Upcoding Investigation by OIG: What Your Practice Should Do Immediately

You just learned that the Office of Inspector General is looking at your billing. Maybe you received a subpoena, a Civil Investigative Demand, or a letter from a Medicare Administrative Contractor flagging unusual coding patterns. Whatever form it took, the message is clear: OIG believes your practice may be upcoding, and they want answers. Here is what to do right now — and what to avoid doing — to protect your practice, your license, and your staff.

What Upcoding Means in the Eyes of OIG

Upcoding is the practice of billing for a higher level of service than what was documented or medically necessary. To OIG and the Department of Justice, upcoding is not an innocent clerical error — it is a form of fraud under the False Claims Act (31 USC § 3729–3733). The distinction between a billing mistake and fraud often comes down to whether the pattern was systematic, whether the practice knew or should have known the claims were incorrect, and whether the practice had an effective compliance program in place to catch and correct these issues.

Common upcoding patterns that trigger OIG scrutiny include consistently billing evaluation and management (E/M) codes at the highest levels (99214 and 99215) far above specialty benchmarks, billing new patient visits as established patient visits or vice versa when the higher code pays more, and using time-based billing without adequate documentation of the time spent. OIG’s data analytics are sophisticated — they compare your billing distribution against national and regional norms for your specialty, and statistical outliers get flagged automatically.

Step One: Preserve Everything

The moment you learn of an investigation, issue an internal document preservation directive. This means no altering, deleting, or destroying any billing records, medical charts, correspondence, emails, audit logs, or electronic health record metadata. Instruct every staff member who touches billing or documentation that no records are to be modified. Spoliation of evidence — even accidental — can turn a civil investigation into a criminal one and exposes your practice to obstruction charges that carry penalties far beyond the original billing issue.

Step Two: Engage Healthcare Fraud Counsel Immediately

This is not the time for your general business attorney. You need a lawyer who specializes in healthcare fraud defense and has experience with OIG investigations, False Claims Act cases, and qui tam lawsuits. Attorney-client privilege will protect your internal investigation findings, and experienced counsel can help you evaluate whether a voluntary self-disclosure to OIG is in your best interest — a decision that must be made carefully and early.

Step Three: Conduct an Internal Audit

Under the direction of counsel (to maintain privilege), pull a statistically valid sample of the claims in question and have them reviewed by a certified coder who is independent of your billing staff. Compare the billed codes against the documentation in the medical record. The goal is to determine the scope of the problem: Is this a small number of isolated errors, a pattern attributable to one provider or coder, or a systemic issue across the practice?

Your internal audit should evaluate E/M level distribution against published specialty benchmarks, whether documentation supports the medical necessity and level billed, whether modifier usage is appropriate and documented, and whether any claims were submitted for services not rendered. Document your methodology, sample size, findings, and conclusions. This internal audit record becomes critical evidence that your practice took the investigation seriously and acted in good faith.

Understanding Your Exposure Under the False Claims Act

The False Claims Act (42 USC § 1320a–7b) imposes liability on anyone who knowingly submits or causes the submission of false claims to the federal government. Penalties include treble damages (three times the amount of the false claims) plus per-claim penalties that currently range from $13,508 to $27,018 per false claim. For a practice that billed hundreds of upcoded claims over several years, the math becomes devastating quickly.

The word “knowingly” in the statute does not require proof of specific intent to defraud. It includes acting in deliberate ignorance or reckless disregard of the truth. A practice that had no compliance program, no internal auditing, and no coding education for providers will have a very difficult time arguing it did not “know” its billing was inaccurate. This is precisely why OIG’s seven elements of an effective compliance program emphasize internal monitoring and auditing as core requirements.

The Voluntary Self-Disclosure Option

OIG operates a formal Self-Disclosure Protocol that allows healthcare providers to voluntarily report potential fraud to OIG before or during an investigation. When a practice self-discloses, OIG typically settles for 1.5 times the single damages amount — compared to the treble damages and per-claim penalties available under the False Claims Act. Self-disclosure also demonstrates good faith and can help avoid exclusion from federal healthcare programs, which for most practices would be a death sentence.

The decision to self-disclose must be made with counsel and is highly fact-specific. If the overpayments are modest and clearly attributable to a correctable process failure, self-disclosure is often the best path. If the facts are ambiguous or the exposure is unclear, your attorney may recommend completing the internal audit before making that decision.

Corrective Actions That Matter

Whether or not you self-disclose, you need to demonstrate that your practice has taken concrete steps to prevent future upcoding. Investigators and settlement negotiators look for evidence that the practice implemented real changes, not just promises. Effective corrective actions include retaining an independent coding consultant to retrain all providers on E/M documentation and code selection, implementing prospective coding audits where a sample of claims are reviewed before submission, establishing a formal billing compliance program with written policies and a designated compliance officer, and creating a mechanism for staff to report billing concerns without fear of retaliation.

Repaying identified overpayments promptly is essential. Under the 60-day rule (42 USC § 1320a–7k(d)), once you identify an overpayment, you have 60 days to report and return it. Failure to do so converts the overpayment into a false claim, creating additional liability.

What Happens If You Do Nothing

Ignoring an OIG investigation does not make it go away. It makes it worse. OIG has subpoena power, access to your claims data through CMS, and the resources to pursue cases for years. Practices that fail to cooperate or that attempt to conceal problems face the harshest outcomes: maximum financial penalties, exclusion from Medicare and Medicaid, and potential criminal referral. The cost of non-compliance in this arena is existential.

Building the Compliance Program You Should Have Had

If this investigation revealed that your practice lacked a formal compliance program, billing audits, or coding education, the most important thing you can do — beyond resolving the current matter — is build one now. OIG has published detailed guidance on compliance programs for small physician practices, and the seven elements are not optional suggestions. They are the framework that separates practices that made honest mistakes from practices that were recklessly indifferent to whether their billing was accurate.