Recent corporate integrity agreements (CIAs) and integrity agreements (IAs) include changes to the U.S. Department of Health & Human Services, Office of Inspector General (OIG) CIA and IA model language. These revisions reflect OIG’s evolving expectations concerning compliance program design and effectiveness and are noteworthy for all healthcare providers—not just those subject to integrity agreements. Among other changes, key revisions signal an increased focus on the compliance committee’s role in core compliance functions, compliance controls designed to promote compliance with the Stark Law and Anti-Kickback Statute, and how providers calculate overpayment refunds in connection with independent review organization (IRO) reviews.
The changes to the CIA model have implications for all providers. For providers currently under a CIA—while their existing CIA contractual requirements will not change—it is helpful to understand the evolution of the agency’s thinking because, for example, that may influence potential questions raised by their OIG monitor. For providers currently under a False Claims Act (FCA) investigation, it is important to understand the new CIA language to demonstrate relevant compliance controls and structure if negotiating with OIG to avoid a CIA, assess potential CIA obligations in the future, and evaluate the approach to CIA language negotiation strategy if a CIA is ultimately required as part of the resolution. Other providers can look to these CIA model requirements to understand agency expectations for compliance program design and oversight.
CIA and IA background
By way of background, OIG may negotiate a CIA or IA with a healthcare company in connection with the settlement of a civil false claim investigation. The provider agrees to CIA obligations, and, in exchange, OIG agrees not to seek their exclusion from participation in federal healthcare programs under OIG’s permissive exclusion authority. CIAs are considered a type of industry guidance that provides insight into OIG’s expectations for compliance program design and effectiveness. CIAs involve larger healthcare entities, whereas IAs typically involve individual practitioners, small group practices, or smaller providers. Although this article focuses on CIAs, many of the developments discussed also apply to IAs.
Not every FCA settlement requires a CIA. OIG uses specific factors identified in its Social Security Act § 1128(b)(7) exclusion authority guidance to assess future risk and, based on those factors, places each party to a FCA settlement into one of five categories on a risk spectrum.[1] The five categories from highest risk to lowest risk are (1) exclusion, (2) heightened scrutiny, (3) integrity obligations (i.e., a CIA or IA), (4) no further action, and (5) release, self-disclosure. The second category, heightened scrutiny, is for providers that OIG determined needed a CIA, but the provider refused to enter a CIA. For providers that reached settlements finalized in October 2018 or later, OIG lists parties in the “high risk” category because they refused to enter a CIA on OIG’s website.[2]
OIG also releases information about its resolution of FCA settlements and how, for each fiscal year, it has categorized entities in connection with FCA settlements.[3]
Common CIA elements
While CIAs have many common elements, they are tailored to focus on the specific circumstances at issue in the underlying matter, particularly as it relates to the type of IRO testing required by the CIA. A CIA typically lasts five years and includes the following requirements:
-
Maintaining a compliance officer.
-
Appointing a compliance committee.
-
Developing written standards and policies.
-
Implementing a comprehensive training program.
-
Retaining an IRO to conduct annual reviews (e.g., claims reviews, medical necessity reviews, arrangements reviews, quality of care reviews).
-
Establishing and maintaining a confidential disclosure program.
-
Restricting employment of or contracting with ineligible persons.
-
Conducting an annual risk assessment and developing internal audit work plans.
-
Obtaining compliance certifications from certain management employees and a board compliance resolution.
-
Reporting overpayments, reportable events, and ongoing investigations and legal proceedings.
-
Providing reports to OIG on the status of the entity’s compliance activities following the implementation period and on an annual basis.
More recently, OIG has also required some providers to engage an independent compliance expert to advise the board. In addition, the agency appoints an OIG employee as an OIG monitor who is charged with overseeing the company’s compliance with the CIA. The monitor can also serve as a resource to collaborate with the company regarding CIA implementation questions.