False Claims Act Compliance Programs: How to Build DOJ-Defensible Documentation
The Department of Justice recovered over $2.68 billion in False Claims Act settlements and judgments in fiscal year 2023 alone. For compliance leaders in healthcare, finance, and other regulated industries, False Claims Act compliance isn’t just a legal checkbox. It’s an organizational survival strategy.
But here’s the challenge most compliance teams face: you can have a solid program in practice and still fail under DOJ scrutiny if your documentation doesn’t tell the story. Investigators don’t just ask, “Do you have a compliance program?” They ask, “Can you prove it works?”
This article walks through how to build documentation that stands up to that question — step by step.
TL;DR — Key Takeaways
- The False Claims Act imposes serious liability on organizations that submit false claims to government programs. Strong documentation is your first line of defense.
- The DOJ evaluates compliance programs based on three core questions: Is it well-designed? Is it implemented effectively? Does it work in practice?
- Documentation must cover policies, training, reporting channels, investigations, risk assessments, and remediation.
- A centralized case management system is critical for maintaining an immutable, auditable trail of evidence.
- Proactive compliance — not reactive scrambling — is what separates organizations that survive investigations from those that don’t.
What the False Claims Act Actually Requires
The False Claims Act (FCA) is a federal law that holds individuals and organizations liable for knowingly submitting false or fraudulent claims to government programs. Originally passed during the Civil War, it has become the DOJ’s primary tool for combating fraud — especially in healthcare (Medicare and Medicaid billing) and government contracting.
Key things to understand:
- “Knowingly” is broad. It includes actual knowledge, deliberate ignorance, and reckless disregard. You don’t have to intend fraud. You just have to fail to prevent it.
- Qui tam provisions allow private individuals (often employees) to file lawsuits on behalf of the government. These whistleblower-initiated cases account for the majority of FCA recoveries.
- Penalties are steep: treble damages (three times the government’s loss) plus per-claim penalties that currently range from $13,946 to $27,894.
For compliance professionals, the implication is clear: you need a program that both prevents false claims and proves you took reasonable steps to do so.
How the DOJ Evaluates Your False Claims Act Compliance Program
The DOJ’s Evaluation of Corporate Compliance Programs outlines what prosecutors look for when deciding whether a compliance program is credible. It boils down to three questions:
1. Is the Program Well-Designed?
This means your policies, procedures, and controls are tailored to your actual risk profile — not copied from a template. The DOJ wants to see:
- A written code of conduct and FCA-specific policies
- Risk assessments that identify your organization’s unique fraud risks
- Reporting channels that employees actually know about and trust
- Policies around gifts, entertainment, and conflicts of interest
2. Is the Program Implemented Effectively?
Design on paper isn’t enough. Prosecutors look at whether the program has teeth:
- Is there adequate staffing and budget for compliance?
- Does senior leadership visibly support the program?
- Are reports investigated thoroughly and consistently?
- Is there evidence of training and communication?
3. Does the Program Work in Practice?
This is where documentation becomes everything. The DOJ looks at:
- How the organization detected the misconduct (or why it didn’t)
- Whether the compliance function had access to relevant data
- How quickly the organization responded
- What remediation steps were taken — and whether root causes were addressed
For a deeper look at recent shifts in DOJ enforcement priorities, see DOJ Corporate Enforcement Policy 2024 Update: What Changed for Compliance Programs.
The Seven Pillars of DOJ-Defensible Documentation
Now let’s get practical. Here are the seven documentation areas that form the backbone of a defensible False Claims Act compliance program.
Pillar 1: Written Policies and Code of Conduct
Your policies are the foundation. But they can’t sit in a binder on a shelf. You need to document:
- Version history. When policies were created, reviewed, and updated.
- Distribution records. Proof that employees received and acknowledged them.
- Specificity. Generic anti-fraud language isn’t enough. Include FCA-specific provisions, billing compliance procedures, and anti-kickback protocols relevant to your industry.
Pro tip: A centralized ethics portal — a branded hub where employees access policies, reporting forms, and compliance communications — makes distribution and acknowledgment tracking much simpler.
Pillar 2: Risk Assessments
The DOJ expects your program to be risk-based. That means conducting regular, documented risk assessments that identify:
- Areas of highest fraud exposure (billing, coding, vendor relationships, etc.)
- Changes in regulations or business operations that create new risks
- Gaps between current controls and identified risks
Risk assessments should produce clear outputs — heat maps, scoring, and prioritized action items. They should also be repeatable, not one-time exercises.
Organizations that use structured risk assessment tools with features like automated heat map visualization and configurable scoring see completion rates of 80-90% when using streamlined access methods like magic links. Compare that to the 40-60% industry average with traditional survey approaches.
Pillar 3: Reporting Channels and Speak-Up Culture
The qui tam provisions of the FCA mean that if your employees don’t feel safe reporting internally, they’ll report externally — directly to the government. Your documentation should show:
- Multiple intake channels. Hotline, web forms, SMS, in-person — the more accessible, the better.
- Promotion and awareness. Records of how you communicated these channels to employees.
- Reporter experience data. Metrics like caller satisfaction, identified caller rates, and report volume per employee.
Here’s a benchmark that matters: organizations with effective speak-up cultures typically see around 3.6 reports per 100 employees annually. If your numbers are significantly lower, it may signal that employees don’t trust the system — a red flag for investigators.
The quality of intake matters too. Reports gathered through in-depth, behaviorally informed interviews produce richer detail than scripted, rushed calls. When your average report takes 14-15 minutes to complete (versus a 6-7 minute industry average), the resulting documentation gives investigators far more to work with — in your favor.
For more on how reporting channel design affects compliance outcomes, see Third-Party Ethics Hotline vs. Internal Reporting: What the Data Says About Report Quality, Trust, and Compliance Outcomes.
Pillar 4: Investigation and Case Management
Every report needs a documented investigation trail. This is where many programs fall apart. The DOJ looks for:
- Consistent intake-to-resolution workflows. Every case follows the same process.
- Timely response. Delays in investigation signal a program that isn’t taken seriously.
- Centralized records. All evidence, interview notes, communications, and decisions in one place.
- Immutable audit trails. Logs that show who did what, when — and that can’t be altered after the fact.
A cloud-based case management system that aggregates all intake channels into a single 360-degree view of each case is essential for this. Spreadsheets and email chains won’t survive DOJ scrutiny.
For guidance on what to look for in a case management platform, check out the Ethics Case Management Software Buyer’s Guide: 12 Must-Have Features for 2025.
Pillar 5: Conflicts of Interest and Disclosure Management
FCA violations often trace back to undisclosed conflicts — physician self-referrals (Stark Law), vendor kickbacks, or undisclosed financial relationships. Your documentation should include:
- Annual disclosure campaigns with documented completion rates
- Branching logic that surfaces relevant questions based on role and risk level
- Risk-based triage so high-risk disclosures get immediate review
- Records of follow-up actions taken on flagged disclosures
Automated disclosure management with HRIS integration ensures the right people get the right forms — and that you can prove it.
Pillar 6: Remediation and Corrective Action Plans
Finding a problem is only half the battle. The DOJ wants to see what you did about it. Document:
- Root cause analysis for every substantiated finding
- Structured corrective action plans (CAPs) with clear owners, deadlines, and milestones
- Policy revisions triggered by investigation findings
- Training requirements assigned as part of remediation
- Follow-up verification that corrective actions were actually completed
Tracking remediation within your case management system — rather than in separate documents — keeps everything connected and auditable.
Pillar 7: Ongoing Monitoring and Analytics
A defensible program isn’t static. It evolves based on data. Your documentation should demonstrate:
- Trend analysis of report types, case outcomes, and response times
- Benchmarking against industry standards
- Board and leadership reporting with role-based dashboards that translate operational data into strategic insights
- Program adjustments driven by data — not just gut instinct
When your analytics platform transforms case management data into business intelligence, you move from reactive compliance to proactive risk management. That’s exactly the shift the DOJ rewards.
Common Documentation Gaps That Sink FCA Defenses
Even well-intentioned programs stumble on these common mistakes:
- No evidence of program updates. If your policies haven’t changed in three years, the DOJ will question whether you’re paying attention to evolving risks.
- Inconsistent investigation processes. If similar reports are handled differently, it suggests bias or lack of structure.
- Missing remediation follow-through. Identifying issues but not fixing them is arguably worse than not finding them at all.
- Siloed data. When hotline reports live in one system, disclosures in another, and risk assessments in a spreadsheet, you can’t connect the dots — and neither can your auditors.
- Low reporting volume with no explanation. If employees aren’t reporting, you need to document what you’re doing to change that.
Building a Culture, Not Just a Binder
Documentation matters. But the DOJ is increasingly looking beyond paperwork to evaluate whether compliance is embedded in organizational culture.
That means your program should demonstrate:
- Visible leadership commitment. Executive messaging on ethics, not just annual sign-offs.
- Employee trust in reporting channels. High identified caller rates (around 75% versus the 50% industry average) suggest employees trust the process enough to give their names. For more on why this metric matters, read Why 75% Identified Caller Rates Matter for DOJ Compliance Program Evaluations.
- Responsive, respectful reporter experience. A caller satisfaction rate above 90% tells the DOJ that your reporting system treats people with dignity — which drives future reporting.
These aren’t soft metrics. They’re measurable indicators that your program works in practice, not just on paper.
Conclusion: Start With What You Can Prove
False Claims Act compliance isn’t about perfection. It’s about demonstrating a genuine, evolving commitment to preventing fraud and responding appropriately when issues arise.
The DOJ has made it clear: organizations with well-documented, data-driven compliance programs receive more favorable treatment — including reduced penalties, deferred prosecution agreements, and even declinations.
Start by auditing your current documentation against the seven pillars above. Identify your gaps. Then build systems that create audit trails automatically — so your team spends less time assembling evidence and more time actually managing risk.
The best time to prepare for a DOJ investigation is long before one starts.
Frequently Asked Questions
What is the False Claims Act and who does it apply to?
The False Claims Act is a federal law that imposes liability on any person or organization that knowingly submits false claims to government programs. It applies broadly to healthcare providers billing Medicare/Medicaid, government contractors, financial institutions, and any entity receiving federal funds.
How often should we update our FCA compliance documentation?
At minimum, review and update policies annually. However, you should also update documentation whenever there’s a significant regulatory change, a new risk identified through assessment, or a substantiated investigation finding that reveals a control gap.
What’s the most important thing the DOJ looks for in a compliance program?
The DOJ focuses on whether the program works in practice — not just whether it exists on paper. That means documented evidence of reporting, investigations, remediation, and continuous improvement. A program that detects and corrects issues proactively is far more credible than one that looks good in a binder but has no operational track record.
How does a speak-up culture relate to FCA compliance?
Because the FCA’s qui tam provisions allow employees to file lawsuits on behalf of the government, organizations that don’t foster internal reporting risk having issues reported externally first. A strong speak-up culture — supported by accessible, trusted reporting channels — gives you the chance to identify and address problems before they become government investigations.
What role does case management software play in FCA defense?
Case management software centralizes your investigation records, creates immutable audit trails, and connects intake data with remediation tracking. This gives you a single, defensible source of truth that prosecutors and auditors can review — which is far more credible than scattered emails, spreadsheets, and shared drives.