The war on health care fraud: A conversation with Shannon Sumner, CPA, CHC

Fraud enforcement in health care is no longer a matter of auditors pulling random samples. The government is now analyzing entire claims populations, running pattern recognition across practice data and flagging outliers before a complaint is ever filed. For physician practices, that shift changes the calculus on compliance — and the margin for error is shrinking.

Shannon Sumner, CPA, CHC, managing principal of PYA's Nashville office and the firm's chief compliance officer, has spent more than 30 years in health care internal auditing and regulatory compliance.

Medical Economics sat down with Sumner to go through where enforcement is heading in 2026, what value-based care arrangements are getting wrong and what a functional compliance program actually looks like for a practice that doesn't have a dedicated legal team.

"In 2026, physician practices will face greater scrutiny and less margin for error," she said.

What's driving enforcement

The biggest structural change, according to Sumner, is the move to full-population analytics.

Before this shift, investigators might review a sample of claims and extrapolate findings. Now the entire claims history of a practice can be analyzed and benchmarked against peers. Practices get flagged not because someone reported them, but because their data looks different from everyone else's.

The CMS CRUSH initiative — Comprehensive Regulations to Uncover Suspicious Healthcare — is the latest signal of where things are headed. CMS even held a "chili cook-off" competition to solicit vendors capable of improving fraud detection analytics. "That tells you where things are headed," she said.

The priority areas she sees consistently on enforcement radar: evaluation and management level selection and medical necessity, modifier misuse, incident-to billing, split and shared visits, telehealth documentation, Medicare Advantage risk adjustment and quality reporting integrity. Data privacy and cybersecurity round out the list.

Value-based care and the compliance gap

As more physicians enter value-based care arrangements, Sumner said, many are signing contracts without fully understanding what they're agreeing to — or how those agreements will be audited. The compliance risks concentrate around risk adjustment, quality reporting, patient attribution and incentive payments. Vague contractual language is often where problems begin.

Her advice is to nail down definitions before signing: what counts as a covered service, what counts as a quality event, what counts as an attributed patient. Practices also need independent access to claims and performance data so they can verify the benchmarks being used against them. "Make sure you can audit it," she said. Stark law, she reminded, is strict liability — and in her experience, many deals that look clean on paper fail at the execution stage.

Most compliance problems in these arrangements, she noted, don't require walking away from the deal. "Most deals do not need to be scrapped. They just need to be properly vetted."

Telehealth and AI on the horizon

Telehealth remains a high-priority enforcement area. The OIG's analytics have grown more sophisticated, and the patterns drawing scrutiny include brief or scripted encounters, reliance on questionnaires alone, improbable utilization rates and place-of-service coding errors. Remote prescribing and HIPAA compliance — particularly the use of platforms without a business associate agreement — are also on the list.

Artificial intelligence (AI) is next. AI-enabled documentation and coding tools will face heavy regulatory scrutiny as adoption grows, Sumner said. Her recommendation for practices already using these tools is to form an AI governance committee — even a small one — to inventory what's in use, assess the risk and document the oversight process.

Building a compliance program that works

The OIG recently updated its General Compliance Program Guidance, acknowledging that compliance programs don't need to be identical across organizations. But Sumner was clear about what the must-haves are, regardless of practice size: a designated compliance lead with access to leadership who is not directly involved in coding or billing, written policies and procedures that match actual workflows, role-specific training, a mechanism for reporting concerns, basic auditing and monitoring focused on the highest-risk areas, and a corrective action roadmap.

When an internal audit surfaces a problem, she said, the first move is containment — pause the process, hold bills, locate documentation — and then get counsel involved quickly, ideally someone versed in fraud, waste and abuse, anti-kickback, the Stark Law and the Health Insurance Portability and Accountability Act. Self-disclosure may or may not be warranted depending on what's found, but that determination should be made with legal guidance, not on the fly.

Her closing point was as much about posture as process. The OIG has made it explicit: The absence of an effective compliance program is an aggravating factor in enforcement actions. "Prevention really is the best medicine," Sumner said.