The DOJ is shifting enforcement priorities on statutes like the False Claims Act (FCA). But as Noam Fischman, Ayman Rizkall and Ameer Al-Khudari of Akerman explore, these changes should not be taken as a sign that proactive programs are no longer a priority for healthcare compliance, which has long been a hotbed of FCA enforcement.
Nearly six months into the current presidential administration, we are getting a clearer picture of certain federal enforcement priorities, including those that affect healthcare compliance practitioners. The new, shifting and continued enforcement trends cover matters like the False Claims Act (FCA), FCPA, Racketeer Influenced and Corrupt Organizations Act (RICO) and healthcare privacy laws.
These risk areas — and proactive assessment and implementation of compliance programs — will be key for entities operating across virtually any industry.
False Claims Act (FCA)
The DOJ topped $2.9 billion in recoveries under the FCA in Fiscal Year 2024. Over the past decade, healthcare issues, including kickbacks, billing and other fraud, typically comprised 80% to 88% of the total amount recovered under the FCA. In Fiscal Year 2023, this percentage dropped to 66%, and then in Fiscal Year 2024, this percentage dropped again to 57%.
That reduction notwithstanding, DOJ officials continue to stress that healthcare remains (and is likely to continue to remain) an area of enforcement priority. To wit: On July 2, the DOJ announced the reinvigoration of the False Claims Act working group, a partnership with the Department of Health and Human Services (HHS), and identified a number of priority enforcement areas, including Medicare Advantage, drug, device and biologics pricing, barriers to patient access to care, kickbacks and electronic health record manipulation.
In contrast, recoveries from defense contractors, although a smaller piece of the pie in recent years (3% of FY 2024 recoveries), are also historically a mainstay of enforcement efforts. We expect that hallmark of the DOJ’s civil fraud initiatives to continue as well.
Moreover, the DOJ has signaled its intent to open new fronts as well, including pursuing tariff-related violations, and separately, scrutinizing recipients of federal funds, particularly colleges and universities, and their policies related to affirmative action and DEI.
In recent years, the DOJ has pursued cases related to the avoidance of customs duties through false statements to customs officials and resolved such claims, involving the misclassifications of imports, in large settlements. In light of the administration’s new tariffs — a specific type of customs duty — compliance risks abound.
In recent months, DOJ officials expressed the department’s commitment to utilizing the FCA as a tool in tackling trade and customs fraud-related issues. One vehicle for this enforcement is likely to be based on the theory that, in addition to companies making false certifications to the government by knowingly misrepresenting the value or classifications of their imports, investigation targets are also unlawfully retaining money the government is entitled to (also known as “reverse” false claims). These scenarios often apply to healthcare entities that identify overpayments under federal healthcare programs, and they are likely to apply across industries to situations where tariffs and customs duties are evaded or circumvented.
In May, the DOJ announced the Civil Rights Fraud Initiative and explained that it will “utilize the False Claims Act to investigate … and pursue claims against any recipient of federal funds that knowingly violates federal civil rights laws.” The department’s press release specifically mentions “inherently divisive policies like DEI.” The initiative will see the DOJ’s Civil Fraud Section work in tandem with the Civil Rights Division, and the full memorandum signals that, among other things, gender identity and college sports-related matters are forms of discrimination that will be in the investigative crosshairs.
The DOJ’s press release also encourages whistleblowers to come forward. With strong financial incentives and robust protections, whistleblowers continue to be the leading source for the DOJ’s enforcement actions. But the qui tam provisions of the FCA are currently being challenged before the Eleventh Circuit in an action that could result in a finding that the provisions are unconstitutional.
Ultimately, we expect that FCA activity will remain vibrant into the foreseeable future with a potential use of this statute, long focused uniquely on healthcare and government defense industries, to advance policy goals of the current administration.
FCPA
A February executive order signaled the administration’s concern that American enterprises were losing business to other companies because of laws like the FCPA. The order paused FCPA enforcement by the DOJ for 180 days, giving the department time to issue new guidance. Now that the new guidelines have been issued, reports of the death of the FCPA seem premature. The DOJ is instead sharpening its focus, using resources more efficiently and identifying new priorities.
Published in June and building on the concerns expressed in the executive order, the new guidelines emphasize that prosecutors will focus on protecting US economic and national security interests and signal the DOJ’s intent to focus on “serious misconduct” without attacking routine business practices. The guidelines also provide a non-exhaustive set of factors for determining whether to proceed with an investigation or ultimately, enforcement actions.
These factors include considering whether the alleged misconduct is linked to cartels or criminal organizations, harms US national security interests, involves serious misconduct rather than low-dollar “generally accepted business courtesies” or whether enforcement otherwise vindicates the interests of domestic companies. Overall, the guidelines suggest that priorities and enforcement decisions will be more streamlined moving forward, with more oversight of decisions from the leadership of the DOJ’s Criminal Division. Some investigations, and ongoing enforcement actions, have already been closed, and new matters will be opened only with the pre-authorization of the assistant attorney general for the Criminal Division.
Because the guidelines emphasize prioritizing serious misconduct, some industries may present less risk than defense contracts or national security-related contracts involving “critical minerals, deep-water ports, or other key infrastructure or assets.” In turn, transactions involving certain geographic locations, including Mexico and Latin America, may involve heightened risk due to the administration’s focus on the elimination of cartels and transnational criminal organizations. These enforcement initiatives will also occur in tandem with efforts by other DOJ divisions.
For example, because many cartels and criminal organizations have now been designated as foreign terrorist organizations, as the FCPA guidelines explain, separate federal laws will also apply to activity implicating the FCPA. FCPA violations can also implicate RICO.
RICO renders it unlawful to operate or manage an enterprise through a pattern of racketeering activity, defined to include certain FCPA violations. RICO typically requires at least two related predicate offenses within a 10-year period.
RICO was originally intended to combat organized crime. But enforcement has broadened to include enterprise conduct across a range of sectors, including pharmaceuticals and cryptocurrency as examples. Even if DOJ enforcement of the FCPA slows, companies may still face exposure through private civil RICO actions.
Competitors, business partners or other market participants may pursue claims based on corruption-related injuries. The possibility of treble damages, attorneys’ fees and protracted litigation presents a substantial risk. These cases can be costly to defend, even when ultimately defended successfully, and should be factored into compliance risk assessments.
Healthcare privacy laws
In recent years, the HHS Office for Civil Rights (OCR) has prioritized patient access to protected health information (PHI) in a timely and reasonable manner. While that emphasis will continue, HHS has begun shifting enforcement attention to ransomware attacks in response to a sharp uptick in data breaches, as well as high-profile, record-setting healthcare data breaches announced within the past two years.
In enforcing the HIPAA security rule, OCR is ensuring that covered entities and their business associates are properly prepared for security incidents by meeting the standards of the risk analysis provision and that, when they suffer a ransomware attack, they are subject to monitoring and corrective action plans.
In October 2024, OCR launched its risk analysis initiative and has continued to steadily announce enforcement actions related to risk analysis failures, as well as ransomware attacks. Where a failure to meet risk analysis standards leads to a ransomware attack, OCR has announced enforcement actions against a single entity for both failures.
With regard to risk analyses, OCR has announced enforcement actions against entities that fail to conduct a risk analysis on a regular basis as required, or at all. While enforcement of the current HIPAA security rule standards continues, proposed modifications to the security rule would modernize and heighten standards and, among other things, update technical requirements like multi-factor authentication and encryption practices. The proposed rule would also require the implementation of training programs that address and raise awareness about new and sophisticated threats, including social engineering. Thus far, the changes, proposed in January, have not been championed by the new administration and are unlikely to go into effect.
Before-the-incident compliance efforts are critical to getting ahead of healthcare data breach risks and the reputational harm they entail. Healthcare cybersecurity teams should keep a close eye on continued enforcement in this space and developments in updates to key regulations, including the security rule.
Conclusion
These enforcement initiatives underscore the strategic importance of maintaining a well-designed and effectively implemented compliance program. While the new FCPA guidelines don’t mention compliance programs, policies and procedures that proactively identify and remediate corruption risks effectively reduce civil (and potentially criminal) liability under a host of federal statutes including, but not limited to, the FCA, FCPA, RICO and various state and federal privacy laws.