What is an OIG Corporate Integrity Agreement?
An OIG Corporate Integrity Agreement in healthcare is a contract between the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and an organization that has violated a fraud and abuse law. The contract outlines the future compliance obligations of the organization. The OIG Corporate Integrity Agreement is often part of a civil settlement, reached after a violation of a fraud and abuse law, that prevents the organization from being added to the HHS OIG Exclusions List.
HHS OIG investigates cases of potential fraud and misconduct related to HHS programs, operations, and beneficiaries. When violations of a fraud and abuse law (e.g., the False Claims Act, the Stark Law, or the Anti-Kickback Statute) are identified, the HHS OIG has the authority to pursue a criminal prosecution, a civil prosecution, and/or administrative penalties such as license penalties, revocation of billing privileges, or exclusion from Medicare, Medicaid, and other federal health care programs.
When a civil prosecution results in a civil monetary penalty (or settlement) AND exclusion from federal health care programs, organizations may be offered the option of accepting an OIG Corporate Integrity Agreement depending on the nature of the violation and the organization’s previous compliance record. The OIG Corporate Integrity Agreement will outline what measures and practices the organization will be expected to implement and comply with over the following five years.
Being offered an OIG Corporate Integrity Agreement can be a lifeline for organizations that would otherwise cease to trade if they were excluded from federal health care programs. However, if an organization fails to comply with the terms of the OIG Corporate Integrity Agreement, the amount of the original civil monetary penalty can be increased, new civil monetary penalties can be imposed (“Stipulated Penalties”), and the organization will be added to the HHS OIG Exclusions List.
What an OIG Corporate Integrity Agreement Consists Of
OIG Corporate Integrity Agreements are tailored to address the cause(s) of the original investigation and any further compliance shortcomings that have been identified during the OIG investigation. They may also take into account elements of an existing compliance program (e.g., to comply with HIPAA). While each OIG Corporate Integrity Agreement may be unique, many have common core elements. These include:
- Hire a compliance officer (rather than designate the role to an existing employee).
- Appoint a compliance committee under the governance of the compliance officer.
- Develop written policies and procedures for issues noted in the Agreement.
- Implement a comprehensive training program for all members of the workforce.
- Retain an Independent Review Organization to conduct annual compliance reviews.
- Establish a confidential disclosure program to facilitate internal whistleblowing.
- Check each existing and new hire against the HHS OIG Exclusions List.
- Report overpayments, reportable events, and ongoing investigations/legal proceedings.
- Provide an Agreement implementation report and annual compliance reports to OIG.
With regard to retaining an Independent Review Organization (IRO), because each OIG Corporate Integrity Agreement is unique, there is no one-size-fits-all IRO. It may also be the case that more than one IRO is necessary if the Agreement requires an organization to retain (for example) experts in Medicare and State Medicaid programs, AND experts in the HIPAA Part 162 coding requirements, AND licensed healthcare professionals with specialized expertise.
The necessary qualifications for an IRO will be outlined in the OIG Corporate Integrity Agreement. However, once they enter into an OIG Corporate Integrity Agreement, organizations usually have 30 days to retain an IRO and send the details to HHS OIG, which reviews the IRO’s qualifications and either approves the IRO or requests that the organization terminate its relationship with the existing IRO and retain a new one. HHS OIG has published guidance on IRO independence and objectivity.
The Different Types of OIG Integrity Agreements
There are three types of OIG Integrity Agreements – the OIG Corporate Integrity Agreement as described above, an OIG Integrity Agreement for individual practitioners, small group practices, and small providers that will be less comprehensive than a Corporate Agreement, and an OIG Quality of Care Integrity Agreement for when a civil investigation and prosecution has found evidence of fraud that has impacted the quality of patient care.
In this third type of OIG Integrity Agreement, the organization will be required to retain an IRO with clinical expertise to perform relevant quality-related reviews in addition to an IRO with the qualifications to perform compliance-related reviews. In most cases, the IRO with clinical expertise will review the organization’s delivery of care and evaluate the organization’s ability to prevent, detect, and respond to patient care problems. The IRO’s review may also require peer reviewing.
The Difference between OIG CIAs and HHS CAPs
The difference between OIG Corporate Integrity Agreements (CIAs) and HHS Corrective Action Plans (CAPs) is that OIG CIAs most often form part of an investigation settlement that includes a civil monetary penalty, whereas a CAP is most often imposed by the Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) in lieu of a civil monetary penalty. In addition, while an OIG CIA is usually five years in length, an HHS CAP is often concluded within a year.
If you are concerned that your organization – or someone within your organization – may be in violation of a fraud and abuse law or failing to comply with an HHS healthcare regulation, it is best to seek professional compliance advice. If you are a member of a healthcare organization’s workforce, you can also raise your concerns with your organization’s compliance officer, or contact HHS directly via the HHS OIG fraud hotline, the HHS OCR Complaint Portal, or the HHS CMS Complaint Service.
The post What is an OIG Corporate Integrity Agreement? appeared first on HIPAA Journal.
Anna Jaques Hospital Suffers Christmas Day Cyberattack – HIPAA Journal
Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that resulted in an outage of its medical record system. The decision was taken to divert ambulances to other hospitals in the area until systems could be restored. On December 26, 2023, the emergency department started accepting patients. Few details have been released at this stage about the exact nature of the cyberattack, and it is too early to tell if the attackers gained access to patient information. Third-party cybersecurity experts have been engaged and are investigating the attack, and further information will be released as the investigation progresses.
Volunteer at NYC Health + Hospitals Impermissibly Accessed Patient Data
NYC Health + Hospitals has recently announced there has been an unauthorized disclosure of patients’ protected health information. NYC Health + Hospitals said it discovered on October 23, 2023, that an employee of NYC Health + Hospitals/Kings County allowed a Kings County volunteer to assist with processing laboratory test specimens for Kings County patients; however, the volunteer was not authorized to work in the laboratory and was not permitted to access patients’ protected health information.
While assisting in the laboratory, the volunteer accessed patients’ names, dates of birth, medical record numbers, locations within the hospital, and the laboratory tests ordered. Affected individuals had laboratory tests performed between October 2, 2021, and August 14, 2023. While PHI was impermissibly accessed, there are no indications that any of that information has been misused.
NYC Health + Hospitals said it has taken steps to prevent similar incidents from occurring in the future, including notifying all laboratory personnel that they are not permitted to provide non-employees with access to any NYC Health + Hospitals laboratories. NYC Health + Hospitals has also confirmed that the employee no longer works for NYC Health + Hospitals and has been barred from future employment at NYC Health + Hospitals, and the volunteer is no longer volunteering at NYC Health + Hospitals and has been barred from future volunteer work at NYC Health + Hospitals.
The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.