A corporate integrity agreement (“CIA”) is frequently a part of settlements between the Office of the Inspector General of the US Department of Health and Human Resources (the “OIG”) and pharmaceutical companies or other entities. By entering into the CIA, a company agrees to various obligations and, in exchange, the OIG agrees not to seek its exclusion from participation in federal health care programs, including Medicare and Medicaid i.

While the focus of a CIA will be the specific compliance failure at the subject company, all CIAs have common elements. A comprehensive CIA typically lasts five years and requires the company to (1) enhance its compliance program by developing, implementing and monitoring various compliance areas, and (2) hire an Independent Review Organization (the “IRO”) to conduct annual reviews and assessments.

The CIA clearly identifies what areas of the company’s compliance program need to be enhanced. While these are tailored to the specific compliance challenges uncovered at the subject company, the CIA frequently requires the company to:

  • Hire a compliance officer/appoint a compliance committee
  • Develop written standards and policies
  • Implement a comprehensive employee training program
  • Establish a confidential disclosure program
  • Restrict employment of ineligible persons
  • Report overpayments, reportable events and ongoing investigations/legal proceedings
  • Provide an implementation report and annual reports to the OIG on the status of the entity’s compliance activities ii

Importantly, a CIA will usually require the subject company to engage an IRO that will monitor the company, conduct annual reviews and prepare annual reports. The CIA will specify the minimum requirements for the IRO. Typically, the IRO must:

  • Have expertise in the pharmaceutical industry and in federal health care program requirements (including the Federal Anti-Kickback Statute and the False Claims Act) iii
  • Assign individuals to design and select samples for transaction reviews who are knowledgeable about statistical sampling techniques and testing appropriate for the industry and customized for the company
  • Have sufficient staff and resources to conduct the reviews required by the CIA on a timely basis

Additionally, the CIA usually requires the IRO to (1) conduct a review assessment of the company’s system, processes and procedures twice during the duration of the CIA, and (2) conduct annual transactional reviews, which include testing of selected areas defined in the CIA.

Selecting the IRO

Selecting the right IRO is a crucial decision. The company must not only ensure that the IRO can fulfill the requirements set forth in the CIA, but also that the IRO is one it can work with successfully. Selecting the wrong IRO can lead to a very painful five years, requiring more company personnel dedicated to CIA compliance and ultimately costing the company more money.

The IRO and its professionals must have an in-depth understanding of the life sciences and pharmaceutical/biotech industry and especially federal health care programs, rules and regulations. They must also have an awareness of the demands a CIA places on a company. Ideally, the IRO should have a mix of professionals with backgrounds such as compliance professionals, forensic accountants and auditors, investigators, attorneys with prior governmental experience, professionals with in-house experience, etc. Additionally, the IRO should have technology and data science professionals who can select and analyze the testing samples. A working knowledge of the OIG-recommended statistics software RAT-STATS iv is essential.

Another factor to consider is whether the IRO has prior experience with CIA or monitorship engagements—specifically with the logistics of managing these projects. An experienced IRO will be better able to provide a workplan with realistic timelines and accurate budgets. This will help the company allocate its resources efficiently.

While the overall size of the IRO may not be as important, it is imperative that the IRO have enough resources to conduct the transactional testing for the duration of the CIA. The testers do not need to be auditors, but it is preferable for them to have a prior understanding of transactional sample testing and the requirements for creating and retaining workpapers. Transactional testing, conducted annually for the duration of the CIA, places significant demands on the company’s senior management and other employees from the areas that are being tested. Not only does senior management need to provide the supporting documentation for the samples selected by the IRO, they also often need to educate the IRO’s testers about the types of documentation provided as evidence and answer questions. There is a learning curve for the IRO testers, so it is important that the IRO limit changing the testers from year to year. Frequent changes within the IRO testing team only place more demands on senior management to educate new testers each year.

Working with the IRO

Working with the IRO to comply with the CIA requires significant effort and coordination on the part of the company. The company should appoint a project manager who will serve as the main point of contact with the IRO and the IRO team. This will not only streamline logistics but will also ensure that the IRO is not contacting company employees directly without senior management’s knowledge and coordination. Changing this project manager should be done only in very exceptional circumstances.

Prior to the IRO’s commencement, the company and the IRO will need to agree upon a workplan. The workplan should be as detailed as possible and should cover the review, assessment, relevant systems and transactional testing protocols. The protocols should be tailored to the subject matters set forth in the CIA. When negotiating the workplan, the company needs to ensure that it has the resources to comply with the demands the IRO places on the company and its employees as related to, among other things, the production of documents and employee interviews. While it is important that the company approach the IRO cooperatively, it should also make sure that it has the resources to fulfill the demands placed on it by the workplan.

What to expect during the IRO’s first year

The typical CIA requires that during its first year, the IRO conduct a systems review and assessments of selected areas. As part of this review, the IRO will likely request that the company provide its policies, standard operating procedures (SOPs), working instructions and other documentation that will help the IRO gain an understanding of the company’s operations. The IRO will review these documents and assess whether they are comparable to industry best practice and follow the required rules and regulations.

The IRO will then conduct interviews with senior management and other relevant employees to see if employees are familiar with the policies and procedures and follow them. For many employees this will be the first time they will have gone through interviews of this type, and they may not be comfortable with the process. The company can help the selected employees prepare by asking the employees to read the policies and procedures and working with them to understand how the policies and procedures relate to their daily tasks. Additionally, the company should consider conducting mock interviews for the employees; an outside service provider could be engaged to conduct these interviews if the company does not have the expertise in-house.

As part of the systems review, the IRO may also conduct a review and assessment of the company’s relevant IT systems. The scope of the review should be specified in the workplan. The company should be vigilant to ensure that the IRO does not deviate from the scope of work and focuses only on the systems that support the area covered by the CIA; otherwise, this can significantly increase the cost of the review.

What to expect in subsequent years

In subsequent years the IRO will conduct annual transactional testing during which it will select a sample of transactions and request supporting documentation. One of the most important steps for the company during this process is to determine what type of supporting documentation they should provide. It is not always necessary to provide every document related to the transaction, but it is important to agree with the IRO on the type and the number of documents that would satisfy the requirements of the transactional testing. The company needs to organize the documents as much as possible ahead of time, which will make the testing for the IRO easier and, ultimately, reduce questions and related costs. Many companies choose to conduct their own testing of samples of transactions in order to anticipate the results of the IRO testing. This will allow them to spot any weaknesses in the supporting documentation and to remediate any gaps and weaknesses. In addition, the IRO will conduct at least one more system review during the remaining years of the CIA.

Managing the requirements of a CIA is never an easy task; it requires significant human and financial resources to successfully fulfill all its obligations. The critical first step is selecting the right IRO, since the company will be working closely with this group of professionals for the five years of the CIA. The failure to select an IRO with sufficient industry knowledge and IRO or monitorship experience could lead to a difficult relationship between the company and the IRO and significantly increased cost.


1. Select an IRO who is experienced and has a diverse and qualified team.

2. Develop a clear workplan with the IRO and ensure you have resources to manage demands.

3. Appoint a project manager to work directly with the IRO and prepare internal staff and data.

4. Identify internal resources and additional help. Even the largest organizations need dedicated assistance.

5. Use the CIAs as a training tool. Seek continual improvement that leaves your organization stronger at the end of the term.

i. "Corporate Integrity Agreements." Work Plan | Reports & Publications | Office of Inspector General | U.S. Department of Health and Human Services. Available at: https://oig.hhs.gov/compliance/corporate-integrity-agreements/index.asp.

iii. Department of Health and Human Services. "A Roadmap for New Physicians Fraud & Abuse Laws." Work Plan | Reports & Publications | Office of Inspector General | U.S. Department of Health and Human Services. Available at: https://oig.hhs.gov/compliance/physician-education/01laws.asp.

iv. "RAT-STATS - Statistical Software." Work Plan | Reports & Publications | Office of Inspector General | U.S. Department of Health and Human Services. Available at: https://oig.hhs.gov/compliance/rat-stats/index.asp
