2017 was slightly above average for new corporate integrity agreements (CIAs), with 46 entered into by the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) and companies and individuals settling health care fraud investigations. Several of these set forth new controls around key risk areas for particular industry sectors. For example, manufacturers have been struggling to define appropriate parameters for interactions with independent charitable foundations (ICFs), as the government has remained tight-lipped about best practices. Two CIAs provide an up-to-date perspective on the OIG’s scrutiny of company controls and compliance programs in this key risk area.
OIG also revealed a new risk area for the industry by entering into a CIA with a provider of electronic health record software. The CIA involves extensive obligations to comply with the health information technology certification requirements issued by the Office of the National Coordinator for Health Information Technology (ONC) and the engagement of an external software quality oversight program. Software control systems and patient data safety may prove to be a new focus of OIG enforcement.
The OIG also continued its enforcement efforts in connection with pre-existing CIAs. In 2017, the OIG entered into four resolutions related to conduct that was self-disclosed pursuant to the reportable events provisions in the companies’ respective CIAs. Similarly, in two matters, health care providers and their respective practices stipulated to penalties for failure to meet certain CIA requirements.
Consistent with the 2016 trend, a number of Department of Justice (DOJ) settlements did not result in CIAs. The use of CIAs continues to reflect the impact of the OIG’s April 2016 guidance, which states that HHS will not require a CIA to resolve every health care fraud investigation. For example, of the nine settlements involving drug and device makers in 2017, only three resulted in CIAs.
The Year in Numbers: 2017
The number of new CIAs in 2017 is broadly consistent with that of past years, which has varied from a low of 34 in 2012 to a high of 58 in 2015, with an average of 43. Specifically, the number of CIAs entered into each year is as follows:
The CIAs in 2017 spanned the health care industry:1
Presumption of a CIA Following a DOJ Settlement No Longer Applies
Of the nine DOJ settlements involving drug and device makers last year, only three resulted in new CIAs. This reflects the April 2016 guidance2 but is also, in part, because settlements were either with companies already operating under a CIA or with companies that were purchased by one with a CIA. Generally, it appears that the OIG has continued to push for CIAs in cases involving significant losses to the government or widespread compliance problems, settlements involving criminal misconduct, and situations where the OIG has not issued any compliance program guidance and the imposition of a CIA provides guidance to other companies in the sector about potential risk areas and corresponding compliance controls.
In 2017, CIAs provided guidance to companies in key risk areas in the industry. Although CIAs do not bind nonsigning companies, the CIAs themselves provide OIG’s thinking about, and scrutiny of, developing themes in the industry. CIAs can guide companies when establishing policies or compliance programs.
CIAs Involving Pharmaceutical Manufacturer Relationships With Independent Charitable Foundations
Of the three drug and device maker CIAs last year, two resulted in CIA provisions regulating the company’s relationship with ICFs, which provide co-pay assistance to patients. The United Therapeutics CIA, as well as the Aegerion CIA, provides guidance to the industry around a key risk area. While the requirements in the two CIAs differed slightly, the themes were consistent. Manufacturers should establish an independent charity group, wholly outside of the commercial organization, that is solely responsible for donation-related activities. This includes budgeting decisions, assessing ICF requests for additional or supplemental funding, and communicating with ICFs. The CIAs limit the companies’ interactions with ICFs, namely restricting the solicitation or receipt of data to correlate donations with support of company products, prohibiting any attempt to influence the identification or delineation of disease state funds, and prohibiting the collection of information about ICFs in a manner that attempts to exert control over the ICF or its programs. Legal and compliance officers are expected to be heavily involved in establishing the independent charity group’s processes. In contrast, the commercial organization should not be involved in any aspect of ICF relationships.
OIG Ventures Into Compliance Oversight of Health IT Vendors
In 2017, OIG entered into a new enforcement area — electronic health record software — which could prove to be a major risk area for companies. OIG has emphasized, both in public statements and via the 2017 CIA, that it takes electronic health record software certification very seriously. The CIA provides notice to companies of the strict requirements the OIG may put into place should the capabilities of software be misrepresented. The CIA imposes a number of obligations on the company, including retaining an independent software quality oversight organization to assess the software quality control systems and providing reports to OIG regarding the reviews. Additionally, customers may obtain updated versions of software free of charge and will have the option to transfer data to another electronic health record software provider without a penalty. Finally, the vendor must retain an independent review organization to ensure compliance with the Anti-Kickback Statute.
OIG Makes Good on Promise (or Threat) to Enforce CIA Compliance
In 2017, OIG enforced compliance with pre-existing CIA requirements, entering into four resolutions for conduct disclosed as “reportable events” under the companies’ respective CIAs and two settlements involving stipulated penalties.
In three instances, companies disclosed conduct covered under a pre-existing CIA that allegedly violated the Civil Monetary Penalties Law — namely by employing individuals the company knew or should have known were excluded from participation in federal health care programs. Each company agreed to pay a sum under $300,000. In the fourth resolution, Daiichi Sankyo disclosed under a 2015 CIA that two subsidiaries provided improper remuneration to a health care practitioner and her practice in the form of payments and services in connection with a management pilot program. The OIG and the company entered into a $1.24 million settlement agreement to resolve the allegations.
In the two matters involving stipulated penalties, health care providers and their practices admitted to a failure to screen covered persons against the OIG and/or General Services Administration exclusion lists. The violations resulted in a penalty of $12,000 each.
The OIG’s activity in 2017 referenced perhaps the most important recent trend in CIAs: There is no longer a presumption that the OIG will insist on, and health care companies will agree to enter into, a CIA in connection with a health care fraud settlement with DOJ. While most criminal health care fraud resolutions involve a CIA, in the past few years several companies have resolved civil DOJ investigations involving tens of millions of dollars without a CIA. Companies in the midst of DOJ health care fraud investigations should consider this trend early in the development of their defense strategy and avoid acting in a manner that makes a CIA inevitable when resolving the investigation.