier often contain terms that are developed or customized to address the specific matters that were in dispute, the above reflect standard terms that usually are incorporated into such settlement agreements.20

Corporate Integrity Agreements

In cases in which there is a potential threat to the federal health care programs by a provider or supplier continuing to participate in those programs after settlement of outstanding government claims, the Office of Inspector (OIG) often addresses this risk through the negotiation and execution of a Corporate Integrity Agreement (CIA). CIAs have been common since the mid-1990s when the government began strengthening its efforts to enforce federal health care statutes and recoup funds lost as a result of fraud and abuse. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) significantly enhanced the resources and capabilities of federal agencies involved in these efforts, including the OIG. Since that time, OIG has entered into more than 1000 CIAs and similar agreements. CIAs have become tools utilized by the OIG for imposing terms and conditions on organizations who have settled with the Department of Justice (DOJ). The OIG posts all currently active CIAs on its web site.21

CIAs are written and executed agreements between the OIG and a health care provider or supplier after an investigation by the DOJ and/or the OIG reveals that the health care provider or supplier allegedly has submitted false claims under the False Claims Act (FCA). Although cumbersome and often expensive to comply with, CIAs guide organizations through the implementation of an effective compliance program that ultimately will lead to proper billing practices, including submission of accurate and complete claims for payment to federal health care programs, appropriate arrangements with physicians, and improved quality of care for program beneficiaries.

A CIA is essentially a contract between a health care entity and the OIG. Under a CIA, a health care provider agrees to assume certain compliance obligations in the context of a civil settlement with respect to its future participation in federal health care programs in exchange for the OIG’s agreement not to exclude the provider or supplier from Medicare, Medicaid and other federal health care program participation under its statutory authority. A CIA is usually five years in duration and is intended “to ensure the integrity of federal health care program claims submitted by [a] provider” in future years.22

Over the last several years, the OIG has entered into CIAs with numerous health care organizations, including pharmaceutical manufacturers, hospitals, physician practices, clinical laboratories, nursing homes, home health agencies, and durable medical equipment and pharmacy suppliers. Although the terms and conditions of these CIAs vary depending on the nature and extent of the alleged fraudulent or abusive activity, they have many similar elements. Each agreement addresses the specific facts of the conduct at issue and is intended to ensure the integrity of the federal health care programs and beneficiaries while allowing the provider or supplier to continue participating in the programs. In negotiating a CIA, the OIG attempts to recognize and be consistent with the elements of a provider’s preexisting voluntary compliance program.23 The OIG has sought to relieve the financial burden of compliance reviews and the use of independent review organizations (see ¶30,325) by exploring ways to increase reliance on providers’ internal audit capabilities and by offering flexibility on other requirements such as employee training.

Certificates of Compliance Agreements

In the past, the OIG negotiated a Certification of Compliance Agreement (CCA) with health care providers and other entities, in lieu of a comprehensive CIA under appropriate circumstances; however, the OIG recently moved away from CCAs and they no longer are being used. Self-disclosure as the result of an effective compliance program has been a key factor in securing a CCA over a CIA. The terms of a CCA included a requirement that the entity maintain its existing compliance program as described in a Declaration that was attached to the CCA. In addition, the entity was required to agree to certain compliance obligations that mirror those found in a comprehensive CIA, including: (1) reporting overpayments, reportable events, and ongoing investigations and legal proceedings to the OIG; and (2) providing annual reports regarding the entity’s compliance activities to OIG during the term of the CCA. CCAs typically had a term of only three years and required providers to certify that they will continue to operate their existing compliance programs for that period.

The discussions that follow will address the requirements generally set forth in a CIA:

  • standard CIA terms, see ¶ 30,320;
  • independent review organizations, see ¶ 30,325;
  • special CIA terms, see ¶ 30,330;

Standard CIA Terms

Corporate integrity agreements (CIAs) negotiated and entered into by the Office of Inspector General (OIG) have certain standard compliance requirements. Consistent with the United States Sentencing Commission’s “Federal Sentencing Guidelines Manual,” CIAs typically address the seven core elements of an effective compliance program. As a general rule, each CIA begins with a statement describing the reason that the health care entity is entering into the agreement. The statement confirms the provider’s desire to adhere to high standards of business ethics and demand the same of all of its employees, officers, agents, contractors, etc. It also affirms the provider’s commitment to adhere to the requirements for participation in Medicare, Medicaid, and all other federal health care programs. Next, the term and scope of the CIA is established, usually five years. The scope provides detailed guidance regarding which individuals and entities are subject to the terms of the CIA. These usually include officers, directors, employees, contractors, and agents of the organization. During the term of the CIA, the organization must follow the terms of the CIA or risk breaching the contract and being liable for fines detailed in the CIA as well as an extension of the period of exclusion from participation in federal and state health care programs.

Basic Elements

CIAs also include an agreement by the organization to comply with the basic elements of a compliance program that include:

  • hiring a compliance officer and establishing a compliance committee;
  • developing and implementing written standards and policies;
  • developing and implementing a comprehensive employee training program;
  • establishing and maintaining a confidential disclosure program;
  • restricting employment of “ineligible persons,” i.e. individuals who had been excluded from participation in federal health care programs;
  • reporting overpayments, certain key events, and ongoing investigations and legal proceedings;
  • repaying overpayments on a timely manner;
  • submitting an implementation report and annual reports to the OIG on the status of the its compliance activities; and
  • retaining an independent review organization (IRO) to undertake specified systems, arrangements, claims, transactions, and expenditures reviews.

The Annual Report

All CIAs carry a reporting obligation requiring the organization to submit an “annual report” regarding the provider’s compliance activities for the prior year. This includes the results of the independent review organization (IRO) review of the organization’s compliance with the terms of the CIA. The annual report is designed to keep the Office of Inspector General (OIG) informed of the provider’s compliance activities during the term of the Agreement.

The annual report must describe any changes to the structure of the provider’s compliance program and the level of resources dedicated to the program. In addition, among other things,, the annual report must include (1) a description of any reviews, audits, or analyses of the provider’s compliance program, (2) the provider’s response to such reviews, audits, or analyses; and a summary report of any overpayments refunded during the period. Furthermore, an officer of the provider must certify that the provider is meeting its obligations under the corporate integrity provisions of the CIA.

An initial annual report usually must be submitted within 60 days after the first anniversary of the effective date of the agreement. The “effective date” is generally defined in the agreement as a specific date or the date on which the Settlement Agreement with Corporate Integrity Provisions was fully executed. The provider should review the agreement carefully to determine the exact date on which its annual report will be due. The remaining annual reports due under the CIA must be submitted on each anniversary of the date of the initial report.

Have Compliance Concerns? We Have Solutions.

Speak with an Expert Today

Independent Review Organization Reviews

Health care and other organizations that enter into a CIA with the government usually are required to retain an independent review organization (IRO) to review a sample of the claims the organization submits to federal health care programs. IRO audits also may include an operational review of the organization’s process for compiling and submitting claims, including coding and medical necessity. The services of an IRO have become an integral part of CIAs.

There are usually both onsite and offsite components to an IRO’s work. On site work is essential to gain first-hand knowledge about the operation of the entity. In cases for which the required documents can be appropriately and effectively provided to the IRO without visiting the provider’s site(s), however, most of the IRO work can be done offsite. Typically, in the context of a five year CIA, when retention of an IRO is required by the OIG, it is specified that the IRO conduct a systems or arrangements review for the first and fourth years. In addition, the IRO is obligated to conduct a claims, transactions, or expenditures review on an annual basis. The IRO reviews are targeted toward assessing the program operations that had weaknesses resulting in issues that were resolved through a settlement agreement.

Notification of Government Investigations or Legal Proceedings

CIAs also require the provider to notify the OIG of any investigation or legal proceeding brought by a government entity or its agents involving allegations of criminal or fraudulent conduct. The provider is required to describe the nature of the allegations, the status of the investigation or legal proceeding, and which governmental entity is conducting such investigation. The notification requirement is limited to allegations of criminal or fraudulent conduct and does not include legal proceedings between private parties.

OIG Inspection, Audit, Review Rights, and Retention of Records

CIAs typically include provisions related to the OIG’s right to inspect and audit the provider and the retention of records. The inspection right provides the OIG contractual authority, in addition to any other right the OIG may have by statute, regulation, or otherwise, to examine the provider’s records and documentation and conduct on-site reviews to determine the provider’s compliance with terms of the CIA and with the federal health care program requirements. The OIG also may conduct employee interviews pursuant to this contractual provision and the provider is required to assist the OIG in arranging such interviews.

The record retention provisions of the CIAs generally require that the provider maintain all documents and records relating to reimbursement by federal health care programs and the compliance with the terms of the settlement for a specific period of time, such as four years, or longer if required by law. Most record retention policies are likely to exceed the contractual requirements. Hence, this provision is likely to fall within a provider’s existing compliance retention policy.

Breach and Default

CIAs include breach and default provisions that are standard and do not reflect anything specific to a particular provider’s compliance program. Generally, the breach and default provisions are not negotiable with the OIG. The nonnegotiable status presumably allows the OIG some level of consistency in application and enforcement of these provisions. The breach and default provisions address two general sets of noncompliance circumstances: (1) stipulated penalties, and (2) material breaches.

Stipulated Penalties

The breach and default provisions include contractual monetary fines or stipulated penalties that the provider must pay if it fails to comply with certain obligations of the CIA. The amounts of the stipulated penalties have changed over the years and may vary slightly depending on the provider type. Nevertheless, these obligations typically relate to the failure to maintain certain compliance program elements, such as a compliance officer, a code of conduct, written policies and procedures, training, auditing, and a disclosure program. Stipulated penalties also may be authorized if the provider fails to submit an annual report, violates the prohibition related to excluded individuals or fails to grant access as required under the terms of the CIA. The stipulated penalties are assessed for each day that the provider fails to comply. A demand letter is sent to the provider regarding the assessment of a stipulated penalty. The provider generally has ten days to cure the breach and pay the penalty or request a hearing before a HHS administrative law judge (ALJ) pursuant to certain dispute resolution provisions. If a hearing is requested, the stipulated penalties continue to accrue until the breach is cured. If a provider fails to respond to a demand letter, such failure to respond is considered a material breach.

Material Breach

In addition to being subject to stipulated penalties, a provider may be subject to exclusion from participation from federal health care programs for a “material breach” of the CIA. This exclusion authority is contractual, not statutory. A material breach is typically defined as one of three things: (1) failure by the provider to report a material deficiency, take corrective action, and make appropriate refunds; (2) repeated or flagrant violations of the CIA provisions; or (3) failure to respond to a demand letter for stipulated penalties. A provider is sent notice of a material breach, and is typically given 30 days to cure such material breach. Any cure must be made to the satisfaction of the OIG that the provider is in compliance. If the provider does not cure the material breach, the OIG may send a notice to the provider and exclude the provider from participation in federal health care programs, effective 30 days from the notice. The provider may appeal the exclusion through the contractual dispute resolution remedy.

Dispute Resolution

Both the assessment of stipulated penalties and the exclusion due to material breach are subject to certain dispute resolution provisions. The dispute resolution provisions are specifically stated as being contractual remedies even though these provisions reference certain regulatory appeal procedures. More specifically, the provider will have a right to a hearing before an ALJ and an appeal to the Department Appeals Board (DAB) under the terms of the CIA. The dispute resolution provisions do not adopt all of the regulatory appeal provisions. In addition, the dispute resolution provisions generally include an acknowledgment by the provider that a decision by the ALJ or DAB is not appealable as it would be under statute or regulation. Hence, providers should seek legal counsel to assist in adherence to the dispute resolution provisions and address their distinction from other regulatory provisions.

Independent Review Organizations

Hundreds of health care providers and plans that have entered into fraud settlements with the Department of Justice (DOJ) also have entered into Corporate Integrity Agreements (CIAs) with the HHS Office of Inspector General (OIG) that includes a requirement that the settling health care provider employ an Independent Review Organization (IRO) to monitor the provider’s compliance with the terms of the CIA and audit its compliance in areas that were the subject of the government’s investigation. In some cases, the DOJ will appoint a Monitor that is similar in duties and responsibilities to that of an IRO. There are over 300 CIAs in force that were negotiated with the OIG in the last couple of years that required an IRO to monitor compliance with the terms of the Agreement. These CIAs most often come about as result of a settlement of a civil false claims case with the DOJ and are now a common feature on the health care landscape.

An IRO can be an accounting auditing, or consulting firm that provides independent and objective reviews to ensure that the organization is complying with are the requirements of a CIA. Required IRO reviews may include a systems, transaction, or operational review. From the government’s perspective, the IRO serves as an extension of the government’s own auditing and monitoring functions. Though selected and paid by the entity, the IRO is accountable to the OIG.

On July 30, 2001, the OIG, in conjunction with the Health Care Compliance Association (HCCA), sponsored a Government-Industry Roundtable to discuss “issues surrounding the implementation and maintenance of effective compliance programs.”24 Specifically discussed, in the context of health care fraud and abuse settlements, was the OIG requirement that an independent organization or individual, also known as an IRO, be retained by health care provider or professional to perform annual billing, systems, or other compliance reviews. It was noted:

The OIG requires IROs because the OIG does not have the resources to conduct the level of review necessary to determine if a provider is meeting the requirements of the CIA, as well as other Federal health care program requirements. Additionally, a review by an independent entity provides the OIG with assurances that a provider’s compliance program and billing systems are objectively reviewed.25

Conference participants highlighted the positive attributes of an IRO. “IROs provide a broad industry perspective and expertise, are independent, help identify system weaknesses, make helpful recommendations, and their reviews serve as a useful benchmark for future reviews conducted by the provider.”26

Independence and Objectivity

From the perspective of the OIG, it is essential that an IRO conduct its reviews with both independence and objectivity. A standard requirement in a CIA is that “[t]he IRO must perform [its] review in a professioally independent and objective fashion, as appropriate to the nature of the engagement, taking into account any other business relationships or engagements.” Typically, the IRO is obligated to provide a certification regarding its professional independence and objectivity. Further, a CIA usually states that “[i]n the event OIG has reason to believe that the IRO . . . is not independent and objective…, the OIG may, at its sole discretion, require” the engagement of a new IRO.27

The OIG has stated that an IRO should follow “the standards for auditor independence set forth in the General Accountability Office (GAO), Government Auditing Standards (2007 revision)(referred to… as the ‘Yellow Book’. The Yellow Book includes both ethical principles and general standards that apply to all types of IRO reviews performed under CIAs and form the basis of the OIG’s requirements related to the independence and objectivity of the IRO.”28 The OIG has noted:

When assessing independence, the two overarching principles that must be considered are that: (i) audit organizations should not perform management functions or make management decisions and (ii) audit organizations should not audit their own work or provide non-audit services in situations where the non-audit services are significant/material to the subject matter of the audits.29

In July 2007, the GAO issued its fourth revision of the Yellow Book standards. With respect to performance audits, such as those performed by IROs, the new standards are applicable to those undertaken on or after January 1, 2008.30 This edition places increased emphasis on governing ethical principles, clarification of the impact of performing nonaudit services auditor independence, and enhancement of performance audit standards.

Selecting an Independent Review Organization

It is important to note that the OIG does not select the IRO. Furthermore, they do not provide advice on how to select one, nor do they endorse any organizations to be the IRO. It is entirely up to the entity or provider to determine the most appropriate organization to engage as IRO. The OIG, however, reserves the right to approve or deny the entities or provider’s choice of IRO within 30 days after the OIG receives written notice of the identity of the IRO. Typically, entities such as consultants, certified public accountant (CPA) firms, or law firms are engaged to perform such tasks. Whereas most of health care organizations that have entered into settlement agreements with the DOJ spent a great deal of time, effort, and money working to a settlement, they gave relatively little thought about the process of selecting an IRO that would be approved by the OIG. In many cases this has led to added problems and aggravation. The following discussion is designed to assist any organization confronted with the prospects of a CIA to think about how to go about finding and selecting a qualified IRO.

An integral part of the CIA is the provider or entity certifies compliance with the seven elements of an effective compliance program. The OIG, however, does not normally include verification of compliance with the seven elements within the IRO scope of work. What is included in the CIA require various types of reviews by an IRO to ensure compliance with case specific incidents under scrutiny (physician arrangements, off-label use of drugs, inappropriate billing or marketing practices, et cetera).

For those entities entering into a CIA, it is important to ensure that the scope and breadth of the Agreement is clearly outlined and specific defined. In most cases, compliance program and claims reviews are fairly straightforward as long as parameters of what constitutes an “error” are predetermined. In some instances, however, CIAs are developed in response to issues or alleged misconduct that require program evaluations and monitoring rather than claims reviews. Before final agreement with the CIA, it is advisable to have on hand a subject matter expert to assist in ensuring that the terms and conditions under the CIA are clear and that the scope and objectives of the IRO are also well defined.

Depending on the complexity of the CIA, it may be necessary to have more than one firm to be able to carry out all the terms and conditions of the reviews. In such cases, it is advisable to select one firm to project manage the entire engagement rather than hiring multiple IROs. Multiple IROs increase the costs and complexities in managing the process.

There are many ways in which to identify the best IRO to meet your entity’s specific needs.

  • First and foremost, ensure that there are no conflict of interest concerns for the prospective IRO. This is one of the criteria upon which the OIG insists. The OIG states that it would be a conflict of interest if the IRO is under engagement with the organization and is performing management functions or make management decisions. The OIG has enumerated many examples of conflict of interest, but in short this is means that the IRO cannot be involved in reviewing any work in which they had a role in developing. In short, the IRO must not have their work conflict with any previous work it has done with the entity.
  • Only engage a firm that will attest to experience in meeting the Government Accountability Office (GAO) “Generally Accepted Government Audit Standards” for operational reviews. Operational reviews and financial reviews are dealt with separately in those standards. The OIG requires IROs to meet certain of these standards.
  • The prospective IRO firm should have expertise in the specific areas that fall within the scope of work for the IRO. What the provider does not need is to pay a firm to learn about its business sector at its expense. Also the absence of program expertise in the provider’s area can lead with difficulties in execution of the agreement and possibly with the IRO’s credibility when the reports are submitted to the OIG.
  • Establish the firm’s experience in health care and its history in addressing the types of issues included in the terms and conditions of the CIA. There is a huge difference between a provider, managed care organization, and a pharmaceutical manufacturing company . Determine how long the firm has been in business in serving the provider’s particular sector. This should not be a learning opportunity for the firm at the provider’s expense. It is advisable to ask for specific experience in the provider’s sector.
  • Select a firm that has an established record of having been approved by the OIG as an IRO and serving successfully in that capacity. With so many CIAs on record there are many firms that have served as an IRO many times. The more the experience, the better, and the longer the track record, the higher the credibility with the OIG. As such, it is not unreasonable to expect a prospective firm to have so served as an IRO a half dozen times or more. An experienced firm will be able to manage reporting effectively and communicating with both the provider and the OIG in a clear, consistent, and efficacious manner.
  • Always ask for references with other organizations that the prospective firm has worked with in the past. Among the benefits of such referencing is to find out whether the firm was able to meet its obligations to their satisfaction and the OIG as well. It is worth finding out whether the IRO performed its services, in consideration of the organization’s need, economically , professionally, competently , and reasonably. The latter point goes to whether they performed their work openly or with a “gotcha” mentality.
  • Avoid a “bait and switch” wherein the people negotiating to become the IRO are quickly switched to lesser qualified individuals to perform the work. Insist that the prospective IRO specifically identify the key persons assigned to the engagement, along with their personal qualifications. Just because a firm has had multiple experiences as an IRO does not mean the individuals it intends to use in this instance are the ones with the experience.
  • Many CIAs have multiple requirements that cut across a number of skill and knowledge sets. For example, a CIA may have requirements related to coding and billing as well as review of cost reports and physician arrangements. It is far more cost effective and efficient to have a single IRO that will address all these areas rather than negotiating multiple IRO contracts for each area separately. Also, the OIG will review the work of each IRO separately and may have contacts with them. Having more than a single IRO multiplies the costs of the services and the complexity of the process. This point cannot be underscored enough.
  • Ensure that the prospective IRO has the program expertise and professionalism to handle the requirements of the engagement. If the case is complex, it is important that the prospective IRO be able to perform its duties efficiently to satisfy the needs of the provider as well as the OIG monitor overseeing the CIA. The experienced IRO will know how to handle complicated issues appropriately and in a timely manner.
  • Another major consideration is the fee rates and charges that can range considerably depending on the size of the prospective IRO organization and other factors. It is important to consider that costs right alongside of experi- ence, professionalism, and industry knowledge.

Selecting a proper IRO that meets the provider’s needs is a critical decision process that should not be taken lightly. Any problems the OIG finds with the IRO will reflect badly on the organization and could aggravate relations with the federal government. Having a CIA with an organization has predisposed the OIG to question the organization’s integrity and commitment to compliance. This is driven home by the requirement for an IRO to act as guarantor that the organization will comply with the terms of the Agreement. As such, it is important that the provider select a firm that has a strong and credible record as an IRO, has specific industry expertise in its area of operation, is free of any conflicts of interest or appearance of it, and assigns the right kind of professional staff to carry out the mandates of the CIA.

Special CIA Terms

In recent years, the Office of Inspector General (OIG) has “customized” corporate integrity agreements (CIAs) to specifically address and prevent the misconduct that was the basis for an organization’s or individual’s settlement with the federal government. Some of these specialized CIAs are highlighted below:

Beneficiary rights.

Under the CIA between the HHS OIG and Amerigroup Corporation, effective: August 13, 2008, the managed care organization must appoint a Beneficiary Rights Ombudsman to respond to complaints by Medicare and Medicaid beneficiaries and ensure that materials distributed to beneficiaries contain information regarding the company’s nondiscrimination policy.

Board oversight

Under the CIA between the HHS OIG and Christ Hospital, effective October 27, 2010, the Board of Trustees is charged with responsibility for the review and oversight of matters related to compliance with federal health care program requirements and compliance with the CIA. A Board Oversight Committee must be established, including at least three board members who are not officers or employees, and it must adopt a resolution for each reporting period summarizing the Board’s review and oversight of the organization’s compliance program.

Financial arrangements

Under the CIA between the HHS OIG and Exactech, Inc., effective December 7, 2010, all new consulting agreements andrenewals must require that a consultant disclose the financial arrangement with the company to patients and affiliated hospitals. In addition, the company is required to fully cooperate with any OIG investigations, including the provision of documents and records and testimony in any court or administrative proceeding.

Compliance monitoring and oversight activities at multiple locations

Under the CIA between the HHS OIG and WellCare Health Plans, Inc., effective April 26, 2011, this managed care organization is required to appoint a compliance liaison in each of its seven main locations, who must be independent of the company’s legal department. In addition, certain employees (“certifying employees”) must monitor and oversee activities in their area of authority and annually submit a certification that the area under their supervision meets federal health care program requirements and the CIA requirements, and they are not aware of any potential violations.

Annual review of compliance and clinical programs.

Under the CIA between HHS OIG and Maxim Healthcare Services, Inc., effective September 9, 2011, the company must engage a consultant to review and evaluate its compliance and clinical programs annually for each of five reporting periods.

Compliance with the prohibition of “off label” promotion of drugs

Under the CIA between HHS/ OIG and Abbott Laboratories, effective May 7, 2012, this pharmaceutical manufacturer must adopt policies and procedures to ensure that compensation will not be provided to improperly incentivize sales representatives to engage in “off label” promotion, marketing, and sales of government reimbursed drugs as well as prohibit incentive compensation for sales related to off label promotion of government reimbursed drugs. In addition, Abbott Laboratories must maintain its risk assessment and mitigation process.

Oversight by business units; policies and procedures on promotional, product-related, and payer-related functions; and funding of grants and compensation arrangements.

Under the CIA between HHS/OIG and GlaxoSmithKline LLC (“GSK”), effective June 28, 2012, certain GSK officers and employees are required to monitor and oversee activities within their area of responsibility and annually certify that the business unit under their supervision is compliance with federal health care program and Food and Drug Administration (FDA) requirements and the terms of the CIA. In addition, GSK must advise any related entity’s “third party personnel” of the company’s compliance program, obligations under the CIA, and requirements of federal health care programs and the FDA. GSK also is required to develop and adopt policies and procedures focusing on appropriate ways to conduct promotional functions, product related functions, and payer related functions; engagement in “off label” promotional activities; distribution of coupons or vouchers for government reimbursed products; education and training of sales personnel; review of promotion materials and information; consultant and other types of services arrangements; sponsorship or funding of grants to health care organizations; funding of educational activities; compensation of “covered persons;” recoupment of forfeiture of annual performance pay for employees and covered executives for misconduct; and sponsorship of human subject research. GSK must maintain a risk assessment program called TRACER (Targeted risk-based analysis compliance evaluations and review).

The OIG has indicated that it will continue to incorporate specific provisions in future CIAs to address the risks associated with the misconduct that led to a company’s settlement with the federal government to mitigate future exposure to federal health care programs and beneficiaries.

Future Directions

On August 7, 2012, the HHS Office of Inspector General (OIG) held a “roundtable” meeting with representatives of health care companies that had entered into a corporate integrity agreement (CIA) with the OIG. The roundtable, titled “Focus on Compliance – The Next Generation of Corporate Integrity Agreements” was intended to obtain information about compliance “best practices” and efforts to operate a legally compliant and effective manner consistent with the terms of a CIA. The discussion focused on various topic areas, including:

  • the definition of “covered persons” and “relevant covered persons” subject to a CIA’s requirements;
  • the definition of “focus arrangements;” • external review of arrangements;
  • code of Conduct;
  • written policies and procedures;
  • training;
  • role of the Compliance Officer;
  • role of internal audit;
  • Board of Directors’ involvement with the CIA; • claims review requirements; and
  • arrangements review requirements.

A complete summary of these topic area discussions may be found in a “White Paper” issued by the OIG in October 2012.31 While there was no consensus or specific recommendations made, it was reported that program “participants requested that OIG consider providing additional compliance guidance to the industry . . . .” It was suggested that “specific guidance outlining best practices would support the compliance officer’s role in the organization.”32

In light of the many points of view expressed on these and other CIA related issues, as well as the OIG’s articulated goal to protect federal health care programs and beneficiaries from future misconduct, it may be expected that there will be amendment and enhancement of CIAs by the OIG in coming years.

The continued governmental focus on health care fraud enforcement will undoubtedly lead to a greater number of civil settlements by health care providers and suppliers in the future. To ensure that a health care provider or supplier settling a False Case Act case with the government will abide by program participation requirements, there will be increased reliance on the OIG to protect the programs and beneficiaries from future risk through CIAs. Thus, enhanced specificity in CIAs, addressing claims accuracy, overall compliance by a settling health care provider or supplier, and Board/Management accountability will continue to be the focus of the OIG as a condition for continued participation in Federal health care programs.

Have Compliance Concerns? We Have Solutions.

Speak with an Expert Today

1 – See 42 U.S.C. § 1320a-7a; § 1320a-7(b)(7). 2 – The OIG has published a series of compliance program guidances directed at various health care providers and suppli- ers. A detailed listing of these OIG compliance program guid- ances can be found at the OIG’s website: fraud/complianceguidance.html. 3 – 31 U.S.C. § § 3729 through 3733. 4 – 42 U.S.C. § 1320a-7a. 5 – 31 U.S.C. § § 3801 through 3812. 6 – DOJ and HHS, HCFAC Program Annual Report for FY 2011, February 1, 2012. 7 – Id. 8 – Id. 9 – 42 U.S.C. § 1320a-7b. 10 – 42 U.S.C. § 1320a-7b(b). 11 – 42 U.S.C. § 1320b-6. 12 – 42 U.S.C. § 1320a-7(a). 13 – 42 U.S.C. § 1320a-7(b). 14 – 42 U.S.C. § 1395nn(a)(1). 15 – 31 U.S.C. § § 3729–3733. 16 – GAO Report , “Health Care Fraud – Types of Providers I Medicare, Medicaid, and the Children’s Health Insurance Cases,” GAO 12-820 at 27, September 7, 2012. 17 – Id. at 29. 18 – Id. at 31. 19 – False Claims Act, 31 U.S.C. § § 3729–2733. 20 – See settlement agreement between the United States and Temple University – Of the Commonwealth System of Higher Education, effective May 14, 2012. 21 – See 22 – Notice, 74 FR 52964, October 9, 2009. 23 – See Also for detailed infor- mation and Frequently Asked Questions regarding CIAs and IROs, see 24 – 24 “Building a Partnership for Effective Compliance,” The Third Government-Industry Roundtable, July 30, 2001, 25 – 25 Id. at 2. 26 – Id. at 3. 27 – See 28 – “Frequently Asked Questions Related to IRO Indepen- dence,” 29 – Id. at 1–2. 30 – GAO, Government Auditing Standards, July 2007 Revision (Yellow Book), GAO-07-731G, available at http:// 31 – OIG report, “Focus on Compliance – The Next Generation of Corporate Integrity Agreements,” October 9, 2012. 32 – Id.

About the Author

Thomas Herrmann advises health care clients on compliance and regulatory matters, with a focus on development and management of effective health care compliance programs. Mr. Herrmann is a recognized expert on issues related to the federal Anti-Kickback Statute, Stark Law and the False Claims Act.