
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is an OIG Corporate Integrity Agreement?

An OIG Corporate Integrity Agreement in healthcare is a contract between the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and an organization that has violated a fraud and abuse law, that outlines the future compliance obligations of the organization. The OIG Corporate Integrity Agreement is often part of a civil settlement for violating a fraud and abuse law that prevents the organization from being added to the HHS OIG Exclusions List.

HHS OIG investigates cases of potential fraud and misconduct related to HHS programs, operations, and beneficiaries. When violations of a fraud and abuse law (e.g., the False Claims Act, the Stark Law, the Anti-Kickback Statute) are identified, the HHS OIG has the authority to pursue a criminal prosecution, a civil prosecution, and/or administrative penalties such as license penalties, revocation of billing privileges, or exclusion from Medicare, Medicaid, and other federal health care programs.

When a civil prosecution results in a civil monetary penalty (or settlement) AND exclusion from federal health care programs, organizations may be offered the option of accepting an OIG Corporate Integrity Agreement depending on the nature of the violation and the organization’s previous compliance record. The OIG Corporate Integrity Agreement will outline what measures and practices the organization will be expected to implement and comply with over the following five years.

Being offered an OIG Corporate Integrity Agreement can be a lifeline for organizations that would otherwise cease to trade if they were excluded from federal health care programs. However, if an organization fails to comply with the terms of the OIG Corporate Integrity Agreement, the amount of the original civil monetary penalty can be increased, new civil monetary penalties can be imposed (“Stipulated Penalties”), and the organization will be added to the HHS OIG Exclusions List.


What an OIG Corporate Integrity Agreement Consists Of

OIG Corporate Integrity Agreements are tailored to address the cause(s) of the original investigation and any further compliance shortcomings that have been identified during the OIG investigation. They may also take into account elements of an existing compliance program (e.g., one maintained to comply with HIPAA). While each OIG Corporate Integrity Agreement may be unique, many have common core elements. These include:

  • Hire a compliance officer (rather than designate the role to an existing employee).
  • Appoint a compliance committee under the governance of the compliance officer.
  • Develop written policies and procedures for issues noted in the Agreement.
  • Implement a comprehensive training program for all members of the workforce.
  • Retain an Independent Review Organization to conduct annual compliance reviews.
  • Establish a confidential disclosure program to facilitate internal whistleblowing.
  • Check each existing and new hire against the HHS OIG Exclusions List.
  • Report overpayments, reportable events, and ongoing investigations/legal proceedings.
  • Provide an Agreement implementation report and annual compliance reports to OIG.

With regard to retaining an Independent Review Organization (IRO), because each OIG Corporate Integrity Agreement is unique, there is no one-size-fits-all IRO. More than one IRO may also be necessary if the Agreement requires an organization to retain (for example) experts in Medicare and State Medicaid programs, AND experts in the HIPAA Part 162 coding requirements, AND licensed healthcare professionals with specialized expertise.

The necessary qualifications for an IRO will be outlined in the OIG Corporate Integrity Agreement. However, once they enter into an OIG Corporate Integrity Agreement, organizations usually have 30 days to retain an IRO and send the details to HHS OIG – which reviews the IRO’s qualifications and either approves the IRO or requests that the organization terminate its relationship with the existing IRO and retain a new one. HHS OIG has published guidance on IRO independence and objectivity.

The Different Types of OIG Integrity Agreements

There are three types of OIG Integrity Agreements – the OIG Corporate Integrity Agreement as described above, an OIG Integrity Agreement for individual practitioners, small group practices, and small providers that will be less comprehensive than a Corporate Agreement, and an OIG Quality of Care Integrity Agreement for when a civil investigation and prosecution has found evidence of fraud that has impacted the quality of patient care.

In this third type of OIG Integrity Agreement, the organization will be required to retain an IRO with clinical expertise to perform relevant quality-related reviews in addition to an IRO with the qualifications to perform compliance-related reviews. In most cases, the IRO with clinical expertise will review the organization’s delivery of care and evaluate the organization’s ability to prevent, detect, and respond to patient care problems. The IRO’s review may also require peer reviewing.

The Difference between OIG CIAs and HHS CAPs

The difference between OIG Corporate Integrity Agreements (CIAs) and HHS Corrective Action Plans (CAPs) is that OIG CIAs most often form part of an investigation settlement that includes a civil monetary penalty, whereas a CAP is most often imposed by the Office of Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) in lieu of a civil monetary penalty. In addition, while an OIG CIA is usually five years in length, an HHS CAP is often concluded within a year.

If you are concerned that your organization – or someone within your organization – may be in violation of a fraud and abuse law or failing to comply with an HHS healthcare regulation, it is best to seek professional compliance advice. If you are a member of a healthcare organization’s workforce, you can also raise your concerns with your organization’s compliance officer, or contact HHS directly via the HHS OIG fraud hotline, the HHS OCR Complaint Portal, or the HHS CMS Complaint Service.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
