Recent corporate integrity agreements (CIAs) and integrity agreements (IAs) include changes to the U.S. Department of Health & Human Services, Office of Inspector General (OIG) CIA and IA model language. These revisions reflect OIG’s evolving expectations concerning compliance program design and effectiveness and are noteworthy for all healthcare providers—not just those subject to integrity agreements. Among other changes, key revisions signal an increased focus on the compliance committee’s role in core compliance functions, compliance controls designed to promote compliance with the Stark Law and Anti-Kickback Statute, and how providers calculate overpayment refunds in connection with independent review organization (IRO) reviews.
The changes to the CIA model have implications for all providers. For providers currently under a CIA—while their existing CIA contractual requirements will not change—it is helpful to understand the evolution of the agency’s thinking because, for example, that may influence potential questions raised by their OIG monitor. For providers currently under a False Claims Act (FCA) investigation, it is important to understand the new CIA language to demonstrate relevant compliance controls and structure if negotiating with OIG to avoid a CIA, assess potential CIA obligations in the future, and evaluate the approach to CIA language negotiation strategy if a CIA is ultimately required as part of the resolution. Other providers can look to these CIA model requirements to understand agency expectations for compliance program design and oversight.
CIA and IA background
By way of background, OIG may negotiate a CIA or IA with a healthcare company in connection with the settlement of a civil false claim investigation. The provider agrees to CIA obligations, and, in exchange, OIG agrees not to seek their exclusion from participation in federal healthcare programs under OIG’s permissive exclusion authority. CIAs are considered a type of industry guidance that provides insight into OIG’s expectations for compliance program design and effectiveness. CIAs involve larger healthcare entities, whereas IAs typically involve individual practitioners, small group practices, or smaller providers. Although this article focuses on CIAs, many of the developments discussed also apply to IAs.
Not every FCA settlement requires a CIA. OIG uses specific factors identified in its Social Security Act § 1128(b)(7) exclusion authority guidance to assess future risk and, based on those factors, places each party to a FCA settlement into one of five categories on a risk spectrum.[1] The five categories from highest risk to lowest risk are (1) exclusion, (2) heightened scrutiny, (3) integrity obligations (i.e., a CIA or IA), (4) no further action, and (5) release, self-disclosure. The second category, heightened scrutiny, is for providers that OIG determined needed a CIA, but the provider refused to enter a CIA. For providers that reached settlements finalized in October 2018 or later, OIG lists parties in the “high risk” category because they refused to enter a CIA on OIG’s website.[2]
OIG also releases information about its resolution of FCA settlements and how, for each fiscal year, it has categorized entities in connection with FCA settlements.[3]
Common CIA elements
While CIAs have many common elements, they are tailored to focus on the specific circumstances at issue in the underlying matter, particularly as it relates to the type of IRO testing required by the CIA. A CIA typically lasts five years and includes the following requirements:
-
Maintaining a compliance officer.
-
Appointing a compliance committee.
-
Developing written standards and policies.
-
Implementing a comprehensive training program.
-
Retaining an IRO to conduct annual reviews (e.g., claims reviews, medical necessity reviews, arrangements reviews, quality of care reviews).
-
Establishing and maintaining a confidential disclosure program.
-
Restricting employment of or contracting with ineligible persons.
-
Conducting an annual risk assessment and developing internal audit work plans.
-
Obtaining compliance certifications from certain management employees and a board compliance resolution.
-
Reporting overpayments, reportable events, and ongoing investigations and legal proceedings.
-
Providing reports to OIG on the status of the entity’s compliance activities following the implementation period and on an annual basis.
More recently, OIG has also required some providers to engage an independent compliance expert to advise the board. In addition, the agency appoints an OIG employee as an OIG monitor who is charged with overseeing the company’s compliance with the CIA. The monitor can also serve as a resource to collaborate with the company regarding CIA implementation questions.
Changes to OIG’s model CIA language
Compliance officer
Historically, OIG has acknowledged that a provider’s compliance officer may have noncompliance job responsibilities. Previously, CIAs required that any noncompliance job responsibilities of the compliance officer should be “limited and not interfere with the corporate compliance officer’s ability to perform the duties outlined in [the] CIA.” Recent CIA model language narrows the ability of the compliance officer to hold noncompliance responsibilities and allows OIG enhanced oversight. The new model language states that the compliance officer “shall not have any noncompliance job responsibilities that, in OIG’s discretion, may interfere or conflict with the Compliance Officer’s ability to perform the duties outlined in [the] CIA.”[4] Practically speaking, this new language suggests OIG will need to approve any noncompliance responsibilities. This change signals that OIG is becoming more focused on the compliance officer’s job responsibilities and whether the compliance officer has adequate resources and time to oversee and implement an effective compliance program; this is in addition to ensuring that the compliance officer does not have any perceived conflicts of interest that may arise from noncompliance job responsibilities.
Compliance committee
OIG has also made changes to model language reflecting the obligations and responsibilities of the obligated entity’s compliance committee. Historically, CIAs provided that the compliance committee should support the compliance officers in fulfilling their responsibilities. More recent CIA model language indicates that OIG views the compliance committee’s role as evolving into a more active posture. Specifically, new language provides that the “Compliance Committee shall be responsible [emphasis added] for, among other things, reviewing the policies and procedures required . . . at least annually, reviewing the training required . . . at least annually, implementation and oversight of the risk assessment and internal review process . . . , and the development and implementation of the Transition Plan.”[5] The compliance committee’s expanded role is reflected in additional specific provisions throughout the CIA, including the compliance committee’s review of policies and procedures, the training plan, and board training. This language indicates that the agency’s expectations for the compliance committee have evolved from the support of the compliance officer and general oversight to more direct interaction and involvement in the compliance program.
Exclusion screening lists
OIG also revised the definition of exclusion lists to include state Medicaid exclusion lists. For context, CIAs typically have three different types of obligations for ineligible persons. First, CIA-obligated providers must conduct screenings of identified screening lists at regular intervals. Second, CIA-obligated providers must report as a reportable event the employment of or contracting with or having as a member of the active medical staff a covered person who is an ineligible person. Third, CIA-obligated providers must remove excluded individuals from certain job responsibilities.
Historically, the “Exclusion List” for purposes of CIA exclusion screenings was defined as the OIG List of Excluded Individual and Entities (LEIE)[6] and, for certain older CIAs, the OIG LEIE and the General Services Administration’s System for Award Management (SAM). However, the definition of “ineligible person” (which serves as the basis for reportable event obligations and removal requirements) was defined to include someone who is “currently excluded from participation in any Federal health care program.” That definition would presumably include individuals excluded from a state Medicaid program even though the explicit screening obligations did not include requirements to screen such lists.
Recent CIAs define “Exclusion Lists” for purposes of required screenings as the LEIE and state Medicaid program exclusion lists that are publicly available.[7] This change reflects an increasing focus on screening state exclusion lists.
Arrangements controls
The Anti-Kickback Statute and Stark Law continue to be an area of focus for government enforcement; changes to OIG’s model CIA language reflect the government’s heightened expectations for how providers implement controls to mitigate risk involving arrangements. Historically, CIAs for matters resolving arrangements-related allegations and/or involving arrangements IRO reviews contained language specific to arrangements-related controls. In contrast, CIAs focused on claims and/or medical necessity did not typically include specific arrangements requirements. This approach has changed, and recent OIG CIAs that are not arrangements-based still contain the following arrangements controls and requirements:
-
Developing and implementing policies and procedures that address compliance with the Anti-Kickback Statute and the Stark Law and include a written review and approval process for arrangements.[8]
-
Implementing a centralized annual risk assessment and internal review process to identify and address risks including, but not limited to, the risks associated with submitting claims for items and services furnished to Medicare and Medicaid program beneficiaries and the Anti-Kickback Statute and Stark Law risks associated with arrangements.[9]
OIG’s expansion of its expectations related to arrangements compliance controls underscores the significance of providers having arrangements contracting protocols and oversight.
IRO review of underpayments
Another change in the model language relates to IRO reviews and the application of underpayments concerning error rates. Historically, OIG took the position that underpayments should not be used to reduce the error rates in IRO reviews. However, the new model adds language to explicitly permit the subtraction of underpayments in calculating the error rate for IRO reviews. Specifically, the model language states: “‘Error Rate’ means the percentage of net Overpayments identified in the Claims Review Sample. The net Overpayment shall be calculated by subtracting all underpayments identified in the Claims Review Sample from all Overpayments identified in the Claims Review Sample.”[10] This change is beneficial to providers whose CIAs include this language because it permits those providers to reduce the error rate in the IRO review based on potential underpayments identified by the IRO.
IRO extrapolation
Claims reviews conducted by IROs are typically limited to a sample of claims per review period. Historically, CIAs contained a 5% threshold for extrapolation; specifically, CIAs provided that if the net financial error rate of a sample of 50 claims met or exceeded 5%, then a full sample must be reviewed with enough claims to extrapolate results to the population of claims at issue. Providers had to repay any extrapolated overpayment amount from the full sample at the point estimate. In recent years, OIG removed its bright-line 5% error rate threshold and updated CIA language to state that the company was responsible for determining whether the 60-day overpayment rule requires an extrapolated repayment to be repaid. As such, obligated entities retained discretion to evaluate the facts and circumstances of each review to determine whether they had any additional review and/or repayment obligations consistent with the 60-day overpayment rule. OIG has again revised its approach to extrapolation in its new model CIA. Current language now requires automatic extrapolation of the IRO results, regardless of the error rate. Specifically, the current model language states:
“The findings of the Claims Review Sample shall be used by the IRO to estimate the actual Overpayment in the Population with the point estimate and a two-sided 90% confidence interval. Within 60 days of receipt of the Claims Review Report, [Provider] shall repay the lower limit of the two-sided 90% confidence interval (Estimated Overpayment) to CMS.”[11]
Although OIG now requires automatic extrapolation in claims reviews in its CIAs, we expect that many providers and suppliers will continue to conduct audits and assess potential extrapolation and repayment obligations in line with the 60-day overpayment rule commentary, which states, “providers and suppliers will need to review the specific facts and circumstances [of audits], including the billing and coverage rules, to determine the required scope of their reasonable diligence.”[12]
In response to a comment regarding instances where overpayment size “. . . is small and does not warrant the expense of creating a statistical sample to calculate a refund amount,” OIG replied, “We structured the final rule to have certain flexibilities for providers and suppliers to account for the various circumstances that may involve an overpayment . . .. This final rule expressly anticipates that providers and suppliers may, but are not required to, use statistical sampling and extrapolation for calculating the overpayment amount.”[13]
As described, OIG’s position has evolved as it pertains to extrapolation in CIA IRO claims reviews. Accordingly, this is an important area for providers to monitor to assess agency positions and potential enforcement risks related to auditing and overpayments.
Transition plan
New CIAs also include a requirement for the development and submission to OIG of a transition plan. The transition plan must outline whether and how the provider’s compliance program will continue to include the compliance program requirements contained in the CIA following the end of the CIA’s term.[14] The transition plan must be reviewed and approved by the board of directors and be included in the provider’s penultimate annual report.
Key points
Compliance program expectations for providers continue to increase, and agencies, including OIG and the U.S. Department of Justice, focus on how providers approach compliance. As such, it is advisable for providers to periodically assess compliance program design. As providers undertake that analysis, one consideration is changes to OIG CIA’s template; the updates provide valuable insight into the agency’s real-time thinking on compliance program design and effectiveness issues. Healthcare providers of all types can benefit from understanding these changes to the model language. For example, these changes may impact how providers approach noncompliance job responsibilities for compliance officers and the role of the compliance committee. OIG’s updates also reflect the increasing focus on state Medicaid exclusion list screening efforts. Further, the new CIA model language underscores the significant emphasis on Stark Law and Anti-Kickback Statute arrangements controls—consistent with the enforcement focus in this area.
Takeaways
-
Recent corporate integrity agreements (CIAs) and integrity agreements (IAs) include changes to the Office of Inspector General (OIG) CIA and IA model language.
-
These revisions reflect OIG’s evolving expectations concerning compliance program design and effectiveness for all healthcare providers—not just those subject to integrity agreements.
-
Revisions signal more limited compliance officer noncompliance job responsibilities and an increased focus on the compliance committee’s role in core compliance functions.
-
In addition, OIG emphasizes compliance controls designed to promote compliance with the Stark Law and Anti-Kickback Statute.
-
Further, OIG’s model language changes how CIA-obligated organizations are expected to calculate overpayment refunds for purpose of independent review organization reviews.