The 120-Day Sprint: What DOJ's $6.5B Fraud Sweep Means for Independent Practices
In June 2026 the DOJ charged 455 defendants across a $6.5B healthcare fraud takedown. In March, DOJ published a first-ever department-wide Corporate Enforcement Policy with a 120-day self-disclosure window. Together they change how an independent practice must handle an internal compliance report.

The 120-Day Sprint: What DOJ's $6.5B Fraud Sweep Means for Independent Practices
Two federal enforcement actions this year have changed how an independent healthcare practice must respond when an employee raises a compliance concern internally. Treated in isolation, either would be worth a compliance-officer's memo. Treated together — as they should be — they establish a much sharper expectation about how fast an independent practice must move.
The first, quieter action came March 10, 2026. The Deputy Attorney General issued the first-ever department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, replacing a patchwork of policies that had varied by DOJ component and by U.S. Attorney's office. The updated policy applies to all corporate criminal matters handled by DOJ, with the sole exception of antitrust violations.
The second, louder action came June 30. DOJ announced the 2026 National Healthcare Fraud Takedown: 455 defendants, more than 90 licensed medical professionals, over $6.5 billion in alleged fraud, across 56 federal districts, 45 U.S. states and territories, and 50 state Medicaid Fraud Control Units — the most participating MFCUs in Department history.
The June headline gets the airtime. The March policy is the more consequential development for how an independent practice actually operates.
1 — The takedown, in specifics
The 2026 takedown is a scale point, but the mechanism is where the diagnostic value lives.
The record numbers. 455 defendants charged in connection with over $6.5 billion in false claims. 295 charged defendants and more than $518 million in false claims specifically related to Medicaid — a record. CMS suspended 1,079 providers and revoked billing privileges for 1,403. HHS-OIG initiated actions to restore over $10 billion of flagged and suspended payments back to the Medicare Trust Fund. Authorities seized more than $182 million in cash, luxury vehicles, jewelry, and other assets.
The detection engine. DOJ, HHS-OIG, and CMS credit the scale to advanced data analytics — a Data Fusion Center and a Financial Intelligence Review Team that flag outlier billing, open cases within days, and seize assets early. The categories most heavily targeted were wound care, behavioral health, genetic testing, telemedicine, and Medicaid. This is not a takedown driven by whistleblower tips arriving at a leisurely pace. It is a takedown driven by an outlier-detection system that identifies suspicious billing patterns and refers them to enforcement before payment.
What this means for the independent practice. The takedown's docket weighs toward high-volume fraud operations, but the detection engine that produced it does not distinguish between hospital-system billing volume and independent-practice billing volume. Both flow through the same claims infrastructure. Both get scored by the same outlier models. Independent practices with billing patterns that diverge from peer norms — for defensible clinical reasons or otherwise — should assume they are visible to the same analytical pipeline that produced 455 defendants this June.
2 — The 120-day sprint
The March 10 Corporate Enforcement Policy is where independent-practice operations actually meet the enforcement change. Three features matter.
A single, department-wide standard. The pre-2026 landscape had DOJ components — the Criminal Division, the Civil Division, individual U.S. Attorney's Offices — each running their own voluntary self-disclosure calculus. That patchwork is gone. Since March 10, the same three-part framework applies across DOJ (with the exception of antitrust). Companies no longer need to guess which policy governs their disclosure decision.
Three paths, sharply differentiated.
- Part I — Declination. A company that self-discloses, fully cooperates, and remediates timely — with no aggravating circumstances — will not be prosecuted. Full declination is a real outcome, not a hypothetical.
- Part II — "Near-miss." A good-faith disclosure that falls short of full declination still earns a non-prosecution agreement, a term under three years, no compliance monitor, and a 50-75% fine reduction.
- Part III — Other resolutions. Everything else falls to prosecutorial discretion, with possible reductions up to 50%.
The gap between Part I and Part III is the difference between "not prosecuted" and "significantly discounted but still prosecuted." That gap is what the 120-day window pays for.
The 120-day window itself. This is the operational detail that changes compliance program design. If a whistleblower has already reported misconduct to the company internally, the company can still qualify for Part I declination — but only if it self-discloses to DOJ within 120 days of receiving the whistleblower's internal report. Miss the window, or fail to complete the investigation in time, and Part I closes.
For a healthcare practice, that clock starts when an employee raises a concern internally — through HR, through a compliance hotline, in a supervisor's ear at the copy machine. It runs regardless of whether the practice has begun to investigate. It runs regardless of whether the practice recognizes the concern as significant. It runs regardless of whether the compliance officer is on vacation the week the report comes in.
3 — The qui tam parallel clock
There is a second clock that most independent practices do not see coming.
A qui tam False Claims Act complaint is filed under seal. The relator files with the court and serves the U.S. Attorney's Office, but not the defendant. The seal typically holds for at least 60 days while DOJ decides whether to intervene, and courts routinely extend the seal for months or even years. Throughout that window, the company under investigation may not know a case has been filed against it.
Part I declination under the new CEP requires that the misconduct be "not previously known" to DOJ. If a relator's complaint arrived at the U.S. Attorney's Office before the practice self-discloses, the practice cannot get Part I — regardless of how thorough its own investigation was.
The Civil Division has separately tightened the timeline on its side. As of May 27, 2026, DOJ attorneys assigned to a qui tam matter are required to complete their initial investigation within 120 days, with extensions requiring senior-level approval. The federal side of the case now moves faster than the standard seal extensions historically allowed. Practices that discover a qui tam mid-investigation have materially less runway than they used to.
The combined effect: the fastest-moving actor in the room is now the government. An independent practice that thinks it has months to organize its own inquiry is running against a clock that was never visible to it.
4 — What a 120-day sprint actually looks like
For a hospital system with a general counsel, a dedicated compliance department, an internal audit function, and a retained outside firm, 120 days is a workable window. For an independent practice with a part-time compliance officer, a practice manager wearing three hats, and a filing cabinet, 120 days is a sprint.
The operational reality of a defensible 120-day response looks approximately like the sequence below. DOJ has not published a day-by-day timeline; this is an illustrative framework built backward from the CEP's requirements — specific phases and cadence will differ by matter and by counsel, but the compressed weeks look similar in every real inquiry.
Days 0–7 · Intake and preservation. Concern is received and logged with time-stamped intake. Systems that could contain relevant evidence are put on litigation hold. Access logs are exported. Email preservation is enabled. Backup schedules are verified. A named investigator is assigned. The concern is triaged for whether it is (a) a compliance issue, (b) a HIPAA issue, (c) a False Claims Act issue, or (d) all three.
Days 7–30 · Scope and preservation review. The investigator identifies affected patient populations, billing periods, coding categories, and the individuals whose conduct is in scope. Chart-level review begins. Compliance controls that should have prevented the conduct are audited: were policies in place, were they trained on, were access controls enforced. Interviews are scheduled.
Days 30–75 · Fact-finding and root-cause analysis. Interviews are conducted. The billing pattern is mapped against peer norms and coding guidance. The root cause is documented — was this a training gap, a system misconfiguration, an isolated staff member, a knowing pattern. Remediation controls are designed and, where possible, deployed. If outside counsel is engaged, they conduct a privileged parallel review.
Days 75–105 · Disclosure decision and drafting. Leadership reviews the investigative record with counsel and makes the disclosure decision under the CEP framework. If disclosure is warranted, the disclosure package is drafted — factual chronology, root cause analysis, remediation completed and planned, cooperation commitments.
Days 105–120 · Filing and confirmation. Disclosure is filed with the appropriate DOJ component. Any parallel disclosures to CMS, HHS-OIG, or OCR are coordinated. The practice's response tracker is closed on the 120-day dial.
Any independent practice reading this list should recognize that the compressed weeks are not the fact-finding weeks — those are already tight. The compressed weeks are Days 0-7. A practice without an intake workflow, a documented preservation procedure, a named investigator, and an audit-log export capability will lose the first week to figuring out what to do. That week is the difference between a Part I outcome and a Part III outcome.
5 — Why this matters for HIPAA compliance specifically
The Corporate Enforcement Policy targets federal fraud broadly — False Claims Act violations, kickbacks, Stark violations, controlled-substance diversion. It is not a HIPAA statute.
But the operational overlap is substantial. Most internal compliance concerns at an independent practice do not arrive with a clean regulatory label. A staff member who reports that "billing has been coding office visits as higher levels than we saw" may have surfaced a False Claims Act issue, a HIPAA workforce-training gap (no compliance training on coding), a state medical board issue, and a data-integrity issue in the practice's EHR — all at once. The 120-day clock runs on the FCA piece; the HIPAA piece triggers its own reporting obligations under 45 CFR 164.400-414.
The controls that would let a practice respond well to a 120-day CEP window are largely the same controls that produce good HIPAA outcomes. A running risk assessment. A documented compliance program. Trained workforce with attestation records. Audit logs retained beyond the six-year HIPAA floor. Vendor BAA inventory. Access-control review. Incident response procedures rehearsed rather than filed.
A practice with those in place has the raw material to respond to a 120-day CEP inquiry. A practice without them is starting from zero, and the CEP clock does not stop while the starting materials are assembled.
6 — What Patient Protect changes
The compliance infrastructure required to survive a 120-day sprint is exactly the infrastructure Patient Protect maintains continuously. Patient Protect is not a self-disclosure tool. It is the running compliance program that makes self-disclosure decisions possible on the timeline the current DOJ policy contemplates.
The specific elements that compress the first 7-30 days of a 120-day response:
- Continuous risk assessment with dated, retained findings — no reconstruction from memory
- BAA inventory with executed status, scope, and renewal tracking — you know who the vendors are the moment the question comes up
- Workforce training records with attestation timestamps — training that happened is documented as such
- Audit-log retention beyond the six-year minimum — evidence for events older than the typical retention window
- Incident response workflow with documented preservation triggers — the first-week response is a procedure, not a scramble
- Policy inventory mapped to CFR citations — regulator asks "what policy governed this?" and the answer exists
For the independent practice reading a $6.5B headline and wondering whether the 2026 enforcement climate makes documentation-only compliance viable, the honest answer is that the CEP's 120-day window is the specific mechanism by which it stops being viable.
Sources and further reading
- DOJ Office of Public Affairs. National Health Care Fraud Takedown Results in 455 Defendants Charged in Connection with Over $6.5 Billion in Alleged Fraud. June 30, 2026.
- DOJ Criminal Division. Corporate Enforcement and Voluntary Self-Disclosure Policy. Department-wide policy effective March 10, 2026.
- HHS Office of Inspector General. 2026 National Health Care Fraud Takedown.
- DOJ Office of Public Affairs. Department of Justice Releases First-Ever Corporate Enforcement Policy for All Criminal Cases. March 10, 2026.
This analysis reflects the state of federal healthcare fraud enforcement as of July 2026. The Corporate Enforcement Policy is subject to interpretive guidance from DOJ components. Independent practices with specific self-disclosure questions should consult qualified healthcare enforcement counsel.

