November 01, 2021

Health Law Connections

Compliance Corner—Lessons Learned from the Performance of IRO Arrangements Reviews Under Corporate Integrity Agreements

  • Chris Roane, Bennett Thrasher LLP
  • Jeffrey Wilson, Lexington Medical Center

The Corporate Integrity Agreement (CIA) has long been the government’s primary tool for parties that have settled and/or litigated suits related to alleged violations of federal health care laws and regulations including, but not limited to, the False Claims Act, Stark Law, and Anti-Kickback Statute. A CIA mandates a multitude of requirements upon an organization, over a three to five-year period, with the intention of strengthening the organization’s compliance program. It typically emphasizes certain compliance program elements like federal health care program billing or arrangements that could potentially generate concerns related to compliance with federal health care program requirements. The scope of this article is those CIAs that focus on an organization’s arrangements that could potentially generate compliance concerns with federal health care program requirements (Arrangements Review CIAs).

All active CIAs are posted on the U.S. Department of Health and Human Services Office of Inspector General (OIG) website. While the requirements are mandatory for the organizations entering into the CIAs, all organizations can benefit from studying the information contained in CIAs and using the requirements to evaluate and enhance their own compliance programs.

The organization’s compliance with the CIA is overseen by a monitor from OIG. The obligations of an organization’s CIA will vary based on their specific business, but it is the organization that is solely responsible for ensuring compliance with the CIA. Most CIAs have common requirements that are based on OIG’s Seven Fundamental Elements of an Effective Compliance Program: (1) written policies, procedures, and standards of conduct; (2) designation of a compliance officer and compliance committee; (3) conducting effective training and education; (4) developing effective lines of communication; (5) conducting internal monitoring and auditing; (6) enforcing standards through well-publicized disciplinary guidelines; and (7) responding promptly to detected offenses and undertaking corrective action.1 Almost every CIA also requires the engagement of an Independent Review Organization (IRO) to perform periodic reviews (typically annually or quarterly) of certain components of the organization’s compliance program and submit reports with their findings to OIG. All CIAs require robust and well-defined written policies and procedures that are instrumental in adhering to federal laws and regulations.

The scope of the IRO review is based on the laws or regulations that the organization allegedly violated, and the most common IRO reviews focus on the organization’s policies, procedures, systems, and processes relating to arrangements with actual sources of health care business or referrals (Arrangements Reviews) and/or claims submitted to federal or state agencies (e.g., Medicare, Medicaid, Tricare). The IRO reviews also generally require the performance of procedures around actual arrangements entered into with referral sources and/or claims submitted to federal or state agencies. It is essential that the entity and IRO establish a collaborative working relationship to ensure that the entity is continuously improving and evolving its compliance program.

The government’s expectations regarding the design and operation of an effective compliance program have evolved and become more demanding over time. It is no surprise therefore that the requirements of CIAs have also evolved and become more rigorous over the years. In addition to the Seven Elements summarized above, more recent CIAs have also included requirements around the performance of annual compliance risk assessments, annual management certifications to the effectiveness of the organization’s compliance program, annual compliance program effectiveness reviews conducted by a compliance expert, and the adoption of annual resolutions by the organization’s board of directors as to the oversight of the compliance program. Not unexpectedly, the IRO review procedures, which are outlined in CIAs, have also become more robust and specific to the organization and health care sector they operate within.

Arrangements Review CIAs define Focus Arrangements as arrangements between an organization and any actual source or recipient of health care business or referrals and involve, directly or indirectly, the offer, payment, or provision of anything of value.2 An appendix to the standard Arrangements Review CIA describes the review procedures to be performed by the IRO, which are focused on the organization’s Focus Arrangements policies, procedures, systems, and processes, and periodic reviews of a sample of Focus Arrangements that were entered into during a predetermined period of time stipulated in the CIA (typically a year). The IRO’s review also entails reporting requirements to inform the user of the specific review procedures performed, the documentation relied upon, and the results of those procedures.

Included below are key takeaways and lessons learned from the recent performance of Arrangements Reviews.

Contracts Management System & Automated Approval Workflow

It is imperative that organizations invest in a reliable and functional contracts management system that allows users to input and track key information and terms about its contracts, store supporting documentation within the system, and have automated workflows for notifying, reviewing, and approving Focus Arrangements. Arrangements Review requirements in CIAs typically describe this as a Focus Arrangements Tracking System. The system should have capabilities to summarize and report on key terms and details for each arrangement, assign and limit user access, audit user access, establish review and approval workflows and an approval authorization framework, notify key stakeholders of arrangements nearing expiration or renewal, and audit and monitor the organization’s arrangements. Organizations with sophisticated contracts management systems are able to reduce contracting risks by formalizing key contracting, review, and oversight processes, which provides for a more efficient compliance program and reduces administrative burden. There are a multitude of off-the-shelf options available and many companies have successfully developed their own systems. Key stakeholder buy-in around the contracts management system acquisition and implementation is essential in a successful system being effectively utilized in an entity. The ability to search and choose key words and phrases along with a vast array of other pertinent data is instrumental in providing reliable, compliant support to the policies and procedures implemented under the CIA and for years to come after the CIA ends.

Document Retention

A lack of recorded and/or documented evidence is one of the most common observations noted during Arrangements Reviews. And if something isn’t recorded and/or documented, it didn’t happen. Policies, procedures, training, contract approval and signatory authorizations, legally approved contract templates, audit and monitoring protocols, and other important factors relating to the initiation, creation, and execution of Focus Arrangements should be clearly documented and periodically reviewed. Focus Arrangements and the information related to them should be documented and stored, preferably within the contracts management system, including, but not limited to, tracking and identifying individuals who are reviewing, changing, and approving the contract, fair market value analysis and those responsible for reviewing and authorizing the analysis, reasons for entering into the arrangement and the assessment of commercial reasonableness, monitoring criteria, any amendments or addendums to the agreement, and all else that might be required by applicable laws, regulations, or the organization’s Focus Arrangements policies and procedures. It is essential that organizations maintain sufficient documentation to support any decisions made or actions taken, which are at risk of being subject to regulatory or legal scrutiny.

The only documentation relating to a Focus Arrangement that is not typically stored in the contracts management system is support for payments to or receipts from contracting parties (e.g., timesheets, activity logs, payroll reports, check copies). This information is generally managed and maintained by the organization’s Accounting function but the organization should ensure that its policies and procedures address the risks and requirements around remuneration relating to Focus Arrangements. It’s a best practice to regularly audit this information (along with the other aspects of your organization’s Focus Arrangements). Moreover, the Accounting function should be trained on the organization’s Focus Arrangements policies and procedures, which should include approval and reconciliation processes that ensure any payments or receipts are accurate and supported by applicable arrangement(s).

Approvals Prior to Payment

It has always been considered a best practice that Focus Arrangements were fully approved prior to being executed and executed prior to any payment or receipt pursuant to a Focus Arrangement. However, this was not explicitly stated in Arrangements Review CIAs until recently. Arrangements Review CIAs now include language that Focus Arrangements must be subject to the organization’s review and approval processes—which are required to include, at a minimum, legal review by counsel with expertise in the Anti-Kickback Statute and Stark Law, business review by authorized/designated employee, documentation of the business rationale for entering into the arrangement, and documentation of the fair market value of the remuneration specified in the arrangement3—and signed by all parties to the arrangement prior to any payment or receipt of payment pursuant to the Focus Arrangement. The CIA language in this section once again reminds the organization that documentation of the review and approval must be maintained.

Another requirement that was recently added relating to the review and approval of Focus Arrangements is that the organization is now charged with ensuring that all existing Focus Arrangements are also subject to the aforementioned review and approval processes that the organization establishes to comply with the CIA requirements. In effect, any Focus Arrangements that are active as of the time the CIA is entered into by the organization should be reviewed to ensure that the appropriate approvals were obtained, and that documentation has been maintained. This exercise is also important because it gives the organization an opportunity to assess any of its contracts that may include auto-renewal provisions to ensure that these Focus Arrangements are also compliant with the review and approval requirements prior to renewal.

Compliance with the requirements of an organization’s CIA is essential as noncompliance will cost the organization in future fines and sanctions, and possible exclusion from participation in government programs like Medicare and Medicaid. However, the listing of CIAs included on the OIG website4 represents one of the most comprehensive and actionable resources for organizations seeking to establish, maintain, or enhance their compliance policies, procedures, systems, and processes around contracting with actual sources or recipients of health care business or referrals. For this reason, and many others, it is imperative that organizations utilize Arrangements Review CIAs as a tool or gauge to assess the effectiveness of their own compliance programs, as it relates to Focus Arrangements, and stay abreast of developments to Arrangements Review CIA requirements to ensure that their compliance programs are keeping up with the government’s ever-increasing expectations.


Chris Roane is a Director in Bennett Thrasher’s Disputes, Valuation & Forensics practice. He oversees a variety of Independent Review Organization engagements as part of Corporate Integrity Agreements for health systems and other organizations in the health care and life sciences industries. He also assists health care clients with compliance program assessments, litigation support, economic damage analysis, internal investigations, and other forensic matters. He began his career at a Big 4 accounting firm working in their Forensics practice and later moved to Alere Inc., a global health care diagnostic device company, where he performed compliance audits and special investigations for its Internal Audit department. Chris is a Certified Public Accountant (CPA) licensed in Georgia. He also holds certifications in Healthcare Compliance (CHC) and Fraud Examination (CFE). He graduated from the University of Georgia with a Bachelor of Business Administration degree in accounting and then obtained a Master of Professional Accountancy degree from Georgia State University.

Jeffrey (Jeff) S. Wilson joined Lexington Health, Inc. (“Lexington Medical Center”), Columbia, SC in 2016 as Senior Vice President & General Counsel. He has been a licensed attorney for over 19 years with over 16 years of experience as a health care attorney. He has expertise in all aspects of health care law including but not limited to complex case management and litigation, regulatory issues, medical malpractice, medical staff, antitrust, Stark and anti-kickback, electronic medical records, labor and employment, and more. He began his career prior to law in the medical field, where he worked as an emergency medical technician, an orthopedic tech, and a research microbiologist in the areas of immunology and microbial ecology. Mr. Wilson served in the U.S. Marine Corps for four years and was honorably discharged with distinguished honors. He earned his undergraduate degree in microbiology at Michigan State University in East Lansing while completing masters’ level work in microbiology at Michigan State University. He holds a law degree from Michigan State University College of Law in East Lansing.


2 See, e.g., Corporate Integrity Agreement Between the Office of Inspector General of the Department of Health and Human Services and Alliance Parent, Inc., https://oig.hhs.gov/fraud/cia/agreements/Alliance_Parent_Inc_07082021.pdf.

3 Id.
