Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
What a behavioral health compliance audit actually covers
A behavioral health compliance audit is a structured review of clinical documentation, billing, policies, supervision, licensure posture, and accreditation readiness, run against the specific payer, state, and federal rules that govern each program. Most operators should run one comprehensive audit per year and add targeted quarterly reviews on documentation, billing, supervision, and 42 CFR Part 2. That cadence is not a preference. It lines up with current HHS-OIG guidance and with what the last two years of federal enforcement have made non-negotiable.
Most generalist healthcare compliance shops do not read SUD documentation, supervision ratios, incident reporting, or 42 CFR Part 2 the way an operator who has actually run programs does. Atlantic Health Strategies sits in that narrow space. Our auditors have managed state licensing surveys, prepared sites for CARF and Joint Commission, corrected documentation systems after payer takebacks, and rebuilt compliance infrastructure after enforcement actions.
Why this matters got very concrete on June 30, 2025. The Department of Justice announced its 2025 National Health Care Fraud Takedown, and DOJ charged 324 defendants, including 96 doctors, nurse practitioners, pharmacists, and other licensed medical professionals, in 50 federal districts and 12 State Attorneys General’s Offices across the United States, for their alleged participation in various health care fraud schemes involving over $14.6 billion in intended loss. In the same coordinated action, the government seized over $245 million in cash, luxury vehicles, cryptocurrency, and other assets.
Behavioral health was not a footnote. In Arizona, federal prosecutors charged Farrukh Jarar Ali, a Pakistan-based operator of ProMD Solutions, in what DOJ described as an alleged $650 million scheme involving at least 41 substance abuse treatment clinics in Arizona, with AHCCCS paying approximately $564 million on those claims before the scheme unraveled. That is exactly the pattern surveyors, SIU auditors, and federal prosecutors now open a chart looking for.
A real audit gives leadership a clear picture of operational risk. Not a checklist. It covers documentation and medical necessity, billing integrity and modifier usage, policy alignment with current state regulations, licensure and accreditation readiness across each jurisdiction, and supervision, onboarding, and workforce practices. Operator-driven, not theoretical.
How often behavioral health operators should run a compliance audit
Most behavioral health organizations should run a full annual compliance audit and add quarterly or semi-annual targeted reviews on high-risk areas. Multi-state operators, managed care contract holders, and programs approaching a survey window need a tighter cadence. This is not arbitrary.
HHS-OIG published its General Compliance Program Guidance (GCPG) on November 6, 2023, the first comprehensive compliance program guidance from OIG in roughly 15 years. The GCPG reinforces the seven elements of an effective compliance program and adds a specific new expectation: the compliance committee should conduct annual risk assessments to identify and address risk areas, and quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability.
OIG put the quality-of-care point directly. In its analysis of the GCPG, Jones Day notes that the guidance recommends adding topics such as quality and patient safety, to compliance reviews and expressly considers the impact of ownership and payment incentives on patient care. That is the language auditors who ignore the clinical side of the chart keep missing.
For SUD programs, the cadence question got sharper in 2026. The SAMHSA and OCR final rule modernizing 42 CFR Part 2 has been effective since April 16, 2024, and compliance was required by February 16, 2026. On February 13, 2026, HHS announced a civil enforcement program under which OCR is now aligned with the HIPAA Privacy, Security, and Breach Notification Rules, with the ability to not only investigate violations, but to impose corrective action plans, administer civil monetary penalties, and enter into resolution agreements. Operators who did not refresh consents, breach notification procedures, patient notices, and re-disclosure workflows by that date are now operating outside the rule.
Financial exposure is real. HIPAA-aligned penalties in 2025 range from $141 to $2.1 million, with criminal penalties also possible. We tell SUD clients to treat the post-effective-date period as a heightened surveyor-focus window and run a targeted Part 2 review on top of the annual cycle.
Where operators find consultants who actually specialize in behavioral health
Generalist healthcare compliance firms do not translate cleanly into behavioral health. The documentation rules are different. The supervision rules are different. Part 2 layered over HIPAA is different. The payer audit playbooks are different. SIU teams at behavioral health managed care plans look for patterns hospital auditors do not even think to flag.
What separates a specialized behavioral health audit partner is field experience. You want people who have supervised clinicians, sat through state licensing surveys in multiple jurisdictions, managed corrective action plans after CARF or Joint Commission findings, and rebuilt billing workflows after a payer SIU audit. The market is not large.
AHS serves community agencies, SUD programs, residential providers, and outpatient clinics, including PHP (ASAM Level 2.5, an outpatient level of care), IOP, and outpatient services across states like Florida, Arizona, Texas, Utah, and Tennessee. We do not work in California or New York, and we do not provide ABA or autism services. Our scope is behavioral health and SUD operations.
A good partner identifies gaps and then helps you actually close them: policy updates, workflow redesign, staff training, supervision structures, and corrective action plans that match your real capacity. One note on AI-driven audit tools. We have tested several. Our auditors still catch documentation patterns the AI misses, and we have seen AI tools hallucinate findings and skip obvious errors. We use technology where it accelerates the work, but a person reads the charts.
How AHS schedules and runs a behavioral health compliance audit
The process is straightforward and designed to limit disruption to clinical and billing teams:
- Initial conversation. A short discussion about size, programs, payers, licensure status, accreditation cycle, and current concerns. This calibrates scope.
- Scope and workplan. We outline the service lines, locations, policies, documentation samples, and billing data we will review. Predictable and bounded.
- Document collection and review. Our team reviews charts, policies, billing data, supervision records, and required elements tied to state, payer, and accreditor expectations.
- Operational interviews. We meet with clinical leadership, billing, quality, and administrative staff to surface workflow gaps that do not show up on paper.
- Findings and recommendations. A clear written report explaining what is compliant, what needs correction, and how to fix it on a realistic timeline.
- Ongoing support. Many clients move to a quarterly or semi-annual review cycle so audit work becomes part of the operational rhythm, not a reaction to a payer letter.
OIG has also raised the bar on what internal audits should actually assess. According to Sidley’s analysis of the GCPG, the guidance addresses developments and emerging issues in the healthcare industry, including a recommendation to incorporate quality and patient safety oversight into compliance programs; new entrants in the healthcare industry; financial incentives and ownership; and financial arrangements tracking. That is a bar most generalist auditors do not clear. Our chart reviewers include clinicians who read medical necessity, not just billing coders who check boxes.
Why enforcement pressure is climbing fast for behavioral health operators
The federal enforcement environment for behavioral health is the most aggressive it has been in a decade. Look at the DOJ’s own numbers. According to Medical Economics, the 2025 Takedown marks the largest coordinated enforcement action in the history of the DOJ’s Health Care Fraud Strike Force, more than doubling the previous $6 billion record. As of June 2025, the Health Care Fraud Strike Force has charged more than 5,400 defendants since 2007, collectively accused of billing over $27 billion.
CMS was directly involved. CMS successfully prevented over $4 billion from being paid in response to false and fraudulent claims and suspended or revoked the billing privileges of 205 providers in the months leading up to the Takedown. Attorney General Pamela Bondi framed the action in plain terms: “This record-setting Health Care Fraud Takedown delivers justice to criminal actors who prey upon our most vulnerable citizens and steal from hardworking American taxpayers”.
The Arizona AHCCCS scandal is now the case study every operator should read. In the Ali indictment specifically, Ali personally received approximately $24.5 million of AHCCCS funds as a result of the scheme, and he used $2.9 million of the funds to purchase a home located on a golf estate in Dubai, United Arab Emirates. Since May 2023, AHCCCS has suspended more than 300 providers, assisted over 10,000 individuals with the humanitarian response, and implemented more than 20 new initiatives to combat fraud, waste, and abuse in our Medicaid program.
Put those trends together with OCR’s active enforcement of the updated Part 2 rule, OIG’s 2023 GCPG raising the bar on quality and risk-assessment expectations, and CARF’s continued focus on outcome data, and a behavioral health operator who waits for a trigger event to audit is now working against the grain of every regulator in the system. Scheduled audits are the cheapest insurance policy available.
Frequently asked questions
How often should a behavioral health organization run a compliance audit?
Most operators should run one full comprehensive audit annually and add quarterly or semi-annual targeted reviews on high-risk domains (documentation, billing, supervision, 42 CFR Part 2). Multi-state operators and programs under managed care contracts often need tighter cycles. The HHS-OIG General Compliance Program Guidance, released November 6, 2023, reinforces internal monitoring and auditing as one of the seven elements of an effective compliance program and recommends that the compliance committee conduct annual risk assessments to identify and address risk areas.
What does a behavioral health compliance audit actually cover?
Documentation and medical necessity (assessments, treatment plans, progress notes, discharge), billing and coding integrity, policy alignment with current state and payer rules, licensure and accreditation readiness (CARF or Joint Commission), supervision and workforce practices, and 42 CFR Part 2 controls for SUD programs. The OIG’s 2023 GCPG also recommends that compliance programs incorporate quality and patient safety oversight, given that excessive or medically unnecessary services can trigger False Claims Act liability.
What changed with 42 CFR Part 2 in 2026?
The SAMHSA and OCR final rule modifying 42 CFR Part 2 has been effective since April 16, 2024, with a compliance deadline of February 16, 2026. HHS announced its civil enforcement program on February 13, 2026, and OCR began accepting complaints and breach notifications on February 16, 2026. Key changes include a single patient consent for treatment, payment, and healthcare operations, alignment of breach notification and penalties with HIPAA, and OCR authority to investigate violations, impose corrective action plans, and levy civil monetary penalties. Penalties now align with HIPAA and can reach up to $2.1 million per year of violations.
Why is enforcement risk in behavioral health higher than it was a few years ago?
Federal enforcement scale has grown dramatically. The DOJ’s 2025 National Health Care Fraud Takedown charged 324 defendants across 50 federal districts and 12 State Attorneys General’s Offices, involving over $14.6 billion in intended loss, more than doubling the previous $6 billion record. CMS separately prevented over $4 billion in improper payments and suspended or revoked the billing privileges of 205 providers ahead of the takedown. Behavioral health featured prominently, most notably the $650 million ProMD/AHCCCS Arizona case, where prosecutors allege AHCCCS paid roughly $564 million on false claims tied to at least 41 substance abuse treatment clinics.
References
- U.S. Department of Justice. National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud (June 30, 2025)
- U.S. Attorney’s Office, District of Arizona. District of Arizona Charges 7 Defendants as Part of National Health Care Fraud Takedown
- HHS-OIG. General Compliance Program Guidance (November 6, 2023)
- HHS.gov. Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records or “Part 2”
- Feldesman. OCR Announces Part 2 Confidentiality Enforcement Program (February 2026)
- CMS. National Health Care Fraud Takedown Press Release
- Arizona Health Care Cost Containment System (AHCCCS). Sober Living Fraud
- HIPAA Journal. February 16, 2026 Compliance Deadline for Part 2 Final Rule