Systems Reviews versus Transaction Reviews in CIAs: Takeaways for Compliance Officers

Cornelia Dorfschmid | October 2010

Most compliance officers do not have to face the scrutiny and challenges of operating a compliance program under a Corporate Integrity Agreement (CIA) with the US Department of Health and Human Services (HHS) Office of Inspector General (OIG).  But those who do, typically have their programs undergo an annual review by an OIG-approved Independent Review Organization (IRO) that assess the organization’s compliance efforts.  A similar type of scrutiny may eventually become the future for all programs.  Health care reform made “mandatory” compliance programs the standard.  In essence, the Patient Protection and Affordable Care Act (PPACA) makes compliance programs mandatory as they become a requirement for participation in the federal health care programs.  PPACA requires that they contain the core elements established in compliance program guidance by the Secretary of HHS in consultation with the Inspector General, with respect to provider or supplier and industry or category. [1]

One may speculate that if there exists a condition of “compliance program effectiveness” that must be met, one day some accredited body or approved entity will be assigned the duty to check whether the condition is met and how it is to be interpreted.  In the meantime, it would be prudent to learn from those compliance programs that are already mandatory, namely those under a CIA, and examine standards and requirements applied to them by the IROs.

The more comprehensive CIAs include requirements to:

  • Hire a compliance officer/appoint a compliance committee;
  • Develop written standards and policies;
  • Implement a comprehensive employee training program;
  • Retain an IRO to review claims submitted to federal health care programs;
  • Establish a confidential disclosure program;
  • Restrict employment of ineligible persons;
  • Report overpayments, reportable events,and ongoing investigations/legal proceedings; and
  • Provide an implementation report and annual reports to the OIG on the status of the entity’s compliance activities.

The approaches taken by IROs that review these mandated programs under a CIA [2] may be indicators as to what exactly counts toward an effective compliance programs and can be mined for strategies to be emulated.  Furthermore, under the US Sentencing Commission Guidelines, all entities-not just health care organizations- are required to evaluate compliance program periodically and exercise due diligence and proper oversight, which include periodic risk assessment to prevent and detect criminal conduct. [3] Such risk assessments are part of an effective compliance program and should be considered in conjunction with the well-known seven elements described int he compliance program guidance by OIG.  Because IRO-type reviews can also support risk assessment efforts, they make an interesting case study.

IRO duties

Although many CIAs have common elements, each agreement is tailored to the specifics of the violation that occurred, which in turn will affect the content of the CIA.  The IRO’s review scope is therefore also related to the specific violations or problems that lead to the CIA. In CIAs, the OIG also uses the concept of “monitors” rather than IRos.  Independent monitors are performing a surveillance function in CIAs related to quality-of-care issues.  They tend to monitor on an ongoing basis with on-site visits, receive regular reports on quality measures, and review more frequently during the year, rather than auditing only once at the end of each implementation year, as a typical IRO would.  One could interpret this monitoring as concurrent review that freezes a period of time and examines the results of the process for that period. [4]  The IRO is not an agent of the government and, while approved by OIG and under contract with the health care organization under review, it acts as an independent external reviewer.

[1] See Sec 6201.  This provision is consistent with recent state developments that have made compliance program mandatory for Medicaid providers.   See also Lewis Morris, Chief Counsel to the IG: Testimony to Subcommittees on Health and Oversight of the U.S. House Ways and Means Committee on Reducing Fraud, Waste, and Abuse in Medicare.  Available at:

[2] See, OIG’s webpage on Corporate Integrity Agreements at

[3] United States Sentencing Commission Guidelines Manual  § 8B2.1 (November 2005), p. 482.

[4] See also, HHS Office of Inspector General: Notice for Potential Monitors for Quality-of-Care Corporate Integrity Agreements.  Available at

About the Author

Dr. Cornelia M. Dorfschmid has over 30 years of private and government sector experience in health care compliance consulting, the majority of which was in management and executive capacities. She is a recognized expert in the areas of claims auditing, overpayment analysis and risk management and corporate health care compliance.