OIG Requires Independent Review Organizations (IROs) To Meet GAO Standards
A high percentage of the Corporate Integrity Agreements (CIAs) negotiated by the Department of Health and Human Services (HHS) Office of Inspector General (OIG) require an Independent Review Organization (IRO) to act as a guarantor. CIAs contain a number of compliance requirements, including the retention of an independent review organization (IRO) to review future claims submitted to federal health care programs, or to perform other system, arrangement, or transaction reviews. IROs ensure that the entity remains in compliance with the terms and conditions of the agreement. A CIA usually spans a five-year period and aims “to ensure the integrity of Federal health care program claims submitted by [a] provider” in future years. Retaining a properly qualified IRO to audit/review a provider’s compliance with the terms of a CIA is a critical issue. During the selection process, providers often overlook the IRO obligation to conduct its review in accordance with Generally Accepted Government Audit Standards (GAGAS), as established by the U.S. Government Accountability Office (GAO). The failure of an IRO to understand and apply these standards may result in continued problems.
is an unparalleled expert on IROs due to his previous experience negotiating CIAs and monitoring compliance on behalf of the OIG. Subsequent to his time at the OIG, Herrmann has served as a consultant for many years and has been involved in more than a dozen IRO engagements. In a recent presentation, Herrmann offered sage advice concerning the selection of an IRO. He noted that the OIG obligation for an IRO to comply with GAGAS standards is in two parts – one for financial audits and the other for performance reviews. Herrmann stated that few CIAs mandate financial audits, and rather focus on performance audits involving claims, systems, or arrangements with referral sources that may implicate the Anti-Kickback Statute and Stark Law. He said that from the perspective of the OIG, it is essential that an IRO conduct its reviews with both independence and objectivity. Herrmann also noted the OIG requirement that the “IRO must perform [its] review in a professionally independent and objective fashion, as appropriate to the nature of the engagement, taking into account any other business relationships or engagements…” Typically, the IRO must provide a certification regarding its professional independence and objectivity. Further, the standard CIA specifies that “[i]n the event OIG has reason to believe that the IRO…is not independent and objective…, the OIG may, at its sole discretion, require” the engagement of a new IRO.
Herrmann stated that IROs are subject to the independence standards set forth by the GAO. The OIG stated that the two overarching principles to consider when assessing independence are: (i) ensuring audit organizations do not perform management functions or make management decisions; and (ii) ensuring audit organizations do not audit their own work or “provide non-audit services in situations where the non-audit services are significant/material to the subject matter of the audits.” Herrmann stated that the OIG further underscores the importance of independence by requiring the IRO to maintain independence so that its opinions, findings, conclusions, judgments and recommendations will be objective and viewed as impartial by objective third parties with knowledge of the relevant information. Herrmann advises that any health care entity subject to a CIA should address the following questions when selecting an IRO:
- Does a prospective IRO have knowledge of and past experience in applying the GAGAS standards to its audits and reviews?
- Are there any constraints on an organization’s independence and objectivity in conducting OIG-mandated reviews under a CIA, either in terms of past or current engagements with the health care organization or other industry activities?
- Does the firm have the capability, capacity, and competence to perform the OIG-required performance audits, g., claims, systems, or arrangements review?
- Does the organization have quality control and assurance procedures to ensure the reliability and integrity of its audits/reviews?
- Can the IRO certify and attest that it will conduct its review in accordance with GAGAS?