Corporate Integrity Agreements (CIAs) are among the most important tools in the U.S. Department of Health and Human Services Office of Inspector General’s (OIG) toolbox for promoting compliance in the health care industry. CIAs impose controls directly on companies or individuals resolving government investigations, ensuring those entities have the integrity to continue receiving reimbursement under federal health care programs. CIAs also promote compliance indirectly by providing nonbinding guidance to other entities in similar industry sectors as to what the OIG considers to be effective in terms of compliance program structure and controls. CIAs provide an up-to-date perspective on the OIG’s priorities and concerns in a particular industry sector. Companies should stay current on CIA trends as they assess and seek to continuously improve their compliance programs.
- As of December 31, 2015, there were 215 open CIAs. The number of CIAs in the past five years has varied from a low of 35 in 2012 to a high of 53 in 2015.
- CIAs in 2015 by industry sector: physician practices (19); hospice/elder care providers (13); pharma/device companies (9); hospitals and health systems (7); and ambulance/transportation companies (3).
- Recent CIAs have continued to include rigorous oversight responsibilities on boards of directors and senior management.
- CIAs provide important guidance as to what the OIG believes to be effective oversight and operational controls for health care organizations and should be reviewed by similarly situated companies as part of a periodic (at least annual) risk assessment process.
CIAs by the Numbers
As of December 31, 2015, there were 215 open CIAs (approximately 20 of which involved amendments or addendums to prior CIAs).1 The number of CIAs in the past five years has varied from a low of 35 in 2012 to a high of 53 in 2015. The average of the past five years is 43.2 The pace of CIAs varies with the number of settlements in a given year and whether the OIG pushes for a CIA in a particular case. OIG officials have noted that the negotiation and monitoring of CIAs is very time intensive, and it is becoming increasingly common for entities to resolve DOJ investigations without entering into a CIA. Recent examples include CR Bard’s $48.2 million settlement in May 2013 and Teva’s $27.6 million settlement in May 2014.3
Reflecting the broad focus of federal health care fraud enforcement efforts, the OIG negotiated CIAs in numerous industry sectors. CIAs with physician practices totaled 19 in 2015, followed by hospice/elder care providers (13); pharma/device companies (9); hospitals and health systems (7); and ambulance/transportation companies (3).
Board and Management Oversight
Recent CIAs have imposed increasingly stringent obligations on boards of directors and executive management, on the theory that it is at these senior levels that the compliance “tone” is set, business decisions are made regarding compliance risk, and resources for compliance programs are allocated. The DaVita Healthcare Partners CIA, for example, requires the board’s compliance committee to hold quarterly meetings (a portion of which shall be in executive session with the compliance officer), regularly review the company’s compliance program, maintain the authority to hire separate compliance counsel for the committee, and enact an annual resolution stating that the committee has conducted reasonable inquiry into the performance of the company’s compliance program and concluded that the company has an effective compliance program.4
An increasingly common CIA provision requires the board of directors to hire an outside compliance expert or adviser to assist the board in overseeing management’s implementation of the compliance program. The Millennium Health CIA contains such a provision, requiring the board to engage an outside expert to conduct an annual review of the effectiveness of the company’s compliance program. The expert must prepare a work plan and annual report (including recommendations, if any), and the board must review the report as part of its oversight obligations. A copy of the expert report must be included in each annual report submitted by the company to the OIG.5
The OIG also has emphasized the importance of accountability of senior management for compliance program effectiveness. The Tuomey Healthcare System CIA, for example, requires the chief executive officer, four additional senior executives, and any other person at the level of vice president or higher to sign a detailed annual certification. Each executive must certify that (1) he or she has “been trained on and understand the compliance requirements and responsibilities [that relate to the areas] under my supervision,” (2) his or her responsibilities include “ensuring that [his or her department or area] remains compliant with all applicable Federal healthcare program requirements,” (3) he or she “has taken steps to promote such compliance,” and (4) to the best of the certifier’s knowledge, and except as specified in writing, “Tuomey is in compliance with all applicable Federal health care program requirements and the obligations in the CIA.” Because the certification states explicitly that it is “being provided to and relied upon by the United States,” knowing false certifications could subject an individual to prosecution for a false statement under 18 U.S.C. §1001.6
Several recent CIAs have imposed special management structures to address the alleged misconduct giving rise to the settlement. In May 2015, PharMerica Corporation agreed to pay the United States $31.5 million to resolve a civil false claims act lawsuit alleging the company submitted claims to Medicare for Schedule II controlled substances that were provided to nursing home patients without a valid prescription. The CIA requires PharMerica to maintain for two years a Controlled Substances Policy Task Force to review, test, update and implement controls measures to ensure compliance with controlled substance laws.7
Several recent CIAs have followed allegations of misconduct by a subsidiary or operating division of a corporate parent. During CIA negotiations, the OIG will closely scrutinize where authority resides within a corporation’s structure to provide the management time and resources to implement an effective compliance program. Where the OIG believes that authority resides within the parent, even if the wrongdoing was confined to an operating division or subsidiary, the OIG has imposed significant oversight responsibilities on the parent’s board of directors and management.8
Incentive Compensation and Financial Clawbacks
The issue of incentive compensation for field sales representatives and executives has been the subject of substantial commentary by government officials, industry officials and lawyers representing companies in DOJ settlements and CIAs. Perhaps the first CIA to impose limits and requirements on such incentives was the GlaxoSmithKline (GSK) CIA in 2012. The first incentive limitation eliminates the tie between sales person compensation and the volume of business generated in a representative’s territory. The second, known colloquially as the “claw-back” and formally as the “executive financial recoupment program,” mandates that GSK establish a program that “puts at risk of forfeiture and recoupment an amount equivalent to up to three years of annual performance pay (i.e., annual bonus, plus long term incentives) for an executive who is discovered to have been involved in any significant misconduct.9” Two years later, similar executive recoupment provisions were incorporated into the Par Pharmaceuticals CIA.10 Although recent pharmaceutical CIAs routinely have required companies to implement policies to ensure that incentive compensation plans do not inappropriately encourage improper behavior, only the GSK and Par CIAs have included executive recoupment requirements. Of course, two instances over two years does not constitute a trend. It remains to be seen whether such requirements will become more common (or even routine) in future CIAs.
CIAs are important both to the companies operating under the CIAs’ obligations as well as to other companies in the same health care sector. They provide important guidance as to what the OIG believes to be effective oversight and operational controls for health care organizations. Companies should review new CIAs with similarly situated companies as part of a periodic (at least annual) risk assessment process.