This week brings three developments with direct operational implications for compliance officers: a new OIG audit exposing over $2 million in potentially improper Medicare payments for virtual care services, an HHS action plan on psychiatric overprescribing that carries real billing compliance risk, and a pair of enforcement actions, from Purdue Pharma to a small rural health center, that dismantle the dangerous assumption that size provides protection from federal scrutiny.

Table of Contents

OIG Audit Flags $2.3M in Improper Medicare Payments for Virtual Check-in and E-Visit Services, and CMS Is Already Acting

On April 23, 2026, OIG published the findings of its audit of Medicare payments for virtual check-in and e-visit services, covering claims data from January 1, 2019 through December 31, 2022. The audit identified systemic billing vulnerabilities that resulted in millions of dollars in potentially improper payments, and CMS has confirmed it has already begun implementing corrective system edits in response.

Key Details

The audit revealed 183,524 potentially improper payments totaling over $2 million, drawn from $12 million in Medicare payments for 1.3 million virtual check-in claim lines and $11 million for 600,235 e-visit claim lines during the audit period. OIG identified two distinct billing patterns driving the problem.

The first involves virtual check-ins billed too close to an evaluation and management (E/M) visit. CMS made $1,964,125 in potential improper payments for 173,287 virtual check-in services that occurred within 7 days after or 24 hours prior to an E/M service having the same diagnosis code for the same enrollee. Medicare’s rules are clear: a virtual check-in cannot originate from a related medical visit in the prior seven days, and it cannot result in an E/M visit within the following 24 hours. When those conditions are present, the E/M service is what should be billed, not the virtual check-in as a separate service.

Compounding the problem, nearly 31,000 of the associated E/M claim lines were billed with modifier -25, which is used to report a significant, separately identifiable E/M service. In these cases, CMS may have made approximately $337,000 in improper payments because the virtual check-in services should have been covered as part of the originating E/M service, not billed separately.

The second pattern involves e-visits billed in overlapping windows. CMS made $298,200 in potential improper payments for 10,237 e-visit services because the services were provided within 7 days of another e-visit having the same diagnosis code for the same enrollee. E-visit communications are restricted to a seven-day period. Multiple communications with a patient over that window for the same condition should be aggregated and billed once using the code that reflects cumulative time, not billed as separate encounters.

OIG concluded that the improper payments resulted from a lack of system edits to detect payments at risk for noncompliance, and from CMS’s failure to adequately educate providers on proper billing requirements for these services. OIG made three recommendations: develop system edits to flag and reject noncompliant claims, strengthen HCPCS code descriptions for virtual check-ins in the Physician Fee Schedule, and enhance provider education. OIG estimated the system edits alone could have saved the Medicare program up to $2.3 million during the audit period. CMS concurred with the first and third recommendations and has already implemented some edits, with further review underway.

What this Means for You

When OIG publishes an audit of this kind and CMS confirms it is already implementing system edits, providers should treat it as a direct signal that this billing area is now under heightened scrutiny. Claims that match the patterns identified in the audit are at elevated risk of post-payment review, recoupment demands, and potential False Claims Act exposure.

If you bill virtual check-in or e-visit services, conduct an immediate self-audit against two specific patterns. First, review whether you billed a virtual check-in within 7 days after, or 24 hours before, an E/M visit for the same patient under the same diagnosis code. If so, only the E/M service should have been billed. Second, review whether you billed multiple e-visit codes within a single 7-day period for the same patient and condition. If so, those interactions should have been aggregated and billed once using the appropriate cumulative time code. Document your review process and any corrective actions taken.

Frequently Asked Questions

What is a virtual check-in service under Medicare? A virtual check-in is a brief, technology-assisted communication between a Medicare patient and their established provider, via phone, audio/video, or similar technology, that is not related to an E/M visit in the prior seven days and does not result in one within 24 hours. It is distinct from a full telehealth visit and has specific billing rules governing when it can be separately reimbursed.

What is the correct way to bill multiple e-visit communications over a 7-day period? E-visit services are billed based on cumulative provider time over a 7-day period for a single condition. If a provider communicates with a patient multiple times over that window for the same diagnosis, the appropriate approach is to aggregate the total time and bill once using the code that reflects that cumulative duration, not to bill each individual communication separately.

HHS Launches Psychiatric Overprescribing Action Plan, With Direct Billing Compliance Implications

On May 4, 2026, HHS announced a new action plan to curb psychiatric overprescribing, unveiled by Secretary Robert F. Kennedy, Jr. at a MAHA Institute summit on mental health and overmedicalization. The plan promotes appropriate psychiatric prescribing, supports deprescribing when clinically indicated, and, critically for compliance officers, directs providers toward non-pharmacological treatment alternatives that are already reimbursable under Medicaid and CHIP, with billing codes specified in the accompanying Dear Colleague Letter.

Key Details

The initiative is broad in scope. Through a multipronged approach including education and outreach, program and policy actions, and research-to-practice efforts, HHS is working to prevent the unnecessary initiation of psychiatric medications and support the tapering and discontinuation of medications for patients not experiencing clinical benefit.

The statistics HHS is responding to are striking. According to CDC data, roughly 16.5% of American adults were taking psychiatric medication as of 2020. One in 10 children are on prescription medication for their mental health, and 30% of college students report using psychiatric medications in the past year.

The Dear Colleague Letter accompanying the announcement encourages providers to prioritize informed consent and shared decision-making, emphasizes nonmedication approaches when clinically appropriate, and lists specific billing codes providers can use, including CPT codes 97802, 97803, and 97804 for diet modification and medical nutrition therapy; 90832, 90834, and 90837 for individual psychotherapy; and 90846, 90847, and 90849 for family psychotherapy. CMS also released separate guidance for physicians and practitioners on the importance of deprescribing and related medical care.

The initiative has not been without controversy. The American Psychiatric Association issued a statement welcoming efforts to improve the quality of mental health treatment, but objecting to HHS’s framing of the crisis as primarily a problem of overprescribing, noting that it oversimplifies a complex crisis and ignores persistent workforce shortages, limited psychiatric beds, barriers to psychotherapy, and the lack of a true continuum of care.

What this Means for You

The compliance risk here is specific and consequential. The Dear Colleague Letter explicitly notes that Medicaid and CHIP coverage for non-pharmacological treatment codes varies by state, and directs practitioners to confirm covered services, eligible provider types, and prior authorization requirements before billing. Submitting a claim to Medicaid for a service that is not covered in your state, without verifying coverage in advance, could constitute a False Claims Act violation. The FCA does not require intent to defraud; reckless disregard for a claim’s accuracy can be sufficient to trigger liability.

Before billing for any of the non-pharmacological treatment codes identified in the HHS guidance, verify coverage under your specific state’s Medicaid program, confirm you qualify as an eligible provider type for each code, and satisfy any applicable prior authorization requirements. Document each verification step. This is not a policy area where assumptions are safe.

Frequently Asked Questions

Does HHS’s psychiatric overprescribing action plan create new billing requirements for providers? Not directly. The action plan does not itself impose new billing rules. However, the Dear Colleague Letter encourages use of specific CPT codes for non-pharmacological treatments that may be covered under Medicaid and CHIP. The compliance risk lies in billing those codes without first verifying state-level coverage, eligible provider types, and prior authorization requirements, which vary significantly by state.

What is deprescribing and does it have compliance implications? Deprescribing is the clinically guided process of tapering or discontinuing medications that are no longer providing benefit or whose harms outweigh their efficacy. From a compliance standpoint, the clinical rationale for deprescribing decisions, informed consent conversations, and any transition to alternative treatments should all be thoroughly documented to support the accuracy of related claims.

No Provider Is Too Small for False Claims Act Liability, Two New Enforcement Actions Prove It

A persistent and dangerous misconception among smaller healthcare providers is that federal fraud enforcement is reserved for industry giants. Two enforcement actions announced in late April 2026, one involving one of the most infamous pharmaceutical companies in American history, the other a small federally qualified health center serving underserved populations, make clear that no organization receiving federal healthcare dollars is outside the government’s enforcement reach.

Key Details

On April 28, 2026, Purdue Pharma was sentenced in federal court and ordered to pay criminal penalties exceeding $5 billion for its role in fueling the opioid epidemic. For a decade, Purdue illegally marketed its opioid products to hundreds of prescribers the company had reason to believe were prescribing without a legitimate medical purpose. The company defrauded the DEA by misrepresenting the effectiveness of its diversion prevention programs, and paid kickbacks to prescribers through its speaker program and to an electronic health record platform to induce higher prescribing volumes. At its peak, Purdue was worth approximately $30 billion.

That scale can lull smaller providers into a false sense of security. It should not. Also in late April, Tri-Area Community Health (TACH), a Federally Qualified Health Center in Laurel Fork, Virginia, a community-based clinic providing care to underserved populations regardless of ability to pay, agreed to pay over $513,000 to resolve False Claims Act allegations. TACH allegedly provided Annual Wellness visits to Medicare beneficiaries conducted by pharmacists, without physician oversight, presence, or supervision. Those visits were then billed under the names of physicians who played no role in furnishing the services. TACH’s status as a small FQHC serving medically underserved communities did not shield it from liability.

The broader enforcement context underscores why this matters at scale. By many indications, 2026 is shaping up to be a high-water mark for healthcare enforcement, with the DOJ’s annual False Claims Act report for fiscal year 2025 showing record enforcement with over $6.8 billion in settlements and judgments, more than double the prior year’s total and the highest ever recorded under the FCA.

What this Means for You

The TACH case illustrates two specific risks that apply to providers of every size: billing under a physician’s name for services that physician did not furnish, and failing to ensure the level of supervision Medicare requires for services performed by non-physician practitioners. Neither of these requires intent to defraud. Under the False Claims Act, reckless disregard for a claim’s accuracy is sufficient for liability.

Every provider that participates in federal healthcare programs should review its billing practices for preventive services, including Annual Wellness Visits, and confirm that the physician whose name appears on a claim actually played the role Medicare requires. Train staff on False Claims Act liability, with particular emphasis on the fact that it is not a law that only applies to companies like Purdue. Conduct regular audits of claim submissions, and ensure that when non-physician practitioners furnish services, the applicable supervision requirements are documented and met before the claim is filed.

Frequently Asked Questions

Can a small healthcare provider face False Claims Act liability? Yes. The FCA applies to any individual or organization that knowingly submits false or fraudulent claims for federal funds, regardless of size. The TACH settlement, over half a million dollars paid by a small FQHC serving underserved communities, is a direct illustration that size, mission, and patient population do not provide immunity from federal enforcement.

What is a Federally Qualified Health Center and why does FCA compliance matter for them? A Federally Qualified Health Center is a community-based clinic that receives federal funding to provide comprehensive primary and preventive care to underserved populations, regardless of ability to pay. Because FQHCs receive federal funds and bill Medicare and Medicaid, they are fully subject to the False Claims Act. Participation in federal programs comes with compliance obligations that apply uniformly, regardless of the populations served.

Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.

Have a question about how these developments affect your organization?