AuditGuard — Medical Billing Compliance
CMS Data: MUE Q4-2024 · NCCI 302 pairs · PUF 2022 benchmarks · Free · No Login · Browser-Only
Medical Billing Compliance Screening

Know your risk before the auditors do.

Real CMS data: 820-code MUE table, 302 NCCI pairs, PUF-derived p75/p90 benchmarks, OIG Work Plan FY2024–2025, 813 global periods, 29 LCD pairs, 30-code denial rates, RAC contractor focus areas, specialty-specific compliance checklists, and a 12-month compliance calendar. All in your browser — free, private, instant.

Single Code Risk Check
Type a CPT code — the description auto-fills via the NIH Clinical Tables API and the code is validated before scoring. Per-provider volumes are normalised for accurate outlier detection. Daily plausibility (working-day feasibility) is checked automatically.
Per-provider volume = total ÷ providers. This is what CMS uses for outlier detection.
Used to check LCD medical necessity pairing. Enter the primary ICD-10 code supporting this CPT.
Optional: Upload prior-period billing CSV for trend analysis. Paste or upload a CSV with columns: month,cpt_code,total_claims — the tool will detect year-over-year volume spikes, which are a primary CMS audit trigger.
Full Practice Profile Audit
Steps: 01 Practice Profile · 02 Billing Codes · 03 Billing Patterns · 04 Risk Factors · 05 Review & Run
About Your Practice
Used to normalise volumes per provider — critical for accurate outlier detection.
MD / DO
NP
PA
LCSW / Therapist
Resident / Fellow
Rural, HPSA, and FQHC practices have legitimately different billing norms that affect scoring.
MACs publish jurisdiction-specific LCDs. Results apply national rules only.
CPT Codes & Monthly Volumes
CPT codes auto-validate via the NIH Clinical Tables API. Type a code — the description fills automatically. NCCI conflicts and MUE daily limits are checked in real time. Global surgical period conflicts are flagged if E&M codes are entered alongside procedure codes. Total monthly claims are divided by provider count automatically.
Global Surgical Period Alert: Your code list includes both a procedure code with an active global period and E&M codes. Billing E&M during the global period without modifier -24 (unrelated E&M) is auto-denied by CMS. Verify modifier -24 is applied to any post-operative E&M.
CPT Code | Description (auto-fills) | Monthly # | Modifier | Setting (POS)
E&M Distribution & Care Delivery
Distribution is compared against 2021 AMA-adjusted payer-adjusted specialty benchmarks — Level 4 national share increased ~5–8 points after the 2021 E&M guideline change. New patient and established patient distributions are scored separately. Total must sum to 100%.
High new-patient ratios combined with high E&M levels are a primary OIG trigger.
Time-based and MDM-based have different documentation requirements under 2021 AMA guidelines.
-25 (E&M + procedure same day)
-59 (Distinct procedure)
-51 (Multiple procedures)
-50 (Bilateral procedure)
-24 (E&M during global period)
-GT / -95 (Telehealth)
-TC / -26 (Technical/Professional)
Lab (in-office)
EKG / cardiac monitoring
Imaging
Infusion / injection
DME / supplies
Wound care
High claim-per-patient ratios can be appropriate (dialysis) or a red flag depending on the service.
Compliance History & Risk Factors
Honest answers produce the most useful results. Nothing you enter leaves your browser. Each domain is capped — selecting many chips does not inflate the score proportionally. Severity is weighted, not just counted.
Note cloning is the most common documentation audit failure — identical notes across multiple dates of service.
High % of Level 4–5 E&M (per sliders above)
Frequent modifier -25 with same-day procedures
High same-day E&M + procedure billing
Routine waiving of patient cost-sharing
Unbundling procedures (billing components separately)
Referrals to physician-owned lab / DME
Billing for services not rendered (occasionally)
Signing off on others’ notes without personal review
CCM / TCM / RPM billing without supporting infrastructure
Home health orders without face-to-face documentation
Bilateral procedures billed as two full-rate claims
Add-on codes billed without required primary code
New EHR implemented
New billing staff or company
New provider(s) joined
Significant revenue increase (>20% YoY)
New service line added
Medicare / Medicaid contract changes
Review & Run
Domain-capped scoring (no single domain dominates), per-provider volume normalisation, 2021-adjusted E&M benchmarks, separated new vs. established distributions, live NCCI pair detection, MUE daily-plausibility, global period conflict detection, POS mismatch flagging, and geographic setting adjustment.
CPT Codes to Be Audited
Medical Billing Compliance Audit: How to Identify and Fix Billing Risk Before CMS Does (2025 Guide)

A complete 2025 guide covering E&M benchmarks, NCCI pairs, MUE edits, OIG Work Plan priorities, global surgical periods, and the documentation gaps that turn clean claims into costly audits.

Updated: June 2025 · ~18 min read · OIG FY 2024–2025 Data · CMS PUF 2022 Benchmarks

Every year, the HHS Office of Inspector General recovers billions of dollars in Medicare and Medicaid overpayments — and the majority come not from intentional fraud, but from preventable billing errors that practices never knew they were making.

The gap between “we billed it correctly” and “we can prove we billed it correctly to a MAC auditor” is exactly where most practices lose money. This guide closes that gap. It draws on the same data sources that CMS, RAC contractors, and OIG auditors use — and explains, in plain language, how to apply them to your own billing before someone else does.

About the data in this guide. All benchmarks reference CMS Medicare PUF 2022 (the most recent public release), CMS NCCI Q4 2024, CMS MUE Q4 2024, OIG Work Plan FY 2024–2025, and CMS MPFS global period data. Where possible, direct links to primary sources are provided.

1. What Actually Triggers a CMS Billing Audit in 2025

The single most important thing to understand about CMS audit selection is that it is almost entirely statistical and automated. No human being at CMS is reviewing your individual claims looking for problems. Instead, MAC contractors run your billing data through algorithms that compare your utilization patterns against a peer group of providers with the same specialty, geography, and patient population.

p75/p90: E&M utilization percentiles that trigger prepayment review (CMS MAC policy, 2024)
230K+: NCCI code pairs in the current CMS quarterly table (CMS NCCI, Q4 2024)
31%: CCM error rate found in prior OIG audit review (OIG Work Plan, 2024)

The most common audit triggers in 2025 fall into five categories:

The five primary CMS audit triggers

  • E&M outlier billing. Your Level 4 or Level 5 E&M rate exceeds the 75th or 90th percentile for your specialty. This is the single most common trigger for MAC prepayment reviews.
  • NCCI edit violations. Automated claim edits reject code combinations where one service is considered a component of another. These generate CO-97 or CO-4 denial reason codes.
  • MUE exceedances. Billing more units of a code than CMS considers medically plausible per day. These are auto-denied at the MAC system level before a human ever sees the claim.
  • OIG Work Plan codes. Codes specifically flagged by the OIG Work Plan receive heightened documentation scrutiny. Being on this list does not mean you are being audited — but it does mean your documentation is more likely to be reviewed.
  • Year-over-year volume spikes. A sudden increase in billing volume — particularly for high-value codes — is a statistical anomaly that CMS systems flag for review.
Key misconception: Many practices believe that if their documentation is good, they cannot be audited. This is not accurate. Audit selection is triggered by statistical patterns, not by documentation quality. Good documentation is your defense after you have been selected — it does not prevent selection.

2. E&M Coding Benchmarks: What the CMS PUF Data Really Shows

The CMS Medicare Provider Utilization and Payment Data (PUF) is a publicly available dataset that contains service-level billing information for every Medicare provider in the country. It is also the primary dataset that MAC contractors use to identify E&M outliers.

Understanding where your practice falls in the PUF distribution is not optional if you are billing Medicare. It is basic compliance hygiene.

How the 2021 AMA guideline change shifted the benchmarks

The January 2021 AMA E&M guideline revisions significantly changed national billing distributions. Under the old 1995/1997 guidelines, coding was heavily based on bullet-point documentation of history and physical examination elements. Under the 2021 guidelines, a physician can support a Level 4 or Level 5 E&M using either Medical Decision-Making (MDM) or total time — with no bullet-point counting required.

The practical effect: Level 4 (99214) utilization increased by approximately 5–8 percentage points across most specialties in 2021–2022, and Level 5 (99215) increased by 3–5 points. Any benchmarking that uses pre-2021 data is out of date. The PUF benchmarks reflected in this guide and in AuditGuard are adjusted for this shift.

CMS PUF 2022 Established Patient E&M Distribution Benchmarks by Specialty
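| Specialty | L3 Avg % | L4 Avg % | L5 Avg % | L5 p75 threshold | L5 p90 threshold |
|---|---|---|---|---|---|
| Internal Medicine | 29% | 46% | 18% | 24% | 32% |
| Family Practice | 37% | 41% | 13% | 18% | 26% |
| Cardiology | 21% | 48% | 27% | 34% | 44% |
| Psychiatry | 25% | 49% | 21% | 28% | 37% |
| Pain Management | 17% | 51% | 28% | 36% | 46% |
| Oncology | 15% | 44% | 38% | 46% | 55% |
| Emergency Medicine | 15% | 43% | 39% | 47% | 56% |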

Source: CMS Medicare PUF 2022 specialty utilization analysis. Thresholds represent estimated 75th and 90th percentile positions. For established patients only; new patient distributions are assessed separately.

Practical rule of thumb: If your established patient Level 5 rate exceeds your specialty’s p75 threshold, schedule an internal documentation audit. If it exceeds the p90 threshold, treat this as a compliance priority and consider engaging a certified coder (AAPC CPC or AHIMA CCS) for an outside review.

3. NCCI Edits Explained: The 302 Pairs Most Practices Get Wrong

The National Correct Coding Initiative (NCCI) is a set of coding rules published quarterly by CMS that defines which CPT code combinations cannot be billed together. The full table — available at the CMS NCCI website — contains over 230,000 column 1/column 2 pairs.

When a claim includes a prohibited code pair, the MAC’s automated system denies the lower-value code. The denial reason code is typically CO-97 (bundled service) or CO-4 (service included in another). These are detected automatically and do not require human review — meaning there is no opportunity to explain before the denial occurs.

Hard conflicts vs. modifier-applicable conflicts

NCCI edits come in two types, and understanding the difference matters enormously for billing strategy:

  • Modifier indicator 0 (hard edit): No modifier can override this conflict. The two codes literally cannot be billed together under any circumstances. Example: billing 93000 (ECG complete) with 93005 (ECG tracing only) on the same date — 93005 is a component of 93000, full stop.
  • Modifier indicator 1 (modifier-applicable): Modifier -59 or an X-modifier (XE, XS, XP, XU) may allow separate billing when the services were genuinely distinct — different anatomical site, separate session, or different procedure entirely. The modifier does not bypass the edit automatically; it signals to the MAC that separate documentation supporting the distinct nature of the service exists.
High-Priority NCCI Conflicts by Specialty
| Code Pair | Specialty | Conflict Type | Why It Occurs |
|---|---|---|---|
| 45378 + 45385 | Gastroenterology | Hard | Diagnostic colonoscopy is bundled into therapeutic colonoscopy |
| 93000 + 93005 | Cardiology | Hard | Complete ECG includes the tracing component |
| 52000 + 52204 | Urology | Modifier | Diagnostic cystoscopy is included in therapeutic cystoscopy |
| 99490 + 99491 | Primary Care | Hard | CCM codes — cannot bill two management codes same month |
| 43235 + 43239 | Gastroenterology | Modifier | Diagnostic upper GI is bundled into upper GI with biopsy |
| 36415 + 36416 | All | Hard | Cannot bill venipuncture and capillary draw same date |
| 17000 + 17004 | Dermatology | Hard | 17004 replaces 17000+17003 for 15+ lesion destruction |
| 90832 + 90837 | Psychiatry | Hard | Cannot bill two psychotherapy time codes same session |
Modifier -59 abuse is itself an audit target. CMS and the OIG have both published warnings about practices that use modifier -59 as a blanket “unbundling modifier” without corresponding documentation that the services were genuinely distinct. Using -59 without supporting documentation is considered a false claim.
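
The hard versus modifier-applicable distinction can be screened mechanically before claims go out. The following is an added example, not AuditGuard's code or anything published by CMS: it checks claim lines against the eight pairs in the table above. The field names (`patientRef`, `dos`, `cpt`, `modifier`) and the sample lines are constructed, and a distinct-service modifier is accepted on either line of a pair because the table does not say which code is column 2.

```javascript
// Added example. Pair list, conflict types and the same-month scope for the
// CCM pair are copied from the "High-Priority NCCI Conflicts" table above.
const NCCI_PAIRS = [
  { codes: ["45378", "45385"], type: "hard", scope: "day" },
  { codes: ["93000", "93005"], type: "hard", scope: "day" },
  { codes: ["52000", "52204"], type: "modifier", scope: "day" },
  { codes: ["99490", "99491"], type: "hard", scope: "month" },
  { codes: ["43235", "43239"], type: "modifier", scope: "day" },
  { codes: ["36415", "36416"], type: "hard", scope: "day" },
  { codes: ["17000", "17004"], type: "hard", scope: "day" },
  { codes: ["90832", "90837"], type: "hard", scope: "day" },
];
const DISTINCT_MODIFIERS = new Set(["59", "XE", "XS", "XP", "XU"]);

// Order-independent key so (a, b) and (b, a) hit the same table entry.
const pairKey = (a, b) => [a, b].sort().join("+");
const PAIR_INDEX = new Map(NCCI_PAIRS.map((p) => [pairKey(...p.codes), p]));

// "-59", "59" and "xs" all normalise to the bare upper-case modifier.
const normMod = (m) => String(m || "").trim().replace(/^-/, "").toUpperCase();

function findNcciConflicts(lines) {
  // Group by patient reference; edits only apply within one beneficiary.
  const byPatient = new Map();
  for (const l of lines) {
    if (!byPatient.has(l.patientRef)) byPatient.set(l.patientRef, []);
    byPatient.get(l.patientRef).push(l);
  }
  const findings = [];
  for (const [patientRef, pl] of byPatient) {
    for (let i = 0; i < pl.length; i++) {
      for (let j = i + 1; j < pl.length; j++) {
        const a = pl[i], b = pl[j];
        const pair = PAIR_INDEX.get(pairKey(a.cpt, b.cpt));
        if (!pair) continue;
        // Compare YYYY-MM for month-scoped pairs, YYYY-MM-DD otherwise.
        const width = pair.scope === "month" ? 7 : 10;
        if (a.dos.slice(0, width) !== b.dos.slice(0, width)) continue;
        const hasModifier = [a, b].some((l) => DISTINCT_MODIFIERS.has(normMod(l.modifier)));
        let status;
        if (pair.type === "hard") status = "HARD_EDIT"; // no modifier overrides it
        else status = hasModifier ? "MODIFIER_PRESENT_REVIEW_DOCS" : "MODIFIER_MISSING";
        findings.push({
          patientRef,
          codes: pairKey(a.cpt, b.cpt),
          status,
          // A -59 on a hard edit changes nothing and is itself a pattern to review.
          modifierIneffective: pair.type === "hard" && hasModifier,
        });
      }
    }
  }
  return findings;
}

// Constructed sample lines with opaque patient references (no PHI).
const NCCI_SAMPLE_LINES = [
  { patientRef: "P1", dos: "2025-03-04", cpt: "45378", modifier: "-59" },
  { patientRef: "P1", dos: "2025-03-04", cpt: "45385", modifier: "" },
  { patientRef: "P2", dos: "2025-03-05", cpt: "52000", modifier: "XS" },
  { patientRef: "P2", dos: "2025-03-05", cpt: "52204", modifier: "" },
  { patientRef: "P3", dos: "2025-03-06", cpt: "43235", modifier: "" },
  { patientRef: "P3", dos: "2025-03-06", cpt: "43239", modifier: "" },
  { patientRef: "P4", dos: "2025-03-03", cpt: "99490", modifier: "" },
  { patientRef: "P4", dos: "2025-03-20", cpt: "99491", modifier: "" },
  { patientRef: "P5", dos: "2025-03-07", cpt: "93000", modifier: "" },
  { patientRef: "P5", dos: "2025-03-08", cpt: "93005", modifier: "" }, // different day
  { patientRef: "P6", dos: "2025-03-07", cpt: "36415", modifier: "" },
  { patientRef: "P7", dos: "2025-03-07", cpt: "36416", modifier: "" }, // different patient
];

console.log(findNcciConflicts(NCCI_SAMPLE_LINES));
```

A `MODIFIER_PRESENT_REVIEW_DOCS` result is not a pass: it marks the claims whose notes must show that the services were genuinely distinct.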

4. Medically Unlikely Edits (MUE): Daily Unit Limits That Auto-Deny Claims

A Medically Unlikely Edit (MUE) is a per-code, per-day, per-beneficiary unit limit published by CMS. These edits represent the maximum number of units of a given service that CMS considers medically plausible for a single patient on a single date of service.

The MUE table is updated quarterly alongside the NCCI tables and currently covers approximately 10,000 procedure codes. Claims that exceed an MUE are automatically denied at the MAC processing level — no human review occurs.

How to check for MUE compliance

The calculation is straightforward: divide your total monthly volume for a code by the number of providers billing it, then divide that per-provider monthly figure by 22 (approximate working days per month). If the resulting daily estimate exceeds the CMS MUE for that code, you have an MUE exposure.

Example: A single-provider internal medicine practice bills 40 units of 97110 (therapeutic exercise) per month. The CMS MUE for 97110 is 4 units/day. Dividing 40 ÷ 22 = 1.8 units/day — well within the MUE. But if the same practice bills 120 units/month, that is 5.5 units/day, which exceeds the 4-unit MUE and would generate automatic denials on days where more than 4 units are claimed.

High-risk MUE codes by category

  • Therapy codes (97110, 97530): MUE of 4 units/day. The 8-minute billing rule also applies — each 15-minute unit requires at least 8 minutes of direct patient care.
  • Chemotherapy add-ons (96415): MUE of 7 units/day. Exceeding this requires extraordinary documentation of why extended infusion time was medically necessary.
  • Allergy testing (95004): MUE of 70 tests/day. The medical record must document the exact number of tests performed — the MUE sets a ceiling, not a standard.
  • Critical care add-on (99292): MUE of 4 units/day. Each additional 30-minute critical care block beyond the first must have individually documented time and medical necessity.
  • Joint injections (20600, 20605, 20610): MUE of 3 units/day. Bilateral joint injections are commonly billed incorrectly as two full-rate unilateral claims rather than one bilateral claim with modifier -50.
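
The monthly estimate described above is an average, while the MUE itself applies per beneficiary per date of service, so a practice can pass the estimate and still have individual days that are denied. The following added example (not AuditGuard's code) runs both checks using only the MUE values quoted in the list above; the field names and sample lines are constructed.

```javascript
// Added example. Limits are the per-day MUE values quoted in the list above;
// a code that is not in this map is reported as having no limit on file.
const MUE_PER_DAY = new Map([
  ["97110", 4], ["97530", 4], ["96415", 7], ["95004", 70],
  ["99292", 4], ["20600", 3], ["20605", 3], ["20610", 3],
]);
const WORKING_DAYS_PER_MONTH = 22;

// Screening estimate from the text: monthly units / providers / 22 working days.
function screenMonthlyVolume(cpt, monthlyUnits, providers = 1) {
  if (!(providers > 0) || !(monthlyUnits >= 0)) {
    throw new RangeError("providers must be > 0 and monthlyUnits >= 0");
  }
  const limit = MUE_PER_DAY.get(cpt);
  if (limit === undefined) return { cpt, status: "NO_MUE_ON_FILE" };
  const daily = monthlyUnits / providers / WORKING_DAYS_PER_MONTH;
  return {
    cpt,
    limit,
    estimatedDailyUnits: Math.round(daily * 10) / 10,
    status: daily > limit ? "EXPOSURE" : "WITHIN_LIMIT",
  };
}

// Line-level check matching the MUE definition: units are summed per
// beneficiary, per date of service, per code, then compared to the limit.
function findMueExceedances(lines) {
  const totals = new Map();
  for (const { patientRef, dos, cpt, units } of lines) {
    if (!MUE_PER_DAY.has(cpt)) continue;
    const key = `${patientRef}|${dos}|${cpt}`;
    totals.set(key, (totals.get(key) || 0) + units);
  }
  const exceedances = [];
  for (const [key, units] of totals) {
    const [patientRef, dos, cpt] = key.split("|");
    const limit = MUE_PER_DAY.get(cpt);
    if (units > limit) exceedances.push({ patientRef, dos, cpt, units, limit });
  }
  return exceedances;
}

// Constructed sample lines: P1 has 97110 split across two lines on one day.
const MUE_SAMPLE_LINES = [
  { patientRef: "P1", dos: "2025-03-03", cpt: "97110", units: 2 },
  { patientRef: "P1", dos: "2025-03-03", cpt: "97110", units: 3 },
  { patientRef: "P2", dos: "2025-03-03", cpt: "97110", units: 4 },
  { patientRef: "P3", dos: "2025-03-04", cpt: "20610", units: 2 },
  { patientRef: "P3", dos: "2025-03-04", cpt: "99213", units: 1 }, // no MUE in map
];

console.log(screenMonthlyVolume("97110", 40));  // the worked example from the text
console.log(screenMonthlyVolume("97110", 120));
console.log(findMueExceedances(MUE_SAMPLE_LINES));
```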

5. OIG Work Plan 2024–2025: The 40 Codes Under Active Surveillance

The OIG Work Plan is a publicly available document that identifies healthcare billing areas the OIG has prioritized for audits, evaluations, and inspections. It is updated throughout the fiscal year as new targets are added. Being on the Work Plan does not mean you are being audited — but it does mean your claims in these categories will receive heightened scrutiny from MACs and RAC contractors, and that documentation quality in these categories will be more closely reviewed.

Top OIG Work Plan targets for FY 2024–2025

OIG Work Plan FY 2024-2025 Top Audit Targets
| CPT Code(s) | Service | OIG Concern | Risk Level |
|---|---|---|---|
| 99490, 99491 | Chronic Care Management | Time logs, consent, care plan documentation — 31% error rate in prior CMS review | Critical |
| 99453, 99454, 99457 | Remote Physiologic Monitoring | FDA-cleared device documentation, 16-day data requirement, 20-min communication logs | Critical |
| 62321, 62323, 64483 | Spinal Injections | Conservative treatment failure documentation, imaging evidence | Critical |
| 99215, 99205 | High-Level E&M | MDM documentation does not support complexity level billed | High |
| 90833 | Psychotherapy Add-On | Separate psychotherapy documentation not distinct from E&M note | High |
| 99495, 99496 | Transitional Care Management | Contact within 2 days and face-to-face timing requirements | Elevated |
| 67028 | Intravitreal Injection | Anti-VEGF billing volumes and disease activity documentation | Elevated |
| G2012 | Virtual Check-In | Patient-initiation requirement not documented | Elevated |

The Chronic Care Management codes deserve special attention. In a prior CMS review, 31% of CCM claims contained errors — primarily missing time logs, absent patient consent, or care plans that did not meet the comprehensive requirements. Given that CCM is a high-volume code in primary care and internal medicine, this error rate represents a significant, systemic exposure for many practices.

6. Global Surgical Periods: The 90-Day Trap That Generates Automatic Denials

The global surgical period concept is one of the most commonly misunderstood — and most frequently violated — rules in Medicare billing. When a surgeon performs a procedure, the Medicare payment for that procedure includes a bundle of pre-operative, intra-operative, and post-operative services for a defined period: 0 days, 10 days, or 90 days depending on the procedure.

Billing a separate E&M during this global period — without the correct modifier — results in an automatic denial. CMS systems compare the date of service on the E&M claim to the procedure date using the CMS Medicare Physician Fee Schedule (MPFS) global period database, which covers 813 procedure codes.

The modifier -24 exception

A separate E&M during the global period is billable only when modifier -24 is appended and the note explicitly documents that the visit addressed a condition unrelated to the procedure. “Post-operative check” is not sufficient — the note must explain what unrelated condition was assessed and why it required a separate, identifiable E&M service.

Common global period violations by specialty

  • Orthopedic surgery: Billing office visits within 90 days of total knee (27447) or hip (27130) replacement without modifier -24.
  • Ophthalmology: Post-operative cataract (66984) or YAG (66821) visits without modifier -24 during the 90-day global.
  • Urology: Post-TURP (52601) visits billed without modifier -24 within 90 days.
  • Gastroenterology: Most endoscopy codes (45378–45398, 43235–43278) have 0-day global periods — but related same-day E&M is still subject to NCCI bundling rules.
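
The date comparison behind these denials is simple to reproduce. The following added example (not AuditGuard's code or the MPFS database) flags E&M lines that fall inside a procedure's global period, using only the global periods stated in the list above. It assumes the window is days 1 through N after the procedure date, that all lines come from the same practice, and that same-day E&M is handled separately under the bundling rules; field names and sample lines are constructed.

```javascript
// Added example. Global periods (in days) as stated in the list above.
const GLOBAL_DAYS = new Map([
  ["27447", 90], ["27130", 90], ["66984", 90], ["66821", 90], ["52601", 90],
  ["45378", 0], // 0-day global: no post-operative window to check
]);
const EM_CODES = new Set([
  "99202", "99203", "99204", "99205",
  "99211", "99212", "99213", "99214", "99215",
]);

const normMod = (m) => String(m || "").trim().replace(/^-/, "").toUpperCase();

// Whole days from ISO date a to ISO date b, computed in UTC to avoid DST drift.
function daysBetween(a, b) {
  const ms = Date.parse(b + "T00:00:00Z") - Date.parse(a + "T00:00:00Z");
  return Math.round(ms / 86400000);
}

function findGlobalPeriodConflicts(lines) {
  const findings = [];
  const procedures = lines.filter((l) => (GLOBAL_DAYS.get(l.cpt) || 0) > 0);
  for (const em of lines.filter((l) => EM_CODES.has(l.cpt))) {
    for (const proc of procedures) {
      if (proc.patientRef !== em.patientRef) continue;
      const day = daysBetween(proc.dos, em.dos);
      const window = GLOBAL_DAYS.get(proc.cpt);
      if (day < 1 || day > window) continue; // assumption: days 1..N only
      const has24 = normMod(em.modifier) === "24";
      findings.push({
        patientRef: em.patientRef,
        emCode: em.cpt,
        emDate: em.dos,
        procedure: proc.cpt,
        postOpDay: day,
        // -24 only helps if the note documents an unrelated condition.
        status: has24 ? "REVIEW_NOTE_FOR_UNRELATED_CONDITION" : "DENIAL_EXPECTED",
      });
    }
  }
  return findings;
}

// Constructed sample lines with opaque patient references (no PHI).
const GLOBAL_SAMPLE_LINES = [
  { patientRef: "P1", dos: "2025-01-10", cpt: "27447", modifier: "" },
  { patientRef: "P1", dos: "2025-02-14", cpt: "99213", modifier: "" },    // day 35
  { patientRef: "P1", dos: "2025-03-01", cpt: "99214", modifier: "-24" }, // day 50
  { patientRef: "P1", dos: "2025-04-10", cpt: "99212", modifier: "" },    // day 90
  { patientRef: "P1", dos: "2025-04-20", cpt: "99213", modifier: "" },    // day 100
  { patientRef: "P2", dos: "2025-02-03", cpt: "45378", modifier: "" },
  { patientRef: "P2", dos: "2025-02-05", cpt: "99213", modifier: "" },    // 0-day global
];

console.log(findGlobalPeriodConflicts(GLOBAL_SAMPLE_LINES));
```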

7. Documentation Failures: The Real Reason Most Audited Claims Lose

Statistical outliers may trigger audits, but documentation failures determine outcomes. Of the practices that lose money in billing audits, the vast majority do not lose because their codes were wrong — they lose because their documentation cannot retrospectively support the code that was billed.

There are five documentation failure patterns that account for the majority of audit findings across all specialties:

1. Note cloning (copy-forward)

Modern EHR systems make it easy to copy yesterday’s note forward with one click. MAC auditors run statistical analysis to identify notes that are identical or near-identical across multiple dates of service. A cloned note that does not reflect the actual encounter is considered unsupported, regardless of how good the underlying care was. OIG has cited note cloning as the most prevalent documentation failure in E&M audits.

2. E&M level documentation mismatch

Under the 2021 AMA guidelines, every Level 4 or Level 5 E&M must independently support either high-complexity MDM or total time meeting the code threshold. MDM requires three-column analysis: problem complexity, data reviewed and ordered, and risk of complications. A note that describes a straightforward medication refill for a controlled chronic condition does not support 99215 regardless of total visit time.

3. Missing modifier -25 supporting documentation

Modifier -25 (separately identifiable E&M on the same day as a procedure) is the most audited modifier in Medicare. The note must document that the E&M addressed a problem distinct from the indication for the procedure. A joint injection note that only describes the injection indication and technique, with no separately identifiable E&M component, does not support a same-day 99213 or 99214.

4. Time documentation gaps

For time-based E&M codes, the total physician time must be stated in the note as a specific number — not a range, not “approximately,” and not the appointment duration. Additionally, for time-based billing to work under 2021 guidelines, the activities contributing to the total time (reviewing records, discussing care with other providers, documentation) must be described, not just face-to-face time.

5. CCM, RPM, and TCM infrastructure gaps

Chronic Care Management, Remote Physiologic Monitoring, and Transitional Care Management codes have highly specific documentation requirements that go beyond the clinical note. CCM requires a signed patient consent, a comprehensive care plan updated annually, a monthly time log, and evidence of 24/7 access. RPM requires a physician order for an FDA-cleared device and 16 days of data per billing period. TCM requires documented contact within 2 business days of discharge and a face-to-face within 7 or 14 days.

The “it’s in the chart somewhere” defense does not work. MAC auditors review the note for the specific date of service being audited. Information in prior notes, problem lists, or other sections of the chart does not generally support the specific-date documentation requirements for E&M coding.

8. How to Conduct a Medical Billing Compliance Self-Audit in 6 Steps

An internal billing compliance audit does not require an outside consultant or expensive software. What it requires is a structured process applied consistently. The following six-step framework is calibrated to match the methodology used by RAC contractors — which means practices that audit themselves using this approach are directly preparing for what an external audit would look like.

1. Pull your E&M distribution for the prior 12 months

Export all E&M claims by code level (99211–99215 established, 99202–99205 new patient). Calculate each level as a percentage of total E&M volume. Flag any level that is more than 8 percentage points above your specialty’s published PUF average. Use the CMS PUF data explorer to find your specialty’s benchmark.

2. Check NCCI pairs across your top 20 billed code combinations

For every pair of CPT codes you bill on the same date of service, check the CMS NCCI table. The full quarterly table is available at cms.gov/ncci. Identify which pairs are hard edits (no bypass) and which are modifier-applicable. Correct hard edits immediately; modifier-applicable pairs require documentation review.

3. Verify MUE compliance for high-volume procedure codes

For your top 10 procedure codes by volume, calculate estimated daily units per provider (monthly volume ÷ providers ÷ 22 working days). Compare against the CMS MUE table. The current MUE table is published quarterly alongside the NCCI updates.

4. Cross-reference your code list against the OIG Work Plan

Review the current OIG Work Plan and identify any codes in your billing mix that appear as active targets. Prioritize these for Step 5 documentation review.

5. Pull a random sample and score documentation

Pull 20 random claims per provider for your highest-volume and highest-risk codes. For each claim, review the note using the applicable documentation standard (2021 AMA MDM table for E&M, CPT guidelines for procedures, LCD requirements for specialty-specific codes). Score each note pass/fail. A pass rate below 90% is a finding that warrants a larger structured review.

6. Document findings and establish a corrective action plan

Create a written record of the audit findings — what was reviewed, what was found, and what corrective action was taken. This documentation is critical: under the OIG Compliance Program Guidance, a practice with a functioning compliance program that identifies and corrects issues is treated far more favorably than one that lacks this infrastructure. If findings are significant, consult a HCCA-member healthcare compliance attorney before taking any repayment action.
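
Step 1 and the p75/p90 rule of thumb from the E&M benchmark section can be combined into one check. The following is an added example, not AuditGuard's code: it uses the established-patient figures from the PUF 2022 table in this guide, applies the 8-point flag only to Levels 3 to 5 because those are the only averages the table gives, and uses constructed claim counts.

```javascript
// Added example. Benchmarks copied from the PUF 2022 established-patient
// table in this guide (all values are percentages).
const PUF_2022 = new Map([
  ["Internal Medicine",  { L3: 29, L4: 46, L5: 18, p75: 24, p90: 32 }],
  ["Family Practice",    { L3: 37, L4: 41, L5: 13, p75: 18, p90: 26 }],
  ["Cardiology",         { L3: 21, L4: 48, L5: 27, p75: 34, p90: 44 }],
  ["Psychiatry",         { L3: 25, L4: 49, L5: 21, p75: 28, p90: 37 }],
  ["Pain Management",    { L3: 17, L4: 51, L5: 28, p75: 36, p90: 46 }],
  ["Oncology",           { L3: 15, L4: 44, L5: 38, p75: 46, p90: 55 }],
  ["Emergency Medicine", { L3: 15, L4: 43, L5: 39, p75: 47, p90: 56 }],
]);
const ESTABLISHED_CODES = ["99211", "99212", "99213", "99214", "99215"];
const LEVEL_CODE = { L3: "99213", L4: "99214", L5: "99215" };
const ABOVE_AVERAGE_POINTS = 8; // Step 1 threshold

// counts: 12-month claim counts keyed by established-patient E&M code.
function scoreEstablishedEm(specialty, counts) {
  const bench = PUF_2022.get(specialty);
  if (!bench) throw new Error("no benchmark in this guide for: " + specialty);
  const total = ESTABLISHED_CODES.reduce((sum, c) => sum + (counts[c] || 0), 0);
  if (total === 0) throw new RangeError("no established-patient E&M volume");

  // Share of total established E&M volume, rounded to one decimal place.
  const share = {};
  for (const [level, code] of Object.entries(LEVEL_CODE)) {
    share[level] = Math.round(((counts[code] || 0) * 1000) / total) / 10;
  }
  // Step 1: any level more than 8 points above the specialty average.
  const aboveAverage = Object.keys(share)
    .filter((level) => share[level] - bench[level] > ABOVE_AVERAGE_POINTS);
  // Rule of thumb: Level 5 share against the p75 and p90 thresholds.
  let l5Tier = "WITHIN_P75";
  if (share.L5 > bench.p90) l5Tier = "ABOVE_P90";      // compliance priority
  else if (share.L5 > bench.p75) l5Tier = "ABOVE_P75"; // schedule internal audit
  return { specialty, total, share, aboveAverage, l5Tier };
}

// Constructed 12-month counts for three hypothetical practices.
const EM_SAMPLES = {
  familyPractice: { "99211": 20, "99212": 80, "99213": 300, "99214": 400, "99215": 200 },
  internalMedicine: { "99213": 200, "99214": 450, "99215": 350 },
  oncology: { "99212": 160, "99213": 150, "99214": 440, "99215": 250 },
};

console.log(scoreEstablishedEm("Family Practice", EM_SAMPLES.familyPractice));
console.log(scoreEstablishedEm("Internal Medicine", EM_SAMPLES.internalMedicine));
console.log(scoreEstablishedEm("Oncology", EM_SAMPLES.oncology));
```

The same 25% Level 5 share that is unremarkable for the oncology sample would sit close to the p90 threshold for Family Practice, which is why the comparison has to be made per specialty.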

Run This Audit In Minutes with AuditGuard

AuditGuard applies all six steps above — MUE checks, NCCI pair detection, OIG code matching, PUF benchmark comparison, global period flagging — in a single free tool. No data leaves your browser.

9. Specialty-Specific Billing Risks: What CMS Is Targeting by Specialty

CMS audit risk is not evenly distributed across specialties. Some specialties have billing models that create higher structural risk — either because the codes involved have high denial rates, or because the documentation requirements are particularly complex. The following highlights the top risk areas by specialty in 2025.

Primary Care and Internal Medicine

The primary risk areas are CCM billing infrastructure (the OIG found a 31% error rate), high-level E&M distribution, and incident-to billing for NP/PA services. Incident-to violations — billing under the physician NPI without meeting direct supervision requirements — are one of the most common False Claims Act exposure areas in primary care.

Pain Management

Pain management has the highest structural risk of any specialty due to the combination of OIG-targeted injection codes (62321, 62323, 64483, 64493) and the complexity of their documentation requirements (conservative treatment failure documentation, imaging evidence, fluoroscopy notes). The OIG identified a 62% error rate in a prior pain management injection review. Add urine drug testing fraud — a top-10 fraud category nationally — and pain management practices should treat billing compliance as an ongoing operational priority.

Gastroenterology

The dominant risk is NCCI bundling of endoscopy codes. Billing 45378 (diagnostic colonoscopy) with 45385 (polypectomy) on the same date is the single most common GI NCCI violation. The correct approach is to bill only the highest-level procedure performed. Anesthesia for colonoscopy — billing MAC anesthesia (00810) without documented medical necessity — is also an active audit target.

Psychiatry and Mental Health

The add-on psychotherapy code (90833) with E&M is the primary target. The OIG requires that these two services have separately documented notes — a combined note that covers both the medication management and the psychotherapy in one narrative does not satisfy the requirement. Time documentation is also critical: billing 90837 (60-minute psychotherapy) when the appointment slot is 30 minutes is a scheduling-data red flag that auditors will find.

Nephrology

ESRD monthly billing codes (90954–90962) require documented face-to-face visits matching the number of visits claimed in the code. Practices that bill 90954 (4 visits per month) but cannot produce visit documentation for 4 physician-patient encounters in the billing month have a per-code overpayment on every such claim.

Orthopedic Surgery

Global surgical period compliance and joint injection billing (20610 with modifier -25) are the primary concerns. Additionally, bilateral procedure billing — billing two separate unilateral claims rather than one bilateral claim with modifier -50 — is a systemic pattern that MAC automated systems detect reliably.

10. Frequently Asked Questions

What triggers a CMS medical billing audit?
CMS billing audits are triggered primarily by statistical outliers — billing significantly more high-level E&M codes than specialty peers, year-over-year volume spikes, NCCI edit violations, MUE limit exceedances, or appearing on the OIG Work Plan. Most MAC prepayment reviews are automated: when your utilization exceeds the 75th or 90th percentile for your specialty, claims in flagged categories are held for documentation review before payment is made. RAC contractors (who work on contingency) focus on high-recovery-potential specialties and code categories.
What is the difference between a MAC audit, a RAC audit, and an OIG investigation?
A MAC (Medicare Administrative Contractor) audit is a routine payer review conducted by the regional contractor that processes your Medicare claims. These are most commonly prepayment reviews triggered by statistical outliers. A RAC (Recovery Audit Contractor) audit is conducted by one of four CMS-contracted companies that receive a contingency fee on overpayments recovered — typically 9–12.5% of recoveries — making them aggressive in targeting high-value specialties. An OIG investigation is a federal law enforcement action initiated by the Office of Inspector General; these are reserved for cases with significant evidence of intentional fraud and can result in criminal charges, civil monetary penalties, and Medicare exclusion.
Can good documentation prevent a CMS audit?
No. Audit selection is driven by statistical billing patterns, not by documentation quality. A practice with excellent documentation can still be selected for a prepayment review if its E&M distribution places it above the 90th percentile for its specialty. What good documentation does is determine the outcome of the audit — practices with documentation that supports the codes billed recover 100% of reviewed claims. Documentation quality is your defense, not your shield from selection.
What percentage of 99215 billing is considered too high by CMS?
There is no single percentage that is universally “too high” — thresholds are specialty-specific because patient acuity varies dramatically across specialties. For a Family Practice, billing Level 5 at 25%+ of established visits approaches the 90th percentile and is high-risk. For Oncology, the same 25% Level 5 rate is below average. The correct benchmark is your specialty’s PUF-derived distribution. Use the AuditGuard tool above to compare your Level 5 rate against the actual CMS PUF 2022 p75 and p90 percentiles for your specialty instantly.
What should I do if I discover a billing error internally?
Do not repay overpayments without legal guidance. Under the Medicare 60-day repayment rule, you must report and return overpayments within 60 days of identifying them — but how you handle the identification and repayment process matters significantly. Repaying without proper documentation of your internal investigation process can constitute an implied admission. The correct sequence is: (1) consult a healthcare compliance attorney under attorney-client privilege, (2) conduct or confirm the scope of the finding under privileged review, (3) use the CMS Self-Disclosure Protocol or the OIG Self-Disclosure Protocol if appropriate, (4) repay with the legally correct documentation.
How often should a medical practice conduct a billing compliance audit?
The OIG Compliance Program Guidance recommends quarterly random-sample audits for most practices, with focused audits on high-risk codes conducted monthly. The minimum recommended sample size varies by risk level: 10 random claims per provider per quarter for low-risk practices, 20–30 per provider per month for moderate-to-elevated risk, and 50+ for high-risk practices. The 12-month compliance calendar built into AuditGuard provides a month-by-month audit schedule calibrated to these OIG recommendations.
Does AuditGuard store any of my billing data?
No. AuditGuard is designed as a fully browser-based, client-side tool. All processing occurs in your local browser — no data is transmitted to any server. The tool explicitly warns against entering any patient-identifying information (names, DOBs, MRNs, claim-level data). It is designed for aggregate practice-level inputs that do not constitute PHI. You can verify this by checking your browser’s network activity while using the tool — you will see no outbound requests to any data endpoint.