What E/M coding audit failures cost you in 2026
E/M coding audit failures trigger overpayment recoveries, compliance penalties, and Medicare Advantage payment reductions across thousands of provider groups each year. The 2026 OIG work plan targets evaluation and management services with specific focus on telehealth encounters, prolonged service codes, and time-based billing patterns.
This post covers the most common audit triggers CMS and commercial payers flag in 2026, the documentation errors that cause failures, and specific tactics to prevent them before auditors review your claims. You'll see the exact patterns that fail audits and how to build prevention into your coding workflow.
Common E/M coding audit failures in 2026
Four patterns cause most E/M audit failures this year.
First: time-based billing without documented start and stop times. The 2021 E/M guidelines allow time-only selection for office visits, but auditors demand exact timestamps. "45 minutes spent counseling" fails. "11:15 AM to 12:00 PM discussing diabetes management" passes.
Second: prolonged service codes billed without supporting E/M base codes. CPT 99417 requires a minimum of 15 minutes beyond the typical time for 99205 or 99215. Auditors see frequent 99417 claims without matching total time documentation. Providers bill 99205 + 99417 but document 62 minutes total. That's a failure. You need 75 minutes minimum for 99205 (60 minutes typical) plus one unit of 99417.
Third: telehealth visit levels inconsistent with documented complexity. Many practices bill 99215 for routine med checks conducted via video. The medical decision making doesn't support level 5. CMS specifically flagged this pattern in their January 2026 CERT report as a high-error area.
Fourth: modifier 25 overuse on preventive visit days. Billing 99214 with modifier 25 alongside 99395 triggers automatic review when the "separate E/M" documentation describes only the issues addressed in the preventive exam. Auditors want clear separation: different diagnoses, different body systems, or separately identifiable problems documented.
What the 2026 OIG work plan targets
The Office of Inspector General's 2026 work plan lists three specific E/M review projects.
Project one examines Medicare Advantage encounter data for E/M upcoding patterns. OIG compares E/M level distributions between fee-for-service Medicare and MA plans. Outlier providers billing more than 40% of office visits at levels 4 or 5 face chart review. They're looking for MDM documentation that doesn't match the billed level.
Project two audits telehealth E/M claims from 2024-2025 for appropriate level selection. OIG pulls samples from high-volume telehealth billers and reviews whether virtual encounters documented enough elements to support levels 3, 4, or 5. Early findings show 23% of sampled telehealth claims lacked sufficient MDM to support the billed code.
Project three reviews prolonged service codes billed with E/M visits. OIG wants to confirm total time documented, that time qualifies (face-to-face or floor time on the same date), and that the work described justifies the additional payment. Recovery rates from past prolonged service audits run around $3,800 per identified claim error.
Documentation gaps that trigger E/M coding audit failures
Audit failures trace back to five documentation problems.
Missing MDM elements. Coders can't assign level 4 or 5 if the note doesn't document data reviewed, risk addressed, or problem complexity. "Reviewed labs, adjusted meds, follow up 3 months" doesn't give an auditor enough. You need specifics: which labs, what values, which medication, what dose change, why that choice matters given the patient's conditions.
Vague time statements. "Spent significant time counseling" fails. "35 minutes of the 40-minute visit spent counseling patient on insulin titration and hypoglycemia recognition" works. Auditors need total time and the portion spent on counseling or coordination when you're billing based on time instead of MDM.
Copy-forward errors. EHR templates pull prior visit text forward. Coders see "patient ambulating without difficulty" on a telemedicine note or "abdomen soft, non-tender" on a phone call. Auditors spot these immediately. They indicate the provider didn't perform or document what the note claims. That's fraud risk territory.
Unsigned or late-signed notes. Medicare requires signatures within a reasonable timeframe. "Reasonable" typically means before claim submission. Notes signed 60 days after the visit, especially if signed after an audit request, won't support payment. Some MACs deny any claim where the signature date is after the initial claim submission date.
Insufficient problem list detail. The 2021 guidelines tie MDM to problems addressed, not problems listed. An active problem list with 12 chronic conditions doesn't support level 4 MDM if today's visit addressed only one stable issue. Auditors look at what the provider actively managed during this encounter, not the patient's overall complexity.
How HCC coding intersects with E/M audits
Risk adjustment audits often start as E/M reviews. Medicare Advantage plans submit diagnosis codes from E/M encounters to CMS for payment. Those codes drive risk scores.
Auditors pull charts when they see patterns: same diagnoses on every visit without supporting documentation changes, HCC codes added during telehealth visits without condition-specific exam findings, or high-value diagnoses listed but not addressed in the assessment and plan.
A 2025 OIG report found 18% of sampled MA encounters with submitted HCC codes lacked sufficient documentation to support those diagnoses. The E/M level was often appropriate, but the specific diagnosis wasn't documented as evaluated or treated. That's an E/M audit that becomes an overpayment recovery.
Providers doing risk adjustment coding need documentation that supports both the E/M level and every diagnosis submitted. Generic phrases like "chronic conditions managed" don't work. Name the condition, show what you assessed, state your clinical thinking.
Prevention strategies for E/M audit failures
You can prevent most E/M audit failures with four operational changes.
Build time capture into your workflow. If providers bill based on time, they need to document it. Add timestamp fields to your EHR templates. Train providers to note start time when entering the room and end time when wrapping up. For telehealth, log-in and log-off times from the platform can serve as documentation, but the note should still state total time.
Many groups use scribes or voice recognition to capture time statements during the visit. "Beginning visit at 2:15 PM" and "Concluding visit at 2:47 PM" become part of the transcribed note. Simple, auditable, defensible.
Run monthly MDM audits on high-level claims. Pull a random sample of your 99205, 99215, and 99285 claims each month. Review whether the MDM table in the 2021 guidelines supports the billed level. You're checking for documented number and complexity of problems, amount and complexity of data, and risk of complications or morbidity.
This catches patterns before payer audits do. If 30% of your sampled charts don't support the billed level, you have a training problem or a template problem. Fix it before CMS notices.
Internal audit programs from vendors like MedCodex Health can run these reviews and provide coder feedback tied to specific encounter examples. That's more effective than annual training sessions.
Create telehealth-specific documentation standards. Virtual visits present different documentation challenges. You can't document a physical exam you didn't perform. Providers need alternative ways to show MDM complexity.
Train them to document what they observed via video, what they asked the patient to demonstrate, and what data they reviewed to compensate for exam limitations. A detailed medication reconciliation, review of home glucose logs, and shared decision-making conversation can support level 4 MDM even without a hands-on exam.
Your telemedicine documentation should clearly state the visit was conducted via telehealth, describe the platform used, and confirm the patient's location and consent. CMS requires this for payment.
Audit modifier 25 claims quarterly. This modifier generates audit activity because it's frequently misused. Review a sample of claims where you billed a procedure or preventive visit plus a separate E/M with modifier 25 on the same day.
Check whether the documentation supports two separately identifiable services. The E/M should address a different problem than the preventive exam or procedure. "Patient here for annual physical, also complaining of new knee pain" works if the knee pain gets its own history, exam, and MDM. "Patient here for physical, BP elevated, discussed diet" doesn't support modifier 25 because BP screening is part of the preventive service.
Technology tools that reduce audit risk
Clinical decision support tools built into your EHR can flag incomplete documentation before claim submission.
Best performing systems check for required MDM elements based on the preliminary code the provider selects. If they choose 99214, the system prompts them to document at least two MDM categories at moderate level. If time-based coding is selected, the system requires total time and counseling time entries.
Some revenue cycle platforms now use natural language processing to scan notes for audit risk patterns: missing exam elements for the body system treated, diagnosis codes in the claim that don't appear in the assessment, or time-based code selection without time documentation. These get flagged for coder review before claim submission.
AI-assisted coding tools can help, but they introduce risk if used incorrectly. The AI suggests a code based on the note. If the note has gaps, the suggested code may be wrong. You still need human coders trained in 2026 guidelines to validate suggestions and query providers when documentation is insufficient.
How to respond when an E/M audit notice arrives
Your response timeline and strategy determine recovery outcomes.
First 48 hours: read the entire audit request. Note the requested records, the lookback period, and the sample size. MAC audits typically request 20-40 charts. RAC audits often start with smaller samples. The letter will state whether this is pre-payment or post-payment review.
Assign one person to coordinate the response. Pulling charts from multiple EHR systems, scanning paper records, and organizing submissions takes dedicated time. Don't split this across your billing team's other responsibilities.
Before submitting records, have a certified coder review the requested charts. Identify obvious documentation gaps. If the note doesn't support the billed code, you can withdraw the claim or submit a corrected claim before the auditor reviews it. This limits extrapolation risk.
Submit everything requested, on time. Late submissions or partial responses trigger automatic denials. If the auditor requests 30 charts and you submit 28, they'll deny the 2 missing charts and potentially extrapolate that error rate across all your claims in that date range.
When audit results come back, you typically have 30 days to request a redetermination. This is when detailed coding quality audit findings help. You need to show why the auditor's decision was incorrect, citing specific guideline references and documentation elements they missed.
Many providers bring in external coding experts at this stage. A well-written appeal with coding rationale can overturn 40-60% of initial denials, but only if you cite the right policy sources and point auditors to specific documentation they overlooked.
What extrapolation means for your revenue
When Medicare or a MAC finds a high error rate in your sample, they can extrapolate that rate across all similar claims you billed during the audit period. This turns a $15,000 sample overpayment into a $400,000 total recovery demand.
Extrapolation kicks in when the sample error rate exceeds 50% and the sample size meets statistical validity requirements. If an auditor reviews 30 claims, finds errors in 18, and determines you overbilled those by an average of $85 per claim, they'll apply that error rate to every similar claim you submitted.
You filed 6,200 E/M claims in the audit period. The extrapolated overpayment becomes 6,200 × 60% error rate × $85 = $316,200. You can challenge the extrapolation methodology, but you need a statistician and strong documentation to succeed.
Preventing extrapolation means keeping your error rate below 50% and your documentation consistent. Regular internal audits catch problems while they're fixable.
Building a sustainable E/M compliance program
Compliance isn't a one-time fix. You need ongoing systems.
Start with baseline measurement. Audit 20 charts per provider per quarter. Calculate error rates by E/M level and service type. Track documentation completion rates, time capture compliance for time-based billing, and MDM element presence for complexity-based coding.
Share results with providers individually and privately. Public scorecards create defensiveness. One-on-one feedback with specific chart examples drives behavior change. Show them the documentation that failed and what would have passed.
Create job aids providers can reference during documentation. A one-page MDM table showing what level 3, 4, and 5 require for problems addressed, data reviewed, and risk level beats a 40-slide training deck. Providers won't remember the training, but they'll use a reference card.
Run your compliance program separately from productivity metrics. If providers think better documentation will reduce their patient volume or RVU counts, they won't do it. Compliance targets need dedicated time and separate recognition.
Partner with external coding resources when your internal team can't keep up with documentation reviews and provider education. Outsourced coding support gives you access to certified coders who know current guidelines without adding headcount. They can audit, provide feedback, and handle queries while your core team focuses on claims production.
Frequently asked questions about E/M coding audit failures
What percentage of E/M claims get audited each year?
CMS audits approximately 0.4% of all fee-for-service E/M claims annually through the CERT program, but high-risk providers face significantly higher audit rates. Medicare Advantage plans audit 3-8% of provider encounters for risk adjustment validation. Commercial payers run post-payment reviews on 1-2% of E/M claims. If your coding patterns flag as statistical outliers, your audit rate can reach 15-20% of submitted claims.
Can I bill an E/M visit based on time if I also documented MDM?
Yes. The 2021 E/M guidelines allow you to select the visit level based on either MDM or total time, whichever supports the higher level. You must clearly document which method you're using. Best practice: if you're billing based on time, state total time and how much was spent on counseling or coordination. If MDM supports a higher level, document the elements from the MDM table. Don't mix the two methods for the same claim.
How long do I have to correct E/M coding errors before they become fraud?
There's no grace period. Once you identify a coding error, you're obligated to investigate the scope and report overpayments to CMS within 60 days under the Stark Law self-disclosure requirements. Patterns of upcoding discovered and not corrected become False Claims Act violations. If you find errors during an internal audit, quantify the overpayment, submit corrected claims or refunds, and document your corrective action. Waiting doesn't reduce your liability; it increases it.
What's the difference between a MAC audit and a RAC audit for E/M claims?
MAC audits are conducted by Medicare Administrative Contractors as part of routine claims processing oversight. They're typically educational, with lower financial penalties for first-time errors. RAC audits are performed by Recovery Audit Contractors specifically to identify overpayments. RACs work on contingency, keeping a percentage of recovered funds, so they're more aggressive. RACs can extrapolate findings and demand large repayments.