When Compliance Becomes an M&A Dealbreaker: DOJ and OIG Guidance for Health Care M&A

The Trump Administration’s enforcement tone may have shifted the rhetoric, but the machinery it built still hums. Across agencies, the Department of Justice (DOJ), Department of Health and Human Services (HHS) and the Office of Inspector General (OIG) continue to emphasize accountability, individual liability and program integrity in health care. And that means mergers and acquisitions (M&A) are squarely in their sights.

Start with the DOJ’s Corporate Compliance Program Guidance. Prosecutors will continue to look beyond whether a company had a compliance program “on paper” and focus on whether the program was designed well, resourced properly and working in practice. This matters in M&A because the acquirer can’t simply claim ignorance if a target’s misconduct continues after closing.

The OIG’s 2023 General Compliance Program Guidance brought a parallel shift. Its seven foundational elements, including written policies, leadership oversight, training, open communication, enforcement, risk assessment and corrective action, are now expected from every health care entity, including payers, vendors, tech companies and startups. It’s no longer enough to rely on a compliance officer and a binder. Regulators expect a living, breathing system.

Add to that the DOJ–HHS False Claims Act Working Group, revived in 2025, which has committed to cross-agency coordination in rooting out health care fraud. The message is unmistakable: corporate misconduct will be traced, even across mergers and reorganizations.

The DOJ’s Corporate Whistleblower Awards Pilot Program, the Voluntary Self-Disclosure Policy and the Clawback Program round out a toolkit that blends incentives and penalties. Companies can reduce exposure by self-disclosing issues early, or they can watch employees cash in as whistleblowers while the government claws back bonuses from executives. Either way, compliance is now part of the transaction calculus.

Why This Matters to M&A Transactions

Health care M&A has always been about managing risk: regulatory, reimbursement, clinical and reputational. But today, compliance risk is the new financial and criminal risk.

Under modern DOJ doctrine, successor liability is unavoidable if the buyer continues the target’s operations without addressing past misconduct. Even if the violations occurred pre-closing, the government may still hold the acquirer accountable if it “inherits” bad actors, faulty systems or tainted contracts. In other words, due diligence doesn’t stop at checking licenses and reviewing contracts; it also requires examining compliance culture.

This shift changes dealmaking itself. Buyers are expected to dig deeper: How were claims submitted? Were sales reps incentivized properly? Did the target have internal reporting channels? Were any self-disclosures filed? A weak or nonexistent compliance program can directly affect valuation. What used to be a post-deal problem now impacts purchase price, escrow terms and indemnification clauses.

Integration is the second big challenge. The DOJ explicitly evaluates whether acquirers act quickly to integrate the target into their compliance infrastructure. An acquirer must not be seen as allowing a newly purchased subsidiary to keep running its older or otherwise non-compliant compliance system, since that may be seen as tolerating misconduct. The voluntary disclosure safe harbor offers protection only if the buyer promptly investigates, reports and remediates.

The DOJ’s whistleblower incentives pilot program means that any insider can report misconduct directly to the government and receive a financial reward. If that happens after your deal closes, the successor company may be seen to inherit the liability.

How These Rules Apply Across the Health Care Sector

Hospitals, payers, device companies, digital health startups and even private equity-owned management firms are all swept up in the same net.

For hospitals and provider groups, compliance diligence should include billing practices, referral relationships and quality-of-care documentation. Stark and Anti-Kickback exposure can easily survive an acquisition if legacy physician-contract structures remain untouched.

In managed care and payer deals, the DOJ–HHS Working Group has zeroed in on network adequacy, data integrity and claims accuracy. Medicare Advantage plans and their subcontractors are especially vulnerable because the DOJ has shown interest in inflated risk-adjustment coding.

For device and pharmaceutical businesses, the risks lie in promotional practices, speaker programs, pricing disclosures and patient assistance arrangements. Buyers inheriting those systems must immediately audit for improper inducements or misbranded claims even if the problem started years before.

And for the fast-growing digital health sector, where health care data meets consumer tech, privacy and cybersecurity now carry their own version of successor liability. If a startup failed to secure patient data, that breach doesn’t vanish with an acquisition; it becomes the acquirer’s DOJ problem the day after closing.

In every case, the OIG’s seven compliance elements provide a practical blueprint. Regulators will look for documentation showing that the organization trained employees, audited risks, maintained open reporting channels and acted when problems arose.

The Big Takeaways for Health Care Companies

There are five key takeaways for health care companies. The first is simple: compliance due diligence is no longer optional. Buyers need to conduct it with the same rigor as financial and operational reviews. That means assessing not only whether policies exist, but also whether they’ve been enforced. Look for evidence of board oversight, internal investigations and corrective actions. Ask whether any voluntary disclosures have been made and, if not, identify the reasons why.

Second, plan for post-closing integration before signing the deal. Regulators give credit for proactive planning, not to acquirers who “discover” misconduct only after an anonymous tip. Companies should build an integration plan that includes immediate risk mapping, training and policy alignment. The DOJ explicitly considers post-acquisition conduct in deciding whether to prosecute or pursue declinations.

Third, use the government’s own programs to your advantage. If misconduct surfaces during diligence or shortly after closing, a timely voluntary disclosure can drastically reduce penalties or even earn a declination. The DOJ’s safe harbor for M&A disclosures rewards speed, cooperation and remediation.

Fourth, structure deals with compliance in mind. Representations and warranties should explicitly cover compliance programs, prior investigations and known violations. Escrows, indemnities and earn-outs should account for potential exposure from pending audits or whistleblower suits. In today’s climate, a compliance warranty breach can cost more than a revenue miss.

Fifth, compliance is an asset. Companies with strong, documented programs and transparent reporting processes are now seen as lower-risk targets. That translates to better valuations, smoother diligence and fewer post-closing surprises.

A Closing Perspective

The DOJ’s Corporate Compliance Program guidance, the OIG’s seven elements and the growing list of DOJ-HHS initiatives all point to the fact that compliance is a core measure in evaluating deals. Successor liability ensures that an acquirer inherits not only assets and employees, but also habits, histories and hidden liabilities.

The best protection is preparation. Build compliance into your M&A strategy from day one. Make it a standard line item in every diligence checklist and integration plan. Treat voluntary disclosure as a strategic option, not an admission of guilt. And when you price a deal, remember that a strong compliance culture may be the most valuable asset you acquire.
