While the number of new corporate integrity agreements (CIAs) declined since last year, and was below the trailing five-year average, 2018 was an important year on the policy front for the Office of Inspector General (OIG), U.S. Department of Health and Human Services (HHS). The HHS OIG rolled out a new fraud risk indicator and related transparency initiatives aimed at companies that refuse to enter into CIAs following a civil health care fraud settlement. Entities negotiating CIAs are likely to experience a tougher, less flexible approach from the HHS OIG as it continues to rely on model agreement templates as the starting point in CIA negotiations. If recent history is a guide, companies that violate existing CIAs may face stiff stipulated penalties for such breaches.
While the model CIA approach may provide welcome predictability, the HHS OIG should consider adopting one or more provisions from the Skadden-drafted Model Corporate Integrity Agreement template published last year in Law360. The Skadden Model CIA incorporates modern corporate drafting conventions, maintains core CIA requirements while providing more flexibility to companies in meeting these obligations, and bolsters provisions for risk assessment and oversight.
The Year in Numbers: CIA Statistics
Number of Corporate Integrity Agreements*
The HHS OIG entered into 37 new CIAs and integrity agreements (IAs) in 2018,1 a modest decline from the 46 new agreements in 2017 and the lowest number of new agreements since 2012. As of December 19, 2018, there were 243 open CIAs according to the HHS OIG's website. Of the 38 agreements in 2018, 22 were new CIAs, one was an amendment to a prior CIA and the remainder (14) were IAs. The agency has explained that it does not require CIAs in all situations where one might be appropriate; rather, the HHS OIG focuses its limited CIA negotiating and monitoring resources on entities that pose a significant program integrity concern following a civil health care fraud settlement.2 As in prior years, the clear majority of the IAs were with individual, small group practices, or small providers; none of the IAs were with significant corporate or institutional entities.
After physician practices, the second-highest number of CIAs by sector involved hospitals and health systems. Ambulance providers and nursing home/rehab/long-term care facilities were the next most common, with three CIAs in each sector.
Several large federal civil health care fraud cases were resolved without a CIA. Two settlements involved companies that resolved civil fraud allegations that occurred prior to the companies' acquisitions by large corporations.3 In both instances, the acquirer was operating under a pre-existing CIA. Another significant settlement not resulting in a CIA involved a medical device maker alleged to have sold diagnostic devices that it knew produced erroneous results that adversely affected clinical decision-making but as to which it did not take action until an FDA inspection prompted a nationwide recall.4
Notable CIAs and Trends
DEA Requirements, CCO Reporting Provisions. The AmerisourceBergen Corporation (ABC) CIA appears to be the second open CIA (and only the second CIA to date) to include explicit obligations to incorporate compliance with DEA regulations (i.e., Controlled Substance Act requirements).5 The DEA requirements are extensive and must be incorporated throughout the company's compliance program. It is also notable that the ABC CIA provides for the chief compliance officer to report "directly" to the audit committee of the board of directors and only "administratively" to the chief executive officer.
External Compliance Expert. The CIA with Lincare (a national durable medical equipment provider) includes an infrequently imposed requirement for the board of directors to engage an external compliance expert. The compliance expert must create a work plan for and then conduct a review of the effectiveness of the company's compliance program. The report of the expert must be reviewed by the board of directors as part of the board's compliance program review efforts. The Lincare CIA requires the compliance expert to be engaged for each of the CIA's five reporting periods. While this framework is common in FDA consent decrees, it is less common in CIAs; only one recent CIA requires the engagement of a compliance expert and, even there, only for the first reporting period.6
Other Notable Trends. In 2018, several provisions that had appeared in some but not all recent CIAs appear to have become standard requirements. For example, the majority of 2018 CIAs, and every new 2018 CIA with a large corporate or institutional entity, include a provision that bars the chief compliance officer from having "any responsibilities that involve acting in any capacity as legal counsel or supervising legal counsel functions."7 This formally implements the HHS OIG's long-held view that compliance and legal functions in a health care organization should be completely separate. In addition, CIAs with life sciences companies now routinely require some type of risk assessment and mitigation program (RAMP), which is consistent with the addition of risk assessment as the "eighth" element of an effective compliance program as defined by the U.S. Sentencing Commission.8
OIG Actions for CIA Violations
In 2018, the HHS OIG continued its scrutiny of companies' compliance with CIA obligations and imposed sanctions against five companies.9 Four companies were assessed stipulated penalties that ranged from $15,000 — for failure of the compliance officer to make a quarterly report directly to the company's governing body — to a $132,500 penalty for failure to file reportable events. One company — a prosthetics supplier — was excluded by the HHS OIG for material CIA breach for failure to repay an overpayment identified by its independent review organization in an annual report. The company did not contest the material breach notice or request a hearing, and the exclusion went into effect on September 14, 2018.
New Fraud Risk Indicator is the Major Policy Initiative of 2018
The most significant new HHS OIG policy initiative in 2018 was the agency's publication of a new Fraud Risk Indicator, which explains when it will seek to impose a CIA following a health care fraud settlement and what the agency will do in situations where settling companies refuse to sign an agreement. Most settling companies have agreed to enter into such an agreement in exchange for a release of the HHS OIG's permissive exclusion authority.10 But in some instances, companies have foregone the exclusion authority release and refused to sign a CIA even when the OIG thinks a CIA is appropriate. While it is difficult to generalize, companies have refused to sign CIAs where they believed the underlying conduct giving rise to the settlement did not reflect a systemic breakdown in the company's compliance program, the costs and burdens of a CIA would put the company at a major disadvantage to its competitors, the company believed its compliance program at the time of settlement was sufficient and would be unduly constrained by the inflexibility of a five-year CIA, or some combination of such reasons.
In response to congressional concerns that the HHS OIG was not being tough enough in the imposition of CIAs and had entered into multiple CIAs with the same company over time,11 in September 2018, the HHS OIG announced that it would publish the names of companies that refused to sign CIAs when the HHS OIG thought a CIA was appropriate. HHS OIG explained its policy by stating:
OIG applies published criteria12 to assess future risk and places each party to an FCA settlement into one of five categories on a risk spectrum. OIG uses its exclusion authority differently for parties in each category (as described in the criteria and below). OIG bases its assessment on the information OIG has reviewed in the context of the resolved FCA case and does not reflect a comprehensive review of the party. Because OIG's assessment of the risk posed by a FCA defendant may be relevant to various stakeholders, including patients, family members, and healthcare industry professionals, OIG makes public information about where a FCA defendant falls on the risk spectrum.13
According to HHS OIG, entities that refuse to sign CIAs in such circumstances will be deemed "high risk" and listed publicly on a web page maintained by the OIG.14 Such entities will be subject to increased scrutiny, which can include (depending on the circumstances and the type of company) HHS OIG audits, evaluations, stepped-up investigative activities, or referral to the Centers for Medicare and Medicaid Services for claims review.15
In addition, the HHS OIG is now maintaining on its website a list of companies that had entered into a CIA in the past 10 years and whose CIA is now closed. The HHS OIG states that this list of closed CIAs "may be relevant to patients, family members, health care industry professionals, and other stakeholders," although the OIG's primary audience for this transparency effort is probably Congress, as several members of Congress called on the OIG to publish such a list of prior offenders.
Since the HHS OIG's September 2018 announcement, two entities — ImmediaDent of Indiana, LLC and Samson Dental Partners, LLC — have been added to the list of entities that refused to enter into a CIA and will be subject to heightened scrutiny. According to the U.S. Department of Justice (DOJ), these entities agreed to pay $5.139 million to resolve civil False Claims Act allegations that they improperly billed Indiana’s Medicaid program for dental services.16 The DOJ press release on the settlement noted that "the companies have been determined to continue to be a high risk to the United States health care programs and their beneficiaries," which is consistent with the HHS OIG's listing of these companies. Notably, these entities are subject to the DOJ's statements and HHS OIG's listing even though no court has found them guilty of committing any crime nor of being liable under the FCA or any other federal civil statute.
The HHS OIG's most important policy initiative of 2018 — its new Fraud Risk Indicator and the public identification of companies that have refused to enter into CIAs when the OIG believes a CIA was necessary — continued to attract congressional interest into how the agency uses its exclusion and other enforcement and program integrity authorities. While the pace of new CIAs was down slightly from 2017, the HHS OIG continued to focus on provisions that impose integrity oversight obligations at the highest levels of the company — particularly the board of directors — and on reinforcing the separation of compliance from legal and other functions. Obligations to implement risk assessment processes also have become common in CIAs with life science companies, as reflected by both 2018 CIAs with pharmaceutical companies. As the OIG relies more and more on standard CIA templates, we would encourage the agency to update these templates, as outlined in a Model CIA Skadden drafted last year. The Model CIA incorporates modern corporate drafting conventions, maintains core CIA requirements while providing more flexibility to companies in meeting these obligations, and bolsters provisions for risk assessment and oversight. Given the importance of CIAs to the OIG's program integrity responsibilities, an updated CIA template would further the agency's goals of promoting the development and implementation of effective compliance programs in companies that have resolved federal health care fraud investigations.