On May 18, 2010, the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG) issued revised guidance on independence and objectivity standards related to independent review organizations (IROs) that perform corporate integrity agreement (CIA) reviews. This revised guidance serves as a fresh reminder to entities under a CIA what independence and objectivity standards OIG will consider in connection with CIA monitoring, and by inference also provides some guidance on best practices in connection with compliance program effectiveness reviews.
This recent OIG guidance (OIG IRO Guidance) revises OIG's 2004 frequently asked questions (FAQs) issued on the heels of the Sarbanes-Oxley legislation. OIG indicates that it revised the OIG IRO Guidance because the U.S. Government Accountability Office (GAO) "Government Auditing Standards"-known as the "Yellow Book" and upon which OIG bases its IRO standards for auditor independence and objectivity-was revised in 2007. Additionally, CIA-mandated IRO review processes are more varied now than in 2004, when most IRO reviews related to coding, billing, and systems reviews. Since 2007, many of OIG's CIAs include IRO reviews focused on financial relationships with referral sources (stemming largely from Stark- and/or Anti-Kickback Law-related settlements) and drug manufacturer off-label marketing practice reviews. Indeed, the steady flow of pharmaceutical and medical device settlements and CIAs have led to IRO reviews that are qualitatively different than the CIA coding and billing IRO reviews of a decade ago. Notwithstanding these CIA changes and the revised Yellow Book (2007 update), the 2010 OIG IRO Guidance reflects largely the same views on applicable independence and objectivity standards espoused by OIG in 2004 in its FAQs.
The essence of the OIG IRO Guidance is that IROs have a continuing obligation to self-assess both their objectivity when performing IRO reviews as well as their independence. The two standards are closely interrelated, but in keeping with the Yellow Book's separate treatment of objectivity and independence, OIG addresses both separately as well. Quoting from the Yellow Book, OIG IRO Guidance states that objectivity includes "being independent in fact and in appearance when providing audit and attestation engagements, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest." OIG also cites Yellow Book standards that avoiding conflicts of interest in fact or appearance that may impair objectivity is essential to retaining credibility. Inasmuch as OIG is the final arbiter of IRO credibility as it relates to conducting IRO reviews, these conflict-of-interest concepts are critical for entities operating under CIAs and their IROs to assess.
As to the related standard of independence, OIG cites Yellow Book standards and notes that both "the audit organization and individual auditor must be free from personal, external, and organizational impairments to independence and must avoid the appearance of such impairments of independence." OIG wants IROs to assure independence (and indeed requires IROs to certify to such independence in each yearly IRO review) because it relies on the IRO review findings rather than its own independent reviews.
The objectivity and independence standards noted above are rather broad and subject to varying interpretations. Moreover, OIG and the Yellow Book do not go so far as to require a complete firewall between the IRO and the CIA entity such that the IRO can have no other interaction with the entity. Given the potential ambiguity, the OIG IRO Guidance, like its 2004 FAQ predecessor guidance, provides examples of services furnished by an IRO organization that would and would not impair IRO objectivity and independence. The examples are slightly repackaged but essentially the same as those OIG provided in its 2004 FAQs and they flow from two basic concepts-IROs should not review their own work and should not be involved in making the CIA entity's management decisions or performing management functions. What may be considered a management decision or function can involve judgment calls, and OIG retains the ability in its CIAs to determine whether an IRO's independence has been impaired by audit and nonaudit work it performs for the CIA entity.
Because CIAs grant OIG "veto power" over a CIA entity's choice of IRO and because OIG retains the right to seek removal of an IRO under certain circumstances, the OIG IRO Guidance reinforces that CIA entities and their IROs should pay close heed to the applicable Yellow Book standards on independence and objectivity. In this regard, CIAs require an IRO to provide a list of current and prior engagements that the IRO has with the CIA entity. Thus, it is important to examine the nature of these engagements to assess whether such engagements might impair an IRO's independence and/or establish the bases upon which these engagements do not impair the requisite independence.
One difference between the 2010 OIG IRO Guidance and the OIG's 2004 FAQs on IRO independence and objectivity is that the latter explicitly stated that "CIA reviews would be considered performance audits and IROs would be subject to the independence standards set forth in the Yellow Book that relate to performance audits." The OIG's updated IRO Guidance does not reference performance audits, which raises the question-what audit standards should IROs and their individual reviewers look to when conducting IRO reviews? Depending upon the nature of the IRO review and type of entity performing the review (e.g., coding, consulting, or law firm), different professional review standards may apply.
Finally, as we enter a period of healthcare reform (PPACA of 2010) implementation, including its enhanced focus on effective compliance programs, the Yellow Book standards on objectivity and independence discussed in the OIG IRO Guidance may serve as valuable references to providers and healthcare product manufacturers that engage in periodic compliance auditing, either with internal audit resources or external consultants. Key tenets for audit objectivity and independence should be considered when designing compliance audit and review protocols. The HHS Secretary's healthcare compliance program effectiveness requirements for enrollment, jointly established with the OIG, will likely embrace these auditor objectivity and independence standards in some fashion.
For additional information about the subject contained in this LawFlash, please contact the following attorneys in our FDA and Healthcare Practice:
 GAO-07-731G (July 2007 Revision), paragraph 2.10.
 Id. at paragraph 3.02.
 OIG Frequently Asked Questions Related to IRO Independence (2004), available at http://www.oig.hhs.gov/fraud/cia/docs/IRO_independence_FAQ_2004.pdf.
 Apart from CIA language and appendices related to IRO reviews, many consulting firms that were performing IRO reviews have looked to the American Institute of Certified Public Accountants (AICPA) Statement of Position (SOP) 99-1 on corporate compliance reviews in connection with CIAs. AICPA "Guidance to Practitioners in Conducting and Reporting on Agreed-Upon Procedures Engagement to Assist Management in Evaluating the Effectiveness of its Corporate Compliance Program," May 21, 1999. This SOP 99-1 was developed in the late 1990s with input from OIG as IROs struggled with identifying relevant standards for CIA reviews and stress "agreed-upon procedures" usually set forth in the IRO work plan.