OIG Releases Revised Guidance on Independent Review Organization Independence and Objectivity

On August 22, 2016, the Office of Inspector General of the Department of Health and Human Services (OIG) released updated guidance on Independent Review Organization (IRO) independence and objectivity (the “Guidance”). The Guidance replaces an earlier version (issued in 2004) in order to incorporate revised Government Accountability Office auditing standards, commonly known as the “Yellow Book.” The Guidance is available here.

The Guidance is of particular significance for providers that are subject to a corporate integrity agreement (CIA). If the OIG deems an IRO to lack objectivity and/or independence, then the IRO will not be able to certify its work under the CIA. Further, the OIG is able to reject a provider’s choice of IRO or require a provider to retain a new IRO if the OIG determines that the IRO is not independent. As such, observation of the Guidance is crucial to providers operating under a CIA.

Adoption of Yellow Book Principles

In the Guidance, the OIG adopts the ethical principles and general standards of the Yellow Book. These principles and standards serve as the basis for determining objectivity and independence. Under the Yellow Book principles, objectivity includes “independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest.” Objectivity standards are closely intertwined with the Yellow Book’s independence standards; the Yellow Book requires “independence of mind” and “independence in appearance.”

Threats to Objectivity and Independence

IROs must maintain objectivity and independence so that their findings are viewed as impartial, and thus accepted by, the OIG. The Guidance identifies two categories of “threats” to objectivity and independence. The two categories of threats are: (1) the threat that an IRO that has provided non-auditing service to the provider and will not appropriately evaluate the provider because the provider is implementing those non-audit services (the “Self-Review Threat”); and (2) the threat that results when the IRO performs management functions for the provider (the “Management Participation Threat”).

The Management Participation Threat is generally deemed by the OIG to be fatal. That is, no amount of safeguards or firewalls would likely reduce the Management Participation Threat to an acceptable level. Providers subject to a CIA should thus not engage their IRO to assist with management functions or decisions, and should not retain an IRO that was involved in the provider’s management in the past.

However, the Guidance indicates that there are certain non-audit services that an IRO can perform for a provider without crossing the Self-Review Threat threshold. The Guidance identifies specific examples of such services that are deemed acceptable and also identifies services that would constitute a fatal threat.

The Threats in Action: Acceptable and Unacceptable Non-Audit Services

The Guidance identifies the following examples of acceptable non-audit services. That is, an IRO may perform these additional services for a provider without the services constituting an unacceptable threat. If an IRO performs these services, it should still be able to certify its work under a CIA:

  • IRO personnel furnish general compliance training that addresses the requirements of the provider’s CIA and introduces employees to the provider’s overall compliance program.
  • The IRO performs routine tasks relating to the provider’s confidential disclosure program, such as answering the confidential hotline or transcribing the allegations received via the hotline.
  • The IRO performs the ineligible persons screening by entering the employee names into the exclusion databases and providing the screening results back to the provider.
  • The IRO evaluates the provider’s existing compliance program before the provider’s CIA is executed, presents its conclusions regarding the strengths and weaknesses of the provider’s existing compliance program, and makes recommendations regarding areas for improvement.
  • The IRO provides personnel to perform work plan procedures that are developed by the provider’s internal audit department and are not related to the subject matter of the CIA reviews.
  • The IRO furnishes consulting services to the provider under an engagement that is completed prior to the start of the CIA reviews and the services (1) are not related to the subject matter of the CIA reviews and (2) do not involve the performance of management functions.
  • The IRO performs an assessment of the strengths and weaknesses of the provider’s internal controls, even if those controls relate to the subject matter of the CIA review, as long as the IRO is not responsible for designing or implementing corrective action based on its internal controls assessment, or otherwise performing management functions.

In contrast, the Guidance identifies the following examples of unacceptable non-audit services. If an IRO performs these services for a provider, the IRO may not be considered to be objective and independent, and therefore, the OIG could reject the IRO’s certification under a CIA:

  • A provider uses a billing system or coding software that was developed or designed by the IRO and the IRO is being engaged to perform a claims review (the Self-Review Threat).
  • IRO personnel furnish specific training that addresses the subject matter of the CIA review (the Self-Review Threat).
  • The IRO develops the provider’s policies, procedures, or internal control systems (the Management Participation Threat and also possibly the Self-Review Threat if the policies and procedures address the risk areas that are the subject of the IRO review).
  • The IRO participates in decision making relating to the confidential disclosure program, such as determining which allegations warrant further investigation or the appropriate corrective action to take in response to compliance allegations (the Management Participation Threat).
  • The IRO performs an assessment of the strength and weaknesses of the provider’s internal controls associated with the specific risk areas that are addressed in the CIA and is engaged by the provider to design or implement new processes or internal controls that relate to the subject matter of the CIA reviews (the Management Participation Threat).
  • The provider outsources its internal audit function to the IRO (the Management Participation Threat).
  • The IRO is engaged to provide consulting services to the provider during the term of the CIA on a matter that is related to the subject matter of the CIA reviews (the Self-Review Threat).


Providers who have executed a CIA with the OIG should carefully review the Guidance and the underlying Yellow Book to ensure that the IRO they have retained will be acceptable to the OIG. If the provider identifies a potential threat to independence or objectivity, the provider should either alleviate that threat so that the IRO can continue its CIA work, or identify an alternate IRO.

To review the entire document and formatting for this alert (e.g., footnotes), please access the original below:

Related Services