To a compliance officer, the words “corporate integrity agreement” (CIA) can send a chill up and down the spine. When you look at the true meaning and goal of a CIA though, you can see that its intent is not punitive, but instead a road map to make a healthcare organization more compliant. There is no doubt that it remains one of the most powerful weapons in the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) toolkit to resolve and monitor for compliance.
Purpose and Intent of a CIA
The purpose of a CIA is to improve the quality of healthcare and promote compliance with healthcare regulations; they are not meant to instill punishment, but instead to drive compliant behavior and set minimum standards for which a healthcare provider/entity should be held accountable. An organization wishing to settle a government investigation is not guaranteed the option of a CIA and settlement; rather, it is at the discretion of the OIG whether to agree to such an arrangement.
A CIA is typically entered into in conjunction with a civil settlement between the U.S. government and a healthcare provider/entity arising under the False Claims Act, or when an organization has been found guilty of defrauding the Centers for Medicare & Medicaid Services (CMS) (Medicare, Medicaid, CHIP, TRICARE, etc.) or any other federal healthcare program. The CIA is negotiated as well as monitored through the Office of Counsel to the HHS OIG. The agreements are designed to mirror the federal sentencing guidelines established in 1995 while also reflecting the individual scope and size of the provider and the specific allegations that gave rise to the CIA.
A CIA allows such providers/entities to continue participating in federal healthcare programs. According to the OIG website, the OIG enters into CIAs and integrity agreements (IAs) with healthcare providers and other entities as part of the settlement of federal healthcare program investigations arising under a variety of civil false claims statutes. The breach of a CIA/IA and default provisions allow the OIG to impose certain monetary penalties (referred to as stipulated penalties) for failure to comply with certain obligations outlined in the CIA/IA. In addition, a material breach of the CIA/IA constitutes an independent basis for the provider's exclusion from participation in federal healthcare programs.
Interesting facts about CIAs
The first CIA was executed by the HHS OIG in 1994. Earlier CIAs concentrated more on training and certifying attendance by employees of the OIG. Over the next decade, the OIG began to add "integrity" provisions that required the provider/entity to establish an effective compliance program that mirrored the practices outlined in the federal sentencing guidelines. The guidelines required seven steps to provide a minimum level of compliance. In addition, the OIG added requirements allowing inspection and review of compliance programs, plus requiring annual reporting from the provider/entity to the OIG regarding their CIA compliance efforts.
From 2013-2016, the OIG (according to its website) entered into 329 CIAs/IAs with providers and/or entities:
2012 - 54
2013 - 51
2014 - 87
2015 - 88
2016 - 49
In recent years, the OIG has issued quality-of-care CIAs, particularly related to long-term care companies. These types of CIAs focus on cases for which the provider was alleged to have provided essentially no care or insufficient care, resulting in what the OIG terms “worthless service.”
The OIG has also stipulated penalties for non-compliance, which includes fines/sanctions as well as excluding a provider/entity.
Typical Components of a CIA
A CIA specifically outlines compliance requirements that a provider or entity must implement, follow, and be held accountable for during the term of the CIA. The CIA is in effect for a defined term, typically five years. Although most of the CIAs contain common elements, each is tailored to address certain facts surrounding a case and may incorporate parts of a preexisting compliance program.
A CIA also contains penalties for non-compliance that can be imposed on a per-day basis if the organization fails to comply with the CIA requirements. Certain violations are considered a “material breach” of the CIA, such as failure to engage and use an independent review organization (IRO) and/or repeated violations of CIA obligations.
The core sections of a CIA typically include:
- Term and scope
- Corporate integrity obligations, which outline many important requirements, such as:
- Responsibilities of the compliance officer
- Composition of the compliance committee
- Board responsibilities
- Written standards requirements
- Training requirements
- IRO or quality monitor requirements
- Reporting obligations
- Successor liability: Changes to business units or locations
- Implementation and annual reports
- Notification and submission of reports
- OIG inspection, audit, and review rights
- Document and record retention
- Breach and default provisions
- Effective and binding agreement
The OIG will negotiate specific and relevant sections that are unique to each situation and will make the organization more compliant going forward.
New Provisions in CIAs
- Management Certifications
In previous versions of a CIA, each organization would have to complete an annual report to the OIG that outlines numerous CIA-related activities completed throughout the year. As part of the submission, the chief compliance officer and chief executive or chief financial officer would have to attest/certify to the accuracy of the report.
In the new CIAs, there has been a drastic change in that they now require management certifications. This requirement represents a significant effort, and in my opinion, provides a clear message from the OIG that compliance isn’t just the responsibility of the compliance department. In this new element, it requires management at all levels (such as corporate, area, region, division, and district leaders) to not only certify their commitment to compliance, but to document how they have promoted compliance within their job responsibilities.
- Risk assessment process
In the new model CIA, an organization is required to conduct a thorough risk assessment on an annual basis. This risk assessment is to be shared with the OIG, and if applicable, with the IRO.
If shared with the IRO, the risk areas will typically be used to determine the general focus for the IRO audit later in the year. There are also a variety of changes in recent CIAs that relate to the IRO audit process, error rates, repayment, etc.
This same risk assessment may also be used to develop a training plan under the new CIAs. This is a change from the previously mandated training element, which was based on the “covered conduct” as defined within the settlement between the organization and the OIG. Under the new CIA, the organization has the ability to recommend a training plan to the OIG for its approval. It no longer defines a set number of hours and topics of training.
- Compliance experts
Although a new requirement of a compliance expert has been added, not all CIAs will feature this new element. Such an expert comes in and conducts an initial assessment of the compliance program to set a baseline, and then completes further assessments on either an annual or every-other-year basis. This new requirement helps the OIG gather additional, unbiased information on the status of the compliance program.
The OIG’s position on CIAs
At the recent annual Health Care Compliance Association (HCCA) Compliance Institute, the OIG’s emphasis on the need for exclusion monitoring was highlighted again. In the OIG’s eyes, failure to demonstrate effective monthly exclusion monitoring and the lack of documented and effective compliance programs are hallmarks of organizations that find themselves in the OIG hot seat, or worse. The OIG reiterated the importance of having a formalized process in place to monitor pre-hire operations and continuing employment.
The second element is utilization of the self-disclosure protocol. The OIG has indicated that they believe the use of this protocol by a healthcare organization is evidence of an effective compliance program. If you are operating under a CIA, you will have numerous reporting requirements and methods with which to report to the OIG.
At the recent annual HCCA Compliance Institute, a senior member of the OIG commented that the purpose of a CIA is to protect the integrity of payment of CMS dollars as well as ensure ongoing compliance and oversight of healthcare companies that have reached the OIG radar for alleged fraud-related matters. The OIG reiterated that the goal of a CIA is to help an organization resolve a pending matter and to set in place certain minimum compliance requirements.
The CIA is not put in place just to memorialize the seven elements of an effective compliance plan, without teeth. A positive outcome of a CIA, she stated, “is to teach a provider about self-assessment and good compliance governance.” The speaker referred to this as efficient and effective oversight by the OIG and an IRO.
CIAs are a great resource to compliance officers who are not currently under a government investigation or an impending CIA settlement. A CIA is a roadmap for providers of what the OIG sees as basic requirements of a compliance program.
Take a few minutes every month to check the OIG website to see if any new CIAs may relate to your type of healthcare organization.