Skip Ribbon Commands
Skip to main content

Corporate Integrity Agreements (CIAs)

Corporate integrity Agreements 


The Corporate Integrity Agreement (CIA) is an enforcement tool used by the Office of the Inspector General (OIG) within the Department of Health and Human Services (HHS), to improve the quality of health care and to promote compliance to health care regulations.  Similarly, the term Integrity Agreement (IA) is used for smaller health care providers such as physicians.  


The CIA is usually entered into contemporaneously with a civil settlement between the Government, and a health care provider (individual and entity), who has been the subject of investigations arising under the False Claims Act as amended in 1986, or who has been found guilty in acts of, defrauding Medicare, Medicaid or any other Federal health care programs.  A provider or entity consents to these obligations as part of the civil settlement and in exchange for the OIG's agreement not to seek an exclusion of that health care provider or entity from participation in Medicare, Medicaid and other Federal health care programs.”  (See, 


CIAs are negotiated and monitored through the Office of Counsel to the Inspector General.  They are detailed agreements that are constructed to mirror the Federal Sentencing Guidelines of 1995 while remaining individualized to reflect (i) the scope and size of the health care provider and (ii) the specific charges that gave rise to that particular CIA. 


A CIA allows a provider who has engaged in fraudulent conduct to continue participating in Federal health care programs (Id.). The average time period for a CIA is typically five years (Id.). If the health care provider breaches the CIA, the OIG reserves the right to impose additional sanctions including stipulated penalties and permissive exclusion pursuant to its authority under  42 U.S.C.1320a-7(b)(7) (Id.).



The OIG was created in 1976, in the department then known as Health Education and Welfare (HEW), to implement effective action against fraud and abuse that was rampant in Federal health care programs at that time.  (See, Protecting Public Health and Human Services Programs: A 30 Year Retrospective, Department of Health and Human Services, Office of the Inspector General, 2000.)  Since then, because of a number of laws (e.g., the False Claims Act of 1986, and Health Insurance Portability and Accountability Act of 1996), OIG initiatives and a series of industry collaborative, the OIG has expanded and refined its role in the fight against fraud waste and abuse.  (See, Out of those efforts has come the broader and more collaborative use of the statutorily granted enforcement tools including civil monetary penalties (CMP), assessments and exclusions.  CIAs are used in lieu of exclusions and when the OIG deems a health care provider redeemable under the program.


In fact, a provider may avoid the implementation of a CIA if it self-reports any and all violations of law related to the Federal health care program and demonstrates the implementation of an adequate compliance program.


In an Open Letter to Healthcare Providers in 1997, the OIG promoted the use of Compliance Programs for which, by then, it had developed a template Compliance Program Guide (CPG) for Clinical Laboratories.  (See, By 1998, with the supplemental guidance for Clinical Laboratories and the new guidance for Home Health Care and Hospitals, the OIG had introduced the use of CIAs as part of the civil settlement arrangement to resolve the allegations of fraud and abuse faced by the provider.  While CIAs are primarily enforcement tools, the OIG views them as “a mechanism to advise [health care providers] concerning what [the OIG] feels are acceptable practices to ensure compliance with applicable Federal and State statues, regulations and program requirements.”  See,


Further policy developments, aimed at improving compliance were evidenced in another Open Letter to Health Care Providers in 2001.  Here the OIG stated its goal to continue to improve the relationships between providers and the OIG.  (See, An Open Letter to Health Care Providers, November 20, 2001.)  The Open Letter contained the criteria it would use to determine whether or not a CIA was a useful alternative to exclusion, recognizing the issues raised by the use of its enforcement tools.  “Where the best interests of the programs are served by allowing the provider that has engaged in serious misconduct to continue participating in the health care programs, we generally require that the provider enter into an agreement to adopt certain integrity measures.”  (See, An Open Letter to Health Care Providers, March 9, 2000.)


The criteria are:  (1) whether the provider self-disclosed the alleged misconduct; (2) the monetary damage to the Federal health care programs; (3) whether the case involves successor liability; (4) whether the provider is still participating in the Federal health care programs or in the line of business that gave rise to the fraudulent conduct; (5) whether the alleged conduct is capable of repetition; (6) the age of the conduct; (7) whether the provider has an effective compliance program and would agree to limited compliance or integrity measures and would annually certify such compliance to the OIG; and (8) other circumstances, as appropriate.  (See, An Open Letter to Health Care Providers, November 20, 2001.)


The OIG continued to modify its policy on CIAs as the collaborative industry discussions provided feedback on the usefulness of CIAs.  In its November 2000 Open Letter to Health Care Providers, the OIG addressed the financial impact of CIAs on providers by modifying the provisions of CIAs that addressed billing reviews and the use of IROs.  It was careful to note that these changes were not meant to weaken the integrity of the provider’s compliance program that includes internal auditing but the changes were meant to address the costs associated with the sampling techniques required by the OIG. (Id.)


The Open Letter to Health Care Providers written in April 2006 looked at reducing the obligations of providers with “robust and effective compliance programs, which include internal auditing mechanisms.”  Rather than implementing a CIA, the OIG has looked at implementing Compliance Certification Agreements (CCA) that come with less stringent obligations on the provider.  Here, CCAs require providers to certify that they will continue to operate their existing compliance programs for a lesser term than a CIA and with less reporting obligations. (Id.)



The authority for corporate integrity agreements is derivative of the OIG’s authority to sanction fraud and abuse through the various enforcement techniques it has acquired to accomplish its mission.  In 1976, President Ford signed into law legislation creating an Office of Inspector General (OIG) at the Department of Health, Education and Welfare. (See “Protecting Public Health and Human Services Programs; A 30-Year Retrospective.”)  The Inspector General Act of 1978 (5 U.S.C. App) established the responsibilities and duties of the Inspector General as that of detecting and preventing fraud, waste, abuse, and violations of law and to promote economy, efficiency and effectiveness in the operations of the Federal Government. 


In 1994, the OIG executed its first four CIAs (30 Year Retrospective, p. 39). These initial CIAs only required the provider to attend training and certify such to the OIG. As CIAs gained popularity over the next decade, the OIG added “integrity” provisions and required that the provider establish an effective compliance program following the practices set forth in the Guidelines. According to the Guidelines, the “hallmark of an effective program” necessitates the following seven steps to provide a minimum level of organizational due diligence:


(1) Written Policies and Procedures: The organization must establish compliance standards and procedures to be followed by its employees and other agents that are effective in reducing the potential criminal conduct.


(2) Designation of a Compliance Officer and a Compliance Committee: Certain high-level personnel within an organization must be appointed to oversee compliance with the appropriate written policies and procedures. The organization must use due care to avoid delegating any substantial discretionary authority to individuals whom the organization knew, or should have known through its due diligence, with a propensity to engage in illegal activity.


(3) Conducting Effective Training and Education: The organization must take steps to effectively communicate its standards and procedures to all employees and other agents including required training and/or the dissemination of publications that practically explain what is required.


 (4) Developing Effective Lines of Communication:  The organization must have an “open line of communication” between the compliance officer and organization personnel. Additionally, the use of hotlines, memoranda, newsletters and other forms of information exchange is encouraged to maintain those open lines of communication.


(5) Enforcing Standards Through Well-Publicized Disciplinary Guidelines: The organization must take reasonable steps to achieve compliance with its standards through the implementation of monitoring and auditing systems designed to effectively detect criminal conduct by its employees and other agents and by having and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retaliation. 


The standards must be consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. The form of such discipline should be on a case-by-case basis.


(6) Auditing and Monitoring: The organization must have and ongoing evaluation system to ensure a successful compliance program. Such monitoring would include regular reporting of suspected non-compliance to corporate compliance officers who will share such information to  senior management.


(7) Responding to Detected Offenses and Developing Corrective Action Initiatives: After a violation of law has been detected, the organization must take all reasonable steps to respond appropriately to the offense and to prevent further similar offenses including any necessary modifications to its program to prevent and detect violations of law.


In addition to these seven elements, the OIG added other provisions in its agreements to allow its officials to inspect and review a provider’s compliance program along with an annual reporting requirement to the OIG. To provide guidance in the creation of a compliance program, the OIG prepared a number of model compliance programs guidelines for use by various health care providers including hospitals, individual and small group providers, among others. These guidelines are available on the OIG website.


In order to carry out its responsibilities effectively the OIG was granted certain enforcement tools including but not limited to those under 42 U.S.C. § 1320a-7 giving the OIG authority to exclude certain individuals and entities from participation in Medicare and State health care programs.  The Code further states that the OIG may waive exclusion if it would present hardship on those entitled to the health benefits or even on the provider whose services may be essential to the community.  It is this authority which the OIG uses to negotiate CIAs.


Agency Guidance

Guidance is provided by HHS in many forms.  There are thirteen CPG documents where the role of CIAs in enforcing compliance is explained.  (See,


Further guidance on CIAs may be found at  CIAs almost always include provisions incorporating the seven elements of an effective compliance program as is found in the CPGs, but the specific terms of a particular CIA depend on the facts and circumstances related to that case and that provider. Among the relevant factors considered in crafting a CIA are the severity and extent of the underlying misconduct, the nature and resources of the provider, the provider's existing compliance capabilities, and whether the case resulted from a self-disclosure.

All CIAs contain standard components distinguished one from the other by the specifics for the particular allegations and vendor involved.


1.      The Preamble establishes the statutory basis for the CIA and the date it was first entered.  It includes the statement that the CIA is intended to “promote compliance with the statutes, regulations and written directives of Medicare, Medicaid, and all other Federal health care programs … .”  (See, Corporate Integrity Agreement Between The Office Of Inspector General Of The Department Of Health And Human Services And Eli Lilly And Company.)


2.      The Term and Scope of the CIA is that section that identifies the length of the agreement (usually three to five years but could be as little as two years and as much as eight years); and gives certain definitions to explain the scope and coverage of the CIA.  This section usually is tailored to the respective provider.


3.      Corporate Integrity Obligations cover the elements of the CPG or the Federal Sentencing Guidelines, identifying the content and persons obligated to ensure compliance of the provider integrity Program.   For example, the Eli Lilly CIA placed certain obligations on Board members in addition to the organization principals, employees and the Compliance Officer.  The Obligations section also includes information on the Compliance Officer, the Compliance Committee, internal quality auditing, written standards (policies and Code of Conduct), training and education requirements (including number of hours and type of training to be conducted), and required certification of all persons trained. 


4.      Independent Monitor is the section that specifies the details of the Independent Review Organization (IRO), that most CIAs require, as well as the responsibilities of the provider towards the IRO.  The reader may be able to glean, from this section, some specifics of the reasons the provider is now under the CIA. 


5.      The Disclosure Program component of the CIA spells out the details of a disclosure program that would include a toll-free number and non-retaliation and other policies.  The Compliance Officer plays an important role in maintaining records of such disclosures. 


6.      The section entitled Ineligible Person provides definitions on the types of persons that must be excluded from dealing with the provider under the CIA.  There is also a list of databases available to track such excluded persons or entities.  This does not include exclusions databases that may also be maintained by State agencies such as the New York State Office of the Medicaid Inspector General (OMIG). (See, )


7.       The Reporting section provides for reporting of overpayments and other reportable events as is defined in the section.  This is one of the sections that may include additional reporting details as to the types of providers and the allegations of fraud.  For example, a drug manufacturer may have to monitor and report to the OIG on the Food and Drug Administration regulations and marketing practices a sole physician practice may need to focus only on health department regulations and overpayments.  (See, Eli Lilly, and the Integrity Agreement of Labmberto M. Arellano MD.)   


8.      New Business Units or Locations – obligates providers under CIAs to make reports whenever they have a new business unit or location furnishing items provided by a Federal health care program.


9.      Implementation and Annual Reports include information on the types of reports to be submitted on implementation of the CIA and for the duration of the agreement.  It is the quality of these reports that will determine if a provider continues through the term of the CIA or if the OIG will exercise its “right to impose sanctions, including stipulated penalties and program exclusion, for a material breach of the agreement.”  (See, An Open Letter to Health Care Providers, March 9, 2000.)


10.  OIG Inspection, Audit and Review Rights is a standard boiler plate clause that includes language on the rights of the OIG to inspect any aspect of the provider’s business, at any time.


11.  Document and Record Retention – notwithstanding the documentation retention requirements of health care providers’ records, the OIG requires that documents relating to the CIA be kept one year after the term of the CIA.


12.  Disclosures explain that reports submitted under the CIA are subject to disclosure under the Freedom of Information Act (FOIA) as set forth in 45 C.F.R. Part 5.  To the extent the reports include trade secrets or other confidential or proprietary information; the provider should state this to avoid disclosure of those parts of the report.


13.  Breach and Default Provisions include the terms of the sanctions should the provider breach the CIA.  Stipulated fines are generally the same for the large providers and smaller for the individual providers.  This section includes the statement that providers could be excluded under the OIG’s permissive authority should there be a material breach of the CIA.


14.  Effective and Binding Agreement section merely stipulates as other contracts do, that the agreement is binding and the sole source of the contents of the agreement.


15.  The Signatory page includes the signatures of the provider representatives (Counsel and the Compliance Officer and/or President) as well as the representative from the OIG.


16.  There may be appendices to the CIA.


Future of CIAs

One of the most recent and notable and changes to CIA provisions are additional liabilities placed on a providers’ board of directors as demonstrated by a CIA with Eli Lilly and Company signed on January 14, 2009. Generally, a board of directors has a duty of care and loyalty to its organization. When doing business with federal health care programs, either directly or indirectly, those duties have been extended to the directors in the maintenance of an effective compliance program. These new provisions have added the requirement of board meetings to review and oversee the company’s compliance with federal health care programs requirements and CIA obligations and other application laws and regulations.



The role of CIAs in fighting fraud waste and abuse is growing even as alternative enforcement actions such as CCAs are being explored.  It is obvious that the OIG sees benefits in working with health care providers to ensure continuity of services and to acknowledge when a fraudulent claim is due to carelessness or negligence but not an intentional act. 



AHLA would like to thank Joan Hogarth and Roselyn Tyson for their work in the original creation of this article.