Atlantic Health Strategies

How to Prepare for a Payer Audit in Behavioral Health: A Step-by-Step Guide

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

The short answer

Treat every payer records request as the opening move in an SIU investigation, not a paperwork errand. If a commercial payer’s Special Investigations Unit sends you a records request, the fastest way to protect your license and your revenue is to stop the clock, identify the audit type in writing, pull the exact claims and dates being reviewed, and produce a defensible packet inside the payer’s stated window.

Documentation gaps drive most adverse findings, not fraud. CMS reported that in FY 2024, 79.11% of Medicaid improper payments were the result of insufficient documentation, meaning the underlying service may well have been delivered but the chart could not prove it. That distinction matters. CMS itself notes these payments “do not necessarily indicate fraud or abuse” and typically reflect a missed administrative step. Payers do not treat you that gently. Blue Cross, Aetna, Cigna, and Optum SIUs will recoup, offset future payments, and refer to law enforcement on the same fact pattern CMS would call a documentation problem.

What has worked at behavioral health operators I’ve supported in Florida, Texas, and Utah: a written audit-response protocol, a single point of contact, chart audits run before the payer runs theirs, and clinical leadership involved from day one. What has failed: a billing manager quietly sending PDFs to an SIU investigator without legal review.

Know which audit you are actually in

Prepayment audits sit in front of the claim. Post-payment audits look backward and drive recoupment. SIU audits are the ones that end careers. Hendershot Cowart’s healthcare team writes that an SIU records request indicates “a fraud investigation – not a routine audit”, and warns that providers should preserve documentation and secure counsel immediately.

The players behind these audits are not clerks. Private-payer SIUs staff clinical reviewers who know medical necessity, coding, and coverage rules cold, and many recruit former federal investigators. Assume the person on the other side of your audit letter has run federal cases.

Referrals also flow the other direction. If a payer’s SIU concludes a case looks criminal, the investigator hands the file to HHS-OIG or DOJ. DOJ’s 2026 National Health Care Fraud Takedown charged 455 defendants across schemes involving over $6.5 billion in alleged false claims, and behavioral health featured prominently. Federal prosecutors charged a $49 million Virginia Medicaid crisis-stabilization scheme and a $44 million Arizona behavioral services case targeting Native Americans, and announced the first prosecution arising from the Fusion Center’s Financial Intelligence Review Team, a $67 million Illinois Medicaid behavioral health case with claims allegedly submitted for 500 or more hours of counseling and therapy per day. Behavioral health is not a quiet corner of enforcement anymore. It is the front page.

The first 72 hours after an audit letter arrives

Read the letter twice. Identify the requesting department. If the header says SIU, escalate to counsel before you send a single page. Provider-defense counsel routinely advises against altering, destroying, or “supplementing” any record, and against signing non-disclosure or confidentiality agreements without legal review.

  1. Freeze the chart. Snapshot the EMR state on the day the notice arrived. Do not late-enter progress notes. Do not backdate signatures.
  2. Confirm scope. Which member IDs, which dates of service, which CPT codes, which level of care. Ask for it in writing.
  3. Assign one owner. One person handles the payer conversation. Everyone else routes through them.
  4. Log everything. Every call, every email, every deadline extension. Create a tracking spreadsheet on day one.
  5. Run your own audit first. Pull the same charts the payer requested and review them against the payer’s medical policy and ASAM Criteria before you produce anything.

Behavioral health charts fail audits for the same three reasons over and over: the level of care documented does not match the ASAM Criteria justification, the physician’s signature or timing is off, and the group note does not identify what the individual patient did in the session. Operators I’ve worked with in Arizona and Tennessee have absorbed six-figure recoupments on those three findings alone.

What SIU investigators actually look at

Insurance SIUs do not read every chart. Their analysts run algorithms against your billing history and pull outliers. Federal enforcement uses the same playbook, only bigger. DOJ’s Fraud Division and CMS disclosed a new agreement giving prosecutors cloud-computing space within the CMS Integrated Data Repository “in which to deploy advanced data analytics algorithms and artificial intelligence tools,” with separate data-sharing agreements now reaching DHS and the FTC.

CMS Administrator Mehmet Oz put the strategy plainly in the DOJ release: “CMS is done playing catch-up. We’re deploying advanced data analytics to expose fraud networks, freeze suspicious payments, and shut down bad actors before they can do damage.”

Common red flags an SIU or federal analytics team will flag on a behavioral health operator:

  • High volumes of ASAM Level 2.1 IOP and 2.5 PHP hours per patient per week that exceed the payer’s utilization norms.
  • Concurrent billing across facilities for the same patient on the same day.
  • Urine drug screen frequencies that outpace medical necessity.
  • Group therapy billed for hours the facility could not physically staff.
  • Discharge patterns that repeatedly land at the payer’s benefit-max day.

If your internal team cannot explain why any of the above look the way they do, the SIU investigator will not either, and the investigator’s assumption will not favor you.

Build the operational backbone before the audit letter shows up

Operators treat audit readiness as a system, not a scramble. The behavioral health leaders I’ve worked with in Florida, Texas, and Utah who come through SIU reviews cleanly share five habits.

  1. Human chart audits every month. Not annual. Not AI-only. A trained auditor reviews a sample of charts against payer policy and ASAM Criteria and issues written findings the clinical team must close.
  2. Medical necessity documented at the level of care. The chart must show why this patient needs this level of care today, tied to specific ASAM dimensions, not boilerplate.
  3. UM notes that match the claim. Utilization management concurrent-review notes, authorization numbers, and billed dates of service should reconcile line by line.
  4. A written audit-response SOP. Who opens the letter, who calls counsel, who pulls the charts, who signs the cover letter, what the response window is. Rehearsed, not theoretical.
  5. A compliance program the board actually reviews. HHS-OIG’s General Compliance Program Guidance, released November 6, 2023, lays out the seven elements and emphasizes board and executive oversight. Boards that treat it as a checklist watch their operators default the covenant when a recoupment lands.

The macro numbers explain the pressure operators are under. CMS estimated the FY 2024 Medicare Fee-for-Service improper payment rate at 7.66%, or $31.70 billion, and the Medicaid improper payment rate at 5.09%, or $31.10 billion. Every one of those dollars becomes a recoupment target for some regulator or payer. Behavioral health, with its documentation-heavy service lines and rising enforcement profile, sits directly in the crosshairs. The operators who survive audits treat compliance as an operational discipline that clinical leadership, billing, IT, and the CEO all own together. The ones who outsource it to a single vendor and forget about it write the recoupment check.

Frequently asked questions

What is the difference between a payer audit and an SIU investigation?

A routine payer audit reviews claims against medical policy and coding rules and results in denial, adjustment, or recoupment. An SIU audit is a fraud investigation. Hendershot Cowart’s healthcare attorneys note that an SIU records request “indicates a fraud investigation – not a routine audit,” and the most severe SIU action is a referral to HHS-OIG or the DOJ. If the letterhead says Special Investigations Unit, treat it as a legal matter from minute one and engage counsel before responding.

How much time do behavioral health providers usually get to respond to an SIU records request?

Windows vary by payer and by state contract, but most commercial SIU letters give 14 to 30 days, and Medicaid managed-care contracts often set tighter deadlines. Missing the window virtually guarantees adverse action. Operators should confirm the exact deadline in writing, request any extensions in writing, and never let a request expire while waiting on internal signoff.

What documentation failures trigger the most behavioral health recoupments?

Insufficient documentation is the dominant driver. CMS reported that 79.11% of FY 2024 Medicaid improper payments stemmed from insufficient documentation. In behavioral health specifically, the recurring failures are missing or late physician signatures, group notes that do not individualize each patient’s participation, and level-of-care justifications that do not tie back to the ASAM Criteria dimensions.

Is behavioral health actually a federal enforcement priority right now?

Yes. DOJ’s 2026 National Health Care Fraud Takedown charged 455 defendants in schemes involving over $6.5 billion, and prosecutors specifically called out a $49 million Virginia Medicaid crisis-stabilization scheme, a $44 million Arizona behavioral services case, and a $67 million Illinois Medicaid behavioral health prosecution, the first case brought through the Health Care Fraud Unit’s Financial Intelligence Review Team. Federal enforcement teams are using data analytics to identify billing outliers before whistleblowers ever surface.

Request a Free Consultation

Scroll to Top