HHS OIG Closes 2018 With New Fraud Risk Indicator for Corporate Integrity Agreements

Skadden, Arps, Slate, Meagher & Flom LLP

Avia M. Dunn, Maya P. Florence

While the number of new corporate integrity agreements (CIAs) declined since last year, and was below the trailing five-year average, 2018 was an important year on the policy front for the Office of Inspector General (OIG), U.S. Department of Health and Human Services (HHS). The HHS OIG rolled out a new fraud risk indicator and related transparency initiatives aimed at companies that refuse to enter into CIAs following a civil health care fraud settlement. Entities negotiating CIAs are likely to experience a tougher, less flexible approach from the HHS OIG as it continues to rely on model agreement templates as the starting point in CIA negotiations. If recent history is a guide, companies that violate existing CIAs may face stiff stipulated penalties for such breaches.

While the model CIA approach may provide welcome predictability, the HHS OIG should consider adopting one or more provisions from the Skadden-drafted Model Corporate Integrity Agreement template published last year in Law360. The Skadden Model CIA incorporates modern corporate drafting conventions, maintains core CIA requirements while providing more flexibility to companies in meeting these obligations, and bolsters provisions for risk assessment and oversight.

Key Takeaways

  • The number of new and amended CIAs and integrity agreements dropped to 38 in 2018, down from 40 in 2017 and below the five-year average from
  • There were 243 open CIAs as of December 19, 2018.
  • CIAs in 2018 continued to include detailed obligations on boards of directors and executive management to oversee compliance programs — and to certify to their efforts in doing so. CIAs also reinforced the separation of compliance from legal and other functions.
  • One CIA incorporated DEA (i.e., Controlled Substances Act) requirements into the company's compliance program, and similar (or more burdensome) obligations are likely to be included in future CIAs with controlled substances manufacturers or distributors.
  • The HHS OIG's new Fraud Risk Indicator — and public identification of companies that refuse to enter into CIAs — is a major policy development, which raises questions as to fairness and due process as it does not involve a court determination of unlawful conduct.

The Year in Numbers: CIA Statistics

Number of Corporate Integrity Agreements*

The HHS OIG entered into 37 new CIAs and integrity agreements (IAs) in 2018,1 a modest decline from the 46 new agreements in 2017 and the lowest number of new agreements since 2012. As of December 19, 2018, there were 243 open CIAs according to the HHS OIG's website. Of the 38 agreements in 2018, 22 were new CIAs, one was an amendment to a prior CIA and the remainder (14) were IAs. The agency has explained that it does not require CIAs in all situations where one might be appropriate; rather, the HHS OIG focuses its limited CIA negotiating and monitoring resources on entities that pose a significant program integrity concern following a civil health care fraud settlement.2 As in prior years, the clear majority of the IAs were with individual, small group practices, or small providers; none of the IAs were with significant corporate or institutional entities.

Sector Breakdown

[Figure: Sector Breakdown graph]

After physician practices, the second-highest number of CIAs by sector involved hospitals and health systems. Ambulance providers and nursing home/rehab/long-term care facilities were the next most common, with three CIAs in each sector.

Several large federal civil health care fraud cases were resolved without a CIA. Two settlements involved companies that resolved civil fraud allegations that occurred prior to the companies' acquisitions by large corporations.3 In both instances, the acquirer was operating under a pre-existing CIA. Another significant settlement not resulting in a CIA involved a medical device maker alleged to have sold diagnostic devices that it knew produced erroneous results that adversely affected clinical decision-making but as to which it did not take action until an FDA inspection prompted a nationwide recall.4

Notable CIAs and Trends

DEA Requirements, CCO Reporting Provisions. The AmerisourceBergen Corporation (ABC) CIA appears to be the second open CIA (and only the second CIA to date) to include explicit obligations to incorporate compliance with DEA regulations (i.e., Controlled Substances Act requirements).5 The DEA requirements are extensive and must be incorporated throughout the company's compliance program. It is also notable that the ABC CIA provides for the chief compliance officer to report "directly" to the audit committee of the board of directors and only "administratively" to the chief executive officer.

External Compliance Expert. The CIA with Lincare (a national durable medical equipment provider) includes an infrequently imposed requirement for the board of directors to engage an external compliance expert. The compliance expert must create a work plan for and then conduct a review of the effectiveness of the company's compliance program. The report of the expert must be reviewed by the board of directors as part of the board's compliance program review efforts. The Lincare CIA requires the compliance expert to be engaged for each of the CIA's five reporting periods. While this framework is common in FDA consent decrees, it is less common in CIAs; only one recent CIA requires the engagement of a compliance expert and, even there, only for the first reporting period.6

Other Notable Trends. In 2018, several provisions that had appeared in some but not all recent CIAs appear to have become standard requirements. For example, the majority of 2018 CIAs, and every new 2018 CIA with a large corporate or institutional entity, include a provision that bars the chief compliance officer from having "any responsibilities that involve acting in any capacity as legal counsel or supervising legal counsel functions."7 This formally implements the HHS OIG's long-held view that compliance and legal functions in a health care organization should be completely separate. In addition, CIAs with life sciences companies now routinely require some type of risk assessment and mitigation program (RAMP), which is consistent with the addition of risk assessment as the "eighth" element of an effective compliance program as defined by the U.S. Sentencing Commission.8

OIG Actions for CIA Violations

In 2018, the HHS OIG continued its scrutiny of companies' compliance with CIA obligations and imposed sanctions against five companies.9 Four companies were assessed stipulated penalties that ranged from $15,000 — for failure of the compliance officer to make a quarterly report directly to the company's governing body — to a $132,500 penalty for failure to file reportable events. One company — a prosthetics supplier — was excluded by the HHS OIG for material CIA breach for failure to repay an overpayment identified by its independent review organization in an annual report. The company did not contest the material breach notice or request a hearing, and the exclusion went into effect on September 14, 2018.

New Fraud Risk Indicator is the Major Policy Initiative of 2018

The most significant new HHS OIG policy initiative in 2018 was the agency's publication of a new Fraud Risk Indicator, which explains when it will seek to impose a CIA following a health care fraud settlement and what the agency will do in situations where settling companies refuse to sign an agreement. Most settling companies have agreed to enter into such an agreement in exchange for a release of the HHS OIG's permissive exclusion authority.10 But in some instances, companies have forgone the exclusion authority release and refused to sign a CIA even when the OIG thinks a CIA is appropriate. While it is difficult to generalize, companies have refused to sign CIAs where they believed the underlying conduct giving rise to the settlement did not reflect a systemic breakdown in the company's compliance program, the costs and burdens of a CIA would put the company at a major disadvantage to its competitors, the company believed its compliance program at the time of settlement was sufficient and would be unduly constrained by the inflexibility of a five-year CIA, or some combination of such reasons.

In response to congressional concerns that the HHS OIG was not being tough enough in the imposition of CIAs and had entered into multiple CIAs with the same company over time,11 in September 2018, the HHS OIG announced that it would publish the names of companies that refused to sign CIAs when the HHS OIG thought a CIA was appropriate. HHS OIG explained its policy by stating:

OIG applies published criteria12 to assess future risk and places each party to an FCA settlement into one of five categories on a risk spectrum. OIG uses its exclusion authority differently for parties in each category (as described in the criteria and below). OIG bases its assessment on the information OIG has reviewed in the context of the resolved FCA case and does not reflect a comprehensive review of the party. Because OIG's assessment of the risk posed by a FCA defendant may be relevant to various stakeholders, including patients, family members, and healthcare industry professionals, OIG makes public information about where a FCA defendant falls on the risk spectrum.13

According to HHS OIG, entities that refuse to sign CIAs in such circumstances will be deemed "high risk" and listed publicly on a web page maintained by the OIG.14 Such entities will be subject to increased scrutiny, which can include (depending on the circumstances and the type of company) HHS OIG audits, evaluations, stepped-up investigative activities, or referral to the Centers for Medicare and Medicaid Services for claims review.15

In addition, the HHS OIG is now maintaining on its website a list of companies that had entered into a CIA in the past 10 years and whose CIA is now closed. The HHS OIG states that this list of closed CIAs "may be relevant to patients, family members, health care industry professionals, and other stakeholders," although the OIG's primary audience for this transparency effort is probably Congress, as several members of Congress called on the OIG to publish such a list of prior offenders.

Since the HHS OIG's September 2018 announcement, two entities — ImmediaDent of Indiana, LLC and Samson Dental Partners, LLC — have been added to the list of entities that refused to enter into a CIA and will be subject to heightened scrutiny. According to the U.S. Department of Justice (DOJ), these entities agreed to pay $5.139 million to resolve civil False Claims Act allegations that they improperly billed Indiana’s Medicaid program for dental services.16 The DOJ press release on the settlement noted that "the companies have been determined to continue to be a high risk to the United States health care programs and their beneficiaries," which is consistent with the HHS OIG's listing of these companies. Notably, these entities are subject to the DOJ's statements and HHS OIG's listing even though no court has found them guilty of committing any crime nor of being liable under the FCA or any other federal civil statute.


The HHS OIG's most important policy initiative of 2018 — its new Fraud Risk Indicator and the public identification of companies that have refused to enter into CIAs when the OIG believes a CIA was necessary — continued to attract congressional interest into how the agency uses its exclusion and other enforcement and program integrity authorities. While the pace of new CIAs was down slightly from 2017, the HHS OIG continued to focus on provisions that impose integrity oversight obligations at the highest levels of the company — particularly the board of directors — and on reinforcing the separation of compliance from legal and other functions. Obligations to implement risk assessment processes also have become common in CIAs with life science companies, as reflected by both 2018 CIAs with pharmaceutical companies. As the OIG relies more and more on standard CIA templates, we would encourage the agency to update these templates, as outlined in a Model CIA Skadden drafted last year. The Model CIA incorporates modern corporate drafting conventions, maintains core CIA requirements while providing more flexibility to companies in meeting these obligations, and bolsters provisions for risk assessment and oversight. Given the importance of CIAs to the OIG's program integrity responsibilities, an updated CIA template would further the agency's goals of promoting the development and implementation of effective compliance programs in companies that have resolved federal health care fraud investigations.


1 Unless otherwise noted, the term Corporate Integrity Agreement or CIA refers to both Corporate Integrity Agreements and Integrity Agreements.

2 GAO, GAO-18-322, Department of Health and Human Services Office of Inspector General’s Use of Agreements to Protect the Integrity of Federal Health Care Programs 10 (Apr. 2018), available here (hereinafter GAO Report).

3 See Press Release, Department of Justice, “Drug Maker Actelion Agrees to Pay $360 Million to Resolve False Claims Act Liability for Paying Kickbacks” (Dec. 6, 2018) (Actelion was acquired by another manufacturer in June 2017 and the acquirer had an open CIA at the time of the Actelion settlement), available here; Press Release, Department of Justice, “Medicare Advantage Provider to Pay $270 Million To Settle False Claims Act Liabilities” (Oct. 1, 2018) ("DaVita voluntarily disclosed to the government various practices that were instituted by HealthCare Partners, a large California-based independent physician association that DaVita acquired in 2012") (DaVita is operating under a previous CIA entered into on October 22, 2014), available here.

4 Press Release, Department of Justice, “Alere to Pay U.S. $33.2 Million to Settle False Claims Act Allegations Relating to Unreliable Diagnostic Testing Devices” (Mar. 23, 2018), available here.

5 The PharMerica CIA is the only other open CIA that incorporates Controlled Substances Act requirements (and appears to be the first CIA to do so). The PharMerica CIA requires the company to, inter alia, implement policies and procedures designed to ensure compliance with the CSA and establish a controlled substances policy task force. It also requires the board to summarize its review and oversight of compliance with CSA requirements. See PharMerica Corp., HHS CIA (May 11, 2015).

6 United Therapeutics Corp., HHS CIA (Dec. 18, 2017) (§ III.A.3.d, Board of Directors Compliance Obligations).

7 See, e.g., Signature Healthcare, LLC, HHS CIA (May 25, 2018) (§III.A.1, Compliance Officer). The same language is included in all CIAs in 2018.

8 See, e.g., Aegerion Pharmaceuticals, Inc., HHS CIA (Sept. 22, 2017) (§ III.D, Risk Assessment and Mitigation Process); AmerisourceBergen Corp., HHS CIA (Sept. 28, 2018) (§ III.D, Risk Assessment and Internal Review Process).

9 According to the GAO, for agreements entered into from July 2005 through July 2017, the HHS OIG issued 41 letters demanding stipulated penalties and collected approximately $5.4 million in such penalties. Penalty amounts demanded ranged from $1,000 to $3 million with a median of $18,000. GAO Report at 24-25.

10 In limited circumstances, the OIG will provide a permissive exclusion release without a corresponding CIA, such as when the entity self-discloses the conduct at issue or where the entity agrees to integrity obligations with the U.S. Department of Justice or a state law enforcement or oversight agency. See GAO Report at 7.

11 See Letter from Senators McCaskill and Wyden to Daniel Levinson, HHS Inspector General (May 10, 2018), available here; Letter from Daniel Levinson, HHS Inspector General, to Sens. McCaskill and Wyden (Sept. 27, 2018), available here.

12 "Criteria for Implementing Section 1128(b)(7) Exclusion Authority," HHS OIG (Apr. 18, 2016), available here.

13 https://oig.hhs.gov/compliance/corporate-integrity-agreements/risk.asp.

14 The publication of such a list raises serious questions of fairness and due process. By definition, entities on the list will have settled civil health care fraud settlements with the U.S. Department of Justice, which generally do not include any admission of liability by the settling entity and where no court has found the entity guilty of a crime or liable under any civil law. The HHS OIG has made no provision for a process by which companies can challenge their listing, although presumably companies can issue a press release or other external communication that explains their side of the story. It is not clear how such an unresolved situation of "did so, did not" will benefit "patients, family members, health care industry professionals, and other stakeholders" as the agency has suggested its approach will do.

15 GAO Report at 6-7.

16 Press Release, Department of Justice, “$5.1 Million Dollar Settlement Reached with Indiana Dental Firm to Resolve False Claims Allegations” (Nov. 6, 2018), available here.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.