Atlantic Health Strategies

How Behavioral Health Operators Reduce Audit Risk, Manage Compliance, and Build Scalable Programs

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

Records That Match the Rulebook Before the Request Arrives

Behavioral health operators cut audit risk by aligning clinical documentation, medical necessity, and billing to the exact criteria payers and government auditors use, before a records request is ever issued. Audit exposure is rarely one bad code. It is the gap between how a clinician documents a level of care and how a payer, a Medicaid Fraud Control Unit, or an HHS-OIG auditor tests the chart against policy.

The enforcement math is not theoretical. HHS-OIG’s Fall 2023 Semiannual Report to Congress projected over $3.44 billion in expected recoveries, with over $283 million expected to be returned based on program audit findings, and $3.16 billion from investigative work for FY 2023. That same year, HHS-OIG excluded 2,112 individuals and entities from participation in federal health care programs.

Then it accelerated. CMS reports that total Medicare program integrity savings surged 59%, from $26.3 billion in FY 2024 to a record-shattering $41.9 billion in FY 2025, with a Medicare Return on Investment of $22.3 to 1, the highest ROI ever.

Behavioral health sits inside that enforcement window. In one Medicare psychotherapy review, OIG estimated that of the $1 billion Medicare paid for psychotherapy services, providers received $580 million in improper payments, consisting of $348 million for telehealth and $232 million for non-telehealth claims. The sampled files failed for boring reasons. Psychotherapy time was not documented. Providers’ signatures were missing.

My team at Atlantic Health Strategies builds payer-specific medical necessity maps, runs retrospective claim reviews that mirror SIU audit methodologies, and rewrites documentation workflows so the next surveyor focus finds aligned records. Recoupment math is brutal once a finding is issued. Prevention is cheaper.

Multi-State Compliance Belongs at the Enterprise Level, Not in a Folder

Operators running facilities across Texas, Florida, and Michigan sit inside overlapping regulatory regimes at once: state licensing boards, Medicaid program integrity units, commercial payer policies, and the federal fraud and abuse statutes. Decentralized compliance does not survive that environment. Neither does the binder-in-the-corner model.

The federal expectation is now explicit. OIG published its General Compliance Program Guidance (GCPG) on November 6, 2023, its first major update to compliance program guidance in 15 years, running 91 pages. The new guidance includes recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board’s and executive leadership’s oversight of compliance.

OIG called out private equity owners directly. Per Crowell & Moring’s read of the GCPG, OIG “specifically calls out the growing presence of private equity and other forms of private investment in health care and recommends that such investors scrutinize their operations and oversight to ensure compliance with fraud and abuse laws”. Sidley notes that OIG framed PE investment as raising “concerns about the impact of ownership incentives … on the delivery of high quality, efficient health care”. PE-backed platforms in behavioral health are reading the same paragraph their auditors are reading.

My team builds MSO-level compliance infrastructure for multi-state operators: centralized policies, state-specific tracking calendars, audit readiness frameworks, internal exclusion screening against the OIG LEIE and state Medicaid exclusion lists, and quarterly board reporting. The work is operational, not legal theater. When a Medicaid Fraud Control Unit or a commercial SIU sends a records request, the operational backbone is what answers it.

Documentation Failures Are Clinical Operations Problems, Not Coding Problems

Coders do not fix documentation deficiencies. Clinical leaders do, by defining the service, supervising the clinician, and structuring the schedule so the chart proves the level of care the payer is paying for. If the clinical model is unclear, the chart will be unclear, and the payer will deny.

The 2023 GCPG reinforces the 60-day overpayment obligation and treats OIG audit reports themselves as credible information of potential overpayments, which triggers the return obligation. There is no slow lane.

The Medicare Benefit Policy Manual is also unambiguous about what PHP actually is. DOJ, quoting that same standard in the Riverside filings, described a PHP as “a form of intensive outpatient treatment for severe mental illness”. Programs providing primarily social, recreational, or diversionary activities do not qualify. That single distinction is the language auditors reach for when they claw back PHP claims.

The OIG psychotherapy sample tells the same story in numbers. For 84 of the 216 sampled enrollee days, providers met Medicare requirements. However, for 128 sampled enrollee days, providers did not meet these requirements (e.g., psychotherapy time was not documented). In addition, for 54 sampled enrollee days, providers did not meet Medicare guidance (e.g., providers’ signatures were missing).

My team rewrites progress notes, treatment plans, and discharge summaries against that language so the chart proves the service, the level of care, and the medical necessity. Every time.

Building PHP, IOP, Detox, and Residential Programs Without Day-One Exposure

PHP (ASAM Criteria 4th Edition Level 2.5, an outpatient level of care), IOP, residential withdrawal management, and clinically managed residential programs are not licensing exercises. Operators who treat them that way rebuild the program twelve months in, usually after a payer audit or a state finding. Clinical, staffing, utilization management, and revenue cycle leaders design the model together, or none of it works.

Federal and state auditors watch PHP and IOP billing for a reason. In the Riverside General Hospital case out of Houston, DOJ charged that a federal jury convicted the president of Riverside General Hospital, his son, and two others for their participation in a $158 million Medicare fraud scheme involving false claims for mental health treatment. Evidence at trial showed the Medicare beneficiaries for whom Riverside and its satellite locations billed Medicare for PHP services did not qualify for or need PHP services, the Medicare beneficiaries rarely saw a psychiatrist and did not receive intensive psychiatric treatment, and some of the Medicare beneficiaries were suffering from Alzheimer’s and could not actively participate in any treatment.

Former Riverside president Earnest Gibson III was sentenced to 45 years in prison. Earnest Gibson IV was sentenced to 20 years in prison. Regina Askew was sentenced to 12 years in prison. Assistant administrator Mohammad Khan pleaded guilty and was sentenced to 40 years in prison. Assistant Attorney General Leslie R. Caldwell put it plainly: “the defendants billed Medicare more than $158 million for care that was never provided”. Different services, same pattern across the sector: weak documentation, unclear medical necessity, money clawed back.

AHS does not work in ABA or autism services, and we do not license facilities in California or New York. My team builds PHP, IOP, withdrawal management, and residential programs in active states like Texas, Florida, and Michigan with level-of-care design tied to the ASAM Criteria 4th Edition, staffing ratio modeling against state minimums, policy sets that survive an EOC tour, and payer readiness packets that hold up to utilization management review on day one.

Choose a Partner Who Has Actually Run the Programs

Behavioral health operators do not need a generalist consultant with a deck. They need people who have built the schedule, worked through the survey window, negotiated the corrective action plan, and rebuilt census after a payer suspension.

The 2023 OIG guidance frames the bar plainly. OIG emphasized the importance of a board’s and executive leadership’s oversight of compliance, and reiterated that every entity should designate a compliance officer, who has the authority, stature, access, and resources necessary to lead an effective compliance program. Boards now expect their operators and advisors to bring the same discipline.

My team at Atlantic Health Strategies works directly with CEOs, clinical directors, compliance officers, and revenue cycle leaders. Our engagements leave the organization stronger after we go: tighter policies, defensible documentation, a finance team that can read its own utilization data, and a compliance function that does not collapse when a surveyor walks in unannounced.

That is the work. It is not glamorous. It holds up under scrutiny.

Frequently asked questions

How much exposure do behavioral health operators actually face in a payer or government audit?

The math compounds fast. HHS-OIG projected over $3.44 billion in expected recoveries in FY 2023, including more than $283 million from program audit findings and $3.16 billion from investigative work, and excluded 2,112 individuals and entities from federal health care programs that year. CMS then reported that Medicare program integrity savings jumped 59%, from $26.3 billion in FY 2024 to $41.9 billion in FY 2025, with a $22.3-to-1 Medicare ROI, the highest ever recorded. In one Medicare psychotherapy review, OIG estimated $580 million of the $1 billion paid was improper, split between $348 million in telehealth and $232 million in non-telehealth claims.

What does the 2023 OIG General Compliance Program Guidance change for behavioral health operators?

OIG published the GCPG on November 6, 2023, its first major update to compliance program guidance in 15 years, running 91 pages. It recommends annual internal risk assessments, integrates quality of care into the compliance program, emphasizes board and executive oversight, and specifically calls out private equity owners to scrutinize operations and oversight to ensure compliance with fraud and abuse laws. Behavioral health platforms with PE capital should expect that paragraph to be read back to them during diligence and during any investigation.

Is PHP a residential level of care?

No. Partial Hospitalization (PHP, ASAM Criteria 4th Edition Level 2.5) is an outpatient level of care. DOJ, in the Riverside General filings, described a PHP as “a form of intensive outpatient treatment for severe mental illness.” Programs offering primarily social, recreational, or diversionary activities do not qualify as PHP and have produced some of the largest fraud cases in the sector, including the $158 million Riverside General Hospital scheme in Houston, where the former president was sentenced to 45 years and an assistant administrator to 40 years.

Does Atlantic Health Strategies operate in every state and every service line?

No. AHS does not work in ABA or autism services and does not license facilities in California or New York. My team focuses on substance use disorder and mental health programs (PHP, IOP, withdrawal management, and residential) in states where we are actively engaged, including Texas, Florida, and Michigan.

Request a Free Consultation

Scroll to Top