Trends in Corporate Integrity Agreements Reflect New HHS OIG Guidance on Use of Exclusion Authority

Skadden, Arps, Slate, Meagher & Flom LLP

John T. Bentivoglio, Jennifer L. Bragg, Maya P. Florence, Michael K. Loucks, Gregory M. Luce, Alexandra M. Gorman

At 40, the number of new corporate integrity agreements (CIAs) in 2016 remained in line with the average in recent years, but some important new trends have emerged. First, a number of Department of Justice (DOJ) health care fraud settlements did not result in new CIAs. This trend reflects the influence of April 2016 guidance from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG), which explained HHS’ new “risk spectrum” analysis for determining how to exercise its permissive exclusion authority, including its decision not to require exclusion or a CIA where the risk of a continuing fraud is low.1 Second, the OIG rolled out its “model” CIA template standardizing many core CIA provisions, some of which are now non-negotiable. Other provisions, including those relating to monitoring and auditing in key risk areas, remain subject to negotiation.

Beyond these general trends, several 2016 CIAs set forth new controls around key risk areas for particular industry sectors. Since many industry guidance documents have not been updated in years, CIAs can provide an up-to-date perspective on the OIG’s priorities and concerns in a particular sector. Companies should stay current on CIA trends as they assess and seek to continuously improve their compliance programs.

Key Takeaways

  • The OIG entered into 40 new CIAs or addenda to existing CIAs — roughly in line with the 43 average for 2012-15.
  • A number of DOJ settlements did not result in CIAs, reflecting the impact of the OIG’s April 2016 guidance, which states that HHS will not require a CIA to resolve every health care fraud investigation. For example, of the 11 DOJ settlements involving drug or device makers in 2016, only three resulted in new CIAs.
  • Without any public announcement or fanfare, the OIG also has begun to use a “model” CIA template. Under its new approach, the OIG considers many core terms and provisions in the model to be nonnegotiable, including requirements relating to the roles, responsibilities and reporting relationships of the board of directors, CEO and senior executives, and chief compliance officer. However, important provisions relating to controls around monitoring, auditing, and budget and needs assessments are negotiable and can be tailored to a company’s particular business model and risk profile.

The Year in Numbers: CIAs in 2016

According to the OIG, 214 CIAs opened in the last five years remained active at the end of 2016, three of which involved amendments or addenda to prior CIAs.2

The number of new CIAs in 2016 is broadly consistent with that of past years, which has varied from a low of 34 in 2012 to a high of 58 in 2015, with an average of 43.3 Specifically, the number of CIAs opened each year is as follows:


The 40 CIAs in 2016 spanned the health care industry and included physician practices and clinics (13), elder and home care (13), hospitals and health care systems (6), medical device manufacturers (3), distributors and suppliers (2), dental practices (2) and pharmacy (1).4 Notably, despite at least four significant DOJ settlements with pharmaceutical makers in 2016, none resulted in a new or amended CIA (though one, with B. Braun Medical, Inc., included CIA-like compliance obligations in a non-prosecution agreement).

Presumption of a CIA Following a DOJ Settlement No Longer Applies

Of the 11 DOJ settlements involving drug or device makers last year, only three resulted in new CIAs. This reflects the April 2016 guidance but is also, in part, because settlements were either with companies already operating under a CIA or with companies that were purchased by one with a CIA. Generally, it appears that the OIG has pushed for CIAs in cases involving significant losses to the government or widespread compliance problems, settlements involving criminal misconduct, and situations where the OIG has not issued any compliance program guidance and the imposition of a CIA provides guidance to other companies in the sector about potential risk areas and corresponding compliance controls.

Model CIA Template Standardizes Core CIA Provisions

Although not publicly announced, in 2016 the OIG began to use a new “model” CIA template. As part of this approach, the OIG has sent letters to companies at the outset of CIA negotiations outlining what provisions it does and does not consider negotiable.

Non-Negotiable CIA Provisions

Recent CIAs with major health care organizations contain standardized language with respect to the obligations and reporting relationships of the board of directors, senior management (including CEO), chief compliance officer and compliance committee. The obligations make clear that the board ultimately is responsible for overseeing the company’s health care compliance program and must enact an annual resolution attesting to the board’s review of the program. All members of the senior management team must sign annual certifications, and the compliance officer must report directly to the CEO and report periodically to the board. The OIG has asserted that these compliance program structure and oversight provisions are non-negotiable.

Other non-negotiable provisions, in the view of the OIG, include the terms of the CIA and obligations relating to ineligible persons, the company’s disclosure program, reportable events, successor liability, and boilerplate provisions on OIG audit and inspection rights, administrative provisions for the independent review organization (IRO) engagement, initial and annual reports, and breach.

Negotiable CIA Provisions

The OIG has expressed a willingness to negotiate other core CIA terms, including the preamble (which often contains important descriptions of a company’s past compliance efforts), certain definitions (though not, apparently, the definition of “covered person”), monitoring and auditing requirements, the scope of the IRO’s engagement, and annual budget and needs assessment processes.

Recent CIAs Address Controls for Medical Device Makers

Particularly in light of the standardization of some CIA terms, the controls implemented around industry-specific risk areas can provide insight for other companies in the sector. For example, the Olympus Corporation of the Americas (OCA) CIA imposes obligations in several areas common to medical device manufacturers. These obligations include a requirement to implement processes and controls around the provision of travel and expense reimbursement by OCA to health care professionals for training and product demonstration purposes. The CIA also includes requirements for the tracking of “Field Assets,” which the CIA defines to include products or equipment that are provided to health care providers on a temporary basis for demonstration or evaluation, product replacement, or trade show demonstration purposes.

In addition, although not among the CIA sections that the OIG considers non-negotiable, several recent medical device CIAs appear to have standardized the list of risks for which some companies — particularly device makers and distributors — must (1) develop policies and training, (2) develop and implement internal tracking and review procedures, and (3) perform periodic risk assessments. Both the Respironics and Byram Healthcare CIAs, for example, require the companies to develop and implement a centralized annual risk assessment and internal review process to identify and address issues arising from any financial relationship with a potential referral source. Both CIAs couple the needs assessment with an obligation to implement a centralized tracking system for all arrangements with such sources. Arrangement tracking systems and database requirements have become relatively common in recent CIAs with a range of health care organizations, including pharmacies and distributors.5 Such tracking systems or databases, while burdensome, can provide much-needed internal visibility to compliance officers and others in risk areas involving large numbers of relationships with potential referral sources (e.g., health care providers engaged as consultants, contractual provisions with distributors or suppliers).


Despite some new trends, the 40 CIAs in 2016 largely reflect a year of continuity. CIAs no longer automatically follow a settlement with DOJ but are imposed in cases of criminal wrongdoing and widespread or serious misconduct; in sectors where the OIG believes it helpful to offer de facto compliance standards in the form of CIA obligations; and in other cases where the OIG deems a CIA to be appropriate. CIAs continue to push reporting and accountability to the highest levels of health care organizations — i.e., boards of directors and senior management. In negotiating CIAs, the OIG is likely to push companies to implement internal review and approval and tracking systems that provide compliance officers and others with more information about and visibility into relationships with potential referral sources posing high risks of improper activity.


1 For additional discussion of the OIG’s updated guidance on its permissive exclusion authority, see our April 21, 2016, client alert “New HHS OIG Criteria to Guide Resolution of Health Care Investigations.”

2 The OIG’s website still lists a number of CIAs opened before 2012, but these CIAs presumably are awaiting close-out letters or otherwise nearing closure. Indeed, the number of pre-2012 CIAs listed decreases on a near-daily basis.

3 The numbers in this client alert vary slightly from the analysis in our February 1, 2016, client alert “Recent Corporate Integrity Agreements Highlight HHS OIG’s Compliance Program Priorities.” We believe the discrepancy is due to the fact that a number of CIAs from 2016 were posted to the OIG website in 2017.

4 Placing each company within a single sector is sometimes more art than science. We generally relied on DOJ press releases and company websites to determine a company’s primary type of business.

5 See, e.g., CVS Health Corp., HHS CIA (Oct. 11, 2016) (§ III.D.1, Focus Arrangements Procedures).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.