OIG Telehealth Audit Priorities for Behavioral Health: What to Expect in 2026

Why the OIG Is Focused on Behavioral Health Telehealth

The convergence of three factors has made behavioral health telehealth a top OIG enforcement priority in 2026.

First, behavioral health had the highest telehealth adoption rate of any medical specialty during the COVID-19 public health emergency (PHE). At peak adoption in 2020-2021, an estimated 60-70% of outpatient behavioral health visits were delivered via telehealth. While other specialties returned substantially to in-person care after the PHE, behavioral health maintained elevated telehealth utilization rates. CMS data shows that in 2025, approximately 50-55% of outpatient behavioral health claims included a telehealth modifier, compared to 10-15% for most medical specialties. This volume makes behavioral health the largest single-specialty contributor to telehealth claims in both Medicare and Medicaid.

Second, the OIG has already demonstrated through enforcement actions that telehealth fraud in behavioral health is a real and significant problem. Since 2023, DOJ and OIG joint enforcement actions have targeted telehealth schemes involving behavioral health services, including cases where providers billed for psychotherapy sessions that never occurred, where sessions billed as 53+ minutes (90837) were actually brief phone calls, and where companies recruited patients for unnecessary telehealth assessments used to bill for durable medical equipment or genetic testing. These high-profile fraud cases have sensitized auditors to the entire behavioral health telehealth billing population.

Third, the post-PHE regulatory framework for telehealth is still settling. Congress extended most Medicare telehealth flexibilities through 2027 (see our Medicare telehealth extension analysis), but the extension created new compliance requirements around place of service codes, modifiers, and documentation standards that many practices have not fully implemented. The gap between what was permitted during the PHE and what is required now creates a compliance risk zone that auditors are specifically targeting.

Behavioral Health-Specific Audit Triggers

OIG and its contractor auditors use data analytics to identify practices with billing patterns that suggest potential compliance problems. For behavioral health telehealth, the following patterns trigger heightened scrutiny:

High Volume of 90837 (53+ Minute Therapy) Via Telehealth

CPT 90837 requires a minimum of 53 minutes of psychotherapy time. Auditors have identified that some practices bill 90837 for a disproportionately high percentage of telehealth sessions compared to their in-person sessions, or compared to peer practices. If 80% or more of a practice's telehealth therapy claims are billed at the 90837 level, the practice will likely appear in audit data pulls. The concern is that clinicians may be billing 90837 based on the scheduled appointment length (60 minutes) rather than actual session time, or that documentation does not support the time threshold.

The fix is straightforward: document start and stop times for every therapy session, and bill the code that matches the actual documented time. If the session lasted 42 minutes, bill 90834. Consistent, accurate time documentation eliminates this audit trigger entirely.

Audio-Only Claims Volume

Audio-only (telephone) behavioral health sessions are reimbursable under specific conditions in Medicare and in many state Medicaid programs, but they carry heightened audit risk. Audio-only sessions lack the visual clinical assessment component that video and in-person sessions provide, and auditors question whether the clinical content and time documented are accurate when there is no video record. Practices with high audio-only utilization rates (more than 30-40% of telehealth claims) attract scrutiny.

For audio-only sessions, documentation must include: the clinical rationale for using audio-only rather than video (patient lacks broadband, patient preference with clinical appropriateness documented, etc.), the same clinical content as a video or in-person session, and the correct modifier (93 for audio-only synchronous telehealth). Claims billed with modifier 95 (synchronous video telehealth) for audio-only sessions are a coding error that auditors will catch.

Cross-State Telehealth

Providers delivering telehealth services to patients in states other than the provider's primary practice location attract audit attention for two reasons: licensure compliance (is the provider licensed in the patient's state?) and billing accuracy (are the correct state-specific billing rules being followed?). The OIG is particularly interested in situations where a provider in one state bills a high volume of claims for patients in multiple other states, which can indicate either a legitimate multi-state practice or a telehealth mill operating without proper licensure.

Group Therapy Via Telehealth

Billing group therapy (CPT 90853) via telehealth raises documentation challenges. Auditors want to see documentation that all patients listed in the group were actually present and participating, that the group session met the minimum time requirements, and that the billing accurately reflects the number of participants. The telehealth environment makes it harder to verify participation (a patient may be logged in but not present), and auditors are aware of this vulnerability.

Documentation Requirements That Auditors Evaluate

When your telehealth claims are selected for audit, the reviewer will examine each note against specific documentation criteria. A note that meets these standards will survive audit; a note that falls short will result in a denied claim and potential overpayment demand. These are the elements auditors evaluate:

Modality Statement

Every telehealth note must clearly state the modality used for the session. "Session conducted via synchronous video telehealth using [platform name]" or "Session conducted via audio-only telephone due to patient's lack of broadband access." A note that does not specify the modality is deficient, even if the claim includes the correct telehealth modifier. Auditors view the absence of a modality statement as a red flag because it suggests the documentation was not tailored to the actual service delivery method.

Patient and Provider Location

The note must document the patient's location (city and state at minimum) and the provider's location. This information is necessary to verify that the correct Place of Service code was used, that the provider was licensed in the patient's state, and that state-specific telehealth billing rules were followed. Some states require the patient's specific location type (home, office, etc.) in addition to the geographic location.

Consent Documentation

Informed consent for telehealth must be documented. This can be a signed consent form (for new patients) or a notation that ongoing consent was confirmed at the beginning of the session. Many states have specific telehealth consent requirements, and auditors will check that the documented consent meets the applicable standard. For Medicare, CMS requires that the patient agrees to the telehealth modality and that this agreement is documented.

Clinical Content Equivalent to In-Person

The clinical content of a telehealth note must be equivalent in depth and quality to what would be documented for an in-person session. This means documenting the patient's presenting concerns, clinical observations (for video: appearance, affect, psychomotor activity, engagement; for audio-only: tone, rate of speech, coherence, engagement level), therapeutic interventions used, patient response, risk assessment, and the treatment plan. Notes that are significantly shorter or less detailed than the practice's in-person notes for equivalent codes will be flagged.

Time Documentation for Time-Based Codes

For time-based therapy codes, the most important documentation element is start and stop time:

• 90834 (Individual psychotherapy, 45 minutes): Requires 38-52 minutes of psychotherapy time. The note should document times that support this range.
• 90837 (Individual psychotherapy, 60 minutes): Requires 53 minutes or more of psychotherapy time. If the documented time is 52 minutes, the correct code is 90834, not 90837. Auditors calculate the time from the documented start and stop and compare it to the billed code.
• Time must reflect psychotherapy time, not total encounter time. If the clinician spends 10 minutes on paperwork and 48 minutes on psychotherapy, the psychotherapy time is 48 minutes (90834), not 58 minutes.

Place of Service Code Compliance

POS code errors are the single most common billing error identified in telehealth audits. After the PHE, CMS established a clear POS code framework for telehealth that many practices have not fully implemented:

• POS 10 (Telehealth Provided in Patient Home): Use when the patient is at their residence. This is the correct POS for the vast majority of behavioral health telehealth sessions in 2026.
• POS 02 (Telehealth Provided Other than in Patient Home): Use when the patient is at a healthcare facility, community center, or other non-home location receiving telehealth services. This was more common before the PHE when patients typically went to an originating site.
• POS 11 (Office): This is an in-person code. Do not use POS 11 for telehealth sessions. This error occurs when practices fail to update their default POS settings after converting in-person appointments to telehealth.

The POS code matters for reimbursement: some payers reimburse POS 10 at a lower rate than POS 11 (the so-called "facility/non-facility" rate differential), while others pay the same rate regardless of POS. Using the wrong POS code is a billing error regardless of whether it results in an overpayment or underpayment. Auditors do not give credit for good intentions; they evaluate coding accuracy.

Modifier Compliance: 95, 93, and Legacy GT Issues

Telehealth modifiers tell the payer the modality used for the service. Getting them right is essential:

• Modifier 95 (Synchronous telehealth service rendered via real-time interactive audio and video): Use for live video telehealth sessions. This is the standard telehealth modifier for most behavioral health video sessions.
• Modifier 93 (Synchronous telehealth service rendered via telephone or other real-time interactive audio-only): Use for audio-only sessions. This modifier was introduced during the PHE and is now the standard for telephone-based sessions where the payer permits audio-only billing.
• Modifier GT (Via interactive audio and video telecommunications systems): This is a legacy modifier that has been replaced by modifier 95 for most payers, including Medicare. Some state Medicaid programs and commercial payers still accept or require GT. Using GT when the payer expects 95, or vice versa, can cause claim denials or audit flags. Verify each payer's current modifier requirements.

A common error: billing modifier 95 for an audio-only session, or billing modifier 93 for a video session. These mismatches indicate either sloppy coding or intentional upcoding (audio-only billed as video). Auditors flag these mismatches systematically through claims data analysis.

ZPIC/UPIC Audit Process: What Happens When You Get a Records Request

Zone Program Integrity Contractors (ZPICs) and Unified Program Integrity Contractors (UPICs) are CMS-contracted entities that investigate potential fraud, waste, and abuse in Medicare and Medicaid billing. If your telehealth billing patterns trigger their algorithms, here is what to expect:

1. Records request letter. You will receive a formal letter requesting complete medical records for a sample of claims, typically 20-40 claims. The letter specifies which claims, what documentation to provide, and the response deadline (usually 30 days, sometimes 45). The letter may come from the ZPIC/UPIC directly or from the Medicare Administrative Contractor (MAC).
2. Record compilation and submission. You must submit the complete medical record for each sampled claim, including the clinical note, treatment plan, consent documentation, and any supporting documents. Submit everything relevant. Incomplete submissions count against you.
3. Clinical review. A clinical reviewer (typically a nurse or physician) evaluates each note against the documentation requirements for the billed code. For telehealth claims, they specifically check modality, location, time documentation, clinical content, and coding accuracy.
4. Preliminary determination. The contractor issues a preliminary determination identifying denied claims and the calculated overpayment. If the error rate in the sample exceeds a threshold (typically 50%), the contractor may extrapolate the error rate across your full claim population, which can produce overpayment demands of $100,000 to $1,000,000 or more.
5. Appeals process. You have appeal rights through the standard Medicare appeals process: redetermination (35 days to file), reconsideration by a Qualified Independent Contractor (180 days to file), Administrative Law Judge hearing (60 days to file), Medicare Appeals Council review, and federal court review. Most cases are resolved at the redetermination or reconsideration level. However, the appeals process can take 12-24 months, and the overpayment demand accrues interest during the appeal.

The best defense is not needing one. Practices with clean documentation rarely face adverse audit outcomes. Practices with documentation gaps face costly and time-consuming appeals processes.

What Your Billing Team Needs to Do

These are the specific, prioritized action items for behavioral health organizations that bill telehealth services:

1. Conduct an internal telehealth billing audit immediately. Pull a random sample of 20-30 telehealth claims from the past 12 months. For each claim, pull the clinical note and evaluate it against the documentation standards described in this article. Check: Is the modality stated? Is the patient location documented? Is the time documented with start and stop times? Does the documented time support the billed code? Is the POS code correct? Is the modifier correct? Calculate your error rate. If it exceeds 10%, you have a significant compliance problem that needs immediate remediation.
2. Verify and standardize POS codes across all telehealth claims. Run a report of all telehealth claims submitted in the past 6 months and identify POS code usage. If you find POS 11 on telehealth claims, or POS 02 where POS 10 is appropriate, correct the systematic error. Update your practice management system defaults so that telehealth appointments automatically populate the correct POS code based on session type.
3. Audit modifier usage. Verify that modifier 95 is used only for video sessions and modifier 93 is used only for audio-only sessions. Check whether any claims use the legacy GT modifier for payers that now require 95. Correct any systematic modifier errors and update your billing rules.
4. Implement mandatory time documentation for all therapy sessions. Require clinicians to document start time and stop time for every therapy session, telehealth or in-person. This is the single most impactful compliance action for behavioral health. Without documented times, any 90837 claim is at risk in an audit. Build time fields into your note templates so clinicians document times as part of their standard workflow rather than as an afterthought.
5. Update telehealth note templates. Your telehealth note template should include required fields for: modality (video/audio-only), patient location (city, state), provider location, telehealth consent confirmation, session start time, session stop time, and clinical observations appropriate to the modality. The template should not allow the note to be finalized without these fields completed.
6. Train clinicians on time-based code selection. Many clinicians do not understand the time thresholds for 90834 vs. 90837. Conduct a training session that explicitly explains: 90834 = 38-52 minutes of psychotherapy, 90837 = 53+ minutes of psychotherapy, and the time is psychotherapy time only, not total encounter time. Provide examples and have clinicians practice applying the thresholds to sample scenarios.
7. Create an audit response protocol. Do not wait until you receive an audit letter to figure out your response process. Designate a compliance officer or team lead who will manage audit responses. Create a checklist of what documentation to compile for each audited claim. Establish relationships with a healthcare attorney who can advise on audit responses and appeals. Having a protocol in place reduces the risk of missed deadlines and incomplete submissions.
8. Monitor billing patterns quarterly. Run quarterly reports comparing your telehealth billing patterns to benchmarks: What percentage of therapy claims are 90837 vs. 90834? What is your audio-only vs. video mix? What is your POS code distribution? If your patterns diverge significantly from industry averages, investigate whether the divergence reflects legitimate clinical practice or a coding problem.

Revenue and Financial Impact

The financial risk of telehealth audit findings is substantial, and it scales with the volume of telehealth claims your practice submits.

Beyond the direct overpayment risk, audit findings can trigger additional consequences:

• Prepayment review: If audit findings indicate a pattern of billing errors, the MAC may place the practice on prepayment review, meaning every claim must be reviewed before payment. This can delay payments by weeks or months and significantly impair cash flow.
• Referral to OIG for fraud investigation: If the ZPIC/UPIC identifies patterns suggesting intentional fraud (as opposed to inadvertent errors), they refer the case to OIG for formal investigation. Fraud investigations can result in civil monetary penalties, False Claims Act liability (treble damages plus per-claim penalties), and exclusion from federal healthcare programs.
• Credentialing and network consequences: Audit findings can affect credentialing status with commercial payers and managed care organizations. Some payers require practices to report audit outcomes, and adverse findings can lead to termination from payer networks.

EHR and Technology Implications

Your EHR system is your first line of defense against telehealth audit findings. The right system configuration can prevent documentation errors at the point of care, before they become billing errors and audit targets.

• Telehealth-specific note templates: Your EHR should offer distinct note templates for telehealth encounters that include mandatory fields for modality, patient location, provider location, consent confirmation, and start/stop times. These fields should be required, meaning the note cannot be signed and finalized without them. This forces documentation compliance at the point of care rather than relying on clinician memory or retrospective auditing. EHR platforms like AZZLY Rize and PIMSY include telehealth-specific templates with built-in required fields that enforce these documentation standards automatically.
• Automatic POS code assignment: The EHR should automatically assign the correct POS code based on the appointment type. When a clinician selects "telehealth - patient at home" as the visit type, the system should populate POS 10. When "telehealth - patient at facility" is selected, POS 02 should populate. This eliminates the most common telehealth billing error without requiring manual intervention.
• Automatic modifier appending: Based on the modality documented in the note, the EHR should automatically append the correct modifier (95 for video, 93 for audio-only) to the claim. This ensures modifier accuracy and prevents the mismatch errors that auditors target.
• Built-in time tracking: The EHR should include session timer functionality that records start and stop times automatically, or at minimum, require clinicians to enter start and stop times as part of the note workflow. Some systems also include logic that compares documented time against the selected billing code and alerts the clinician if there is a mismatch (for example, 48 minutes documented but 90837 selected).
• Audit trail and documentation integrity: The EHR must maintain a tamper-evident audit trail showing when each note was created, when it was signed, and any subsequent amendments. Auditors examine documentation timing to verify that notes were completed contemporaneously with the session. Notes completed days or weeks after the session are viewed with skepticism. An EHR with robust audit trail capabilities demonstrates documentation integrity.
• Billing analytics and compliance reporting: Your EHR or practice management system should be able to generate the reports needed for internal auditing: telehealth claim volume by CPT code, POS code distribution, modifier usage, 90834 vs. 90837 ratios, and audio-only vs. video splits. These reports enable the quarterly monitoring described in the action items above.

Frequently Asked Questions

Why is the OIG targeting behavioral health telehealth specifically?

The OIG 2025-2026 Work Plan explicitly identifies telehealth billing for behavioral health as a priority audit area. Behavioral health had the highest telehealth adoption rate during the pandemic (60-70% of visits at peak), and utilization has remained at approximately 50-55% of outpatient claims. The OIG has identified patterns of potential fraud including high-volume billing of extended therapy codes via telehealth, audio-only claims that may not meet documentation standards, and cross-state telehealth arrangements. Since 2023, OIG and DOJ have recovered over $1 billion in telehealth fraud enforcement actions across all specialties, with behavioral health representing a significant share of those cases.

What are the most common telehealth billing errors that trigger OIG audits?

The most common errors include incorrect Place of Service codes (using POS 02 when POS 10 is appropriate, or POS 11 for telehealth sessions), billing 90837 at high volumes without supporting time documentation, using incorrect modifiers (95 for video vs. 93 for audio-only), billing audio-only sessions without proper documentation and authorization, and failing to document modality, patient location, and provider location. POS code errors alone account for an estimated 15-20% of telehealth claim denials and are among the first items auditors check.

What documentation is required for a telehealth session to survive an audit?

Auditors expect telehealth notes to contain the same clinical content as in-person notes plus additional telehealth-specific elements: modality statement (video or audio-only), patient location including state, provider location, informed consent documentation, start and stop times for time-based codes, clinical observations appropriate to the modality, a statement of clinical appropriateness for the modality, and for audio-only sessions, the clinical rationale for why video was not used. Notes that simply state "session conducted via telehealth" without these elements are the most common audit failure point.

What is the difference between POS 02 and POS 10 for telehealth?

POS 02 (Telehealth Provided Other than in Patient Home) is for patients receiving telehealth at a facility such as a hospital or clinic. POS 10 (Telehealth Provided in Patient Home) is for patients at their residence. The distinction affects reimbursement rates with some payers and is a coding accuracy issue regardless. For behavioral health, most telehealth sessions occur with the patient at home (POS 10). The legacy POS 02 coding that many practices defaulted to during the PHE transition remains a common source of errors. POS 11 (Office) should never be used for telehealth.

What happens if my practice receives a ZPIC or UPIC audit request?

You will receive a records request for a sample of 20-40 claims with a 30-day response deadline. You must submit complete records for each claim. A clinical reviewer evaluates documentation against coding standards. You receive a preliminary determination with denied claims and overpayment amount. If the error rate exceeds 50%, the contractor may extrapolate across your full claim population, potentially producing six-figure overpayment demands. You have appeal rights through the Medicare appeals process. Failure to respond within the deadline results in automatic denial of all sampled claims and potential extrapolation.

How can EHR systems help prevent telehealth audit risk?

Modern behavioral health EHR systems reduce telehealth audit risk through telehealth-specific note templates with required fields, automatic POS code assignment based on session type, automatic modifier appending based on modality, built-in time tracking for session start and stop times, and audit trail logging that records documentation timing and edits. EHR platforms such as AZZLY Rize and PIMSY include telehealth workflow features that enforce documentation standards at the point of care, catching errors before claims are submitted rather than after an auditor identifies them.

Editorial Standards

Last reviewed: February 26, 2026

Methodology

• OIG 2025-2026 Work Plan reviewed for telehealth-specific audit priorities and initiative descriptions
• Published OIG telehealth reports and data briefs analyzed for audit findings and enforcement patterns
• CMS Medicare Learning Network telehealth guidance reviewed for current billing and documentation requirements
• DOJ press releases on telehealth fraud enforcement actions cataloged and analyzed for behavioral health patterns

Primary Sources

• HHS OIG: Work Plan 2025-2026
• HHS OIG: Telehealth Program Integrity Reports
• CMS MLN: Telehealth Services Guidance
• DOJ: Health Care Fraud Enforcement Actions
• CMS: Place of Service Code Set