Compliance 360® GRC Software Successfully Addresses the Requirements of a Corporate Integrity Agreement

This case study focuses on a large healthcare network with more than 100 affiliated physician practices and healthcare facilities located in multiple states. The organization provides comprehensive management services to its affiliated practices, enabling them to reduce administrative overhead to focus on providing high quality healthcare services and growing their businesses. To protect their interests, the name of the healthcare organization has been withheld from this case study. The accounts of the case study describe the actual experiences and results achieved using Compliance 360 to address the requirements of their Corporate Integrity Agreement.

Summary of the Business Issue

  • More than 100 affiliated physician practices and healthcare facilities
  • Operations in multiple states
  • MOre than 2,000 "Covered Persons" under the CIA
  • Successful completion of CIA 90-day milestones and 120-day Implementation Status Report to OIG
  • Expanding use of Compliance 360 to full Enterprise Risk Management


Recently, the healthcare organization entered into a Corporate Integrity Agreement (CIA) with the Office of the Inspector General (OIG) of the United States Department of Health and Human Services (HHS).

The OIG often negotiates compliance obligations with healthcare providers and health insurance organizations as part of a settlement of federal healthcare program investigations arising under a variety of civil false claims statutes. A healthcare provider may consent to these obligations as part of the civil settlement, in exchange for the OIG's agreement not to seek an exclusion of that provider from participation in Medicare, Medicaid and other Federal healthcare programs.

The typical term of a corporate integrity agreement is five years. These compliance measures seek to ensure the integrity of Federal healthcare program claims submitted by the provider. The more comprehensive integrity agreements typically include requirements to:

  • Hire a compliance officer and appoint a compliance committee
  • Develop and distribute a written code of conduct, standards and policies; and collect attestations of understanding from all Covered Persons in the organization
  • Implement a comprehensive employee training program and collect attestations of training from all Covered Persons in the organization
  • Establish a confidential disclosure program
  • Restrict employment of ineligible persons
  • Report overpayments, reportable events, and ongoing investigations/legal proceedings
  • Provide implementation status reports and annual reports to the OIG on the status of the entity's compliance activities

The Covered Persons in a corporate integrity agreement generally include all officers, directors and employees of the healthcare provider as well as 3rd-party contractors, subcontractors, agents and vendors that may impact the Federal healthcare program. This can include contractors or service providers that provide coding and billing services. The inclusion of non-employees in the compliance stipulations of a CIA creates an additional management challenge. Even when the organization is confident that all direct and indirect employees are acting in accordance with the CMS regulations, they must still collect, organize and provide the evidence of compliance for all Covered Persons. The burden of proof of compliance with the CIA rests solely with the healthcare organization.

The CIA for healthcare organization in this case study will be in effect for 5 years from the effective date, and requires the healthcare organization to:

  • Develop, implement and distribute their Code of Conduct to all Covered Persons within 90 days of the effective date of the CIA. The CIA also required that all Covered Persons certify in writing that they had received, read, understood and would abide by the Code of Conduct.
  • Implement written policies and procedures regarding the operation of the healthcare organization's compliance program and its compliance with Federal healthcare program requirements. Within 90 days of the effective date of the CIA, the healthcare organization was required to distribute relevant portions of the policies and procedures to the appropriate individuals whose job functions are relevant to the policies and procedures.
  • Provide general and specific compliance training to each Covered Person within 90 days of the effective date of the CIA. Each individual who was required to attend training must certify in writing that he or she has received the required training.
  • Establish a disclosure program within 90 days of the effective date of the CIA. Upon the receipt of a disclosure, the Compliance Officer was required to gather all relevant information and make a preliminary good-faith inquiry into the allegations. The Compliance Officer was also required to maintain a disclosure log that could be made available to the OIG upon request.
  • The healthcare organization was required to provide an implementation status report to the OIG within 120 days of the effective date of the CIA. The status report was to summarize the implementation of the CIA, including all of the above requirements.

Consistent with most corporate integrity agreements, the healthcare organization was essentially given 90 days to implement comprehensive compliance programs with another 30 days to produce the initial status reports containing detailed evidence of compliance as required by the OIG. The healthcare organization needed to move quickly and also be thorough in their accountability or risk further sanctions including the suspension of, or exclusion from, Federal healthcare programs.

Racing Against the CIA Clock

The healthcare organization first created the new position of Vice President of Quality Improvement and Regulatory Affairs and with the CIA clock ticking, quickly moved forward with recruiting the new position. They found an individual with prior experience establishing compliance programs for one of the nation's largest health insurance organizations. Based on this prior experience, the VP knew that their CIA compliance process could not be supported using e-mail and spreadsheets. With so much at stake, the manual overhead of e-mail and spreadsheets would be overwhelming and the risk of errors and omissions would be too high. Also based on prior experience and success, with Compliance 360, VP decided to forego the time-consuming evaluation of other systems.

As an added benefit, the Compliance 360 solution is provided as a hosted online service on the Internet. As a result, the expensive and time-consuming process of installing hardware and software was eliminated. Instead, the project was kicked off with a focus on solving the business issues of the CIA. The first step was a scoping process to identify the specific configuration that would be optimal for the healthcare organization.



With Compliance 360, each individual compliance program is monitored and managers are immediately alerted to any underlying issues, such as individual conflicts of interest. With this new-found visibility, detailed status updates are proactively provided to the executive team and the board of directors.

Planning and scoping of the project was completed within 60 days, and the rapid deployment completed within 40 days. This left the healthcare organization with approximately 20 calendar days to prepare and deliver their first CIA status update to the OIG.


Challenges Addressed with Compliance 360


Management of the Code of Conduct and Other Policies


The healthcare organization started with their Code of Conduct and policies. As these were loaded into Compliance 360, the advanced workflow capabilities of the system were used to manage the process of reviewing, editing and sign-offs with the appropriate people throughout the organization. Multiple revisions were automatically tracked by Compliance 360 with each version of the documents saved in the event that any prior revisions needed to be retrieved. Detailed status reports provided visibility into any delays and other potential issues throughout the process. This was critical as delays in this first step in the process would have resulted in missed CIA deadlines later on.


Surveys and Attestations


Once their Code of Conduct and relevant policies were finalized in the Compliance 360 central repository, the healthcare organization used the Compliance 360 Projects and Surveys tools to send e-mail notifications to their Covered Persons with requests for their action in reviewing the Code of Conduct and each relevant policy. Using the highly configurable workflow in Compliance 360, the healthcare organization was able to target the e-mail messages to ensure that Covered Persons throughout their diverse organization were only asked to review and attest to policies that were relevant to them. The configurable workflow of Compliance 360 was an important contributor to the success of our project. Without this capability, it would have been virtually impossible to target attestation requests to the appropriate people. As an added bonus, the healthcare organization avoided additional delays because they were able to up the workflow within the Compliance team, without the need for technical assistance.


Recipients of the e-mails accessed the Code of Conduct and policies through a simple, secure Internet screen that didn't require a user ID and login. Removing common obstacles, such as setting up accounts and passwords for every employee, further enhanced the response rates and timeliness of the employee reviews and attestations of compliance with the regulations.


Throughout the Code of Conduct , policy survey and attestation process, the Compliance team used detailed status reports to monitor the progress and any issues that arose. They monitored each individual program and were immediately alerted to any underlying detail compliance issues, such as individual conflicts of interest as they arose. With this visibility, they were able to provide detailed status updates to the rest of the Executive tean and the board of directors throughout the process.


As the healthcare organization rolled out the training required by the corporate integrity agreement, the Compliance team used the Compliance 360 system to verify individual class completions just as they had collected the attestations for the Code of Conduct. With all of their attestations collected into one central repository, broad visibility into the status of their overall compliance program was greatly facilitated.


Disclosures, Reportable Events and Investigations


In addition to the policy management, survey management and status reporting capabilities of Compliance 360, the Incident Management system was used to help establish the disclosure and investigation process as mandated by the CIA. The Incident Management system helps healthcare providers manage a wide variety of healthcare issues such as slips and falls, hotline tips, potential fraud and abuse occurrences, audit findings and potential conflicts of interest.


As potential issues were identified through the survey process within the healthcare organization, the Incident Management system was used to collect and store relevant documents and set up the review process using the workflow capabilities of Compliance 360. As an investigation progressed, Incident Management was used to manage team collaboration and provide a complete audit trail of actions and signoffs for accountability. Incident-specific status reports provide both operational and management visibility into the status of individual incidents as well as the overall status to support the request of a disclosure log by the OIG. Additionally, Compliance Managers will frequently use this capability for audit committee meetings and board meeting presentations.


120-Day Implementation Status Report and Proof of Compliance


With success achieved in policy management, surveys, and attestations for the Code of Conduct and training, as well as disclosures, reportable events and investigations, the healthcare organization still had to produce and deliver the 120-day implementation status report as required by the CIA. A significant misstep with the status report could result in further sanctions from the OIG, regardless of the actual compliance improvements achieved.


Because the healthcare organization had centrally managed the CIA project using the Compliance 360 platform, their status information was readily accessible. To collect all the compliance data and link it to the relevant CIA stipulations, the healthcare organization used the unique Virtual Evidence Room™ in Compliance 360.


The Virtual Evidence Room provides a central location where all compliance activities and documents are easily tracked and linked back to the related laws, regulations and standards. The Virtual Evidence Room facilitates audits, investigations and surveys such as a CMS audits, state audits, Joint Commission tracer surveys or OIG (Office of the Inspector General) investigations related to claims errors.


Using the Virtual Evidence Room, the healthcare organization linked surveys, attestations, conflicts of interest, compliance gaps, remediation plans and summary reports to each stipulation in the corporate integrity agreement. Should any ad hoc compliance questions arise, the healthcare organization is audit-ready with all proof of compliance organized in the Virtual Evidence Room. The supporting information needed to prepare the 120-day implementation status report was also consolidated in the Virtual Evidence Room.


The volume of detailed information in the healthcare organization's implementation status report turned out to be too much for e-mail. They found a work-around for e-mail and sent the status report to the OIG on time. However, because of that unexpected challenge, the healthcare organization plans to provide direct access to the Virtual Evidence Room, for the OIG inspector the future. Doing so will streamline the transmission to the OIG and should also enhance their credibility by displaying confidence and cooperation with an “open door policy”.


CIA Status


The healthcare organization is still early in the 5-year term of their corporate integrity agreement, but they have already made significant strides to ensure compliance with CMS and OIG guidelines. They have also successfully passed the initial checkpoints. Very few issues were identified by the OIG and with the help of Compliance 360 the healthcare organization has laid the foundation for a very strong compliance program going forward.


Looking Ahead


With the risks of the initial hurdles of the CIA now behind them, the healthcare organization is diligently continuing with the CIA process and also looking at additional opportunities for using their Compliance 360 system.


The healthcare organization must cope with regulations that vary from state to state. Compliance 360 will serve as their platform for collecting and managing these regulations in a central repository and help them efficiently establish and mange their corresponding compliance policies. The success of the healthcare organization's business model depends on their ability to relieve the individual physician practices of the overhead of regulatory compliance. They can accomplish this goal by centralizing and streamlining the management of compliance programs as much as possible. This strategy, enabled by Compliance 360, is expected to be more efficient and help ensure a more consistent approach to compliance across the company going forward.


Looking beyond the scope of compliance programs, the healthcare organization's VP of Risk Management has completed an evaluation of systems to help manage the risks associated with malpractice claims. Through the evaluation, they concluded that Compliance 360 will address these new requirements. The comprehensive platform is expected to efficiently support the healthcare organization's broad requirements in compliance, incident management and risk management.