Medical coding audit preparation is the process of systematically reviewing your coding practices, documentation workflows, and compliance controls before an internal or external audit occurs. For revenue cycle leaders in 2026, preparation isn't optional. The Office of Inspector General (OIG) work plan continues to target high-risk areas like HCC coding, inpatient evaluation and management services, and telehealth claims. Organizations that wait until an audit notice arrives face expensive findings, compliance actions, and revenue disruption. This post walks you through an actionable compliance checklist to prepare your coding department for audits, self-audit your highest-risk areas, and align your team with current regulatory priorities.
Why medical coding audit preparation matters more in 2026
Federal oversight of healthcare billing has intensified. The OIG's 2026 work plan identifies specific billing and coding areas for review, including HCC risk adjustment coding, E/M services billed under the new 2023-2025 guidelines, and telehealth claims submitted during and after the public health emergency flexibilities.
Payers are also increasing their own audit activity. Commercial insurers and Medicare Advantage plans conduct post-payment reviews targeting diagnosis codes that affect risk scores and reimbursement. If your coders haven't documented and validated HCC conditions properly, expect takebacks.
Internal audits catch errors before external auditors do. A proactive audit program identifies patterns in miscoding, incomplete documentation, and compliance gaps. It gives you time to correct course, retrain staff, and implement workflow fixes. Reactive organizations discover their problems during a RAC or ZPIC audit when corrective action means refunds and potential penalties.
OIG work plan focus areas for coding departments
The OIG work plan guides federal audit priorities. Understanding these areas helps you focus your internal audit resources where risk is highest.
HCC and risk adjustment coding
Hierarchical Condition Category (HCC) coding, which assigns diagnosis codes that reflect patient complexity and predict healthcare costs, remains a top OIG focus. The agency is reviewing whether providers adequately document chronic conditions, whether coders accurately translate documentation into valid HCC codes, and whether organizations over-report conditions to inflate risk scores.
Your audit checklist should verify that every reported HCC condition meets these standards: documented by a qualified provider, supported by clinical evidence in the current year, and coded to the highest specificity available. Claims for conditions like diabetes with complications, congestive heart failure, and chronic kidney disease receive extra scrutiny.
Inpatient evaluation and management services
The OIG continues examining inpatient E/M services to confirm that level of service matches documentation. This includes medical decision-making complexity, time spent on the date of service, and whether split/shared visits between physicians and NPPs follow CMS billing rules.
Review a sample of your inpatient E/M claims. Confirm that coders are applying current guidelines correctly, that attending physicians document their role in shared visits, and that modifier use aligns with CMS guidance.
Telehealth and remote service claims
Telehealth billing expanded rapidly during COVID-19. CMS extended some flexibilities, but others expired. The OIG is auditing telehealth claims to verify that services meet current place of service requirements, originating site rules, and documentation standards.
If your organization bills telehealth services, audit your claims for correct use of place of service codes, appropriate modifiers, and documentation that supports the medical necessity of the remote visit. Services billed under temporary waivers that have since expired are at high risk for recoupment.
Short-stay inpatient admissions
CMS and the OIG review short inpatient stays to determine whether observation status was more appropriate. The two-midnight rule generally guides this decision, but medical necessity and physician judgment still matter.
Audit a random sample of inpatient admissions under 48 hours. Verify that the admitting physician documented the expectation of a multi-day stay or that the patient's condition justified inpatient care regardless of length of stay. Claims missing this documentation are vulnerable.
Building your internal coding audit checklist
An effective audit checklist targets your highest-risk areas, includes statistically valid sample sizes, and produces actionable findings. Here's how to structure it.
Define audit scope and objectives
Start by identifying what you're auditing and why. Are you verifying coding accuracy for specific service lines? Testing compliance with a new coding guideline? Measuring coder performance after a training update?
Narrow your scope. An audit that tries to review every code type across all departments produces shallow findings and wastes time. Focus on 2 or 4 areas where risk is highest or revenue is largest.
Select your sample size and methodology
Use random sampling to avoid bias. The OIG recommends sample sizes of at least 30 records per coder or per audit area to produce statistically meaningful results. Larger samples increase confidence but require more time.
Stratified sampling works when you need to audit multiple service types or payer categories. For example, pull 30 Medicare inpatient charts, 30 commercial outpatient charts, and 30 Medicare Advantage claims separately. This ensures each category gets adequate coverage.
Create a standardized review tool
Your audit tool should include clear yes/no criteria for each element you're testing. Examples include:
- Is the principal diagnosis supported by documentation?
- Are all secondary diagnoses present on admission and clinically valid?
- Does the procedure code match the operative report?
- Is the level of E/M service substantiated by documented medical decision-making?
- Are modifiers applied correctly?
Standardized tools reduce subjective judgment and make findings easier to track over time. They also help if you need to defend your audit methodology during an external review.
Assign qualified reviewers
Auditors should hold relevant certifications (CCS, CPC, CDIP) and have recent experience in the areas they're reviewing. Don't assign an outpatient coder to audit complex inpatient surgical cases without additional training.
Peer review can work for internal audits, but avoid having coders audit their own work. Independence matters for credibility.
Self-audit strategies for high-risk coding areas
Self-audits give you control over the process and timeline. Here are targeted strategies for common risk areas.
Audit your HCC coding practices
Pull a sample of charts where HCC codes were reported. Verify that the diagnosis appears in the current year's documentation, that a qualified provider documented it during a face-to-face visit, and that the condition was evaluated or treated.
Look for unsupported HCCs carried forward from previous years without current clinical evidence. This is a common finding in OIG audits and results in risk score adjustments and payment recoupment.
MedCodex Health supports organizations with HCC coding accuracy reviews that identify documentation gaps before payer audits occur.
Review surgical and procedural coding
Compare procedure codes to operative reports and procedure notes. Confirm that the code reflects the approach (open vs. laparoscopic), anatomical site, and laterality where applicable.
Check for unbundling errors where component procedures were billed separately instead of using a comprehensive code. NCCI edits catch many of these, but coders sometimes override edits incorrectly.
Test E/M coding accuracy
Audit both outpatient and inpatient E/M services. For outpatient visits, verify that the level of service aligns with total time or medical decision-making documented. For inpatient visits, confirm that the coder applied the correct level based on complexity and time.
Flag any visits where the coder consistently selects the highest level of service. This pattern triggers payer audits.
Validate modifier usage
Incorrect modifier use causes claim denials and compliance risk. Common errors include misuse of modifier 25 (significant, separately identifiable E/M service), modifier 59 (distinct procedural service), and split/shared visit modifiers.
Review claims with these modifiers to confirm that the clinical scenario justifies their use and that documentation supports the billing decision.
Corrective action and documentation
Audit findings mean nothing without follow-up. Document every finding, calculate error rates, and categorize errors by type and severity.
When you identify coding errors, determine root cause. Was it a training gap? A documentation issue? A workflow problem? Assign corrective actions to the appropriate team and set deadlines.
Retrain coders on specific guidelines where errors cluster. If multiple coders misapply the same rule, that's a training issue. If one coder shows high error rates across categories, that's a performance issue requiring individual coaching.
Track corrective actions to completion. Re-audit the same area 60 to 90 days after implementing changes to verify improvement. If error rates don't drop, your corrective action didn't work.
Keep detailed records of your audit process, findings, and corrective actions. If an external auditor questions your coding, you'll need evidence that you have an active compliance program.
Preparing for external audits
External audits come from Medicare contractors (MACs, RACs, ZPICs), commercial payers, and Medicare Advantage plans. Preparation reduces findings and speeds resolution.
Maintain an audit response team that includes coding leadership, compliance officers, HIM staff, and legal counsel if needed. Assign clear roles before an audit notice arrives.
When you receive an audit request, respond within the stated deadline. Gather the requested records, but don't send extra documentation unless asked. Over-documentation can introduce new findings.
Review the requested records internally before submission. If you spot obvious errors, consult legal counsel about whether to self-report or withdraw claims. This decision depends on error type and volume.
If the auditor issues findings, review them carefully. You have appeal rights. Many audit findings are overturned on appeal when providers submit additional documentation or clarify coding rationale.
Frequently asked questions
How often should a coding department conduct internal audits?
Most organizations conduct baseline audits quarterly and focused audits monthly for high-risk areas. New coders should be audited weekly for the first 90 days, then monthly until they achieve sustained accuracy above 95%. Experienced coders typically undergo quarterly or semi-annual audits unless performance issues or regulatory changes require more frequent review.
What is a passing accuracy rate for a coding audit?
Industry standards generally consider 95% accuracy as the minimum acceptable threshold for coding quality. Some organizations set higher targets for specific high-risk areas like HCC coding or inpatient DRG assignment. Accuracy below 90% indicates significant compliance risk and requires immediate corrective action including retraining and workflow review.
Can coding audits prevent RAC or ZPIC investigations?
Regular internal audits reduce the likelihood of external audit findings but don't prevent audits from occurring. RAC and ZPIC audits are often triggered by data analytics, billing patterns, or routine sampling rather than known compliance issues. However, organizations with strong internal audit programs typically have lower error rates when external audits occur, which reduces financial exposure and demonstrates good faith compliance efforts.
What documentation should we keep from internal coding audits?
Retain audit work papers, sample selection methodology, reviewer credentials, individual findings by record, aggregate results, corrective action plans, training materials, and follow-up audit results for at least 7 years. This documentation demonstrates your compliance program's effectiveness and provides evidence during external audits or government investigations. Store audit records securely and separately from billing records.
Should we hire external auditors or conduct audits internally?
Both approaches have value. Internal audits are more frequent, less expensive, and allow immediate feedback to coders. External auditors provide objectivity, specialized expertise in high-risk areas, and credibility with payers and regulators. Many organizations use internal auditors for routine monitoring and bring in external experts for annual comprehensive reviews, pre-billing audits for new service lines, or when preparing for known regulatory scrutiny.
Take action before the audit notice arrives
Audit preparation isn't a one-time project. It's an ongoing compliance function that protects revenue, reduces risk, and demonstrates your commitment to accurate billing. Start with your highest-risk areas, use statistically valid sampling, document findings thoroughly, and follow through on corrective actions.
If your coding team is stretched thin or lacks specialized audit expertise, you don't have to manage it alone. MedCodex Health offers coding quality audits that identify compliance gaps, quantify financial risk, and provide actionable recommendations. Contact us for a free audit consultation tailored to your organization's risk profile.