Lessons Learned From OIG Audits
Take to heart these lessons that others learned the hard way.

In healthcare, every audit tells a story. Some provide cautionary tales, while others serve as blueprints for doing things the right way. The Office of Inspector General’s (OIG’s) audit reports show the real risks and real opportunities in our industry. Their lessons surrounding documentation, coding, and internal oversight help us protect our revenue, professional reputation, and patients. Read on to learn what recent OIG audits reveal, why these findings matter for every healthcare organization, and how you can turn these lessons into a foundation for smarter, safer compliance practices.

The First Line of Defense

Every OIG audit, across specialties and services, comes back to a central theme: A service not documented is a service not done. Consider the 2019 audit of psychotherapy billing, where 100 percent of Oceanside Medical Group’s sampled claims failed compliance checks. In over half the cases, therapy was never provided or was missing from the notes. For almost all the rest, the required duration or session details were left blank. The result? An estimated $2.6 million in unallowable payments, as well as a clear warning that basic record-keeping lapses can cascade into large-scale repayment obligations and deeper regulatory scrutiny.

A similar pattern emerged in audits of opioid treatment programs (OTPs). The OIG identified $17.8 million in potentially improper payments due to duplicate billing, missing diagnoses, and excessive intake visits, problems often flagged by missing or vague documentation. Medicare paid millions for OTP services that, according to the audit, could not be verified as legitimate patient care, including cases missing a documented opioid use disorder diagnosis or records to support multiple intake visits. As the OIG findings make clear, missing even a single piece of required information can mean the difference between allowable payment and a costly overpayment notification.

The winning strategy? Embed real-time, point-of-care documentation practices into workflows, ensure ongoing training for staff at every level, and periodically audit a sample of records for completeness.

Medical Necessity

Every medical claim needs specific documentation to clearly illustrate why a service was medically required at the time of care. Vague references to “monitoring,” lack of detail about patient instability, or generic statements about treatment goals won’t stand up to audit scrutiny. Audits of critical care claims at Lahey Clinic, for example, revealed that in 54 of 92 reviewed cases, the medical records did not support a truly critical illness or an intervention at the level that Medicare expects for critical care coding. Some admissions reflected routine postoperative care or chronic conditions but lacked documentation that a patient’s deterioration was imminent or that the physician was actively managing vital system failure. The result: 61 percent of critical care services in the audit sample were unallowable as billed.

The OIG’s crackdown on malnutrition upcoding tells a similar story. In a 2020 review, almost nine in 10 hospital claims coded for “severe malnutrition” were downgraded or denied after audit review of the records, typically because the clinical details didn’t confirm both the diagnosis and its effect on patient care. In its report, the OIG said, “Hospitals used severe malnutrition diagnosis codes when they should have used codes for other forms of malnutrition or no malnutrition diagnosis code at all, resulting in net overpayments of $914,128.” The estimated impact was more than $1 billion in recoupments and a clear signal that diagnosis codes must track precisely to the documented clinical scenario.

The Disguised Cost of Upcoding

In the 2024 Medicare Advantage (MA) audit of Independent Health Association (IHA), most high-risk diagnosis codes failed validation.
Only 17 of 247 sampled enrollee-years were confirmed as supported by medical records, with an estimated $7 million in excess payments. Most of the selected diagnosis codes that IHA submitted to the Centers for Medicare & Medicaid Services (CMS) for use in CMS’ risk adjustment program did not comply with federal requirements.

Upcoding for higher reimbursement is a bright red flag. Every diagnosis, hierarchical condition category, or complication code must be actively managed to match clear, recent documentation. Coding audits, coder/provider crosswalks, and proactive validation are critical in minimizing risk adjustment and diagnosis related group repayments.

When Routine Becomes Risky

The OIG’s 2025 audit on evaluation and management (E/M) services billed with modifier 25 (Significant, separately identifiable evaluation and management service by the same physician or other qualified health care professional on the same day of the procedure or other service) during intravitreal eye injections is a model for how minor coding mistakes mushroom into multi-million-dollar risks. Of 1.4 million E/M services billed with modifier 25 on the same day as an eye injection, 42 percent were found to lack sufficient documentation, putting $124 million in payments at risk for recoupment. Providers often misunderstood or were unaware of the strict rules around significant, separately identifiable services when using modifier 25, with system edits consistently bypassed by default use of the modifier. The report claimed that “Documentation for 22 of the 24 sampled services did not support the use of modifier 25.”

Modifier misuse is a telltale sign of uncontrolled or misunderstood billing practices. Modifier 25 and others should be subject to routine targeted review. Analytics to flag high-frequency users coupled with detailed provider/coder education on modifier application can forestall bulk denials and repayments.

The Root Cause Behind Claims Losses

Most audit findings are the end result of systemic issues — old policies, informal provider training, lack of internal review, or ignoring new audit risk areas. Failure to update training or audit protocols after regulatory guidance changes allows new forms of noncompliance to spread unchecked, multiplying financial losses.

Compliance must include living policies featuring routine high-risk area audits and clear escalation structures for billing/payment issues. These policies must be updated annually with corresponding staff training. Strong compliance infrastructures, deeply embedded in day-to-day operations and supported at the leadership level, are a non-negotiable compliance foundation.

Overpayments and the 60-Day Rule

When evidence of overpayment exists through an audit or a credible complaint, healthcare organizations have just 60 days to investigate and return any overpayments. In every audit, the OIG underscores that it considers its report “credible information of potential overpayments,” triggering this obligation. Self-disclosure and rapid repayment aren’t just best practices, they are regulatory expectations. Clear procedures for overpayment triage, investigation, calculation, and timely reporting can dramatically reduce risk.

Anticipating the Next Target

OIG audit targets evolve with new care models and emerging issues. Recent shifts include focus on MA risk scores, bundled payments, opioid treatments, and behavioral health. Organizations that monitor the OIG Work Plan and pay attention to industry alerts can anticipate future audits, proactively audit their own exposure, and adjust controls before errors become systemic. Be proactive, not reactive. Make continuous improvement and environmental scanning a core compliance priority.

Transforming Lessons Into Action

OIG audits do not simply point out flaws — they light a path to industry standards and best practices.
Documentation, medical necessity, coding accuracy, appropriate modifier use, robust internal controls, rapid response to overpayments, and a responsive compliance culture are no longer optional but vital for survival, professional reputation, and patient safety. By taking these OIG lessons to heart and framing each as a compliance checkpoint and operational improvement, healthcare organizations can position themselves to withstand audits and thrive in an era of relentless regulatory change and heightened accountability.

Resources:

HHS OIG: Oceanside Medical Group Received Unallowable Medicare Payments for Psychotherapy Services

HHS OIG: Medicare Critical Care Services Provider Compliance Audit: Lahey Clinic, Inc.

Lamon Willis, CPC, CPCO, CPC-I, CPC-H
(A version of this article first appeared in the October 2025 issue of AAPC the Magazine)
