I've spent the last decade helping medical practices steer HIPAA and regulatory compliance with certifications in CISSP and CISA, so I'm constantly tracking these enforcement trends. Based on what I'm seeing with our clients in Santa Fe and across the country, here's what's coming. **Telehealth and remote patient monitoring will be under heavy scrutiny.** During COVID, CMS relaxed telehealth rules, but they're tightening back up. I'm already seeing audits focused on "incident to" billing for virtual visits and whether practices are properly documenting the patient's location. We've had three clients get pre-audit letters specifically asking about their telehealth billing patterns from 2023-2024. **Controlled substance prescribing through telehealth is the big one for DEA and state boards.** The temporary flexibilities are mostly gone, and practices that got comfortable prescribing Schedule II drugs without in-person visits are going to face investigations. One dental practice we work with had to completely overhaul their opioid prescribing protocols after their state board started asking questions. **On the cybersecurity side, OCR is targeting Business Associate Agreements and ransomware response.** We're seeing massive HIPAA fines (not just warnings) when practices can't produce proper BAAs or didn't have encryption on breached systems. The OCR settlements from late 2025 show they're done being lenient--one practice paid $450K for a breach affecting just 3,000 patients because they had no risk analysis documented. **My prediction: CPT codes 99421-99423 (online digital E/M) and 99453-99457 (remote monitoring) will see significant audits** because CMS knows practices are still figuring out proper documentation requirements. If you're billing these, make sure your time logs are bulletproof and you're meeting the specific technical requirements, not just copy-pasting notes.
I've spent decades training investigators across law enforcement, military, and corporate sectors--including building Amazon's Loss Prevention program--and here's what nobody's talking about: **the convergence of health IT security breaches and fraud investigations is about to explode.** Federal agencies aren't just looking at traditional billing fraud anymore; they're targeting practices where a data breach exposed patient records *and* there's questionable billing activity. When those two things overlap, you're looking at both HHS-OCR penalties and potential False Claims Act exposure. **My prediction: Controlled substance prescribing patterns tied to telehealth will face massive scrutiny.** We train investigators who are already building cases where providers ramped up Schedule II prescriptions during COVID telehealth expansion and never scaled back. DEA and state medical boards are cross-referencing PDMP data with billing records--if your E/M codes show 10-minute telehealth visits but you're prescribing 90-day Adderall refills, expect a knock. I've seen agencies build entire investigations around timestamp mismatches between telehealth platform logs and claim submissions. **The other landmine: employee background check failures leading to fraud charges.** We certify investigators who've caught medical practices employing people with excluded provider status or credential fraud. One case involved a practice that billed $890K in services "supervised" by a physician who'd moved to another state--found only after an HR audit we recommended. CMS is using AI to cross-match NPI databases with exclusion lists and state licensing boards automatically now. Document your cybersecurity measures like your license depends on it--because increasingly, it does. When ransomware hits and patient data walks, investigators assume billing irregularities exist too. That's when the real digging starts.
I work with dental practices on their IT, and regulators are getting serious about cybersecurity and HIPAA. We've tried a lot of things, but what actually works is putting money into securing patient records and watching for ransomware. Auditors always poke around the virtual visit software and your breach plan. My advice is to check your systems often and keep your security current. Cleaning up a mess is way harder than preventing it.
Running behavioral health programs, I can tell you the compliance risks for 2026 are heading straight for telehealth and mental health billing. We faced more audits last year, and getting our documentation right for group therapy and substance use disorder coding was what kept us out of trouble. Clear notes on anxiety and depression diagnoses were especially important. The CMS guidelines are always shifting, so you have to keep training your team on what's new.
As a doctor and ENT specialist who has spent more than two decades running a medical practice, I see 2026 bringing a sharper focus on how clinics document and deliver care. Federal and state investigators are paying closer attention to patterns that hint at overuse or inconsistent coding. ENT practices that use higher-level E/M codes without tight documentation will draw interest. Sinus procedures, allergy services, and anything tied to in-office technology will likely be reviewed more closely because they mix convenience with cost, and regulators want to ensure medical necessity is rock solid. I also expect health IT compliance to get tougher. Practices are relying on more digital tools, and every upgrade increases the chance of gaps in security or data handling. That is a growing target for auditors. No Surprises rules still create confusion for patients and clinics, and regulators see that friction. They will want cleaner cost communication. Controlled substances remain a major area of oversight, even for specialists who prescribe them sparingly. Workplace safety will also be on the radar, since staffing pressures can expose weak points.
As a practicing dentist, I see how much our world has tightened around compliance and clear documentation. When I think about what federal and state agencies are likely to focus on next year, I expect to see more attention on overbilling in preventive and restorative care. Dentistry is often included in larger healthcare reviews, and simple issues like inconsistent documentation for perio treatment or unclear narratives for advanced procedures tend to raise red flags. I have made it a priority in my practice to slow down and document the reasoning behind each treatment plan. That level of clarity protects both the patient and the practice. CMS audits often circle back to coding patterns that appear repetitive or out of proportion with averages. In dentistry, these patterns show up with evaluations, periodontal scaling and radiographs. Even if we are treating the unique needs of each patient, the coding still has to match the clinical story. It becomes even more important to ensure that every chart reflects the true condition of the patient rather than leaning on routine codes. Beyond coding, I anticipate stronger attention on health IT, patient communication requirements and safe handling of controlled substances. We have already seen how sensitive patients are to surprise fees and a lack of transparency. As dentists, we must be very clear with financial conversations and documentation. On the clinical side, prescription monitoring has become a regular part of my workflow. I believe these oversight areas will only expand, and staying consistent with strong habits today will make next year much smoother.
1 / Telehealth services continue to undergo scrutiny by healthcare organizations using this technology to treat chronic diseases, mental health conditions, and substance abuse. Since the pandemic led to the adoption of permanent virtual care options, state boards and federal investigators regularly evaluate virtual prescription practices and potential service overuse. Our compliance reviews now require organizations to maintain detailed audit trails for remote consultations, confirm patient eligibility under CMS telehealth waivers, and document all time-based billing activities.
2 / CMS is still focused on high-use codes like 99214 and 99215, but we're also seeing a surge in audit activity related to prolonged services and time-based E/M services linked to procedures, particularly in geriatrics and cardiology. One practice we supported came under scrutiny after using add-on codes multiple times while failing to clearly show the full duration of services. The practice ultimately passed the audit because we had established structured note templates and a peer-review process for evaluating documentation before claim submission.
3 / Prescribing controlled substances continues to represent a major compliance risk, especially regarding compound medications and the use of substances for unapproved indications. We're also seeing compliance challenges arise from the No Surprises Act, which requires practices to implement strict processes for securing patient consent prior to providing out-of-network care. Meanwhile, regulations such as HIPAA and the California CPRA, along with similar state-specific mandates, are evolving quickly. Organizations now need to build patient data governance systems that align with clinical safety standards and include structured auditing procedures backed by visible top-level leadership.
In my work with small cardiology and primary care groups, the 2026 hot zone is still fraud around billing. Data driven teams are circling telehealth, remote monitoring, labs, genetic tests, and high level E/M when they pair with chronic pain, substance use, or behavioral health diagnoses. For practices I advise, the sleeper risk sits outside pure coding. Tougher HIPAA cybersecurity rules, No Surprises Act fights, information blocking penalties, and state pressure on workplace safety and controlled substances stack up fast. I push clients toward short internal audits and written fixes, backed by 2025 enforcement data: https://www.mintz.com/insights-center/viewpoints/2406/2025-01-28-health-care-enforcement-trends-2025-outlook
At RGV Direct Care we see the biggest compliance risks in 2026 forming around the quiet operational habits that medical practices tend to overlook. The first involves documentation created with AI support. Many clinics adopted ambient note tools in 2025, and the risk now lies in subtle inaccuracies that slip into the record when a clinician does not review the output closely. A single misplaced phrase about medication timing or symptom duration can change the coding level and invite audits that stretch for months. Another growing risk sits in data handling as patient portals, remote monitoring programs and telehealth platforms expand. Each tool collects measurable streams of information, and practices often underestimate how many staff members have access. When access logs are not reviewed and permissions drift, the exposure becomes real. We also expect payer scrutiny on time based billing to rise. Virtual check ins, chronic care management minutes and care coordination hours need clear timestamps, and loose tracking will draw attention quickly. Practices that rely on verbal updates rather than auditable systems usually feel the impact first. The safest path involves tightening internal workflows now, especially around review processes and data governance. Those steps keep the practice stable even as scrutiny intensifies in the year ahead.
From an IT and data side, the biggest 2026 risk for medical practices is that every minor documentation flaw now matters more as CMS tightens how it classifies audit findings and leans on data integrity. Expect scrutiny around telehealth, chronic care management, and high-value imaging codes, where usage growth and complex rules make upcoding and medical necessity prime targets. On top of that, weak access controls in health IT, sloppy log retention around controlled substances e-prescribing, and gaps in No Surprises Act workflows are all easy pickings once auditors correlate claims, logs and patient communications. The practices doing best in my world are the ones treating compliance as a continuous data governance exercise - centralised logs, role-based access, automated anomaly detection on billing patterns - instead of a yearly policy binder update.
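An internal reconciliation of the kind the contributors above describe (time-based codes checked against the telehealth platform's own session log, then summarised per clinician so billing-pattern outliers surface before a payer correlates the same data), as an added example that is not any contributor's code: the claim and session records are constructed, and the minute thresholds are example values a practice must verify against the current CPT descriptors and its own coding policy.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Minimum cumulative minutes each code requires. Example thresholds entered for
# this demonstration; load yours from coding policy and verify against current CPT.
MIN_MINUTES = {"99421": 5, "99422": 11, "99423": 21, "90837": 53}

# Constructed sample telehealth platform log: what the platform itself recorded.
SESSIONS = [
    {"patient": "P001", "clinician": "DrA", "start": "2025-03-03T09:00", "minutes": 12},
    {"patient": "P002", "clinician": "DrA", "start": "2025-03-03T10:00", "minutes": 6},
    {"patient": "P003", "clinician": "DrB", "start": "2025-03-04T14:00", "minutes": 55},
]
# Constructed sample claims: what was submitted, with date of service (dos).
CLAIMS = [
    {"claim": "C1", "patient": "P001", "clinician": "DrA", "dos": "2025-03-03", "code": "99422"},
    {"claim": "C2", "patient": "P002", "clinician": "DrA", "dos": "2025-03-03", "code": "99423"},
    {"claim": "C3", "patient": "P004", "clinician": "DrB", "dos": "2025-03-05", "code": "90837"},
    {"claim": "C4", "patient": "P003", "clinician": "DrB", "dos": "2025-03-04", "code": "90837"},
]

def logged_minutes(claim, sessions, window_days):
    """Platform minutes for the claim's patient/clinician pair in the lookback
    window ending on the date of service (cumulative codes span several days)."""
    dos = date.fromisoformat(claim["dos"])
    earliest = dos - timedelta(days=window_days)
    return sum(
        s["minutes"] for s in sessions
        if (s["patient"], s["clinician"]) == (claim["patient"], claim["clinician"])
        and earliest <= datetime.fromisoformat(s["start"]).date() <= dos
    )

def reconcile(claims, sessions, window_days=7):
    """One finding per claim the platform log does not support: no session at
    all, or fewer logged minutes than the billed code requires."""
    findings = []
    for c in claims:
        mins, need = logged_minutes(c, sessions, window_days), MIN_MINUTES[c["code"]]
        if mins == 0:
            findings.append({"claim": c["claim"], "reason": "NO_SESSION", "logged": 0, "required": need})
        elif mins < need:
            findings.append({"claim": c["claim"], "reason": "UNDER_THRESHOLD", "logged": mins, "required": need})
    return findings

def flag_rate_by_clinician(claims, findings):
    """Share of each clinician's claims flagged: the billing-pattern signal to
    review internally before a payer or investigator correlates the same data."""
    flagged = {f["claim"] for f in findings}
    total = Counter(c["clinician"] for c in claims)
    hit = Counter(c["clinician"] for c in claims if c["claim"] in flagged)
    return {k: hit[k] / total[k] for k in total}
```

On the constructed data, `reconcile(CLAIMS, SESSIONS)` flags C2 (6 minutes logged against a 21-minute code) and C3 (no platform session at all), and `flag_rate_by_clinician` reports 0.5 for each clinician.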
Psychotherapist | Mental Health Expert | Founder at Uncover Mental Health Counseling
Answered 4 months ago
What health care areas federal and state are likely to target with fraud and related investigations? Fraudulent activities often target individuals or groups who exhibit vulnerabilities, such as financial insecurity, emotional distress, or a lack of knowledge regarding specific systems. From a professional perspective, recognizing behavioral patterns and psychological triggers is key to identifying targets and preventing exploitation. For example, in a recent case I worked on, a small business owner was manipulated into a phishing scheme due to pressure during a high-stress financial period. By analyzing cognitive biases like urgency or fear-based decision-making, we can predict and prevent such incidents. With extensive experience navigating human behavior and systemic risk factors, I've found it critical to address both education and emotional resilience to combat fraud effectively.
What codes and diagnoses CMS is likely to audit: CMS is meticulous in auditing codes and diagnoses that indicate high-cost treatments or involve mental health services frequently billed by providers. For psychotherapists, the focus often falls on CPT codes like 90837 (60-minute psychotherapy session) and the accuracy of diagnoses such as major depressive disorder (F32.x) or generalized anxiety disorder (F41.1). Chronic care management codes and codes for telehealth services have also been under recent scrutiny due to increases in their usage. From my experience, audits tend to center on ensuring the documentation justifies the diagnosis and treatment plan. For instance, if a patient is diagnosed with major depressive disorder, auditors evaluate the treatment's medical necessity, symptom duration, and recovery trajectory. Early in my career, I encountered an audit where insufficient documentation for symptom severity resulted in a claim denial.
Since then, I've implemented detailed progress notes reflecting every clinical decision and its alignment with DSM-5 criteria to mitigate audit risks. These steps not only improve compliance but also protect patient outcomes by maintaining detailed therapy records.
In 2026, the biggest compliance risk I see isn't a single code set or rule; it's the growing gap between what practices document and what CMS now expects them to show. Regulators are moving away from line-item audits and toward what they call "clinical coherence reviews," which look at the whole patient story in relation to the billing pattern. That's where a lot of practices will be found out. We can already see signs that CMS will step up audits of chronic diagnoses that bring in money but don't show that they are being managed properly, like hypertension with complications, COPD, and major depression. People don't care about the codes themselves; they care when the care plan, medication changes, and follow-up times don't match the severity being billed. The next round of federal fraud investigations will almost certainly look at telehealth patterns that look more mechanical than clinical. These include quick cycles of established-patient visits, notes that are all the same, and behavioral health encounters that all look the same. It's not the amount of risk; it's the lack of variety. Controlled-substance documentation is the one blind spot that practices need to fix right away. The prescribing data is already part of state PDMP systems. In 2026, regulators will start looking at prescribing patterns in the chart, not just the signature log, to see if they make sense. The main point of all of these trends is simple: Any part of the record that doesn't sound like the patient will be looked at during the 2026 audit.