Overview
On March 10, 2026, the US Department of Justice (DOJ) released its first-ever department-wide corporate enforcement policy for nearly all criminal cases, sans antitrust violations. The policy, designed to enhance transparency in criminal enforcement and incentivize responsible corporate behavior, outlines DOJ’s self-disclosure requirements to qualify for declination under its Corporate Enforcement and Voluntary Self-Disclosure Policy.
Because the DOJ policy applies to all business entities seeking to self-disclose criminal misconduct, health industry companies are eligible to utilize its incentive structure. But health industry companies also remain eligible to disclose certain criminal, civil, and administrative violations under the US Department of Health and Human Services (HHS) Office of Inspector General’s (OIG) Health Care Fraud Self-Disclosure Protocol. Originally created in 1998 and amended most recently in 2021, the OIG protocol provides a distinct set of criteria and benefits for entities disclosing healthcare fraud and other violations.
This alert provides guidance to entities subject to both the DOJ policy and the OIG protocol. We outline the various prerequisites to qualify under each program and the distinct benefits and downsides of self-disclosure under both. While self-disclosure is a thorny challenge for companies that have identified potential misconduct and the path forward is not always clear, this client alert provides clear, actionable guidance for health industry companies to consider when responding to increasingly active fraud enforcement from federal agencies.
In Depth
DOJ’s Corporate Enforcement and Voluntary Self Disclosure Policy
The DOJ policy creates an incentive structure for companies to affirmatively and proactively disclose misconduct, and provides a clear upside for companies facing potential criminal prosecution: DOJ will, for certain qualifying self-disclosures, decline to criminally prosecute the misconduct. For healthcare companies facing potential criminal liability exposure, it is essential to be aware of how the DOJ policy works in order to make an informed decision about whether and how to self-disclose.
To be eligible under the DOJ policy, the disclosing company must meet the following four criteria:
- Voluntarily self-disclose the misconduct to an appropriate DOJ criminal component
- Fully cooperate with DOJ’s investigation
- Timely and appropriately remediate the misconduct
- Have no aggravating factors or corporate recidivism
Aggravating factors include especially serious or pervasive misconduct within the company or severe harm caused by the misconduct. Corporate recidivism, as defined by the policy, refers to a criminal adjudication or resolution within the past five years or based on similar misconduct by the same entity involved in the current misconduct.
When each of these four criteria are met, DOJ will decline to prosecute the disclosed criminal misconduct, subject to the approval of the assistant US attorney general for the relevant division and/or the US attorney for the relevant district. The disclosing company will still be required to pay disgorgement, forfeiture, and/or restitution where applicable.
The DOJ policy still provides incentives, albeit lesser ones, for near-miss self-disclosures as defined in the policy. In cases where the company self-disclosed in good faith but the conduct did not qualify under the DOJ policy (e.g., DOJ was already aware of the misconduct disclosed), the self-disclosing entity will still benefit from a 50% – 75% reduction of the fine identified at the low end of the applicable guidelines published by the United States Sentencing Commission (USSC). Entities that fail to self-disclose will receive no more than a 50% reduction of the assessed fine.
The DOJ policy is designed to encourage voluntary self-disclosure of potential wrongdoing “at the earliest possible time.” The conduct must be disclosed “within a reasonably prompt time,” and the company bears the burden of demonstrating its timeliness. Because conduct eligible for declination under the DOJ policy cannot have been previously known to the department, self-disclosing potential misconduct to the appropriate DOJ criminal component to as early as feasible presents significant potential liability reduction and financial benefits.
OIG’s Health Care Fraud Self-Disclosure Protocol
As noted, healthcare entities may also remain eligible for self-disclosure under the longstanding OIG protocol. Housed within HHS, the OIG protocol operates separately from the department-wide DOJ policy.
Similar goals underpin the OIG protocol, which is designed to facilitate cooperation and disclosure. But unlike the DOJ policy, which applies to companies in any industry, the OIG protocol is more narrowly focused on entities engaged with Medicare and other federal healthcare programs.
To be eligible under the OIG protocol, the disclosing company must meet the following four criteria:
- Be a healthcare provider, supplier, or person subject to OIG’s Civil Monetary Penalty authorities under 42 C.F.R. Part 1003
- Believe, after a reasonable assessment, that the disclosed conduct potentially violates federal criminal, civil, or administrative laws subject to a Civil Monetary Penalty
- Ensure the conduct has ended, or in the case of an improper kickback arrangement, that corrective action will be taken and the improper arrangement will be terminated within 90 days of submission of the self-disclosure
- Include in the self-disclosure the information outlined in section III of the OIG protocol, with additional required information for conduct involving false billing, excluded persons, the Anti-Kickback Statute, or the Stark law.
Unlike the DOJ policy, self-disclosures under the OIG protocol, which applies to criminal, civil, and administrative misconduct, always result in a damages penalty assessed against the company. While OIG’s general practice requires a multiplier of 1.5 times the single damages calculation, the OIG protocol provides that “persons that use the [self-disclosure protocol (SDP)] and cooperate with OIG during the SDP process deserve to pay a lower multiplier of single damages than would normally be required in resolving a Government-initiated investigation.” The key incentive for disclosing eligible conduct under the OIG protocol, then, is a lower damages assessment. By contrast, a declination under the DOJ policy avoids both criminal prosecution and fines, requiring only disgorgement/forfeiture and restitution or victim compensation traceable to the misconduct.
Self-disclosure under the OIG protocol also leads to a presumption against OIG requiring integrity agreement obligations to resolve the matter, reduces the amount of time required to reach a resolution, and suspends the obligation to report overpayments so long as the submission is timely made.
For a healthcare entity facing civil or administrative liability but not criminal liability – and thus ineligible under the DOJ policy – the OIG protocol presents some, albeit more limited, benefits that entities should consider.
Key differences between the DOJ policy and the OIG protocol
| DOJ policy | OIG protocol | |
|---|---|---|
| Eligible disclosing parties | All companies (any type of business organization) | All health care providers, suppliers, or persons subject to OIG’s Civil Monetary Penalty authorities |
| Type of misconduct | Criminal | Criminal, civil, or administrative |
| Ineligible misconduct | Criminal antitrust violations | Conduct not involving healthcare laws and Stark law-only conduct |
| Benefits of self-disclosure | Declination to prosecute | Lower damages multiplier, presumption against integrity agreement obligations, streamlined process, suspended overpayment reporting requirements |
| Monetary assessment | There is no fine if the disclosed misconduct fully qualifies for declination. The disclosing party must still pay disgorgement/forfeiture and/or restitution traceable to the misconduct. For “near-miss” disclosures, DOJ will reduce the fine calculated based on the U fine range by 50% – 75% | There is a lower multiplier on single damages, even though. OIG’s general practice is to require a minimum of 1.5 times the single damages resultant from the misconduct |
| Timing requirements | “Reasonably prompt”: Disclosure at the “earliest possible time,” even before the company has conducted an internal investigation | “Timely” disclosure to be eligible to suspend the obligation to report overpayments |
| Relevance of existing government inquiry | Leads to a “near-miss” self-disclosure, making the misconduct ineligible for declination | Does not preclude use of the protocol, provided the self-disclosure is made in good faith and not as an attempt to circumvent an ongoing inquiry |
| Relevance of internal investigation pre-disclosure | Should be used to “timely and appropriately [remediate] the misconduct,” including the implementation of an effective compliance and ethics program | Should be conducted and its findings reported in the self-disclosure, or a certification made that an internal investigation will be completed within 90 days of the initial submission |
| Degree of cooperation required | The disclosing party must disclose all facts and non-privileged information relevant to the conduct, including details about “all individuals involved in or responsible for the misconduct at issue.” | The disclosing party must provide a “concise statement of all details relevant to the conduct disclosed.” |
Importance of understanding the DOJ policy and the OIG protocol for healthcare entities
For healthcare entities, the DOJ policy adds a new tool companies can use to minimize their liability for misconduct, offering the carrot of a declination (i.e., DOJ will decline to prosecute) as a best-case scenario for companies at risk of criminal prosecution for misconduct.
Companies should be aware that DOJ retains concurrent enforcement jurisdiction for criminal misconduct in the healthcare space, and under the OIG protocol, OIG will coordinate with DOJ in resolving SDP matters. As a result, conduct disclosed to OIG may end up with DOJ regardless.
The potential for declination comes at a time when DOJ has ramped up fraud prosecutions. As noted in the Fraud Section’s Year in Review | 2025, the department increased prosecution of white-collar crimes by more than 10% compared to 2024, conducting 25 trials in 17 districts across the country. “Corporate accountability,” per the report, “remained a central pillar of the Section’s work.” This included the “largest ever National Health Care Fraud Takedown,” which targeted hundreds of defendants and involved billions of dollars in intended losses, resulting in the forfeiture and return of more than $560 million to the public itself.
So too with OIG. As evident from OIG’s Semiannual Report to Congress released in fall 2025, rooting out healthcare fraud remains a key priority. OIG completed more than 900 investigations between April and September 2025, leading to more than 1,400 criminal referrals, 350 criminal actions, and 480 civil actions by OIG itself.
The Trump administration has focused notably on fraud prevention, as evidenced by the March 2026 establishment of the Task Force to Eliminate Fraud chaired by the vice president, the April 2026 creation of the National Fraud Enforcement Division and the new division’s subsequent formation of the West Coast Health Care Fraud Strike Force to bring “enhanced federal enforcement resources to one of the nation’s most significant health care technology hubs in the Northern District of California and what data analytics show is the migration of fraud schemes to Arizona and Nevada.” In light of this Executive Branch emphasis, entities that fail to self-disclose potential healthcare misconduct may be severely disadvantaged in a subsequent investigation – not only because of the missed benefits afforded in the DOJ policy and the OIG protocol, but also as a matter of negative signaling to enforcers. In other words, because both DOJ and OIG have sought to incentivize self-disclosure, it may reflect even more poorly on companies that fail to self-disclose when their misconduct ultimately surfaces.
Actions healthcare entities can take now to mitigate exposure
The best way for healthcare entities to mitigate civil and criminal exposure is to prevent misconduct in the first instance. One way to help mitigate risk is to invest resources in a robust internal compliance department. Not only do effective compliance departments help establish a culture of compliance and identify misconduct in its infancy, but both the DOJ policy and the OIG protocol mandate effective internal controls to investigate misconduct. This is a core requirement to meaningfully take advantage of the DOJ and OIG self-disclosure incentives, even beyond the benefit of helping reduce the need to use either in the first instance.
If you have questions or would like assistance in establishing or enhancing your compliance department, or if we can assist with internally investigating potential healthcare misconduct, please contact your regular McDermott Will & Schulte lawyer or one of the authors.