Skip to Main Content
Article

How Home Health Agencies Can Prepare for a Medicare or Medicaid Audit

11.24.2025

5 minute read

How Home Health Agencies Can Prepare for a Medicare or Medicaid Audit

Federal and state regulators have intensified oversight of home health services in recent years with Medicare and Medicaid fraud estimated to cost taxpayers over $300 billion each year.

Agencies and individual health care workers are experiencing heightened scrutiny from the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG). As a result, preparing for a potential audit is no longer optional. It's essential risk management.

The Much team represents health care workers and home health professionals facing regulatory investigations, audits, licensing matters, and allegations of improper billing. The guidance below highlights major audit risk areas and practical steps agencies and clinicians can take to protect themselves.

Key Areas of Audit Focus

The OIG’s Compliance Program Guidance for home health agencies emphasizes common issues that often lead to audits or enforcement actions, including:

  • Billing for services or items not provided
  • Billing for medically unnecessary services
  • Duplicate claims
  • Offering incentives to referral sources
  • Billing for patients who are not homebound
  • Over- or under-utilization of services
  • Documentation that does not support reimbursement
  • Improper patient solicitation
  • Poor oversight of subcontractors leading to inaccurate billing

A strong, well-maintained compliance program is the most effective protection against these risks.

How To Build a Compliance Program

A comprehensive compliance program must be regularly reviewed, updated, and documented. Home health owners and administrators must create processes that support legal and ethical behavior. They also need to ensure compliance. Key elements include:

  • Accurate, timely documentation
  • Consistent billing practices
  • Adherence to privacy and security requirements
  • Ongoing training for clinical and administrative staff
  • Internal monitoring and corrective action procedures

Most Common Home Health Audit Types

Medical Necessity and Homebound Status

The most common home health audit involves determining whether services were reasonable, necessary, and compliant with Medicare rules. Auditors routinely examine:

  • Whether the patient’s care needs meet homebound criteria
  • Whether a physician ordered and certified medical services
  • Whether documentation clearly supports the level of care provided
  • Whether the plan of care was routinely evaluated and followed

Insufficient documentation does not just lead to claim denials. It can result in:

  • Repayment demands
  • Lengthy appeals
  • Potential civil penalties under the False Claims Act

For health care workers, inadequate documentation can also expose clinicians to disciplinary complaints or employment consequences. Thorough and consistent charting is a strong defense.

Improper Referral Relationships

Federal and state law strictly regulate financial and referral relationships in home health. Agencies and health care workers must be cautious about how they interact with physicians, facilities, and other referral partners. Key laws include:

  • Stark Law: Prohibits physicians from referring Medicare/Medicaid patients to entities in which they have a financial interest
  • Anti-Kickback Statute (AKS): Prohibits offering or receiving any payments for referrals of federal health care program beneficiaries
  • Civil Monetary Penalties Law: Restricts giving beneficiaries gifts valued over $15

Improper arrangements can cause serious penalties and may also result in exclusion from federal programs. Examples include:

  • Medical directorships as referral incentives
  • Free services to facilities
  • Gifts to providers

If you are unsure whether a relationship is legally compliant, seek guidance from your Much health care attorney before proceeding.

Protecting Patient Privacy and Securing PHI

The home health industry is moving towards mobile technology and remote access. Because of this, regulators are paying more attention to HIPAA and HITECH compliance. Home health workers often access sensitive data outside traditional clinical settings, increasing risk. Common vulnerabilities include:

  • Unsecured mobile devices
  • Weak password protection
  • Lack of encryption
  • Improper storage or transfer of PHI
  • Unauthorized sharing of patient information

HIPAA violations, even unintentional ones, can result in significant fines and mandatory reporting obligations. Agencies should train clinicians on proper PHI handling and implement technical safeguards.

Audit-Ready Compliance Checklist

Below is a practical compliance checklist that agencies and their staff can use to prepare for potential audits:

Clinical and Documentation Compliance

  • Train and re-train staff on homebound criteria and medical necessity requirements.
  • Conduct pre-billing chart reviews to confirm documentation supports all services billed.
  • Perform routine internal audits or engage an outside consultant.
  • Ensure frequent physician review and updating of the plan of care.

Referral and Financial Relationship Compliance

  • Maintain written agreements for all referral-related financial arrangements.
  • Limit who can enter into financial or contractual relationships on behalf of the agency.
  • Keep a log of any gifts provided to referral sources or clients.
  • Consult a health care attorney before entering any questionable arrangement.

HIPAA, Security, and Technology Practices

  • Require two-factor authentication for all devices accessing PHI.
  • Provide encrypted, agency-managed devices where possible.
  • Implement a written Bring Your Own Device (BYOD) policy if personal devices are permitted.
  • Discourage storing passwords in unencrypted browser-based managers.
  • Require immediate reporting of lost or stolen devices.
  • Designate a Privacy and Security Officer responsible for HIPAA oversight.

Organizational Culture and Reporting

  • Encourage staff to report potential compliance issues without consequence.
  • Foster a culture of transparency and accountability across all levels of the agency.

When to Contact a Health Care Law Firm

Whether you are an agency owner, administrator, nurse, therapist, or biller, legal guidance from an experienced health care firm is crucial if you receive:

  • An audit notification
  • A documentation request
  • A suspected overpayment letter
  • A visit from surveyors
  • Allegations of improper billing or referrals

Contact Your Much Health Care Attorney

Because of the complexities and variations associated with home care, it is often difficult to keep track of regulations. A good home health care lawyer will carefully review your organization and help ensure that all regulations and compliance requirements are met.

The Much Health Care group regularly develops preventative and proactive legal strategies for any transactional, litigation, compliance, and regulatory defense needs. If you are a practitioner or director of a home care facility in need of legal guidance, speak with one of our California health care attorneys today.