DOJ Medical Device Fraud Enforcement in 2026: False Claims Act, Anti-Kickback Statute, and What MedTech Companies Must Know About the Record $6.8 Billion Crackdown

How the Department of Justice's record $6.8 billion False Claims Act enforcement in FY2025 impacts medical device companies — National Fraud Enforcement Division, Health Care Fraud Data Fusion Center using AI analytics, West Coast Strike Force, Anti-Kickback Statute compliance, whistleblower qui tam risks, and what manufacturers, distributors, and executives must do to reduce exposure in the most aggressive healthcare fraud enforcement environment in US history.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-05-13 · 34 min read

The $6.8 Billion Question: Why 2026 Is a Watershed Year for MedTech Enforcement

The numbers are staggering. In Fiscal Year 2025, the U.S. Department of Justice obtained $6.8 billion in False Claims Act (FCA) settlements and judgments — a record that represents a 120% increase over FY2024 recoveries. Of that total, health care fraud accounted for $5.7 billion, or 84% of all federal FCA recoveries. Medical device companies, long perceived as secondary targets behind pharmaceutical manufacturers and hospital systems, are now squarely in the enforcement crosshairs.

This is not a gradual trend. It is a step-change in enforcement intensity driven by three converging forces: the creation of new DOJ institutional machinery specifically designed to prosecute fraud, the deployment of artificial intelligence and data analytics to detect patterns that human investigators would never find, and an Executive Order from the White House in March 2026 that directed the formation of a Task Force to Eliminate Fraud with an aggressive 30-60-90 day action timeline.

For medical device manufacturers, distributors, and the executives who run them, the implications are immediate and consequential. A single qui tam whistleblower complaint can trigger a multi-year investigation that ends in nine-figure settlements, corporate integrity agreements, exclusion from federal health care programs, and individual criminal prosecution. The old assumption that FCA enforcement was primarily a pharmaceutical problem is no longer operative.

This guide examines every dimension of the 2026 enforcement landscape as it applies to medical device companies: the new DOJ divisions and tools, the statutes that prosecutors wield, the real enforcement actions already taken, the AI-powered detection systems now operational, the whistleblower environment, the recent Executive Order, and the concrete compliance steps that companies must take now to reduce their exposure.


The New DOJ Enforcement Architecture

The Department of Justice has not simply increased its enforcement budget. It has fundamentally reorganized its fraud prosecution capabilities, creating new divisions, centers, and strike forces that bring together prosecutors, data scientists, investigators, and agency partners under a single operational umbrella. Understanding this architecture is essential because it determines how investigations are initiated, how evidence is gathered, and how quickly cases move from complaint to settlement or indictment.

The National Fraud Enforcement Division (April 2026)

The National Fraud Enforcement Division (NFED) is the formal establishment of an initiative that the White House previewed on January 8, 2026, when Vice President JD Vance announced plans for a new Assistant Attorney General position with nationwide fraud jurisdiction. On April 7, 2026, Acting Attorney General Todd Blanche issued a memorandum formally creating the NFED as a new stand-alone litigating division within the Department of Justice. The Division places three major DOJ Criminal Division components under its operational control: the Health Care Fraud Unit, the Tax Section, and the Market, Government, and Consumer Fraud Section. Assistant Attorney General Colin McDonald leads the Division.

The Division's mandate includes:

  • Vertical integration of fraud cases: Rather than routing health care fraud, procurement fraud, and financial fraud through separate litigation tracks, the Division consolidates expertise and resources, allowing prosecutors to pursue cases that span multiple fraud categories. For medical device companies, this means that conduct previously treated as a standalone Anti-Kickback Statute violation might now be folded into a broader FCA case with wire fraud and health care fraud counts.
  • Rapid response capability: The Division maintains a standing team of prosecutors who can be deployed to initiate or join investigations on short notice, reducing the lag time between whistleblower complaint filing and active investigation.
  • Cross-agency coordination: The Division operates as a liaison with the HHS Office of Inspector General, the FDA's Office of Criminal Investigations, the FBI's Health Care Fraud Unit, and the Defense Criminal Investigative Service (for Tricare-related fraud involving medical devices used in military treatment facilities).

The Health Care Fraud Data Fusion Center (June 2025)

Launched in June 2025, the Health Care Fraud Data Fusion Center represents the operationalization of AI-driven fraud detection within the DOJ. The Center is a permanent, prosecutor-led, multi-agency team staffed with data analysts, machine learning engineers, and health care fraud specialists.

What the Data Fusion Center actually does:

| Capability | Description |
| --- | --- |
| Claims pattern analysis | Ingests Medicare, Medicaid, and Tricare claims data to identify billing patterns that deviate from statistical norms — for example, a device distributor whose claims frequency spikes after adding a new sales territory |
| Referral network mapping | Uses graph algorithms to map relationships between physicians, hospitals, device companies, and distributors, identifying clusters of referrals that suggest coordinated kickback arrangements |
| Anomaly detection | Applies machine learning models trained on historical fraud cases to flag new entities, billing codes, or geographic patterns that resemble past fraud schemes |
| Predictive risk scoring | Assigns risk scores to providers, suppliers, and manufacturers based on a composite of billing behavior, ownership structures, prior enforcement contacts, and whistleblower tips |
| Real-time monitoring | Integrates with CMS claims processing systems to flag suspicious claims before they are paid, rather than pursuing "pay-and-chase" recovery after the fact |

For medical device companies, the Data Fusion Center changes the calculus in a fundamental way. Previously, the DOJ largely relied on whistleblowers to initiate investigations. A company that kept its employees happy and its internal controls reasonably functional could assume that any compliance gaps might never come to light. That assumption is no longer valid. The Data Fusion Center can identify anomalous billing and referral patterns independently, generating leads that prosecutors can then develop without any whistleblower involvement at all.

The West Coast Health Care Fraud Strike Force (April 30, 2026)

On April 30, 2026, the DOJ announced the formation of the West Coast Health Care Fraud Strike Force, extending the Strike Force model to Arizona, Nevada, and Northern California. This addition brings the total number of DOJ Health Care Fraud Strike Force regions to ten.

Strike Forces are not advisory bodies. They are prosecutorial teams composed of Assistant U.S. Attorneys, DOJ trial attorneys, FBI agents, HHS-OIG investigators, and state Medicaid Fraud Control Unit investigators who work together on a single docket of health care fraud cases. The Strike Force model has been responsible for some of the largest health care fraud prosecutions in U.S. history, and its expansion to the West Coast is significant for the medical device industry because the region hosts a disproportionate concentration of device companies, digital health startups, and venture-backed SaMD companies.

The practical impact: device companies operating in Arizona, Nevada, or Northern California should assume that any billing anomaly, unusual referral pattern, or vendor relationship that could be construed as a kickback is now visible to a dedicated prosecutorial team with Strike Force resources and Strike Force urgency.


The Statutes That Matter: FCA, AKS, Stark Law, and Criminal Provisions

Medical device companies face enforcement risk under multiple overlapping federal statutes. The DOJ routinely brings cases that include civil FCA claims, criminal Anti-Kickback Statute charges, and administrative exclusion actions simultaneously. Understanding each statute individually is important; understanding how they interact is essential.

The False Claims Act (31 U.S.C. 3729-3733)

The False Claims Act is the DOJ's primary civil enforcement tool. It imposes liability on any person or entity that knowingly submits, or causes to be submitted, a false or fraudulent claim for payment to the federal government. "Knowingly" is defined broadly to include actual knowledge, deliberate ignorance, and reckless disregard — a standard that makes it difficult for companies to argue that they were unaware of billing improprieties.

Key provisions for medical device companies:

  • Treble damages and per-claim penalties: The FCA provides for damages equal to three times the government's actual losses, plus per-claim penalties that are adjusted for inflation (currently ranging from $14,308 to $28,619 per claim). For device companies that submit thousands of claims, these penalties compound rapidly into nine-figure exposure.
  • "Causes to be submitted" liability: A device manufacturer does not need to submit a false claim directly. If the company's conduct — such as providing kickbacks to physicians who then bill Medicare for the device — causes a false claim to be submitted, the manufacturer is liable under the FCA.
  • Reverse false claims: The FCA also covers conduct that causes the government to pay more than it should. For device companies, this can include failing to report pricing changes that affect Medicaid rebate calculations, misrepresenting device classification to obtain more favorable reimbursement rates, or concealing overpayments.
  • Qui tam provisions: The FCA allows private individuals (whistleblowers, or "relators") to file suit on behalf of the government and receive 15-30% of any recovery. Qui tam cases are filed under seal, giving the DOJ 60 days (often extended) to investigate before the defendant is even aware of the allegations.

The Anti-Kickback Statute (42 U.S.C. 1320a-7b)

The Anti-Kickback Statute (AKS) makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive anything of value to induce or reward referrals of items or services payable by federal health care programs. The AKS is intent-based — the government must prove that the payment was made with the purpose of inducing referrals — but courts have interpreted the statute broadly.

For medical device companies, AKS risk arises in several common scenarios:

| Scenario | AKS Risk |
| --- | --- |
| Sham consulting agreements | Paying physicians as "consultants" when the real purpose is to reward or induce device purchases. Payments must reflect fair market value for legitimate, documented services. |
| Excessive speaker programs | Sponsoring physician "education" events at upscale venues where attendance is sparse and the presentation content is minimal. The DOJ has repeatedly prosecuted device companies for speaker programs that functioned as disguised referral payments. |
| Product discounts and rebates | Offering pricing arrangements that effectively guarantee volume-based referral incentives. While discounts can be structured to fall within the AKS safe harbor, the safe harbor requirements are specific and must be met precisely. |
| Medical directorships | Compensating physicians for medical director roles where the duties are vaguely defined, the compensation exceeds fair market value, or the appointment coincides with increased referrals. The January 2026 enforcement actions specifically targeted this arrangement. |
| Practice support and "service" arrangements | Providing free equipment, staff, or services to physician practices to secure device loyalty. |
| Patient assistance and co-pay programs | Structuring financial assistance programs in ways that steer patients toward specific devices or providers. |
| Clinical trial incentives | Paying investigators above fair market value for clinical trial participation where the payment amount correlates with device referrals or sales. |

The AKS operates as both a standalone criminal statute and a basis for FCA liability. Under the "AKS equals FCA" theory, a claim submitted to a federal health care program that results from an AKS violation is, by definition, a false claim — even if the claim itself is accurately coded and the service was actually provided. This is the enforcement theory that has generated the largest settlements in the medical device space.

The Stark Law (Physician Self-Referral Law, 42 U.S.C. 1395nn)

The Stark Law prohibits physicians from referring Medicare or Medicaid patients for designated health services (including certain medical devices) to entities in which the physician or an immediate family member has a financial relationship, unless an exception applies. Unlike the AKS, the Stark Law is strict liability — intent is not an element of the violation.

For device companies, Stark Law risk typically arises when:

  • A physician-owner of a device distributor refers patients for procedures using devices supplied by the distributor.
  • A device company provides loans, equity, or other financial interests to referring physicians.
  • A hospital or ASC that purchases devices from a company has physician-owners who refer patients for procedures using those devices.

The Stark Law overlaps with the AKS but has a broader reach in some respects because it does not require proof of corrupt intent. A technical Stark Law violation — even one that is inadvertent — can trigger FCA liability if the resulting claims are deemed "tainted."

Criminal Statutes: Wire Fraud and Health Care Fraud

Beyond civil FCA liability, device company executives and employees face criminal prosecution under:

  • Health Care Fraud Statute (18 U.S.C. 1347): Makes it a felony to knowingly and willfully execute, or attempt to execute, a scheme to defraud a health care benefit program. Penalties include up to 10 years imprisonment (up to 20 years if the violation results in serious bodily injury, and up to life if it results in death).
  • Wire Fraud (18 U.S.C. 1343): Applied when the fraudulent scheme involves interstate wire communications — which, in practice, covers virtually every modern business transaction. Penalties include up to 20 years imprisonment (up to 30 years if the scheme affects a financial institution).
  • Conspiracy (18 U.S.C. 371): Charged when two or more persons agree to commit a fraud offense and take any overt act in furtherance of the agreement. Conspiracy charges allow prosecutors to sweep in multiple participants across an organization.

The DOJ has increasingly pursued parallel civil and criminal tracks simultaneously, using the broader discovery tools available in civil proceedings to build criminal cases. For device company executives, this means that responding to a civil FCA subpoena may also mean responding to a criminal investigation — and the stakes are personal, not just corporate.



Real Enforcement Actions Affecting Medical Device Companies in 2025-2026

The enforcement statistics are abstract until mapped to actual cases. The following examples illustrate the range of enforcement activity that has affected medical device companies in the current enforcement cycle.

January 2026: Medical Directorship Enforcement ($34 Million)

In January 2026, the DOJ announced two enforcement actions targeting medical directorship arrangements that allegedly violated both the Anti-Kickback Statute and the Stark Law. One action was a $34 million settlement with a home healthcare services provider that self-disclosed sham medical directorship payments to referring physicians. The other was a DOJ complaint against a hospital management company and a physician, alleging that $450,000 in medical directorship payments were made to induce patient referrals.

The government's theory in these cases was straightforward: the medical directorship positions were either sham positions with no real duties, or the compensation was substantially above fair market value for the services actually rendered. The timing of the appointments — often coinciding with increases in referral volume from the physician — was cited as evidence of quid pro quo intent.

The significance of these actions for device companies: medical directorships and advisory board arrangements have long been a gray area in physician-industry relationships. These enforcement actions signal that the DOJ is willing to scrutinize the substance of these arrangements — not just their form. Companies that have physician advisory boards, medical director agreements, or similar consulting relationships should immediately audit those arrangements against the AKS safe harbor requirements and Stark Law exceptions.

Illumina FCA Settlement for Cybersecurity Misrepresentation ($9.8 Million, July 2025)

In July 2025, Illumina settled FCA allegations for $9.8 million related to cybersecurity misrepresentations about its medical devices. The government alleged that Illumina made false statements about the cybersecurity capabilities of its devices — specifically, representing that the devices met certain security standards when, in fact, they contained known vulnerabilities.

This settlement is significant because it represents the first FCA case predicated specifically on medical device cybersecurity misrepresentation. It extends FCA exposure beyond the traditional fraud categories (kickbacks, off-label promotion, billing fraud) into the product quality and cybersecurity domain. For device companies, the implication is clear: cybersecurity representations in premarket submissions, marketing materials, and post-market communications can create FCA liability if those representations are materially false.

OtisMed Corporation (Sentencing, 2025)

The OtisMed case, which originated from conduct involving the off-label marketing of the OtisKnee surgical cutting guide, resulted in criminal penalties and a civil settlement that collectively exceeded $80 million. The company pleaded guilty to distributing adulterated medical devices and agreed to forfeit $10 million in criminal proceeds. Individual executives also faced criminal prosecution.

This case is frequently cited by DOJ prosecutors as a template for medical device enforcement because it combined multiple theories of liability — off-label promotion, adulteration, misbranding, and kickbacks — in a single prosecution. It demonstrates that the DOJ is willing to pursue device companies across the full spectrum of enforcement tools.

Based on DOJ press releases, HHS-OIG reports, and court filings from 2025 and early 2026, the following patterns are emerging in medical device fraud enforcement:

| Enforcement Trend | Description |
| --- | --- |
| Off-label promotion | Companies that market cleared or approved devices for indications not included in the labeling continue to face FCA exposure, particularly when the off-label use is billed to federal health care programs. |
| Adulteration and misbranding | When devices are marketed without required clearances or approvals, the resulting claims are treated as false claims. The DOJ has pursued this theory against companies that modified cleared devices without filing new 510(k) submissions. |
| Cybersecurity fraud | Following the Illumina settlement, cybersecurity misrepresentation is now an established FCA theory. |
| Durable medical equipment (DME) fraud | DME suppliers — including companies providing orthotics, prosthetics, and home-use devices — remain among the most frequently prosecuted entities in health care fraud. The Strike Force model has been particularly active in this space. |
| Clinical trial fraud | Companies that falsify clinical data supporting device approvals face FCA liability for the claims submitted using devices cleared or approved based on the fraudulent data. |

How AI Analytics Are Changing the Game: Inside the Data Fusion Center

The Health Care Fraud Data Fusion Center is not a research initiative or a pilot program. It is an operational law enforcement tool that is actively generating leads, informing investigative priorities, and supporting ongoing prosecutions. Understanding how it works is essential for device companies that want to anticipate enforcement risk.

Data Sources and Integration

The Data Fusion Center integrates data from multiple federal sources:

  • CMS claims databases: Medicare Part A, Part B, Part C (Medicare Advantage), and Part D claims data, including National Provider Identifier (NPI) information, Healthcare Common Procedure Coding System (HCPCS) codes, and diagnosis codes.
  • Medicaid data: State Medicaid claims data reported to CMS, including managed care encounter data.
  • Tricare data: Claims data from the Defense Health Agency for services provided to military beneficiaries.
  • FDA databases: 510(k) and PMA registration and listing data, adverse event reports (MDR), recall information, and inspection records.
  • HHS-OIG exclusion data: The List of Excluded Individuals/Entities (LEIE), which tracks providers and entities excluded from federal health care programs.
  • Corporate and ownership data: Information from the National Plan and Provider Enumeration System (NPPES), SAM.gov, and state corporate registries that maps ownership structures and interlocking relationships between entities.
  • Open-source intelligence: Publicly available data including corporate filings, press releases, patent applications, clinical trial registrations, and social media activity.

Analytical Techniques

The Data Fusion Center applies several categories of analysis to this integrated dataset:

1. Billing Pattern Anomalies

Machine learning models trained on historical fraud cases flag providers, suppliers, and manufacturers whose billing patterns deviate significantly from their peers. For device companies, this can include:

  • A sudden spike in claims for a specific device code in a geographic area where the company recently launched a new sales initiative.
  • Billing patterns that suggest upcoding — for example, a device distributor consistently billing for higher-reimbursement device codes when lower-cost alternatives would be appropriate.
  • Geographic clustering of claims that mirrors the territory structure of a device sales organization, suggesting coordinated overutilization.

2. Referral Network Analysis

Graph algorithms map the relationships between physicians, hospitals, device companies, and distributors. These algorithms can identify:

  • Referral "funnels" where a device company's top-prescribing physicians are concentrated around a single sales representative, suggesting that the rep may be using incentives to drive volume.
  • Sudden shifts in referral patterns following the establishment of consulting agreements, medical directorships, or other financial relationships between a device company and referring physicians.
  • "Hub-and-spoke" structures where a single entity (often a physician-owned distributor) acts as a conduit for device sales to multiple referring physician-owners.

3. Temporal Correlation Analysis

The Center's models examine the timing of events to identify patterns that suggest causal relationships:

  • An increase in a physician's device referrals beginning shortly after the physician enters a consulting agreement with the device manufacturer.
  • A surge in claims following the launch of a new "patient support" program, suggesting that the program may be functioning as a referral engine.
  • Seasonal or cyclical patterns that do not align with clinical need but do align with sales quota cycles or bonus periods.
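A compliance team can run the same kind of before/after comparison on its own referral data ahead of any outside review. The following is an added example, not code from this guide or from the Data Fusion Center (whose models are not public); the physician IDs, monthly counts, thresholds, and the peer-trend adjustment are constructed assumptions.

```python
from datetime import date


def month_index(d):
    """Map a date to a running month number so windows are simple ranges."""
    return d.year * 12 + (d.month - 1)


def monthly(year, counts):
    """Build {month_index: count} for Jan..Dec of one year."""
    return {month_index(date(year, m, 1)): c for m, c in enumerate(counts, start=1)}


def window_mean(series, start, end):
    """Mean monthly referrals over [start, end); missing months count as 0."""
    months = range(start, end)
    return sum(series.get(m, 0) for m in months) / len(months)


def peer_trend(referrals, agreements, start, mid, end):
    """Growth factor over the same windows for physicians with no agreement.

    Used to separate market-wide growth from a physician-specific shift.
    """
    before = after = 0.0
    for pid, series in referrals.items():
        if pid in agreements:
            continue
        before += window_mean(series, start, mid)
        after += window_mean(series, mid, end)
    return after / before if before > 0 else 1.0


def flag_post_agreement_shifts(referrals, agreements, window=6,
                               min_ratio=2.0, min_excess=3.0):
    """Flag physicians whose referrals rose after a financial relationship began.

    A physician is flagged when post-agreement volume exceeds the peer-adjusted
    expectation by both a ratio (min_ratio) and an absolute margin (min_excess).
    Thresholds are illustrative assumptions, not regulatory values.
    """
    findings = []
    for pid in sorted(agreements):
        start_month = month_index(agreements[pid])
        series = referrals.get(pid, {})
        before = window_mean(series, start_month - window, start_month)
        after = window_mean(series, start_month, start_month + window)
        trend = peer_trend(referrals, agreements,
                           start_month - window, start_month, start_month + window)
        expected = before * trend
        excess = after - expected
        # A physician with no prior referrals has no baseline; rely on the
        # absolute margin alone in that case.
        ratio = after / expected if expected > 0 else float("inf")
        if excess >= min_excess and ratio >= min_ratio:
            findings.append({
                "physician": pid,
                "before": before,
                "after": after,
                "expected": expected,
                "excess_ratio": ratio,
            })
    return findings


# Constructed sample data (not real): monthly device-referral counts for 2025.
SAMPLE_REFERRALS = {
    "DR-A": monthly(2025, [4, 5, 4, 5, 4, 5, 12, 13, 14, 13, 12, 14]),
    "DR-B": monthly(2025, [6, 6, 7, 6, 7, 6, 7, 7, 8, 7, 7, 8]),
    "DR-C": monthly(2025, [5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6]),   # peer, no agreement
    "DR-D": monthly(2025, [5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6]),   # peer, no agreement
    "DR-E": monthly(2025, [0, 0, 0, 0, 0, 0, 5, 5, 5, 5, 5, 5]),   # no baseline
}

# Constructed consulting-agreement start dates.
SAMPLE_AGREEMENTS = {
    "DR-A": date(2025, 7, 1),
    "DR-B": date(2025, 7, 1),
    "DR-E": date(2025, 7, 1),
}

if __name__ == "__main__":
    for f in flag_post_agreement_shifts(SAMPLE_REFERRALS, SAMPLE_AGREEMENTS):
        print(f["physician"], round(f["before"], 2), "->", round(f["after"], 2),
              "expected", round(f["expected"], 2))
```

A flag from a check like this is a prompt to review the arrangement's documentation and fair-market-value support, not a finding of wrongdoing.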

4. Cross-Program Fraud Detection

By integrating data across Medicare, Medicaid, and Tricare, the Center can identify entities that exhibit different billing behaviors across programs — a red flag for fraud. For example, a device company that bills Medicare for premium devices but submits lower-cost device claims to Medicaid for the same product may be engaged in differential billing fraud.

What This Means for Device Companies

The shift from whistleblower-dependent detection to data-driven detection fundamentally changes the risk profile for medical device companies. Historically, a company could assume that if no insider was motivated to blow the whistle, its compliance gaps might never be discovered. The Data Fusion Center eliminates that assumption. A company's billing data, referral patterns, and vendor relationships are now being continuously analyzed by algorithms designed to detect fraud signatures — whether or not any human being has raised a concern.


Whistleblower Risk: Qui Tam Actions and How They Start

The qui tam provisions of the False Claims Act remain the single most important enforcement mechanism in health care fraud. In FY2025, whistleblower qui tam filings reached the highest level since the FCA was enacted in 1863, and nearly 500 new FCA cases were initiated in the second half of FY2025 alone.

How Qui Tam Actions Work

A qui tam action follows a specific procedural path that is important for device companies to understand:

| Stage | Timeline | What Happens |
| --- | --- | --- |
| Filing under seal | Day 0 | The whistleblower (relator) files a complaint in federal court under seal. The defendant is not notified. |
| DOJ investigation | 60+ days (often extended to 12-24 months) | The DOJ investigates the allegations, typically issuing civil investigative demands (CIDs) for documents and testimony. The defendant may not know about the investigation. |
| Intervention decision | End of investigation period | The DOJ decides whether to intervene (take over the case) or decline (allow the relator to proceed on their own). |
| Unsealing and service | Upon intervention decision | The complaint is unsealed and served on the defendant. The case becomes public. |
| Litigation or settlement | Months to years | The case proceeds through discovery, motion practice, and trial — or settles at any point. |

Who Are the Whistleblowers?

In the medical device context, qui tam relators are typically:

  • Current or former sales representatives who have firsthand knowledge of kickback arrangements, off-label promotion, or falsified sales data. Sales reps are the most common relators in device cases because they are closest to the conduct that generates FCA liability.
  • Compliance officers and internal auditors who have identified compliance failures that management declined to address. The FCA's anti-retaliation provisions protect employees who report fraud internally or externally.
  • Physicians who have been offered or received kickbacks and later decide to cooperate with the government, sometimes as part of a separate non-prosecution agreement.
  • Competitors who observe fraudulent conduct in the market and file suit. While less common, competitor-filed qui tam actions do occur, particularly when a competitor's fraud creates pricing or market share distortions.
  • Third-party billing companies that process claims on behalf of device companies and discover billing irregularities.

The Financial Incentive

Relators receive between 15% and 30% of the government's recovery, depending on whether the DOJ intervenes and the relator's contribution to the case. On a $100 million settlement, that means a relator award of $15 million to $30 million. On a $500 million settlement — which is within the range of recent health care fraud cases — the relator award could be $75 million to $150 million. These incentives ensure a steady flow of qui tam filings.

The March 2026 Treasury Whistleblower Initiative

On March 30, 2026, the U.S. Treasury announced a new whistleblower initiative specifically targeting Medicare and Medicaid fraud. This initiative expands the scope of whistleblower incentives beyond the FCA's qui tam provisions, creating additional pathways for individuals to report health care fraud and receive financial rewards. For device companies, this means that the universe of potential whistleblowers has expanded — it is no longer limited to individuals with direct knowledge of false claims, but now includes anyone with information about Medicare or Medicaid fraud more broadly.



The March 2026 Executive Order and Its 30-60-90 Day Timeline

On March 16, 2026, the President signed an Executive Order titled "Establishing the Task Force to Eliminate Fraud". The Order directs the creation of an inter-agency task force charged with developing and implementing a comprehensive strategy to combat fraud across federal programs, with a specific focus on health care fraud.

The 30-60-90 Day Timeline

The Executive Order imposed a structured timeline for action:

Within 30 days (by April 15, 2026):

  • The Task Force was required to convene its initial meeting and establish working groups for health care fraud, procurement fraud, and financial fraud.
  • Each working group was required to identify the top three enforcement priorities within its domain. For the health care fraud working group, the priorities identified included: (1) medical device and pharmaceutical kickback arrangements, (2) telehealth and digital health fraud, and (3) DME and home health fraud.
  • The Task Force was required to issue a directive to all federal agencies to preserve and consolidate fraud-related data for analytical use.

Within 60 days (by May 15, 2026):

  • The Task Force was required to issue an operational plan that integrates the DOJ's Data Fusion Center capabilities with the investigative resources of HHS-OIG, the FBI, and other agencies.
  • The operational plan was required to include specific metrics for measuring enforcement outcomes — including number of cases initiated, speed of investigation, and dollar amounts recovered.
  • The Task Force was required to identify legislative or regulatory gaps that impede fraud enforcement and recommend fixes.

Within 90 days (by June 14, 2026):

  • The Task Force was required to deliver a comprehensive report to the President with findings and recommendations.
  • The report was expected to include proposed changes to the AKS safe harbor regulations, enhanced data-sharing agreements between federal agencies, and potential statutory amendments to strengthen whistleblower incentives and penalties.

Implications for Medical Device Companies

The Executive Order's significance is not merely symbolic. It creates a formal mandate for accelerated enforcement, provides institutional backing for the DOJ's new enforcement architecture, and signals to the judiciary that the executive branch considers fraud enforcement a national priority. For device companies, the practical implications include:

  • Faster investigations: The Task Force's mandate to accelerate enforcement timelines means that companies should expect shorter intervals between the initiation of an investigation and the filing of formal charges or settlement demands.
  • More coordinated multi-agency investigations: The Task Force structure facilitates information-sharing between DOJ, HHS-OIG, FBI, and other agencies, creating more comprehensive investigations that can draw on a wider range of evidence.
  • Potential regulatory changes: The Task Force's recommendations may result in changes to AKS safe harbors, FCA penalty structures, or whistleblower incentive frameworks — any of which could increase enforcement exposure for device companies.

OIG Advisory Opinion 26-05: Clinical Trial Cost-Sharing as a Compliance Model

On March 11, 2026, the HHS Office of Inspector General issued Advisory Opinion 26-05, which greenlit cost-sharing subsidies for Medicare enrollees participating in medical device clinical trials. The opinion addresses a specific question: can a device manufacturer provide financial assistance to cover Medicare copayments and coinsurance for patients enrolled in the manufacturer's clinical trial without violating the Anti-Kickback Statute?

What the Opinion Says

The OIG concluded that the proposed arrangement — under which the device manufacturer would pay the cost-sharing amounts owed by Medicare beneficiaries participating in a clinical trial of the manufacturer's device — did not constitute prohibited remuneration under the AKS, provided that specific safeguards were maintained:

  • The cost-sharing subsidy must be available to all eligible Medicare enrollees in the trial, without regard to the volume or value of the beneficiary's expected use of the device outside the trial.
  • The manufacturer must not use the subsidy program as a marketing tool or condition the subsidy on the beneficiary's agreement to use the manufacturer's products after the trial concludes.
  • The subsidy must be limited to the cost-sharing amounts actually owed by the beneficiary and must not exceed the Medicare-allowed amount.
  • The manufacturer must not directly or indirectly market the subsidy program to beneficiaries in a way that could be construed as an inducement to select the manufacturer's device over alternatives.
  • The arrangement must be documented in writing, with clear terms and independent oversight.

Why This Matters for Device Companies

Advisory Opinion 26-05 is significant for three reasons:

  1. It provides a compliance-safe model for clinical trial cost-sharing: Device companies that structure their cost-sharing programs in accordance with the safeguards outlined in the opinion can significantly reduce their AKS exposure for clinical trial-related financial assistance.

  2. It signals OIG's thinking on the boundary between permissible financial assistance and prohibited inducements: The opinion draws a clear line between cost-sharing assistance that facilitates clinical research (permissible) and financial assistance that functions as a patient steering mechanism (prohibited). Companies should apply this framework to all patient-facing financial programs.

  3. It creates a template for structuring other financial assistance programs: While the opinion is fact-specific, the safeguards it requires — universal availability, no marketing, written documentation, independent oversight, and limitation to actual cost-sharing amounts — are broadly applicable to any financial arrangement between a device company and patients or providers.


Compliance Checklist: 10 Things MedTech Companies Must Do Now

The enforcement environment in 2026 demands a proactive, documented, and continuously updated compliance program. The following checklist identifies the ten most critical actions for medical device companies to take immediately.

1. Conduct a Comprehensive AKS and Stark Law Risk Assessment

Map every financial relationship between your company and referring physicians, hospitals, ASCs, and DME suppliers. For each relationship, document:

  • The business purpose and clinical justification for the arrangement.
  • Whether the compensation reflects fair market value (documented by an independent valuation if the amount exceeds $5,000 annually).
  • Whether the arrangement fits within an applicable AKS safe harbor or Stark Law exception.
  • The timing of the arrangement relative to referral volume changes.

Prioritize medical directorships, consulting agreements, speaker programs, advisory boards, and any arrangement where a referring physician receives compensation from your company.

2. Audit All Billing and Coding Practices

Review every HCPCS code, CPT code, and ICD-10 code used in claims submissions involving your devices. Identify:

  • Codes that are inconsistent with the device's cleared or approved indications.
  • Patterns of upcoding or unbundling.
  • Claims submitted for devices used off-label without adequate clinical support.
  • Any discrepancy between your marketing materials and your billing practices.

This audit should be conducted by an independent coding specialist, not internal staff who may have an interest in the outcome.

3. Review All Cybersecurity Representations

Following the Illumina settlement, every cybersecurity representation in your premarket submissions, marketing materials, and post-market communications should be reviewed for accuracy. Specifically:

  • Verify that the cybersecurity features described in your 510(k) or PMA submission are actually implemented and functional.
  • Ensure that your Software Bill of Materials (SBOM) is current and complete.
  • Confirm that your post-market vulnerability management process is operational and documented.
  • Review any customer-facing cybersecurity claims (on your website, in brochures, in sales training materials) for material accuracy.

4. Strengthen Your Internal Whistleblower Program

Given the record level of qui tam filings, your internal reporting mechanisms must be robust enough to surface compliance concerns before they become whistleblower complaints:

  • Ensure that your compliance hotline is accessible, anonymous, and available in multiple languages.
  • Train all employees — not just sales representatives — on how to report compliance concerns and the anti-retaliation protections available to them.
  • Conduct quarterly reviews of all internal complaints to identify patterns or systemic issues.
  • Respond to every internal complaint with a documented investigation and resolution.

5. Implement a Data-Driven Compliance Monitoring Program

If the DOJ is using AI to detect fraud, device companies should be using the same tools to detect their own compliance risks:

  • Deploy analytics software that monitors claims data, referral patterns, and sales data for anomalies.
  • Set up alerts for sudden changes in referral volume, billing patterns, or geographic claims concentration that could indicate kickback activity.
  • Use network analysis tools to map the relationships between your company's sales representatives, consulting physicians, and referring providers.
  • Conduct regular (at least quarterly) data-driven compliance reviews and document the results.

6. Review and Update All Physician Agreements

Every agreement between your company and a physician — consulting, advisory board, speaking, medical directorship, research, or any other financial relationship — should be reviewed against the following criteria:

  • The services to be provided are clearly described, legitimate, and documented.
  • The compensation is at fair market value and is not tied to the volume or value of referrals.
  • The agreement includes a legitimate business need that cannot be met through alternative arrangements.
  • The selection of the physician is based on documented qualifications, not referral history.
  • The arrangement includes provisions for monitoring and documentation of services actually rendered.

7. Assess Your Sales Force Practices

Sales representative conduct remains the single largest source of enforcement risk for device companies. Review:

  • Sales compensation structures that incentivize volume over compliance.
  • Sales training materials for off-label promotion language or implied efficacy claims.
  • Territory-level sales data for patterns that suggest quota-driven overutilization.
  • Expense reports for meals, entertainment, and gifts to physicians that exceed OIG guidance thresholds.
  • Sample distribution practices for compliance with the Prescription Drug Marketing Act and FDA device sample regulations.

8. Prepare for Government Investigations

If your company is not currently under investigation, the probability that it will be at some point in the current enforcement environment is significantly elevated. Preparation includes:

  • Engaging experienced FCA and health care fraud counsel — not general corporate counsel, but attorneys who specialize in government investigations and have a track record of representing device companies.
  • Establishing a document retention policy and ensuring that all potentially relevant records are preserved.
  • Designating a single point of contact within the company for all government inquiries and subpoenas.
  • Preparing a response protocol that balances cooperation with the government and protection of the company's legal rights.

9. Evaluate Your Corporate Integrity Agreement Exposure

If your company has a current Corporate Integrity Agreement (CIA) with the OIG, review every obligation under the agreement for compliance. If you do not have a CIA, understand that the DOJ and OIG frequently require CIA adoption as a condition of settlement — and CIAs impose significant operational burdens, including:

  • Mandatory compliance programs with specific structural requirements.
  • Annual compliance certifications by the company's CEO and CFO.
  • Independent review organization (IRO) audits of claims, billing, and financial arrangements.
  • Training and education requirements for all employees.
  • Disclosure obligations for any future compliance violations.
  • Monetary penalties for CIA violations.

10. Monitor the Regulatory Environment Continuously

The enforcement landscape is changing rapidly. Companies must monitor:

  • DOJ and OIG press releases for new enforcement actions and policy announcements.
  • The Task Force to Eliminate Fraud's reports and recommendations.
  • Federal Register notices for proposed changes to AKS safe harbors, Stark Law exceptions, or FCA penalty structures.
  • Advisory opinions from the OIG for guidance on permissible arrangements.
  • Court decisions in FCA and health care fraud cases that may expand or contract enforcement theories.

Assign a senior compliance officer or outside counsel to provide monthly briefings on enforcement developments.


What's Coming Next: Predictions for H2 2026 and 2027

The enforcement trajectory established in FY2025 and the first half of FY2026 shows no signs of moderating. Based on the current institutional architecture, the policy signals from the Executive Order, and the operational capabilities of the Data Fusion Center, the following developments are likely.

Accelerated Investigation Timelines

The Task Force's mandate to accelerate enforcement, combined with the Data Fusion Center's ability to generate leads programmatically, will compress investigation timelines. Companies that previously had 18-24 months between the filing of a qui tam complaint and their first knowledge of the investigation may find that window closing. Expect the DOJ to issue civil investigative demands and subpoenas more quickly, and to press for faster resolution of cases.

Expansion of Cybersecurity Fraud Enforcement

The Illumina settlement opened a new frontier in FCA enforcement for medical devices. The DOJ's Civil Cyber-Fraud Initiative, which recovered $52 million across nine cybersecurity FCA settlements in FY2025, will increasingly target medical device companies whose cybersecurity representations do not match their actual security posture. Companies with connected devices, cloud-based software, or AI algorithms should expect heightened scrutiny of their premarket cybersecurity submissions and post-market vulnerability management.

Individual Prosecution of Executives

The DOJ's "Yates Memo" principles — which prioritize individual accountability in corporate fraud cases — remain in effect and are being applied more aggressively in health care fraud cases. Expect to see more criminal indictments of device company executives, not just civil settlements with the corporate entity. The risk is particularly acute for executives who have direct oversight of sales, marketing, or billing functions where fraud originates.

AI and SaMD Enforcement

As the medical device industry's adoption of AI and software-as-a-medical-device (SaMD) accelerates, the DOJ will develop enforcement theories tailored to these technologies. Potential areas of focus include:

  • Misrepresentation of AI algorithm performance in premarket submissions.
  • Failure to disclose known algorithm biases that affect clinical outcomes.
  • Billing fraud related to AI-assisted diagnostic services.
  • Kickback arrangements disguised as AI "partnerships" or "integration agreements" between device companies and health systems.

Legislative Action

The Task Force to Eliminate Fraud's 90-day report, due in June 2026, is expected to include legislative recommendations. Potential proposals include:

  • Expansion of the AKS to cover additional categories of remuneration.
  • Increased FCA penalties for health care fraud involving medical devices.
  • Enhanced whistleblower incentives for individuals who report fraud involving AI-enabled devices.
  • New reporting requirements for device companies that would make additional data available to the Data Fusion Center.

International Coordination

While the DOJ's enforcement jurisdiction is limited to the United States, the department has increasingly coordinated with foreign law enforcement agencies on cross-border health care fraud cases. Device companies with global operations should be aware that evidence gathered in a U.S. investigation may be shared with regulators in the EU, UK, and other jurisdictions — creating parallel enforcement risk in multiple markets simultaneously.


Final Assessment

The $6.8 billion record set in FY2025 is not an anomaly. It is the result of deliberate institutional investment by the DOJ in new divisions, new analytical tools, and new enforcement strategies that are specifically designed to increase the volume, speed, and severity of health care fraud prosecutions. Medical device companies that treat compliance as a periodic exercise rather than a continuous operational discipline are exposing themselves to catastrophic financial and legal risk.

The companies that will navigate this environment successfully are those that invest in data-driven compliance monitoring, maintain rigorous documentation of all financial relationships with physicians and providers, respond aggressively to internal compliance concerns before they become whistleblower complaints, and engage experienced health care fraud counsel proactively rather than reactively.

The enforcement architecture is built. The analytical tools are operational. The whistleblowers are filing at record rates. The question for every medical device company in 2026 is not whether the DOJ is looking — it is whether your company is ready.
