Everything You Need to Know About Corporate Integrity Agreements

Complying with the federal False Claims Act is serious business. Abiding by this law, which imposes liability on persons and companies who defraud government programs, helps avoid patient harm, reputational damage, and monetary penalties.

It’s the reason why you ensure employees can instantly report issues, for example. It’s why your coders and billers are trained on revenue integrity, and why your clinicians commit to providing and billing for only medically necessary services. 

Sometimes, though, providers or staff make mistakes, some of which could result in a civil settlement with the U.S. government. 

As part of that settlement, healthcare organizations may have the option to enter what’s called a corporate integrity agreement (CIA) with the Office of Inspector General (OIG) so they can continue to participate in federal healthcare programs, including Medicare, Medicaid, and others.

Compliance, risk management, and CIAs

It’s not surprising that healthcare organizations struggle with compliance. Rules and regulations change constantly. In 2021, the OIG entered into 30 new CIAs, the majority of which were with physicians and small healthcare organizations. Other entities entering CIAs included drug or device makers, testing companies, hospitals and health systems, laboratories, nursing homes, rehab facilities, long-term care facilities, pharmacies, pharmacists, and others. To avoid CIAs, healthcare organizations actively monitor and remediate compliance risk—and must be nimble in their responses to avoid OIG scrutiny.

We address frequently asked questions about CIAs and offer tips for healthcare organizations that may be entering one for a claims review or other matters. 

What is a corporate integrity agreement (CIA)?

A CIA is a document that specifies all of a healthcare organization’s obligations under a civil settlement for violating the False Claims Act. It serves as a binding contract between the healthcare organization and the OIG.  

A CIA sends this important message to a healthcare provider organization: Your compliance efforts require immediate attention because your compliance program isn’t working as intended. The takeaway? You’re about to embark on a years-long journey with the government to fix it. 

What is a certification of compliance agreement (CCA)?

A CCA is similar to a CIA; however, it’s shorter in duration and generally less onerous on the healthcare provider/provider organization. Typically, a CIA is an option only for those healthcare organizations that enter into a civil settlement with the OIG but already have an effective compliance program in place. 

What is the purpose of a CIA?

The purpose of a CIA is to improve the quality of healthcare provided. CIAs are not meant to punish healthcare providers or healthcare organizations. Instead, the goal is to drive compliant behavior and set minimum compliance standards. 

What is the normal duration of a CIA?

A comprehensive CIA usually lasts about five years.

Will every healthcare organization have the option to enter a CIA?

In short, not every provider or organization will have the option to enter a corporate integrity agreement. The OIG determines case by case whether it will permit a CIA. As part of this determination, the office asks questions such as: 

  • Did the healthcare provider self disclose the wrongdoing? 
  • What is the amount of loss to the Medicare or Medicaid trust fund as a result of the healthcare provider’s wrongdoing? 
  • Is the healthcare provider likely to repeat the unlawful conduct? 

What are key features of a CIA?

Each CIA is tailored to the specific healthcare organization and underlying issues associated with the civil settlement. However, CIAs have many common elements. For example:

  • CIAs often require healthcare provider organizations to hire a compliance officer and/or appointment a compliance committee 
  • They require the development of written standards and policies
  • They demand the creation of a comprehensive employee training program to ensure that the healthcare organization provides educational content to address the alleged misconduct 
  • Most CIAs also require healthcare providers/provider organizations to retain an independent review organization (IRO) to conduct annual reviews and monitor the areas the OIG has identified in the civil settlement 

In addition, healthcare providers must establish a confidential disclosure program, restrict employment of ineligible persons, notify the OIG of any overpayments and repay those amounts, and submit a variety of reports to the OIG regarding the status of the healthcare organization’s compliance program and compliance activities. 

What are reportable events under a CIA?

Overpayments are important reportable events under a CIA. Healthcare providers in a CIA must develop and implement written policies and procedures to ensure they can identify, quantify, and promptly repay any overpayments. Further, healthcare organizations must notify the OIG of any substantial overpayments within 30 days. They also have 30 days to report potential violations of criminal, civil, or administrative laws applicable to any federal healthcare program for which penalties or exclusion may be authorized. 

 The same is true for employment of or contracting with an ineligible person, and for the filing of a bankruptcy petition. These requirements are in place regardless of whether the reportable event happens only once or multiple times.

What is an independent review organization (IRO) and what role does it play?

An IRO is an entity—often an accounting firm, law firm, or consultant—that a healthcare organization hires pursuant to a CIA mandate. The IRO must be qualified and experienced in the scope of work defined under the CIA. In addition an IRO must also meet the General Accepted Government Audit Standards of the General Accountability Office for independence and objectivity. Although the OIG doesn’t recommend or approve specific IROs, it may request a healthcare organization to retain a new one if it has concerns about the quality of the review or the IRO’s qualifications.

The IRO plays an important role because it identifies areas for improvement and provides compliance guidance. To do this, the IRO assigns Medicare and Medicaid experts to select and review claims. For example, this might mean bringing in coders with nationally recognized coding certification and/or licensed nurses or physicians with relevant education, training, and specialized experience. The IRO supplies the necessary professionals. 

Does a CIA ever terminate early?

The OIG doesn’t usually terminate a CIA early. Successful completion of the requirements is an expectation—not a basis for early termination. The only exception is when a healthcare organization stops participating in the federal healthcare programs or ceases its operations altogether. This could occur as a result of a closure, sale, or bankruptcy, for example.

What are consequences of a CIA violation or failing to comply with a CIA?

Failing to comply with a CIA may result in exclusion from federal healthcare programs. This would be a significant blow to nearly any hospital: 34% of the average payer mix for hospitals in 2022 is from Medicare and Medicaid.  

Healthcare providers could also face monetary penalties on a per-day basis for their failure to comply. The good news is that the OIG may grant an extension to healthcare organizations that fail to comply. However, healthcare providers must apply for this extension at least five days prior to the deadline specified in the CIA and are required to explain the reason why they can’t meet the deadline. 

What do healthcare organizations need to know about OIG site visits?

OIG site visits may be part of a CIA. The visits are intended to gauge whether the healthcare provider or healthcare organization is complying with the terms of the CIA. They give the OIG a chance to observe employees and offer education. Any healthcare provider currently under a CIA is potentially subject to a site visit. However, not all healthcare organizations will receive one. The OIG decides whether it will perform a site visit based on a variety of factors such as: 

  • Whether the healthcare provider has had trouble complying with the CIA
  • Whether it has high claims review error rates
  • The size of its operation
  • The degree to which it’s cooperating with OIG requests for information

During an OIG site visit, an attorney and/or program analyst from the OIG visits the healthcare organization for one to three days. Healthcare organizations don’t need to prepare extensively for these visits. However, employees should be reasonably available for discussions or to answer questions. The healthcare organization’s compliance officer and often another member of senior management typically accompany OIG representatives during the visit. 

What does the OIG site visit actually entail? 

It could include things like a presentation about the healthcare organization’s corporate structure and compliance program efforts, a tour of the facility, a review of the important documents (e.g., the disclosure log, training documentation, and ineligible persons screening results), employee interviews, and a discussion of the healthcare organization’s annual report as well as its reportable events and corrective actions.

Are there other important aspects of a CIA that healthcare organizations must understand?

Yes. There are other requirements related to successor liability. More specifically, if a healthcare organization in a CIA decides to sell any of its business, the CIA will be in effect on the purchaser of the business unless the OIG decides otherwise. There are also additional requirements related to CIA claims reviews and much more. The OIG’s website provides an extensive list of FAQs to help healthcare organizations navigate this complex topic. 

What are some CIA examples?

Healthcare organizations can view all recent CIA updates on the OIG’s website. This site provides a complete CIA list organized alphabetically by healthcare provider. The most recent examples of CIAs? 

  • A clinical lab entered a five-year CIA to resolve allegations it submitted false claims for payment to Medicare for medically unnecessary urine drug testing. 
  • A primary care doctor entered a three-year CIA to resolve allegations he billed for excessive ultrasounds. 

What can healthcare organizations do to avoid a CIA?

The most effective strategy to avoid a CIA is to focus on coding and billing compliance. Perform internal and external audits and develop a compliance plan. The annual OIG Work Plan is a great place to start because it highlights common errors and areas of vulnerability. Being able to securely track and manage compliance issues, conduct risk assessments, and ensure the proper and timely handling of audits is critical, and healthcare technology can help.

 CIAs play an important role in helping the OIG resolve allegations of fraud and settle a False Claims Act case without having to exclude a healthcare provider from federal healthcare programs. CIAs aren’t meant to be punitive and can actually be a helpful resource for healthcare organizations striving to improve their compliance program.

Ensure that your healthcare organization can confidently manage risk and drive healthcare compliance by contacting symplr today.   

Let's Get Started


Request a Demo