Corporate Integrity Agreements: Relevance and Lessons for Compliance
This paper has been prepared in connection with the “Corporate Integrity Agreements: Lessons Learned from Implementation, for Companies With and Without a CIA” presentation given by Michael Lampert (Ropes & Gray LLP), Tom O’Neil (The Saranac Group), and Wes Porter (Wright Medical Technology) at the American Health Lawyers Association’s September 2015 Fraud and Compliance Forum, by Michael Lampert and Josef Weimholt (Ropes & Gray LLP).
A. Corporate Integrity Agreements (“CIAs”): Background.
A Corporate Integrity Agreement (“CIA”) is a contract between a health care organization (or, less commonly, an individual health care provider) and the Office of Inspector General of the U.S. Department of Health and Human Services (“OIG”). A common feature of health care fraud settlements, CIAs essentially are bargains in which OIG foregoes the immediate exercise of its discretionary authority to exclude the health care company from participation in federal health care programs, in exchange for the organization’s commitment to assume certain compliance and reporting obligations for the duration of the agreement. If a company breaches its CIA, it is exposed to stipulated penalties, which can include exclusion.
B. Relevance of CIAs for Companies Without CIAs.
The contents of a CIA are of obvious significance for the individuals and organizations subject to its requirements. But CIAs offer important lessons for health care companies in every sector of the industry.
1. OIG Expectations. It is true that CIAs are negotiated, but the negotiation is around the periphery. By and large, CIAs reflect OIG’s current thinking and expectations for the features of an effective compliance program. In this way, CIAs update and expand on the “seven elements” set forth in the various compliance program guidance documents issued by OIG since 1998.
2. Benchmarking. CIAs are public documents, available on OIG’s website. As such, they provide readily available benchmarking data for the structure and developing requirements of compliance programs in various sectors of the industry.
3. Risk Assessment. CIAs can inform risk assessments. Organizations with effective compliance programs must assess their vulnerabilities in order to determine how to address them, and CIAs can be a valuable source of information for identifying potential vulnerabilities.
4. Protection Against Permissive Exclusion (and the Imposition of a CIA). Attention to CIAs can help companies avoid the harshest penalties if compliance trouble strikes. As reflected above, OIG is authorized to exclude individuals and entities from participating in federal health care programs, such as Medicare and Medicaid. Exclusion is a severe penalty—no federal health care program may make a payment for items or services furnished, directly or indirectly, by an excluded entity—from which many health care companies cannot recover. Reinstatement in program participation is not automatic. An excluded entity must apply for reinstatement. Recently, OIG published a paper describing the broader effects of federal health care program exclusion, which notes that the prohibition on payment extends to items or services ordered by an excluded person, and includes administrative and management services that are not separately billable. The bulletin also notes that non-excluded individuals and entities can face liability under the Civil Monetary Penalty Law for employing or contracting with an excluded person. While the scope and effectiveness of a company’s compliance program cannot avoid so-called mandatory exclusion (other, of course, than by avoiding initial noncompliance), it can help to avoid exercise of OIG’s permissive exclusion authority. This can be seen in particular in one of the four categories of factors that OIG considers in determining whether to exercise its permissive exclusion authority: the likelihood that the misconduct will occur again. Among the questions considered by OIG in evaluating the likelihood of recurrence are:
(a) What prior measure had been taken to ensure compliance with the law? Can the defendant demonstrate that it had an effective compliance plan in place when the activities that constitute cause for exclusion occurred?
(b) Did the defendant make any efforts to contact the OIG, [CMS], or its contractors to determine whether its conduct complied with the law and applicable program requirements? Were any contacts documented?
(c) Did the defendant bring the activity in question to the attention of the appropriate Government officials prior to any Government action, e.g., was there any voluntary disclosure regarding the alleged wrongful conduct?
(d) Did the defendant have effective standards of conduct and internal control systems in place at the time of the wrongful activity, e.g., was there a corporate compliance program in place? If there was an existing corporate compliance plan:
(i) How long had the compliance plan been in effect?
(ii) What problems had been identified as a result of the compliance plan?
(iii) Were any overpayments or systemic changes made if problems were identified?
(iv) Were appropriate staff sufficiently trained in applicable policies and procedures pertaining to Medicare and other Federal and State health care programs?
(v) Was there a corporate compliance officer and an effective corporate compliance committee in place (if appropriate to the size of the company)?
(vi) Were regular audits undertaken at the time of the unlawful activity?
(e) What measures have been taken, or will be taken, to ensure compliance with the law? Has the defendant agreed to implement adequate compliance measures, including institution of a corporate integrity plan?
62 Fed. Reg. 67,392, 67,393-94 (Dec. 24, 1997).
Because CIAs reflect OIG’s thinking on best practices for effective compliance programs, as discussed above, it stands to reason that a company with a CIA-grade compliance program would be less likely to be excluded by OIG under its permissive exclusion authority, and may be better positioned even to seek to avoid imposition of a CIA.
II. Common Themes from Recent CIAs
Specific CIA obligations will vary based on the nature of the conduct giving rise to the CIA (although such variation will occur toward the edges, and does not affect a CIA’s core elements), and on the sector within the health care industry (i.e., a CIA for a pharmaceutical manufacturer will differ from one entered into by a hospital). However, all CIAs tend to share certain common themes and a common structural framework.
A. Corporate Governance
1. Board Oversight of Compliance Programs
The fiduciary duties of care, loyalty, and obedience generally apply to the work of a board of directors, or an analogous governing body. Board members must take reasonable care in making decisions and in monitoring ongoing organizational activities, including the development and implementation of a compliance program. The “Business Judgment Rule” presumes that board decisions are well informed, rational, and made independently. It serves as a defense to a claim that a board member failed adequately to exercise her duty of care when acting on behalf of the organization.
At the heart of the duty of care lies the obligation to act in good faith. In a seminal decision, In re Caremark International, Inc. Derivative Litigation, the Delaware Court of Chancery interpreted this good faith duty to include a monitoring and oversight responsibility. Board members are expected to attempt, in good faith, to ensure that the senior management team has created an effective information and reporting system, and compliance risk assessment process. Liability can arise when a director knew, or should have known, of compliance violations and failed to act in good faith to address the situation.
Given these duties, and depending on the size of the organization and the complexity of the business, CIAs often require a standing compliance and ethics committee to oversee and monitor the performance of the compliance program (as described below in Part II.B.2), and the board of an organization not subject to a CIA may wish to consider forming one. Delegation of compliance program oversight responsibility to a board committee enables those directors to develop greater expertise and to devote more time to compliance matters. Core duties of such a committee include oversight of the performance of the Chief Compliance Officer, the Compliance Department and the organization’s Compliance Committee, and annual review and approval of the Compliance Department’s budget. The responsibilities of a board compliance and ethics committee should be set forth in a succinct charter that is approved by the board.
It is critical that the board be informed in a timely manner of key legislative and regulatory developments in the sector. In addition to requesting periodic updates from the management team, board members should consider attending relevant outside educational programs and/or consulting with an experienced compliance or legal professional.
To ensure that the Chief Compliance Officer (“CCO”) has sufficient stature and independence to perform her duties, best practices in the health care sector, and common CIA requirements, include the appointment of an executive who is not subordinate to the Chief Legal or Chief Financial Officer and who reports jointly to the Chief Executive Officer and the board or its compliance and ethics committee. The CCO should make regular presentations to the board or its committee; those presentations should provide data and other information regarding the structure, operation and effectiveness of the compliance program. It can be helpful to align those presentations and reports with the key elements and functions of the compliance program, and with CIA requirements, such as the information received and addressed through the organization’s Disclosure Program. Dashboards and scorecards that facilitate the board’s assessment of the effectiveness of the identification, assessment and mitigation of compliance risks can be particularly helpful.
2. OIG’s Practical Guidance
Beginning in 2003, the OIG and the American Health Lawyers Association have collaborated on the publication of educational resources to assist directors of health care organizations in performing their duties. See Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors (2003); An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors (2004); Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors (2007); and Practical Guidance for Health Care Boards on Compliance Oversight (2015, published in collaboration with the AHLA, the Association of Healthcare Internal Auditors, and the Health Care Compliance Association). The most recent of these materials, Practical Guidance, focuses on the board’s oversight of compliance program functions, including the roles of, and relationships between, an organization’s internal audit, compliance, and legal departments; channels and mechanisms for reporting compliance concerns and issues; identification and mitigation of regulatory risks; and approaches for fostering individual and organizational accountability for compliance initiatives and the success of the compliance program.
B. Structure and Oversight of a Compliance Program
1. Chief Compliance Officer and Compliance Committee
(a) As noted in Part I, one of the factors considered by OIG in exercising its permissive exclusion authority is whether there is “a corporate compliance officer and an effective corporate compliance committee in place.” It is not surprising, therefore, that CIAs require companies to appoint a Chief Compliance Officer (“CCO”) and to create a Corporate Compliance Committee.
(b) CIAs require that the CCO be a member of senior management who reports directly to the Board (or a committee thereof), the Chief Executive Officer, or both (i.e., she generally must not be subordinate to the General Counsel or the Chief Financial Officer). The CCO is responsible for monitoring the day-to-day compliance activities of the company, and must file an annual report with the OIG certifying that the company is in compliance with all provisions of the CIA. The Corporate Compliance Committee is likewise comprised of members of senior management, and exists to support the CCO in fulfilling her responsibilities.
2. Board Oversight
(a) While not one of the factors identified by OIG in its original 1997 guidance on exercise of its permissive exclusion authority, a key theme of recent CIAs is active oversight by the company’s Board of Directors, as discussed above. The Board (or a duly authorized Board committee) is required to acknowledge its oversight responsibility with respect to the company’s compliance program, its compliance with federal and state health care laws and regulations and internal compliance policies, and the company’s timely and complete fulfillment of its obligations under the CIA. To that end, CIAs typically require that, at the end of each annual reporting period, each Director or member of the appropriate Board committee sign a resolution confirming that she has made reasonable inquiry into the operations and efficacy of the compliance program, including the performance of the CCO and the compliance department, and that, to the best of her knowledge, the company has implemented an effective compliance program that satisfies both federal health care program requirements and the provisions of the CIA. If the Board or Board committee is unable to provide such a resolution, it is required to provide a written explanation for its inability to do so and a summary of the steps it is taking to implement an effective compliance program.
(b) Apart from the certification requirement, CIAs impose additional responsibilities on the Board, and on directors individually. For example, directors are often “Covered Persons,” and therefore must complete the general compliance training required under the CIA. In addition to the general training, CIAs in many industries increasingly require directors to undergo board member trainings in the areas of director responsibilities and corporate governance.
(c) Consistent with a Board’s oversight responsibilities, CIAs often require the CCO to submit quarterly reports to the Board (or Board committee) concerning compliance issues. Such quarterly reports might include information about the status of the annual compliance work plan, results of monitoring and auditing activities, updates on investigation activities, any “Reportable Events” that have occurred during that quarter, and updates on the disclosure program and disclosure logs (as described in Part II.F).
(d) Additionally, some CIAs require the Board (or responsible committee of the Board) to conduct an annual review of, and to draft and submit to the OIG a report on, the effectiveness of the company’s compliance program. Some CIAs require the Board to retain an independent expert to help the Board with this assessment.
C. Individual Responsibility
1. CCO Certifications
(a) A second broad theme is individual responsibility: CIAs increasingly seek to hold individuals accountable for potential corporate misconduct. This manifests itself most obviously in the requirement that companies submit, in each of the five years of a CIA’s term, certifications signed by specified individuals. For example, CCOs must certify that the compliance reports submitted to OIG each year are “accurate and truthful,” and that the company has complied with the CIA terms. To see how this certification requirement plays out, consider that CIAs require companies to establish and maintain hotlines and other avenues for personnel to report suspected noncompliance (as discussed in Part II.F below), and require the CCO to review and, where appropriate, to investigate each disclosure. The company must record all such disclosures, along with findings from any such investigations (or status of the investigation, if ongoing), and any corrective actions implemented by the company. Each annual report submitted by the company must include a summary of this disclosure log. The certification therefore requires the CCO to affirm, first, that the company has a hotline and other mechanisms for employees to communicate compliance concerns; second, that the CCO has investigated appropriately; and, third, that the disclosure log as submitted to OIG is complete.