The Top Things Payers Are Watching
Right now, as you read this, your practice’s billing data is likely being processed by an AI model. It’s being compared, analyzed, and benchmarked against every other practice in your state and specialty. That AI is searching for one thing: outliers. The critical question is no longer if you are an outlier, but where and why.
Welcome to the new era of payer audits. The game has shifted from random chart pulls to data-driven, AI-led investigations. This isn’t guesswork; it’s a reality based on the latest CMS RAC audit targets, payment integrity trends, and real-world enforcement actions. Knowing what payers are scrutinizing is the first step in building a proactive defense.
Here are the top 6 audit risk areas that should be on every practice manager’s radar in 2026.
1. E/M Services (Especially High-Level Codes & Modifier 25)
This remains the undisputed king of audit targets. Payers are laser-focused on practices that bill a high percentage of Level 4 and 5 E/M codes (99214 and 99215) compared to their peers. They are also aggressively scrutinizing the use of Modifier 25, which is used to bill for a separate E/M service on the same day as a procedure.
If your documentation doesn’t clearly and convincingly prove that the E/M service was “separately identifiable” from the procedure, that money will be clawed back. This isn’t a small risk. In a high-profile case, Skyline Urology paid $1.85 million to settle allegations of misusing this exact modifier.
2. Telehealth Services
The telehealth gold rush of the pandemic is on again, but the auditors are also sifting through the data. With telehealth claims skyrocketing from 840,000 in 2019 to over 52 million in 2020, payers have a massive dataset to mine for red flags.
They are looking for:
- A high percentage of 60-minute behavioral health sessions versus the 45-minute average.
- Overlapping appointment times.
- A high volume of audio-only visits without clear documentation explaining why a video connection wasn’t feasible.
3. Remote Patient Monitoring (RPM)
RPM is another area of explosive growth that has attracted intense scrutiny from the Office of Inspector General (OIG) and the Department of Justice (DOJ). This is now considered a major fraud risk area.
Auditors are flagging:
- Billing for multiple RPM devices for a single patient in one month.
- Rapid, unexplained spikes in RPM patient volume.
- Billing for RPM services without an established provider-patient relationship
Enforcement is serious. Health Wealth Safe paid back $1.29 million for issues including the use of non-FDA approved devices and kickbacks, while BioTelemetry paid a staggering $14.7 million for upcoding their remote cardiac monitoring services.
4. Incident-to Billing & Modifier Usage
Incident-to billing is a classic audit target that often trips up even well-meaning practices. This is when a service provided by a non-physician practitioner (NPP), like a nurse practitioner or physician assistant, is billed under the physician’s NPI to receive 100% of the fee schedule instead of the standard 85%.
For this to be compliant, the supervising physician must be physically present in the office suite and immediately available. Payers use data mining to identify physicians with impossibly high service volumes in a single day, knowing a provider can’t be in two places at once.
Similarly, incorrect use of Modifiers 26 (Professional Component) and TC (Technical Component) is a favorite of RAC auditors. If you perform only the interpretation of an X-ray (the professional component) but bill the global code, you are a target for a takeback.
5. Medical Necessity Documentation
This is the foundation that underpins every single claim. If you cannot prove a service was medically necessary, it doesn’t matter how perfectly it was coded—the payer will not pay. Payers are now using AI to detect generic, copy-pasted documentation and automatically flag it for review. They are targeting specific services where medical necessity is often poorly documented, such as routine Vitamin D testing or excessive lesion destruction codes.
Your 3-Step Proactive Defense Plan
Seeing this list can be overwhelming, but the path to safety is straightforward: find your own problems before an auditor does.
- Know Your Numbers: Once a quarter, analyze your own billing data. How does your E/M distribution compare to your specialty’s national average? What is your percentage of audio-only telehealth visits? Look at your data through the eyes of an auditor and investigate any outliers.
- Fortify Your Documentation: Ditch generic, copy-paste narratives. Create procedure-specific templates in your EMR that prompt providers to include the specific elements auditors look for to prove medical necessity and justify coding levels.
- Conduct Proactive Internal Audits: You must be doing regular internal audits (every 6-12 months) with a certified, third-party expert. Be strategic and tell them to focus on these top risk areas first. This is the most efficient way to find and fix your biggest vulnerabilities.
Is Your Practice Prepared?
This isn’t about being perfect; it’s about being prepared. If you’re reading this and realizing your practice isn’t ready for this level of scrutiny, it’s time to act.
Want to see if you qualify for a complimentary billing metric audit? Check us out here and get a clear, data-driven picture of your practice’s risk profile.
