Upcoding and undercoding both create serious compliance exposure for US healthcare organizations. Upcoding inflates reimbursement through unsupported higher-level codes, triggering federal audits and False Claims Act liability. Undercoding leaves money on the table while creating statistical patterns that signal poor documentation or intentional avoidance of scrutiny. This guide explains how both practices create risk, what auditors look for, and how to build defenses that protect revenue and compliance simultaneously.
Revenue cycle leaders face pressure from two directions. CFOs want maximum reimbursement. Compliance officers want zero audit risk. The gap between those goals is where upcoding and undercoding problems grow.
What upcoding and undercoding mean in practice
Upcoding assigns a higher-level code than the documentation supports. A physician documents a straightforward office visit but the claim bills a comprehensive exam. An inpatient stay coded as a complication when the record shows routine care. The pattern is always the same: the code inflates severity or complexity beyond what the record proves.
Undercoding does the opposite. A complex encounter gets billed as a simple one. A patient with multiple documented chronic conditions gets coded without those diagnoses. An ED visit with extensive workup gets billed at the lowest level.
Both practices create compliance problems, just different ones.
Why undercoding still triggers audits
Many organizations assume undercoding is safe because it reduces reimbursement. That logic fails under scrutiny.
Medicare contractor data analytics, which drive programs like Targeted Probe and Educate, flag outliers in both directions. If your ED codes 80% of visits at level 2 when regional benchmarks show 40%, that's a statistical anomaly. OIG reviews target practices with unusually low coding patterns because they can signal gaming: intentionally lowering codes to stay under audit thresholds, then upcoding select high-dollar claims that fly under the radar.
Undercoding also erodes risk adjustment accuracy. In Medicare Advantage and ACO contracts, missing documented diagnoses directly reduces capitation payments. A 2024 OIG report found that 15% of sampled MA plans undercoded beneficiaries by failing to capture documented HCC conditions, costing those plans millions in legitimate reimbursement.
Federal enforcement priorities through 2026
CMS and the Department of Justice have been clear about coding compliance enforcement. The 2025 OIG Work Plan continues to prioritize upcoding in evaluation and management services, inpatient DRG validation, and HCC risk adjustment.
Three areas are getting the most scrutiny right now.
E/M upcoding in office and outpatient settings
The 2021 E/M guidelines gave providers more flexibility, but OIG data shows level 4 and 5 visit coding jumped 22% nationally between 2021 and 2024. That increase doesn't match corresponding changes in patient complexity metrics.
Auditors compare your facility's distribution of E/M levels against regional and specialty benchmarks. If 70% of your visits are level 4 or 5 when peers are at 45%, you're flagged. The review pulls charts. If documentation doesn't support medical decision-making complexity or time spent, you're facing extrapolation and repayment.
Inpatient DRG manipulation
Hospitals face intense pressure to code higher-weighted DRGs. The most common red flags: principal diagnosis changes that shift reimbursement without clear clinical justification, complication codes added without physician documentation of treatment or clinical impact, and query patterns that consistently push toward higher-paying codes.
A 2025 DOJ settlement with a Michigan health system centered on systematic upcoding of sepsis diagnoses. The government's case showed query templates that led physicians toward sepsis documentation even when clinical indicators were borderline. The settlement: $18.3 million plus a five-year corporate integrity agreement.
HCC risk adjustment coding
Medicare Advantage plan payments depend on member risk scores driven by diagnosis coding. CMS's Risk Adjustment Data Validation audits pull charts from high-coding plans and disallow any HCC condition that lacks sufficient support.
The standard is strict: a record from an acceptable provider's face-to-face encounter during the payment year must show the condition was monitored, evaluated, assessed, or treated (the MEAT criteria). A problem list entry without any progress note mention doesn't count. A copied-forward diagnosis without a current assessment fails validation.
Organizations working with delegated coding vendors have additional exposure. If your vendor routinely codes every documented diagnosis without clinical validation, you own the compliance liability. MedCodex Health sees this frequently when new clients bring us in after failed RADV audits traced back to previous vendors who prioritized volume over accuracy.
Red flags auditors use to select targets
Payers and federal auditors don't randomly select organizations for review. They run analytics that surface statistical outliers and billing patterns that correlate with known fraud schemes.
Here's what gets you flagged.
Benchmark deviations
Your coding distribution gets compared against regional, specialty, and facility-type peers. Significant deviation in either direction triggers deeper review. This includes case mix index trending sharply upward without corresponding changes in patient population, E/M level distribution skewing high or low compared to similar practices, and HCC coding rates exceeding regional averages by more than 15%.
Documentation-coding mismatches
Automated pre-payment reviews now use natural language processing to scan documentation and compare it against submitted codes. Claims get denied or held when the algorithm detects phrases like "routine follow-up" paired with high-level E/M codes, or when high-complexity codes appear but progress notes lack differential diagnosis or management options discussion.
Query patterns that steer outcomes
CDI query practices are under scrutiny. Compliant queries are clinical clarifications. Non-compliant queries lead the physician toward a specific answer that increases reimbursement.
The AHIMA/ACDIS Guidelines for Achieving a Compliant Query Practice, which auditors and enforcement attorneys use as the yardstick, specifically call out multiple-choice queries where every option is a higher-severity diagnosis, queries sent only on cases where clarification would increase payment, and template language that suggests the "preferred" answer.
If your physician query management process shows these patterns, you're creating evidence for a False Claims Act case.
Building defenses that protect both revenue and compliance
The answer isn't to code conservatively out of fear. That leaves legitimate reimbursement uncaptured and creates its own compliance questions. The answer is accurate coding supported by complete documentation.
Pre-bill coding audits with statistical monitoring
Don't wait for an external audit to find problems. Run your own internal coding quality audits quarterly, stratified by coder, department, and code type.
Track your distributions against CMS and commercial payer benchmarks. When you spot outliers, drill into individual coder performance and specific encounter types. If one coder consistently codes higher than peers, that's a training issue or a termination issue, depending on intent.
Statistical process control charts help you spot trends before they become enforcement actions. A gradual upward drift in average E/M level is easier to correct at 6 months than at 3 years when CMS sends a refund demand.
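The two checks described in this section, a benchmark comparison stratified by coder or department and a control chart on monthly average E/M level, can be run against your own claim extracts with a few dozen lines of Python. The following is an added example, not MedCodex Health tooling or anything from the original page; the benchmark share (45% of visits at level 4 or 5), the 15-point deviation threshold, the six-month baseline, and all claim and monthly data are constructed assumptions for illustration.

```python
"""Internal E/M coding-distribution monitor (constructed example, not vendor code)."""
from collections import defaultdict
from statistics import mean, pstdev

# CPT office/outpatient E/M codes (new and established patient) mapped to level 2-5.
EM_LEVEL = {
    "99202": 2, "99203": 3, "99204": 4, "99205": 5,
    "99212": 2, "99213": 3, "99214": 4, "99215": 5,
}

# Assumed peer benchmark: share of visits billed at level 4 or 5 (hypothetical figure).
BENCHMARK_HIGH_LEVEL_SHARE = 0.45
# Assumed tolerance: flag a group whose share differs from the benchmark by more than this.
DEVIATION_THRESHOLD = 0.15


def high_level_share(claims):
    """Fraction of claims billed at E/M level 4 or 5 (non-E/M codes are ignored)."""
    levels = [EM_LEVEL[c["code"]] for c in claims if c["code"] in EM_LEVEL]
    if not levels:
        return 0.0
    return sum(1 for lvl in levels if lvl >= 4) / len(levels)


def benchmark_outliers(claims, key, benchmark=BENCHMARK_HIGH_LEVEL_SHARE,
                       threshold=DEVIATION_THRESHOLD):
    """Group claims by `key` ('coder' or 'department') and return the groups whose
    level-4/5 share deviates from the benchmark by more than `threshold` in EITHER
    direction, so undercoding is surfaced alongside upcoding."""
    groups = defaultdict(list)
    for claim in claims:
        groups[claim[key]].append(claim)
    return {name: round(high_level_share(cs), 3)
            for name, cs in groups.items()
            if abs(high_level_share(cs) - benchmark) > threshold}


def spc_drift(monthly_means, baseline_months=6, sigma=3, run_length=8):
    """Individuals control chart over monthly mean E/M level.
    Center line and control limits come from the first `baseline_months` points.
    A month is flagged 'limit' if it falls outside center +/- sigma*stdev, and 'run'
    when `run_length` consecutive months sit on the same side of the center line,
    which catches gradual drift before any single month breaches a limit."""
    baseline = monthly_means[:baseline_months]
    center, sd = mean(baseline), pstdev(baseline)
    ucl, lcl = center + sigma * sd, center - sigma * sd
    flags, run, side = [], 0, 0
    for i, m in enumerate(monthly_means):
        if m > ucl or m < lcl:
            flags.append((i, "limit"))
        s = 1 if m > center else (-1 if m < center else 0)
        if s != 0 and s == side:
            run += 1
        else:
            side, run = s, (1 if s != 0 else 0)
        if run == run_length:
            flags.append((i, "run"))
    return {"center": round(center, 3), "ucl": round(ucl, 3),
            "lcl": round(lcl, 3), "flags": flags}


def _make(coder, dept, codes):
    return [{"coder": coder, "department": dept, "code": c} for c in codes]


# Constructed sample: three coders in one department. Coder B codes high, coder C codes
# low; their shares cancel out at department level, which is why audits stratify by coder.
SAMPLE_CLAIMS = (
    _make("coder_a", "primary_care", ["99213"] * 5 + ["99214"] * 4 + ["99215"])
    + _make("coder_b", "primary_care", ["99213"] * 2 + ["99214"] * 6 + ["99215"] * 2)
    + _make("coder_c", "primary_care", ["99212"] * 5 + ["99213"] * 4 + ["99214"])
)

# Constructed monthly mean E/M level: six stable baseline months, then a slow upward drift
# that stays inside the control limits until the final month.
SAMPLE_MONTHLY_MEANS = [3.40, 3.45, 3.38, 3.42, 3.47, 3.41,
                        3.44, 3.45, 3.46, 3.47, 3.46, 3.48, 3.47, 3.49, 3.60]

if __name__ == "__main__":
    print("by coder:     ", benchmark_outliers(SAMPLE_CLAIMS, "coder"))
    print("by department:", benchmark_outliers(SAMPLE_CLAIMS, "department"))
    print("SPC:          ", spc_drift(SAMPLE_MONTHLY_MEANS))
```

With the constructed data, the coder-level check flags coder_b (0.8) and coder_c (0.1) while the department-level check flags nothing, and the control chart raises a run signal at month 13 before the limit breach at month 14. In practice, swap the constructed benchmark for the CMS or commercial payer distribution for your specialty and region, and keep the baseline period free of the months you are testing.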
Clinical documentation improvement that supports codes
Coders can only code what's documented. If physicians don't document medical decision-making elements, time spent, or chronic condition status and management, accurate coding is impossible.
Effective CDI programs do two things: they ensure documentation captures the clinical story completely, and they educate physicians on what language supports specific code requirements without leading them toward unearned reimbursement.
The difference matters. A compliant CDI specialist asks "Was sepsis considered and ruled out, or is this documented as present?" A non-compliant specialist asks "Can we call this sepsis?"
Independent validation for high-risk services
Some service lines carry higher audit risk and deserve additional validation layers. Inpatient DRG coding, risk adjustment capture, and ED coding top the list.
Consider independent secondary review for cases that meet specific criteria: DRG codes in the top 20% of your facility's reimbursement, any case where a query changed the principal diagnosis or added a complication, and HCC conditions coded for the first time or after a gap year.
This catches errors before submission and creates documentation that you're monitoring for accuracy, not maximizing payment regardless of support.
What to do if you're already under audit
If you receive a UPIC (formerly ZPIC) records request, a RADV audit notice, or a DOJ civil investigative demand, your response window is narrow and the stakes are high.
Immediately preserve all relevant documentation, including coding guidelines in effect during the audit period, coder training materials and credentialing records, CDI policies and query templates, and any coding software or CAC tool configurations.
Don't start internal investigations without legal counsel. Findings your own team writes up outside a counsel-directed review are generally discoverable; a review conducted at counsel's direction can fall under attorney-client privilege or work-product protection. Engage healthcare legal counsel before you pull charts or interview staff.
Your legal team will typically bring in coding experts to review the sampled claims and assess exposure. If the audit uses statistical extrapolation, every error found in the sample is projected across the entire universe of claims the sample represents. A 10% error rate on a 30-claim sample can generate seven-figure repayment demands.
This is also when organizations realize their coding vendor's contract limits their liability but leaves the provider holding full financial and legal exposure.
Frequently asked questions
What's the difference between upcoding and fraud?
Upcoding becomes fraud when it's done knowingly. A single miscoded claim is an error. A pattern of unsupported codes submitted knowingly is False Claims Act territory, and the FCA's "knowingly" standard covers deliberate ignorance and reckless disregard as well as actual knowledge, so the government doesn't need to prove specific intent to defraud. It typically relies on pattern evidence: consistent upcoding across multiple coders, financial incentives tied to code levels, or ignored audit findings. If you know codes are wrong and submit them anyway, that's fraud.
Can undercoding get you in legal trouble?
Undercoding rarely triggers False Claims Act liability because you're not seeking unearned payment. But it can create problems in value-based contracts where accurate risk adjustment is required, and it raises questions during audits about whether you're strategically avoiding scrutiny. Systematic undercoding to avoid audit thresholds while selectively upcoding other claims is a fraud red flag that investigators specifically look for.
How often should we audit our coding for compliance?
Quarterly internal audits are standard for most organizations, with monthly monitoring of key metrics like case mix index and E/M distributions. High-risk service lines may need more frequent review. Annual audits aren't sufficient because you won't catch problems until they've created a year's worth of exposure. The goal is to identify and correct patterns within 90 days, before they generate statistical anomalies visible to payer analytics.
Who's liable when an outsourced coding vendor upcodes?
The billing provider is always primarily liable. You can't outsource compliance responsibility. Your contract with the vendor may give you indemnification rights, but CMS and DOJ will pursue repayment and penalties from the entity that submitted the claims. This is why vendor oversight and regular validation of vendor coding accuracy is non-negotiable. If your vendor is consistently coding higher than your internal benchmarks showed before you outsourced, that's a problem you need to address immediately.
Do the 2021 E/M changes reduce upcoding risk?
The 2021 revisions to office and outpatient E/M (extended to most other E/M categories in 2023) let providers select a level based on time or medical decision-making without requiring all history and exam elements. But they didn't eliminate upcoding risk. You still need documentation to support whatever level you bill. If you're billing based on time, you must document the total time spent on the date of the encounter. If you're using MDM, you need documented evidence of the problems addressed, data reviewed, and risk of management. The changes shifted what needs to be documented but didn't lower the standard for supporting your codes.
Moving from risk exposure to defensive positioning
Upcoding and undercoding aren't opposites on a compliance spectrum. They're both symptoms of the same problem: coding accuracy gaps that create financial and legal exposure.
Organizations that treat coding as a revenue function will eventually face enforcement. Those that treat it as a clinical documentation accuracy function get paid correctly and sleep better.
The path forward is straightforward: audit regularly, benchmark continuously, train constantly, and validate high-risk areas before submission. When you can't resource that internally, bring in external expertise with skin in the game.
If your current coding operation can't demonstrate accuracy through regular audits and benchmark comparisons, you're operating blind. MedCodex Health offers compliance-focused coding reviews that identify exposure before auditors do. Reach out for a no-obligation assessment of your current coding accuracy and risk profile.