FCA Working Group Reboot Signals EHR Compliance Risk

Leveraging enhanced cross-agency collaboration and sophisticated data mining, federal agencies are poised to generate new investigative leads, building on recent DOJ enforcement successes.

On July 2, the DOJ Civil Division and HHS announced the relaunching of their joint FCA working group. Leadership from the HHS’ Office of General Counsel, the Centers for Medicare & Medicaid Services Center for Program Integrity, the Office of Counsel to the HHS Office of Inspector General and the DOJ’s Civil Division will coordinate to streamline investigations, share data and consider parallel administrative remedies such as payment suspensions.

The revival of the working group signals that aggressive, coordinated healthcare enforcement is not only continuing but expanding into data-driven and technology-enabled frontiers.

Healthcare Fraud as an Administration Priority

On June 11, Assistant Attorney General Brett Shumate issued a memorandum describing the administration’s policy objectives and directing all DOJ Civil Division employees to prioritize investigations and enforcement actions advancing those priorities. Notably, healthcare enforcement was not among the categories listed.

The announcement of the DOJ HHS FCA working group expressly signals that this administration’s commitment to combating healthcare fraud is not waning. Indeed, the working group is just one tool in that commitment. Earlier this summer, a memorandum from Matthew Galeotti, head of the DOJ Criminal Division, directed those employees to prioritize investigative and prosecutorial efforts in the area of waste, fraud and abuse, including healthcare fraud.

Even though the DOJ’s Criminal Division is not included in the working group, where criminal conduct is suspected, investigations can easily be referred there by the DOJ’s Civil Division, and indeed, in some districts, Civil Division attorneys are cross-designated to work on criminal investigations.

And across the administration’s announcements, including with respect to the working group, is an encouragement to “whistleblowers to identify and report violations” through existing hotlines.

The government also continues to view qui tam filings as a critical pipeline and to promote the use of relators to develop investigative leads, notwithstanding several courts calling into question the constitutionality of the qui tam provisions of the FCA.

Traditional Fraud Theories Remain Front and Center

The July 2 working group announcement says the DOJ and HHS intend to strengthen “their ongoing collaboration to advance priority enforcement areas,” specifically citing alleged Anti-Kickback Statute violations, improper referral arrangements, drug and biologic pricing abuses, and schemes affecting Medicare Advantage risk-adjustment payments.

Recent FCA settlements, charges and convictions exceeding hundreds of millions of dollars in these areas underscore the potential financial exposure facing the healthcare industry.

New Focus on Electronic Data Manipulation

For the first time, the working group explicitly highlights the “manipulation of Electronic Health Records systems to drive inappropriate utilization of Medicare-covered products and services.” Healthcare IT vendors, data analytics firms and other technology providers — entities historically outside the traditional provider or manufacturer lens — may now find themselves squarely within the FCA crosshairs, if software design or implementation is alleged to upcode, expand utilization or conceal safety issues.

Heavy Reliance on Data Analytics

The working group plans on “leveraging HHS resources through enhanced data mining and assessment of HHS and OIG report findings” to detect anomalous billing, outlier coding patterns and suspect pricing arrangements. This technology-enabled approach has helped fuel the government’s record FCA recoveries, including $2 billion in 2023 and $2.9 billlion in 2024, and is expected to accelerate lead generation going forward.

Compliance Takeaways

In response to the government’s renewed and cross-agency emphasis on healthcare fraud enforcement, organizations should carefully examine their existing policies, training programs and auditing practices.

Below are recommended steps designed to help organizations mitigate FCA-related risk.

Refresh employee training on Anti-Kickback, FCA and whistleblower protections.

It is crucial to provide tailored training across all business lines, including clinical staff, sales teams and information technology personnel. Beyond setting the baseline for legal and regulatory requirements, training sessions must emphasize real-world examples illustrating how improper referral arrangements or electronic health records, or EHR, manipulation can trigger FCA exposure.

Organizations should also reinforce their understanding of internal reporting mechanisms and whistleblower protections to elevate the awareness of ethical and legal obligations. Enhanced training prevents culture creep and creates a culture of compliance that can detect and address misconduct at an early stage.

Expand third-party diligence to EHR vendors, data aggregators and analytics providers.

Hospitals, manufacturers and other healthcare entities should take a fresh look at who might now be deemed an enforcement target under the working group’s expanded profile. This includes revisiting contracts and diligence protocols for EHR and IT vendors for which software design or implementation could be viewed as inflating coding or encouraging overutilization.

Thorough diligence requires not only confirming that a third party complies with basic privacy and security standards, but also verifying that the third party’s technology cannot be adapted in ways that obscure critical clinical data or create false documentation.

Evaluate governance controls for EHR design and implementation.

New or upgraded EHR systems should include features that preserve comprehensive audit logs and, importantly, ensure that any delayed or after-the-fact entries remain transparent to auditors and regulators.

Leadership should confirm that internal quality testing procedures have examined whether the system promotes upcoding or fails to comply with Medicare documentation rules.

Sound governance frameworks should involve legal, compliance and IT stakeholders working together, with ongoing audits that observe how providers and staff actually use EHR functionalities in day-to-day practice.

Confirm compliance of all discount or rebate arrangements.

Because the government continues to place the Anti-Kickback Statute front and center of its enforcement priorities, all discounts should be thoroughly analyzed and documented.

Compliance analyses should evaluate whether any discount or arrangement is consistent with recognized safe harbors. Contemporaneous records and rationales for pricing decisions are crucial to mitigate future allegations of improper remuneration.

Critically evaluating discount or rebate agreements prior to implementation is essential, along with periodic rechecks to ensure that structuring and documentation remain current under ever-evolving guidance.

Scrutinize coding and billing algorithms in Medicare Advantage and fee-for-service lines.

With increased focus on both risk adjustment and utilization trends, healthcare entities must validate that coding accurately reflects patients’ clinical conditions and the services delivered.

Organizations should regularly monitor outlier analytics — either by using industry benchmarks or through third-party expertise — to spot suspicious patterns that could trigger government investigations. Particular attention should be paid to high-volume procedures and complex diagnoses that frequently drive elevated reimbursement, as these often invite scrutiny.

Implement proactive stress testing of billing and claims data.

Because the government is evolving its data analytics approach, organizations must do the same. Internal compliance or audit teams should adopt sophisticated methods — mirroring those used by the DOJ or HHS — to identify unexpected billing spikes, highly concentrated referral sources or anomalies in claims data.

Stress testing can be done periodically and should feed back into compliance risk assessments. When potential red flags arise, organizations should investigate promptly, documenting the process to demonstrate their good-faith efforts to address potential issues.

Bottom Line

The revived DOJ HHS FCA working group signals that aggressive, coordinated healthcare enforcement is not only continuing but expanding into data-driven and technology-enabled frontiers. All organizations in the healthcare industry should ensure their compliance controls are designed to detect and mitigate potential risks, especially around EHR functionality and data integrity.

Companies must also maintain and strengthen vigilant oversight of long-standing risk areas such as kickbacks and pricing. Those that do so will be better positioned to navigate the government’s sharpened focus, and mitigate the significant financial and reputational stakes inherent in FCA investigations.

ArentFox Schiff partners Stephanie Trunk and Nadia Patel, and associate Pascal Naples, contributed to this article.

Originally published by Law360.