- Why Coding Audits Matter More Than Most Practices Realize
- Six Types of Coding Audits
- Common Coding Errors by Specialty
- E/M Coding After the 2021 Changes
- OIG 2026 Enforcement Targets
- Running an Effective Internal Audit: 10 Steps
- When to Hire an External Coding Auditor
- Responding to a Government Audit
- Frequently Asked Questions
The word "audit" makes most practice administrators nervous, and with good reason. A coding audit — whether internal or initiated by a government contractor — can surface liability exposure that has been accumulating undetected for years. But the practices that get hurt most are not necessarily those with the most egregious billing problems. They're the ones that don't know what they're doing wrong until someone else finds it for them.
The economics are stark. A 2024 HHS OIG report found that improper payments in Medicare Part B exceeded $31 billion annually. Recovery Audit Contractors recoup roughly $2 billion per year. CMS and its contractor network have significant financial incentive to audit aggressively. Your internal compliance infrastructure is the only thing standing between your practice and a recoupment demand that arrives without warning.
This guide covers what types of audits exist, what coding errors are most common by specialty, how the E/M coding changes from 2021 still trip up practices, what the OIG is specifically targeting in 2026, and how to run an internal audit that actually finds problems before the government does.
Why Coding Audits Matter More Than Most Practices Realize
Coding audits are not primarily about fraud prevention — they're about accuracy. Most coding errors are not intentional. They result from physicians who weren't trained on E/M documentation requirements, billing staff who don't know the specialty-specific rules, or practices that adopted billing patterns years ago and never updated them as guidelines changed.
The problem is that the government's enforcement posture doesn't distinguish well between intentional and unintentional errors. The False Claims Act covers "reckless disregard" for the truth of a claim — meaning that consistent systematic upcoding, even if no individual made a decision to commit fraud, can create FCA exposure. A practice that consistently bills 99215 when documentation supports 99213 is objectively submitting false claims regardless of intent.
The financial stakes cut both ways. Upcoding creates government liability; downcoding costs revenue. Many practices, worried about audits, systematically undercode out of caution and leave significant reimbursement on the table. Internal audits that find undercoding generate recoverable revenue going forward — not backward-looking liability.
Six Types of Coding Audits
| Audit Type | Who Conducts It | Scope | Triggered By | Typical Outcome |
|---|---|---|---|---|
| Internal Prospective Audit | Practice or hired consultant | Pre-submission review of claims | Proactive compliance program | Corrected claims before submission; no liability |
| Internal Retrospective Audit | Practice or hired consultant | Historical claims review | Compliance initiative, new billing company | Identifies patterns; self-disclosure if warranted |
| RAC Audit | Recovery Audit Contractors (CMS-contracted) | Medicare claims, 3-year lookback | Data analytics flags; random sampling | Recoupment demand; appeals available |
| MAC Review | Medicare Administrative Contractors | Prepayment or post-payment claims review | Billing patterns, prepayment edits | Claims denial or recoupment; appeal rights |
| ZPIC/UPIC Investigation | Unified Program Integrity Contractors | Medicare and Medicaid fraud investigation | Data analytics; beneficiary complaints; referrals | Payment suspension; OIG referral; civil/criminal action |
| OIG Investigation | HHS Office of Inspector General | Fraud, waste, and abuse; FCA violations | Whistleblower, data analytics, ZPIC referral | Civil monetary penalties; exclusion; FCA liability; criminal referral |
Common Coding Errors by Specialty
Coding errors are not random — they follow specialty-specific patterns driven by the complexity of the work, the billing rules that apply, and the documentation habits of physicians in each field. Knowing your specialty's highest-risk areas is the starting point for any internal audit.
Primary Care and Internal Medicine
- E/M level selection without adequate documentation. The most common error in primary care — billing 99214 or 99215 when medical decision making complexity or time documented supports only 99213.
- Chronic Care Management (CCM) billing errors. CCM (99490) requires at least 20 minutes of clinical staff time per month for a patient with two or more chronic conditions, a written care plan, and specific consent documentation. Billing CCM without meeting all required elements is the single fastest-growing audit target in primary care.
- Modifier 25 abuse. Modifier 25 allows billing a separate E/M on the same day as a minor procedure. It's appropriate when the E/M reflects a significant, separately identifiable service — not simply documentation of the decision to perform the procedure. Overuse of modifier 25 is a documented audit trigger.
Surgery and Surgical Specialties
- Global period billing errors. Surgical global periods (0-day, 10-day, 90-day) bundle pre-operative and post-operative services into the surgical fee. Billing separate E/M visits during a global period — without appropriate modifiers (modifier 24 for unrelated visits, modifier 79 for unrelated procedures) — results in overbilling.
- Modifier 59 overuse. Modifier 59 indicates a distinct procedural service. Applying it to break up services that are appropriately bundled under CMS's National Correct Coding Initiative (NCCI) edits is a significant audit target. CMS created the X{EPSU} modifiers (XE, XS, XP and XU) to replace modifier 59 in more specific scenarios — practices that haven't updated their modifier usage are at risk.
- Assistant surgeon billing discrepancies. Billing for an assistant surgeon when the procedure doesn't qualify for assistant surgeon reimbursement under payer policy.
Behavioral Health
- Session time documentation. Psychotherapy codes (90832, 90834, 90837) are time-based. The documentation must reflect start and stop times or total time and must match the billed code's time threshold. Billing 90837 (53+ minutes) when documented time is 45 minutes is a systematic error with significant exposure.
- Same-day E/M and psychotherapy. When an E/M is billed on the same day as psychotherapy, it must reflect a separately identifiable medical evaluation — medication management, a new clinical issue — not the same service as the therapy.
- Telehealth compliance gaps. Behavioral health has been the highest-growth area for telehealth since 2020. Audio-only telehealth reimbursement rules, place of service codes (POS 02 vs. POS 10), and state-specific telehealth practice standards are frequently coded incorrectly.
Physical and Occupational Therapy
- The 8-minute rule. Timed therapeutic procedures use the "8-minute rule" — each 15-minute unit requires at least 8 minutes of direct time. A 22-minute session warrants 1 unit, not 2. Documentation must support the claimed units, and errors here are systematic rather than isolated.
- Supervision level requirements. Medicare distinguishes general, direct, and personal supervision. Physical therapy assistants (PTAs) must bill under the supervising physical therapist; PT aides cannot bill independently. Supervision documentation requirements differ by payer and setting.
Chiropractic
- The AT modifier. Medicare covers chiropractic manipulation only for active/corrective treatment — not maintenance care. Modifier AT must be appended to indicate the patient has not yet reached their maximum therapeutic benefit. Billing maintenance care without the AT modifier (or billing AT when the patient is in maintenance) is the primary audit target in chiropractic billing.
- Subluxation documentation. Medicare requires documentation of the subluxation either by x-ray or physical examination findings. Inadequate subluxation documentation is a common audit finding.
E/M Coding After the 2021 Changes
CMS significantly revised outpatient E/M coding guidelines effective January 1, 2021 — the first major overhaul since 1997. Four years later, many practices are still not coding correctly under the new framework, either because they trained staff once at implementation and drifted back to old habits, or because they never fully understood the new rules.
The core change: outpatient E/M visits (99202–99215) are now based on either (1) total time spent on the date of service (including pre- and post-encounter work) or (2) the level of medical decision making (MDM). The old "three-key-component" approach (history, exam, MDM) was replaced entirely. History and physical exam are still documented, but they no longer drive code selection.
| Code | New Patient Time | Established Patient Time | MDM Complexity | 2026 Medicare Rate (approximate) |
|---|---|---|---|---|
| 99202 / 99212 | 15–29 min | 10–19 min | Straightforward | $78–$92 |
| 99203 / 99213 | 30–44 min | 20–29 min | Low complexity | $114–$130 |
| 99204 / 99214 | 45–59 min | 30–39 min | Moderate complexity | $172–$194 |
| 99205 / 99215 | 60–74 min | 40–54 min | High complexity | $221–$255 |
Under the new MDM-based coding, three elements determine complexity: (1) number and complexity of problems addressed, (2) amount and/or complexity of data reviewed and analyzed, and (3) risk of complications or morbidity or mortality. Each element has defined thresholds for straightforward, low, moderate, and high complexity. MDM level is set by two of the three elements — you don't need all three at the same level.
OIG 2026 Enforcement Targets
The OIG publishes an annual Work Plan identifying areas of focus for audits and investigations. For 2026, physician practices should be aware of these specific priorities:
- Telehealth billing — post-PHE compliance. The COVID public health emergency telehealth flexibilities have been extended through 2025 and partially into 2026. The OIG is auditing telehealth claims for documentation of the originating site, provider location, and compliance with in-person visit requirements for behavioral health that took effect in 2024.
- Remote Patient Monitoring (RPM) billing. RPM codes (99453, 99454, 99457, 99458) require specific device data transmission thresholds (16 days of data per 30-day period for 99454), physician time documentation (20 minutes for 99457), and patient consent. The OIG has flagged RPM as an area of high improper payment risk due to rapid adoption without adequate compliance infrastructure.
- E/M upcoding — high-complexity visit rates by specialty. The OIG analyzes the distribution of E/M codes billed by each specialty. Practices that bill 99215 at significantly higher rates than their specialty peers are flagged for review.
- Split/shared visits. When a physician and NPP (nurse practitioner, physician assistant) both participate in an E/M visit, the visit is billed under the provider who performed the "substantive portion" — defined as more than half the total time or the majority of MDM elements. Documentation requirements for split/shared visits are specific, and failure to meet them is a systematic error in practices with mixed physician/NPP teams.
- Evaluation and management during global periods. As noted in the specialty section — E/M visits billed during surgical global periods without appropriate modifiers.
Running an Effective Internal Audit: 10 Steps
An internal audit that actually protects your practice is not a one-day chart pull exercise. It's a structured process that produces actionable findings, corrects identified problems, and creates a documented compliance record. Here is the process that experienced healthcare compliance consultants use.
- Define the audit scope. Select the provider(s), time period (typically 12 months of historical claims), and CPT code range to review. Focused audits by provider and code category are more useful than broad reviews.
- Pull a statistically valid sample. OIG guidance recommends a minimum of 30–50 records for retrospective audits. Random sampling is preferable to cherry-picking; if challenged, you want your sample to be defensible as representative.
- Establish the review criteria. Before reviewing charts, document what "correct coding" looks like for each code range you're auditing — the specific documentation requirements, the relevant LCD or NCD, and the E/M MDM thresholds. This prevents post-hoc rationalization of findings.
- Conduct the chart review. A certified professional coder (CPC) or certified coding specialist (CCS) should review each chart independently, mapping documentation to the billed codes. Discrepancies are flagged without attribution to individuals at this stage.
- Calculate the error rate. Separate findings into upcoding (billed higher than documentation supports), downcoding (billed lower), and other errors (missing modifiers, incorrect diagnosis linkage, etc.). Calculate error rates by provider and by code.
- Determine financial impact. Extrapolate identified errors to the full claims population. This quantifies the liability exposure for upcoding errors and the revenue opportunity for downcoding corrections.
- Identify root causes. Pattern analysis is more valuable than individual findings. Is one provider consistently selecting the wrong MDM level? Is the billing staff applying modifier 59 incorrectly? Root cause identification drives targeted correction.
- Implement corrective action. Documentation templates, coder training, physician education sessions, billing system edits, and workflow changes. Corrective action must be documented with dates and responsible parties.
- Assess voluntary self-disclosure. If the audit identifies systematic upcoding that resulted in Medicare or Medicaid overpayments, consult a healthcare attorney about the voluntary self-disclosure protocols. Proactive disclosure typically produces lower penalties than waiting to be discovered.
- Schedule the follow-up audit. Corrective action is not the endpoint. A follow-up audit in 90–180 days confirms that the corrective measures actually changed behavior. Without follow-up, compliance programs are largely performative.
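The E/M selection rules above (time ranges or the two-of-three MDM rule) and audit steps 4 through 6 (chart review, error rate, financial impact) can be expressed as a small checker that runs over a claim sample. The script below is an added example, not a tool from this guide or from any vendor: it applies the page's time thresholds and MDM logic to a constructed set of claims, classifies each as upcoded, downcoded or supported, and produces per-provider error rates plus a mean-per-claim extrapolation. Provider names, claim fields and the per-code dollar amounts (the low end of the page's approximate 2026 ranges) are assumptions for illustration; times beyond the 99205/99215 range are capped at the top level because prolonged-service codes are not covered here.

```python
"""Toy E/M code checker and internal-audit summariser.

Added example, not code from the page. It applies the 2021 outpatient E/M
rules described above (time ranges, or the two-of-three MDM rule) to a
constructed claim sample, classifies each claim, and reports per-provider
error rates and an extrapolated overpayment. Claim fields, provider names
and the per-code dollar values are constructed assumptions.
"""
from collections import Counter

# Level 1..4 maps to 99202..99205 (new patient) or 99212..99215 (established).
NEW_CODES = ["99202", "99203", "99204", "99205"]
EST_CODES = ["99212", "99213", "99214", "99215"]
# Minimum total minutes on the date of service for each level (page's table).
NEW_TIME_MIN = [15, 30, 45, 60]
EST_TIME_MIN = [10, 20, 30, 40]
MDM_LEVELS = {"straightforward": 1, "low": 2, "moderate": 3, "high": 4}
# Illustrative per-code amounts: the low end of the page's approximate 2026
# ranges, used only to size financial impact (assumption, not a fee schedule).
RATE = {"99202": 78, "99203": 114, "99204": 172, "99205": 221,
        "99212": 78, "99213": 114, "99214": 172, "99215": 221}


def level_by_time(minutes, new_patient):
    """Highest level whose minimum time is met, or None if below the lowest.

    Times beyond the top range are capped at level 4; prolonged-service
    codes are outside this example.
    """
    level = 0
    for i, threshold in enumerate(NEW_TIME_MIN if new_patient else EST_TIME_MIN, 1):
        if minutes >= threshold:
            level = i
    return level or None


def level_by_mdm(problems, data, risk):
    """Two-of-three rule: the MDM level is the second-highest element level."""
    ranked = sorted((MDM_LEVELS[problems], MDM_LEVELS[data], MDM_LEVELS[risk]), reverse=True)
    return ranked[1]


def supported_code(claim):
    """Code the documentation supports: whichever route (time or MDM) is higher."""
    codes = NEW_CODES if claim["new_patient"] else EST_CODES
    by_time = level_by_time(claim["minutes"], claim["new_patient"]) or 0
    by_mdm = level_by_mdm(*claim["mdm"])
    return codes[max(by_time, by_mdm) - 1]


def classify(claim):
    """'upcoded', 'downcoded' or 'supported' relative to the billed code."""
    codes = NEW_CODES if claim["new_patient"] else EST_CODES
    billed, supported = codes.index(claim["billed"]), codes.index(supported_code(claim))
    if billed > supported:
        return "upcoded"
    if billed < supported:
        return "downcoded"
    return "supported"


def audit(claims, population_size):
    """Per-provider error rates plus sample and extrapolated upcoding overpayment."""
    counts = {}
    overpayments = []
    for claim in claims:
        stats = counts.setdefault(claim["provider"], Counter())
        stats[classify(claim)] += 1
        stats["total"] += 1
        # Only upcoding creates an overpayment; downcoding is foregone revenue.
        overpayments.append(max(RATE[claim["billed"]] - RATE[supported_code(claim)], 0))
    by_provider = {
        provider: {
            "upcoded_rate": round(s["upcoded"] / s["total"], 3),
            "downcoded_rate": round(s["downcoded"] / s["total"], 3),
        }
        for provider, s in counts.items()
    }
    sample_total = sum(overpayments)
    return {
        "by_provider": by_provider,
        "sample_overpayment": sample_total,
        # Simple mean-per-claim extrapolation to the full claims population.
        "extrapolated_overpayment": round(sample_total / len(claims) * population_size, 2),
    }


# Constructed sample: provider, new/established, billed code, documented total
# minutes, and MDM elements as (problems, data, risk).
SAMPLE_CLAIMS = [
    {"provider": "Provider A", "new_patient": False, "billed": "99215", "minutes": 25,
     "mdm": ("moderate", "low", "low")},
    {"provider": "Provider A", "new_patient": False, "billed": "99214", "minutes": 35,
     "mdm": ("moderate", "moderate", "low")},
    {"provider": "Provider A", "new_patient": False, "billed": "99213", "minutes": 42,
     "mdm": ("high", "high", "moderate")},
    {"provider": "Provider B", "new_patient": True, "billed": "99205", "minutes": 50,
     "mdm": ("moderate", "low", "high")},
    {"provider": "Provider B", "new_patient": True, "billed": "99203", "minutes": 33,
     "mdm": ("low", "straightforward", "low")},
    {"provider": "Provider B", "new_patient": False, "billed": "99212", "minutes": 8,
     "mdm": ("straightforward", "straightforward", "low")},
]

if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        print(claim["provider"], claim["billed"], "->", supported_code(claim), classify(claim))
    print(audit(SAMPLE_CLAIMS, population_size=600))
```

Run as-is, the first sample claim (25 documented minutes, MDM elements moderate/low/low) is supported only at 99213 by both routes, so the billed 99215 is flagged as upcoded, while the third claim is flagged as downcoded because both time and MDM support 99215. The extrapolation is deliberately the simplest mean-per-claim method; a defensible audit would use a statistically valid sample and document the sampling frame, as step 2 requires.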
When to Hire an External Coding Auditor
Internal audits are appropriate for routine compliance monitoring. External auditors are worth the cost ($1,500–$6,000 for a focused audit) in specific situations:
- You received a government records request, RAC demand, or MAC pre-payment review notice
- A significant change occurred — new billing company, new EHR, new physician(s), new specialty service line
- Internal staff conducting audits are the same people who coded the claims (independence is compromised)
- You're preparing to sell the practice and need a clean compliance record for due diligence
- You're entering a Corporate Integrity Agreement (CIA) requiring independent review organization (IRO) oversight
When evaluating external auditors, verify that auditors hold active credentials (CPC, CCS, CPCO), request sample audit reports to assess methodology and documentation quality, ask specifically about experience with your specialty, and understand the difference between a coding audit and a compliance program assessment — these are different engagements.
Responding to a Government Audit
When a government audit request arrives, the response posture matters as much as the underlying facts. A few operational principles:
- Get a healthcare attorney involved immediately — before you respond to anything. Your response creates a record.
- Produce exactly what was requested, nothing more. Voluntary over-production can expand the audit scope.
- Do not destroy any records after receiving a request. This creates an independent obstruction issue.
- Document the response process — what was provided, when, and by whom.
- Know your appeal rights. RAC and MAC denials have multi-level appeal processes. Level 3 (ALJ hearing) and Level 4 (Medicare Appeals Council) have historically produced favorable outcomes for practices that appeal.
- Consider voluntary self-disclosure if the audit reveals systematic overpayments. The OIG's voluntary self-disclosure protocol (VDP) typically produces a multiplier of 1.5x on overpayments — significantly better than the False Claims Act's treble damages exposure.
Frequently Asked Questions
How often should we conduct internal coding audits?
Best practice is quarterly focused audits for high-risk code areas and an annual comprehensive audit covering all major service lines. New physicians and billing staff should be audited within 60–90 days of onboarding, before patterns are established. Practices with a history of audit findings or that are under a Corporate Integrity Agreement may require more frequent review.
What is voluntary self-disclosure and when should we use it?
Voluntary self-disclosure is the process of proactively notifying CMS or the OIG that your practice has identified potential billing errors or fraud and abuse violations. The OIG's Voluntary Self-Disclosure Protocol (VDP) requires reporting the nature of the issue, the estimated overpayment, and a corrective action plan. The benefit: reduced multipliers on repayments (typically 1.5x vs. FCA's 3x treble damages) and reduced risk of exclusion. The decision to self-disclose should be made with a healthcare attorney — it's not appropriate in all situations, but it's underused as a risk management tool.
What's the difference between upcoding and undercoding?
Upcoding means billing a higher-level service than the documentation supports — billing 99215 for a visit documented at 99213 complexity. Undercoding is the reverse: billing 99213 when documentation clearly supports 99214 out of excessive caution. Upcoding creates government liability. Undercoding costs the practice revenue it's entitled to. Both are correctable through targeted coding education, and internal audits should flag both.
Can I bill for services my NP or PA performs?
Yes — with the correct billing approach. Services provided by NPPs (nurse practitioners, physician assistants, clinical nurse specialists) can be billed under the NPP's own NPI (at 85% of the physician fee schedule for Medicare) or, if a physician was directly involved in the service, potentially under the physician's NPI using appropriate documentation. The rules for "incident-to" billing (which allows billing under the physician's NPI at 100% of fee schedule for services that meet specific criteria) are specific and frequently misapplied. Incident-to requires direct physician supervision — physical presence in the suite, not just the building — and cannot be used for new patients or new problems.
What triggers a RAC audit?
RAC auditors use proprietary data analytics to identify billing patterns that deviate from specialty and geographic benchmarks. Common triggers include unusually high frequency of high-level E/M visits relative to peers, high rates of certain procedure codes, claims with high denial rates at other payers, and patterns flagged by beneficiary complaints. RAC auditors work on contingency — they keep a percentage of what they recover — which creates strong financial incentive to target high-volume, high-value services.
What does a coding audit cost?
An external focused coding audit typically runs $1,500–$3,000 for a single provider and code category, $3,000–$6,000 for a multi-provider practice audit, and $6,000–$15,000 for a comprehensive compliance program assessment. Internal audits cost staff time. The comparison point is not audit cost vs. zero — it's audit cost vs. the financial exposure of an undiscovered systematic error caught by a government contractor.