By Rachel V. Rose, JD, MBA, Rachel V. Rose - Attorney at Law, PLLC
The May 12, 2025 U.S. Department of Justice Memo: What the Healthcare Industry Should Know


Date Posted: Friday, August 08, 2025

 

On May 12, 2025, the U.S. Department of Justice (DOJ), Head of the Criminal Division, released a memorandum, “Focus, Fairness, and Efficiency in the Fight Against White Collar Crime” (see https://www.justice.gov/criminal/media/1400046/dl?inline). The first sentence states, “The core mission of the Department of Justice (Department) is to do justice, uphold the rule of law, protect the American public, and vindicate victims' rights.”

 

As updated in September 2024, the DOJ Criminal Division's “Evaluation of Corporate Compliance Programs” is as important to read as the May 12 memo. Notable items include: (1) three “fundamental questions” prosecutors should ask; (2) “assessing whether the [compliance] program is adequately designed for maximum effectiveness”; and (3) management of emerging risks to ensure compliance with applicable law. A good starting point for implementing a new compliance program or revising an existing program is 42 CFR § 483.85.

 

As the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) has stated for years and re-emphasized in its November 2023 Compliance Guidance, the five main fraud, waste, and abuse (FWA) laws are as follows: (1) False Claims Act; (2) Anti-Kickback Statute; (3) Stark Law; (4) Exclusion; and (5) Civil Monetary Penalties. These five FWA laws are relevant to the May 12 memo. What follows are some of the key highlights that companies, executives, and boards alike need to address and incorporate into their enterprise risk management (ERM) program.

 

Analysis

 

The Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors, including the Healthcare and Public Health Sector, that are targeted by cyber criminals, whose attacks harm the federal fisc and United States citizens as a whole.

 

The “areas of focus” identified by the DOJ as being the most “urgent criminal threats to the country” include a variety of conduct. At the top of the list is “waste, fraud, and abuse, including healthcare fraud and federal program and procurement fraud that harm the public fisc” (emphasis added).

 

Other areas include, but are not limited to:

 

  • Trade and customs fraud, including tariff evasion;
  • Conduct that threatens the country's national security, including threats that harm the U.S. financial system;
  • Fraud that victimizes U.S. investors, individuals, and markets including, but not limited to, Ponzi schemes, investment fraud, elder fraud, servicemember fraud, and fraud that threatens the health and safety of consumers; and
  • Violations of the Controlled Substances Act and the Federal Food, Drug, and Cosmetic Act (FDCA), including the unlawful manufacture and distribution of chemicals and equipment used to create counterfeit pills laced with fentanyl and unlawful distribution of opioids by medical professionals and companies.

 

Armed with this knowledge, organizations, executives, and boards should commit to doing the following: (1) audits—cybersecurity, financial, and FWA; (2) adequate and ongoing training; (3) comprehensive policies and procedures; (4) encryption both at rest and in transit; and (5) adequate data use agreements, business associate agreements, or other similar agreements. Being able to substantiate an effective and adequate compliance program is critical for mitigating liability.

 

Conclusion

 

Government enforcement actions are not receding when it comes to the aforementioned areas of focus. To the contrary, with greater scrutiny comes the need for greater board governance and adequate compliance programs.

 

Three prudent steps to mitigate risk include:

 

  1. Review existing cybersecurity laws and regulations and ensure that an annual risk analysis is conducted.
  2. Ensure compliance programs are updated and that all seven core items required by 42 CFR § 483.85 are implemented.
  3. Train boards and executives to issue-spot, understand industry and cyber vernacular, and recognize potential areas of FWA and criminal liability that relate to the business.

 

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate, and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston.

 

Rachel can be reached through her website: www.rvrose.com

 

 

 

 
