
Fraud, Waste, and Abuse Prevention in Medical Billing: OIG Compliance Rules, False Claims Act, and Upcoding Red Flags

OIG audits, False Claims Act liability, and upcoding penalties can devastate a practice. Learn the compliance rules MMBS uses to keep claims clean and defensible.
Sofia Reyes, CPC, CPMA | Published May 26, 2026 | Updated April 15, 2026

Fraud, waste, and abuse (FWA) prevention in medical billing, covering OIG compliance rules, the False Claims Act, and upcoding red flags, is a topic every physician practice and billing team must understand in 2026. The federal government recovers billions each year through FWA enforcement, and the risk extends well beyond large hospital systems. Small practices face the same audit scrutiny, the same potential for exclusion from Medicare and Medicaid programs, and the same False Claims Act exposure. MMBS (MyMedicalBillSolution.com) builds FWA compliance into every step of its outsourced revenue cycle workflow, maintaining a 98.2% clean claim rate across all specialties by coding to documentation rather than to a target reimbursement amount.

TL;DR: Fraud, Waste, and Abuse (FWA) in medical billing refers to three distinct violation categories defined by the OIG: intentional misrepresentation (fraud), overutilization without deceptive intent (waste), and practices inconsistent with CMS standards (abuse). The False Claims Act imposes civil penalties up to $27,894 per false claim plus treble damages. A compliance-first billing workflow, including pre-submission coding audits and NCCI edit checks, is the most effective defense against FWA exposure.

What the OIG (Office of Inspector General, HHS) Defines as Fraud, Waste, and Abuse in Medical Billing

The OIG (Office of Inspector General, U.S. Department of Health and Human Services) is the primary federal body responsible for detecting and prosecuting healthcare fraud. Each fiscal year, the OIG publishes an annual Work Plan that identifies billing patterns, CPT codes, and specialties under heightened scrutiny, giving practices advance notice of where audits will concentrate. Understanding the OIG's definitions is the starting point for any compliance program.

  • OIG (Office of Inspector General, HHS): Primary federal body that detects, prosecutes, and publishes annual Work Plans identifying high-risk billing codes and specialties
  • False Claims Act (31 USC 3729): Civil enforcement statute; penalties $13,946 to $27,894 per false claim plus treble damages; qui tam whistleblower provision awards relators 15-30% of recovery
  • Anti-Kickback Statute (42 USC 1320a-7b): Criminal prohibition on offering or receiving anything of value to induce federal healthcare program referrals; intent required for criminal liability
  • Stark Law (42 USC 1395nn): Strict-liability prohibition on physician self-referrals for designated health services; overpayments must be returned within 60 days of identification under 42 CFR 401.305
  • NCCI (National Correct Coding Initiative): CMS-published code pair edits that define CPT codes which cannot be billed together for the same patient on the same date; violations trigger CARC CO-97 denials
  • LEIE (List of Excluded Individuals and Entities): OIG database of providers barred from billing Medicare or Medicaid; practices must verify NPI status against LEIE before credentialing

Fraud is intentional misrepresentation: billing for a service not performed, upcoding a CPT code to collect a higher CMS (Centers for Medicare and Medicaid Services) reimbursement, or submitting duplicate claims. Waste is overutilization or inefficient use of resources without intent to deceive, such as ordering unnecessary labs and billing Medicare Part B for them. Abuse describes billing practices inconsistent with sound fiscal or medical standards, such as submitting claims for services that lack documented medical necessity under CMS Local Coverage Determinations (LCDs), even when no deception was intended.

Any practice billing under an NPI (National Provider Identifier) registered with CMS falls within OIG oversight. The OIG maintains the LEIE (List of Excluded Individuals and Entities), and any provider on that list is barred from billing Medicare or Medicaid. MMBS runs NPI verification against the LEIE as part of its credentialing intake process, a verification step that many in-house billing teams skip entirely.

False Claims Act (31 USC 3729): Liability Triggers, Qui Tam Provisions, and Civil Penalties in Medical Billing

The False Claims Act (FCA, 31 USC 3729) is the primary civil enforcement statute for healthcare billing fraud. It creates liability for any person who knowingly submits a false claim to a federal government program, including Medicare and Medicaid. Under the FCA, "knowingly" encompasses actual knowledge, deliberate ignorance, and reckless disregard, a standard that federal courts have interpreted broadly to reach billing errors made while looking the other way from obvious red flags.

Civil penalties under the FCA range from $13,946 to $27,894 per false claim (adjusted annually for inflation), plus treble damages on the falsely claimed amount. A practice that submits 500 inflated claims over three years can face liability in the millions before any criminal referral is made.

The qui tam provision (FCA Section 3730(b)) allows private citizens, including employees, former billers, or competitors, to file suit on behalf of the federal government under seal and receive 15% to 30% of any recovery. FWA exposure is therefore not only an audit-triggered risk. An employee who observes a pattern of upcoding can initiate a federal investigation with a sealed whistleblower complaint, making internal monitoring and a documented compliance program the most cost-effective defense a practice can maintain.

MMBS incorporates this compliance-first approach into its HIPAA-compliant billing operations, which include coding audit cycles and documentation review before any claim reaches the payer.

Anti-Kickback Statute (42 USC 1320a-7b) and Stark Law (42 USC 1395nn): Referral and Compensation Rules That Affect Billing

The Anti-Kickback Statute (AKS, 42 USC 1320a-7b) prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals covered by federal healthcare programs. In billing, AKS violations often arise from improper fee-splitting, paying billers on a percentage-of-collections model that creates incentives to upcode, or accepting vendor gifts tied to steering claim submissions to a particular clearinghouse or payer portal.

The Stark Law (Physician Self-Referral Law, 42 USC 1395nn) prohibits physicians from referring patients to entities providing designated health services when the physician or an immediate family member holds a financial relationship with that entity, unless a specific statutory exception applies. Common Stark exceptions cover bona fide employment relationships and in-office ancillary services. Stark violations are strict liability: no intent is required, and overpayments must be returned within 60 days of identification under the 60-Day Rule (42 CFR 401.305). Where the FCA demands proof of knowing conduct, Stark Law holds providers liable regardless of intent.

Both statutes shape how billing companies must structure their compensation arrangements. MMBS operates under transparent flat-fee and disclosed percentage-of-collections models, with no referral incentives or arrangements that could implicate AKS safe harbor requirements. Onboarding contracts for outsourced billing for independent practices are reviewed for AKS compliance before any engagement begins.

Upcoding Red Flags: CPT Code Patterns the OIG Flags in Evaluation and Management Billing

Upcoding occurs when a submitted CPT code reflects a higher level of service than the documentation supports. The OIG and Medicare Recovery Audit Contractors (RACs) treat upcoding as one of the most common FWA violations in E/M billing, and it is the leading cause of overpayment demands under the RAC program.

In Evaluation and Management billing, the OIG monitors the distribution of codes across Levels 3, 4, and 5. A provider who bills CPT 99215 (high-complexity established patient office visit, approximately $176 CMS reimbursement under the 2026 Physician Fee Schedule) for 80% of visits will draw scrutiny. CPT 99214 (moderate-complexity established patient, approximately $133 CMS reimbursement) and CPT 99213 (low-complexity established patient, approximately $93) require documentation that supports the selected complexity level under AMA E/M guidelines revised in 2021.

Common upcoding red flags include: billing CPT 99215 without documented medical decision-making (MDM) at high complexity or total time of 40 or more minutes; billing CPT 99203 (new patient moderate-complexity visit) without a documented history of present illness and appropriate MDM; and billing CPT 93306 (echocardiogram with spectral and color flow Doppler, approximately $302 CMS reimbursement) for patients without documented medical necessity via a covered ICD-10 diagnosis such as I10 (Essential (primary) hypertension) or I50.9 (Heart failure, unspecified).

MMBS conducts pre-submission coding audits on all claims, catching E/M level mismatches before the claim reaches the payer. Details on how MMBS structures this workflow are available on the AAPC-certified coding services page.

Unbundling and NCCI Edits: How CMS Prevents Separate Billing for Bundled Procedures

Unbundling is the practice of billing component procedures separately when CMS requires them to be submitted under a single comprehensive CPT code, artificially inflating total reimbursement. CMS addresses unbundling through the NCCI (National Correct Coding Initiative), which publishes code pair edits defining which CPT codes cannot be billed together for the same patient on the same date of service.

A practice cannot bill CPT 36415 (routine venipuncture, approximately $3 CMS reimbursement) alongside a lab panel code when the venipuncture is integral to the lab procedure. Similarly, CPT 97110 (therapeutic exercises, approximately $34 per 15-minute unit) and CPT 97530 (therapeutic activities) billed together on the same day for a physical therapy patient trigger an NCCI column-one/column-two edit, and one code will be denied.

ERA (Electronic Remittance Advice) data returned from payers will show CARC code CO-97 ("Payment is included in the allowance for another service/procedure that has already been adjudicated") when NCCI edits fire. Teams without experienced coders reviewing ERA cycles often miss these patterns across dozens of claims per month, cumulatively writing off significant revenue. MMBS's claims-management workflow includes NCCI edit review on every ERA cycle, with same-day resubmission when bundling denials are correctable.

Common FWA Billing Schemes: Phantom Billing, Waiving Copays, and Medically Unnecessary Services

Beyond upcoding and unbundling, the OIG Work Plan regularly targets several additional FWA schemes that affect independent practices:

Phantom billing: Submitting claims for services, procedures, or supplies never actually provided. This constitutes outright fraud under the FCA and typically originates from billing transcription errors, template carry-forwards in EHR (Electronic Health Record) systems, or intentional manipulation. EHR auto-population features that copy prior visit notes forward are a documented source of phantom billing risk when staff fail to update documentation for each new encounter.

Routine waiver of copays and deductibles: Systematically waiving patient cost-sharing without financial hardship documentation violates the AKS because it constitutes an inducement to use federal healthcare programs. Practices must document hardship on a case-by-case basis. Blanket policies of never charging copays are a measurable FWA exposure point that the OIG has flagged in Work Plans across multiple fiscal years.

Billing for medically unnecessary services: CMS Local Coverage Determinations (LCDs) specify the ICD-10 diagnosis codes that establish medical necessity for specific procedures. Billing CPT 71046 (chest X-ray, two views, approximately $22 CMS reimbursement) without a covered ICD-10 code such as J06.9 (Acute upper respiratory infection, unspecified) or J45.909 (Unspecified asthma, uncomplicated) on the claim will return a CO-50 denial (CARC CO-50: non-covered service not deemed medically necessary). MMBS reviews ICD-10 linkage on every claim before submission using HIPAA (Health Insurance Portability and Accountability Act, 45 CFR Parts 160 and 164) compliant claim scrubbing tools. See how our team resolves CO-50 medical necessity denials.

How MMBS Builds FWA Compliance into the Revenue Cycle: Audits, Coding Standards, and HIPAA Safeguards

MMBS achieves a 98.2% clean claim rate across all specialties, compared to the industry average of 75-85% first-pass clean claim rates. AAPC-credentialed billers, each holding CPC (Certified Professional Coder) or COC (Certified Outpatient Coder) credentials, conduct quarterly coding accuracy audits and review every claim for CPT-ICD-10 linkage, modifier usage, and NCCI edit status before submission. No claim goes out unchecked.

Payer-side FWA flags, including prepayment edits on high-frequency E/M codes, are resolved before they become overpayment demands. When a payer requests additional documentation under a pre-payment audit, MMBS's team pulls the EOB (Explanation of Benefits) against the original ERA and coordinates the documentation response directly with the practice within 48 hours. That workflow drives an 85% first-pass denial resolution rate on appealable denials, eliminating the scenarios where unaddressed flags age into formal overpayment demands.

AR days (Accounts Receivable days) at MMBS average 28-32 days, against the industry benchmark of 45-55 AR days. Shorter cycles mean fewer claims reach the 90-day-plus aging bucket where RAC auditors concentrate prepayment review activity. Prior authorization is tracked per procedure and payer at the point of scheduling, so claims requiring prior auth for Medicare Part B or Medicaid never submit without an authorization number on file. Practice administrators receive monthly compliance reports showing denial patterns, clean claim rates, and coding accuracy metrics through MMBS's full-service billing platform.

For specialty-specific OIG Work Plan monitoring, MMBS's psychiatry billing services and cardiology billing specialists track new audit initiatives at the specialty level, so your billing team is never caught off-guard mid-year. All claim submission follows a documented workflow with role-based access controls and audit logging that satisfies HIPAA Security Rule requirements under 45 CFR Part 164.312.

Frequently Asked Questions

What is the difference between fraud, waste, and abuse in medical billing under OIG definitions?

The OIG (Office of Inspector General, HHS) defines fraud as intentional misrepresentation to obtain payment, such as billing for services not rendered or upcoding CPT codes. Waste is overutilization or inefficient billing without fraudulent intent. Abuse refers to billing practices inconsistent with CMS standards or sound medical practice, such as submitting claims for services lacking documented medical necessity under applicable Local Coverage Determinations. All three categories can trigger claim audits, overpayment demands, and exclusion from Medicare and Medicaid programs.

What are the civil penalties for False Claims Act violations in healthcare billing?

The False Claims Act (31 USC 3729) imposes civil penalties of $13,946 to $27,894 per false claim (2026 inflation-adjusted figures), plus treble damages on the overpayment amount. A practice with 200 inflated claims over two years could face liability exceeding $5 million before any criminal referral. The qui tam (whistleblower) provision allows employees, former staff, or competitors to file suit on the government's behalf and receive 15-30% of the recovery, making internal FWA monitoring essential for every practice.

What CPT codes does the OIG most commonly audit for upcoding in Evaluation and Management billing?

The OIG and Medicare Recovery Audit Contractors (RACs) most frequently audit CPT 99215 (high-complexity established patient office visit), CPT 99214 (moderate-complexity established patient), and CPT 99205 (high-complexity new patient visit) when a provider's utilization pattern shows a disproportionately high share of Level 4 and Level 5 codes relative to peers in the same specialty and geographic area. Practices billing CPT 99215 for more than 40% of all E/M visits are statistically more likely to receive a pre-payment review request from their MAC or a RAC audit letter.

How do NCCI edits affect claim submission and denial rates in medical billing?

CMS NCCI (National Correct Coding Initiative) edits define pairs of CPT codes that cannot be billed together for the same patient on the same date of service. When a claim violates an NCCI edit, the lower-valued code is denied with CARC code CO-97 (payment included in the allowance for another procedure). Practices without experienced coders reviewing ERA (Electronic Remittance Advice) data often write off these denials without appeal. MMBS reviews all NCCI edit denials within 24 hours and resubmits corrected claims where rebundling is clinically supported by the encounter documentation.

What is the 60-Day Rule under Stark Law and how does it affect overpayment refunds?

The 60-Day Rule (42 CFR 401.305) requires that any Medicare or Medicaid overpayment a provider identifies must be reported and returned within 60 days of identification. Retaining a known overpayment beyond 60 days converts it into a potential False Claims Act violation, even if the original overpayment was unintentional. Stark Law (42 USC 1395nn) violations that generate overpayments trigger the same 60-day repayment obligation, which is why proactive internal auditing costs far less than reactive repayment after a government inquiry has already opened.

How does MMBS protect practices from FWA exposure during the billing process?

MMBS protects practices through pre-submission coding audits on every claim, NCCI edit verification, ICD-10 medical necessity linkage review, prior authorization tracking, and AAPC-certified coders who assign CPT codes based solely on documented services. The result is a 28-32 AR day average and clean claims that reach payers without the upcoding or unbundling patterns that trigger OIG and RAC audit activity.

If your practice has received an OIG audit letter, a RAC prepayment review request, or simply wants to reduce FWA exposure before it becomes a liability, MMBS can help. Contact MMBS today to schedule a free compliance and billing assessment and see how a compliance-first revenue cycle protects your practice and your reimbursement.
