Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
Reducing Audit Risk Starts Before the Records Request Arrives
Behavioral health operators reduce audit risk by aligning clinical documentation, medical necessity standards, and billing operations to the exact criteria payers and regulators use to evaluate claims, before a records request ever lands. Audit exposure rarely reflects an isolated coding error. It reflects an operational gap between how clinicians document a level of care and how payers and government auditors test it.
The scale here is not theoretical. HHS-OIG reported $3.44 billion in expected recoveries in FY 2023 alone, with $283 million tied directly to program audit findings and $3.16 billion from investigative work. CMS reported that total Medicare program integrity savings jumped from $26.3 billion in FY 2024 to $41.9 billion in FY 2025, a 59% increase. Behavioral health is squarely inside that enforcement window.
The psychotherapy numbers tell the story plainly. In one Medicare review, OIG estimated that of $1 billion paid for psychotherapy services, $580 million went out as improper payments, including $348 million for telehealth and $232 million for non-telehealth claims. Atlantic Health Strategies builds payer-specific medical necessity maps, runs retrospective claim reviews that mirror SIU audit methodologies, and rewrites documentation workflows so the next surveyor focus finds aligned records, not gaps. We work the prevention side because the recoupment math is brutal once a finding is issued.
Multi-State Compliance Belongs at the Enterprise Level, Not in a Folder
Operators running facilities across multiple states face overlapping regulatory regimes: state licensing boards, Medicaid program integrity units, commercial payer policies, and federal fraud and abuse statutes. Decentralized compliance does not survive that environment. Neither does the binder-in-the-corner model.
The federal expectation is now explicit. On November 6, 2023, OIG published its General Compliance Program Guidance, the first significant refresh of the seven elements in 15 years. The 2023 guidance adds annual internal risk assessments, integrates quality of care into the compliance program, and emphasizes board and executive leadership oversight. OIG also calls out private equity owners specifically, instructing them to scrutinize operations and ensure compliance with fraud and abuse laws. PE-backed platforms in behavioral health are reading the same paragraph their auditors are reading.
Atlantic Health Strategies builds MSO-level compliance infrastructure for multi-state operators in states like Texas, Florida, and Michigan: centralized policies, state-specific tracking calendars, audit readiness frameworks, internal exclusion screening against the OIG LEIE and state Medicaid exclusion lists, and quarterly board reporting. The work is operational, not legal theater. When an MFCU or commercial SIU sends a records request, the operational backbone is what answers it.
Documentation Failures Are Clinical Operations Problems
Documentation deficiencies are almost never solved by another coder training. They get solved by fixing how clinical leadership defines the service, supervises the clinician, and structures the schedule. If the clinical model is unclear, the chart will be unclear, and the payer will deny.
The 60-day clock makes this urgent. When evidence of overpayment exists through an audit or credible complaint, healthcare organizations have just 60 days to investigate and return any overpayments, and OIG considers its audit reports themselves “credible information of potential overpayments,” triggering that obligation. There is no slow lane.
The Medicare Benefit Policy Manual is also unambiguous about what PHP actually is. PHPs are structured to provide intensive psychiatric care through active treatment that closely resembles a highly structured, short-term hospital inpatient program, and “programs providing primarily social, recreational or diversionary activities are not considered partial hospitalization”. AHS rewrites progress notes, treatment plans, and discharge summaries against that language so the chart proves the service, the level of care, and the medical necessity. Every time.
Building PHP, IOP, Detox, and Residential Programs Without Day-One Exposure
PHP (ASAM Level 2.5, an outpatient level of care), IOP, residential withdrawal management, and clinically managed residential programs are not licensing exercises. Operators who treat them that way end up rebuilding twelve months in, usually after a payer audit or a state finding. The level of care, staffing model, utilization management, and revenue cycle have to be designed together or none of them work.
Federal and state auditors are paying close attention to intensive outpatient and partial hospitalization billing for a reason. In a Houston case, three individuals were sentenced to 12, 20, and 45 years in prison and ordered to pay more than $100 million in restitution for a $158-million PHP scheme in which patients with dementia were billed for therapy they could not participate in. In a more recent series, OIG recommended Maine refund $28.8 million in Federal share for Medicaid payments that did not comply with Federal and State requirements, after finding that all 100 sampled enrollee-months included improper or potentially improper claims. OIG recommended Wisconsin refund $12.29 million in Federal share for non-compliant Medicaid ABA payments. Different services, same pattern: weak documentation, unclear medical necessity, money clawed back.
AHS does not work in ABA or autism services, and we do not license in California or New York. We build PHP, IOP, withdrawal management, and residential programs in our active states with level-of-care design tied to the ASAM Criteria 4th Edition, staffing ratio modeling against state minimums, policy sets that survive an EOC tour, and payer readiness packets that hold up to utilization management review on day one.
Choosing a Partner Who Has Actually Run the Programs
Behavioral health operators do not need a generalist consultant with a deck. They need people who have built the schedule, sat through the survey window, negotiated the corrective action plan, and rebuilt a census after a payer suspension. The 2023 OIG guidance frames the bar plainly. OIG underscores the critical role of the Board in overseeing and assuring compliance. Boards now expect their operators and advisors to bring the same discipline.
AHS works directly with CEOs, clinical directors, compliance officers, and revenue cycle leaders. The engagements are scoped to leave the organization stronger after we go: tighter policies, defensible documentation, a finance team that can read its own utilization data, and a compliance function that does not collapse when the surveyor walks in unannounced. That is the work. It is not glamorous. It holds up under scrutiny.
Frequently asked questions
How much exposure do behavioral health operators actually face in a payer or government audit?
Audit math compounds fast. HHS-OIG reported $3.44 billion in expected recoveries in FY 2023, with $283 million from program audit findings alone. In one Medicare review of psychotherapy services, OIG estimated $580 million of $1 billion paid was improper. Once a finding is issued, the 60-day overpayment rule starts running and the organization must investigate and return overpayments within that window.
What does the 2023 OIG General Compliance Program Guidance change for behavioral health operators?
OIG published the GCPG on November 6, 2023, the first significant refresh of the seven elements in 15 years. It adds annual internal risk assessments, integrates quality of care into the compliance program, expects board and executive leadership oversight, and specifically calls out private equity owners to scrutinize operations and ensure compliance with fraud and abuse laws. Behavioral health platforms with PE capital should expect that paragraph to be read back to them during diligence and during any investigation.
Is PHP a residential level of care?
No. Partial Hospitalization (PHP, ASAM Level 2.5) is an outpatient level of care. The Medicare Benefit Policy Manual defines PHP as intensive psychiatric care through active treatment, structured to resemble a short-term hospital inpatient program, but it is not residential. Programs offering primarily social, recreational, or diversionary activities do not qualify as PHP and have produced some of the largest fraud cases in the sector.
Does Atlantic Health Strategies operate in every state?
No. AHS does not work in ABA or autism services and does not license facilities in California or New York. We focus on substance use disorder and mental health programs (PHP, IOP, withdrawal management, and residential) in states where we operate actively, including Texas, Florida, and Michigan.
References
- HHS-OIG, General Compliance Program Guidance (November 6, 2023)
- HHS-OIG Fall 2023 Semiannual Report to Congress, $3.44 Billion in Expected Recoveries
- CMS, Crushing Fraud, Waste, & Abuse, FY 2025 Program Integrity Results
- HHS-OIG, Audits of Medicaid Applied Behavior Analysis for Children Diagnosed With Autism (Maine, Wisconsin, Indiana, Colorado)
- American Journal of Managed Care, Mental Health Fraud Exacts High Human and Financial Costs
- AAPC, Lessons Learned From OIG Audits (60-Day Overpayment Rule)
- HHS-OIG Work Plan, Audit of CCBHC Medicaid Reimbursement and Compliance