On August 22, 2016, the Department of Health and Human Services Office of the Inspector General ("OIG") released additional guidance ("IRO Guidance") on relevant principles that should be used to assess the independence of Independent Review Organizations ("IROs") performing reviews required as a condition of Corporate Integrity Agreements ("CIAs"). This most recent update reflects the Government Accounting Office's ("GAO's") 2011 revisions to its auditing standards.
OIG enters into CIAs with health care entities and providers as part of settlements of federal health care program investigations for civil false claims. In exchange for avoiding exclusion from federal health care programs, OIG monitors the settling entities under the terms of CIAs. CIAs require the health care entities to engage an independent IRO to review the entity's compliance with the terms of the CIA throughout the term of the agreement. Each IRO must furnish a certification that it has evaluated its independence and concluded that it is independent and objective. OIG has the authority to reject a provider's choice of IRO if it determines that it is not independent or qualified.
OIG first published guidance on IROs in 2004 as a response to increased inquiries regarding the Sarbanes-Oxley Act and a focus on auditor independence. The GAO updated its auditing standards (referred to as the "Yellow Book") in 2007, and OIG then updated its IRO Guidance in 2010 to reflect these GAO standards.
The GAO updated the Yellow Book again in 2011; thus, OIG has released its most recent IRO Guidance according to these new standards. The IRO Guidance summarizes standards of objectivity, independence and professional judgment and competence. The IRO Guidance also provides several examples of nonaudit services that would and would not impair an IRO's independence.
Objectivity. The Yellow Book has previously stated that objectivity includes "independence of mind and appearance when providing audits." The updated IRO Guidance adds that impairments in independence can also impact objectivity.
Independence. The updated IRO Guidance describes independence as: "(1) independence of mind; and (2) independence in appearance." Further, the additional guidance defines "threats to independence" as circumstances that could impair independence, which could vary with the nature and significance of the threat and the safeguards applied to eliminate or reduce the threat. Two specific threats to independence identified by the Yellow Book are self-review and management participation. The "self-review threat" occurs when an auditor has previously provided nonaudit services to the entity. In such cases, the independence of the auditor's judgment could be impaired by the results of its own prior judgments or services. The "management participation threat" refers to the potential that the independence of an auditor's judgment could be impaired when the auditor takes on the role of management or performs a management function on behalf of the entity. An auditor that participates in leading and directing an entity, including making decisions about the acquisition, deployment and control of human, financial, physical and intangible resources would not meet OIG's standard of independence or objectivity.
OIG provides examples of previous nonaudit services that likely would or would not impair an auditor's independence.
- Nonaudit Services that Likely Would Not Impair the IRO's Independence and Objectivity. OIG did not update the list of services not likely to impair independence and objectivity from the 2010 IRO Guidance. These services continue to include general compliance training, routine tasks relating to the provider's confidential disclosure program, ineligible persons screening and evaluation of the existing compliance program, along with other services.
- Nonaudit Services that Likely Would Impair the IRO's Independence and Objectivity. Many of the services in this category were updated for the 2016 IRO Guidance. Examples of services likely to impair the IRO's independence and objectivity include: a provider uses a billing system or coding software developed or designed by the IRO the IRO personnel furnishes specific training addressing the subject matter of the CIA review; the IRO develops the entity's policies, procedures or internal control systems; the IRO participates in decision-making regarding the confidential disclosure program; the IRO performs an assessment of the health care entity's internal controls for specific CIA risk areas; the provider outsources its internal audit function to the IRO; or the IRO is engaged to provide consulting services to the provider during the term of the CIA on a CIA-related matter.
Professional Judgment and Competence. The professional judgement and competence guidance was added for the 2016 IRO Guidance and is based on the 2011 Yellow Book revisions. The Yellow Book provides that auditors should be using professional judgement. OIG further outlines that professional judgement should be used in: following independence standards; maintaining objectivity and credibility; assigning competent staff to the audit; defining the scope of work; evaluating, documenting and reporting results of the work; and maintaining quality control over the audit process.
Health care entities and providers engaged in CIA settlements with OIG should take note of this new IRO Guidance in order to comply with the terms of CIAs. Providers should ensure that any IROs engaged to provide CIA services meet the standards of objectivity, independence and professional judgment and competence outlined in the IRO Guidance. In addition, providers should be sure that any IROs they engage are technically qualified to perform the needed monitoring. IROs play a crucial role in establishing compliance with CIA terms, so selecting an IRO is an important task.