10 billing red flags that increase your audit risk as a therapist

Most therapy audits don’t start with a complaint or a tip-off. They start with a pattern in your billing data that looks different from your peers. Payers and Medicare contractors run claims through analytics that flag outliers, and the practices that get pulled for review are usually the ones whose numbers stand out. The good news is that the patterns are knowable. Once you can recognize them, you can check your own billing before anyone else does.

This is an awareness guide, not a fix-it guide. The goal is to help you look at your practice the way an auditor’s software does, and to point out the 10 things most likely to put you on a list.

A quick note on how seriously payers take this. In one federal review of psychotherapy services during the first year of the pandemic, the Office of Inspector General (OIG) estimated that of roughly $1 billion Medicare paid, about $580 million was improperly billed, with most of that tied to documentation problems.

Why audits usually start with your billing data

Before getting into the list, it helps to understand the machine on the other side. The Centers for Medicare and Medicaid Services (CMS) and commercial payers use data analytics to spot claims that deviate from the norm for a given specialty, region, and practice size. Under the Targeted Probe and Educate process, Medicare contractors specifically target clinicians with unusual billing practices, high utilization, or high error rates compared to their peers. Commercial payers like Optum, Aetna, and UnitedHealthcare have built similar review systems.

None of this means legitimate billing gets you in trouble. It means the appearance of your data matters, and that a defensible practice is one where your records back up every claim. With that in mind, here are the patterns that draw the most attention.

1. Billing the 60-minute code (90837) for nearly every session

The psychotherapy time codes are tied to documented session length: 90832 covers 16 to 37 minutes, 90834 covers 38 to 52 minutes, and 90837 covers 53 minutes or more, per AMA CPT rules. Because 90837 reimburses meaningfully more than 90834, it gets reviewed more aggressively than any other psychotherapy code.

The red flag is not using 90837. It’s using it for almost everything. Billing experts who work in behavioral health note that a typical caseload produces a mix of session lengths, and that practices billing a large majority of sessions as 90837 tend to stand out in payer analytics. There’s no official cutoff that automatically means “wrong,” but a practice whose claims are 90 percent 90837 looks very different from one with a realistic split, and that difference can prompt a review. If your ratio is heavily weighted toward the longest code, it’s worth understanding why.

2. Leaving start and stop times off your time-based codes

Because the psychotherapy codes are time-based, the time has to be in the note. Writing “60-minute session” is not enough on its own. Auditors and Medicare contractors look for the actual clock time the face-to-face session began and ended, or a clear total of face-to-face minutes.

This is the most common reason behavioral health claims fail review. In the OIG’s pandemic-era psychotherapy audit, reviewers found that for a large share of sampled days, clinicians did not properly document psychotherapy time or omitted other required information. When the time isn’t documented, a payer can downcode a 90837 to 90834 and demand the difference back, even when you genuinely spent the time. A simple habit, recording start and end times in every note, removes this exposure.

3. Using notes that look copied and pasted

Cloned documentation is a well-known audit signal. When a client’s notes read identically week after week, or when notes across different clients use the same boilerplate, it suggests the record doesn’t reflect what actually happened in each session. Industry coding guidance flags identical notes across sessions as a major audit risk, and weak or generic documentation is one of the most common reasons claims fail review.

Each note should reflect that day’s session: the client’s current presentation, the specific interventions used, their response, and progress toward treatment-plan goals. If your notes lean heavily on templates, the templates aren’t the problem on their own, but identical content from visit to visit is. For broader help here, see our guide to faster, audit-ready clinical documentation.

4. Missing a current treatment plan or a clear medical-necessity story

A treatment plan is not paperwork you can skip. Medicare and most payers expect an active, dated plan with a diagnosis, measurable goals, and planned interventions, and they expect your notes to connect back to it.

This is where one widely cited OIG audit landed hard. In its review of On-Site Psychological Services, the OIG found that 111 of 120 sampled claims did not comply with Medicare requirements, largely because treatment plans were missing required elements, and it estimated at least $3.3 million in overpayments. The lesson for a solo or group practice is the same at any scale: if you can’t produce a current treatment plan and show that each session supports medical necessity, an auditor can deny the claim regardless of how good the care was.

5. Billing almost everything as telehealth, or getting the telehealth details wrong

Telehealth is here to stay for behavioral health, and billing it is completely legitimate. But two telehealth patterns raise risk.

The first is volume: payers compare in-person to telehealth ratios, and practices billing nearly 100 percent virtual visits are more likely to be flagged for review.

The second is mechanics: using the wrong place-of-service code or leaving off a required modifier can trigger denials or overpayment demands.

Place-of-service and modifier rules vary by payer and change over time, so this is an area worth verifying against current guidance rather than relying on what worked last year. The pattern auditors notice is the combination of high telehealth volume and inconsistent coding details.

6. Leaning on vague diagnoses that don’t match the service

Every psychotherapy claim needs at least one ICD-10 diagnosis, and that diagnosis has to support the service you billed. Defaulting to unspecified codes, like F32.9 for depression or F41.9 for anxiety, is acceptable for the first visit or two while the picture is still forming. The risk comes when a practice keeps billing unspecified codes long-term, or pairs a mild, unspecified diagnosis with the longest, most intensive session code.

Billing guidance warns that payers increasingly treat high volumes of unspecified codes as a sign of inadequate documentation or upcoding risk, and that a mismatch between a low-acuity diagnosis and a 90837 can prompt manual review. The fix is specificity: as the clinical picture clarifies, the diagnosis should get more precise, and it should make sense alongside the intensity of care you’re billing.

7. Misusing crisis and add-on codes

Some codes carry extra scrutiny because they’re easy to apply incorrectly. A few that come up repeatedly in behavioral health reviews:

• Crisis code 90839 is for an urgent, unplanned intervention in an acute situation, not a difficult-but-stable session. Applying it to routine high-intensity visits is a documented audit trigger.

• Interactive complexity (90785) is an add-on billed only for the specific clients who meet a qualifying criterion, with that criterion documented in each client’s record. Billing it for everyone in a group is a flag.

• Psychotherapy add-on codes (90833, 90836, 90838) are used with an evaluation and management service, and that E/M code needs modifier 25 when it appears with the add-on. When you provide both medication management and therapy, the time for each has to be carved out and documented separately.

The common thread is that each of these codes describes a specific situation, and the note has to show that situation actually occurred.

8. Billing more sessions than the calendar can hold

Volume outliers are one of the oldest audit triggers. When the total hours billed in a day add up to more time than is physically possible, or when one clinician’s session counts sit far above their peers, payer analytics notice. In one OIG case, a clinician drew federal attention in part because of the sheer volume of claims submitted, which ranked among the highest in the nation.

This one tends to surface in group practices, where supervisory or billing arrangements can pile many sessions under a single name (more on that next). It can also surface for a solo clinician whose documented session times, added together, exceed a realistic workday. If your billed hours don’t reconcile with a believable schedule, that gap is visible in the data.

9. Billing a supervisee’s work under someone else’s name

When associate-level or pre-licensed clinicians deliver care, who appears on the claim matters a great deal. Billing a supervisee’s sessions under a fully licensed clinician’s name, when the payer’s rules don’t allow it, is one of the highest-risk practices in behavioral health. 

This is risky for two reasons. First, it can inflate one clinician’s session counts to levels that invite audits, as described above. Second, payers and regulators treat claims that misstate who rendered the service as a serious compliance problem. CMS has improper “incident to” payments in its sights, and commercial payers have built risk systems to catch it. The rules differ sharply by payer, by setting, and by state, and a single arrangement that’s allowed by one plan may be prohibited by another. If your practice bills for supervised clinicians, this is worth confirming against each payer’s contract rather than assuming. 

10. Billing before you’re credentialed, or beyond your license 

The last red flag is the one that catches otherwise careful practices off guard, because the claim itself can look perfect. A clean, well-documented claim can still be invalidated if the clinician wasn’t credentialed and enrolled with that payer on the date of service. Payers won’t pay for services delivered before approval, and assuming “in network” means “ready to bill” is a common and costly mistake.

A related issue is billing a code your license doesn’t cover. Payers check the rendering clinician’s taxonomy against the code automatically, so something like a non-prescribing therapist billing 90792, the evaluation code reserved for prescribers, gets denied or flagged. Keeping credentialing current and matching every code to the right license closes a gap that has nothing to do with the quality of your notes. Our overview of insurance credentialing for therapists covers how this works in more detail.

What to do if you recognize your practice here 

Spotting one of these patterns in your own billing isn’t cause for panic, and it doesn’t mean you’ve done anything wrong. Many of these issues come from habit, time pressure, or outdated guidance rather than intent. The point of awareness is that you can act before a payer does.

A reasonable next step is a quick internal review: pull a sample of your recent claims and check them against the 10 patterns above. Where something stands out, you can correct the habit going forward and decide whether any past claims need a closer look. Good documentation and accurate coding are also far easier to maintain when your practice management and billing tools prompt for the right details at the point of care rather than after the fact.

And if a records request or audit notice does land, that’s a different process with its own steps. Our guide to responding to a payer or Medicare audit walks through what to do, what to send, and how to protect your practice.

Frequently asked questions

What is the most common reason therapy claims get audited?

Outlier billing patterns are the usual starting point. Payers and Medicare contractors compare your claims to peers in your specialty and region, then review the ones that look unusual, such as a heavy concentration of the longest session code or session volumes that exceed a realistic schedule. From there, the most common reason claims actually fail review is documentation that doesn’t fully support what was billed.

Does billing 90837 a lot automatically trigger an audit?

No single percentage automatically triggers an audit, and 90837 is a valid code when your sessions genuinely run 53 minutes or longer. The risk comes from billing it for nearly every session, which makes your data an outlier. The protective move is to bill the code that matches the actual documented time of each session and to keep start and stop times in your notes.

How far back can a payer audit go?

It depends on the payer and the program, and lookback periods vary. When auditors identify a systemic problem in a sample of claims, they may apply extrapolation, estimating overpayments across a larger population of similar claims, which is how a small sample of errors can turn into a much larger repayment demand. This is one reason consistent documentation across your whole caseload matters, not just on individual claims.

Can a perfectly documented claim still fail an audit?

Yes. If the rendering clinician wasn’t credentialed with the payer on the date of service, or the code didn’t match the clinician’s license, the claim can be invalidated regardless of how strong the notes are. Credentialing status and license-to-code alignment are separate from documentation quality, and both need to be right.

Are commercial payers as strict as Medicare on this?

Increasingly, yes. Commercial payers have adopted data analytics and review systems modeled on Medicare’s approach, and several have built risk tools specifically to catch issues like improper supervisory billing and outlier coding. The patterns that flag a claim for Medicare tend to flag it for commercial payers as well, though the specific rules and modifiers differ by plan.