UK: HHS OIG Closes 2018 With New Fraud Risk Indicator For Corporate Integrity Agreements

While the number of new corporate integrity agreements (CIAs) declined since last year, and was below the trailing five-year average, 2018 was an important year on the policy front for the Office of Inspector General (OIG), U.S. Department of Health and Human Services (HHS). The HHS OIG rolled out a new fraud risk indicator and related transparency initiatives aimed at companies that refuse to enter into CIAs following a civil health care fraud settlement. Entities negotiating CIAs are likely to experience a tougher, less flexible approach from the HHS OIG as it continues to rely on model agreement templates as the starting point in CIA negotiations. If recent history is a guide, companies that violate existing CIAs may face stiff stipulated penalties for such breaches.

While the model CIA approach may provide welcome predictability, the HHS OIG should consider adopting one or more provisions from the Skadden-drafted Model Corporate Integrity Agreement template published last year in Law360. The Skadden Model CIA incorporates modern corporate drafting conventions, maintains core CIA requirements while providing more flexibility to companies in meeting these obligations, and bolsters provisions for risk assessment and oversight.

Key Takeaways

  • The number of new and amended CIAs and integrity agreements dropped to 38 in 2018, down from 40 in 2017 and below the five-year average from
  • There were 243 open CIAs as of December 19, 2018.
  • CIAs in 2018 continued to include detailed obligations on boards of directors and executive management to oversee compliance programs — and to certify to their efforts in doing so. CIAs also reinforced the separation of compliance from legal and other functions.
  • One CIA incorporated DEA (i.e., Controlled Substances Act) requirements into the company's compliance program, and similar (or more burdensome) obligations are likely to be included in future CIAs with controlled substances manufacturers or distributors.
  • The HHS OIG's new Fraud Risk Indicator — and public identification of companies that refuse to enter into CIAs — is a major policy development, which raises questions as to fairness and due process as it does not involve a court determination of unlawful conduct.

The Year in Numbers: CIA Statistics

Number of Corporate Integrity Agreements*

The HHS OIG entered into 37 new CIAs and integrity agreements (IAs) in 2018,1 a modest decline from the 46 new agreements in 2017 and the lowest number of new agreements since 2012. As of December 19, 2018, there were 243 open CIAs according to the HHS OIG's website. Of the 38 agreements in 2018, 22 were new CIAs, one was an amendment to a prior CIA and the remainder (14) were IAs. The agency has explained that it does not require CIAs in all situations where one might be appropriate; rather, the HHS OIG focuses its limited CIA negotiating and monitoring resources on entities that pose a significant program integrity concern following a civil health care fraud settlement.2 As in prior years, the clear majority of the IAs were with individual, small group practices, or small providers; none of the IAs were with significant corporate or institutional entities.

Sector Breakdown

After physician practices, the second-highest number of CIAs by sector involved hospitals and health systems. Ambulance providers and nursing home/rehab/long-term care facilities were the next most common, with three CIAs in each sector.

Several large federal civil health care fraud cases were resolved without a CIA. Two settlements involved companies that resolved civil fraud allegations that occurred prior to the companies' acquisitions by large corporations.3 In both instances, the acquirer was operating under a pre-existing CIA. Another significant settlement not resulting in a CIA involved a medical device maker alleged to have sold diagnostic devices that it knew produced erroneous results that adversely affected clinical decision-making but as to which it did not take action until an FDA inspection prompted a nationwide recall.4

Notable CIAs and Trends

DEA Requirements, CCO Reporting Provisions. The AmerisourceBergen Corporation (ABC) CIA appears to be the second open CIA (and only the second CIA to date) to include explicit obligations to incorporate compliance with DEA regulations (i.e., Controlled Substances Act requirements).5 The DEA requirements are extensive and must be incorporated throughout the company's compliance program. It is also notable that the ABC CIA provides for the chief compliance officer to report "directly" to the audit committee of the board of directors and only "administratively" to the chief executive officer.

External Compliance Expert. The CIA with Lincare (a national durable medical equipment provider) includes an infrequently imposed requirement for the board of directors to engage an external compliance expert. The compliance expert must create a work plan for and then conduct a review of the effectiveness of the company's compliance program. The report of the expert must be reviewed by the board of directors as part of the board's compliance program review efforts. The Lincare CIA requires the compliance expert to be engaged for each of the CIA's five reporting periods. While this framework is common in FDA consent decrees, it is less common in CIAs; only one recent CIA requires the engagement of a compliance expert and, even there, only for the first reporting period.6

Other Notable Trends. In 2018, several provisions that had appeared in some but not all recent CIAs appear to have become standard requirements. For example, the majority of 2018 CIAs, and every new 2018 CIA with a large corporate or institutional entity, include a provision that bars the chief compliance officer from having "any responsibilities that involve acting in any capacity as legal counsel or supervising legal counsel functions."7 This formally implements the HHS OIG's long-held view that compliance and legal functions in a health care organization should be completely separate. In addition, CIAs with life sciences companies now routinely require some type of risk assessment and mitigation program (RAMP), which is consistent with the addition of risk assessment as the "eighth" element of an effective compliance program as defined by the U.S. Sentencing Commission.8

OIG Actions for CIA Violations

In 2018, the HHS OIG continued its scrutiny of companies' compliance with CIA obligations and imposed sanctions against five companies.9 Four companies were assessed stipulated penalties that ranged from $15,000 — for failure of the compliance officer to make a quarterly report directly to the company's governing body — to a $132,500 penalty for failure to file reportable events. One company — a prosthetics supplier — was excluded by the HHS OIG for material CIA breach for failure to repay an overpayment identified by its independent review organization in an annual report. The company did not contest the material breach notice or request a hearing, and the exclusion went into effect on September 14, 2018.

New Fraud Risk Indicator is the Major Policy Initiative of 2018

The most significant new HHS OIG policy initiative in 2018 was the agency's publication of a new Fraud Risk Indicator, which explains when it will seek to impose a CIA following a health care fraud settlement and what the agency will do in situations where settling companies refuse to sign an agreement. Most settling companies have agreed to enter into such an agreement in exchange for a release of the HHS OIG's permissive exclusion authority.10 But in some instances, companies have forgone the exclusion authority release and refused to sign a CIA even when the OIG thinks a CIA is appropriate. While it is difficult to generalize, companies have refused to sign CIAs where they believed the underlying conduct giving rise to the settlement did not reflect a systemic breakdown in the company's compliance program, the costs and burdens of a CIA would put the company at a major disadvantage to its competitors, the company believed its compliance program at the time of settlement was sufficient and would be unduly constrained by the inflexibility of a five-year CIA, or some combination of such reasons.

In response to congressional concerns that the HHS OIG was not being tough enough in the imposition of CIAs and had entered into multiple CIAs with the same company over time,11 in September 2018, the HHS OIG announced that it would publish the names of companies that refused to sign CIAs when the HHS OIG thought a CIA was appropriate. HHS OIG explained its policy by stating:

OIG applies published criteria12 to assess future risk and places each party to an FCA settlement into one of five categories on a risk spectrum. OIG uses its exclusion authority differently for parties in each category (as described in the criteria and below). OIG bases its assessment on the information OIG has reviewed in the context of the resolved FCA case and does not reflect a comprehensive review of the party. Because OIG's assessment of the risk posed by a FCA defendant may be relevant to various stakeholders, including patients, family members, and healthcare industry professionals, OIG makes public information about where a FCA defendant falls on the risk spectrum.13

According to HHS OIG, entities that refuse to sign CIAs in such circumstances will be deemed "high risk" and listed publicly on a web page maintained by the OIG.14 Such entities will be subject to increased scrutiny, which can include (depending on the circumstances and the type of company) HHS OIG audits, evaluations, stepped-up investigative activities, or referral to the Centers for Medicare and Medicaid Services for claims review.15

In addition, the HHS OIG is now maintaining on its website a list of companies that had entered into a CIA in the past 10 years and whose CIA is now closed. The HHS OIG states that this list of closed CIAs "may be relevant to patients, family members, health care industry professionals, and other stakeholders," although the OIG's primary audience for this transparency effort is probably Congress, as several members of Congress called on the OIG to publish such a list of prior offenders.

Since the HHS OIG's September 2018 announcement, two entities — ImmediaDent of Indiana, LLC and Samson Dental Partners, LLC — have been added to the list of entities that refused to enter into a CIA and will be subject to heightened scrutiny. According to the U.S. Department of Justice (DOJ), these entities agreed to pay $5.139 million to resolve civil False Claims Act allegations that they improperly billed Indiana's Medicaid program for dental services.16 The DOJ press release on the settlement noted that "the companies have been determined to continue to be a high risk to the United States health care programs and their beneficiaries," which is consistent with the HHS OIG's listing of these companies. Notably, these entities are subject to the DOJ's statements and HHS OIG's listing even though no court has found them guilty of committing any crime nor of being liable under the FCA or any other federal civil statute.


The HHS OIG's most important policy initiative of 2018 — its new Fraud Risk Indicator and the public identification of companies that have refused to enter into CIAs when the OIG believes a CIA was necessary — continued to attract congressional interest into how the agency uses its exclusion and other enforcement and program integrity authorities. While the pace of new CIAs was down slightly from 2017, the HHS OIG continued to focus on provisions that impose integrity oversight obligations at the highest levels of the company — particularly the board of directors — and on reinforcing the separation of compliance from legal and other functions. Obligations to implement risk assessment processes also have become common in CIAs with life science companies, as reflected by both 2018 CIAs with pharmaceutical companies. As the OIG relies more and more on standard CIA templates, we would encourage the agency to update these templates, as outlined in a Model CIA Skadden drafted last year. The Model CIA incorporates modern corporate drafting conventions, maintains core CIA requirements while providing more flexibility to companies in meeting these obligations, and bolsters provisions for risk assessment and oversight. Given the importance of CIAs to the OIG's program integrity responsibilities, an updated CIA template would further the agency's goals of promoting the development and implementation of effective compliance programs in companies that have resolved federal health care fraud investigations.


1 Unless otherwise noted, the term Corporate Integrity Agreement or CIA refers to both Corporate Integrity Agreements and Integrity Agreements.

2 GAO, GAO-18-322, Department of Health and Human Services Office of Inspector General's Use of Agreements to Protect the Integrity of Federal Health Care Programs 10 (Apr. 2018), available here (hereinafter GAO Report).

3 See Press Release, Department of Justice, "Drug Maker Actelion Agrees to Pay $360 Million to Resolve False Claims Act Liability for Paying Kickbacks" (Dec. 6, 2018) (Actelion was acquired by another manufacturer in June 2017 and the acquirer had an open CIA at the time of the Actelion settlement), available here; Press Release, Department of Justice, "Medicare Advantage Provider to Pay $270 Million To Settle False Claims Act Liabilities" (Oct. 1, 2018) ("DaVita voluntarily disclosed to the government various practices that were instituted by HealthCare Partners, a large California-based independent physician association that DaVita acquired in 2012") (DaVita is operating under a previous CIA entered into on October 22, 2014), available here.

4 Press Release, Department of Justice, "Alere to Pay U.S. $33.2 Million to Settle False Claims Act Allegations Relating to Unreliable Diagnostic Testing Devices" (Mar. 23, 2018), available here.

5 The PharMerica CIA is the only other open CIA that incorporates Controlled Substances Act requirements (and appears to be the first CIA to do so). The PharMerica CIA requires the company to, inter alia, implement policies and procedures designed to ensure compliance with the CSA and establish a controlled substances policy task force. It also requires the board to summarize its review and oversight of compliance with CSA requirements. See PharMerica Corp., HHS CIA (May 11, 2015).

6 United Therapeutics Corp., HHS CIA (Dec. 18, 2017) (§ III.A.3.d, Board of Directors Compliance Obligations).

7 See, e.g., Signature Healthcare, LLC, HHS CIA (May 25, 2018) (§III.A.1, Compliance Officer). The same language is included in all CIAs in 2018.

8 See, e.g., Aegerion Pharmaceuticals, Inc., HHS CIA (Sept. 22, 2017) (§ III.D, Risk Assessment and Mitigation Process); AmerisourceBergen Corp., HHS CIA (Sept. 28, 2018) (§ III.D, Risk Assessment and Internal Review Process).

9 According to the GAO, for agreements entered into from July 2005 through July 2017, the HHS OIG issued 41 letters demanding stipulated penalties and collected approximately $5.4 million in such penalties. Penalty amounts demanded ranged from $1,000 to $3 million with a median of $18,000. GAO Report at 24-25.

10 In limited circumstances, the OIG will provide a permissive exclusion release without a corresponding CIA, such as when the entity self-discloses the conduct at issue or where the entity agrees to integrity obligations with the U.S. Department of Justice or a state law enforcement or oversight agency. See GAO Report at 7.

11 See Letter from Senators McCaskill and Wyden to Daniel Levinson, HHS Inspector General (May 10, 2018), available here. Letter from Daniel Levinson, HHS inspector general, to Sens. McCaskill and Wyden (Sept. 27, 2018) available here.

12 "Criteria for Implementing Section 1128(b)(7) Exclusion Authority," HHS OIG (Apr. 18, 2016), available here.


14 The publication of such a list raises serious questions of fairness and due process. By definition, entities on the list will have settled civil health care fraud settlements with the U.S. Department of Justice, which generally do not include any admission of liability by the settling entity and where no court has found the entity guilty of a crime or liable under any civil law. The HHS OIG has made no provision for a process by which companies can challenge their listing, although presumably companies can issue a press release or other external communication that explains their side of the story. It is not clear how such an unresolved situation of "did so, did not" will benefit "patients, family members, health care industry professionals, and other stakeholders" as the agency has suggested its approach will do.

15 GAO Report at 6-7.

16 Press Release, Department of Justice, "$5.1 Million Dollar Settlement Reached with Indiana Dental Firm to Resolve False Claims Allegations" (Nov. 6, 2018), available here.
