2026 Guide to Healthcare Auditing and Auditing Services Blog Post
Author Jacob Yates at Healthcare Compliance Pros
Auditing and audit services has become a core part of how
healthcare providers manage both compliance risk and revenue integrity in 2026.
Regulators such as the Office of Inspector General (OIG) and the Centers for
Medicare and Medicaid Services (CMS) make it clear that risk assessments,
auditing, and monitoring are fundamental elements of an effective
compliance program[1]. Furthermore, many improper payments in federal
programs stem from documentation and billing errors rather than
deliberate fraud. For healthcare administrators, compliance officers, practice
managers, and revenue cycle leaders, understanding the importance of regular
auditing and auditing services is essential to protecting an organization and
optimizing its financial performance.
In this blog article, I'll explain what healthcare auditing
and auditing services are, which types of audits matter most, what common
errors audits uncover, how audits connect to compliance and revenue cycle
results, how to choose an audit vendor, and how Healthcare Compliance Pros can
add value as a compliance‑first organization.
The TL; DR Version: As Benjamin Franklin said, "An ounce of
prevention is worth a pound of cure."
Auditing Services in 2026: What Providers Need to Know
Auditing services are structured, professional reviews of
clinical documentation, coding, billing, and related processes to determine
whether they meet regulatory and payer requirements. The OIG's General
Compliance Program Guidance (GCPG)1
describes "risk assessment, auditing and monitoring" as one of the seven
elements of an effective healthcare compliance program and explains that audits
should be based on risks identified through formal risk assessments. The CMS's
review programs similarly rely on collection and clinical review of medical
records and related information to ensure that Medicare and Medicaid payments
are made only for services that are reasonable, necessary, covered, and
correctly documented.
In practice, auditing services can include reviews of
evaluation and management (E&M) coding, ICD‑10 diagnosis coding, procedure
coding, documentation quality, medical necessity support, and claims submission
practices. They can also focus on compliance—for example, making sure
documentation supports billed services and meets HIPAA and CMS expectations—or
focused on revenue, such as identifying patterns of under coding, over coding, or
claim denials that cause avoidable financial loss or inappropriate financial
gain.
Audits are critical for multiple reasons.
First, enforcement and oversight are becoming more
focused and frequent. The OIG's updated guidance underscores the importance of
risk‑based auditing and monitoring, while its reports on HIPAA oversight urge the
Office of Civil Rights (OCR) to expand audit scope to better evaluate physical
and technical safeguards under the Security Rule.
Second, the CMS continues to measure and address
improper payments[2],
repeatedly pointing out that most improper payments are caused by inadequate or
missing documentation rather than fraud. However, that is not to say that fraud
does not exist and that some providers are intentionally trying to get
more funds from the CMS. Just by subscribing to healthcare news, we can see
that fraud is still a significant problem in healthcare today.
Third, the HIPAA Security Rule Notice of Proposed
Rule Making[3]
signals more prescriptive expectations for documentation, risk analysis, and
cybersecurity protections around electronic protected health information.
Organizations that incorporate regular audit services into their operations better
position themselves to adapt to these trends and to show regulators, payers,
and business partners that they are managing both compliance and revenue risks
proactively.
What Are Audits and Auditing Services?
Healthcare audits and auditing services encompass a range of
activities aimed at evaluating and improving how an organization documents,
codes, and bills patient care, as well as how it adheres to key regulations. In
the compliance program context, the OIG explains that audits are conducted
based on the risks identified by risk assessments and that they help
organizations determine whether policies and procedures are being followed and
whether claims and practices meet applicable requirements. The CMS describes
medical review audits as involving the collection and clinical review of
medical records and related information to ensure that payment is made only
for services that meet coverage, coding, and documentation standards.[4]
The scope of audits and auditing services typically includes
coding accuracy, documentation completeness, support for medical necessity,
adherence to payer rules, and compliance with federal standards such as HIPAA
and the CMS program requirements.[5]
For HIPAA, audits ordered or conducted by the OCR evaluate whether an
organization complies with the Privacy and Security Rules by reviewing
policies, procedures, records, and controls related to protected health
information (PHI). For Medicare and Medicaid, the CMS and its contractors
review claims and records to detect improper payments and educate providers on
how to correct errors. Internal auditing is a vital proactive step healthcare
organizations can take to reduce their risk of overpayments instead of putting
themselves on the CMS' auditing list.
Audits matter in 2026 because they help organizations bridge
the gap between written policies and day‑to‑day practice. A compliance program
can look robust on paper, but if audits consistently show documentation gaps,
coding errors, or unaddressed risk areas, regulators may question its
effectiveness. Conversely, organizations that conduct regular, targeted audits and
act on their findings demonstrate that they are actively managing their
compliance and financial obligations.
Types of Healthcare Audits Explained
The OIG and the CMS may not use the exact labels business
associates and vendors use, but their guidance supports four distinct
approaches to auditing:
· Prospective
audits
· Retrospective
audits
· Risk‑based
audits
· Focused
audits
These four audit categories are grounded in how regulators expect
programs to operate.
Prospective audits review documentation and coding before
claims are submitted. Although the CMS's medical review programs often operate
retrospectively, organizations can use the same principles prospectively to
catch errors early. A prospective E&M or ICD‑10 audit might examine records
and proposed codes to ensure that documentation supports medical necessity and
coding rules before billing occurs. This type of audit supports both compliance
and revenue by preventing improper payments and avoiding denials caused
by missing or inconsistent information.5
Retrospective audits examine claims already submitted
and paid or denied. The CMS's improper payment measurement activities and
medical review programs are mostly retrospective, analyzing past claims to
identify patterns of documentation errors, coverage issues, and coding
mistakes. Organizations can mirror this approach by sampling past claims in
high‑risk areas, such as certain E&M levels, chronic care management codes,
or high‑cost procedures, to determine whether documentation and coding were
correct. Retrospective audits help identify overpayments that may need to be
refunded and underpayments which can be corrected, as well as areas where staff
need additional training.
Risk‑based audits involve selecting audit targets
based on a formal risk assessment rather than simple rotation or random
sampling. The OIG's GCPG guidance emphasizes that risk assessments provide the
process for identifying, analyzing, and responding to risks. As a result, audits
should be conducted based on risks identified by those assessments. A risk‑based
audit plan might prioritize service lines with high denial rates, coding
categories with known complexity, or areas flagged by internal or external
reviews, payer notices, or regulatory changes. This approach aligns with the OIG's
expectation that auditing and monitoring should be tailored to the
organization's risk profile rather than applied generically without regard to
risk.
Focused audits or specialty audits concentrate on
specific topics, such as E&M services, ICD‑10 diagnosis coding, particular
specialties (e.g., cardiology, orthopedics), or specific payer contracts. The CMS's
medical review guidance recognizes that different services and specialties pose
different compliance risks, and the OIG's guidance suggests that organizations
should consider medical necessity, documentation, and coding rules in any claim
reviews and audits. A focus audit allows deeper examination of one area, which
can be particularly valuable when external data (such as the CMS improper
payment statistics[6] or
contractor review results) indicate that a particular type of service has a
high error rate.
Organizations should use each type at different times.
Prospective audits are useful when launching new services or coding patterns.
Retrospective audits work well for ongoing monitoring and correction. Risk‑based
audits ensure resources are directed to the areas of greatest exposure and
potential for a CMS or payer audit. Focused and specialty audits provide depth
where issues are already identified or where rules are particularly complex.
Top Audit Findings and Common Errors
The CMS's improper payment fact sheets6 make it clear that most improper payments
are typically not caused by intentional fraud, but rather by errors such as
missing or inadequate documentation, incorrect coding, and failures to meet
coverage or eligibility requirements. The OIG's compliance guidance1 likewise emphasizes audits and
investigations should consider root causes and organizations should adjust
policies and training when systematic issues are found.
Common billing and documentation errors that audits uncover
include incorrect E&M levels, discrepancies between clinical documentation
and billed codes, missing signatures or dates, lack of clear medical necessity
support, and miscoded diagnoses or procedures. When medical record reviewers
cannot determine whether a service was reasonable and necessary under the CMS
program rules, the payment may be classified as improper even if the patient
was eligible and the service was appropriate. This often occurs because
information required for payment is missing or incomplete, not because of
deliberate misconduct.
Upcoding and under coding remain persistent issues. Upcoding—where
the level of service billed exceeds the complexity documented—can lead to
overpayments and potential enforcement risk if patterns suggest systemic
issues. Under coding—where providers bill less than documentation
supports—usually produces underpayments and lost revenue. Both internal and
external audits will help reveal both patterns, enabling organizations to
correct errors, refund overpayments when necessary, and retrain staff to code
accurately. After all, who would want to be unpaid for doing more work!
Documentation gaps are another major finding. The CMS notes
that most improper payments are due to instances where required information
is missing, or where documentation, eligibility determination, or
enrollment was handled correctly is absent. In the clinical arena, this can
include missing progress notes, incomplete diagnostic information, or absence
of test results that support a billed service. HIPAA audits and the OCR
enforcement actions similarly highlight documentation issues around privacy and
security policies, risk analyses, and incident responses. Organizations that
conduct regular audits and address documentation gaps are best positioned to
withstand both payer reviews and regulatory audits.
Compliance, ROI, and Revenue: Real Impact of Effective Audits
Effective audits affect compliance and revenue in multiple
ways. The OIG's guidance1 makes it clear
that risk assessments, auditing, and monitoring help organizations detect
improper conduct, determine its scope, and implement corrective actions. The CMS's
medical review and improper payment measurement programs show that
documentation and coding errors directly affect payment accuracy. When
organizations work with professional audit services—and act on their findings—they
can reduce improper payments, improve documentation, and strengthen their
compliance posture.
From a regulatory standpoint, routine audits demonstrate an
organization is performing internal monitoring and auditing as the OIG
recommends. This matters when regulators or payers evaluate the effectiveness
of a compliance program. A program that includes risk‑based audits, documented
findings, and corrective actions looks more credible than one that relies
solely on policies and one‑off training.
Financially, audits support revenue cycle optimization by
identifying both overpayments and underpayments. Overpayments resulting from
errors such as upcoding or overbilling need to be refunded to avoid potential
penalties or corporate integrity agreements (CIAs). Underpayments due to under coding
represent lost revenue which can be recovered through corrected claims or
improved documentation practices. However, there are limitations on when and
how these claim corrections are applicable. The CMS's fact sheets2 emphasize that improper payment estimates
are not measures of fraud and that most errors are fixable once identified.
This means that effective audits can have a positive return on investment by
reducing both financial risk and missed legitimate revenue.
Consider a scenario drawn from these principles: A multi‑specialty
clinic conducts a risk assessment and identifies its highest‑risk areas as E&M
coding in internal medicine, ICD‑10 diagnosis coding in cardiology, and
outpatient procedure billing in orthopedics. It engages an external auditing
vendor to review a targeted sample of claims from each area. The audits reveal
that internal medicine physicians often under code E&M levels despite
thorough documentation. Cardiology documentation sometimes lacks clear links
between diagnoses and procedures. And orthopedic records occasionally lack
signatures or time stamps required by payer rules.
Based on these findings, the clinic retrains its physicians
and coders, updates documentation templates to capture required elements more
clearly, and implements periodic follow‑up audits. Over the next year, the
organization sees fewer denials for documentation issues, more accurate
billing, and more consistent support for medical necessity. The audit vendor
helps the clinic refine its risk assessment and monitoring plans, aligning them
with the OIG's expectations for ongoing auditing and corrective action. The
result: better compliance and more stable revenue. This example illustrates how
regular auditing and auditing services contribute directly to both regulatory
readiness and financial health.
How to Choose An Auditing Partner
Choosing an auditing partner involves both regulatory
and practical considerations. The OIG's guidance1 underscores the importance of compliance
officers and committees having sufficient authority and resources to oversee
auditing and monitoring. It also stresses that audits should be thorough,
ongoing, and tied to risk assessments. An auditing partner should help an
organization design and execute risk‑based audits, interpret findings through
the context of HIPAA, the CMS, and the OIG expectations, and support corrective
actions.
Credentialed professionals and regulatory expertise matter
because auditing services are closely tied to federal regulations and payer
rules. A strong auditing partner should be deeply familiar with the HIPAA
Privacy and Security Rules, CMS documentation and coverage requirements, and the
OIG's compliance program framework. A reputable vendor will use those sources
as the basis for their methods rather than relying on generic coding checklists
or AI input alone.
Technology‑enabled auditing is increasingly important. The CMS's
medical review programs and the OIG's recommendations emphasize the need for
better data, expanded audit scope, and defined metrics to evaluate the impact
of audits on cybersecurity and payment integrity. Auditing partners that
leverage technology to analyze claims patterns, detect anomalies, and correlate
documentation issues with denial rates can provide more precise and actionable
insights for your organization.
Geography and regulatory focus also matter. Offshore providers may be able to offer lower costs, but they can be less familiar with U.S. regulatory nuances or less able to assist with on‑site education and follow‑up. The OIG's guidance, the CMS's programs, and the OCR's enforcement work all operate within the U.S. regulatory framework, and it is vital for healthcare organizations to make sure their audit methodologies reflect that reality. Healthcare Compliance Pros differentiates itself by focusing on healthcare compliance, aligning its audit processes with the OCR, the CMS, and the OIG expectations—emphasizing a compliance‑first approach that considers both documentation and regulatory risk.
Frequently Asked Questions about Auditing and Audit Services in 2026
How often should I conduct audits?
The OIG does not set a fixed schedule, but its guidance indicates that auditing
and monitoring should be ongoing, thorough, and based on risk assessments. The CMS
guidance suggests that Medicare Advantage plans and other entities should
independently audit compliance program effectiveness at least annually,
while regular claim review and medical review activities continue throughout
the year. In practice, many organizations conduct formal audits in high‑risk
areas at least once per year and use more frequent, smaller reviews as part of
ongoing monitoring.
How do audits support staff education?
The OIG's seven elements of an effective compliance program include effective
training and education as one of the core requirements. Audit findings reveal
where staff misunderstand coding rules, documentation expectations, or
regulatory requirements. When organizations share audit results and
provide targeted training in response, they use audits as a teaching tool
rather than just a punitive mechanism. The CMS's emphasis on education in its
medical review programs also shows that audits can help providers learn how to
document and bill more accurately.
What is new or changing in auditing practices post‑2025?
The HIPAA Security Rule NPRM and the OIG's recommendations point toward broader
and more detailed audits of security safeguards and coding documentation. The OIG
and OCR have urged healthcare organizations to expand audits, implement
administrative, physical, and technical safeguards, and establish standards for
corrective actions—initiating compliance reviews. The CMS continues to refine
its improper payment measurement and medical review programs, emphasizing
documentation quality and eligibility processes.
These developments suggest that healthcare organizations should expect audits to increase and examine not just their billing and documentation, but also cybersecurity, access controls, and incident responses. If you haven't already, now is a great time to adjust your internal audit plans accordingly.
[1] https://oig.hhs.gov/compliance/general-compliance-program-guidance/
[2] https://www.cms.gov/newsroom/fact-sheets/improper-payments-fact-sheet
[3] https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
[4] https://www.cms.gov/data-research/monitoring-programs/medicare-fee-service-compliance-programs/medical-review-and-education
[5] https://www.cms.gov/data-research/monitoring-programs/medicare-fee-service-compliance-programs/medical-review-and-education
[6] https://www.cms.gov/newsroom/fact-sheets/fiscal-year-2024-improper-payments-fact-sheet