Commentary|Articles|March 19, 2026

Physicians face 'greater scrutiny, less margin for error' in 2026, compliance expert warns

Fact checked by: Keith A. Reynolds
Listen
0:00 / 0:00

Shannon Sumner, CPA, CHC, of PYA walks through the compliance risks practices can't afford to ignore and what to do before investigators come knocking.

Fraud enforcement in health care has never been more data driven, and physician practices are increasingly finding themselves in the crosshairs.

With the federal government recovering more than $6 billion in health care fraud last year, and the launch of the U.S. Centers for Medicare & Medicaid Services (CMS) CRUSH initiative — Comprehensive Regulations to Uncover Suspicious Healthcare, that is — the pressure on individual physicians and practice leaders is mounting.

Shannon Sumner, CPA, CHC, is managing principal of PYA’s Nashville office and the firm’s chief compliance officer. A nationally recognized health care compliance expert with more than 30 years of experience in health care internal auditing and regulatory compliance, she’s helped organizations of all sizes strengthen their compliance programs, and navigate fraud and abuse risk. The U.S. Department of Justice (DOJ) has sought her expertise in a history-making federal compliance co-monitorship case.

Sumner spoke with Medical Economics about where enforcement is heading in 2026, what’s making value-based care (VBC) arrangements a growing liability and why a reactive compliance program is no longer enough.

This interview has been edited for length and clarity.

Physicians are watching the headlines and hearing more from the DOJ and CMS about fraud, waste and abuse. How is the enforcement environment actually changing in 2026, and what should physicians and practice leaders be worried about now?

The enforcement environment in 2026 is really more data-driven and pattern-focused than ever before. Investigations are increasingly triggered by analytics, so practices get flagged because their data does not look like their peers. In 2026, physician practices will face greater scrutiny and less margin for error.

If you haven’t already, you really should create a compliance framework to monitor high-risk areas. Billing, coding and documentation integrity remain major concerns. The Office of Inspector General (OIG) and the DOJ continue to prioritize improper payments in high-risk areas. Those include evaluation and management level selection and medical necessity, modifier misuse, incident-to billing, split and shared visits, and telehealth documentation compliance.

Another risk area is quality reporting and value-based payment errors. That includes inaccurate or incomplete quality data, electronic health record auto-population that contradicts the clinical note, inability to validate reported measures, and missing or late submissions.

One more area to add is Medicare Advantage and risk adjustment. There is a huge focus by the OIG and CMS on inadequate documentation supporting hierarchical condition category coding. You also have to layer in marketing and incentives tied to plan enrollment or utilization. The risk exposure there is significant and can include recoupment, risk adjustment data validation audits, anti-kickback exposure for incentive arrangements and False Claims Act actions tied to unsupported diagnoses.

And then there is data privacy and security. Cybersecurity risk, ransomware and third-party vendor risk are all going to stay high on the horizon for 2026.

More and more physicians joining VBC arrangements. Where do those deals create the most fraud and abuse risk, and what can organizations build in from the start to stay out of trouble?

The biggest compliance risks in value-based arrangements include risk adjustment, quality reporting, patient attribution and incentive payments. It is critical for providers to avoid vague contractual definitions.

When you look at those arrangements, you need clarity around what counts as a covered service, what counts as a quality event, and what counts as an attributed patient. Do your due diligence before entering into or renewing any value-based arrangement.

It is important to understand the payment model, the incentive model and the quality measures. Those need to be defined in advance, not after the fact, and they should be objective and evidence-based. You also need to understand your financial risk, including your upside and downside, and make sure that is clearly stated.

Practices also need timely access to claims and performance data, and they need to be able to independently review the benchmarks and targets being used. Coming from an internal audit and compliance background, I always say: make sure you can audit it. Also ensure there are no restrictions on patient freedom of choice and no steering away from high-risk or complex patients.

Finally, any arrangement should be thoroughly vetted by legal and compliance experts. You really need to ask yourself whether the arrangement could withstand an audit or regulatory review.

When a practice or physician group is negotiating one of those agreements, what are the biggest compliance red flags you look for? And what changes can reduce risk without blowing up the deal?

A lot of the risk-reducing fixes do not blow up the deal. Clarifying definitions is one. It is okay to ask questions. Adding payment guardrails is another. And now, of course, we are all going to be talking about artificial intelligence (AI) for a long time, so requiring data transparency is critical too.

Practices need to understand the data and dig into it. You have to know how the deal is structured, and that is part of due diligence. Most deals do not need to be scrapped. They just need to be properly vetted.

You also need to ask how you will monitor compliant execution of the agreement. Do you have the people and processes to do that? It is not one and done. You need to stay on top of the arrangement after the transaction or execution.

There is also False Claims Act risk if inaccurate data is knowingly submitted. Data errors are now treated as compliance failures, not technical mistakes. While CMS and the OIG have created VBC exceptions and safe harbors, they are highly technical and easy to miss. I am not trying to scare anyone away from these arrangements, but it is critical to know what you are getting into. Stark law remains strict liability, and in my experience many deals look great on paper but fail on execution.

Telehealth fraud remains a priority. What patterns are drawing attention now, and what can practices that rely heavily on telehealth do to reduce their risk?

In the telehealth world, risks that need to be mitigated include controls to ensure adequate patient evaluation and medical necessity. That is no different from the in-person setting. But some of the concerning patterns being monitored include brief or highly scripted encounters, no access to medical history, and reliance solely on questionnaires.

The OIG’s telehealth analytics are getting more robust. They have flagged high-volume billing for services, improbable utilization patterns, duplicate claims, and incorrect coding tied to place of service and time-based billing.

Remote prescribing is another risk area. Providers need to closely follow Drug Enforcement Administration and state rules. From a Health Insurance Portability and Accountability Act perspective, risks include using platforms without a business associate agreement. I cannot stress that enough. You need to know who has access to your information and make sure you have the right agreement in place to protect protected health information.

There are also issues around recording sessions without patient authorization, notices of privacy practices, and breach notification rules. Telehealth is a great tool, and many organizations use it for the right reasons. But there are also bad actors using it for the wrong reasons. That is why it is going to remain an area of strong focus.

You mentioned the growing role of analytics. How has that changed the kinds of cases you are seeing, and what should organizations be doing now around documentation, coding and internal monitoring?

Before the increase in analytics, claims might have been reviewed on a sample basis and then extrapolated. Now the full population of claims can be analyzed.

Practices should be doing the same and investing in the appropriate technology to monitor their own operations. But regardless of the method regulators are using, the basic principles of good internal controls remain the same.

Documentation integrity is essential. Make sure the clinical story matches the code. Conduct internal monitoring and build your own dashboards to track top outlier metrics. That could include evaluation and management distributions, modifier rates, use of high-cost codes, services, procedures and supplies, denials and refunds.

Then conduct targeted audits. Focus on the 20% that is generating 80% of the risk. There is a lot to think about, but the key is to be proactive.

What are the must-haves versus the nice-to-haves for an effective compliance program in 2026?

This is a great question. The OIG recently updated its General Compliance Program Guidance, and it acknowledges that one size does not fit all. That was good to hear. But it also lays out some must-haves, regardless of size, and smaller physician practices clearly fall into that category.

The must-haves include a designated compliance lead. It does not have to be a full-time compliance officer, but it does need to be someone who is taking charge of the program and who has access to leadership. The OIG also says that person should not be directly involved in coding and billing because they should not be auditing their own work.

Other must-haves include written policies and procedures that actually match the workflow, role-specific training, a mechanism to report concerns, and some basic auditing and monitoring. You do not have to boil the ocean. Focus on the top risks. And finally, you need a good corrective action roadmap. If you identify something, you need controls and action plans to mitigate that risk going forward.

On the nice-to-have side, I would put a third-party compliance assessment there, although as a consultant I would love to call it a must-have. We are doing more of these even for smaller entities. It does not need to happen every year, but every three to five years, or when there is a major change, can be very useful.

Advanced analytic tools might still be a nice-to-have for some practices today, but I would say they are moving toward must-have status pretty quickly. They can also become a competitive advantage. And above all, you have to show consistency. It has to be more than a paper program.

If a practice conducts an audit and finds a potential compliance problem, what should they do first? How do you decide when self-disclosure is necessary vs. when an internal corrective plan is sufficient?

We get that question a lot. The first priority is to contain the issue. Pause the process, hold bills and locate documentation.

You really need to have a plan before you are in the middle of a crisis. That could be part of a policy or procedure for how you respond to an investigation or what you do if an internal review identifies an error.

After containing the issue, seek the advice of counsel, ideally someone well versed in fraud, waste and abuse, anti-kickback, Stark compliance and HIPAA. Counsel has different areas of expertise, just like consultants do.

You may also want to engage a compliance consultant under attorney-client privilege to help do a deeper dive. There could be a repayment issue. There should definitely be a corrective action plan. Then, with good counsel, you can determine whether self-disclosure is appropriate or whether a corrective action plan is sufficient.

As you look at telehealth, VBC and new digital tools, where do you expect the next wave of enforcement to land?

We have already touched on it, but AI is going to be a major area. AI-enabled documentation and coding tools will come under heavy scrutiny.

If you are already using those tools, create some type of AI governance committee. It could be three people. The point is to inventory the tools and evaluate the risk. There are many tools available to assess risk, and my recommendation would be to conduct an internal risk assessment of how AI affects clinical decision-making, patient privacy, security and billing risk.

Another major area is third-party risk. Who are you working with? Are you doing due diligence on those vendors and third parties? What access do they have to your information? Those contracts, including business associate agreements, matter a lot. Are they really protecting your information? Have they undergone an appropriate level of security assessment for the work they are doing to support your practice? Those are the questions practices need to be asking now.

CMS recently announced its new fraud crackdown initiative: CRUSH. Is there anything physicians should know about that broader push?

The times have changed. The emphasis used to be on the large entities, the big health systems and the insurance providers. Now individuals are also being targeted. If your readers search for health care fraud in the practice setting, they will see that regulators are going after individual providers and individual physicians.

The larger point is that health care fraud enforcement is not going away. Last year was probably the largest year in terms of health care fraud recoveries, at more than $6 billion. These are easy targets because of the growing use of data analytics.

CMS even held what it called a “chili cook-off” contest to solicit vendors that could help improve data analytic tools and identify what types of fraud should be targeted. That tells you where things are headed. There is going to be more and more emphasis on identifying fraud and abuse.

The government has now given clear notice that providers are expected to have strong compliance programs in place to identify and mitigate risk and protect federal health care dollars. Last week’s announcement was another sign that this focus is only going to continue.

Anything else physicians and practice leaders should keep in mind?

The best compliance programs are really operational partners. Practices need to move from reactive compliance to proactive compliance.

The OIG has made it clear that the absence of an effective compliance program is an aggravating factor in enforcement actions, even for small practices. Prevention really is the best medicine.