
This week brings three significant developments that every healthcare compliance officer should read carefully: a DOJ memo that changes the timeline and trajectory of False Claims Act qui tam litigation, an OCR annual report revealing the scale of the 2024 healthcare breach landscape, and a final rule that substantially reforms the No Surprises Act’s dispute resolution process in ways that will impact providers. Here’s what matters and what to do about it.
DOJ Puts a 120-Day Clock on False Claims Act Whistleblower Cases — Healthcare Organizations Should Take Notice
On May 27, 2026, the DOJ Civil Division announced significant changes to how it handles False Claims Act (FCA) qui tam complaints involving fraud against Medicare, Medicaid, and other federal government programs (including other healthcare programs). The changes, outlined in a memo from Assistant Attorney General Brett Shumate titled “Accelerating Review and Enhancing Enforcement in Benefits Fraud Matters,” were issued in connection with President Trump’s March 2026 Executive Order establishing the Task Force to Eliminate Fraud. The practical effect is straightforward: qui tam cases that previously could languish in procedural limbo for years are now on a strict internal enforcement clock.
Key Details
To understand why this matters, it helps to understand how qui tam litigation has typically worked. Under the False Claims Act, a private individual, known as a “relator,” can file a lawsuit (called a qui tam lawsuit) on behalf of the federal government against an entity alleged to have defrauded a federal program. When filed, the complaint is placed under seal, meaning the defendant is unaware of its existence. The government then has a 60-day statutory window to decide whether to intervene, though in practice courts have routinely granted extensions at the government’s request, stretching investigations out over years. The DOJ would take the cases it considered strongest and decline the rest — and declined cases rarely proceeded to successful resolution without government backing.
The Shumate Memo departs from that model in two important ways. First, it creates an explicit fast-track pathway for meritorious cases that the DOJ considers below a certain size or complexity threshold: rather than declining these cases entirely, DOJ will now permit relators to actively litigate them under government supervision, with DOJ retaining ultimate control. This means more qui tam complaints will proceed to active litigation than before.
Second, the memo imposes strict internal timelines on cases requiring further investigation. When DOJ concludes that a qui tam suit warrants further investigation rather than giving the relator an immediate go-ahead, DOJ attorneys assigned to the case must complete that investigation within 120 days. Extensions will only be granted by the Deputy Assistant Attorney General of the Commercial Litigation Branch, and extensions beyond those within the Deputy’s authority must be approved by the Assistant Attorney General of the Civil Division directly. This internal escalation structure is designed to prevent cases from drifting without resolution, as they previously could.
The scale of the landscape this memo operates in is significant. In fiscal year 2024, DOJ collected $2.9 billion from 558 FCA settlements and judgments, $1.67 billion of which related to healthcare fraud, and FCA enforcement has intensified since then.
What This Means for You
The compliance implication of this memo is direct. Entities that defraud federal benefits programs often rely on the volume and complexity of their billing activity to avoid being detected. For healthcare organizations, the memo signals that qui tam complaints filed by individuals with inside knowledge (including former or current employees) of billing irregularities, documentation deficiencies, or other compliance gaps are now far more likely to result in active litigation, and to do so quickly.
The days of a qui tam complaint slowly working its way through DOJ’s queue with no practical consequence are effectively over in the benefits fraud space. Healthcare entities should develop and maintain compliance programs that identify and correct billing errors, documentation failures, and other practices creating FCA exposure, before a whistleblower reaches the courthouse. This means investing in internal audit processes, anonymous reporting mechanisms that employees actually trust and use, and a genuine culture of correcting rather than concealing compliance issues. The organizations most exposed under this new framework are those with known internal compliance gaps and no systematic process for addressing them.
Frequently Asked Questions
What is a qui tam lawsuit under the False Claims Act? A qui tam lawsuit is a legal action filed by a private individual, called a relator, on behalf of the federal government against an entity alleged to have submitted false or fraudulent claims for federal funds. If the government recovers money, the relator receives a portion of the proceeds, typically between 15% and 30% depending on the government’s level of involvement. The False Claims Act does not require intent to defraud – actual knowledge, deliberate ignorance, or reckless disregard for the accuracy of a claim is sufficient to trigger liability.
What does the DOJ Shumate Memo change about how qui tam cases are handled? The memo imposes a 120-day internal deadline on DOJ investigations of benefits fraud qui tam cases that require further review before an intervention decision, with extensions requiring escalating levels of senior approval. It also creates an explicit pathway for smaller but nonetheless meritorious cases to proceed as relator-driven litigation under government supervision, rather than being declined or left to languish without resolution. The practical result is that more qui tam complaints will move forward, and more quickly than they historically have.
OCR’s 2024 Annual Breach Report: 242 Million Americans Affected, and the Same Compliance Failures Keep Appearing
In late May 2026, OCR released its Annual Report to Congress on Breaches of Unsecured Protected Health Information for calendar year 2024. The central finding is not the scale of the breaches of unsecured PHI, though that scale is significant. It is this: the technical failures that resulted in the largest breaches in 2024 are the same failures that OCR has been documenting and acting on for years. The 2024 report is evidence of what happens when OCR’s guidance is ignored.
Key Details
OCR received 663 breach reports involving 500 or more individuals in 2024, affecting approximately 242.9 million people in total. That massive total was largely due to a single ransomware attack on Change Healthcare, which affected an estimated 192 million individuals.
Change Healthcare is but one illustration of an underlying trend. Hacking and IT incidents accounted for 81% of large breaches and affected 99% of the individuals whose PHI was compromised. Ransomware, malware, and phishing were the primary attack methods. In its investigations, OCR found a recurring structural vulnerability: once attackers gained access to a network, organizations had few controls in place to limit how far or how quickly the attackers could move. In many cases, exploiting a single compromised account allowed hackers to access multiple systems containing PHI.
The smaller breach data tells a different but equally familiar story. OCR also received approximately 74,299 reports of breaches involving fewer than 500 individuals in 2024. Unauthorized access or disclosure accounted for the majority of those incidents, mainly involving paper PHI improperly accessed through misdirected faxes, employees accessing records without authorization, and test results sent to the wrong patient.
OCR resolved 785 breach investigations in 2024, ultimately resolving 22 investigations through monetary resolution agreements or civil monetary penalties totaling $9,944,612. A recurrent theme appeared throughout the investigations: incomplete risk analyses that focused narrowly on specific applications rather than the complete ePHI environment. Other specific failures documented across the investigations included failure to implement multi-factor authentication (MFA), failure to limit administrative account access to staff whose roles actually required it, failure to review audit logs, and failure to terminate former workforce member credentials in a timely manner.
These are not new findings. OCR has documented them in prior Annual Reports. The 2024 report is the latest chapter in a long record of organizations failing to stop known cybersecurity threats before they become headlines.
What This Means for You
The Change Healthcare breach was not caused by a novel attack. It was caused by an attacker who gained access through a compromised account on a system that did not have MFA. The controls that would have stopped this attack, or at least slowed its path, are the same controls OCR has been citing in enforcement actions for years – and is now scrutinizing through its risk analysis and risk management initiatives.
Healthcare organizations should treat this report as a prompt for a concrete technical checklist. Conduct an enterprise-wide risk analysis that covers every system where PHI resides, including clinical systems, email, servers, backup servers, and legacy systems. Deploy MFA, including on systems that allow remote access. Establish a documented schedule for audit log review and stick to it. Audit your access control lists to confirm that administrative account privileges are limited to staff whose current role requires them, and build (and execute on) a process for promptly terminating credentials when workforce members depart. And, if you have not already, adopt the mindset that risk analysis is not a one-time exercise; it must be ongoing and documented.
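The four failures OCR cited (admin accounts without MFA, admin rights not tied to role, untimely credential termination, and lapsed audit log review) can be turned into a recurring check. The following is an added example, not code from the OCR report or this newsletter; the account records, HR departure dates, review dates and field names are constructed, and the one-day termination SLA and seven-day review interval are assumed thresholds.

```python
"""Added example: flag the control gaps OCR cited, against constructed account/HR data."""
from datetime import date, timedelta

# Constructed sample data; field names are assumptions, not any vendor's schema.
ACCOUNTS = [
    {"user": "jdoe",   "role": "physician",     "admin": False, "mfa": True,  "disabled_on": None},
    {"user": "asmith", "role": "sysadmin",      "admin": True,  "mfa": False, "disabled_on": None},
    {"user": "bwong",  "role": "billing_clerk", "admin": True,  "mfa": True,  "disabled_on": None},
    {"user": "clee",   "role": "nurse",         "admin": False, "mfa": True,  "disabled_on": None},
    {"user": "dkim",   "role": "nurse",         "admin": False, "mfa": True,  "disabled_on": date(2024, 3, 2)},
]
DEPARTURES = {"clee": date(2024, 2, 1), "dkim": date(2024, 3, 1)}  # HR separation dates (constructed)
ADMIN_ROLES = {"sysadmin", "security_engineer"}                     # roles that justify admin rights (assumed)
LOG_REVIEWS = [date(2024, 2, 5), date(2024, 2, 12), date(2024, 3, 20)]  # documented review dates (constructed)


def find_gaps(accounts, departures, admin_roles, log_reviews, as_of,
              term_sla_days=1, review_interval_days=7):
    """Return (finding_type, subject) tuples for each OCR-cited control gap found."""
    findings = []
    for a in accounts:
        if a["admin"] and not a["mfa"]:
            findings.append(("admin_without_mfa", a["user"]))
        if a["admin"] and a["role"] not in admin_roles:
            findings.append(("admin_role_not_required", a["user"]))
        left = departures.get(a["user"])
        if left is not None:
            deadline = left + timedelta(days=term_sla_days)
            if a["disabled_on"] is None:
                if as_of > deadline:  # departed, still enabled past the SLA
                    findings.append(("credential_not_terminated", a["user"]))
            elif a["disabled_on"] > deadline:  # disabled, but later than the SLA allows
                findings.append(("credential_terminated_late", a["user"]))
    # Audit log review: flag any interval between consecutive reviews (or since the
    # last review up to as_of) longer than the documented schedule.
    checkpoints = sorted(log_reviews) + [as_of]
    for prev, nxt in zip(checkpoints, checkpoints[1:]):
        if (nxt - prev).days > review_interval_days:
            findings.append(("audit_log_review_gap", f"{prev.isoformat()}..{nxt.isoformat()}"))
    return findings


def run_check(as_of=date(2024, 3, 25)):
    """Run the check over the constructed data as of a fixed date."""
    return find_gaps(ACCOUNTS, DEPARTURES, ADMIN_ROLES, LOG_REVIEWS, as_of)


if __name__ == "__main__":
    for kind, subject in run_check():
        print(f"{kind}: {subject}")
```

In practice the inputs would come from the identity provider export and the HR separation feed, and the findings would be retained as evidence that the review actually occurred.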
Frequently Asked Questions
What were the most common causes of large HIPAA breaches in 2024? According to OCR’s 2024 Annual Report to Congress, hacking and IT incidents accounted for 81% of large breaches affecting 500 or more individuals, with ransomware, malware, and phishing as the primary attack methods. A single ransomware attack on Change Healthcare accounted for approximately 192 million of the 242.9 million individuals affected across all large breaches reported during the year.
What specific HIPAA compliance failures did OCR identify most frequently in its 2024 breach investigations? OCR’s investigations repeatedly identified incomplete risk analyses that covered only specific applications rather than the full ePHI environment, failure to implement multi-factor authentication, failure to restrict administrative account access to staff who actually required it, failure to conduct regular audit log reviews, and failure to terminate access credentials for former workforce members in a timely manner. These failures are now the focus of OCR’s risk analysis and risk management initiatives.
No Surprises Act IDR Process Overhauled: 85% Fee Reduction, New Batching Rules, and a Centralized Gateway Platform
On May 28, 2026, HHS, CMS, the Departments of Labor and Treasury, and the Office of Personnel Management jointly issued the Federal Independent Dispute Resolution Operations final rule, making the most significant structural reforms to the No Surprises Act’s IDR process since the program launched in April 2022. The changes reduce the cost and administrative burden of the IDR process, standardize how payers communicate with providers about out-of-network payment disputes, and lay the groundwork for a new centralized IDR Gateway platform.
Key Details
The IDR process was designed as a mechanism for providers and payers to resolve payment disputes over out-of-network charges after the patient has paid their cost-sharing obligation. The process has been substantially more active than anticipated. Since May 2025 alone, the Federal IDR process has recorded 5.3 million administrative fees paid, and the Departments project that number will rise to approximately 6.91 million as the reduced fee makes the process accessible to a broader range of providers and claims. The volume of submissions has created delays, and the $115 administrative fee per party per dispute has proven too costly for smaller healthcare entities.
The most immediately impactful change made by the final rule is the administrative fee reduction. The final rule reduces the administrative fee from $115 to $15 per party per dispute, a reduction of more than 85%. The lower fee applies to disputes initiated on or after June 11, 2026. The prior $115 fee created a meaningful deterrent for smaller providers disputing lower-value claims, effectively pricing some legitimate disputes out of the IDR process entirely. At $15, the economics of pursuing IDR are now viable for a substantially broader range of claims.
The rule also introduces standardized claim adjustment reason codes that payers must use when communicating out-of-network payment information to providers. This standardization allows providers to determine earlier in the process whether a claim qualifies for IDR, reducing confusion and decreasing the number of ineligible disputes entering the system — a meaningful operational improvement for billing staff who currently spend significant time evaluating eligibility for disputes that ultimately cannot proceed.
On batching, the rule expands flexibility while introducing structure. The final rule allows up to 50 items and services to be included in a single payment dispute, while introducing limits designed to improve processing efficiency and reduce review bottlenecks. For providers who currently file large numbers of related disputes individually, the expanded batching capacity creates a meaningful efficiency gain.
Finally, the rule establishes a Federal IDR Registry and announces the phased implementation of a new centralized IDR Gateway platform. The IDR Gateway will allow parties to initiate disputes, track status, and manage communications in one place, with payer registration requirements and in-portal negotiation features rolling out over time to improve accountability and reduce unnecessary filings.
What This Means for You
These changes require operational updates from providers who participate in the IDR process. The reduced fee structure and expanded batching rules change the cost-benefit calculus for which disputes are worth pursuing. The new standardized claim adjustment reason codes create an affirmative obligation for billing staff to understand what information payers must now provide, and to use that information to assess IDR eligibility earlier and more accurately.
Review your current IDR workflows against the final rule and identify which processes need updating. Train billing staff on the new claim adjustment reason codes and what they signal about IDR eligibility. If your organization regularly batches disputes, review the new batching consolidation rules to ensure your current approach is compliant with the updated limits. Monitor CMS guidance announcements regarding the availability of the IDR Gateway platform and plan your transition to the centralized system well before the phased implementation reaches your workflows.
Frequently Asked Questions
What is the No Surprises Act’s Federal Independent Dispute Resolution process? The Federal IDR process is a federal arbitration mechanism established under the No Surprises Act that allows healthcare providers and payers to resolve disputes over payment rates for certain out-of-network charges after the patient has paid their applicable cost-sharing amount. Both parties submit to a certified IDR entity, which selects between the submitted offers and issues a binding payment determination. The process applies to emergency services, non-emergency services at in-network facilities involving out-of-network providers, and air ambulance services, among other categories.
When does the reduced $15 IDR administrative fee take effect? The reduced administrative fee of $15 per party per dispute, down from $115, applies to disputes initiated on or after June 11, 2026. The fee reduction applies regardless of the dollar amount in dispute or the eligibility outcome of the case. Details are available in the CMS final rule fact sheet.
Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.