Inside OIG’s New CIA Template: What Kinex Means for Life Sciences and Healthcare Compliance
Overview
At the Health Care Compliance Association’s 2026 Compliance Institute on April 30, 2026, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) publicly walked through its newly modernized Corporate Integrity Agreement (CIA) template,[1] using the Kinex Medical Company CIA, executed on March 2, 2026, as an example.[2] The new template carries forward the seven elements of an effective compliance program that have long anchored OIG’s guidance, while introducing substantive enhancements that signal where the agency’s expectations are heading.
Although a CIA technically binds only the entity that signs it, OIG has long treated the CIA as a vehicle for publicly articulating its expectations across the life sciences and healthcare industry. Together with OIG’s updated General Compliance Program Guidance[3] (and follow-on industry-specific guidance), the Kinex CIA offers the clearest picture to date of what OIG considers an effective compliance program. These changes offer meaningful insight into how OIG will likely measure the effectiveness of compliance programs going forward. The discussion that follows summarizes seven enhancements with broad applicability beyond entities operating under a CIA.
Compliance Officer: Independent Reporting Lines, Direct Board Access, and Prohibited Dual Roles
In the Kinex CIA, OIG substantially elevated the role of the Compliance Officer (CO) and prohibited certain conflicting job functions. Specifically, the CO must report directly to either the CEO or the Board, have direct and independent access to the Board, and possess “sufficient stature” to interact as an equal with other senior leaders. The CO may not lead or report to the legal or financial functions, provide legal or financial advice, or hold operational responsibility for healthcare delivery, billing and coding, claims submission, medical review, administrative appeals, or contracting. In sum, the revised structure outlined in the new CIA template reflects OIG’s view that the CO should function as an independent senior leader, not a part-time function layered onto another role.
Internal Reporting: Capturing All Channels and Allowing Direct Access to Compliance
The Kinex CIA includes a useful window into what OIG considers the hallmarks of a functioning internal reporting system, echoing similar elements included in OIG's General Compliance Program Guidance. In particular, OIG highlights the importance of tracking a wide range of internal reports — including emails, manager escalations, and ethics inbox messages, in addition to formal complaints made to an ethics hotline. OIG also emphasizes that at least one of these channels should allow employees to reach the compliance function directly, without having to route their concerns through a supervisor or the operational chain of command, so that reports cannot be filtered or diverted before reaching compliance.
Board Oversight: Independent Members, Quarterly Executive Sessions, and an Independent Compliance Expert
The CIA now requires an entity’s Board to include at least one independent member — meaning a non-owner, non-employee, and non-executive — closing a structural gap that allowed all-insider boards at many privately held and private equity-backed entities. The Board must also meet at least quarterly in executive session with the CO, without entity leaders, counsel, or employees present. Further emphasizing the importance of the Board’s role in compliance, OIG formalized the Board Compliance Expert as a standard requirement: the Board must retain an independent expert to evaluate program effectiveness, and the Board must respond with a written report and an approved corrective action plan. Together, these requirements signal that Board oversight cannot rest on management’s representations alone.
Arrangements With Healthcare Professionals and Organizations (HCPs): Verification That Services Are Actually Performed and Resources Actually Used
OIG is moving beyond paper compliance and now expects active verification that arrangements are functioning as documented. Tracking service and activity logs to confirm that parties are performing the services required, and monitoring actual use of leased space, supplies, devices, equipment, and other patient care items for consistency with the arrangement’s terms, are key aspects of verification expected by OIG. The Kinex CIA also directs the CO to audit — not merely review — compliance with these requirements annually, and to report results to the Compliance Committee. These shifts reflect OIG’s expectation that compliance programs answer not only whether a control exists, but whether it works.
Fair Market Value: Expanded Documentation and an Ongoing Reassessment Obligation
The new CIA template introduces more stringent standards for assessing and documenting fair market value (FMV), offering OIG's most direct guidance to date on this important topic. Through these enhancements, OIG has substantially expanded the documentation expectations around FMV determinations for arrangements with referral sources, HCPs, and customers. Entities must document the FMV amount or range, the corresponding time period, the date of completion, the parties that performed the valuation, and the names and positions of personnel involved. Importantly, entities must document FMV not only before signing or renewing an arrangement, but also during its pendency, as appropriate — meaning FMV is no longer a one-time analysis but a continuing obligation. For multi-year arrangements, entities will need new processes to revisit FMV over the life of the arrangement.
Risk Assessment: A Prescribed Five-Step Methodology Owned by the Compliance Committee
While prior CIAs required annual risk assessments, OIG’s new model now prescribes a specific five-step methodology: identify potential risks, assess their severity, evaluate and prioritize them, develop work plans or audit plans tied to identified risk areas, and monitor the effectiveness of those plans. The Compliance Committee is responsible for implementation and oversight. The methodology transforms the risk assessment into an auditable, repeatable exercise, reflecting OIG’s expectation that programs surface and address risks proactively rather than reactively.
Generative AI: Defined, Disclosed, and Represented at the Compliance Committee Table
For the first time, OIG expressly addressed artificial intelligence (AI) in a CIA. The new model defines Generative Artificial Intelligence (GAI) and requires organizations under a CIA to disclose whether they used GAI in connection with the compliance program or in preparing reports to OIG and, if so, to explain how they used it and to verify the accuracy of any GAI-assisted content. OIG also expects the Compliance Committee to include leaders from enumerated functional areas, including AI — recognizing AI as a compliance discipline in its own right. Even outside the CIA context, these provisions offer a useful reference point for how OIG is thinking about AI in compliance.
Practical Recommendations
The standards reflected in the new CIA template provide a helpful benchmark for self-assessment. Organizations reviewing their programs may want to consider:
- Conducting a gap assessment, to compare current structure, policies, and practices against the new template, and prioritize remediation of structural gaps in reporting lines, Board composition, or dual-hatted CO responsibilities.
- Enhancing internal reporting mechanisms, to ensure the program covers reports through any channel; consider eliminating requirements that employees raise concerns with a supervisor first, and update the disclosure records to capture investigation outcomes, remedial actions, and any external referrals, to the extent the forms do not already.
- Further empowering the CO, in order to reinforce structural safeguards to support the independence and authority of the CO, consistent with applicable OIG guidance, including appropriate reporting lines and Board access (such as executive sessions), clear separation from operational responsibilities, and formalization through a written charter, while also underscoring the Board’s oversight role.
- Moving from review to verification for arrangements with HCPs, including by assessing whether current tracking systems confirm, on an ongoing basis, that parties are performing the services required and that leased space, equipment, and supplies are being used as the arrangement contemplates; enhancing those systems as needed; and treating FMV as a continuing obligation rather than a one-time analysis.
- Developing an AI governance policy, to align with the increasing focus on the use of AI in compliance functions, including appropriate validation practices and consideration of AI expertise at the Compliance Committee level.
- Investing in compliance infrastructure, to sustain core compliance activities, support proactive risk assessment, and embed compliance as a core business function.
* * *
For questions about this Advisory, please contact the authors.
© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] Office of Inspector General, U.S. Dep’t of Health & Human Servs., Modernizing the Corporate Integrity Agreement (CIA) and CIA Website (presentation at Health Care Compliance Association 2026 Compliance Institute, Apr. 30, 2026).
[2] Corporate Integrity Agreement Between the Office of Inspector General of the Department of Health and Human Services and Kinex Medical Company, LLC (Mar. 2, 2026).
[3] Office of Inspector General, U.S. Dep’t of Health & Human Servs., General Compliance Program Guidance (Nov. 2023).