By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA.
A Health Care Provider Defense and Compliance Firm.

The Department of Justice just changed the rules of the game for corporate criminal enforcement and healthcare providers should pay close attention. In March, 2026, DOJ released its first ever department-wide corporate enforcement policy governing how prosecutors handle corporate misconduct. The policy applies across the entire department in criminal matters except antitrust and it replaces the patchwork of policies that previously existed within different DOJ components and U.S. Attorney’s Offices.

The message from DOJ is simple and blunt. Companies that self-report misconduct cooperate fully and remediate quickly may avoid criminal prosecution altogether. Companies that do not should expect aggressive enforcement. For healthcare organizations that participate in Medicare, Medicaid, TRICARE or other federal programs, this development is particularly important because it directly affects how False Claims Act investigations healthcare fraud matters and other criminal investigations may unfold.

Under the new policy, a company can receive a declination of prosecution if three core requirements are met. First, the company must voluntarily disclose the misconduct before the government discovers it. Second, the company must fully cooperate with the investigation, including providing documents, data and witness access. Third the company must remediate the misconduct which can include discipline of responsible employees improvements to compliance programs and repayment of ill-gotten gains. If those elements are satisfied and there are no aggravating factors, DOJ prosecutors are directed to decline prosecution although the company will still be required to pay disgorgement forfeiture and restitution tied to the misconduct.

The policy also introduces a concept DOJ calls a “near miss.” This applies when a company cooperates and remediates but does not qualify for a full declination because it did not voluntarily self-disclose early enough. In those situations DOJ may offer a non-prosecution agreement lasting fewer than three years and reduce penalties by 50 percent to 75 percent below the sentencing guideline range. Independent compliance monitors may also be avoided depending on the circumstances. Even when aggravating factors exist such as serious misconduct or repeat violations prosecutors still retain discretion to reward cooperation and remediation with significant penalty reductions.

This is a meaningful shift in tone from DOJ. Historically companies often hesitated to self-report because there was no guarantee of leniency and disclosure frequently triggered massive investigations. The new policy attempts to remove that uncertainty by clearly outlining the benefits of early disclosure and cooperation.

For healthcare providers the implications are significant. Many enforcement matters begin as internal compliance concerns coding irregularities billing errors kickback risks or documentation problems. Under this new framework organizations must carefully evaluate whether early disclosure may be the safest path rather than waiting for a whistleblower complaint or government subpoena. And remember, whistleblowers are everywhere in healthcare. Billing staff, coders, clinicians, compliance officers and vendors all have access to internal practices and the False Claims Act continues to reward insiders who report suspected fraud. When an employee reports to DOJ first, the opportunity for voluntary disclosure disappears.

This is the call to action for healthcare leadership and compliance teams. Internal compliance programs must be designed to identify issues early escalate them quickly and investigate them thoroughly. Organizations should establish clear protocols for evaluating when voluntary disclosure may be appropriate. Compliance committees should be empowered to act decisively rather than allowing potential problems to linger unresolved.

The DOJ’s new corporate enforcement policy is designed to change corporate behavior. For healthcare providers, that means compliance programs can no longer operate in the background. They must function as real risk management systems capable of detecting problems early and guiding leadership toward responsible decisions before the government does it for them. If you have any questions or comments about the subject of this blog or want help evaluating how this new DOJ policy affects your organization’s compliance and disclosure strategy, please contact Parrella Health Law at 857.328.0382 or Chris directly at cparrella@parrellahealthlaw.com.