DOJ's Top 3 FCA Targets for 2025: Is Your Small Practice at Risk? (31 U.S.C. § 3729)

The federal False Claims Act (FCA) at 31 U.S.C. § 3729 imposes treble damages and per-claim penalties for knowingly submitting false or fraudulent claims to federal programs. For small healthcare practices, FCA exposure often arises from routine operational missteps, documentation gaps, billing rule misunderstandings, or vendor-influenced marketing arrangements, that can appear “knowing” when records are weak. In 2025, three risk themes remain front-and-center for small practices: telehealth and E/M billing accuracy, remuneration arrangements that implicate anti-kickback principles, and failure to identify and return overpayments tied to claim errors. This article translates the statute into a practical playbook, showing how to harden processes, maintain defensible evidence, and respond decisively when issues surface. Following these steps helps reduce exposure under § 3729 and positions your practice for more favorable outcomes if enforcement action occurs.

Small practices operate on thin margins and tight schedules, which makes them particularly vulnerable to FCA pitfalls embedded in everyday workflows. The FCA reaches any claim submitted “knowingly”, a term that includes actual knowledge, deliberate ignorance, or reckless disregard of the truth. That breadth means that unclear policies, inconsistent training, and little auditing can transform ordinary mistakes into legal risk. This guide breaks down the FCA’s core standards and highlights where small-clinic processes typically fail, then supplies a step-by-step compliance approach and a self-audit toolkit you can execute with limited staff and budget.

Understanding the FCA Focus in 2025 Under 31 U.S.C. § 3729

The FCA’s liability provision, 31 U.S.C. § 3729(a), creates civil liability for anyone who knowingly submits, or causes to be submitted, a false or fraudulent claim for payment to the United States. Key elements relevant to a small clinic are:

Knowingly: Includes actual knowledge, deliberate ignorance, or reckless disregard of the truth or falsity of information. The government need not prove specific intent to defraud.

Materiality: The falsehood must be material to the government’s payment decision; operationally, this often turns on whether documentation and coding requirements were central to coverage/payment.

Damages and penalties: Liability includes treble damages and per-claim civil penalties, adjusted for inflation.

With that framework, here are the Top 3 FCA risk themes for small practices in 2025, each tightly linked to § 3729:

Telehealth & E/M Billing Integrity.
Expanded telehealth coverage and persistent E/M coding variability create a high-volume, error-prone environment. When documentation does not substantiate time, complexity, or incident-to supervision rules, patterns can look reckless, implicating the “knowing” standard.

Remuneration & Marketing Arrangements.
Payments or in-kind benefits that influence referrals (e.g., “free” services, gift cards, aggressive speaker programs, sham consulting) can taint claims. Even though anti-kickback enforcement has its own statute, kickback-tainted claims are false under the FCA when submitted to federal programs.

Overpayments & Retention.
Once your practice identifies an overpayment, failing to promptly quantify and refund it risks FCA liability for reverse false claims. Inadequate tracking and delayed remediation can be characterized as reckless disregard.

Why this legal framing matters: The FCA does not require proof that an owner intended to cheat; it punishes patterns that a reasonable practice should have detected and corrected. Your best defense is operational: policies, training, audits, and fast corrective actions that show diligence rather than disregard.

The HHS Office for Civil Rights (OCR) enforces HIPAA privacy and security rules, not the FCA. FCA investigations are led by the U.S. Department of Justice (DOJ), often with the HHS Office of Inspector General (OIG), CMS program integrity contractors, and, for Medicaid, state partners. Practical triggers that can touch a small practice include:

Qui tam whistleblower suits filed by current or former staff under 31 U.S.C. § 3730.

Data analytics identifying outlier billing patterns in E/M distributions, modifier use, or telehealth volumes.

Payer or OIG referrals after audits, overpayment trends, or hotline complaints.

Self-disclosures that reveal broader patterns requiring government coordination

While OCR is not the FCA enforcer, OCR-driven documentation discipline (access logs, risk analysis, incident tracking) strengthens your overall compliance posture and your ability to prove diligence if an FCA review occurs.

Each step below ties directly to FCA risk management under 31 U.S.C. § 3729. For every action, build evidence that demonstrates your clinic’s diligence.

1) Publish a One-Page FCA Policy Addendum.

How to comply: Define “knowingly” in plain terms; list top FCA risks (telehealth/E/M, remuneration, overpayments); require staff to report concerns without retaliation.

Evidence: Staff acknowledgments; dated policy; periodic refresh log.

Low-cost: Use your EHR’s broadcast or team messaging to capture electronic signatures.

2) Install a Two-Channel Speak-Up System.

How to comply: Provide an internal form and an anonymous option; triage weekly.

Evidence: Event log with timestamps, owner assignment, and closure notes.

Low-cost: Free survey tools feeding a protected spreadsheet; access restricted to owner and compliance lead.

3) Launch a Telehealth & E/M Micro-Audit Cadence.

How to comply: Sample 10–20 encounters per provider each month; verify time or complexity, chief complaint, history, exam/MDM, and telehealth-specific attestations.

Evidence: Checklists; error taxonomy; coaching records; re-audit results.

Low-cost: Peer review rotations with standardized templates.

4) Formalize “Incident-To” Supervision Rules.

How to comply: Document supervision type, supervising provider presence/availability, and documentation that supports billing at the physician rate.

Evidence: Visit notes with clear supervisory notation; routing logs showing involvement.

Low-cost: Add a mandatory “supervision attestation” smart phrase in the EHR.

5) Control Remuneration & Marketing Arrangements.

How to comply: Pre-approve any vendor or patient-facing incentives; evaluate commercial reasonableness and referral influence; maintain written agreements.

Evidence: Arrangement register; fair-market-value rationale; approvals.

Low-cost: A single-page intake form; calendar reminders for annual renewals.

6) Create an Overpayment “Day 0 to Day 60” Playbook.

How to comply: Start a clock the day an overpayment is identified; quantify scope; coordinate payer refunds; confirm receipt.

Evidence: Overpayment file with timeline, calculation worksheets, refund confirmation.

Low-cost: Spreadsheet tracker; weekly huddles until closure.

7) Train in Short, Role-Based Sprints.

How to comply: 20-minute modules for front desk, coders, clinicians; emphasize real clinic examples.

Evidence: Attendance, quiz scores, remediation plans.

Low-cost: Staff meetings; slide decks saved to a shared folder.

8) Strengthen Documentation at the Source.

How to comply: Add EHR prompts for time, MDM elements, telehealth location/consent, and supervising provider.

Evidence: Template change log; sample encounters showing completeness.

Low-cost: Configure existing EHR fields; no add-on purchase required.

9) Decide Early on Self-Disclosure vs. Remediation.

How to comply: Use a decision tree that considers scope, duration, and scienter indicators; document rationale and counsel input when needed.

Evidence: Decision memo; CAP; proof of repayment or disclosure submission.

Low-cost: A simple template plus an hour of outside advice as needed.

10) Drill Document Production Twice a Year.

How to comply: Simulate a subpoena: pull policies, micro-audit results, CAPs, overpayment files, and training records within 72 hours.

Evidence: Drill checklist; time-to-produce metric; gap list with fixes.

Low-cost: Internal dry run during a scheduled admin afternoon.

Case Study

A three-provider primary care clinic expanded telehealth follow-ups. Six months later, an internal micro-audit found numerous level-4 E/M telehealth visits without time statements or sufficient MDM detail. A medical assistant also reported a device company offering $25 gift cards to “encourage patient engagement” after visits.

Clinic response: The compliance lead opened an event file, added a litigation hold for relevant records, and reviewed three months of claims. The team identified a subset of upcoded telehealth claims and processed refunds to the applicable payers. The owner canceled the gift-card pilot, documented the rationale, and updated the arrangements policy to require pre-approval and FMV review.

Outcome: When a payer requested records for a focused review, the clinic produced the micro-audit results, corrective training materials, refund confirmations, and the arrangements register showing the discontinued incentive plan. The payer accepted refunds and closed the probe without escalation. By moving quickly and documenting each decision, the clinic converted a potential FCA exposure into a controlled remedial episode aligned with § 3729’s scienter and materiality concepts.

Avoided consequences: Prolonged investigation, qui tam risk by disgruntled staff, and higher damages based on pattern/duration.

This checklist keeps your controls aligned with the statute’s core themes, knowledge, materiality, and diligence, while producing evidence that supports favorable consideration if reviewed.

Common Pitfalls to Avoid Under 31 U.S.C. § 3729

Lists are most useful when they point to outcomes investigators care about: knowledge, materiality, duration, and remediation.

Treating staff reports as HR noise rather than legal risk. When concerns stall without triage, you risk reckless disregard. Practical consequence: stronger scienter narrative and larger damage window.

Telehealth documentation that omits time or MDM elements. Missing anchors make level selection indefensible. Practical consequence: denials, repayments, and potential extrapolation.

Unvetted incentives or “patient engagement” perks. Benefits tied to referrals or utilization can taint claims. Practical consequence: claims characterized as false if remuneration influenced care.

Overpayment, “we’ll get to it next month.” Delayed refunds undermine diligence. Practical consequence: reverse-false-claim theory and heightened penalties.

Incident-to billing without real supervision. If supervision is absent or poorly documented, billing at a higher rate becomes a misrepresentation. Practical consequence: exposure across many claims.

Preventing these errors shortens duration, strengthens your materiality argument, and demonstrates good-faith remediation, each central to § 3729 risk.

Best practices should be affordable and easy to repeat. They also need to produce artifacts that show diligence.

The 10–10–10 Review: For every provider, review 10 telehealth and 10 in-person E/M encounters from the last 10 days; fix errors and log lessons learned.

Micro-learning nudges: Push a two-minute “code pearl” twice monthly (e.g., time documentation in telehealth; supervision phrasing). Keep a repository for auditors.

Arrangements one-pager: Require a one-page summary before any vendor or community program starts, purpose, FMV, referral neutrality, renewal date.

Refund Fridays: A weekly 30-minute slot to close open overpayment items and update the tracker.

Evidence parceling: For every issue, maintain a single folder with intake, analysis, CAP, training, and proof-of-closure; this compresses response time during inquiries.

Together, these practices raise your clinic’s baseline and produce the kind of contemporaneous proof investigators and payers respect

Culture turns policy into muscle memory. Embed FCA awareness into daily operations:

Leadership tone: Owners reiterate quarterly that accuracy and integrity outrank volume; thank reporters and share de-identified “fixes we made.”

Role clarity: Assign a part-time compliance lead to run triage, audits, and CAPs; back them with owner authority.

Rituals: Keep standing agendas for huddles, events, micro-audit deltas, open refunds, and training uptake.

Transparency: Track and display a simple dashboard (training completion, audit error rates, CAP closure times).

Positive reinforcement: Recognize teams or individuals who broke error chains or improved metrics.

These moves demonstrate that your practice neither ignores nor normalizes risk. That narrative matters if a whistleblower emerges or a data outlier draws scrutiny.

Summary: Under 31 U.S.C. § 3729, the biggest FCA exposures for small practices in 2025 cluster around telehealth/E/M documentation, remuneration arrangements, and overpayment management. The difference between a correctable error and an FCA problem is often your evidence of diligence: a speak-up channel, micro-audits, fast refunds, and clean documentation of supervision and time.

Advisers:

DOJ FCA resources for understanding enforcement priorities and case trends.

HHS-OIG compliance program guidance and the Provider Self-Disclosure Protocol for structured remediation when appropriate.

CMS manuals and transmittals for coverage and documentation specifics that anchor your micro-audit criteria.

OCR HIPAA guidance to strengthen log discipline and incident documentation that doubles as diligence evidence.

Low-cost tools: Shared drives with restricted folders, simple forms/surveys for event intake, spreadsheet dashboards, and EHR template prompts, no new software required.

An effective way to reinforce compliance is through a regulatory platform. Such systems track evolving requirements, generate ongoing risk insights, and ensure your practice remains audit-ready, minimizing liabilities while strengthening patient trust.

• False Claims Act, 31 U.S.C. §§ 3729(DOJ)
• Justice Manual—Civil Resource Manual: The False Claims Act (DOJ)
• HHS-OIG Provider Self-Disclosure Protocol