An employee at a medical facility emails a supervisor with concerns that the facility is improperly billing the government for certain services. The supervisor, uncertain of what to do in response, assumes that the employee is mistaken about the situation or that the concerns have little merit. Ultimately, the supervisor decides to ignore the email, and unfortunately, such decisions can become extraordinarily costly for healthcare providers.
The False Claims Act (FCA) is a federal statute that allows individuals to file suit on behalf of the government against a person or entity that has allegedly submitted false claims to government programs, such as Medicare, Medicaid, and Tricare. These private persons—known as qui tam whistleblowers or relators—can obtain a percentage of any government recovery resulting from a lawsuit they file. Defendants in these lawsuits can be liable for three times the damages incurred by the government and penalties ranging from about $14,000 to $28,000 for each false claim, in addition to costs for the whistleblower's attorneys.1
The healthcare industry remains the primary focus of the federal government's FCA enforcement efforts and qui tam lawsuits. On average, over the last five years, the U.S. Department of Justice (DOJ) has recovered nearly $2.5 billion annually in FCA settlements and judgments from healthcare providers and entities.2 The driving force behind those billions of dollars is qui tam lawsuits, which usually account for 80% of total recoveries. Looking ahead, there are no signs that FCA activity is slowing. Last year, whistleblowers filed 979 new qui tam lawsuits (the highest number ever recorded), and DOJ filed 423 new FCA actions on its own (the second highest number ever).3
In this environment, healthcare providers must consider when—not if—they will confront an internal complaint relating to the FCA. Inadequate responses or delays in addressing these complaints can cause significant issues. Such failures can create potential FCA liability—especially if a provider fails to investigate potential overpayments from Medicare. Under Medicare rules, a provider "has identified an overpayment" when it "knowingly receives or retains an overpayment," at which point it "must report and return the overpayment" within a specified time period.4 The term "knowingly" is significant regarding the FCA: "in cases where a provider or supplier acts in deliberate ignorance or reckless disregard of the existence of the overpayment," it has just 60 days to report and return the overpayment (or risk FCA exposure), starting "on the date that the provider or supplier acted in deliberate ignorance or reckless disregard of the truth or falsity of information regarding the overpayment."5 By contrast, when a provider is conducting a "timely, good faith investigation," the 60-day window to return overpayments may be suspended for up to 180 days after the date the initial overpayment was "identified."6
A lack of internal investigation can frustrate employees and encourage them to report outside the organization (whether to the government or the media) or file a qui tam lawsuit—all of which can bring additional costs, reputational harm, and liability risk. Furthermore, should a related government investigation ensue, such inaction would come under additional scrutiny and could undercut a provider's defenses. A provider that delays its response can also miss opportunities with the government to voluntarily self-disclose improper conduct or receive cooperation credit for actions taken in advance of a government investigation.7
As such, providers should take steps now to prepare for an internal FCA-related complaint and understand how to navigate the response. Doing so enables an organization to act promptly and reasonably when—not if—that moment arrives.
Proactive compliance: Planning ahead
Internal complaints alleging FCA violations can arise unexpectedly and carry significant legal, financial, and reputational risks. Proactive preparation is essential to ensure a prompt, effective, and compliant response.
The following are some key measures healthcare providers can take to prepare for such situations.
Develop a culture of compliance that encourages internal reporting
No provider can address an employee's FCA concern if the employee never raises it internally. Healthcare providers, therefore, must promote internal reporting—rather than external escalation—to identify and remedy problems early. Building this culture requires an organization to view compliance complaints as an opportunity—not something to suppress—thus creating a feedback loop that encourages honest communications from employees. To help achieve this environment, a healthcare organization can take several measures, many of which have the added benefit of preparing the organization to effectively address internal FCA-related concerns:
- Confidential reporting channels. Create and publicize multiple avenues for employees to report concerns, including anonymous hotlines, online portals, and direct access to compliance personnel.
- Timely follow-up. Follow up and report back to anyone raising compliance concerns in a timely fashion.
- Non-retaliation policy. Implement and adhere to a policy of no retaliation for reporting suspected compliance concerns, and discipline anyone engaging in retaliatory conduct.
- Evaluate employee compliance. Include compliance and self-reporting as part of the employee evaluation process.
- Incentivize compliance efforts. Offer monetary and nonmonetary benefits to employees for reporting good faith compliance concerns and to management who demonstrate significant leadership in compliance efforts.
- Benchmark compliance protocols. Compare internal compliance processes against industry standards to assess whether they effectively encourage internal reporting and mitigate risks.
- Clear and consistent disciplinary standards. Ensure disciplinary standards are well-defined and fairly enforced so that employees are confident the company will address concerns objectively and impartially.
- Exit interviews. Conduct exit interviews with departing employees, as they might reveal unknown concerns.
DOJ recently emphasized the importance of having a compliance program that incentivizes and protects whistleblowers through its policies, training, and actions—as the above measures do—when it revised (in September 2024) its Evaluation of Corporate Compliance Programs guidance,8 detailing how prosecutors evaluate corporate compliance programs during government investigations.
Routinely train management and employees about the FCA
A healthcare organization should provide regular training to all staff—including leadership—on the requirements of the FCA, whistleblower protections, and compliance policies. Compliance officers, HR personnel, and other employees should know how to identify red flags within a complaint that may implicate the FCA. In addition to references to "false claims," "illegal billing," or "fraud" involving federal healthcare programs like Medicare and Medicaid, such complaints would include ones that allege or suggest:
- Billing for services not rendered. Submitting claims for services, tests, or procedures that were not actually provided to the patient.
- Upcoding, unbundling, or double billing. Billing for a more expensive service than was provided, billing separately for services that should have been bundled, or billing twice for the same services.
- Kickbacks. Offering or receiving something of value to influence the referral of medical services violates the Anti-Kickback Statute.
- Self-referrals. Referring patients or clients to entities in which the referring provider has a financial interest is in violation of the Stark Law.
- Falsification of records. Altering or fabricating medical records or documentation to support the services billed.
- Lack of medical necessity. Billing for services that are not medically necessary.
- Unqualified or unsupervised providers. Submitting claims for services provided by individuals who were unlicensed, unqualified, or not properly supervised.
- Cost report fraud. Misrepresenting costs or expenses in reports submitted to federal healthcare programs.
Establish investigation protocols and staffing
Any healthcare organization should have written procedures that clearly outline how the organization will receive, investigate, and respond to internal complaints that may involve FCA violations. In providing training on these procedures, staff should be instructed on key elements related to their participation in any investigation, including providing access to relevant information, not destroying relevant records, participating in interviews, maintaining confidentiality, and prohibiting retaliation against individuals who raise concerns. A healthcare provider should have clear documentation preservation policies in place and know when and how to preserve relevant information in response to a complaint.
It is important to determine in advance who will be responsible for overseeing an investigation of an internal FCA-related complaint (e.g., board committee, in-house counsel, or compliance officer) and, generally, how to staff any investigation. By maintaining a well-defined and smaller control group for any inquiry and establishing clear channels of communication, a company can better preserve the confidentiality of its investigative efforts. Staffing considerations should also include identifying internal resources that could be leveraged (and/or need improvements) for an internal investigation, including IT, internal audit, HR, and accounting. To avoid improper influences on the process, a healthcare organization should have a policy in place to address potential conflicts of interest (e.g., the individuals managing an investigation should not be implicated in the alleged misconduct at issue).
In general, appropriately staffing an investigation is critical to ensure the effort is completed in a timely and effective manner. If necessary, it can also serve as evidence to a government enforcement agency that the company took the matter seriously. To that point, when DOJ assesses a company's compliance program during an investigation, it considers "whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts," and whether the compliance program's internal audit functions are "conducted at a level sufficient to ensure their independence and accuracy."9
Prepare for legal engagement
Healthcare providers should identify in advance legal counsel with expertise in handling internal investigations, government enforcement actions, and FCA matters, so that they can be engaged immediately upon receipt of an FCA-related complaint. Often, outside counsel can more readily identify any potential liability or legal theories at issue from an internal complaint to enable an organization to better navigate the investigative process. Outside counsel can also protect the confidentiality of materials created and communications made during the investigation through the attorney–client privilege and work product doctrines. In addition, outside counsel can assist healthcare providers in thinking through the need for self-disclosure following an investigation and the various channels for doing so, as well as preparing a provider for a potential government investigation or litigation should that appear likely following an internal complaint.
Effectively responding to internal complaints
The timeline and steps taken for an internal investigation into FCA allegations can vary widely based on the complexity of the issues, the scope of the alleged misconduct, and the organization's size. However, a typical investigation may unfold over several months, with the following general phases:
- Initial response and assessment. Acknowledge and triage the complaint, identify and secure relevant documents, assemble the investigation team, and determine if any immediate action is necessary (e.g., halting certain billing practices or suspending an employee). Evaluate whether there are immediate reporting obligations to government agencies, auditors, insurers, or other stakeholders.
- Plan and scope the investigation. Clarify the allegations at issue, develop an investigation plan, identify legal issues implicated, and collect key documents and data.
- Conduct a formal investigation. Conduct document review, witness interviews, and data analysis to determine the validity and scope of the allegations. If necessary, engage outside consultants for complex billing or regulatory issues to conduct medical record reviews, billing data analysis, or similar assessments.
- Legal analysis and findings. Assess whether the facts support any finding of FCA violations or other legal noncompliance. Determine whether there are any overpayments to federal healthcare programs and, if so, estimate financial exposure.
- Internal reporting. Prepare a report of the findings (e.g., written or oral presentation) that details the investigative process, any individuals responsible for misconduct related to an FCA violation, an estimation of any potential overpayments, and recommendations for corrective action.
- Corrective action and remediation. If violations are found, take corrective action, which may include self-disclosure to government agencies, repayment of overpayments, revisions to internal policies, additional training, and disciplinary measures.
- Ongoing monitoring. Implement enhanced compliance measures as necessary and monitor for recurrence of similar issues.
Promptly define scope of the investigation
Defining the scope of an internal investigation at the outset enables a healthcare provider to focus its investigative efforts to avoid unnecessary costs, disruptions, and delays chasing down tangential or irrelevant issues—while at the same time ensuring that the investigation identifies any broader, systemic issues and underlying root causes.
While the scope of any investigation is fact-dependent, at a minimum, setting the scope requires identification of the main allegations, relevant time period, the specific parties and potential witnesses involved, internal and external stakeholders, the legal issues and federal healthcare programs at play, and the potential sources of information regarding the allegations. Drafting an investigative plan can further clarify an investigation's scope and avoid mission creep. An effective plan outlines main objectives, relevant witnesses to interview, potential targets or bad actors, key sources of information, investigative methods, and anticipated timelines.
As an investigation progresses, its scope may need to be updated based on new information gathered from interviews and document review. For example, initial allegations may only reference one physician, time period, or type of procedure, but subsequent information gathered in the investigation may reveal that similar practices occur in a broader period, with several physicians, or with other similar procedures. By contrast, investigations into complaints that are quite broad can be narrowed to certain discrete areas if a preliminary assessment recommends it.
Communicating with complainants during investigation
Any internal complaint should be promptly acknowledged, and the complainant should be assured that the matter will be taken seriously. A healthcare provider should never assume that an internal complaint is baseless, but instead, enter with an open mind as to what may have happened, and who might be credible. For lengthy investigations, companies should consider providing updates to the reporting employee so that they do not feel ignored. Such transparency and feedback to a reporting employee can demonstrate a provider's good faith efforts to resolve any compliance concerns.
At the same time, it is necessary to consider what aspects of the investigation must remain confidential and whether the employee's background suggests that the individual is building a qui tam and/or retaliation lawsuit. Companies need to be aware of the possibility that otherwise privileged communications with a potential whistleblower may not remain protected if that employee later brings a whistleblower retaliation claim. It is critical that legal counsel, compliance, and HR work together throughout this process and are aligned, both to ensure there are no delays or mixed messages in these communications and to mitigate any potential concerns of privilege waiver.
Resolving the investigation and next steps
When an internal investigation uncovers potential FCA violations, taking prompt and effective corrective action is not only prudent but essential. Corrective action could include implementing procedures to cease and correct illegal conduct, taking appropriate disciplinary actions against individuals responsible for the conduct, and revising compliance protocols and training.
Specific to the FCA, other remedial measures a provider should consider are whether to disclose any identified misconduct to the government and make repayments to government healthcare programs. Healthcare providers are advised to work with experienced counsel to carefully assess these options and obligations and how they apply to any specific set of facts. For example, Medicare overpayment regulations require a provider to return an overpayment within 60 days of identifying it, and failure to return an identified overpayment may subject a provider to FCA liability. But this 60-day deadline is suspended for 180 days if the provider is conducting a timely, good-faith investigation to determine if related overpayments exist.10 Regarding self-disclosure, a provider may consider repaying any affected funds to the relevant government agency, which is a straightforward and more subtle approach but does not protect a provider from FCA liability or administrative liability under the Civil Monetary Penalties Law. Other routes include voluntarily disclosing conduct directly to DOJ, or through specific self-disclosure protocols with the U.S. Department of Health and Human Services Office of Inspector General and the Centers for Medicare & Medicaid Services.11
Prior to closing any investigation, a provider should make certain it has maintained proper documentation of its response to any complaint and investigative process. Having a defensible audit trail of your organization's efforts will be crucial should the organization subsequently face a whistleblower lawsuit or government investigation. For example, did you provide additional training in response to the complaint? Did you terminate responsible employees? Conduct an audit of alleged billing issues and make a difficult decision on its scope? Maintain any documentation regarding such efforts, as they will be helpful should the provider need to defend its response to the government in the future.
Following any investigation, a provider should monitor its employees to confirm no retaliation has occurred against the complainant. Consider whether to conduct intermittent check-ins with the complainant and the complainant's supervisors after resolving the complaint to ensure no retaliatory efforts are detected. A provider should also assess what lessons were learned after the investigation (e.g., internal process improvements, resource additions, revised training, system changes). DOJ has recently highlighted the need for compliance programs and training to adapt based on lessons learned from both the company's own prior issues and those at other companies in similar industries and geographies.12 Incorporating lessons learned from an internal investigation should also build trust among employees about the effectiveness of a company's compliance program and its reporting protocols.
Takeaways
- The U.S. Department of Justice enforcement actions and qui tam whistleblower lawsuits under the False Claims Act (FCA) are at an all-time high, remain largely targeted at the healthcare industry, and can leave defendants with significant costs.
- For most healthcare providers, it is a matter of when—not if—an FCA-related complaint will arise. Take proactive steps now to establish investigation protocols to ensure a quick and thorough response when such a complaint does arrive.
- Dismissing internal compliance complaints or creating a culture where internal complaints are discouraged can lead to increased liability, scrutiny from government agencies, and reputational harm—particularly as it relates to the FCA. Every internal allegation of FCA violations should be treated with the utmost seriousness and initially viewed with an open mind.
- Healthcare providers must act quickly to assess and scope any internal allegations implicating the FCA and determine how to staff an investigation, including the involvement of outside counsel.
- Use any investigation as an opportunity to strengthen compliance practices, educate staff, and reduce future risk.
Footnotes
1. 31 U.S.C. § 3729(a)(1); Civil Monetary Penalties Inflation Adjustments of 2024, 89 Fed. Reg. 9,764 (Feb. 12, 2024), https://www.govinfo.gov/content/pkg/FR-2024-02-12/pdf/2024-02829.pdf.
2. U.S. Department of Justice, Civil Division, "Fraud Statistics – Overview: October 1, 1986 – September 30, 2024," accessed May 13, 2025, https://www.justice.gov/archives/opa/media/1384546/dl.
3. U.S. Department of Justice, Office of Public Affairs, "False Claims Act Settlements and Judgments Exceed $2.9B in Fiscal Year 2024," news release, updated February 6, 2025, https://www.justice.gov/archives/opa/pr/false-claims-act-settlements-and-judgments-exceed-29b-fiscal-year-2024.
5. Medicare and Medicaid Programs; CY 2025 Payment Policies Under the Physician Fee Schedule and Other Changes to Part B Payment and Coverage Policies; Medicare Shared Savings Program Requirements; Medicare Prescription Drug Inflation Rebate Program; and Medicare Overpayments, 89 Fed. Reg. 97,710, 98,336 (Dec. 9, 2024), https://www.govinfo.gov/content/pkg/FR-2024-12-09/pdf/2024-25382.pdf.
6. 42 C.F.R. § 401.305(b)(3); see also Medicare and Medicaid Programs; CY 2025 Payment Policies Under the Physician Fee Schedule and Other Changes to Part B Payment and Coverage Policies; Medicare Shared Savings Program Requirements; Medicare Prescription Drug Inflation Rebate Program; and Medicare Overpayments, 89 Fed. Reg. 97,710, 98,336-98,337 (Dec. 9, 2024), https://www.govinfo.gov/content/pkg/FR-2024-12-09/pdf/2024-25382.pdf.
7. U.S. Department of Justice, "4-4.000 – Commercial Litigation: 4-4.112 – Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters," Justice Manual, May 2019, https://www.justice.gov/jm/jm-4-4000-commercial-litigation#4-4.112 .
8. U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated September 2024, https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline=.
9. U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs.
10. 42 C.F.R. § 401.305(b)(3)(ii).
11. U.S. Department of Health and Human Services, Office of Inspector General, "OIG's Health Care Fraud Self-Disclosure Protocol," amended November 8, 2021, https://oig.hhs.gov/documents/self-disclosure-info/1006/Self-Disclosure-Protocol-2021.pdf; Centers for Medicare & Medicaid Services, "Self-Referral Disclosure Protocol," last modified September 10, 2024, https://www.cms.gov/medicare/regulations-guidance/physician-self-referral/self-referral-disclosure-protocol .
12. U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs.
Originally published by Compliance Today.