Featured Article

Beyond Fines, Corporate Integrity Agreements Compound Compliance Costs

Posted By: Bret S. Bissey, MBA, FACHE, CHC, CMPE and Jennifer Shimek / May 13, 2016

pharmaceutical-compliance-monitor-squareHealthcare organizations accused of violating a federal law often find themselves in the settlement agreement process with the Department of Health and Human Services’ Office of the Inspector General (OIG), leading the company to comply with rigorous terms of a corporate integrity agreement (CIA). Those involved in particularly egregious or consistent violations of federal law governing the manufacturing and marketing of pharmaceuticals may even be obligated to enter into a deferred prosecution agreement with the U.S. Department of Justice (DOJ).

Costs and organizational mandates from CIAs compound the financial penalties paid for violations of laws, such as the False Claims Act or those governing current Good Manufacturing Processes, and rarely receive the attention that fines generate. However, CIA compliance costs can accumulate and leave healthcare and life sciences executives surprised about expenses for a duration that often spans as long as five years.

The potential for significant CIA expenses may serve as a catalyst for a new line of thinking among executives regarding their compliance programs: Compliance should be considered an investment within the organization rather than a cost. Compliance failures can result in corporate challenges and upheaval beyond the fines and penalties, such as leadership changes, reputational damage, and harm to shareholder value. Under a CIA, life sciences companies also require additional regulatory compliance audits[i] by third parties, technology spending, training requirements, mandated employee education, executive attestation, and potential additional compliance hiring — all of which takes the organization’s focus and resources away from improving the public’s health and wellness.

Lapses in compliance judgment or a breakdown in compliance practices, which can result in CIAs and DPAs reflect the complexity of healthcare laws and regulations.

The main differences between the two are as follows:

  • CIAs are process-driven agreements that focus on the elements of compliance and testing the controls of an organization. Work plans are created to identify and test risk areas, and report findings back to the OIG on an annual basis. These tend to follow a much regimented pattern detailing the compliance steps for a company to follow.
  • DPAs are a specific response to a particular action(s) and come from the DOJ. Companies under DPAs design their own monitoring and reporting mechanisms, policies and procedures, compliance programs, employee training, vendor training, incident reporting, corrective action, etc. The information reported to the DOJ during the DPA period is aimed at correcting the identified deficiency.


Healthcare reimbursement, operations, sales and marketing, interactions with healthcare providers (HCPs), product manufacturing, third-party intermediaries, distributors, and a variety of other functional elements all are affected by a variety of focused regulations and regulatory agencies. Pharmaceutical companies find the main causes for investigations and regulatory actions are connected with off-label marketing, sales and marketing activities, the False Claims Act, FCPA and attempts to influence the medical judgment or decision making of healthcare providers. The amount spent on healthcare leads to greater scrutiny of the interactions between life sciences companies and healthcare providers and various intermediaries and payers that may cause undue influence over the care delivered to the patient.

Life sciences companies and providers bear the brunt of that in future interactions with authorities. A CIA or DPA can make routine matters less subjective about whether authorities need to be notified about a potential transgression. In fact, one DPA spells it out this way for a life sciences company:

The Company shall truthfully disclose all factual information not protected by a valid claim of attorney-client privilege or work product doctrine with respect to its activities, those of its subsidiaries and affiliates, and those of its present and former directors, officers, employees, agents, and consultants, including any evidence or allegations and internal or external investigations, about which it has any knowledge or about which the Offices may inquire. This obligation of truthful disclosure includes, but is not limited to, the obligation of the Company to provide to the Offices, upon request, any document, record or other tangible evidence about which the Offices may inquire of the Company.

Many CIAs have a standard “reportable event” requirement which obligates the organization to the make a judgment on what is a “substantial overpayment” or a matter “that a reasonable person would consider probably a violation of criminal, civil or administrative laws applicable to any Federal health care program or for which penalties or exclusion may be authorized.? This obligation can lead to authorities to be notified about more issues than the organization ever could have anticipated, with associated legal, audit and operational expenses accompanying each disclosure.

Regulatory actions in the United States can cross borders adding another layer of complexity to compliance programs of international companies. More junior people may be required to attest to adhering to a CIA, which can lead to retention and recruitment challenges for key positions. More resources overseas may be required to further develop appropriate internal audit or compliance programs.

Under the monitoring and reporting requirements of these agreements, authorities normally opt not to reveal some of the sensitive business information at life sciences companies. Authorities say this notion of protecting information encourages cooperation and makes these monitoring programs viable.

The agreements with regulators and prosecutors have a certain appeal compared with contesting the allegations, since a lengthy trial can be costly and batter the reputation of a life sciences company in an industry that is highly regulated. No organization wants to be seen as a “bad actor,” especially if its products are awaiting FDA approval or needs a regulatory blessing to complete an acquisition. A CIA or DPA may look bad, but a court verdict will factor a perceived lack of cooperation with authorities in levying fines and penalties.

Difficulties that potentially can result in a mandated CIA or DPA could be mitigated if an effective and pro-active compliance program was in place within all aspects of the organization. It would be best to make the initial investment into a fully-funded regulatory compliance program, prior to having authorities impose one upon the organization due to violations or inappropriate behaviors.

The terms “audit” and “auditing” as used herein are to be understood as such terms are used in the context of healthcare laws and regulations not as such terms are defined by the AICPA or other local regulatory authorities in connection with, among other things, audits, reviews, compilations or other attestation services rendered by Certified Public Accountants.

Read the original article published by Pharmaceutical Compliance Monitor >

Bret S. Bissey, MBA, FACHE, CHC, CMPE

Prior to joining MediTract, Mr. Bissey was the SVP, chief ethics and compliance officer at UMDNJ, where he successfully led the compliance program to adherence with a rigorous five-year Corporate Integrity Agreement with the DHHS/OIG that occurred following a Deferred Prosecution Agreement. Prior to UMDNJ, Bissey served as the director of the Regulatory Compliance Practice at IMA Consulting, the chief compliance and privacy officer at Deborah Heart and Lung Center (operating under a CIA) and the VP of compliance at Cabot Marsh/QuadraMed. Mr. Bissey earned a Bachelor of Science in business administration and marketing from Shippensburg University of Pennsylvania and an MBA in marketing and healthcare administration from Wilkes University. Mr. Bissey is a frequent national speaker on healthcare compliance and is the author of The Compliance Officer’s Handbook. He is a Fellow of the American College of Healthcare Executives and a member of the Health Care Compliance Association (CHC), American College of Medical Practice Executives and the Healthcare Financial Management Association.

About the Author: Jennifer Shimek

Jennifer Shimek

Jennifer Shimek is a principal in the Short Hills office of KPMG’s U.S. Forensic Advisory Services practice, where she specializes in regulatory enforcement and compliance.