Internal investigations serve an important role and are often the right starting point. But they require judgment about when that approach is no longer sufficient. That determination turns less on capability and more on structure, credibility, and how the investigation will be evaluated outside the organization.

Most healthcare and life sciences companies do not set out to create whistleblowers. Yet many do, often without realizing it. What begins as an internal concern can evolve into something much larger if it is not handled carefully. A question about billing, a concern about a physician relationship, or an issue raised through a compliance channel may seem manageable at first. But once that concern leaves the organization, it can take on a very different character

While many healthcare and life sciences enforcement actions are initiated by regulators, most investigations actually start internally—with a complaint, a billing question, or a concern that something does not look right. The challenge for many organizations is not whether an issue exists. It is deciding what to do next.

The Columbia / New York-Presbyterian Hospital investigation illustrates how organizational culture can shape whether warning signs are surfaced or suppressed. Healthcare organizations operate in complex and highly regulated environments. Ensuring that employees feel empowered to raise concerns—and that those concerns are taken seriously—is one of the most effective ways to identify risks early and prevent harm before it occurs.

On February 12, 2026, the American Health Law Association published Dennis Sapien-Pangindian's bulletin, “Information Blocking Enforcement on the Horizon: Compliance Considerations Under the 21st Century Cures Act." In the bulletin, Mr. Sapien-Pangindian examines the rapidly evolving enforcement landscape surrounding the federal information blocking framework.

The Department of Justice (DOJ) has signaled and begun rolling out a whistleblower rewards framework aimed at incentivizing insiders and third parties to report corporate crime directly to prosecutors. While the program will continue to evolve through policy and rulemaking, its contours already create immediate implications for New York–based and U.S.-operating companies

The HHS-OIG Self-Disclosure Protocol is designed to encourage healthcare providers, suppliers, contractors, and grantees to self-report evidence of potential fraud or violations of federal healthcare program requirements. By voluntarily disclosing such conduct, entities may benefit from reduced penalties, a presumption against exclusion from federal programs, and a more collaborative resolution process, as opposed to facing government-initiated investigations or litigation.

The FDA defines Software as a Medical Device (SaMD) as software “intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”   In plain English: if your app, algorithm, or platform is intended to diagnose, cure, treat, mitigate, or prevent disease, the FDA may consider it a medical device — even if it’s just running on a smartphone.

Here are the five compliance blind spots that catch early-stage digital health companies off guard — and how to avoid them before they become expensive lessons.