A corporate integrity agreement (CIA) is a document that outlines the obligations to which an entity agrees as part of a civil settlement. An entity agrees to the CIA obligations in exchange for the Office of Inspector General's (OIG) agreement that it will not seek to exclude the entity from participation in Medicare, Medicaid, or other Federal health care programs. CIAs have common elements, but each one is tailored to address the specific facts of the case and may incorporate elements of a preexisting compliance program.

An integrity agreement (IA) is a document that outlines the obligations to which an individual practitioner, small group practice, or small provider agree as part of a civil settlement.

The OIG Web site contains copies of current CIAs and IAs.

Providers under CIAs must promptly notify the appropriate payor of all identified overpayments and must promptly repay the overpayment amount in a manner consistent with the payor's policies and in accordance with 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. §§ 401.301-305 (the CMS overpayment rule). Providers under CIAs are expected to develop and implement written policies and procedures to ensure that overpayments are identified, quantified, and repaid in accordance with the CMS overpayment rule and other applicable Federal health care program requirements. Although all identified overpayments should be refunded to the appropriate payor, a provider under a CIA does not need to report to OIG all identified overpayments at the time it reports such amounts to the payor. However, the provider must report to OIG within 30 days all "reportable events" as defined by the CIA. A "reportable event" generally means anything that involves:

• a substantial overpayment;
• a matter that a reasonable person would consider a potential violation of criminal, civil, or administrative laws applicable to any Federal health care program for which penalties or exclusion may be authorized;
• the employment of or contracting with an ineligible person (as defined in the CIA); or
• the filing of a bankruptcy petition.

A reportable event may be the result of an isolated event or a series of occurrences.

OIG does not maintain a list of recommended or approved independent review organizations (IROs), and we will not indicate which IROs we believe are most qualified. It is up to the provider to determine the most appropriate accounting firm, law firm, or consultant to engage as its IRO. However, most CIAs include language that gives OIG the opportunity to notify a provider that its choice of IRO is unacceptable within 30 days after OIG receives written notice of the identity of the IRO. If during the term of the CIA, OIG has concerns about the quality of the review or the qualifications or independence of the IRO, OIG will make those concerns known to the provider and may request that the provider terminate its agreement with the existing IRO and retain a new one.

OIG Guidance on IRO Independence and Objectivity

The qualifications for an IRO are outlined in an appendix to the CIA. In general, with respect to a claims review, the IRO must (1) assign individuals to perform the claims review who have expertise in the applicable Medicare and State Medicaid program requirements, (2) assign individuals to design and select the claims review sample who are knowledgeable about appropriate statistical sampling techniques, (3) for the coding portion of the claims review, assign individuals who have a nationally recognized coding certification, and, for CIAs that require a review of medical necessity, (4) assign licensed nurses or physicians with relevant education, training, and specialized expertise (or other licensed health care professionals acting within their scope of practice and specialized expertise) to make the medical necessity determinations required by the claims review.

The OIG's Self-Disclosure Protocol (Protocol) is available to facilitate the resolution of matters that, in the disclosing party's reasonable assessment, potentially violate Federal criminal, civil, or administrative laws for which OIG CMPs are authorized. As indicated in the Protocol, OIG's general practice in resolving self-disclosures is to require a multiplier of 1.5 times the single damages amount and to require a minimum $100,000 settlement amount to resolve kickback-related submissions and a minimum $20,000 to resolve other matters. With respect to Reportable Events that implicate OIG's CMP authorities, OIG will resolve such matters in a manner similar to disclosures submitted under the Protocol. In other words, a provider under a CIA may resolve its CMP liability associated with conduct that is disclosed as a Reportable Event without making a separate disclosure through the Protocol. The CIA monitor will work with the provider to resolve the matter consistent with the Protocol. In the event that a provider elects to make a disclosure both as a Reportable Event and to the Protocol, the provider must note in its submission to the Protocol that it is subject to a CIA and provide a copy of its Protocol submission to its OIG CIA monitor.

No. OIG defines the term "reportable event" in its CIA by noting that it could be:

• a substantial overpayment,
• a matter that a reasonable person would consider a probable violation of criminal, civil, or administrative laws applicable to any Federal health care program for which penalties or exclusion may be authorized;
• the employment of or contracting with an ineligible person (as defined in the CIA); or
• the filing of a bankruptcy petition.

Such a situation may be the result of an isolated event or a series of occurrences. Therefore, a provider under a CIA must determine if an identified matter requires disclosure under the CIA based on the totality of the facts and the context of the surrounding circumstances. OIG believes that a percentage or numeric threshold simply constitutes the initial step in determining materiality and therefore reliance solely on such a rule of thumb threshold is inappropriate and should not replace a detailed analysis of all the relevant facts and circumstances.

No. If the employee or contractor is not also excluded from participation in the Medicare program and is not providing services that are paid for by the State Medicaid program for which the individual has been excluded, then the CIA does not require the termination of the employee or contractor.

OIG typically does not terminate a CIA or IA prior to the end of the provider's CIA or IA term based on the provider's performance under the CIA or IA. All providers are expected to fully comply with the requirements of the provider's CIA and IA; therefore, successful completion of the applicable CIA or IA requirements would not serve as a basis for early termination of such requirements. However, providers may request modifications to the terms of their CIA or IA. For example, a provider that has demonstrated its capability to perform claims audits using internal personnel may be permitted to perform its annual claims reviews using internal auditing personnel instead of being required to engage an IRO. Any such modification requests would need to be submitted in writing to the provider's OIG monitor, and the parameters of such a request should be discussed with the monitor in advance of submitting a written request.

A provider's CIA or IA may be terminated early in the event that the provider ceases participating in the Federal health care programs or ceases its operations altogether as a result of a closure, sale, bankruptcy, etc.

In the event that, during the term of its CIA or IA, the provider decides to sell any or all of its business that is subject to the CIA or IA (whether through an asset sale, a sale of stock, or other type of transaction), the CIA or IA shall be binding on the purchaser of the business unless the provider obtains a written determination from OIG that the proposed purchaser and the business will not be subject to the requirements of the CIA or IA following the closing of the transaction. To obtain such a determination, the provider must notify OIG in writing at least 30 days in advance of the proposed sale and provide a description of the business being sold, the terms of the transaction, and the identity of the prospective purchaser. A determination regarding successor liability will depend on the facts and circumstances of the proposed transaction and other information determined to be relevant by OIG.

Providers who are having difficulty completing a CIA or IA requirement within the time frames provided in the CIA or IA may be granted an extension of time to comply. However, the provider must submit a written request for an extension to OIG at least 5 days prior to the deadline specified in the CIA or IA that explains the reason(s) why the provider is unable to meet the deadline. The OIG has the discretion to grant or deny any such request.

The CIA or IA sets forth specified monetary penalties (referred to as stipulated penalties) that may be imposed on a per day basis for the provider's failure to comply with the obligations specified in the CIA or IA. The CIA or IA includes specific procedures relating to notifying the provider of its failure to comply and OIG's determination that stipulated penalties are appropriate. Certain violations of the CIA or IA requirements are specified as a "material breach" of the CIA or IA, including, for example, the provider's failure to engage and use an IRO or repeated violations of any CIA or IA obligations. In the event that OIG determines a provider to be in material breach of its CIA or IA, notice will be provided in accordance with the specific terms of the CIA or IA. A provider may be subject to exclusion from participation in the Federal health care programs based on a material breach of the provider's CIA or IA.

As described in detail in the claims review appendix to the CIA or IA, the claims review report must include a description of the claims review methodology, statistical sampling documentation, and the claims review findings, including both narrative and quantitative results.

OIG does not have a standard format for reporting claims review findings as part of an annual report. The content and length of reports vary depending on, among other factors, provider type, provider size, and the complexity of the required review(s). (See question What information should be reported to the OIG in the Claims Review findings as part of an entity's Annual Report?.)

In some IAs, OIG requires the IRO to use RAT-STATS, a statistical software package developed by OIG's Office of Audit Services. RAT-STATS is publicly available in downloadable form through the OIG Web site. The user's manual can be downloaded from the same site. Both the software and the user's manual are free.

In CIAs and IAs that do not require the use of RAT-STATS when performing claims reviews, if the IRO chooses to use another program, the IRO should provide a description of the software package used to conduct the claims review and provide the supporting documentation generated from the software package (e.g., random number printouts and sample-size estimate printouts) to support its sampling methodology and results.

The following components of RAT-STATS should be used to perform a CIA Claims Review:

• "Random Numbers" to draw random samples for both the Discovery Sample and the Full Sample (See response to How is RAT-STATS used to select a random sample? for specific guidance on how to use this feature);
• "Variable Appraisals" to calculate the mean and standard deviation of the overpayment amount in the sample (See response to How is the Variable Appraisals component of RAT-STATS used for the Discovery Sample analysis? for specific guidance on how to use this feature); and
• "Sample Size Estimator" to estimate the size of the Full Sample (See response to How is RAT-STATS used to determine the Full Sample size? for specific guidance on how to use this feature).

Before RAT-STATS can be used to generate the sample, the population from which the sample will be selected must be defined. Once the population has been identified, each paid claim in the population should be assigned a number (these assigned numbers will correspond to the numbers generated by RAT-STATS). Begin at the "Random Numbers" tab of RAT-STATS and select "Single Stage Random Numbers." The program then asks for:

• the seed number (this field should be left blank unless reproducing a previous sample);
• the name of the audit;
• the number of random numbers to be generated;
• the number of spares to be generated; and
• the universe range, the number of the first paid claim (e.g., 1), and the number of the last paid claim.
• Choose "disk" to save results to a disk or "printer" to print the results.

The generated results will be a list of numbers. The numbers generated by RAT-STATS are the numbers of those paid claims that have been selected for review.

Once the paid claims have been reviewed, a text file detailing the amount of the overpayment for each paid claim must be created. If there is no overpayment or if there is an underpayment, a zero should be associated with the corresponding paid claim. Each line of the text file should include the paid claim number, a space, and the amount of the overpayment (dollar sign is not necessary).

After creating the text file of overpayments based on the results of the discovery sample, select the Variable Appraisals component of RAT-STATS to calculate the mean and standard deviation of the overpayment amount in the sample. To calculate the mean and standard deviation of overpayments in the sample, the paid claims from the discovery sample should be reviewed, and a dollar difference determination should be made on each paid claim (i.e., the difference between what was reimbursed and what should have been reimbursed based on the IRO's determination). The mean and standard deviation of the overpayment amount in the discovery sample is used to determine the full sample size.

To use the Variable Appraisals feature:

• Choose the "Unrestricted" option.
• Input the name and location of the text file (e.g., c:/probe.txt).
• Enter the universe size.
• Choose "Difference Values" for the data file format (the text file created is composed of the dollar difference of what was paid and what should have been paid).
• Choose the format of the data output (text file, printer, or screen).

Many CIAs require a sample of 100 paid claims. For these CIAs, the IRO does not need to use RAT-STATS to identify the sample size. For CIAs that require determining a sample size using a probe sample, the IRO should calculate the mean and standard deviation of the overpayment amount in the discovery sample, select the "Sample Size Determination" tab on the main menu, and then select "Variable Sample Size Determination," "Unrestricted," and "Using a Probe Sample."

RAT-STATS will ask for the following information:

• Probe sample format (e.g., text file, Excel file, etc.)
• Universe size (i.e., the total number of paid claims from which the discovery sample was selected)
• Required confidence and precision levels
• Format of the data output (text file, printer, or screen).

Once this information is provided, the results will indicate the estimated number of paid claims that should be sampled to achieve the specified confidence and precision levels for the given population. The number of paid claims to be selected for the full sample should correspond to the confidence level and precision set out in the CIA. For CIAs that require a sample size of 100, no precision calculation is necessary prior to pulling the sample, and no changes to the sample size are required after the sample has been selected and reviewed.

The population should include only claims that the provider has submitted and for which the provider has received reimbursement (full or partial) from the Medicare program or (as applicable) a State Medicaid program.

Many current CIAs and IAs require that, as part of its claims review, the IRO should ensure that the paid claims were correctly coded, submitted, and reimbursed. More recent CIAs and IAs require the IRO to determine whether the items and services furnished were medically necessary and appropriately documented and whether the claim was correctly coded, submitted, and reimbursed. Documentation that should be relied upon to make these determinations include, but are not limited to, national policies, local policies, program memoranda from the Centers for Medicare & Medicaid Services, Medicare carrier or intermediary manuals or bulletins, medical records, claim forms, and any other supporting documentation.

For claims reviews that require a discovery sample, the purpose of conducting the discovery sample is to determine the net financial error rate of the sample that is selected. If the net financial error rate equals or exceeds 5 percent, the results of the discovery sample are used to determine whether a full sample is required.

For purposes of calculating the full sample size, paid claims that have been underpaid in the discovery sample should be considered as a zero. (Note: If conducting a discovery sample, a full sample size is only required if the net financial error rate of the discovery sample equals or exceeds 5 percent). This is because the objective of the claims review is to determine the amount of overpayments in the population. Given this objective, neither a dollar difference of zero nor an underpayment are considered to be overpayments; thus a zero should be entered into the calculation for that particular paid claim.

In a discovery sample, each paid claim is evaluated to determine the dollar difference between the amount that was reimbursed and the amount that should have been reimbursed. Once all paid claims have been reviewed, the results of each paid claim are added together (underpayments may be netted or offset from overpayments). The resulting calculation is the net overpayment. The IRO divides the net overpayment by the total dollar amount of the sample. The resulting calculation is the error rate.

For most CIAs, the IRO must conduct a single sample of 100 paid claims. For CIAs that require a discovery sample, if the net financial error rate of this sample equals or exceeds 5 percent, the IRO must conduct a full sample.

For most CIAs the IRO must conduct a single random sample of 100 claims. For CIAs that require a discovery sample, there is no set number of claims that the IRO is required to examine in the full sample. In these CIAs, the full sample size is based on the mean and standard deviation of the overpayment amount as calculated in the discovery sample, and the full sample must include a sufficient number of paid claims to meet the confidence and precision levels set out in the CIA.

OIG will allow, if statistically appropriate, the discovery sample (as a whole) to be used as part of the full sample.

For example, if the IRO must examine 200 paid claims in the full sample, the IRO may use the results from each of the 50 paid claims in the discovery sample. Therefore, the IRO only has to randomly select and review an additional 150 paid claims. The results of all paid claims reviewed as part of the complete full sample should be reported, i.e., 200 paid claims.

No. Estimating the sample size based on paid amounts will yield an estimate of the sample size needed to determine the actual amount paid, a figure already known. Instead, the objective is to estimate the amount of the overpayment; thus the figures entered into the full sample size calculation must be overpayment amounts.

If the provider cannot produce documentation for a paid claim that was selected (e.g., the underlying medical record and/or billing documentation cannot be located), this paid claim should be considered an error and the total amount paid should be considered the overpayment. It is not permissible for the provider to remove this paid claim from the sample, to replace this paid claim with a spare, or to consider that the service was properly coded, billed, and reimbursed.

If the documentation for a paid claim cannot be located, the IRO should consider this claim to be an error/overpayment and may not replace the selected claim with an alternate or spare. However, alternates or spares may be used in certain limited situations in which the IRO determines that a paid claim was incorrectly included in the population for the claims review and the IRO is able to identify and eliminate all similar claims in the sampling frame (e.g., the population includes a claim that was paid by a private payor instead of the Medicare program, and the IRO can identify and remove all claims paid by private payors in the sampling frame). If this or another situation arises in which the IRO proposes to use a spare, the provider or the IRO should contact their OIG monitor for further guidance.

The purpose of the systems review is to identify problems and weaknesses that resulted in overpayments. A systems review is a walk-through of the system(s) and process(es) that generated the paid claim determined to be in error.

For example, if a paid claim was overpaid, the IRO should begin by determining whether it was initially coded correctly. If it was incorrectly coded, the provider should discuss the incorrect code assignment with the person responsible for assigning the code and take appropriate actions (e.g., training). If the code was correctly assigned on the source document, the IRO should verify that it was correctly entered into the system. If correctly entered into the system, the IRO may need to review the charge master or other computer software to ensure the code entered was correctly "cross-walked" to the code that should have been billed. The goal of the systems review is to identify at what point the error that resulted in the overpayment occurred and to determine why. The provider should then take any necessary steps to prevent such problems in the future.

In CIAs that require an initial discovery sample, if a full sample is required based on the results of the discovery sample, a systems review also is required. See In what circumstances should the IRO review a Full Sample? to determine when a Full Sample is required.

In CIAs that require a review of a single sample of paid claims (typically 100 paid claims), no separate systems review is required. However, for each paid claim in the sample that results in an overpayment, the IRO is required to review the system(s) and process(es) that generated the paid claim and identify any problems or weaknesses that may have resulted in the identified overpayment and provide any observations and recommendations on suggested improvements.

The systems review report should include the IRO's observations, findings, and recommendations on possible improvements to the system(s) and process(es) that generated the overpayments. For CIAs without a separate systems review report requirement, the claims review report should include any recommendations for improvements to the provider's billing and coding systems or other controls for ensuring that all items and services billed are medically necessary and appropriately documented, coded, billed, and reimbursed.

In CIAs and IAs with a claims review that includes a discovery sample and, if the error rate for the discovery sample is 5 percent or greater a full sample, the IRO must extrapolate the results of the full sample to the population, and the provider is required to repay that extrapolated overpayment amount to the appropriate payor(s) (e.g., Medicare contractor, State Medicaid program, etc.).

In CIAs with a 100 paid claim sample (or IAs with a quarterly 30 paid claims sample), the provider must repay within 60 days any overpayment identified by the IRO in the claims review sample. In addition, the IRO must identify the potential extrapolated overpayment amount in its claims review report. However, it is up to the provider to determine, based on the claims review results, whether the CMS overpayment rule requires repayment of an extrapolated overpayment amount or some other corrective action, such as additional sampling.

OIG does not have a standard format for implementation reports or annual reports. These reports should include the information required by the applicable section of the CIA or IA (usually Section V). As a general guideline, the report should be organized in the order of the reporting requirements outlined in the CIA. In addition, it is helpful if all the materials are collected in a binder or other organized format and if a narrative report is included that is supplemented by attachments of any relevant supporting documents. Any questions about specific information to be included in an implementation report or annual report should be directed to the OIG monitor.

To verify the entity's compliance with the terms of its CIA and to provide OIG with an opportunity to observe an entity's compliance program in practice. The firsthand observations obtained while on site provide OIG with a more accurate and comprehensive assessment of an entity's compliance program. The site visit also offers the entity the unique, one-on-one opportunity to educate us regarding the entity's operations. OIG has also found that site visits help foster more effective communication between the entity and OIG.

Any provider, practitioner, or entity currently under a CIA or IA with OIG is potentially subject to a site visit. Entities previously visited include hospitals, physician offices, nursing facilities, laboratories, third-party billing companies, Medicare contractors, ambulance companies, durable medical equipment suppliers, pharmaceutical manufacturers, and home health agencies.

Entities selected are chosen based on specific criteria developed by OIG. Factors considered include whether stipulated penalties have been issued under a CIA or IA, issues raised in annual reports, whether the provider has had difficulties implementing its CIA or IA requirements, whether OIG has received information alleging noncompliance, whether there is a deferred prosecution agreement, high claims review error rates, changes in the provider's ownership or leadership, the reporting of reportable events, the comprehensiveness of the compliance program, size of operation, provider type/industry sector, and degree of cooperation when reporting or responding to OIG requests for information.

The visits are conducted by attorneys and/or program analysts from the Office of Counsel to the Inspector General.

The average site visit lasts between 1.5 to 2 days. Occasionally, for large entities, site visits may last for 2 or 3 days.

Each site visit is tailored to reflect the particular structure of the entity and the issues identified by OIG in monitoring the entity's compliance with the CIA or IA. Therefore, no two site visits are exactly alike. Discussions and issues during an OIG site visit often include:

• a presentation by the entity that includes an overview of the entity's corporate structure and operational organization and an overview of the entity's compliance efforts;
• a tour of the pertinent portions of the facility;
• a review of the disclosure log, training documentation, ineligible persons screening results, and other pertinent documentation;
• employee interviews regarding the entity's compliance program and its adherence to the terms of its CIA or IA, including interviews of the compliance officer and members of senior leadership;
• a discussion of the entity's annual report, reportable events, and corrective actions; and
• a discussion of OIG's site visit observations.

Because one of the primary purposes of a site visit is to provide us with an opportunity to observe the daily operations of the entity and its compliance program, we do not expect or encourage entities to spend excessive time or resources developing slide presentations or preparing employees for interviews. Instead, our main recommendation regarding site visit preparation is that the entity arrange to have employees reasonably available for discussions or to answer questions and to have relevant department heads and senior leaders available to discuss the entity's operations and compliance program. Typically, the entity's compliance officer and often one other member of senior management accompany the OIG representatives throughout the site visit and are available to answer questions. Through this less formal approach, we have found that site visits cause minimal disruption to the entity's normal business operations.

During our site visits, we encourage a candid exchange of information. Thus, we often conduct employee interviews one on one. Employees may, if they so choose, have a representative from the entity present during the interview. We often request that the entity representative be someone other than the compliance officer because questions asked during the interview may specifically relate to the performance of the compliance officer and the Compliance Department.

We typically do not conduct claims reviews during site visits. However, OIG or a duly authorized representative does have the authority in accordance with the OIG Inspection, Audit, and Review Rights section of the CIA and IA to conduct a claims review at any time during the course of the CIA or IA.