Navigating Compliance Under a Corporate Integrity Agreement

Explore a proactive approach for navigating CIAs and working with Independent Review Organizations.

In today’s healthcare regulatory environment, Corporate Integrity Agreements (CIAs) have become one of the most powerful enforcement tools the Office of Inspector General (OIG) uses to address noncompliance. A CIA may originate from a settlement related to a specific organizational misstep or compliance failure. However, its implications extend beyond a single issue, targeting not only executive decision making but also day-to-day operational compliance, particularly in documentation and coding.

The first 120 days following entry into a CIA often determine whether an organization will meet its obligations or struggle under prolonged regulatory scrutiny. The most consequential work occurs immediately, including rapid compliance program remediation, enterprise risk assessment, and operational stabilization.

This article outlines what healthcare organizations need to know about the CIA process, including working with Independent Review Organizations (IROs) and implementing sustainable strategies to help improve coding, documentation, and the overall compliance framework.

What Is the Purpose of a Corporate Integrity Agreement?

A CIA is an agreement, typically for a period of five years, between a healthcare organization and the OIG, designed to correct systemic compliance failures and prevent future violations. CIAs generally stem from negotiated settlements related to alleged fraud or noncompliance with federal healthcare program requirements, often under the False Claims Act. Common areas of noncompliance a CIA may address include billing, physician compensation, and contractual arrangements.

Hospitals, physician groups, skilled nursing facilities, home health agencies, billing companies, and pharmaceutical companies are all examples of organizations that may be subject to CIAs. Each CIA is tailored to the organization and the nature of the allegations, but they share a common objective: to embed compliance into the organization’s culture, operations, and governance.

A CIA requires the organization to build and sustain a comprehensive compliance infrastructure, including written policies and procedures, designated compliance leadership, board‑level oversight, mandatory training programs, ongoing auditing and monitoring activities, and annual reporting to the OIG. Contrary to common assumptions, CIAs do not allow for a prolonged ramp-up period. The OIG expects demonstrable progress almost immediately, which is why the first 120 days are a critical inflection point.

What Is the Role of an IRO in a Corporate Integrity Agreement?

One of the most consequential CIA requirements is the engagement of an IRO. The IRO functions as an objective third party, tasked with evaluating whether the organization is complying with federal program requirements and the terms of the CIA.

During the CIA period, the IRO’s role is far-reaching. It includes assessing organizational policies and procedures, conducting interviews with leadership and operational staff, and comparing documented processes to actual practices. The IRO records instances of misalignment it uncovers and reports compliance findings to the OIG.

Another core component of the IRO’s work is claims testing. Using statistically valid sampling methodologies, IROs review medical records, claims, and remittance data to identify coding, documentation, and billing errors. They then calculate the financial impact, often through extrapolation, and include these findings in their formal reports to the OIG. Organizations subject to a CIA should be aware that even when the agreement originates from allegations unrelated to coding, downstream review of documentation and coding practices may well be pulled into scope.

In many engagements, IROs also perform arrangement reviews to evaluate physician compensation, fair market value, approval workflows, and regulatory compliance related to leased space, equipment, or services.

How Can Healthcare Organizations Take a Strategic Approach to Compliance Under a CIA?

The stakes are high for organizations subject to a CIA. Those that fail to demonstrate progress toward compliance may face additional enforcement actions, penalties, or extension of the CIA, not to mention risk to their reputation with regulators, payors, and patients. Focusing on a few key points can help organizations avoid these negative consequences and successfully navigate the CIA period.

  • Conduct a Proactive Compliance Risk Assessment: A risk assessment should be one of the organization’s top priorities during the first 120 days of the CIA period. Conducting an assessment serves as a defensive tool that helps organizations identify and mitigate compliance issues before they surface as findings in an IRO review or OIG inquiry.
  • Prioritize Execution & Rigor in the First Reporting Period: Once the IRO is engaged and the first reporting period begins, the review process accelerates, with data requests, record reviews, sampling, rebuttals, extrapolation, and reporting all happening under a compressed timeline. Maintaining rigor in responding to requests and meeting deadlines helps establish credibility with the IRO and OIG and sets the stage for the remainder of the CIA.
  • Establish Strong Documentation & Coding Practices: The OIG views claims data as a reflection of how an organization operationalizes compliance. As such, documentation and coding practices are typically subject to scrutiny in a CIA regardless of the nature of the initial allegations. Investing in strong documentation and accurate coding that supports medical necessity and services rendered helps demonstrate the organization’s commitment to developing sustainable compliance practices and fulfilling the expectations of the CIA.

How Forvis Mazars Can Help With Compliance & Corporate Integrity Agreements

Forvis Mazars brings deep, practical experience to support organizations navigating CIAs and in need of an IRO. Our multidisciplinary healthcare compliance professionals understand the urgency, regulatory expectations, and operational complexity that a CIA entails. We work alongside leadership, compliance teams, and operational stakeholders to support early risk assessment, compliance program implementation, IRO readiness, and sustainable remediation. If you have questions or would like assistance, please reach out to our team today.
