Client Alert
Healthcare Enforcement Roundup: What Providers Need to Know
February 20, 2026
By Jane H. Yoon, Dhara Satija, Michelle A. Reed, Rachel Kurzweil, Jessica Montes, Hari Pillai and Jeni Griffin
By many indications, 2026 is shaping up to be a high-water mark for healthcare enforcement, with record-setting False Claims Act (FCA) recoveries and intensified government scrutiny reshaping the risk landscape for providers and hospitals. The Department of Justice’s (DOJ) creation of the National Fraud Enforcement Division underscores sustained focus on fraud targeting federal government programs. These trends reflect a broader push by the DOJ, U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) (HHS-OIG), and Centers for Medicare and Medicaid Services (CMS) toward increased audits and cross-agency coordination that providers should closely monitor.
New DOJ False Claims Act Enforcement Record
The DOJ’s annual FCA report for fiscal year 2025 shows record enforcement, with over $6.8 billion in settlements and judgements, more than double the prior year’s total and the highest ever under the FCA. Whistleblower actions were the major driver of this result: 1,297 qui tam lawsuits were filed, another record, and roughly $5.3 billion of the recoveries came from those relator-initiated matters. Healthcare fraud specifically continued to dominate recoveries, accounting for about $5.7 billion of the $6.8 billion recovered. The DOJ also highlighted enforcement in government procurement, cybersecurity and tariff/customs avoidance. While overall relator share awards declined, the report emphasized the DOJ’s focus on voluntary self-disclosure, cooperation and remediation in FCA enforcement. The findings suggest that FCA risk remains high across both traditional and emerging areas of government fraud enforcement.
For more information, read our client alert, DOJ Reports Historic False Claims Act Recovery in Fiscal Year 2025.
DOJ’s Fraud Section Year in Review
Last month, the DOJ’s Fraud Section also released its report on 2025, summarizing the accomplishments of its four units, which now include the Health Care Fraud (HCF) Unit (approximately 75 prosecutors) and the recently established Health & Safety Unit (HSU) (approximately 23 prosecutors, largely reassigned from the Consumer Protection Branch, which is responsible for Food, Drug and Cosmetic Act (FDCA) enforcement and consumer product safety). The Fraud Section reported that overall, it had 39 active resolutions covering 33 companies with self-reporting obligations and six independent monitorships.
According to the 2025 report, the HCF Unit charged cases asserting $10 billion in alleged losses and returned $560 million to the government. The HCF Unit brought 194 criminal cases against individuals and four corporate cases and expanded its Strike Force to New England in 2025. In keeping with the DOJ’s stated focus on “transnational” crime and foreign actors, the HCF Unit cases included Operation Gold Rush, a $10 billion scheme involving Estonian defendants who had defrauded Medicare and Medicaid for unnecessary urinary catheters and durable medical equipment, and a $703 million scheme involving Pakistani nationals, which involved the use of AI-generated patient consent audio recordings to facilitate fraudulent product orders and Medicare claims. The HCF Unit also touted a wound-care initiative that charged $1.1 billion in losses stemming from fraudulent use and billing of amniotic wound allografts, as well as enforcement actions against fraud implicating substance abuse treatment centers, prescription drug abuse, and digital health technology or telemedicine fraud.
The recently formed HSU Unit reported four corporate enforcement actions in cases involving adulterated surgical gowns and skilled nursing facilities that fraudulently diverted government funds, and four individual cases. One of the cases involved clinical trial fraud and resulted in guilty pleas from owners of a Florida-based clinical research facility who had fabricated materials and made fraudulent statements to an asthma drug trial sponsor and a Food and Drug Administration (FDA) investigator.
Read the DOJ Fraud Section’s 2025 report here.
DOJ Division for National Fraud Enforcement
The new Division for National Fraud Enforcement is a DOJ initiative announced by President Donald Trump to strengthen fraud enforcement across federal programs including healthcare. According to a White House fact sheet, the division’s mandate is to pursue fraud affecting federal government programs and federally funded benefits, which encompasses Medicare, Medicaid and other health-related funding streams. The division is designed to coordinate multidistrict, multiagency fraud investigations and to centralize coordination on investigating civil and criminal fraud matters nationwide. For healthcare providers, this development signals closer federal scrutiny of billing practices, program integrity and more intense federal oversight of how government healthcare funds are utilized.
For more information, read the White House fact sheet on the division’s establishment.
HHS-OIG Report Urges Reform of Medicare Skin Substitute Payments
The advanced wound-care industry and everyone operating within it are the targets of intense enforcement and regulatory focus. However, many in the industry are not aware of the increased liabilities they now face. An HHS-OIG report in 2025 found that Medicare Part B spending on skin substitute products increased dramatically, rising nearly seven-fold from approximately $400 million in Q3 2022 to nearly $3 billion in Q3 2024, driven by higher utilization, rising prices and expanded use in home settings. The report raises concerns that the current reimbursement framework, combined with expedited FDA approval pathways, creates significant risk for fraud, waste and abuse.
The HHS-OIG urges CMS to reform payment methodologies while preserving beneficiary access to medically necessary products. It highlights structural issues such as average sales price (ASP) reporting delays and add-on payment incentives that may encourage excessive spending. The report concludes that enforcement alone is insufficient and that systematic payment reform is required to address the underlying drivers of growth. In practice, providers should reassess clinical protocols, documentation standards and vendor relationships now rather than waiting for CMS rulemaking or enforcement actions to follow.
For more information on the HHS-OIG report, read our client alert, Washington, We Have a Problem: OIG Calls for Skin Substitute Payment Reform.
DOJ Enforcement Actions Involving Medical Directorships
In January 2026, the DOJ announced two enforcement actions against entities that allegedly provided medical directorships to referring physicians in violation of the Anti-Kickback Statute (AKS) and Stark Law. One of the actions is a $34 million settlement with a home healthcare services provider that self-disclosed the directorships, while the other is a complaint that the DOJ filed against a hospital group. These cases illustrate the DOJ’s continued focus on scrutinizing compensation arrangements between healthcare providers and referring physicians and a renewed focus on medical directorship arrangements specifically.
In the first matter, the DOJ’s $34 million settlement with the healthcare service provider resolves allegations that it submitted Medicare claims for medically unnecessary services and that it paid remuneration to physician medical directors who referred business to the provider. The physicians were compensated for services that they may have failed to perform, that may not have been reasonable and necessary, or that were rendered before written agreements were fully executed. In connection with its self-disclosure, the provider received credit for cooperation by conducting an independent investigation, providing thorough disclosures and taking remedial action, such as removing responsible individuals, terminating medical director contracts, improving its compliance program and providing additional employee training.
In the second matter, the DOJ filed a complaint against a hospital management company, three long-term care hospitals and a physician. The complaint concerns allegations of medically unnecessary care and an inappropriate medical directorship. The hospital defendants allegedly submitted claims for medically unnecessary care by holding Medicare patients at the long-term care hospitals for longer than medically necessary to maximize reimbursement. The medical directorship arrangement was between one of the long-term care hospitals and the physician-defendant, and the hospital allegedly paid the physician $450,000 under the arrangement to induce patient referrals. According to the complaint, the arrangement included two directorships and a physician-on-call agreement, and the hospital paid the physician for these services even though they were not fair market value and the physician did not actually work the hours required by his contracts.
For more information on these enforcement actions, see here and here.
Courts Strike Down DOJ Subpoenas as Overbroad and Lacking Proper Purpose
Despite the substantial deference courts typically afford to federal prosecutors to issue broad administrative subpoenas to investigate federal healthcare offenses,[1] three federal courts recently quashed or partially quashed DOJ subpoenas seeking information to investigate gender-affirming care. These decisions are notable because courts generally enforce DOJ subpoenas, subject only to requirements that the subpoenas are issued for a proper purpose, that the information sought is adequately described and relevant to the proper purpose, and that the agency followed proper procedures in issuing the subpoena.[2]
The three (almost identical) subpoenas issued here were served by the DOJ within a day of its Civil Division announcing an initiative to prioritize investigations of possible violations of the FDCA and FCA involving the provision of gender-affirming care. The subpoenas sought a broad array of documents and information, including hospital personnel files, patient medical records and personal identification information, and manufacturer communications regarding the provision of gender-affirming care, among other sensitive information.
In quashing or partially quashing these subpoenas, federal judges found that the DOJ had sought information for an improper purpose of furthering its policy agenda to end gender-affirming care, with no actual evidence that the parties had engaged in conduct that violated the FDCA or FCA (i.e., fraudulent billing or off-label promotion). Also concerning to the judges was the breadth of information sought by the subpoenas, which had little to do with investigating violations of FDCA or FCA but was, instead, indicative of an attempt by the DOJ to go on a “fishing expedition” for information to further policy aims. These orders serve as a reminder that the DOJ’s subpoena power is not unlimited and that courts will strike down overbroad subpoenas that are not tied to a congressionally authorized purpose.
Read the court orders here, here and here.
Medicare Advantage Industry Segment-Specific Compliance Program Guidance
On Feb. 3, the HHS-OIG released its second Medicare Advantage Industry Segment-Specific Compliance Program Guidance (ICPG), focusing on risk areas for Medicare Advantage (MA) and compliance measures that entities and individuals in the Medicare Advantage industry can take to reduce risk. This ICPG describes risk areas for the wide range of entities and individuals participating in or engaged with the MA program (which the ICPG collectively refers to as “MA Parties”), recommendations and practical considerations for mitigating those risks, and other information that the HHS-OIG believes MA parties should consider when implementing, assessing and updating their compliance programs.
The selected risk areas relevant to MA Parties listed in the ICPG include:
- Access to Care (Network Adequacy and Prior Authorization)
- Marketing and Enrollment
- Risk Adjustment
- Quality of Care
- Oversight of Third Parties
- Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures
- Submission of Accurate Claims
The full Medicare Advantage ICPG is available here.
Telehealth and Hospital at Home Extension
Signed into law on Feb. 3, the Consolidated Appropriations Act of 2026 (H.R. 7148) extends some Medicare telehealth flexibilities through Dec. 31, 2027, while making others permanent. Now through the end of 2027, Medicare patients can continue to receive non-behavioral/mental health telehealth services in their homes, with no geographic restrictions for originating sites. Further, all eligible Medicare providers, including Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) serving as distant site providers, may provide these services. Non-behavioral/mental health telehealth may be delivered using audio-only communication platforms when video is not feasible. Also, in-person visits within six months of an initial behavioral or mental health telehealth service, and annually thereafter, are not required with the extended flexibilities. While some telehealth requirements were extended, others are now permanent. Medicare patients, including those in rural populations, can now permanently receive behavioral/mental health telehealth services at home without geographic restrictions. FQHCs, RHCs, marriage and family therapists, and mental health counselors may serve as distant site providers, and services may be delivered using video or audio-only platforms.
H.R. 7148 also extends the Acute Hospital Care at Home Program (Hospital at Home) through Sept. 30, 2030. Legislation for Hospital at Home has been on a recent rollercoaster ride. When waivers expired during the government shutdown of 2025, hospitals “discharged” patients receiving care at their homes back to inpatient facilities. With a previous deadline of Jan. 30, 2026, the recent Hospital at Home extension provides longer-term legislative stability. Health systems are already leveraging this extension by expanding their Hospital at Home programs. While the Hospital at Home model is designed to increase acute care capacity in the convenience of a patient’s home, growing programs should continue to be aware of compliance and regulatory risks around data security, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), staff licensure and integration into Quality Assurance and Performance Improvement (QAPI) programs.
When Customer Requirements Create Kickback Risk: Lessons From OIG Advisory Opinions 25-04 and 25-08
In reviewing 2025 trends from HHS-OIG advisory opinions, we identified two noteworthy opinions to medical device companies regarding an increasingly common scenario: customers, consisting of healthcare provider entities, requiring as a condition of doing business that companies engage specific third parties, at their cost, to facilitate routine billing or supplier qualification processes with the customer.
In both cases, the HHS-OIG issued negative opinions, concluding that these arrangements would generate prohibited remuneration under the AKS if the requisite intent were present, because the arrangements would provide financial benefits to sources of federal healthcare program business and create significant anti-competition and steering risks. These specific opinions address payments by medical device companies to third parties for exclusion screening services and access fees for billing portals used by the companies’ customers, but the opinions have broader implications for how life sciences companies and provider entities should evaluate AKS compliance in customer-required arrangements.
Our client alert, When Customer Requirements Create Kickback Risk: Lessons From OIG Advisory Opinions 25-04 and 25-08, analyzes these two advisory opinions and distills key compliance lessons for medical device companies, other types of life sciences companies and provider entities.
HHS-OIG Finds Lab Testing Spend Rose Again in 2024, Driven by Genetic Testing Claims
In January 2026, the HHS-OIG issued a report summarizing its review of Part B lab testing, as part of the agency’s effort to control Part B spending on lab tests. The Protecting Access to Medicare Act of 2014 requires the HHS-OIG to publicly release an annual analysis of the top 25 lab tests and conduct appropriate analyses. According to the HHS-OIG, the key takeaways of its review of 2024 Part B lab test spending were that (1) Medicare Part B spending on clinical diagnostic lab tests totaled $8.4 billion, a 5% increase from 2023, and Part B spending is increasing even as the number of Part B enrollees with lab tests is decreasing; and (2) Part B spending on lab tests is shifting increasingly towards genetic tests (for cancer, infections and epilepsy): 43% of all Part B lab spending went towards genetic testing, for a total of $3.6 billion, while non-genetic test spending continues to decrease. The 2024 test with the highest expenditure was a genetic test with a median payment of $447 per claim.
Read the full report here.
HHS Updates HIPAA Requirements
Health privacy faces rapidly evolving legislation and regulation. At the federal level, HHS has issued final rules related to the HIPAA Privacy Rule and proposed regulations for updates to the Security Rule.
Specifically, HHS now requires certain healthcare providers to update their Notice of Privacy Practices (NPPs) by February 16. These changes are intended to align HIPAA with revised regulations under 42 C.F.R. Part 2 (Part 2) governing substance use disorder (SUD) records. If a covered entity creates or maintains SUD records covered by Part 2, the covered entity must update the NPP to address specific information on SUD records and individual rights, including:
- The use and disclosure of the individual’s SUD records, including a statement “adequate to put the individual on notice of the potential for information disclosed pursuant to [the Privacy Rule] to be subject to redisclosure by the recipient and no longer protected by [the Privacy Rule]” and an explanation that use or disclosure of SUD records for treatment, payment and/or healthcare operations generally requires the patient’s written consent.
- The individual’s rights in relation to their records, including the requirement for written consent.
- The covered entity’s legal duties with respect to such records.
- A statement explaining the prohibition on the use of SUD records and testimony in civil, criminal, administrative and legislative proceedings against a patient, absent a specific patient consent or a court order.
HHS also developed model notices to reflect these changes.
Additionally, in January 2025, HHS issued a notice of proposed rulemaking (NPRM) on proposed updates to the HIPAA Security Rule, introducing more robust cybersecurity requirements, eliminating the “required vs. addressable” distinction, and mandating stronger technical controls. The comment period was open until March 7, 2025. HHS has yet to publish a final rule, but many anticipate that the final rule could be issued this year.
For more detail on the NPRM, read our previous article, HHS OCR Releases Proposed Updates to HIPAA Security Rule.
Life Sciences and Healthcare Consulting Group managers Tully Saunders and Anita Hanlon contributed to this client alert.