“A compliance program that is more form than substance.” If that sounds familiar, your company could be on shaky ground when it comes time to defend itself from a government investigation. Veronica Nannis of Joseph Greenwald & Laake explores recent compliance program guidance from the DOJ and HHS Office of the Inspector General for tell-tale signs of paper programs.
Last year saw a record-breaking $6.8 billion in recoveries through False Claims Act (FCA) settlements and judgments, according to the DOJ’s yearly report. This included 1,297 qui tam lawsuits filed last year and 401 new FCA investigations opened.
While unprecedented, this announcement is hardly an anomaly. The DOJ has touted record-breaking FCA recoveries for several years now across different administrations. Given the government’s unparalleled success and the record numbers of whistleblowers coming forward, what can companies do to avoid ending up in the department’s yearly FCA recovery report?
Since the FCA exists to provide recovery to the government for fraud against it, any company looking to avoid FCA liability would be wise to closely adhere to guidance published by the government, of which there is plenty.
Select federal compliance guidance
An obvious starting point regarding compliance for all US corporations is the DOJ Criminal Division’s “Evaluation of Corporate Compliance Programs,” most recently updated in 2024. The ECCP details factors federal prosecutors consider when (1) investigating, (2) determining whether to bring charges against and (3) negotiating a plea with a corporation. It focuses on three basic compliance questions prosecutors are to consider:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
Companies should ask these questions on a regular basis and make concrete and demonstrable changes when vulnerabilities are detected. The ECCP guidance spells out the kind of compliance program elements that might be the difference between a criminal charge and merely an administrative enforcement action or fine. These elements include:
- Risk assessment: Must be ongoing and dynamic. Programs that regularly review and update risk assessments and apply lessons learned may get special prosecutor consideration.
- Policies and procedures: Must be comprehensive, subject to regular review and edit and accessible to all, with managers responsible for implementation and monitoring.
- Training and communications: Regular and repeated training with constant communication and reinforcement of policies.
- Confidential reporting structure and investigation process: An effective reporting and investigation process.
- Third-party management: The compliance program also governs third-party relationships, including regular vendors and contractors.
- Mergers and acquisitions: Comprehensive pre- and post-due diligence of acquisition targets, and a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.
Similarly, the Department of Health and Human Services Office of Inspector General (OIG) published its own compliance program guidance in 2023. While this guidance is specifically for the healthcare industry, companies in other sectors can easily extrapolate, learn from and tailor it to their specific industries.
The guidance discusses the seven elements of a successful compliance program:
- Written policies and procedures.
- Compliance leadership and oversight.
- Training and education.
- Effective lines of communication with the compliance officer and disclosure program.
- Enforcing standards: consequences and incentives.
- Risk assessment, auditing and monitoring.
- Responding to detected offenses and developing corrective action initiatives.
Both of these sets of federal guidelines have concrete ideas and policies that can and should be generalized for any company.
Common compliance mistakes and missteps
Some obvious themes exist across multiple compliance guides published by the federal government. When a company misses or ignores them, its risk of ending up defending an FCA case increases.
First, a common failure of companies that end up in DOJ’s crosshairs is not typically that they entirely lack a compliance program but that the program exists in name only. The DOJ manual refers to this as a “paper program.” Any earnest, good-faith compliance program is implemented, resourced, reviewed and revised in an effective manner. If a compliance program exists in name only and is not living, learning and adapting, the company risks civil and criminal consequences. While documentation is important, the reality of corporate culture is paramount. This is why two of the three questions for prosecutors are whether the company is earnestly applying its compliance program in good faith and whether it works in practice. No matter the written policy, company culture must earnestly encourage and foster compliance, an anti-retaliation environment, regular audits and ongoing training.
Second, an experienced compliance officer who is fully supported by management and the board is often the best tool to prevent fraud and avoid an FCA lawsuit. An empowered compliance officer should design, update and implement the compliance policy on a regular, ongoing basis. Companies get into trouble when a compliance officer is siloed off from major decisions, excluded from management discussions, not allowed to provide trainings as they see fit or hamstrung from fully implementing written compliance policies. A lot of federal guidance focuses on whether a company’s compliance program is adhered to in practice and whether it is, in fact, effective. Most FCA cases test this proposition as well, and in the ones in which the whistleblower and the government are successful, there is usually a lapse in compliance or a divesting of the compliance officer of authority to train and implement compliance policies. Like the paper program, if the compliance officer’s purview is mostly decorative, or existing just to check a box, a company is at risk.
Third, a compliance officer should always be removed from operations and be independent of the revenue cycle. The HHS-OIG counsels that an independent compliance officer should not report internally to either legal or operations. Instead, they should either report to the CEO with direct and independent access to the board of directors or report directly to the board. Likewise, compliance policies must be wholly independent of revenue considerations. Companies face serious risk when they exclusively tie training to revenue.
For example, Medicare and Medicaid regulations direct that every healthcare service provided must be medically necessary. This involves an independent, fact-intensive analysis of each individual patient and their needs on that day. A good compliance program at a healthcare company would teach the various levels of medical decision-making and would harp on medical necessity as the driving force for patient encounters. Companies that instead focus on the number of patient visits in a day, week or month, devoid of patient medical need considerations, risk liability. If a provider’s job or bonus is tied to nothing more than the number of services they render, that policy actively encourages upcoding and overutilization, which leads to false claims. These types of performance and financial incentives bring down dozens of companies every year.
Another emerging area is the use of AI. If AI is helping to bolster a compliance program and recognize problem areas, it could be one of many useful tools. However, if AI is scanning medical records to add in codes and diagnoses that were not considered by the provider, it’s highly problematic. What we train AI to do, it will do. Compliance and legal need to be integrated into the adoption, implementation and ongoing monitoring of any new AI systems. Companies that actively and honestly ask, “What are we incentivizing with this policy?” have a better chance of objectively analyzing their policies, correcting problem areas and staying compliant.
Lastly, take a hard look at the process for reporting suspected fraud, investigation and follow-up procedures. These are crucial after any internal reports of suspected fraud. In many successful FCA cases, whistleblowers first question, investigate and try to address suspected fraud internally long before they ever reach the step of retaining outside counsel and reporting to the government. It is only when these employees are gaslit, deterred from speaking up or retaliated against that they will often feel compelled to go outside the company for accountability.
As the HHS-OIG says in its program guidance, “How an entity responds when it finds a violation resulting in a substantial overpayment or serious misconduct sets apart those that have a strong compliance program from those with a compliance program that is more form than substance.” Millions of dollars are paid to the government each year because companies did not thoroughly and honestly investigate fraud tips when they were first received internally. By conducting meaningful and thorough internal investigations into fraud allegations and voluntarily disclosing potential wrongdoing, companies may be able to avoid costly and high-profile investigations, FCA litigation, fines, penalties and more.
Compliance policies should be dynamic and evolving. They should be independent of operations and revenue and supported by management and the governing board. A robust compliance policy does not deter or retaliate against whistleblowers, nor does it shrink from complaints of possible violations. Effective and honest review, updating and constant vigilance of a compliance program by an independent and supported compliance professional is often the best way to avoid FCA liability altogether.
Many times, demonstrating the strength and breadth of an effective compliance program can save millions of dollars in fines, or could even lead to a government declination of an FCA case. Do not become another compliance-light company that ends up a statistic in the DOJ’s yearly FCA report.
Veronica Nannis is a principal and seasoned litigator at law firm Joseph Greenwald & Laake. She leads a team that represents whistleblowers in federal courts around the country in False Claims Act suits focusing on healthcare fraud and various illegal kickback schemes.