To a compliance officer, the words “corporate integrity agreement” (CIA) can send a chill up and down the spine. When you look at the true meaning and goal of a CIA though, you can see that its intent is not punitive, but instead a road map to make a healthcare organization more compliant. There is no doubt that it remains one of the most powerful weapons in the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) toolkit to resolve and monitor for compliance.
Purpose and Intent of a CIA
The purpose of a CIA is to improve the quality of healthcare and promote compliance with healthcare regulations; they are not meant to instill punishment, but instead to drive compliant behavior and set minimum standards for which a healthcare provider/entity should be held accountable. An organization wishing to settle a government investigation is not guaranteed the option of a CIA and settlement; rather, it is at the discretion of the OIG whether to agree to such an arrangement.
A CIA is typically entered into in conjunction with a civil settlement between the U.S. government and a healthcare provider/entity arising under the False Claims Act, or when an organization has been found guilty of defrauding the Centers for Medicare & Medicaid Services (CMS) (Medicare, Medicaid, CHIP, TRICARE, etc.) or any other federal healthcare program. The CIA is negotiated as well as monitored through the Office of Counsel to the HHS OIG. The agreements are designed to mirror the federal sentencing guidelines established in 1995 while also reflecting the individual scope and size of the provider and the specific allegations that gave rise to the CIA.
A CIA allows such providers/entities to continue participating in federal healthcare programs. According to the OIG website, the OIG enters into CIAs and integrity agreements (IAs) with healthcare providers and other entities as part of the settlement of federal healthcare program investigations arising under a variety of civil false claims statutes. The breach of a CIA/IA and default provisions allow the OIG to impose certain monetary penalties (referred to as stipulated penalties) for failure to comply with certain obligations outlined in the CIA/IA. In addition, a material breach of the CIA/IA constitutes an independent basis for the provider’s exclusion from participation in federal healthcare programs.
Interesting facts about CIAs
The first CIA was executed by the HHS OIG in 1994. Earlier CIAs concentrated more on training and certifying attendance by employees of the OIG. Over the next decade, the OIG began to add “integrity” provisions that required the provider/entity to establish an effective compliance program that mirrored the practices outlined in the federal sentencing guidelines. The guidelines required seven steps to provide a minimum level of compliance. In addition, the OIG added requirements allowing inspection and review of compliance programs, plus requiring annual reporting from the provider/entity to the OIG regarding their CIA compliance efforts.
From 2013-2016, the OIG (according to its website) entered into 329 CIAs/IAs with providers and/or entities:
2012 – 54
2013 – 51
2014 – 87
2015 – 88
2016 – 49
In recent years, the OIG has issued quality-of-care CIAs, particularly related to long-term care companies. These types of CIAs focus on cases for which the provider was alleged to have provided essentially no care or insufficient care, resulting in what the OIG terms “worthless service.”
The OIG has also stipulated penalties for non-compliance, which includes fines/sanctions as well as excluding a provider/entity.
Typical Components of a CIA
A CIA specifically outlines compliance requirements that a provider or entity must implement, follow, and be held accountable for during the term of the CIA. The CIA is in effect for a defined term, typically five years. Although most of the CIAs contain common elements, each is tailored to address certain facts surrounding a case and may incorporate parts of a preexisting compliance program.
A CIA also contains penalties for non-compliance that can be imposed on a per-day basis if the organization fails to comply with the CIA requirements. Certain violations are considered a “material breach” of the CIA, such as failure to engage and use an independent review organization (IRO) and/or repeated violations of CIA obligations.
The core sections of a CIA typically include:
The OIG will negotiate specific and relevant sections that are unique to each situation and will make the organization more compliant going forward.
New Provisions in CIAs
In previous versions of a CIA, each organization would have to complete an annual report to the OIG that outlines numerous CIA-related activities completed throughout the year. As part of the submission, the chief compliance officer and chief executive or chief financial officer would have to attest/certify to the accuracy of the report.
In the new CIAs, there has been a drastic change in that they now require management certifications. This requirement represents a significant effort, and in my opinion, provides a clear message from the OIG that compliance isn’t just the responsibility of the compliance department. In this new element, it requires management at all levels (such as corporate, area, region, division, and district leaders) to not only certify their commitment to compliance, but to document how they have promoted compliance within their job responsibilities.
In the new model CIA, an organization is required to conduct a thorough risk assessment on an annual basis. This risk assessment is to be shared with the OIG, and if applicable, with the IRO.
If shared with the IRO, the risk areas will typically be used to determine the general focus for the IRO audit later in the year. There are also a variety of changes in recent CIAs that relate to the IRO audit process, error rates, repayment, etc.
This same risk assessment may also be used to develop a training plan under the new CIAs. This is a change from the previously mandated training element, which was based on the “covered conduct” as defined within the settlement between the organization and the OIG. Under the new CIA, the organization has the ability to recommend a training plan to the OIG for its approval. It no longer defines a set number of hours and topics of training.
Although a new requirement of a compliance expert has been added, not all CIAs will feature this new element. Such an expert comes in and conducts an initial assessment of the compliance program to set a baseline, and then completes further assessments on either an annual or every-other-year basis. This new requirement helps the OIG gather additional, unbiased information on the status of the compliance program.
The OIG’s position on CIAs
At the recent annual Health Care Compliance Association (HCCA) Compliance Institute, the OIG’s emphasis on the need for exclusion monitoring was highlighted again. In the OIG’s eyes, failure to demonstrate effective monthly exclusion monitoring and the lack of documented and effective compliance programs are hallmarks of organizations that find themselves in the OIG hot seat, or worse. The OIG reiterated the importance of having a formalized process in place to monitor pre-hire operations and continuing employment.
The second element is utilization of the self-disclosure protocol. The OIG has indicated that they believe the use of this protocol by a healthcare organization is evidence of an effective compliance program. If you are operating under a CIA, you will have numerous reporting requirements and methods with which to report to the OIG.
Summary
At the recent annual HCCA Compliance Institute, a senior member of the OIG commented that the purpose of a CIA is to protect the integrity of payment of CMS dollars as well as ensure ongoing compliance and oversight of healthcare companies that have reached the OIG radar for alleged fraud-related matters. The OIG reiterated that the goal of a CIA is to help an organization resolve a pending matter and to set in place certain minimum compliance requirements.
The CIA is not put in place just to memorialize the seven elements of an effective compliance plan, without teeth. A positive outcome of a CIA, she stated, “is to teach a provider about self-assessment and good compliance governance.” The speaker referred to this as efficient and effective oversight by the OIG and an IRO.
CIAs are a great resource to compliance officers who are not currently under a government investigation or an impending CIA settlement. A CIA is a roadmap for providers of what the OIG sees as basic requirements of a compliance program.
Take a few minutes every month to check the OIG website to see if any new CIAs may relate to your type of healthcare organization.
The Centers for Medicare & Medicaid Services (CMS) is continuing its multi-year push toward payment accuracy, documentation integrity, and value-based care. While the most visible
The 30th Annual Compliance Institute for the Health Care Compliance Association (HCCA) is scheduled to take place in Orlando next week. If you are there,
Please log in to your account to comment on this article.
Breast biopsy procedures may be clinically straightforward but accurately translating them into compliant billing can be anything but. In this focused webcast, Shawn Blackburn, CPC, CPMA, CIC, CRC, CCS-P breaks down how imaging guidance, lesion count, laterality, and payer expectations all impact how these procedures should be reported. Through clear explanations and real-world scenarios, you’ll gain practical insight into aligning clinical workflows with billing requirements, avoiding common pitfalls, and ensuring your documentation supports accurate reimbursement and compliance.
Gain clarity and confidence in OB‑GYN coding with this expert‑led webcast featuring Sherri L. Clayton, RHIT, CSS. You’ll learn how to apply global maternity package rules accurately, select the right CPT codes for procedures and visits, and identify documentation gaps that lead to denials. With practical guidance and real examples, this session helps you strengthen compliance, reduce audit risk, and ensure accurate reimbursement for women’s health services.
Uncover essential coding insights with nationally recognized coding authority Kay Piper, RHIA, CDIP, CCS. Through ICD10monitor’s interactive, on‑demand webcast series, Kay walks you through the AHA’s 2026 ICD‑10‑CM/PCS Quarterly Coding Clinics, translating each update into practical, easy‑to‑apply guidance designed to sharpen precision, ensure compliance, and strengthen day‑to‑day decision‑making. Available shortly after each official release.
Uncover critical guidance on the ICD-10-CM/PCS code updates. Kay Piper reviews and explains ICD-10-CM/PCS coding guidelines in the AHA’s fourth quarter 2026 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Traditional utilization management models can no longer keep pace with regulatory shifts, payer scrutiny, and operational pressures. In this webcast, Tiffany Ferguson, LMSW, CMAC, ACM, ACPA-C, introduces an Adaptive Model strategy that modernizes UM through role specialization, technology-driven workflows, and proactive, team-based processes. Attendees will learn how to restructure programs to improve efficiency, strengthen clinical collaboration, and enhance financial performance in a rapidly changing healthcare environment.
Federal auditors are intensifying their focus on inpatient psychiatric facilities, using advanced data analytics to spotlight outliers and pursue high‑dollar repayments. In this high‑impact webcast, Michael Calahan, PA, MBA, Compliance Officer and V.P., Hospital & Physician Compliance, breaks down what regulators are really targeting in IPF-PPS admissions, documentation, treatment and discharge planning. Attendees will learn practical steps to tighten processes, avoid common audit triggers and protect reimbursement and reduce the risk of multimillion-dollar repayment demands.
In this timely session, Stacey Shillito, CDIP, CPMA, CCS, CCS-P, CPEDC, COPC, breaks down the complexities of Medical Decision Making (MDM) documentation so providers can confidently capture the true complexity of their care. Attendees will learn practical, efficient strategies to ensure documentation aligns with current E/M guidelines, supports accurate coding, and reduces audit risk, all without adding to charting time.
Join Ronald Hirsch, MD, FACP, CHCQM for The PEPPER Returns – Risk and Opportunity at Your Fingertips, a practical webcast that demystifies the PEPPER and shows you how to turn complex claims data into actionable insights. Dr. Hirsch will explain how to interpret key measures, identify compliance risks, uncover missed revenue opportunities, and understand new updates in the PEPPER, all to help your organization stay ahead of audits and use this powerful data proactively.
Celebrate Lab Week with MedLearn! Sign up to win one year of our Laboratory All Access Pass! Click here to learn more →
Have a Medicare regulation question you’d love Dr. Hirsch to answer? Now is your chance! CLICK HERE to learn more→
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 1 with code CYBER25
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
