When a health care entity is faced with permissive exclusion from participation in federal health care programs, the Health and Human Services Office of Inspector General (OIG) has the discretion to offer a Corporate Integrity Agreement (CIA) in lieu of exclusion.  A CIA allows an organization to continue participating in federal health care programs for so long as the terms of the CIA are met. Because exclusion can be financially devastating, most organizations take the CIA option if it is offered and most successfully complete the process.  However, recently are organizations that have surprisingly declined entering into a CIA as part of a civil settlement with the OIG.

This article reviews the history of CIAs and the implications of entering into a CIA.  Finally, there is a summary of recent changes to CIA requirements and as mentioned above, exploring the reasons why an organization would decline a CIA considering the alternative.  

History of Corporate Integrity Agreements

The HHS -OIG was created by Congress in 1976 to fight fraud, waste and abuse in Medicare, Medicaid and other HHS programs through increased program integrity.  (A recent article provides more information about the history of the OIG.)  One way to promote program integrity is to remove problematic providers and entities from participation in (and reimbursement from) these federal health programs.  Exclusion is an administrative remedy that accomplishes this goal.

Exclusion in a Nutshell. The primary impact of exclusion from federal health care programs is that an individual or organization can receive no reimbursement, directly or indirectly, for services rendered or supplies provided to federal health care program recipients. Mandatory exclusion is triggered by felony convictions related to health care fraud, patient abuse/neglect, professional performance and financial integrity. Permissive exclusion is triggered by misdemeanor convictions related to health care services as well as loss or surrender of professional license due to misconduct. 

The first CIA was executed by the OIG for HHA in 1994.  The focus of early CIAs was quite limited, often on compliance training of an organization’s employees. In the following decade, with the development of the Federal Sentencing Guidelines of 1995 (“Guidelines”), the scope broadened to mirror the Guidelines-specific requirements related to establishing an effective compliance program. The Guidelines set forth the seven pillars of compliance that remain foundational to all health care compliance programs to this day.  Over time, CIAs have continued to evolve to require more transparency, leadership accountability, and increased reporting to the OIG.

Meeting the Requirements of a CIA

As stated on the OIG website, the OIG enters into CIAs with health care providers and other entities as part of the civil settlement of Federal health care program investigations arising under a variety of civil false claims statutes.  While the purpose of a CIA is ostensibly to help a health care organization develop or refine its compliance program rather than to punish misdeeds, the work required to comply with the terms of a CIA can be punishing for an organization unprepared to meet the expectations. And the stakes are high – as stated by the OIG, CIAs include breach and default terms which allow the OIG to impose certain monetary penalties (referred to as Stipulated Penalties) for the failure to comply with

certain obligations outlined in the CIA. In addition, a material breach of the CIA constitutes an independent basis for an organization’s exclusion from participation in federal health care programs.

The duration of a comprehensive CIA is generally five years. CIAs are comprised of many common elements so that all organization are held to the same standards but are also customized to address the issues that gave rise to the potential for exclusion.  Common CIA provisions include requirements to:

• Designate a compliance officer/create a compliance committee. Demonstrated engagement and oversight by a compliance committee is critical.  
• Develop written standards and policies. This includes a code of conduct as well as policies that inform staff of federal and state regulatory requirements.
• Implement a comprehensive employee training program so that staff understand their compliance duties consistent with federal and state requirements.  
• Retain an independent review organization (IRO) to conduct annual reviews. A CIA will usually require that an IRO be hired by the health care entity to monitor the efforts of the entity to fulfil the CIA. IROs conduct annual reviews and report their findings to the OIG.
• Establish a confidential disclosure program. An anonymous hotline offers employees, vendors and patient to report potential compliance issues.
• Restrict employment of ineligible persons. This requires that an organization regularly screen its employees, contractors and vendors against federal and state exclusion lists.
• Report overpayments, reportable events, and ongoing investigations/legal proceedings.
• Provide an implementation report and annual reports to OIG on the status of the entity’s compliance activities.

The standard CIA provisions continue to evolve, as indicated by some of the recent changes noted below. From a compliance perspective, these agreements provide valuable information on the OIG’s expectations of a compliance program.  CIAs are publicly available and staying current on the terms and conditions is a worthwhile investment of time to understand changes that might affect a compliance officer’s organization.  

Recent CIA Revisions and Trends  

In the last few years, there have been several significant changes to the OIG’s approach to CIAs:

1. Introduction of the OIG’s Fraud Risk Indicator.
   
   The OIG published a new policy regarding how the agency assesses the level of future risk posed by an organization, and introduced the  Fraud Risk Indicator, The OIG evaluates health care fraud cases on a risk continuum and has published criteria for each category on this spectrum. The OIG assesses the future trustworthiness of the settling parties for purposes of deciding whether to exclude them from the federal health care programs or take other action.
   
   Under this new policy, organizations deemed highest risk are excluded from federal health care programs for a specified duration.  Next are organizations deemed “high risk” and include those that refuse to enter into a CIA.  Deemed “medium risk” are organizations that enter into a CIA. Interestingly, organizations that self-disclose potential fraud and cooperate with OIG are considered low risk because these actions demonstrate the presence of an effective compliance program.
   
2. Management Certifications.
   
   Historically, certification of an organization’s CIA annual report to the OIG was required from an organization’s compliance officer and CEO or CFO. When the OIG determined that senior leaders were shifting organizational compliance accountability to compliance officers, management certifications were introduced. These certifications are statements signed by operational leaders taking responsibility for compliance with federal health care requirements and the CIA in the areas they supervise and must also include documentation how they promote compliance within their areas. This change drives home the message that compliance is not owned by one department but is the responsibility of all. 
   
   This certification also extends to members of an organization’s board of directors.  For each reporting period of the CIA, each board member must personally sign a resolution attesting that the board believes, to the best of its knowledge, that the company has implemented an effective compliance program and followed federal law and requirements, as well as the obligations of the CIA. Under the CIA, there are stipulated penalties for false certification.  The OIG, in conjunction with the American Health Lawyers Association (AHLA) published guidance for health care boards to understand their responsibility to meet compliance requirements.
   
3. Annual Risk Assessment.
   
   Annual risk assessments are a regular element of many compliance programs. Recently, annual risk assessments have been included as a new standard element in CIAs. When conducted under the terms of a CIA, the risk assessment results can drive both an organization’s IRO audit plan as well as customized training programs. Historically, a CIA would mandate a specific number of hours of training required by workforce and leadership based on the conduct at issue in the CIA. By using the results of a risk assessment, training recommendations can be made to the OIG that tailor both training focus and duration to mitigate the risk identified.
   
4. Compliance Experts.
   
   A recent trend in CIAs is the requirement that a board engage an external compliance expert to review their organization’s compliance program.  An independent evaluation by a third party provides a baseline assessment that serves two purposes: first, it sets a baseline against which progress can be measured both by the organization and the OIG; and second, an organization can focus its remediation efforts in areas which need the most attention.

Declining the Offer of a Corporate Integrity Agreement

Recently, several organizations have declined to enter into a CIA offered by the OIG. The reasons range from a fundamental difference of opinion on the state of an organization’s compliance program and the cost to an organization to meet the terms of a CIA both in terms of competitive advantage and financial outlay. Per the OIG website, organizations that refuse to sign a CIA fall into the “High Risk” category, and are subject to heightened scrutiny because they pose a significant risk to Federal healthcare programs and beneficiaries.  These organizations chose instead to pay the fines imposed and be placed on a public list of high-risk organizations. Heightened scrutiny can subject an organization to increased audits by the OIG, claims review by CMS and investigations by the OIG when allegations are made.

Conclusion

Often, organizations that find themselves on the receiving end of OIG sanctions and CIAs do not set out to intentionally make bad choices. Instead, they fail to have mechanisms and compliance resources in place to identify and actively address risky practices or fail to create business processes to reduce risk. Compliance in many cases is a secondary priority. Therefore, being on a CIA or under potential exclusion is highly avoidable if compliance is well-resourced, at the leadership table, and has access to the board.

Fulfilling the requirements of a CIA requires full engagement at the leadership and operational levels. An organization must face and address its deficiencies in a very public forum. While the intent of the OIG is not to penalize but to instead support an organization’s development of a compliance program, the process is long and expensive. The alternative is arguably worse – exclusion and penalties, and if an organization fails to meet the terms of a CIA, exclusion and stipulated penalties await. As noted by recent OIG comments, screening against the federal exclusion lists and reviewing OIG search results remains an important demonstration of a high functioning compliance program. Streamline Verify can assist organizations with this requirement so that they can focus on other elements of their compliance program.