Medical billing investigations sit at the intersection of healthcare regulation, federal criminal exposure, and civil False Claims Act liability. A single set of facts can produce a Medicare audit, a Medicaid investigation by the Office of the Medicaid Inspector General (OMIG), a False Claims Act civil suit (often filed under seal by a relator), a parallel federal grand jury investigation, professional discipline through OPMC or OPD, and exclusion proceedings under 42 U.S.C. § 1320a-7. Coordinated defense across all of those tracks — not just the audit in front of you — is essential.

Who Audits and Investigates Medical Billing in New York

Agency or Contractor	Scope and Authority
CMS Recovery Audit Contractors (RACs)	Post-payment review of Medicare fee-for-service claims. Identify and recover overpayments. Operate on contingency.
Medicare Administrative Contractors (MACs)	Process Medicare Part A and B claims; conduct prepayment and post-payment reviews; issue overpayment determinations.
Unified Program Integrity Contractors (UPICs)	Integrated Medicare and Medicaid program integrity investigations; investigate suspected fraud and refer to law enforcement.
HHS Office of Inspector General (OIG)	Federal civil and administrative investigations; exclusion authority under 42 U.S.C. § 1320a-7; Civil Monetary Penalties Law (42 U.S.C. § 1320a-7a).
DOJ Civil Division and US Attorney’s Offices	Federal False Claims Act civil enforcement (31 U.S.C. §§ 3729–3733); criminal healthcare fraud (18 U.S.C. § 1347). EDNY, SDNY, NDNY, WDNY for NY-based providers.
NYS Office of the Medicaid Inspector General (OMIG)	State Medicaid program integrity. Audits, investigations, recoupments, exclusions, and referrals to the Medicaid Fraud Control Unit.
NY Medicaid Fraud Control Unit (MFCU)	Within the NY Attorney General’s Office. Criminal Medicaid fraud, abuse and neglect in Medicaid-funded facilities, civil enforcement under the NY False Claims Act (State Finance Law § 187 et seq.) and Social Services Law § 145-b.
Commercial payer special investigations units (SIUs)	Private payer audits and recoupment demands. Often the first warning of broader exposure if government payers are also implicated.
Qui tam relators	Private parties (often current or former employees) who file FCA suits under seal on behalf of the government. The provider learns of the case only when the seal is partially or fully lifted.

The Legal Framework

Federal False Claims Act (31 U.S.C. §§ 3729–3733). Civil liability for knowingly submitting (or causing to be submitted) false claims to the federal government, or for knowingly making false records or statements material to a false claim. Penalties include treble damages plus per-claim civil penalties (currently roughly $14,000 to $28,000 per false claim, indexed annually). The “knowingly” standard includes actual knowledge, deliberate ignorance, and reckless disregard — not just intent to defraud.

Federal healthcare fraud statute (18 U.S.C. § 1347). Criminal liability for executing a scheme to defraud any health care benefit program or to obtain money or property by false pretenses. Up to 10 years’ imprisonment per offense; 20 years if the violation results in serious bodily injury; life if it results in death.

Anti-Kickback Statute (42 U.S.C. § 1320a-7b). Criminal prohibition on remuneration to induce or reward referrals of items or services payable by federal healthcare programs. Violations can also serve as predicates for FCA liability.

Stark Law (42 U.S.C. § 1395nn). Strict-liability prohibition on physician self-referral of designated health services to entities with which the physician has a financial relationship, absent an applicable exception. Stark violations create FCA exposure for the underlying claims.

Civil Monetary Penalties Law (42 U.S.C. § 1320a-7a). Administrative penalties enforced by HHS OIG for a wide range of conduct, including upcoding, billing for medically unnecessary services, and pattern claims that should have been known to be false.

Federal exclusion statute (42 U.S.C. § 1320a-7). Mandatory exclusion from federal healthcare programs upon conviction of certain healthcare-related offenses; permissive exclusion for a broader range of conduct. Exclusion is often the most damaging single consequence of a billing investigation.

NY False Claims Act (State Finance Law § 187 et seq.). State-law parallel to the federal FCA, specifically including tax claims (rare among state FCAs). Enforced by the NY Attorney General. Treble damages plus per-claim penalties.

Social Services Law § 145-b. NY civil and administrative liability for false statements made to obtain Medicaid payments. Penalties up to three times the amount falsely claimed plus per-claim penalties.

Penal Law Article 177. NY criminal “Health Care Fraud” offenses, with felony grading scaled to the amount obtained.

HIPAA-related exposure. The Health Insurance Portability and Accountability Act (HIPAA) created additional federal criminal healthcare fraud offenses; OCR enforcement of privacy and security can produce parallel exposure when billing investigations expose PHI handling deficiencies.

Common Billing Allegations

Upcoding. Billing a higher-paying CPT or E/M code than the documentation supports. The most common single allegation in healthcare billing matters. Often built from statistical analysis of E/M coding patterns relative to specialty peer groups.

Unbundling. Billing separately for component services that should be billed as a single bundled code under the National Correct Coding Initiative (NCCI) edits.

Billing for services not rendered (“phantom billing”). Submitting claims for services that did not occur. The most serious type of allegation; supports both FCA and criminal exposure.

Billing for medically unnecessary services. Submitting claims for services not supported by medical necessity under the applicable Local or National Coverage Determination. Pattern allegations are common in laboratory, imaging, durable medical equipment, and behavioral health settings.

Misrepresentation of place of service. Billing facility-rate codes for services rendered in a non-facility setting (or vice versa).

“Incident to” and supervision violations. Billing services performed by non-physicians under a physician NPI without satisfying the supervision and “incident to” requirements (42 CFR § 410.26 and related).

Improper modifier use. Misuse of modifiers (-25, -59, -GT, -95, etc.) to obtain separate or higher payment.

Anti-Kickback / Stark referral arrangements. Compensation arrangements with referring physicians, marketing relationships, lab and imaging arrangements, and joint ventures that do not fit a Safe Harbor or Stark exception.

60-day overpayment rule violations. Failure to report and return identified overpayments within 60 days of identification (42 U.S.C. § 1320a-7k(d)). Non-return of an identified overpayment becomes a “reverse false claim” under the FCA.

Telehealth-specific allegations. Place-of-service coding, audio-only versus video distinctions, originating-site requirements, and post-PHE rule changes.

Potential Consequences

• Recoupment: Repayment of overpayments, often calculated through statistical extrapolation from a sample to the universe of claims
• FCA damages and penalties: Treble damages plus per-claim civil penalties (currently approximately $14,000 to $28,000 per false claim under the federal FCA, indexed for inflation)
• Criminal charges: 18 U.S.C. § 1347 (up to 10 years per count), 18 U.S.C. § 1349 (conspiracy), and related statutes; NY Penal Law Article 177
• Anti-Kickback / Stark exposure: Treble damages, civil monetary penalties, criminal liability under the AKS, and FCA exposure based on tainted referrals
• OIG exclusion: Mandatory or permissive exclusion from Medicare, Medicaid, TRICARE, and other federal healthcare programs — often a practice-ending consequence
• State Medicaid sanctions: OMIG-imposed recoupments, censure, and exclusion from NY Medicaid
• Professional discipline: OPMC, OPD, or other licensing board action (Education Law §§ 6509, 6530)
• Corporate Integrity Agreement (CIA): Multi-year monitoring and reporting obligations as a condition of continued federal program participation
• Hospital and payer consequences: Loss of admitting privileges, removal from preferred-provider networks, contractual termination
• NPDB reporting: Adverse actions reportable to the National Practitioner Data Bank
• Asset forfeiture: Criminal and civil forfeiture of assets traceable to the alleged offense

The Defense Process

Self-Disclosure as a Strategic Option

When an internal review identifies a material billing problem before the government does, voluntary self-disclosure can substantially reduce exposure compared to discovery through audit or relator action. Two formal pathways exist:

OIG Self-Disclosure Protocol (SDP). For potential FCA violations, the AKS, and certain other conduct. OIG SDP resolutions typically settle at a multiplier closer to 1.5x rather than the FCA’s 3x default, with no CIA in many cases.

CMS Self-Referral Disclosure Protocol (SRDP). For Stark Law violations specifically. Settlement amounts in SRDP cases are typically a fraction of full FCA exposure.

Self-disclosure is not appropriate for every situation. In some matters, the better course is a quiet refund and process correction. In others, the issue does not rise to the level of a “potential FCA violation” requiring disclosure. The 60-day overpayment rule (42 U.S.C. § 1320a-7k(d)) creates its own analytical framework that does not always require an SDP submission. The decision is matter-specific and requires careful counsel review — self-disclosure done badly can create exposure that did not previously exist.

Who the Firm Represents

• Solo practitioners and small medical groups
• Multispecialty practices and PLLCs
• Dental practices and oral surgery groups
• Behavioral health and substance use treatment providers
• Physical, occupational, and speech therapy practices
• Diagnostic imaging and laboratory entities
• Durable medical equipment (DME) suppliers
• Ambulatory surgery centers
• Medical billing companies and revenue cycle management firms (separate exposure as billing agents)
• Hospital-based physician groups (anesthesiology, radiology, pathology, hospitalist, intensivist)

Frequently Asked Questions

A RAC has requested 30 charts. Is this a fraud investigation?

Not necessarily. RAC reviews are routine and most providers receive them periodically. But the records request is the start of a process that can escalate — sample-level findings can lead to extrapolation, which can lead to large overpayment determinations, which can attract OIG or DOJ attention if the pattern suggests FCA exposure. Treat every records request as the potential first step in a longer matter and engage counsel before producing.

I just received a Civil Investigative Demand from the U.S. Attorney’s Office. What does that mean?

A CID is a powerful pre-suit discovery tool authorized by the FCA (31 U.S.C. § 3733). It typically signals the existence of an unsealed or sealed qui tam complaint or a government-initiated investigation. CIDs require document production, written interrogatory responses, and often oral testimony. They are not optional and have specific deadlines. Engage counsel immediately — CID response is a critical inflection point in the matter.

A former employee just sued me on behalf of the government. Now what?

If you’ve received an unsealed qui tam complaint, the case has been pending under seal — sometimes for years — while the government investigated and decided whether to intervene. Government intervention dramatically increases the relator’s leverage; declination is more favorable for the defendant but does not end the case (the relator can proceed). Either way, the case proceeds in federal court. Defense begins with a thorough internal investigation independent of the relator’s narrative.

My biller did this, not me. Am I personally liable?

Possibly. The FCA’s “knowing” standard includes deliberate ignorance and reckless disregard, not just actual knowledge. Practice owners can be liable for the conduct of their billing staff or third-party billing companies. Documentation of compliance program design, training, and oversight matters. The defense often turns on what the owner reasonably should have known and did about the billing patterns at issue.

What is the 60-day overpayment rule?

42 U.S.C. § 1320a-7k(d) requires healthcare providers to report and return Medicare and Medicaid overpayments within 60 days of “identification.” Non-return of an identified overpayment becomes a “reverse false claim” under the FCA, with full FCA exposure. The trigger (“identification”) is the subject of substantial litigation and CMS guidance. Whether and when the 60-day clock starts is itself a frequent area of dispute.

Will my malpractice insurance cover billing defense?

Many policies include some coverage for regulatory and administrative defense (audits, OPMC, OPD), and some include limited FCA defense coverage. Criminal defense is often excluded. Coverage limits, deductibles, and definitions vary widely. Notice provisions are time-sensitive — late notice can void coverage. Notify the carrier in writing and copy counsel; do not assume coverage or non-coverage without policy review.

What is exclusion and how serious is it?

Exclusion under 42 U.S.C. § 1320a-7 bars a provider from receiving payment from any federal healthcare program (Medicare, Medicaid, TRICARE, FEHB, etc.). Exclusion is mandatory for certain convictions and permissive for a wide range of other conduct. For most practices, exclusion is the single most damaging consequence available — it eliminates the bulk of revenue and triggers cascading consequences with hospitals, payers, and credentialing entities. Avoiding exclusion is often the central strategic objective in resolution negotiations.

How We Help

The firm represents healthcare providers in defense of Medicare, Medicaid, OMIG, OIG, and US Attorney billing matters — from initial audit response through administrative appeal, FCA settlement, or trial. The firm partners with experienced criminal trial counsel where the matter benefits from additional resources, particularly in federal criminal cases. For practices identifying potential billing issues internally, the firm advises on the appropriate response — refund, internal correction, OIG SDP, CMS SRDP, or other path — based on the specific facts and exposure profile.

Related pages: Healthcare law · Healthcare law for medical professionals · Prescription defense · Independent Dispute Resolution · Criminal defense · Medical litigation

Contact Us

Call toll-free: (888) 275-2620. Available 24/7.

Suffolk County Office: 12 Bank Avenue, Smithtown, NY 11787

Nassau County Office: 1225 Franklin Avenue, Suite 325, Garden City, NY 11530

The firm represents healthcare providers in billing defense matters across all 62 New York counties.

Our law firm has over 3,000 client testimonials across Google, BBB, Trustpilot, and other platforms. View verified client reviews.

Contact the law firm

Last reviewed by Attorney Ronald S. Cook — May 2026

This page is for informational purposes only and does not constitute legal advice. Statutes, regulations, and procedural rules change; verify current requirements before relying on the information here. Per-claim FCA penalties are indexed annually for inflation; current ranges are illustrative. Prior results do not guarantee future results.