The 2026 OIG Work Plan: 6 New Enforcement Signals That Will Trigger Audits This Year
The HHS-OIG has updated its 2026 Work Plan with aggressive new targets. Here are the 6 enforcement signals that will trigger a medical billing audit.

The HHS Office of Inspector General (OIG) just updated its 2026 Work Plan, and it is a clear warning shot to healthcare providers. The government is aggressively deploying new data analytics tools to identify outlier billing patterns across Medicare and Medicaid. If your practice is flagging for these specific enforcement signals, you are practically begging for a federal audit.
The OIG recovered over $3 billion in investigative receivables in recent fiscal years, and they are sharpening their focus in 2026. The days of random sample audits are largely over. The government now knows exactly who to audit before they even request a medical record. Their algorithms are specifically hunting for prolonged misuse of Modifier 25, irregular Chronic Care Management (CCM) time-tracking, and aggressive genetic laboratory testing.
This guide breaks down the top six new enforcement signals in the 2026 OIG Work Plan. It shows you exactly how your billing team might accidentally trigger an audit and how you can proactively self-audit those vulnerable areas before the federal government does.
Key Takeaways
- Metric-Based Enforcement: The OIG relies entirely on federal metrics in 2026. If your billing patterns deviate significantly from your peers, you will be flagged.
- Modifier 25 is Under Fire: Routine billing of an E/M service on the same day as a minor procedure without separate and distinctly identifiable documentation is the fastest way to trigger a review.
- Time is Money in CCM: Chronic Care Management codes require strict, documented time tracking. Rounding up or overlapping times will result in overpayment demands.
- Internal Auditing is Mandatory: You must run internal audits specifically targeting these six areas to protect your bottom line.
Signal 1: The E/M Modifier 25 Trap
The OIG is aggressively targeting Evaluation and Management (E/M) services billed on the same day as a minor surgical procedure. When you append Modifier 25, you are telling the payer that a significant, separately identifiable E/M service was performed above and beyond the usual preoperative and postoperative care associated with the procedure.
Consider a multi-provider rheumatology clinic in Georgia. In late 2025, they were audited after the OIG algorithm noticed they appended Modifier 25 to 95% of their joint injection claims. The practice assumed that evaluating the joint before the injection justified a separate E/M charge. It did not. The OIG ruled that the evaluation was inherently included in the injection code. The clinic was forced to return $85,000 in overpayments because their E/M notes were effectively cloned templates that did not demonstrate a separately identifiable service.
To avoid this, your documentation must clearly physically separate the notes for the E/M service from the notes for the procedure. If the E/M service does not stand alone, do not bill it. If you need a comprehensive review of your coding practices, a professional medical billing audit will expose these vulnerabilities immediately.

Signal 2: Chronic Care Management Time-Tracking Failures
CMS highly encourages Chronic Care Management (CCM), but the OIG is watching the time-tracking closely. The 2026 Work Plan clearly indicates an increase in audit activity targeting CCM noncompliance.
The core of CCM billing is minutes. CPT 99490 requires at least 20 minutes of clinical staff time directed by a physician or other qualified healthcare professional, per calendar month. The OIG is finding that practices are rounding up times, overlapping times between multiple staff members, or billing for tasks that do not qualify as clinical care coordination.
If your EHR logs show a medical assistant spending 12 minutes on the phone with a patient, and your billing team rounds that up to 20 minutes to hit the threshold, you are committing fraud. Your time-tracking must be exact, to the minute, and auditable.
Signal 3: High-Cost Genetic Testing Scrutiny
Laboratory testing, specifically high-cost genetic testing, is a massive target. Following a recent analysis of the top 25 clinical diagnostic laboratory tests, the OIG is focusing heavily on Medicare spending for genetic panels.
The enforcement signal here is medical necessity. Many practices have been caught ordering broad, multi-gene panels when a targeted, single-gene test was clinically appropriate. The OIG is scrutinizing the ordering provider's documentation. If the patient's medical record does not explicitly state how the results of the extensive genetic test will directly impact their medical management, the claim will be flagged as unnecessary.
Ensure your physicians are documenting the precise clinical reasoning for ordering expensive lab tests. A strong revenue integrity tool can help flag these high-risk orders before they go out the door.
Signal 4: Inpatient and Outpatient High-Risk Flags
The OIG is running an ongoing series of reviews targeting hospitals and outpatient facilities with claims flagged as high risk for overpayments. This is a broad category, but the algorithm is looking for specific indicators, such as a sudden spike in high-severity DRG (Diagnosis-Related Group) billing or unusually high utilization of specific high-cost outpatient procedures.
If your facility recently hired a new surgeon who utilizes a more expensive implant or procedure code than the industry average, your facility will look like an outlier. You must ensure that the clinical documentation perfectly supports the higher-acuity billing. You must also regularly review your medical billing specialties mix to understand where you sit compared to national benchmarks.
Signal 5: Medicare Advantage Diagnosis Code Inflation
Medicare Advantage (MA) plans are under intense pressure, and the OIG is deeply suspicious of diagnosis code submissions. The government pays MA organizations based on the risk scores of their beneficiaries, which are derived from diagnosis codes. The OIG is hunting for "upcoding" or the submission of diagnoses that are not actively treated or supported by the medical record.
If you are a primary care provider receiving capitated payments or participating in risk-sharing agreements, your clinical documentation must prove that you actively evaluated and managed every diagnosis you list on the claim. Simply pulling forward a "history of" diagnosis without addressing it in the current encounter will trigger an audit flag. Accurate credentialing services are also vital here to ensure the providers submitting these diagnoses are properly mapped to their specialties in the MA networks.
Signal 6: Hospice and Nursing Home Eligibility
Finally, the 2026 Work Plan continues to target hospice and nursing home care. The specific enforcement signals include audits related to hospice eligibility criteria and Medicare payments for care in skilled nursing facilities (SNFs).
For hospice, the OIG is looking for patients who stay on service for extended periods (beyond six months) without clear, documented evidence of clinical decline supporting a terminal prognosis. For SNFs, the focus is on the accuracy of staff reporting and whether the therapy minutes billed accurately reflect the services delivered.

The Proprietary Calculation: The True Cost of Failing a Self-Audit
Let us break down the math of an OIG audit failure versus the cost of a preventative self-audit.
Assume an independent clinic bills 5,000 encounters per year using Modifier 25. An OIG audit determines a 20% error rate on those claims, meaning 1,000 claims were improperly billed. If the average reimbursement for the attached E/M service was $80, the clinic owes the government $80,000 in direct overpayments.
However, the financial pain does not stop there. The OIG typically extrapolates the error rate across a larger sample and applies massive civil monetary penalties. Even ignoring extrapolation, the administrative labor to defend the audit, pull records, and hire legal counsel will easily exceed $30,000.
- Overpayment demand: $80,000
- Administrative/Legal defense: $30,000
- Total Audit Cost: $110,000
Conversely, conducting a preventative internal audit on 100 sample charts using specialized medical billing services might cost a few thousand dollars. By identifying and correcting the Modifier 25 error internally, you eliminate the $110,000 federal exposure entirely. The return on investment for aggressive compliance is undeniable.
Why Your In-House Team Misses These Audit Triggers
Your internal billing staff is focused on getting claims out the door and working front-line denials. They are judged on cash flow, AR days, and clean claim rates. They are not typically incentivized to slow down and forensically analyze documentation for OIG compliance.
When a biller sees a procedure and an E/M code, their instinct is to append Modifier 25 to force the claim through the clearinghouse edits. They are solving a short-term cash flow problem, but they are creating a massive long-term compliance liability. Relying on your production staff to police themselves against complex federal algorithms is a recipe for disaster. Revenue cycle management is not just about collecting cash; it is about collecting cash that you get to keep.
Protect Your Revenue Before the Letter Arrives
The 2026 OIG Work Plan is not a secret. The government is telling you exactly what they are looking for and exactly how they are going to find it. If you are blindly submitting claims without auditing your own data against these six enforcement signals, you are playing Russian roulette with your bottom line.
An audit letter from the OIG is not a cost of doing business. It is an existential threat to your practice. Stop guessing about your compliance risk. We will audit your data, find the vulnerabilities, and fix your workflows before the federal algorithms flag your practice. Schedule a compliance risk assessment today.
