At the spring 2025 PCC event in McLean, Virginia, speakers had many best practices tips and lessons learned to highlight, but their overall message to attendees was that ethics and integrity matter, data analytics are your friend, ongoing monitoring is expected, and it’s time for compliance to partner with business-line functions.
As one panelist phrased it – and it was echoed several times later at the event – “enforcement doesn’t drive what we do; we try to do the right thing all the time.” Meaning, we all know what is happening in terms of regulatory agencies losing funding, enforcement priorities shifting and “uncertainty” being the word of the day in regulatory compliance discussions these days.
But as we wait to see more regulatory clarity from the Trump administration, the panelists beseeched attendees not to wait for directives and enforcement actions before crafting a strong risk-management program, and to continue surveilling for fraud of all kinds.
Indeed, speakers across a number of panels felt that funding being pulled from certain areas of the Department of Justice (DOJ), such as the Foreign Corrupt Practices Act group and Consumer Protection branch, plus from Medicare and Medicaid at the Health and Human Services Department, signaled that greater resources and attention would be paid to fraud investigations and enforcement activity.
Speakers were drawn from federal agencies such as the DOJ, the Centers for Medicare and Medicaid Services, and the US Attorney’s Office for the Eastern District of Pennsylvania, powerhouse pharmaceutical businesses such as Merck, Novo Nordisk, GSK, Sanofi, Bayer, Purdue and AstraZeneca, and large law firms such as King & Spalding, Sidley Austin and DLA Piper.
Proactive partnerships prevent problems
The idea behind compliance professionals forging partnerships across the business came up during day one of the conference event in several ways.
Panelists discussed having their company subject to a corporate integrity agreement (CIA) as part of a settlement order, and how emerging from these agreements has led to a number of positive results for their businesses, especially by creating a compliance program more firmly embedded in the many layers of the firm, and by reminding the upper levels of executive leadership that their voice (and not just compliance’s) in articulating a vision of doing right is essential.
Indeed, as the words in this subhead imply (articulated by a panelist), the best way forward can sometimes be getting business unit heads to communicate compliance messaging to their own teams. The result can be less information overload from the compliance team, an overload that can dilute more serious messages.
“You cannot work just off of principles – you need to know your organization’s specific risks. And that means knowing what each department is grappling with in terms of challenges,” a panelist counseled. “Your role is to help these departments jog before they sprint,” said another speaker. “They will still get to their destination.”
The compliance department relies on business units to do the right thing, just as much as those units expect compliance to outline what the right thing is. This interdependency is summed up by one speaker’s rhetorical question: “How fast would a race car driver go if the race car driver didn’t trust the brakes?”
False Claims Act cases
These cases and whistleblowers often go together – as private people, known as qui tam relators, are able under the law to prosecute a lawsuit for the government and receive a reward – and they often do so in healthcare-related cases for alleged False Claims Act (FCA) abuses.
These are big cases for plaintiffs’ attorneys, the panelists said, often involving the submission of false claims to Medicare or Medicaid or other insurance providers for tests that were not medically necessary or were procured through kickbacks to certain individuals or organizations.
The kickbacks can take the form of speaker programs, meals, and debt forgiveness, among others.
Key cases in the FCA arena in 2024 and early 2025 that offer lessons to compliance officers include healthcare subsectors such as telehealth/digital health, private equity, and cases involving kickbacks and controlled substances violations.
Here’s a sampling of the cases, which panelists found to be illustrative of the type of settlement actions we could continue to see, given the strong bipartisan commitment to the FCA, intolerance of kickback schemes and the important role qui tam cases are likely to play in the enforcement arena.
Done Global Inc: The founder and CEO of a California-based digital health company and its clinical president were arrested last June in connection with their alleged participation in a scheme to distribute Adderall over the internet, conspire to commit healthcare fraud in connection with the submission of false and fraudulent claims for reimbursement for Adderall and other stimulants, and obstruct justice. The digital health company was accused of exploiting the COVID-19 pandemic to develop and carry out a $100m scheme to defraud taxpayers and provide easy access to Adderall and other stimulants for no legitimate medical purpose.
McKinsey & Company Inc: The global management consulting firm agreed to pay $650m to resolve a criminal and civil investigation into the firm’s consulting work with opioids manufacturer Purdue Pharma. The company’s resolution with DOJ pertained to McKinsey’s advice to Purdue concerning the sales and marketing of Purdue’s extended-release opioid drug, OxyContin, including a 2013 engagement in which McKinsey advised on steps to “turbocharge” sales of OxyContin.
The DOJ’s settlement with McKinsey marked the first time a management consulting firm was held criminally responsible for advice resulting in the commission of a crime by a client and reflected DOJ’s determination to hold actors accountable for their roles in the opioid crisis. The resolution was also the largest civil recovery for such conduct.
But most notable for compliance and surveillance readers to bear in mind with this case is that one of the felony charges was related to McKinsey “knowingly destroying records, documents and tangible objects with the intent to impede, obstruct, and influence the investigation.” Their actions demonstrated a clear understanding of the importance of reducing or eliminating records in order to potentially avoid responsibility and accountability.
As part of the resolution, McKinsey agreed to implement a newly invigorated compliance program, including a system of policies and procedures designed to identify and assess high-risk client engagements and create a newly independent role for its chief compliance officer, with direct reporting to the board.
Walgreens Boots Alliance, Walgreens Company: The parties resolved allegations earlier this year that the national chain pharmacy illegally filled millions of invalid prescriptions for opioids and other controlled substances in violation of the Controlled Substances Act, and then sought payment for many of those invalid prescriptions by Medicare and other federal health care programs in violation of the FCA.
The civil settlement was brought under the qui tam, or whistleblower, provisions of the FCA by former Walgreens employees.
As in the McKinsey case above, Walgreens’s compliance officials also allegedly squashed internal data to cover up their misdeeds – in the Walgreens case this pertained to certain prescriptions and prescribers, preventing pharmacists from warning one another about certain problematic prescribers and drug orders.
Biohaven (now part of Pfizer): The settlement resolved allegations – brought by a 2021 whistleblower lawsuit – that Biohaven induced doctors to write Nurtec prescriptions by paying “improper remuneration,” including through speaker payouts and meals at “high-end restaurants,” with some of those perks being extended to spouses and other family members, according to the DOJ press release about the settlement action earlier this year.
Lessons learned from the cases
The deletion of key communications in a couple of the cases above is illustrative of US law enforcement being capable of forensically examining devices to detect deletions, especially if they have any whistleblower information. It might be best to assume they have the technology and the informant, the panelists cautioned.
Moreover, in fraud cases, where a person’s mindset is a significant question for a jury, deleting documents is a surefire signal that you knew that what you were doing was wrong.
And no matter how technology and innovation-focused the new Trump administration might be, healthcare innovators should be mindful of the risks in crafting new models for providing healthcare, such as those associated with digital health offerings, especially if they restrict the physician-patient relationship or when physicians are being paid to order specific products or drugs.
As part of its settlement with authorities, Walgreens agreed to implement new compliance measures, including staff training, increased staffing, and enhanced systems to monitor prescription validity. This latter point is an important one, panelists stressed; here, pharmacists were allegedly prevented from sharing information about suspicious prescribers, leaving a siloed system that allowed dangerous prescriptions to be filled unchecked.
The right compliance protocols, with systems and employees monitored closely for adherence and controls that would signal when deviations occurred, would have been instrumental in preventing some of these alleged infractions.