How to reduce audits for your therapy practice
At a glance
- Most audit problems trace back to documentation gaps, not fraud. Fixing your notes fixes your risk.
- CMS data shows outpatient psychiatry has a 16.1% improper payment rate, and most of those errors are documentation issues that are entirely preventable.
- When an audit letter arrives, read it carefully first. The letter tells you exactly what to send.
- Regular self-audits are your best defense. Build them into your routine, not just your panic.

An audit letter from a payer is one of the most stressful pieces of mail a therapist can receive. The good news: most audits are not accusations, and most findings trace back to documentation gaps that are entirely preventable. Knowing what auditors actually look for, and building habits that hold up when they look, is the difference between a routine records request and a recoupment.
Why payer audits happen
Payers audit because they are required to. The Centers for Medicare and Medicaid Services (CMS) contracts with Recovery Audit Contractors (RACs) to identify and correct improper payments, running both system-level automated reviews and complex reviews in which a qualified person reads the medical record. Commercial payers run similar programs, often through contracted vendors.
A subset of audits are required by federal law. Risk adjustment audits, for example, are conducted annually under requirements set by the U.S. Department of Health and Human Services (HHS), which means even a perfect practice will eventually receive a records request.
One thing worth naming directly: auditors are not evaluating whether your clinical decisions were correct or if you’re a good therapist. They’re checking whether your documentation supports what you billed. That’s a much narrower question than most clinicians fear, and it’s one you can prepare for. An audit letter is a request for records, not a verdict. The volume of audit activity in behavioral health is real, but the outcome depends almost entirely on what your documentation shows when the auditor opens the file.
The audit types you’re most likely to see
You don’t need to memorize every audit program, but knowing the general categories reduces the surprise factor.
- Random or routine reviews. Payers pull a sample of claims to assess overall accuracy. The selection is not personal.
- Targeted or “red flag” reviews. Triggered by something specific in your billing data, such as a code used at an unusual frequency, a diagnosis pattern that doesn’t match peers, or a complaint.
- Medicare Recovery Audit Program (RAC) reviews. Conducted by CMS contractors to identify improper payments. RACs issue an Additional Documentation Request (ADR) when they need to see the medical record.
- Risk Adjustment reviews. Annual, required by HHS for commercial health plans, and largely unrelated to clinician behavior.
- Commercial payer audits. Conducted under the contract you signed when you joined the network. The payer’s policies define what they can request and when.
What can trigger a targeted audit
The Office of Inspector General has identified four high-risk areas for small physician and therapy practices: coding and billing, reasonable and necessary services, documentation, and improper inducements or kickbacks. Most therapy audits originate in the first three.
A few patterns get flagged repeatedly, and each has a clear fix:
| Audit trigger | Explanation | Fix |
|---|---|---|
| Time and code mismatches | This is the single most common trigger in psychotherapy audits. The time you document for the session needs to match the CPT code you billed. | Document start and stop times (or total face-to-face time) for every session, and confirm the time aligns with the CPT code before submitting the claim. |
| Overuse of 90837 | Routine use of the longer psychotherapy code across most or all sessions, without clinical rationale, draws auditor attention. | Document why a 60-minute session was clinically indicated each time you bill 90837, tied to the client’s presenting symptoms and treatment plan. |
| Vague or templated notes | Notes that read like a template (“client discussed anxiety, supportive therapy provided”) do not establish medical necessity. | Name the specific intervention, describe the client’s symptoms with concrete examples, and document their response. |
| Diagnosis patterns that don’t match | The same general or unspecified code used across most of a caseload, or a diagnosis that doesn’t typically pair with the CPT code billed. | Review your diagnostic coding quarterly to confirm it reflects the actual clinical picture for each client. |
| Documentation that doesn’t match the claim | The rendering clinician on the note must match the rendering clinician on the claim, and every note must be authenticated by the person who provided the service. | Confirm the signature and rendering clinician on every note before the claim goes out. |
| Reports from clients or staff | Audits can also start with a complaint. | Strong informed consent and clear communication with clients significantly reduce this risk. |
The throughline is that auditors are looking for evidence that the service you billed is what you actually delivered, and that it was medically necessary. Everything else is process around those two questions.
The documentation gaps most likely to flag your claims
Office of Inspector General (OIG) audits of psychotherapy services have identified a consistent set of failures. In a nationwide review, clinicians did not meet Medicare requirements when billing for some psychotherapy services, including telehealth. For 128 of 216 sampled enrollee days, clinicians did not meet requirements (for example, psychotherapy time was not documented). For an additional 54 sampled days, clinician signatures were missing.
In one OIG review of a high-volume clinician, 100 of 100 treatment plans failed to meet Medicare requirements, often for reasons as simple as missing signatures or unspecified treatment frequency.
That stat is striking because of what it tells you: even at high volume, the failures were not clinical. They were administrative. Which means they were entirely fixable before the audit ever began.
Auditors specifically check that psychotherapy time is documented, with start and stop times or total time. If a separate evaluation and management (E/M) service is also performed during the encounter, the clinician must differentiate the time spent on both services. Time spent on E/M cannot be counted toward the time requirement for psychotherapy, and vice versa.
For Medicaid, auditors are particularly vigilant about overbilling, upcoding (billing for a higher level of service than was provided), and billing for services not rendered.
Billing patterns that draw attention
Statistical outliers, unusual coding distributions, rapid claim volume increases, and other anomalies identified through data analysis frequently appear as OIG Work Plan priorities. When certain services are billed at significantly higher rates by some clinicians than by their peers, those services often become audit targets.
On the commercial payer side, coding errors (even unintentional ones) can be considered a misrepresentation of services and flag a clinician for an audit. This includes something as simple as mistyping a number or using the same code for consecutive clients, as well as intentional upcoding (using a code for a more expensive service than was performed).
Build documentation that can withstand a review
The single most protective habit in private practice is writing every note as if an auditor will read it, because eventually one might. That doesn’t mean longer notes. It means the right elements, in the right places, every time:
- Start time, stop time, and total face-to-face time, with E/M time separated from psychotherapy time
- A clear “golden thread” running from diagnosis, to treatment plan goals, to the session intervention, to the client’s response
- Concrete, specific language that shows medical necessity, including named interventions, quantifiable symptoms, and observable functional impairment
- Treatment plans that specify type, amount, frequency, and duration of services, with progress summaries on the cadence each payer requires
- A signature and date from the rendering clinician on every note
Psychotherapy notes, HIPAA’s separately protected category, belong in their own file. Progress notes are auditable. Psychotherapy notes, kept properly, usually are not.
For the deeper documentation mechanics that prevent claims problems before they start, see “When a claim gets denied, the problem usually started in the chart.”
Set a self-review cadence that prevents most audit problems
The OIG recommends that even small practices adopt basic compliance measures, with internal monitoring and auditing listed first among the seven components of a voluntary compliance program. The lift is smaller than it sounds.
A workable cadence for a solo or small group practice:
- Weekly. Reconcile your schedule, notes, and claims. Every session should have a signed note before the claim goes out.
- Monthly. Pull three to five charts at random and read them as if you were the auditor. Are the times documented? Is the medical necessity clear? Does the intervention connect to the goal?
- Quarterly. Run a small internal audit. Pick a focus, such as every 90837 you billed last quarter, and confirm the timing, the rationale, and the documentation all hold up.
- Annually. Review payer policy updates from every plan you’re in-network with, and update your templates, language, and treatment plan formats if anything changes.
That rhythm catches the small drift (shortcuts, copy-paste creep, time and code rounding) that becomes a finding in an external audit two years later.
What to do if you’re selected
The hour you open the audit letter is the wrong time to decide your strategy. A few moves matter most in that first day:
- Read the letter carefully, twice. Note the audit type, the payer or contractor, the records requested, the response method, and the deadline. Most audits give you 30 to 60 days. Risk Adjustment Audits can give 60 to 180.
- Don’t ignore it, and don’t rush. Missing a deadline is one of the few ways to lose an audit you would otherwise have passed. Sending records before you’ve reviewed them is the other.
- Send only what’s requested. Under HIPAA, payers are entitled to the minimum necessary information to support the reason for the audit, and they don’t have the right to psychotherapy notes kept in a separate record set.
- Document everything you send, including transmission method, date, and confirmation of delivery.
- Know your appeal rights. Most payers have a formal appeal process with specific timelines. For Medicare RAC determinations, historical data shows a substantial portion of appealed cases have been overturned.
For the full step-by-step on responding to a records request, handling a recoupment notice, and running an appeal, see how to handle insurance recoupments and audits for therapists.
An organized practice is an audit-ready practice
Audits are a process, and the process rewards clinicians who built clean habits early and stayed with them. The point isn’t to live in fear of the next letter. It’s to build a documentation, billing, and review rhythm that means an audit letter is just another piece of mail.
Audit-ready documentation checklist
For every progress note:
- [ ] Date of service recorded
- [ ] Start and stop time (or total session time) documented
- [ ] Clinician signature present
- [ ] Presenting issues and client affect described specifically
- [ ] Therapeutic interventions named (not just “supportive therapy”)
- [ ] Client progress toward treatment plan goals addressed
- [ ] Medical necessity supported, with the note showing why ongoing treatment is clinically indicated
- [ ] Risk and safety issues documented if present, with action taken
For treatment plans:
- [ ] Active treatment plan on file and current (updated per payer requirements, at minimum every 90 days; Medicaid may require every 30)
- [ ] Treatment plan signed by all required parties
- [ ] Goals are specific, measurable, and linked to diagnosis
- [ ] Frequency and duration of treatment specified
- [ ] Plan reflects actual services being delivered
For billing:
- [ ] CPT code matches documented session length
- [ ] Diagnosis codes match the treatment being provided
- [ ] No copy-paste or cloned notes (each note reflects the actual session)
- [ ] If E/M and psychotherapy billed on same day, documentation separates and supports both
Telehealth-specific:
- [ ] Telehealth consent documented
- [ ] Platform noted as HIPAA-compliant in record
- [ ] Client location at time of session documented (required for Medicare)
General housekeeping:
- [ ] Prior authorizations current for clients requiring them
- [ ] Credentialing files up to date
- [ ] Your payer contracts reviewed for documentation requirements specific to each payer



