Atlantic Health Strategies

Why Even High-Performing Behavioral Health Facilities Need External Audits

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

The short answer: internal teams miss what surveyors and prosecutors find

Even high-performing behavioral health treatment centers need external audits because internal staff cannot see the blind spots that state surveyors, HHS-OIG auditors, and payer SIU teams are trained to find. External reviewers catch the documentation gaps, billing patterns, and Environment of Care issues that quietly compound until they surface as a Requirement for Improvement, a payer takeback, or a subpoena.

The federal enforcement data is not subtle. In the 2026 National Health Care Fraud Takedown, DOJ charged 455 defendants, including 90 doctors and other licensed medical professionals, in schemes involving more than $6.5 billion in false claims, and behavioral health featured prominently across the docket. The action covered 56 federal districts, 45 states and territories, and 50 state Medicaid Fraud Control Units, the most in DOJ history.

Legitimate operators get pulled into scrutiny for boring reasons. A coder used the wrong add-on. A therapist copy-forwarded a progress note. A biller kept submitting 99215 when the encounter was a routine check-in. A defensible chart, a clean EOC tour, and a payer-ready claim are the output of a compliance program that someone from outside the building checks. Not once a year. On a rhythm.

What surveyors and OIG auditors are actually finding

HHS-OIG audits keep landing on the same category of findings: missing assessments, unsigned notes, treatment plans without required signatures, and undocumented provider credentials. Those are not sophisticated fraud schemes. Those are chart-audit findings any competent external reviewer would have caught in a mock survey.

Joint Commission surveys tell the same story in the field. Ligature risks in residential settings, medication reconciliation gaps, incomplete treatment plans, untimely assessments, and missing informed consent show up on Behavioral Health Care Standards Manual surveys over and over. The Joint Commission has confirmed that re-surveys can occur any time between 18 and 36 months after the initial survey, which means an internal team that treats accreditation as a triennial event is planning around a calendar the surveyors are not using.

An internal QA nurse who audits her own program will not spot what a surveyor spots. Not because she is not sharp. Because she wrote half the workflows.

Why 'we passed our last survey' is not a compliance program

Founders point to a clean CARF three-year decision and treat it as a shield. It is not. Payer SIU audits, state licensure inspections, and OIG data pulls do not follow the accreditation calendar. Barrins & Associates notes that the official Joint Commission triennial survey window runs anytime from 18 to 36 months after the last full survey, and organizations that have been in Preliminary Denial of Accreditation should anticipate being surveyed early in that window.

Enforcement analytics have collapsed the timeline further. DOJ announced in 2025 that it was standing up a Health Care Fraud Data Fusion Center, bringing together the Criminal Division’s Health Care Fraud Unit Data Analytics Team, HHS-OIG, FBI, and other agencies to use cloud computing, AI, and advanced analytics to identify emerging schemes. Data does the math before any human auditor walks in.

External audits at Atlantic Health Strategies run on different logic than an internal QA cycle. We enter the building as a surveyor would. We pull a stratified sample of charts across ASAM Criteria 4th Edition levels of care. We tour the EOC as if we had never seen it. We test payer readiness against the actual timely filing windows and utilization management rules in the contract. We compare census patterns to billed encounters. And we tell the CEO what we found, in writing, before someone with subpoena power tells them instead.

What an external audit program actually covers

A serious external audit program for a behavioral health treatment center has five moving parts, and none of them are optional:

  • Clinical documentation and chart audit. Human reviewers sampling charts across ASAM Criteria 4th Edition levels of care, testing assessment timeliness, treatment plan signatures, session note quality, discharge planning, and medical necessity.
  • Billing and coding audit. CPT and HCPCS validation, add-on code documentation (90833, 90836, 90838), time-based service verification against schedules, and payer-specific rule testing. Drug-testing code selection gets its own pass after the North Carolina Crossroads settlement.
  • Mock survey and EOC tour. Ligature risk sweep in residential and withdrawal-management settings, medication storage and reconciliation, emergency preparedness drills, and life-safety inspection currency.
  • HIPAA and 42 CFR Part 2 review. Access controls, termination workflows, audit log review, and business associate inventory.
  • Payer readiness and UM review. Contract audit against timely filing, prior authorization, and level-of-care criteria; SIU-simulation audit on high-dollar claim families.

Operators in Florida, Texas, North Carolina, and Virginia should pay particular attention. The 2026 DOJ takedown involved a record 295 defendants and more than $518 million in false claims charged in Medicaid cases alone. State Medicaid Fraud Control Units are staffed, funded, and looking. If no outside team has ever audited your program on a defined rhythm, you do not have a compliance program. You have a hope.

Frequently asked questions

How often should a behavioral health treatment center undergo an external audit?

At minimum, annually for chart, billing, and Environment of Care. High-acuity or multi-site operators should run quarterly billing audits on high-risk code families and a full mock survey 6-9 months before any expected Joint Commission or CARF visit. The Joint Commission has confirmed that re-surveys can occur any time between 18 and 36 months from an initial survey, so a rigid three-year internal cadence leaves you exposed.

What is the difference between an internal QA review and an external audit?

Internal QA staff wrote or trained on the workflows they are reviewing, which creates blind spots. An external audit brings surveyor-side and payer-side methodology into the building: stratified chart sampling, tracer methodology on the EOC, and coding review against the actual payer contract. External auditors also test whether written policy matches actual practice, which is where most Joint Commission Requirements for Improvement live.

Which behavioral health billing patterns draw the most federal scrutiny?

Psychotherapy add-on codes 90833 and 90836, tied to the $2.75 million August 2025 DOJ settlement with Comprehensive Psychiatric Services in the Northern District of California; drug-testing code selection, tied to the $584,143 May 2026 Crossroads Greensboro settlement announced by the North Carolina Attorney General; and billing volumes that outrun documented staff capacity, now flagged by DOJ’s Health Care Fraud Data Fusion Center using data analytics before human auditors ever walk in.

Can an external audit be discoverable in a False Claims Act case?

Audit findings can become discoverable, which is why the audit should be structured with counsel, remediation should be documented and completed, and the workflow should be governed by attorney-client privilege where appropriate. The greater risk is not having an audit trail at all; a former employee filing a qui tam suit will describe what happened without your version on record.

Request a Free Consultation

Scroll to Top